diff --git a/policy-20071130.patch b/policy-20071130.patch
index 29972b4..fde4db6 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -2050,7 +2050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc 
  ifdef(`distro_suse', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.3.1/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/rpm.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/rpm.if	2008-03-09 08:33:16.000000000 -0400
 @@ -152,6 +152,24 @@
  
  ########################################
@@ -2076,10 +2076,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -173,6 +191,27 @@
+@@ -173,6 +191,48 @@
  
  ########################################
  ## <summary>
++##	dontaudit attempts to Send and receive messages from
++##	rpm over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpm_dontaudit_dbus_chat',`
++	gen_require(`
++		type rpm_t;
++		class dbus send_msg;
++	')
++
++	dontaudit $1 rpm_t:dbus send_msg;
++	dontaudit rpm_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
 +##	Send and receive messages from
 +##	rpm_script over dbus.
 +## </summary>
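Review bot: The `<param name="domain">` text on the new `rpm_dontaudit_dbus_chat` interface says `Domain allowed access.`, but both rules in its body are `dontaudit`, so the generated documentation suggests the interface grants D-Bus access to rpm_t when it only silences the denials. The usual refpolicy wording for such interfaces is `Domain to not audit.`, and the summary would read better as `Do not audit attempts to send and receive messages from rpm over dbus.` The same copied description appears on `kerneloops_dontaudit_dbus_chat` in the kerneloops.if hunk. Since both interfaces hide `send_msg` denials in both directions, it is worth stating in the summary that they are meant only for domains where the denial is known noise.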
@@ -2104,7 +2125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
-@@ -210,6 +249,24 @@
+@@ -210,6 +270,24 @@
  
  ########################################
  ## <summary>
@@ -2129,7 +2150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ##	Create, read, write, and delete RPM
  ##	script temporary files.
  ## </summary>
-@@ -225,7 +282,29 @@
+@@ -225,7 +303,29 @@
  	')
  
  	files_search_tmp($1)
@@ -2159,7 +2180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ')
  
  ########################################
-@@ -289,3 +368,157 @@
+@@ -289,3 +389,157 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -5055,7 +5076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-04 14:46:08.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-10 14:36:14.000000000 -0400
 @@ -0,0 +1,344 @@
 +
 +## <summary>policy for nsplugin</summary>
@@ -5272,7 +5293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +	nsplugin_use($1, $2)
 +
 +	optional_policy(`
-+		xserver_common_app_template($2, nsplugin_t)
++		xserver_common_app_to_user($2, nsplugin_t)
 +	')
 +
 +	role $3 types nsplugin_t;
@@ -5403,8 +5424,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-04 10:03:36.000000000 -0500
-@@ -0,0 +1,154 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-10 14:35:49.000000000 -0400
+@@ -0,0 +1,166 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5471,6 +5492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +dev_read_rand(nsplugin_t)
 +dev_read_sound(nsplugin_t)
++dev_write_sound(nsplugin_t)
 +
 +kernel_read_kernel_sysctls(nsplugin_t)
 +kernel_read_system_state(nsplugin_t)
@@ -5495,6 +5517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +miscfiles_manage_home_fonts(nsplugin_t)
 +
 +userdom_read_user_home_content_files(user, nsplugin_t)
++userdom_read_user_tmp_files(user, nsplugin_t)
 +userdom_write_user_tmp_sockets(user, nsplugin_t)
 +userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
 +
@@ -5503,6 +5526,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 +
 +optional_policy(`
++	gnome_exec_gconf(nsplugin_t)
++')
++
++optional_policy(`
 +	mozilla_read_user_home_files(user, nsplugin_t)
 +	mozilla_write_user_home_files(user, nsplugin_t)
 +')
@@ -5511,6 +5538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +	xserver_stream_connect_xdm_xserver(nsplugin_t)
 +	xserver_xdm_rw_shm(nsplugin_t)
 +	xserver_read_xdm_tmp_files(nsplugin_t)
++	xserver_read_user_xauth(user, nsplugin_t)
 +')
 +
 +########################################
@@ -5519,16 +5547,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +#
 +
 +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
-+allow nsplugin_config_t self:process { setsched getsched execmem };
++allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
 +allow nsplugin_t self:sem create_sem_perms;
 +allow nsplugin_t self:shm create_shm_perms;
++allow nsplugin_t self:msgq create_msgq_perms;
 +
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
 +manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir })
++manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
 +
 +can_exec(nsplugin_config_t, nsplugin_rw_t)
 +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@@ -5559,6 +5589,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +userdom_search_all_users_home_content(nsplugin_config_t)
 +
 +nsplugin_domtrans(nsplugin_config_t)
++
++allow nsplugin_t user_home_t:dir { write read };
++allow nsplugin_t user_home_t:file write;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.3.1/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/apps/screen.fc	2008-02-26 08:29:22.000000000 -0500
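Review bot: The two rules appended to nsplugin.te, `allow nsplugin_t user_home_t:dir { write read };` and `allow nsplugin_t user_home_t:file write;`, give the browser-plugin domain write access to generically labelled home content, which undercuts the confinement the module exists to provide. Earlier in the same file the policy calls `userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)`, so it now both hides and grants writes to that content. The rules also name `user_home_t` directly rather than going through a userdom interface, and no require for the type is visible in this hunk. If the plugin only needs its own state, a dedicated type with a file transition is the narrower fix (nsplugin.fc already labels `user_nsplugin_home_t`), with a comment recording the denial that motivated it, e.g. `# TODO: narrow; added for <AVC placeholder>`.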
@@ -10430,7 +10463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-02-26 10:37:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-03-10 13:34:57.000000000 -0400
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -10470,7 +10503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  # needs to read /var/lib/dbus/machine-id
  files_read_var_lib_files(consolekit_t)
  
-@@ -47,16 +57,33 @@
+@@ -47,16 +57,37 @@
  
  auth_use_nsswitch(consolekit_t)
  
@@ -10492,22 +10525,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +hal_ptrace(consolekit_t)
 +mcs_ptrace_all(consolekit_t)
 +
++optional_policy(`
++	cron_read_system_job_lib_files(consolekit_t)
++')
++
  optional_policy(`
 -	dbus_system_bus_client_template(consolekit, consolekit_t)
 -	dbus_connect_system_bus(consolekit_t)
-+	cron_read_system_job_lib_files(consolekit_t)
-+')
- 
--	hal_dbus_chat(consolekit_t)
-+optional_policy(`
 +	dbus_system_domain(consolekit_t, consolekit_exec_t)
 +	optional_policy(`
 +		hal_dbus_chat(consolekit_t)
 +	')
  
+-	hal_dbus_chat(consolekit_t)
++	optional_policy(`
++		rpm_dbus_chat(consolekit_t)
++	')
+ 
  	optional_policy(`
  		unconfined_dbus_chat(consolekit_t)
-@@ -64,6 +91,33 @@
+@@ -64,6 +95,33 @@
  ')
  
  optional_policy(`
@@ -10519,7 +10556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  	xserver_read_all_users_xauth(consolekit_t)
  	xserver_stream_connect_xdm_xserver(consolekit_t)
 +	xserver_ptrace_xdm(consolekit_t)
-+')
+ ')
 +
 +optional_policy(`
 +	#reading .Xauthity
@@ -10534,7 +10571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_dontaudit_list_nfs(consolekit_t)
 +	fs_dontaudit_rw_nfs_files(consolekit_t)
- ')
++')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_dontaudit_list_cifs(consolekit_t)
@@ -11199,8 +11236,65 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.3.1/policy/modules/services/cups.if
 --- nsaserefpolicy/policy/modules/services/cups.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.if	2008-02-26 08:29:22.000000000 -0500
-@@ -247,3 +247,102 @@
++++ serefpolicy-3.3.1/policy/modules/services/cups.if	2008-03-10 12:18:38.000000000 -0400
+@@ -20,6 +20,30 @@
+ 
+ ########################################
+ ## <summary>
++##	Setup cups to transtion to the cups backend domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`cups_backend',`
++	gen_require(`
++		type cupsd_t;
++	')
++
++	domtrans_pattern(cupsd_t,$2, $1)
++
++	allow cupsd_t $1:process signal;
++	allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
++
++	cups_read_config($1)
++	cups_append_log($1)
++')
++
++########################################
++## <summary>
+ ##	Connect to cupsd over an unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+@@ -212,6 +236,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Append cups log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cups_append_log',`
++	gen_require(`
++		type cupsd_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, cupsd_log_t, cupsd_log_t)
++')
++
++########################################
++## <summary>
+ ##	Write cups log files.
+ ## </summary>
+ ## <param name="domain">
+@@ -247,3 +290,102 @@
  	files_search_pids($1)
  	stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t)
  ')
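Review bot: `cups_backend` uses `$2` in `domtrans_pattern(cupsd_t,$2, $1)`, but its header documents a single `domain` parameter described as `The type of the process performing this action.`; from the body, `$1` is the backend domain that cupsd_t transitions into and `$2` is the entry-point executable type. I would document both, e.g. `Domain of the CUPS backend.` for `<param name="domain">` and a second `<param name="entrypoint">` with `Executable type used to enter the backend domain.`, and fix `transtion` in the summary. The interface also calls `cups_read_config($1)` and `cups_append_log($1)`, which go beyond the signal and socket rules it replaces in cups.te as far as this diff shows, so the summary should say that callers receive config read and log append access as well.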
@@ -11305,8 +11399,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.te	2008-03-04 10:00:21.000000000 -0500
-@@ -43,14 +43,12 @@
++++ serefpolicy-3.3.1/policy/modules/services/cups.te	2008-03-10 12:08:24.000000000 -0400
+@@ -43,14 +43,13 @@
  
  type cupsd_var_run_t;
  files_pid_file(cupsd_var_run_t)
@@ -11318,12 +11412,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 -
 -type hplip_etc_t;
 -files_config_file(hplip_etc_t)
-+domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t)
++# For CUPS to run as a backend
++cups_backend(hplip_t, hplip_exec_t)
 +domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
  
  type hplip_var_run_t;
  files_pid_file(hplip_var_run_t)
-@@ -65,12 +63,17 @@
+@@ -65,12 +64,17 @@
  type ptal_var_run_t;
  files_pid_file(ptal_var_run_t)
  
@@ -11341,7 +11436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ')
  
  ########################################
-@@ -79,13 +82,14 @@
+@@ -79,13 +83,14 @@
  #
  
  # /usr/lib/cups/backend/serial needs sys_admin(?!)
@@ -11359,7 +11454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  allow cupsd_t self:tcp_socket create_stream_socket_perms;
  allow cupsd_t self:udp_socket create_socket_perms;
  allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -104,7 +108,7 @@
+@@ -104,7 +109,7 @@
  
  # allow cups to execute its backend scripts
  can_exec(cupsd_t, cupsd_exec_t)
@@ -11368,7 +11463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  allow cupsd_t cupsd_exec_t:lnk_file read;
  
  manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -116,13 +120,19 @@
+@@ -116,13 +121,19 @@
  manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
  files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
  
@@ -11390,7 +11485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  allow cupsd_t hplip_var_run_t:file { read getattr };
  
  stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
-@@ -149,32 +159,35 @@
+@@ -149,32 +160,35 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
@@ -11430,7 +11525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
  corecmd_exec_shell(cupsd_t)
  corecmd_exec_bin(cupsd_t)
-@@ -186,7 +199,7 @@
+@@ -186,7 +200,7 @@
  # read python modules
  files_read_usr_files(cupsd_t)
  # for /var/lib/defoma
@@ -11439,7 +11534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  files_list_world_readable(cupsd_t)
  files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
-@@ -195,15 +208,15 @@
+@@ -195,15 +209,15 @@
  files_read_var_symlinks(cupsd_t)
  # for /etc/printcap
  files_dontaudit_write_etc_files(cupsd_t)
@@ -11459,7 +11554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  auth_use_nsswitch(cupsd_t)
  
  libs_use_ld_so(cupsd_t)
-@@ -219,17 +232,22 @@
+@@ -219,17 +233,22 @@
  miscfiles_read_fonts(cupsd_t)
  
  seutil_read_config(cupsd_t)
@@ -11484,7 +11579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ')
  
  optional_policy(`
-@@ -242,12 +260,21 @@
+@@ -242,12 +261,21 @@
  
  optional_policy(`
  	dbus_system_bus_client_template(cupsd,cupsd_t)
@@ -11506,7 +11601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ')
  
  optional_policy(`
-@@ -263,6 +290,10 @@
+@@ -263,6 +291,10 @@
  ')
  
  optional_policy(`
@@ -11517,7 +11612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
-@@ -326,6 +357,7 @@
+@@ -326,6 +358,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
@@ -11525,7 +11620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
-@@ -353,6 +385,7 @@
+@@ -353,6 +386,7 @@
  logging_send_syslog_msg(cupsd_config_t)
  
  miscfiles_read_localization(cupsd_config_t)
@@ -11533,7 +11628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  seutil_dontaudit_search_config(cupsd_config_t)
  
-@@ -372,6 +405,10 @@
+@@ -372,6 +406,10 @@
  ')
  
  optional_policy(`
@@ -11544,7 +11639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -387,6 +424,7 @@
+@@ -387,6 +425,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -11552,7 +11647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ')
  
  optional_policy(`
-@@ -499,14 +537,12 @@
+@@ -499,15 +538,10 @@
  allow hplip_t self:udp_socket create_socket_perms;
  allow hplip_t self:rawip_socket create_socket_perms;
  
@@ -11560,18 +11655,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +allow hplip_t cupsd_etc_t:dir search_dir_perms;
  
  cups_stream_connect(hplip_t)
--
+ 
 -allow hplip_t hplip_etc_t:dir list_dir_perms;
 -read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
 -read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
 -files_search_etc(hplip_t)
-+# For CUPS to run as a backend
-+allow cupsd_t hplip_t:process signal;
-+allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms;
- 
+-
  manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
  files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -537,14 +573,14 @@
+ 
+@@ -537,14 +571,14 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -11588,10 +11681,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  domain_use_interactive_fds(hplip_t)
  
  files_read_etc_files(hplip_t)
-@@ -565,6 +601,7 @@
+@@ -564,7 +598,8 @@
+ userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
- lpd_read_config(cupsd_t)
+-lpd_read_config(cupsd_t)
++lpd_read_config(hplip_t)
 +lpd_manage_spool(hplip_t)
  
  optional_policy(`
@@ -14156,7 +14251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-03-10 09:28:37.000000000 -0400
 @@ -0,0 +1,51 @@
 +policy_module(gnomeclock,1.0.0)
 +########################################
@@ -14173,7 +14268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +#
 +# gnomeclock local policy
 +#
-+allow gnomeclock_t self:capability sys_time;
++allow gnomeclock_t self:capability { sys_nice sys_time };
 +allow gnomeclock_t self:process getsched;
 +
 +# internal communication is often done using fifo and unix sockets.
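Review bot: `sys_nice` is added to `gnomeclock_t self:capability` with no comment saying which operation needs it, while the `self:process` rule on the next line still grants only `getsched`. If the daemon really changes its own priority or scheduling policy it will presumably need `setsched` too, e.g. `allow gnomeclock_t self:process { getsched setsched };`; if the capability check is only a side effect of a library call, a `dontaudit` would be the tighter choice. Either way, a one-line comment naming the triggering call would let the next reviewer judge whether the capability is still required.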
@@ -14951,8 +15046,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern
 +/etc/rc.d/init.d/kerneloops	--	gen_context(system_u:object_r:kerneloops_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.3.1/policy/modules/services/kerneloops.if
 --- nsaserefpolicy/policy/modules/services/kerneloops.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerneloops.if	2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,104 @@
++++ serefpolicy-3.3.1/policy/modules/services/kerneloops.if	2008-03-09 08:34:14.000000000 -0400
+@@ -0,0 +1,125 @@
 +
 +## <summary>policy for kerneloops</summary>
 +
@@ -15017,6 +15112,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern
 +
 +########################################
 +## <summary>
++##	dontaudit attempts to Send and receive messages from
++##	kerneloops over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kerneloops_dontaudit_dbus_chat',`
++	gen_require(`
++		type kerneloops_t;
++		class dbus send_msg;
++	')
++
++	dontaudit $1 kerneloops_t:dbus send_msg;
++	dontaudit kerneloops_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate 
 +##	an kerneloops environment
 +## </summary>
@@ -21013,8 +21129,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +/etc/rc.d/init.d/setroubleshoot	--	gen_context(system_u:object_r:setroubleshoot_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.3.1/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2007-09-04 15:22:23.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.if	2008-02-26 08:29:22.000000000 -0500
-@@ -16,8 +16,8 @@
++++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.if	2008-03-10 11:51:45.000000000 -0400
+@@ -16,14 +16,13 @@
  	')
  
  	files_search_pids($1)
@@ -21025,9 +21141,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
  ')
  
  ########################################
-@@ -39,3 +39,74 @@
- 	dontaudit $1 setroubleshoot_var_run_t:sock_file write;
+ ## <summary>
+-##	Dontaudit attempts to connect to setroubleshootd
+-##	over an unix stream socket.
++##	dontaudit attempts to connect to setroubleshootd over an unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -36,6 +35,77 @@
+ 		type setroubleshootd_t, setroubleshoot_var_run_t;
+ 	')
+ 
+-	dontaudit $1 setroubleshoot_var_run_t:sock_file write;
  	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
++	dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
  ')
 +
 +########################################
@@ -23256,7 +23383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-06 17:09:27.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-10 14:41:25.000000000 -0400
 @@ -12,9 +12,15 @@
  ##	</summary>
  ## </param>
@@ -23577,15 +23704,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
 -	allow $1_xauth_t self:process signal;
 -	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
--
++	domtrans_pattern($2, xauth_exec_t, xauth_t)
+ 
 -	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
 -
 -	manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
-+	domtrans_pattern($2, xauth_exec_t, xauth_t)
- 
+-
 -	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 -
 -	allow $2 $1_xauth_t:process signal;
@@ -23599,10 +23726,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -
 -	allow xdm_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
+-
+-	domain_use_interactive_fds($1_xauth_t)
 +	ps_process_pattern($2,xauth_t)
  
--	domain_use_interactive_fds($1_xauth_t)
--
 -	files_read_etc_files($1_xauth_t)
 -	files_search_pids($1_xauth_t)
 -
@@ -23652,42 +23779,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	# allow ps to show iceauth
 -	ps_process_pattern($2,$1_iceauth_t)
 +	ps_process_pattern($2,iceauth_t)
- 
--	allow $2 $1_iceauth_home_t:file manage_file_perms;
--	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
++
 +	allow $2 user_iceauth_home_t:file manage_file_perms;
 +	allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
  
--	allow xdm_t $1_iceauth_home_t:file read_file_perms;
+-	allow $2 $1_iceauth_home_t:file manage_file_perms;
+-	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
 +	userdom_use_user_terminals($1,iceauth_t)
  
--	fs_search_auto_mountpoints($1_iceauth_t)
+-	allow xdm_t $1_iceauth_home_t:file read_file_perms;
 +	optional_policy(`
 +		xserver_read_user_iceauth($1, $2)
 +	')
  
--	libs_use_ld_so($1_iceauth_t)
--	libs_use_shared_libs($1_iceauth_t)
+-	fs_search_auto_mountpoints($1_iceauth_t)
 +	##############################
 +	#
 +	# User X object manager local policy
 +	#
  
--	userdom_use_user_terminals($1,$1_iceauth_t)
+-	libs_use_ld_so($1_iceauth_t)
+-	libs_use_shared_libs($1_iceauth_t)
 +	# Device rules
 +	allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell };
  
+-	userdom_use_user_terminals($1,$1_iceauth_t)
++	allow $2 { input_xevent_t }:x_event send;
++	allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
+ 
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_manage_nfs_files($1_iceauth_t)
 -	')
-+	allow $2 { input_xevent_t }:x_event send;
-+	allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
++	mls_xwin_read_to_clearance($2)
  
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_manage_cifs_files($1_iceauth_t)
 -	')
-+	mls_xwin_read_to_clearance($2)
-+
 +	xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t)
  ')
  
@@ -23720,7 +23847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,25 +540,474 @@
+@@ -542,25 +540,540 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -23870,13 +23997,189 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +		attribute xdm_x_domain;
 +	')
 +
++	allow $1 self:x_cursor { create use setattr };
++	allow $1 self:x_drawable { write getattr read destroy create add_child };
++	allow $1 self:x_gc { destroy create use setattr };
++	allow $1 self:x_resource { write read };
++
++	allow $1 xevent_type:x_event receive;
++
++	allow $1 std_xext_t:x_extension query;
++	allow $1 x_rootwindow_t:x_drawable { get_property getattr };
++
++
++	# Hacks
++	# everyone can get the input focus of everyone else
++	# this is a fundamental brokenness in the X protocol
++	allow $1 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab force_cursor };
++
++	allow $1 { x_domain xserver_unconfined_type }:x_drawable { receive get_property set_property setattr send };
++	allow $1 { x_domain xserver_unconfined_type }:x_event receive;
++
++	tunable_policy(`allow_read_x_device',`
++		allow $1 { x_domain x_server_domain }:x_device read;
++	')
++
++	# everyone can grab the server
++	# everyone does it, it is basically a free DOS attack
++	allow $1 x_server_domain:x_server grab;
++	# everyone can get the font path, etc.
++	# this could leak out sensitive information
++	allow $1 x_server_domain:x_server { getattr manage };
++	# everyone can do override-redirect windows.
++	# this could be used to spoof labels
++	allow $1 $1:x_drawable override;
++	# everyone can receive management events on the root window
++	# allows to know when new windows appear, among other things
++	allow $1 manage_xevent_t:x_event receive;
++
++	allow $1 accelgraphics_xext_t:x_extension use;
++
++	# X Server
++	# can read server-owned resources
++	allow $1 x_server_domain:x_resource read;
++	# can mess with own clients
++	allow $1 $1:x_client { manage destroy };
++
++	# X Protocol Extensions
++	allow $1 std_xext_t:x_extension { use };
++	allow $1 shmem_xext_t:x_extension { use };
++	allow $1 xextension_type:x_extension query;
++
++	# X Properties
++	# can read and write client properties
++	allow $1 $1:x_property { create destroy read write };
++	allow $1 default_xproperty_t:x_property { read write destroy create };
++	allow $1 output_xext_t:x_extension { use };
++	allow $1 output_xext_t:x_property read;
++	allow $1 xserver_unconfined_type:x_property read;
++
++#	type_transition $2_t default_xproperty_t:x_property $2_t;
++	# can read and write cut buffers
++	allow $1 clipboard_xproperty_t:x_property { create read write };
++	# can read/write info properties
++	allow $1 info_xproperty_t:x_property { read write };
++
++	# can change properties of root window
++	allow $1 x_rootwindow_t:x_drawable { list_property get_property set_property };
++	# can change properties of own windows
++	allow $1 $1:x_drawable { list_property get_property set_property };
++
++	# X Windows
++	# operations allowed on root windows
++	allow $1 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive read write manage setattr show override destroy create hide };
++
++	# operations allowed on my windows
++	allow $1 $1:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
++
++	# X Colormaps
++	# can use the default colormap
++	allow $1 x_rootcolormap_t:x_colormap { read use add_color install uninstall };
++
++	allow $1 $1:x_client destroy;
++	allow $1 $1:x_drawable { receive get_property getattr list_child };
++
++	# X Input
++	# can receive own events
++	allow $1 input_xevent_t:{ x_event x_synthetic_event } receive;
++	allow $1 $1:{ x_event x_synthetic_event } { send receive };
++	allow $1 default_xevent_t:x_event receive;
++
++	# can receive certain root window events
++	allow $1 focus_xevent_t:x_event receive;
++	allow $1 property_xevent_t:x_event receive;
++	allow $1 client_xevent_t:x_synthetic_event receive;
++	allow $1 manage_xevent_t:x_synthetic_event receive;
++	# can send ICCCM events to myself
++	allow $1 $1:x_synthetic_event send;
++	# can send ICCCM events to the root window
++	allow $1 manage_xevent_t:x_synthetic_event send;
++	allow $1 client_xevent_t:x_synthetic_event send;
++
++	# X Selections
++	# can use the clipboard
++	allow $1 clipboard_xselection_t:x_selection { getattr setattr read };
++	# can query all other selections
++	allow $1 default_xselection_t:x_selection { getattr setattr read };
++
++	# Other X Objects
++	# can create and use cursors
++	allow $1 $1:x_cursor *;
++	# can create and use graphics contexts
++	allow $1 $1:x_gc *;
++	# can create and use colormaps
++	allow $1 $1:x_colormap *;
++	# can read and write own objects
++	allow $1 $1:x_resource { read write };
++
++	allow $1 screensaver_xext_t:x_extension { use };
++	allow $1 unknown_xext_t:x_extension { use };
++
++	allow $1 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr };
++
++        allow $1 disallowed_xext_t:x_extension { use };
++
++	allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr };
++	allow $1 xdm_xserver_t:x_resource read;
++	allow $1 xdm_xserver_t:x_server grab;
++
++')
++
++#######################################
++## <summary>
++##	Interface to provide X object permissions on an X Application
++##      Provides the minimal set required by a basic X client application.
++## </summary>
++## <param name="user">
++##	<summary>
++##	The X user domain (e.g., user_t).
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Client domain allowed access.
++##	</summary>
++## </param>
++#
++template(`xserver_common_app_to_user',`
++	gen_require(`
++		type x_rootwindow_t, x_rootcolormap_t, std_xext_t, shmem_xext_t;
++		type default_xproperty_t, info_xproperty_t, clipboard_xproperty_t;
++		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
++		type default_xevent_t, client_xevent_t;
++		type clipboard_xselection_t, default_xselection_t;
++		type  screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
++		type disallowed_xext_t;
++		type output_xext_t;
++
++		attribute x_server_domain, x_domain;
++		attribute xproperty_type;
++		attribute xevent_type, xextension_type;
++		class x_drawable all_x_drawable_perms;
++		class x_screen all_x_screen_perms;
++		class x_gc all_x_gc_perms;
++		class x_font all_x_font_perms;
++		class x_colormap all_x_colormap_perms;
++		class x_property all_x_property_perms;
++		class x_selection all_x_selection_perms;
++		class x_cursor all_x_cursor_perms;	
++		class x_client all_x_client_perms;
++		class x_device all_x_device_perms;
++		class x_server all_x_server_perms;
++		class x_extension all_x_extension_perms;
++		class x_resource all_x_resource_perms;
++		class x_event all_x_event_perms;
++		class x_synthetic_event all_x_synthetic_event_perms;
++
++		attribute xdm_x_domain;
++	')
++
++	xserver_common_app_template($2)
++
 +	allow $2 $1:x_drawable { hide setattr show receive create manage add_child write read getattr remove_child list_child destroy set_property };
 +	allow $2 $1:x_event receive;
 +	allow $2 $1:x_synthetic_event receive;
 +	allow $1 $2:x_property read;
-+
-+	allow $2 std_xext_t:x_extension query;
-+	allow $2 x_rootwindow_t:x_drawable { get_property getattr };
 +')
 +
 +#######################################
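Review bot: The header of the new `xserver_common_app_to_user` promises `the minimal set required by a basic X client application`, yet the template delegates to `xserver_common_app_template($2)`, whose rewritten body gives every caller `x_server grab`, `x_device { ... grab force_cursor }` on all `x_domain` clients, `$1:x_drawable override`, and `allow $1 disallowed_xext_t:x_extension { use };`. The inline comments themselves label the focus, grab and override-redirect rules as hacks that permit a free DoS, information leaks and label spoofing, and the browser-plugin domain now inherits all of them through the `xserver_common_app_to_user($2, nsplugin_t)` call in nsplugin.if. I would drop the `disallowed_xext_t` rule or justify it in a comment, reword the summary so it does not claim minimality, and delete the commented-out `type_transition $2_t default_xproperty_t:x_property $2_t;` line. The `gen_require` in `xserver_common_app_to_user` is also copied wholesale although its four local rules use only the x_drawable, x_event, x_synthetic_event and x_property classes; `xserver_common_app_template` begins above this hunk, so I cannot confirm that it requires `xserver_unconfined_type`, `accelgraphics_xext_t` and `xdm_xserver_t`.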
@@ -23963,125 +24266,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	# Local Policy
 +	#
 +
-+	# Hacks
-+	# everyone can get the input focus of everyone else
-+	# this is a fundamental brokenness in the X protocol
-+	allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab force_cursor };
-+
-+	allow $3 { x_domain xserver_unconfined_type }:x_drawable receive;
-+	allow $3 { x_domain xserver_unconfined_type }:x_event receive;
-+
-+	tunable_policy(`allow_read_x_device',`
-+		allow $3 { x_domain x_server_domain }:x_device read;
-+	')
-+
-+	# everyone can grab the server
-+	# everyone does it, it is basically a free DOS attack
-+	allow $3 x_server_domain:x_server grab;
-+	# everyone can get the font path, etc.
-+	# this could leak out sensitive information
-+	allow $3 x_server_domain:x_server { getattr manage };
-+	# everyone can do override-redirect windows.
-+	# this could be used to spoof labels
-+	allow $3 $3:x_drawable override;
-+	# everyone can receive management events on the root window
-+	# allows to know when new windows appear, among other things
-+	allow $3 manage_xevent_t:x_event receive;
-+
-+	allow $3 accelgraphics_xext_t:x_extension use;
-+
-+	# X Server
-+	# can read server-owned resources
-+	allow $3 x_server_domain:x_resource read;
-+	# can mess with own clients
-+	allow $3 $3:x_client { manage destroy };
-+
-+	# X Protocol Extensions
-+	allow $3 std_xext_t:x_extension { use };
-+	allow $3 shmem_xext_t:x_extension { use };
-+	allow $3 xextension_type:x_extension query;
-+
-+	# X Properties
-+	# can read and write client properties
-+	allow $3 $3:x_property { create destroy read write };
-+	allow $3 default_xproperty_t:x_property { read write destroy create };
-+	allow $3 output_xext_t:x_extension { use };
-+	allow $3 output_xext_t:x_property read;
-+
-+	type_transition $2_t default_xproperty_t:x_property $2_t;
-+	# can read and write cut buffers
-+	allow $3 clipboard_xproperty_t:x_property { create read write };
-+	# can read/write info properties
-+	allow $3 info_xproperty_t:x_property { read write };
-+
-+	# can change properties of root window
-+	allow $3 x_rootwindow_t:x_drawable { list_property get_property set_property };
-+	# can change properties of own windows
-+	allow $3 $3:x_drawable { list_property get_property set_property };
-+
-+	# X Windows
-+	# operations allowed on root windows
-+	allow $3 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive read write manage setattr show override destroy create hide };
-+
-+	# operations allowed on my windows
-+	allow $3 $3:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
-+	type_transition $2_t x_rootwindow_t:x_drawable $2_t;
-+
-+	# X Colormaps
-+	# can use the default colormap
-+	allow $3 x_rootcolormap_t:x_colormap { read use add_color install uninstall };
-+
-+	allow $3 $3:x_client destroy;
-+	allow $3 $3:x_drawable { receive get_property getattr list_child };
-+
-+	# X Input
-+	# can receive own events
-+	allow $3 input_xevent_t:{ x_event x_synthetic_event } receive;
-+	allow $3 $3:{ x_event x_synthetic_event } { send receive };
-+
 +	type_transition $2_t input_xevent_t:x_event $2_t;
 +	type_transition $2_t property_xevent_t:x_event $2_t;
 +	type_transition $2_t focus_xevent_t:x_event $2_t;
 +	type_transition $2_t manage_xevent_t:x_event $2_t;
 +	type_transition $2_t default_xevent_t:x_event $2_t;
 +
-+	allow $3 default_xevent_t:x_event receive;
-+
 +	type_transition $2_t client_xevent_t:x_event $2_t;
 +
-+	# can receive certain root window events
-+	allow $3 focus_xevent_t:x_event receive;
-+	allow $3 property_xevent_t:x_event receive;
-+	allow $3 client_xevent_t:x_synthetic_event receive;
-+	allow $3 manage_xevent_t:x_synthetic_event receive;
-+	# can send ICCCM events to myself
-+	allow $3 $3:x_synthetic_event send;
-+	# can send ICCCM events to the root window
-+	allow $3 manage_xevent_t:x_synthetic_event send;
-+	allow $3 client_xevent_t:x_synthetic_event send;
-+
-+	# X Selections
-+	# can use the clipboard
-+	allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
-+	# can query all other selections
-+	allow $3 default_xselection_t:x_selection { getattr setattr read };
-+
-+	# Other X Objects
-+	# can create and use cursors
-+	allow $3 $3:x_cursor *;
-+	# can create and use graphics contexts
-+	allow $3 $3:x_gc *;
-+	# can create and use colormaps
-+	allow $3 $3:x_colormap *;
-+	# can read and write own objects
-+	allow $3 $3:x_resource { read write };
-+
-+	allow $3 screensaver_xext_t:x_extension { use };
-+	allow $3 unknown_xext_t:x_extension { use };
-+
-+	allow $3 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr };
-+
-+        allow $3 disallowed_xext_t:x_extension { use };
++	xserver_common_app_template($3)
 +
 +	tunable_policy(`! xserver_object_manager',`
 +		# should be xserver_unconfined($3),
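Review bot: The two `type_transition` rules on `default_xproperty_t:x_property` and `x_rootwindow_t:x_drawable` are deleted here together with the allow rules, while the `x_event` transitions stay in place. `xserver_common_app_template` is called with the single argument `$3` and its body is not in this hunk, so it is not evident that it can recreate transitions keyed on `$2_t`. If it does not, properties and windows created by the client would presumably no longer be labelled with the client's type. Either keep those two lines next to the retained `x_event` transitions or confirm the shared template covers them. The removed block also carried the comments explaining why server grab, override-redirect and focus access are granted to every client, and those should survive in the shared template; the enclosing template starts and ends outside this hunk.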
@@ -24201,7 +24394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	')
  ')
  
-@@ -593,26 +1040,44 @@
+@@ -593,26 +1106,44 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -24253,14 +24446,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -638,10 +1103,77 @@
+@@ -638,10 +1169,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
 -		type $1_xauth_t, xauth_exec_t;
 +		type xauth_exec_t, xauth_t;
-+	')
-+
+ 	')
+ 
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	domtrans_pattern($2, xauth_exec_t, xauth_t)
 +')
 +
@@ -24292,9 +24486,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +template(`xserver_read_user_xauth',`
 +	gen_require(`
 +		type user_xauth_home_t;
- 	')
- 
--	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
++	')
++
 +	allow $2 user_xauth_home_t:file { getattr read };
 +')
 +
@@ -24333,7 +24526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -671,10 +1203,10 @@
+@@ -671,10 +1269,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -24346,7 +24539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -760,7 +1292,7 @@
+@@ -760,7 +1358,7 @@
  		type xconsole_device_t;
  	')
  
@@ -24355,7 +24548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -860,6 +1392,25 @@
+@@ -860,6 +1458,25 @@
  
  ########################################
  ## <summary>
@@ -24381,7 +24574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1465,7 @@
+@@ -914,6 +1531,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -24389,7 +24582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -955,6 +1507,24 @@
+@@ -955,6 +1573,24 @@
  
  ########################################
  ## <summary>
@@ -24414,7 +24607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -965,15 +1535,47 @@
+@@ -965,15 +1601,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -24463,7 +24656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1725,7 @@
+@@ -1123,7 +1791,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -24472,7 +24665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1312,3 +1914,82 @@
+@@ -1312,3 +1980,83 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -24555,9 +24748,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 +	typeattribute $1 xserver_unconfined_type;
 +')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-03-06 15:35:49.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-03-10 14:23:28.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -24621,6 +24815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +type debug_xext_t, xextension_type;
 +type default_xevent_t, xevent_type;
 +type default_xproperty_t, xproperty_type;
++type info_xproperty_t, xproperty_type;
 +type default_xselection_t, xselection_type;
 +type disallowed_xext_t, xextension_type;
 +type focus_xevent_t, xevent_type;
@@ -24630,7 +24825,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -application_executable_file(iceauth_exec_t)
 +application_domain(iceauth_t,iceauth_exec_t)
  
-+type info_xproperty_t, xproperty_type;
 +type input_xevent_t, xevent_type;
 +type manage_xevent_t, xevent_type;
 +type output_xext_t, xextension_type;
@@ -24977,7 +25171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +610,138 @@
+@@ -429,47 +610,139 @@
  ')
  
  optional_policy(`
@@ -25135,6 +25329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +allow xserver_unconfined_type xextension_type:x_extension *;
 +allow xserver_unconfined_type { x_domain x_server_domain self }:x_resource *;
 +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
++allow xserver_unconfined_type xserver_unconfined_type:x_property *;
 +
 +gen_require(`
 +	attribute domain;
@@ -25718,7 +25913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
 -
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-02-26 14:08:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-03-10 12:24:38.000000000 -0400
 @@ -211,6 +211,13 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -25747,7 +25942,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  ')
  
-@@ -540,18 +547,19 @@
+@@ -463,11 +470,12 @@
+ interface(`init_telinit',`
+ 	gen_require(`
+ 		type initctl_t;
++		type init_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+-
++	allow $1 init_t:unix_dgram_socket sendto;
+ 	init_exec($1)
+ ')
+ 
+@@ -540,18 +548,19 @@
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
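Review bot: The new `allow $1 init_t:unix_dgram_socket sendto;` in `init_telinit` has no comment saying which telinit path needs to send datagrams to init, although it sits next to the existing `initctl_t` fifo rule, which already covers the classic control channel. A one-line why-comment above it, e.g. `# telinit also sends to init over a unix datagram socket (confirm which init implementation)`, would let a later reviewer judge whether the rule is still needed. The same change removes the blank line that separated the allow rules from `init_exec($1)`; keeping it preserves the file's layout. The interface's summary block is outside this hunk.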
@@ -25771,7 +25980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  ')
  
-@@ -567,23 +575,70 @@
+@@ -567,19 +576,66 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -25819,11 +26028,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 $2:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -25836,17 +26045,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
-@@ -609,11 +664,11 @@
+ ')
+ 
+ ########################################
+@@ -609,11 +665,11 @@
  # cjp: added for gentoo integrated run_init
  interface(`init_script_file_domtrans',`
  	gen_require(`
@@ -25860,7 +26065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -684,11 +739,11 @@
+@@ -684,11 +740,11 @@
  #
  interface(`init_getattr_script_files',`
  	gen_require(`
@@ -25874,7 +26079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -703,11 +758,11 @@
+@@ -703,11 +759,11 @@
  #
  interface(`init_exec_script_files',`
  	gen_require(`
@@ -25888,7 +26093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -931,6 +986,7 @@
+@@ -931,6 +987,7 @@
  
  	dontaudit $1 initrc_t:unix_stream_socket connectto;
  ')
@@ -25896,7 +26101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ########################################
  ## <summary>
  ##	Send messages to init scripts over dbus.
-@@ -1030,11 +1086,11 @@
+@@ -1030,11 +1087,11 @@
  #
  interface(`init_read_script_files',`
  	gen_require(`
@@ -25910,7 +26115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -1097,6 +1153,25 @@
+@@ -1097,6 +1154,25 @@
  
  ########################################
  ## <summary>
@@ -25936,7 +26141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1252,7 +1327,7 @@
+@@ -1252,7 +1328,7 @@
  		type initrc_var_run_t;
  	')
  
@@ -25945,7 +26150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -1273,3 +1348,114 @@
+@@ -1273,3 +1349,114 @@
  	files_search_pids($1)
  	allow $1 initrc_var_run_t:file manage_file_perms;
  ')
@@ -26062,7 +26267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-02-26 10:49:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-07 16:07:39.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -26125,7 +26330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  # is ~sys_module really needed? observed: 
  # sys_boot
  # sys_tty_config
-@@ -102,6 +128,8 @@
+@@ -102,8 +128,11 @@
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
  
@@ -26133,8 +26338,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +
  corecmd_exec_chroot(init_t)
  corecmd_exec_bin(init_t)
++corecmd_exec_shell(init_t)
+ 
+ dev_read_sysfs(init_t)
  
-@@ -154,6 +182,8 @@
+@@ -154,6 +183,8 @@
  
  miscfiles_read_localization(init_t)
  
@@ -26143,7 +26351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -163,22 +193,31 @@
+@@ -163,22 +194,31 @@
  	fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
  ')
  
@@ -26182,7 +26390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  ########################################
-@@ -187,7 +226,7 @@
+@@ -187,7 +227,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -26191,7 +26399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  
-@@ -201,10 +240,9 @@
+@@ -201,10 +241,9 @@
  allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
  term_create_pty(initrc_t,initrc_devpts_t)
  
@@ -26204,7 +26412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
  manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -283,7 +321,6 @@
+@@ -283,7 +322,6 @@
  mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
@@ -26212,7 +26420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -496,6 +533,31 @@
+@@ -496,6 +534,31 @@
  	')
  ')
  
@@ -26244,7 +26452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -559,14 +621,6 @@
+@@ -559,14 +622,6 @@
  ')
  
  optional_policy(`
@@ -26259,7 +26467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	ftp_read_config(initrc_t)
  ')
  
-@@ -639,12 +693,6 @@
+@@ -639,12 +694,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -26272,7 +26480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -705,6 +753,9 @@
+@@ -705,6 +754,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -26282,7 +26490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -717,9 +768,11 @@
+@@ -717,9 +769,11 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -26297,7 +26505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -738,6 +791,11 @@
+@@ -738,6 +792,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -26309,7 +26517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -752,6 +810,10 @@
+@@ -752,6 +811,10 @@
  ')
  
  optional_policy(`
@@ -26320,7 +26528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -774,3 +836,4 @@
+@@ -774,3 +837,4 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -26716,8 +26924,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-02-26 08:29:22.000000000 -0500
-@@ -61,10 +61,23 @@
++++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-03-10 12:22:41.000000000 -0400
+@@ -61,10 +61,24 @@
  logging_log_file(var_log_t)
  files_mountpoint(var_log_t)
  
@@ -26729,6 +26937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +
  ifdef(`enable_mls',`
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
++	init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh)
  ')
  
 +type audisp_t;
@@ -26741,7 +26950,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ########################################
  #
  # Auditctl local policy
-@@ -171,6 +184,10 @@
+@@ -158,6 +172,7 @@
+ 
+ mls_file_read_all_levels(auditd_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_fd_use_all_levels(auditd_t)
+ 
+ seutil_dontaudit_read_config(auditd_t)
+ 
+@@ -171,6 +186,10 @@
  ')
  
  optional_policy(`
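Review bot: `mls_fd_use_all_levels(auditd_t)` is added without a rationale, unlike the `mls_file_write_all_levels(auditd_t)` line just above it, which says what it is for. The same applies to `mls_file_write_all_levels(audisp_t)` in the audisp hunk, `mls_process_write_to_clearance(insmod_t)` in modutils.te and `mls_fd_use_all_levels(setrans_t)` in setrans.te. Each of these exempts a domain from an MLS constraint, so a trailing comment in the style already used here (`# Need to be able to ...`) naming the denied access that motivated it would make the exemptions auditable. The audisp line also ends in a trailing space.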
@@ -26752,7 +26969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  	seutil_sigchld_newrole(auditd_t)
  ')
  
-@@ -208,6 +225,7 @@
+@@ -208,6 +227,7 @@
  
  fs_getattr_all_fs(klogd_t)
  fs_search_auto_mountpoints(klogd_t)
@@ -26760,7 +26977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
  domain_use_interactive_fds(klogd_t)
  
-@@ -252,7 +270,6 @@
+@@ -252,7 +272,6 @@
  dontaudit syslogd_t self:capability sys_tty_config;
  # setpgid for metalog
  allow syslogd_t self:process { signal_perms setpgid };
@@ -26768,7 +26985,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -327,6 +344,7 @@
+@@ -262,7 +281,7 @@
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow syslogd_t syslog_conf_t:file read_file_perms;
+-
++ 
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
+@@ -274,6 +293,9 @@
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+ 
++mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_fd_use_all_levels(syslogd_t)
++
+ # manage temporary files
+ manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
+ manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
+@@ -327,6 +349,7 @@
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
  corenet_tcp_connect_syslogd_port(syslogd_t)
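Review bot: The inner hunk `@@ -262,7 +281,7 @@` only replaces an empty line with a line holding a single space, which adds trailing whitespace to logging.te and changes nothing else; it can be dropped from the patch. On the substantive addition, the comment on `mls_file_write_all_levels(syslogd_t)` names the /var/run and /var/log directories, but the interface takes only the domain, so the exemption presumably applies to every file syslogd_t is otherwise allowed to write. The comment should say that rather than suggest a path-limited grant.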
@@ -26776,7 +27012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
  # syslog-ng can send or receive logs
  corenet_sendrecv_syslogd_client_packets(syslogd_t)
-@@ -344,14 +362,14 @@
+@@ -344,14 +367,14 @@
  # /initrd is not umounted before minilog starts
  files_dontaudit_search_isid_type_dirs(syslogd_t)
  
@@ -26793,7 +27029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  miscfiles_read_localization(syslogd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-@@ -380,15 +398,11 @@
+@@ -380,15 +403,11 @@
  ')
  
  optional_policy(`
@@ -26811,7 +27047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ')
  
  optional_policy(`
-@@ -399,3 +413,40 @@
+@@ -399,3 +418,37 @@
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -26841,17 +27077,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +
 +miscfiles_read_localization(audisp_t)
 +
++mls_file_write_all_levels(audisp_t) 
++
 +corecmd_search_bin(audisp_t)
 +allow audisp_t self:unix_dgram_socket create_socket_perms;
 +
 +logging_domtrans_audisp(auditd_t)
 +logging_audisp_signal(auditd_t)
 +
-+#gen_require(`
-+#	type zos_remote_exec_t, zos_remote_t;
-+#')
-+
-+#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-02-27 23:23:39.000000000 -0500
@@ -27109,8 +27342,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/modutils.te	2008-02-26 08:29:22.000000000 -0500
-@@ -42,7 +42,7 @@
++++ serefpolicy-3.3.1/policy/modules/system/modutils.te	2008-03-10 12:26:24.000000000 -0400
+@@ -22,6 +22,8 @@
+ type insmod_exec_t;
+ application_domain(insmod_t,insmod_exec_t)
+ mls_file_write_all_levels(insmod_t)
++mls_process_write_to_clearance(insmod_t)
++
+ role system_r types insmod_t;
+ 
+ type depmod_t;
+@@ -42,7 +44,7 @@
  # insmod local policy
  #
  
@@ -27119,7 +27361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms; 
-@@ -63,6 +63,7 @@
+@@ -63,6 +65,7 @@
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
  kernel_read_hotplug_sysctls(insmod_t)
@@ -27127,7 +27369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  files_read_kernel_modules(insmod_t)
  # for locking: (cjp: ????)
-@@ -76,9 +77,7 @@
+@@ -76,9 +79,7 @@
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -27138,7 +27380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  fs_getattr_xattr_fs(insmod_t)
  
-@@ -101,6 +100,7 @@
+@@ -101,6 +102,7 @@
  init_use_fds(insmod_t)
  init_use_script_fds(insmod_t)
  init_use_script_ptys(insmod_t)
@@ -27146,7 +27388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  libs_use_ld_so(insmod_t)
  libs_use_shared_libs(insmod_t)
-@@ -118,11 +118,28 @@
+@@ -118,11 +120,28 @@
  	')
  ')
  
@@ -27175,7 +27417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  	hotplug_search_config(insmod_t)
  ')
  
-@@ -155,10 +172,12 @@
+@@ -155,10 +174,12 @@
  
  optional_policy(`
  	rpm_rw_pipes(insmod_t)
@@ -27188,7 +27430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ')
  
  optional_policy(`
-@@ -185,6 +204,7 @@
+@@ -185,6 +206,7 @@
  
  files_read_kernel_symbol_table(depmod_t)
  files_read_kernel_modules(depmod_t)
@@ -27196,7 +27438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  fs_getattr_xattr_fs(depmod_t)
  
-@@ -208,9 +228,11 @@
+@@ -208,9 +230,11 @@
  
  # Read System.map from home directories.
  files_list_home(depmod_t)
@@ -27209,7 +27451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(depmod_t)
-@@ -219,11 +241,12 @@
+@@ -219,11 +243,12 @@
  
  optional_policy(`
  	# Read System.map from home directories.
@@ -27389,7 +27631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
 +/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
 --- nsaserefpolicy/policy/modules/system/qemu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if	2008-03-06 09:35:23.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if	2008-03-10 10:10:04.000000000 -0400
 @@ -0,0 +1,294 @@
 +
 +## <summary>policy for qemu</summary>
@@ -27605,7 +27847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
 +		type qemu_unconfined_t;
 +	')
 +
-+	qemu_domtrans($1)
++	qemu_domtrans_unconfined($1)
 +	allow qemu_unconfined_t $3:chr_file rw_file_perms;
 +')
 +
@@ -28320,7 +28562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.3.1/policy/modules/system/setrans.te
 --- nsaserefpolicy/policy/modules/system/setrans.te	2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/setrans.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/setrans.te	2008-03-10 11:01:35.000000000 -0400
 @@ -28,7 +28,7 @@
  #
  
@@ -28330,6 +28572,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran
  allow setrans_t self:unix_stream_socket create_stream_socket_perms;
  allow setrans_t self:unix_dgram_socket create_socket_perms;
  allow setrans_t self:netlink_selinux_socket create_socket_perms;
+@@ -58,6 +58,7 @@
+ mls_socket_write_all_levels(setrans_t)
+ mls_process_read_up(setrans_t)
+ mls_socket_read_all_levels(setrans_t)
++mls_fd_use_all_levels(setrans_t)
+ 
+ selinux_compute_access_vector(setrans_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-07-16 14:09:49.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if	2008-03-06 11:55:26.000000000 -0500
@@ -29265,7 +29515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-06 09:14:52.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-09 08:38:37.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -29750,7 +30000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -568,30 +553,31 @@
+@@ -568,30 +553,32 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -29795,10 +30045,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# Needed for escd, remove if we get escd policy
 -	xserver_manage_xdm_tmp_files($1_t)
 +	xserver_manage_xdm_tmp_files($1_usertype)
++	xserver_stream_connect_xdm_xserver($1_usertype)
  ')
  
  #######################################
-@@ -622,13 +608,7 @@
+@@ -622,13 +609,7 @@
  ## <summary>
  ##	The template for allowing the user to change roles.
  ## </summary>
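Review bot: `xserver_stream_connect_xdm_xserver($1_usertype)` is placed directly under the comment `# Needed for escd, remove if we get escd policy`, so it reads as part of the escd workaround and would be removed along with it. If the stream connection is wanted for every X client user type rather than for escd, give it its own comment or separate it with a blank line; if it is for escd, say so explicitly. The enclosing template, apparently `userdom_xwindows_client_template`, begins outside this hunk.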
@@ -29813,7 +30064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	<summary>
  ##	The prefix of the user domain (e.g., user
  ##	is the prefix for user_t).
-@@ -692,183 +672,194 @@
+@@ -692,183 +673,194 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -30089,7 +30340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -895,6 +886,8 @@
+@@ -895,6 +887,8 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -30098,7 +30349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_base_user_template($1)
  
  	userdom_manage_home_template($1)
-@@ -923,26 +916,26 @@
+@@ -923,26 +917,26 @@
  
  	allow $1_t self:context contains;
  
@@ -30139,7 +30390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	auth_dontaudit_write_login_records($1_t)
  
-@@ -950,43 +943,43 @@
+@@ -950,43 +944,43 @@
  
  	# The library functions always try to open read-write first,
  	# then fall back to read-only if it fails. 
@@ -30201,7 +30452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1020,9 +1013,6 @@
+@@ -1020,9 +1014,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -30211,7 +30462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1031,16 +1021,29 @@
+@@ -1031,16 +1022,29 @@
  	#
  
  	# privileged home directory writers
@@ -30247,7 +30498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1068,6 +1071,13 @@
+@@ -1068,6 +1072,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -30261,7 +30512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1076,14 +1086,16 @@
+@@ -1076,14 +1087,16 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -30283,7 +30534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1103,25 @@
+@@ -1091,32 +1104,25 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -30325,7 +30576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1127,10 +1132,10 @@
+@@ -1127,10 +1133,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -30340,7 +30591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1193,12 +1198,11 @@
+@@ -1193,12 +1199,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -30355,7 +30606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1207,7 +1211,27 @@
+@@ -1207,7 +1212,27 @@
  	')
  
  	optional_policy(`
@@ -30384,7 +30635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1284,8 +1308,6 @@
+@@ -1284,8 +1309,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -30393,7 +30644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1363,13 +1385,6 @@
+@@ -1363,13 +1386,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -30407,7 +30658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		userhelper_exec($1_t)
  	')
-@@ -1422,6 +1437,7 @@
+@@ -1422,6 +1438,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -30415,7 +30666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1787,10 +1803,14 @@
+@@ -1787,10 +1804,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -30431,7 +30682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1886,11 +1906,11 @@
+@@ -1886,11 +1907,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -30445,7 +30696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1920,11 +1940,11 @@
+@@ -1920,11 +1941,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -30459,7 +30710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1968,12 +1988,12 @@
+@@ -1968,12 +1989,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -30475,7 +30726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2003,10 +2023,10 @@
+@@ -2003,10 +2024,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -30488,7 +30739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2038,11 +2058,47 @@
+@@ -2038,11 +2059,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -30538,7 +30789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2074,10 +2130,10 @@
+@@ -2074,10 +2131,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -30551,7 +30802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2107,11 +2163,11 @@
+@@ -2107,11 +2164,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -30565,7 +30816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2141,11 +2197,11 @@
+@@ -2141,11 +2198,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -30580,7 +30831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2175,10 +2231,14 @@
+@@ -2175,10 +2232,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -30597,7 +30848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2208,11 +2268,11 @@
+@@ -2208,11 +2269,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -30611,7 +30862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2242,11 +2302,11 @@
+@@ -2242,11 +2303,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -30625,7 +30876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2276,10 +2336,10 @@
+@@ -2276,10 +2337,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -30638,7 +30889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2311,12 +2371,12 @@
+@@ -2311,12 +2372,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -30654,7 +30905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2348,10 +2408,10 @@
+@@ -2348,10 +2409,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -30667,7 +30918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2383,12 +2443,12 @@
+@@ -2383,12 +2444,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -30683,7 +30934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2420,12 +2480,12 @@
+@@ -2420,12 +2481,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -30699,7 +30950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2457,12 +2517,12 @@
+@@ -2457,12 +2518,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -30715,7 +30966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2507,11 +2567,11 @@
+@@ -2507,11 +2568,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -30729,7 +30980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2556,11 +2616,11 @@
+@@ -2556,11 +2617,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -30743,7 +30994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2600,11 +2660,11 @@
+@@ -2600,11 +2661,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -30757,7 +31008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2634,11 +2694,11 @@
+@@ -2634,11 +2695,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -30771,7 +31022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2668,11 +2728,11 @@
+@@ -2668,11 +2729,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -30785,7 +31036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2704,10 +2764,10 @@
+@@ -2704,10 +2765,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -30798,7 +31049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2739,10 +2799,10 @@
+@@ -2739,10 +2800,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -30811,7 +31062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2772,12 +2832,12 @@
+@@ -2772,12 +2833,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -30827,7 +31078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2809,10 +2869,10 @@
+@@ -2809,10 +2870,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -30840,7 +31091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2844,10 +2904,48 @@
+@@ -2844,10 +2905,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -30891,7 +31142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2877,12 +2975,12 @@
+@@ -2877,12 +2976,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -30907,7 +31158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2914,10 +3012,10 @@
+@@ -2914,10 +3013,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -30920,7 +31171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2949,12 +3047,12 @@
+@@ -2949,12 +3048,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -30936,7 +31187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2986,11 +3084,11 @@
+@@ -2986,11 +3085,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -30950,7 +31201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3022,11 +3120,11 @@
+@@ -3022,11 +3121,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -30964,7 +31215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3058,11 +3156,11 @@
+@@ -3058,11 +3157,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -30978,7 +31229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3094,11 +3192,11 @@
+@@ -3094,11 +3193,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -30992,7 +31243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3130,11 +3228,11 @@
+@@ -3130,11 +3229,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -31006,7 +31257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3179,10 +3277,10 @@
+@@ -3179,10 +3278,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -31019,7 +31270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_tmp($2)
  ')
  
-@@ -3223,10 +3321,10 @@
+@@ -3223,10 +3322,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -31032,7 +31283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3254,6 +3352,42 @@
+@@ -3254,6 +3353,42 @@
  ##	</summary>
  ## </param>
  #
@@ -31075,7 +31326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -4231,11 +4365,11 @@
+@@ -4231,11 +4366,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -31089,7 +31340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4251,10 +4385,10 @@
+@@ -4251,10 +4386,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -31102,7 +31353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4270,11 +4404,11 @@
+@@ -4270,11 +4405,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -31116,7 +31367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4289,16 +4423,16 @@
+@@ -4289,16 +4424,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -31136,7 +31387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4441,27 @@
+@@ -4307,12 +4442,27 @@
  ##	</summary>
  ## </param>
  #
@@ -31167,7 +31418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4327,13 +4476,13 @@
+@@ -4327,13 +4477,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -31185,7 +31436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4531,10 +4680,10 @@
+@@ -4531,10 +4681,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -31198,7 +31449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4551,10 +4700,10 @@
+@@ -4551,10 +4701,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -31211,7 +31462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4569,10 +4718,10 @@
+@@ -4569,10 +4719,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -31224,7 +31475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4588,10 +4737,10 @@
+@@ -4588,10 +4738,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -31237,7 +31488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4606,10 +4755,10 @@
+@@ -4606,10 +4756,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -31250,7 +31501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4625,10 +4774,10 @@
+@@ -4625,10 +4775,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -31263,7 +31514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4644,12 +4793,11 @@
+@@ -4644,12 +4794,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -31279,7 +31530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4676,10 +4824,10 @@
+@@ -4676,10 +4825,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -31292,7 +31543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4694,10 +4842,10 @@
+@@ -4694,10 +4843,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -31305,7 +31556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4712,13 +4860,13 @@
+@@ -4712,13 +4861,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -31323,7 +31574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4754,11 +4902,49 @@
+@@ -4754,11 +4903,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -31374,7 +31625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4778,6 +4964,14 @@
+@@ -4778,6 +4965,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -31389,7 +31640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4839,6 +5033,26 @@
+@@ -4839,6 +5034,26 @@
  
  ########################################
  ## <summary>
@@ -31416,7 +31667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5073,25 @@
+@@ -4859,6 +5074,25 @@
  
  ########################################
  ## <summary>
@@ -31442,7 +31693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5112,26 @@
+@@ -4879,6 +5113,26 @@
  
  ########################################
  ## <summary>
@@ -31469,7 +31720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5368,7 @@
+@@ -5115,7 +5369,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -31478,7 +31729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5557,50 @@
+@@ -5304,6 +5558,50 @@
  
  ########################################
  ## <summary>
@@ -31529,7 +31780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +5806,42 @@
+@@ -5509,6 +5807,42 @@
  
  ########################################
  ## <summary>
@@ -31572,7 +31823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5674,6 +6007,42 @@
+@@ -5674,6 +6008,42 @@
  
  ########################################
  ## <summary>
@@ -31615,7 +31866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6073,368 @@
+@@ -5704,3 +6074,368 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -33213,11 +33464,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if
 +## <summary>Policy for user user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.3.1/policy/modules/users/user.te
 --- nsaserefpolicy/policy/modules/users/user.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/user.te	2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.3.1/policy/modules/users/user.te	2008-03-10 11:57:48.000000000 -0400
+@@ -0,0 +1,17 @@
 +policy_module(user,1.0.1)
 +userdom_unpriv_user_template(user)
 +
++optional_policy(`
++	kerneloops_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++	rpm_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++	setroubleshoot_dontaudit_stream_connect(user_t)
++')
++
++
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.3.1/policy/modules/users/webadm.fc
 --- nsaserefpolicy/policy/modules/users/webadm.fc	1969-12-31 19:00:00.000000000 -0500
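Review bot: The three `optional_policy` blocks added to user.te are all dontaudit calls (`kerneloops_dontaudit_dbus_chat`, `rpm_dontaudit_dbus_chat`, `setroubleshoot_dontaudit_stream_connect`), and nothing records why these attempts by `user_t` are expected. A dontaudit rule leaves the access denied but drops the AVC record, so anyone later reviewing audit logs for `user_t` activity against these services sees nothing unless dontaudit rules are disabled (for example with `semodule -DB`). I would add one comment above the blocks, such as `# dontaudit: <why user_t is expected to attempt these and be denied>`. As a smaller point, `policy_module(user,1.0.1)` is unchanged although the module gains rules, and the hunk adds two consecutive blank lines ahead of the existing trailing one.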