diff --git a/policy-20080710.patch b/policy-20080710.patch
index afa5c31..5d8bb6e 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -1691,8 +1691,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te	2008-07-28 08:40:54.000000000 -0400
-@@ -22,12 +22,16 @@
++++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te	2008-07-31 07:13:29.000000000 -0400
+@@ -22,12 +22,18 @@
  dev_read_urand(tmpreaper_t)
  
  fs_getattr_xattr_fs(tmpreaper_t)
@@ -1706,10 +1706,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
 +files_getattr_lost_found_dirs(tmpreaper_t)
 +files_getattr_all_dirs(tmpreaper_t)
 +files_getattr_all_files(tmpreaper_t)
++files_delete_usr_dirs(tmpreaper_t)
++files_delete_usr_files(tmpreaper_t)
  
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
-@@ -42,6 +46,26 @@
+@@ -42,6 +48,23 @@
  
  cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
  
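Review bot: The two added lines `files_delete_usr_dirs(tmpreaper_t)` and `files_delete_usr_files(tmpreaper_t)` let the temp cleaner delete anything labelled usr_t, and nothing in the hunk records why. If the intent is to remove usr_t-labelled files that were moved into /tmp (an assumption; the hunk does not say), state it in a comment such as `# usr_t files moved into /tmp keep their label; let tmpreaper remove them`. Because usr_t is also the default label for /usr content, policy no longer stops a misdirected cleanup path, so the directories tmpreaper is configured to sweep are worth confirming. The tmpreaper.te rule list continues outside this hunk.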
@@ -1717,9 +1719,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
 +userdom_delete_all_users_home_content_files(tmpreaper_t)
 +userdom_delete_all_users_home_content_symlinks(tmpreaper_t)
 +
-+files_manage_isid_type_dirs(tmpreaper_t)
-+files_delete_isid_type_files(tmpreaper_t)
-+
 +optional_policy(`
 +	amavis_manage_spool_files(tmpreaper_t)
 +')
@@ -5195,7 +5194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.1/policy/modules/apps/qemu.if
 --- nsaserefpolicy/policy/modules/apps/qemu.if	2008-07-10 14:13:44.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/apps/qemu.if	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/apps/qemu.if	2008-08-01 08:42:09.000000000 -0400
 @@ -104,7 +104,71 @@
  
  ########################################
@@ -5306,91 +5305,94 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if 
  ##	Creates types and rules for a basic
  ##	qemu process domain.
  ## </summary>
-@@ -133,24 +227,23 @@
+@@ -132,86 +226,91 @@
+ ## </param>
  #
  template(`qemu_domain_template',`
++	gen_require(`
++		attribute qemutype;
++	')
  
 -	##############################
 -	#
 -	# Local Policy
 -	#
 -
- 	type $1_t;
+-	type $1_t;
++	type $1_t, qemutype;
  	domain_type($1_t)
  
  	type $1_tmp_t;
  	files_tmp_file($1_tmp_t)
  
+-	##############################
+-	#
+-	# Local Policy
+-	#
+-
+-	allow $1_t self:capability { dac_read_search dac_override };
+-	allow $1_t self:process { execstack execmem signal getsched };
+-	allow $1_t self:fifo_file rw_file_perms;
+-	allow $1_t self:shm create_shm_perms;
+-	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+-	allow $1_t self:tcp_socket create_stream_socket_perms;
 +	type $1_tmpfs_t;
 +	files_tmpfs_file($1_tmpfs_t)
 +
- 	##############################
- 	#
- 	# Local Policy
- 	#
- 
- 	allow $1_t self:capability { dac_read_search dac_override };
--	allow $1_t self:process { execstack execmem signal getsched };
-+	allow $1_t self:process { execstack execmem signal getsched signull };
++	type $1_image_t;
++	virt_image($1_image_t)
 +
- 	allow $1_t self:fifo_file rw_file_perms;
- 	allow $1_t self:shm create_shm_perms;
- 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
-@@ -160,6 +253,11 @@
++	manage_dirs_pattern($1, $1_image_t, $1_image_t)
++	manage_files_pattern($1, $1_image_t, $1_image_t)
++	read_lnk_files_pattern($1, $1_image_t, $1_image_t)
++	rw_blk_files_pattern($1, $1_image_t, $1_image_t)
+ 
+ 	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
  
+-	kernel_read_system_state($1_t)
+-
+-	corenet_all_recvfrom_unlabeled($1_t)
+-	corenet_all_recvfrom_netlabel($1_t)
+-	corenet_tcp_sendrecv_all_if($1_t)
+-	corenet_tcp_sendrecv_all_nodes($1_t)
+-	corenet_tcp_sendrecv_all_ports($1_t)
+-	corenet_tcp_bind_all_nodes($1_t)
+-	corenet_tcp_bind_vnc_port($1_t)
+-	corenet_rw_tun_tap_dev($1_t)
+-
+-#	dev_rw_kvm($1_t)
+-
+-	domain_use_interactive_fds($1_t)
+-
+-	files_read_etc_files($1_t)
+-	files_read_usr_files($1_t)
+-	files_read_var_files($1_t)
+-	files_search_all($1_t)
+-
+-	fs_list_inotifyfs($1_t)
+-	fs_rw_anon_inodefs_files($1_t)
+-	fs_rw_tmpfs_files($1_t)
+-
+-	storage_raw_write_removable_device($1_t)
+-	storage_raw_read_removable_device($1_t)
+-
+-	term_use_ptmx($1_t)
+-	term_getattr_pty_fs($1_t)
+-	term_use_generic_ptys($1_t)
+-
+-	libs_use_ld_so($1_t)
+-	libs_use_shared_libs($1_t)
+-
+-	miscfiles_read_localization($1_t)
 +	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
-+
- 	kernel_read_system_state($1_t)
- 
- 	corenet_all_recvfrom_unlabeled($1_t)
-@@ -171,7 +269,10 @@
- 	corenet_tcp_bind_vnc_port($1_t)
- 	corenet_rw_tun_tap_dev($1_t)
- 
--#	dev_rw_kvm($1_t)
-+	dev_read_sound($1_t)
-+	dev_write_sound($1_t)
-+	dev_rw_kvm($1_t)
-+	dev_rw_qemu($1_t)
- 
- 	domain_use_interactive_fds($1_t)
- 
-@@ -191,6 +292,8 @@
- 	term_getattr_pty_fs($1_t)
- 	term_use_generic_ptys($1_t)
- 
-+	auth_use_nsswitch($1_t)
-+
- 	libs_use_ld_so($1_t)
- 	libs_use_shared_libs($1_t)
- 
-@@ -198,9 +301,9 @@
- 
- 	sysnet_read_config($1_t)
- 
--#	optional_policy(`
--#		samba_domtrans_smb($1_t)
--#	')
-+	optional_policy(`
-+		samba_domtrans_smb($1_t)
-+	')
++')
  
- 	optional_policy(`
- 		virt_manage_images($1_t)
-@@ -212,6 +315,24 @@
- 		xserver_stream_connect_xdm_xserver($1_t)
- 		xserver_read_xdm_tmp_files($1_t)
- 		xserver_read_xdm_pid($1_t)
--#		xserver_xdm_rw_shm($1_t)
-+		xserver_xdm_rw_shm($1_t)
- 	')
- ')
-+
+-	sysnet_read_config($1_t)
 +########################################
 +## <summary>
 +##	Set the schedule on qemu.
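Review bot: In the rewritten `qemu_domain_template`, the four new image rules use `$1` as the source where the neighbouring tmp and tmpfs rules use `$1_t`, for example `manage_dirs_pattern($1, $1_image_t, $1_image_t)`. `$1` is the template prefix (the template declares `type $1_t, qemutype;`), so these appear to expand to a source that is not the domain type, and the domain would not gain access to its own image type. They should read `manage_dirs_pattern($1_t, $1_image_t, $1_image_t)`, and likewise for `manage_files_pattern`, `read_lnk_files_pattern` and `rw_blk_files_pattern`.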
@@ -5405,13 +5407,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if 
 +	gen_require(`
 +		type qemu_t;
 +	')
-+
+ 
+-#	optional_policy(`
+-#		samba_domtrans_smb($1_t)
+-#	')
 +	allow $1 qemu_t:process setsched;
 +')
+ 
+-	optional_policy(`
+-		virt_manage_images($1_t)
+-		virt_read_config($1_t)
+-		virt_read_lib_files($1_t)
++########################################
++## <summary>
++##	Execute qemu_exec_t 
++##	in the specified domain but do not
++##	do it automatically. This is an explicit
++##	transition, requiring the caller to use setexeccon().
++## </summary>
++## <desc>
++##	<p>
++##	Execute qemu_exec_t 
++##	in the specified domain.  This allows
++##	the specified domain to qemu programs
++##	on these filesystems in the specified
++##	domain.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`qemu_spec_domtrans',`
++	gen_require(`
++		type qemu_exec_t;
+ 	')
+ 
+-	optional_policy(`
+-		xserver_stream_connect_xdm_xserver($1_t)
+-		xserver_read_xdm_tmp_files($1_t)
+-		xserver_read_xdm_pid($1_t)
+-#		xserver_xdm_rw_shm($1_t)
+-	')
++	read_lnk_files_pattern($1,qemu_exec_t,qemu_exec_t)
++	domain_transition_pattern($1,qemu_exec_t,$2)
++
++	allow $3 $1:fd use;
++	allow $3 $1:fifo_file rw_fifo_file_perms;
++	allow $3 $1:process sigchld;
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.1/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2008-07-10 11:38:45.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/apps/qemu.te	2008-07-25 12:35:13.000000000 -0400
-@@ -13,6 +13,20 @@
++++ serefpolicy-3.5.1/policy/modules/apps/qemu.te	2008-08-01 08:11:51.000000000 -0400
+@@ -6,6 +6,8 @@
+ # Declarations
+ #
+ 
++attribute qemutype;
++
+ ## <desc>
+ ## <p>
+ ## Allow qemu to connect fully to the network
+@@ -13,6 +15,20 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
  
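Review bot: `qemu_spec_domtrans` documents two parameters (`domain`, `target_domain`) but its last three rules reference `$3`, which a two-argument call leaves empty: `allow $3 $1:fd use;`, `allow $3 $1:fifo_file rw_fifo_file_perms;`, `allow $3 $1:process sigchld;`. Since the transition rule above them targets `$2`, these presumably should be `allow $2 $1:fd use;`, `allow $2 $1:fifo_file rw_fifo_file_perms;` and `allow $2 $1:process sigchld;`. The `<desc>` text ("allows the specified domain to qemu programs on these filesystems") also reads as if copied from another interface and should be reworded for qemu.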
@@ -5432,7 +5496,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te 
  type qemu_exec_t;
  qemu_domain_template(qemu)
  application_domain(qemu_t, qemu_exec_t)
-@@ -35,6 +49,22 @@
+@@ -20,9 +36,74 @@
+ 
+ ########################################
+ #
++# qemu common policy
++#
++allow qemutype self:capability { dac_read_search dac_override };
++allow qemutype self:process { execstack execmem signal getsched signull };
++
++allow qemutype self:fifo_file rw_file_perms;
++allow qemutype self:shm create_shm_perms;
++allow qemutype self:unix_stream_socket create_stream_socket_perms;
++allow qemutype self:tcp_socket create_stream_socket_perms;
++
++kernel_read_system_state(qemutype)
++
++corenet_all_recvfrom_unlabeled(qemutype)
++corenet_all_recvfrom_netlabel(qemutype)
++corenet_tcp_sendrecv_all_if(qemutype)
++corenet_tcp_sendrecv_all_nodes(qemutype)
++corenet_tcp_sendrecv_all_ports(qemutype)
++corenet_tcp_bind_all_nodes(qemutype)
++corenet_tcp_bind_vnc_port(qemutype)
++corenet_rw_tun_tap_dev(qemutype)
++
++dev_read_sound(qemutype)
++dev_write_sound(qemutype)
++dev_rw_kvm(qemutype)
++dev_rw_qemu(qemutype)
++
++domain_use_interactive_fds(qemutype)
++
++files_read_etc_files(qemutype)
++files_read_usr_files(qemutype)
++files_read_var_files(qemutype)
++files_search_all(qemutype)
++
++fs_list_inotifyfs(qemutype)
++fs_rw_anon_inodefs_files(qemutype)
++fs_rw_tmpfs_files(qemutype)
++
++term_use_ptmx(qemutype)
++term_getattr_pty_fs(qemutype)
++term_use_generic_ptys(qemutype)
++
++auth_use_nsswitch(qemutype)
++
++libs_use_ld_so(qemutype)
++libs_use_shared_libs(qemutype)
++
++miscfiles_read_localization(qemutype)
++
++optional_policy(`
++	virt_read_config(qemutype)
++	virt_read_lib_files(qemutype)
++')
++
++optional_policy(`
++	xserver_stream_connect_xdm_xserver(qemutype)
++	xserver_read_xdm_tmp_files(qemutype)
++	xserver_read_xdm_pid(qemutype)
++	xserver_xdm_rw_shm(qemutype)
++')
++
++########################################
++#
+ # qemu local policy
+ #
+ 
++storage_raw_write_removable_device(qemu_t)
++storage_raw_read_removable_device(qemu_t)
++
+ tunable_policy(`qemu_full_network',`
+ 	allow qemu_t self:udp_socket create_socket_perms;
+ 
+@@ -35,6 +116,30 @@
  	corenet_tcp_connect_all_ports(qemu_t)
  ')
  
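Review bot: The new `# qemu common policy` section attaches `execstack`, `execmem`, `dac_override` and the bind and send/receive rules for all TCP ports to the `qemutype` attribute, with no comment saying which domains carry that attribute. I would add above the first rule: `# Applies to every domain declared through qemu_domain_template() (attribute qemutype).` It is worth stating there as well that the attribute should not be assigned to types outside the template, since doing so grants the whole set at once. The unconditional `corenet_tcp_sendrecv_all_ports(qemutype)` sits outside the `qemu_full_network` tunable; that matches the old template body, but confirm it is still intended for every qemutype domain.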
@@ -5445,6 +5584,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te 
 +')
 +
 +optional_policy(`
++	samba_domtrans_smb(qemu_t)
++')
++
++optional_policy(`
++	virt_manage_images(qemu_t)
++')
++
++optional_policy(`
 +	xen_rw_image_files(qemu_t)
 +')
 +
@@ -6050,7 +6197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshar
  		fs_manage_nfs_dirs($1_wireshark_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.1/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2008-07-10 11:38:44.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.fc	2008-07-29 15:02:20.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.fc	2008-07-30 15:57:01.000000000 -0400
 @@ -7,11 +7,11 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -6090,15 +6237,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -190,6 +189,7 @@
- /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
+@@ -184,12 +183,11 @@
+ /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Brother(/.*)?/lpd(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Printer(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
  /usr/local/linuxprinter/filters(/.*)?   gen_context(system_u:object_r:bin_t,s0)
  
 +/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -231,7 +231,6 @@
+@@ -231,7 +229,6 @@
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
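Review bot: Replacing the `cupswrapper` and `lpd` entries with `/usr/local/Brother(/.*)?` and `/usr/local/Printer(/.*)?` labels every file under those trees `bin_t`, including data and configuration files that are not programs. The `inf` directories keep `cupsd_rw_etc_t` only because of the more specific entries in cups.fc, so the two files now depend on each other. A comment beside the new lines, e.g. `# vendor driver trees: everything bin_t except inf/ (see cups.fc)`, would make that visible. If only the driver binaries need `bin_t`, keeping the narrower patterns avoids putting an executable label on non-program files.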
@@ -6106,7 +6261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -292,3 +291,13 @@
+@@ -292,3 +289,13 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -6122,7 +6277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.1/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2008-06-12 23:25:03.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.if	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/kernel/corecommands.if	2008-08-01 08:34:00.000000000 -0400
 @@ -894,6 +894,7 @@
  
  	read_lnk_files_pattern($1,bin_t,bin_t)
@@ -6133,7 +6288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.1/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-06-12 23:25:03.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/kernel/corenetwork.te.in	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/kernel/corenetwork.te.in	2008-08-01 11:17:33.000000000 -0400
 @@ -75,6 +75,7 @@
  network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
  network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
@@ -6211,7 +6366,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
  network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
  network_port(spamd, tcp,783,s0)
-@@ -170,7 +181,12 @@
+@@ -165,12 +176,17 @@
+ network_port(syslogd, udp,514,s0)
+ network_port(telnetd, tcp,23,s0)
+ network_port(tftp, udp,69,s0)
+-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
++network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+ network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
  network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
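Review bot: Adding `tcp,9051` to `network_port(tor, ...)` gives Tor's default control port the same `tor_port_t` label as the relay and SOCKS ports already listed. Any domain that policy allows to connect to `tor_port_t` for proxying can then also reach the control port as far as SELinux is concerned. If only the daemon needs to bind 9051, consider a separate port type for it. Otherwise add a comment recording that sharing the label is intentional and that access then relies on Tor's own control-port authentication.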
@@ -12371,18 +12532,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.1/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/clamav.fc	2008-07-25 12:35:13.000000000 -0400
-@@ -5,16 +5,20 @@
++++ serefpolicy-3.5.1/policy/modules/services/clamav.fc	2008-07-30 15:27:51.000000000 -0400
+@@ -5,16 +5,18 @@
  /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
  
  /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
 +/usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
  
  /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
- /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
- /var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
- /var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
-+/var/run/clamav-milter(/.*)?		gen_context(system_u:object_r:clamd_var_run_t,s0)
+-/var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
+-/var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+-/var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
++/var/run/clamav.*			gen_context(system_u:object_r:clamd_var_run_t,s0)
++/var/run/clamd.*			gen_context(system_u:object_r:clamd_var_run_t,s0)
  
  /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
  
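Review bot: The new patterns `/var/run/clamav.*` and `/var/run/clamd.*` are prefix matches, so any entry in /var/run whose name merely begins with `clamav` or `clamd` is labelled `clamd_var_run_t`, where the removed lines required a `/` or a literal `.` after the name. That covers `clamav-milter`, which appears to be the goal, but it is broader than needed. `/var/run/clamav(-milter)?(/.*)?` together with the two escaped `\..*` forms would keep the old precision; otherwise add a comment that the prefix match is deliberate.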
@@ -12545,7 +12707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.1/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/clamav.te	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/clamav.te	2008-07-30 15:31:06.000000000 -0400
 @@ -13,7 +13,7 @@
  
  # configuration files
@@ -12596,6 +12758,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  ########################################
  #
  # Freshclam local policy
+@@ -197,7 +210,7 @@
+ allow clamscan_t self:fifo_file rw_file_perms;
+ allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
+ allow clamscan_t self:unix_dgram_socket create_socket_perms;
+-allow clamscan_t self:tcp_socket { listen accept };
++allow clamscan_t self:tcp_socket create_stream_socket_perms;
+ 
+ # configuration files
+ allow clamscan_t clamd_etc_t:dir list_dir_perms;
 @@ -233,3 +246,7 @@
  optional_policy(`
  	apache_read_sys_content(clamscan_t)
@@ -13545,7 +13716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.1/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/cups.fc	2008-07-29 15:03:16.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/cups.fc	2008-07-30 11:32:44.000000000 -0400
 @@ -8,24 +8,28 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13589,12 +13760,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -50,3 +54,12 @@
+@@ -50,3 +54,13 @@
  /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
  /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 +
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Brother/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +/etc/rc.d/init.d/cups	--	gen_context(system_u:object_r:cups_script_exec_t,s0)
@@ -15744,7 +15916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +/etc/rc.d/init.d/dovecot	--	gen_context(system_u:object_r:dovecot_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.1/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/dovecot.if	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/dovecot.if	2008-07-30 16:47:19.000000000 -0400
 @@ -21,7 +21,46 @@
  
  ########################################
@@ -18504,7 +18676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.1/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/mta.te	2008-07-28 08:30:18.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/mta.te	2008-07-30 09:59:10.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -18514,7 +18686,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  attribute mta_user_agent;
  attribute mailserver_delivery;
  attribute mailserver_domain;
-@@ -27,6 +29,7 @@
+@@ -20,13 +22,14 @@
+ files_config_file(etc_mail_t)
+ 
+ type mqueue_spool_t;
+-files_type(mqueue_spool_t)
++files_mountpoint(mqueue_spool_t)
+ 
+ type mail_spool_t;
+-files_type(mail_spool_t)
++files_mountpoint(mail_spool_t)
  
  type sendmail_exec_t;
  application_executable_file(sendmail_exec_t)
@@ -22298,7 +22479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.1/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/procmail.te	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/procmail.te	2008-07-30 16:18:46.000000000 -0400
 @@ -14,6 +14,10 @@
  type procmail_tmp_t;
  files_tmp_file(procmail_tmp_t)
@@ -22343,7 +22524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
  mta_manage_spool(procmail_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -103,6 +111,10 @@
+@@ -103,6 +111,14 @@
  ')
  
  optional_policy(`
@@ -22351,10 +22532,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 +')
 +
 +optional_policy(`
++	dovecot_domtrans_deliver(procmail_t)
++')
++
++optional_policy(`
  	munin_dontaudit_search_lib(procmail_t)
  ')
  
-@@ -117,11 +129,13 @@
+@@ -117,11 +133,13 @@
  
  optional_policy(`
  	pyzor_domtrans(procmail_t)
@@ -22368,7 +22553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
  	sendmail_rw_tcp_sockets(procmail_t)
  	sendmail_rw_unix_stream_sockets(procmail_t)
  ')
-@@ -130,7 +144,16 @@
+@@ -130,7 +148,16 @@
  	corenet_udp_bind_generic_port(procmail_t)
  	corenet_dontaudit_udp_bind_all_ports(procmail_t)
  
@@ -23139,6 +23324,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis
 +
 +	init_script_domtrans_spec($1,rdisc_script_exec_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.te serefpolicy-3.5.1/policy/modules/services/rdisc.te
+--- nsaserefpolicy/policy/modules/services/rdisc.te	2008-06-12 23:25:05.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/rdisc.te	2008-08-01 12:03:39.000000000 -0400
+@@ -45,6 +45,8 @@
+ libs_use_ld_so(rdisc_t)
+ libs_use_shared_libs(rdisc_t)
+ 
++miscfiles_read_localization(rdisc_t)
++
+ logging_send_syslog_msg(rdisc_t)
+ 
+ sysnet_read_config(rdisc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.5.1/policy/modules/services/remotelogin.te
 --- nsaserefpolicy/policy/modules/services/remotelogin.te	2008-06-12 23:25:05.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/services/remotelogin.te	2008-07-25 12:35:13.000000000 -0400
@@ -25667,8 +25864,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +/etc/rc.d/init.d/spamd	--	gen_context(system_u:object_r:spamd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.1/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/spamassassin.if	2008-07-30 09:34:32.000000000 -0400
-@@ -34,10 +34,11 @@
++++ serefpolicy-3.5.1/policy/modules/services/spamassassin.if	2008-08-01 12:25:22.000000000 -0400
+@@ -34,10 +34,10 @@
  # cjp: when tunables are available, spamc stuff should be
  # toggled on activation of spamc, and similarly for spamd.
  template(`spamassassin_per_role_template',`
@@ -25677,12 +25874,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  		type spamc_exec_t, spamassassin_exec_t;
 -		type spamd_t, spamd_tmp_t;
 +		type spamc_t, spamd_t, spamassassin_t, spamd_tmp_t;
-+		type spamassassin_home_t, spamassassin_tmp_t;
-+		type spamc_tmp_t;
++		type spamc_home_t, spamc_tmp_t;
  	')
  
  	##############################
-@@ -45,278 +46,26 @@
+@@ -45,278 +45,24 @@
  	# Declarations
  	#
  
@@ -25868,33 +26064,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 -	corecmd_read_bin_sockets($1_spamassassin_t)
 -
 -	domain_use_interactive_fds($1_spamassassin_t)
-+	typealias  spamc_t alias $1_spamc_t;
-+	role $3 types spamc_t;
- 
+-
 -	files_read_etc_files($1_spamassassin_t)
 -	files_read_etc_runtime_files($1_spamassassin_t)
 -	files_list_home($1_spamassassin_t)
 -	files_read_usr_files($1_spamassassin_t)
 -	files_dontaudit_search_var($1_spamassassin_t)
-+	typealias  spamassassin_t alias $1_spamassassin_t;
-+	role $3 types spamassassin_t;
++	typealias  spamc_t alias $1_spamc_t;
++	role $3 types spamc_t;
  
 -	libs_use_ld_so($1_spamassassin_t)
 -	libs_use_shared_libs($1_spamassassin_t)
-+	typealias spamassassin_home_t alias $1_spamassassin_home_t;
-+	typealias spamassassin_tmp_t alias $1_spamassassin_tmp_t;
-+	typealias spamc_tmp_t alias $1_spamc_tmp_t;
-+
-+	manage_dirs_pattern($2, spamassassin_home_t,spamassassin_home_t)
-+	manage_files_pattern($2, spamassassin_home_t,spamassassin_home_t)
-+	manage_lnk_files_pattern($2, spamassassin_home_t,spamassassin_home_t)
-+	relabel_dirs_pattern($2, spamassassin_home_t,spamassassin_home_t)
-+	relabel_files_pattern($2, spamassassin_home_t,spamassassin_home_t)
-+	relabel_lnk_files_pattern($2, spamassassin_home_t,spamassassin_home_t)
++	typealias  spamassassin_t alias $1_spamassassin_t;
++	role $3 types spamassassin_t;
  
 -	logging_send_syslog_msg($1_spamassassin_t)
-+	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
-+	domtrans_pattern($2, spamc_exec_t, spamc_t)
++	typealias spamc_home_t alias $1_spamassassin_home_t;
++	typealias spamc_tmp_t alias $1_spamassassin_tmp_t;
++	typealias spamc_tmp_t alias $1_spamc_tmp_t;
++
++	manage_dirs_pattern($2, spamc_home_t,spamc_home_t)
++	manage_files_pattern($2, spamc_home_t,spamc_home_t)
++	manage_lnk_files_pattern($2, spamc_home_t,spamc_home_t)
++	relabel_dirs_pattern($2, spamc_home_t,spamc_home_t)
++	relabel_files_pattern($2, spamc_home_t,spamc_home_t)
++	relabel_lnk_files_pattern($2, spamc_home_t,spamc_home_t)
  
 -	miscfiles_read_localization($1_spamassassin_t)
 -
@@ -25974,10 +26168,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 -		mta_read_config($1_spamassassin_t)
 -		sendmail_stub($1_spamassassin_t)
 -	')
++	domtrans_pattern($2, spamc_exec_t, spamc_t)
  ')
  
  ########################################
-@@ -370,7 +119,7 @@
+@@ -332,10 +78,10 @@
+ #
+ interface(`spamassassin_exec',`
+ 	gen_require(`
+-		type spamassassin_exec_t;
++		type spamc_exec_t;
+ 	')
+ 
+-	can_exec($1,spamassassin_exec_t)
++	can_exec($1,spamc_exec_t)
+ 
+ ')
+ 
+@@ -370,7 +116,7 @@
  #
  interface(`spamassassin_exec_spamd',`
  	gen_require(`
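Review bot: `spamassassin_exec` now requires and grants `can_exec` on `spamc_exec_t`, while its name and its interface documentation (outside this hunk) still describe the spamassassin program. The same retargeting happens in a later hunk, where `spamassassin_domtrans` is reduced to `spamassassin_domtrans_spamc($1)` under a summary that still says "Execute spamassassin in the user spamassassin domain". Callers of either interface silently get the spamc executable type and, for the transition, the `spamc_t` domain. Whether `spamassassin_exec_t` is aliased to `spamc_exec_t` is not visible here, so please confirm that and update both summaries, e.g. `##	Execute the spamassassin client (spamc_exec_t) in the caller domain.`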
@@ -25986,7 +26194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	')
  
  	can_exec($1,spamd_exec_t)
-@@ -398,11 +147,66 @@
+@@ -398,11 +144,66 @@
  ## </param>
  #
  template(`spamassassin_domtrans_user_client',`
@@ -26010,10 +26218,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +## </param>
 +#
 +interface(`spamassassin_domtrans_spamc',`
-+	gen_require(`
+ 	gen_require(`
+-		type $1_spamc_t, spamc_exec_t;
 +		type spamc_t, spamc_exec_t;
-+	')
-+
+ 	')
+ 
+-	domtrans_pattern($2,spamc_exec_t,$1_spamc_t)
 +	domtrans_pattern($1,spamc_exec_t,spamc_t)
 +	allow $1 spamc_exec_t:file ioctl;
 +')
@@ -26044,24 +26254,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +## </param>
 +#
 +template(`spamassassin_read_user_home_files',`
- 	gen_require(`
--		type $1_spamc_t, spamc_exec_t;
++	gen_require(`
 +		type spamassassin_home_t;
- 	')
- 
--	domtrans_pattern($2,spamc_exec_t,$1_spamc_t)
++	')
++
 +	allow $1 spamassassin_home_t:dir list_dir_perms;
 +	allow $1 spamassassin_home_t:file read_file_perms;
  ')
  
  ########################################
-@@ -446,11 +250,32 @@
+@@ -446,11 +247,27 @@
  ## </param>
  #
  template(`spamassassin_domtrans_user_local_client',`
+-	gen_require(`
+-		type $1_spamassassin_t, spamassassin_exec_t;
+-	')
 +	spamassassin_domtrans($2)
 +')
-+
+ 
+-	domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t)
 +########################################
 +## <summary>
 +##      Execute spamassassin in the user spamassassin domain.
@@ -26079,18 +26291,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +## </param>
 +#
 +interface(`spamassassin_domtrans',`
- 	gen_require(`
--		type $1_spamassassin_t, spamassassin_exec_t;
-+		type spamassassin_t, spamassassin_exec_t;
- 	')
- 
--	domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t)
-+	domtrans_pattern($1,spamassassin_exec_t,spamassassin_t)
-+	allow $1 spamassassin_exec_t:file ioctl;
++	spamassassin_domtrans_spamc($1)
  ')
  
  ########################################
-@@ -469,6 +294,7 @@
+@@ -469,6 +286,7 @@
  	')
  
  	files_search_var_lib($1)
@@ -26098,7 +26303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
  ')
  
-@@ -528,3 +354,133 @@
+@@ -528,3 +346,133 @@
  
  	dontaudit $1 spamd_tmp_t:sock_file getattr;
  ')
@@ -26234,7 +26439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.1/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/spamassassin.te	2008-07-30 09:37:58.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/spamassassin.te	2008-08-01 12:22:03.000000000 -0400
 @@ -21,8 +21,10 @@
  gen_tunable(spamd_enable_home_dirs,true)
  
@@ -26257,7 +26462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  type spamd_tmp_t;
  files_tmp_file(spamd_tmp_t)
  
-@@ -41,8 +46,22 @@
+@@ -41,8 +46,23 @@
  type spamd_var_run_t;
  files_pid_file(spamd_var_run_t)
  
@@ -26275,6 +26480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +type spamc_home_t;
 +userdom_user_home_content(user,spamc_home_t)
 +typealias spamc_home_t alias spamassassin_home_t;
++typealias spamc_home_t alias user_spamassassin_home_t;
 +
 +type spamc_tmp_t;
 +files_tmp_file(spamc_tmp_t)
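Review bot: The added `typealias spamc_home_t alias user_spamassassin_home_t;` is a second alias statement for the same type, directly under the existing one. The two can be written as one, `typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t };`, which keeps all legacy names for `spamc_home_t` together.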
@@ -26282,7 +26488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  
  ########################################
  #
-@@ -53,7 +72,7 @@
+@@ -53,7 +73,7 @@
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -26291,7 +26497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -71,6 +90,9 @@
+@@ -71,6 +91,9 @@
  allow spamd_t self:udp_socket create_socket_perms;
  allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
  
@@ -26301,7 +26507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
  manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
  files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
-@@ -81,10 +103,11 @@
+@@ -81,10 +104,11 @@
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -26314,7 +26520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
  
  kernel_read_all_sysctls(spamd_t)
-@@ -147,14 +170,33 @@
+@@ -147,14 +171,33 @@
  
  userdom_use_unpriv_users_fds(spamd_t)
  userdom_search_unpriv_users_home_dirs(spamd_t)
@@ -26349,7 +26555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -172,6 +214,7 @@
+@@ -172,6 +215,7 @@
  
  optional_policy(`
  	dcc_domtrans_client(spamd_t)
@@ -26357,7 +26563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -199,6 +242,10 @@
+@@ -199,6 +243,10 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -26368,7 +26574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  ')
  
  optional_policy(`
-@@ -213,3 +260,121 @@
+@@ -213,3 +261,121 @@
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -27226,7 +27432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.1/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/virt.if	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/virt.if	2008-08-01 08:40:25.000000000 -0400
 @@ -68,12 +68,30 @@
  ##	</summary>
  ## </param>
@@ -27282,7 +27488,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ########################################
  ## <summary>
  ##	Allow the specified domain to read virt's log files.
-@@ -214,6 +232,7 @@
+@@ -196,6 +214,35 @@
+ 
+ ########################################
+ ## <summary>
++##	Make the specified type usable as a virt image
++## </summary>
++## <desc>
++##	<p>
++##	Make the specified type usable as a virt image
++##	</p>
++## </desc>
++## <param name="type">
++##	<summary>
++##	Type to be used as a virtual image
++##	</summary>
++## </param>
++#
++#
++interface(`virt_image',`
++	gen_require(`
++		attribute virt_image_type;
++	')
++
++	typeattribute $1 virt_image_type;
++
++	files_type($1)
++
++	# virt images can be assigned to blk devices
++	dev_node($1)
++')
++
++########################################
++## <summary>
+ ##	Allow domain to manage virt image files
+ ## </summary>
+ ## <param name="domain">
+@@ -214,6 +261,7 @@
  	manage_dirs_pattern($1, virt_image_t, virt_image_t)
  	manage_files_pattern($1, virt_image_t, virt_image_t)
  	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
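Review bot: The doc header added for `virt_image` does not say what tagging a type actually grants. The companion change in virt.te adds `manage_files_pattern(virtd_t, virt_image_type, virt_image_type)`, so every type passed to this interface becomes manageable by virtd_t. The `<desc>` paragraph repeats the summary word for word and there is a doubled `#` line before `interface(`. I would use the desc for the consequence, e.g. `##	Files of a type given this attribute can be created, written and deleted by virtd_t.`, and drop the extra `#`. The context lines at the end of this hunk show the image-management interface still naming `virt_image_t` directly, so types added through `virt_image()` are presumably not covered there; worth confirming that is intended.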
@@ -27290,7 +27532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  	tunable_policy(`virt_use_nfs',`
  		fs_manage_nfs_dirs($1)
-@@ -243,10 +262,17 @@
+@@ -243,10 +291,17 @@
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t;
@@ -27310,7 +27552,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.1/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/virt.te	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/virt.te	2008-08-01 08:26:59.000000000 -0400
+@@ -1,6 +1,8 @@
+ 
+ policy_module(virt, 1.0.0)
+ 
++attribute virt_image_type;
++
+ ########################################
+ #
+ # Declarations
+@@ -28,9 +30,7 @@
+ 
+ # virt Image files
+ type virt_image_t; # customizable
+-files_type(virt_image_t)
+-# virt_image_t can be assigned to blk devices
+-dev_node(virt_image_t)
++virt_image(virt_image_t)
+ 
+ type virt_log_t;
+ logging_log_file(virt_log_t)
 @@ -45,13 +45,15 @@
  type virtd_exec_t;
  init_daemon_domain(virtd_t, virtd_exec_t)
@@ -27329,6 +27591,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  allow virtd_t self:fifo_file rw_file_perms;
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
  allow virtd_t self:tcp_socket create_stream_socket_perms;
+@@ -64,7 +66,7 @@
+ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+ 
+-manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
++manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+ 
+ manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+ manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
 @@ -82,6 +84,8 @@
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
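Review bot: Only the regular-file rule was moved to the attribute in `manage_files_pattern(virtd_t, virt_image_type, virt_image_type)`; no matching directory or block-device rule for `virt_image_type` is visible in this hunk. The `virt_image` interface calls `dev_node($1)` with the comment that images can be assigned to block devices, so a type tagged that way may still be unusable by virtd_t on a device node unless another rule elsewhere covers it. Because the attribute is open-ended, a why-comment above the rule would help later audits, e.g. `# any type tagged via virt_image() is writable by virtd_t; review new callers`.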
@@ -27532,7 +27803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/xserver.if	2008-07-29 15:12:59.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/xserver.if	2008-07-31 17:44:32.000000000 -0400
 @@ -16,7 +16,8 @@
  	gen_require(`
  		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -27832,7 +28103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -643,13 +624,175 @@
+@@ -643,11 +624,80 @@
  
  	xserver_read_xdm_tmp_files($2)
  
@@ -27874,7 +28145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +		attribute x_domain;
 +		type $1_xserver_t;
 +#		type $2_input_xevent_t;
-+	')
+ 	')
 +
 +#	typeattribute $2_input_xevent_t $1_input_xevent_type;
 +
@@ -27914,20 +28185,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 +	# setattr: metacity X11:InstallColormap
 +	allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr };
-+')
-+
-+#######################################
-+## <summary>
-+##	Interface to provide X object permissions on a given X server to
-+##	an X client domain.  Provides the minimal set required by a basic
-+##	X client application.
-+## </summary>
-+## <param name="user">
-+##	<summary>
-+##	The prefix of the X server domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
+ ')
+ 
+ #######################################
+@@ -662,6 +712,99 @@
+ ##	is the prefix for user_t).
+ ##	</summary>
+ ## </param>
 +## <param name="domain">
 +##	<summary>
 +##	Client domain allowed access.
@@ -27967,7 +28231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +		type manage_xevent_t, output_xext_t, property_xevent_t;
 +		type shmem_xext_t, xselection_t;
 +		attribute xevent_type, xextension_type;
- 	')
++	')
 +	# can receive certain root window events
 +	allow $2 self:x_cursor { destroy create use setattr };
 +	allow $2 self:x_drawable { write getattr read destroy create add_child };
@@ -28006,12 +28270,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 +#	xserver_use($1,$1,$2)
 +	xserver_use(xdm,$1,$2)
- ')
- 
++')
 +
- #######################################
- ## <summary>
- ##	Interface to provide X object permissions on a given X server to
++
++#######################################
++## <summary>
++##	Interface to provide X object permissions on a given X server to
++##	an X client domain.  Provides the minimal set required by a basic
++##	X client application.
++## </summary>
++## <param name="user">
++##	<summary>
++##	The prefix of the X server domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
+ ## <param name="prefix">
+ ##	<summary>
+ ##	The prefix of the X client domain (e.g., user
 @@ -676,7 +819,7 @@
  #
  template(`xserver_common_x_domain_template',`
@@ -28509,7 +28785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1686,8 +2039,87 @@
+@@ -1686,8 +2039,90 @@
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -28572,11 +28848,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +interface(`xserver_manage_home_fonts',`
 +	gen_require(`
 +		type fonts_home_t;
++		type fonts_config_home_t;
 +	')
 +
 +	manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
 +	manage_files_pattern($1, fonts_home_t, fonts_home_t)
 +	manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
++
++	manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t)
 +')
 +
 +########################################
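Review bot: In `xserver_manage_home_fonts` the new type `fonts_config_home_t` gets only `manage_files_pattern`, while `fonts_home_t` gets the dirs, files and lnk_files patterns. If the font configuration lives in a directory that carries `fonts_config_home_t` (not visible here), callers can edit files but not create the directory. Either add `manage_dirs_pattern($1, fonts_config_home_t, fonts_config_home_t)` or note in a comment that files-only access is deliberate. The require block could also follow the single-statement form used elsewhere in this file, `type fonts_home_t, fonts_config_home_t;`. The interface's doc header lies outside this hunk and presumably still describes fonts only.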
@@ -31298,7 +31577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.1/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/system/libraries.fc	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/system/libraries.fc	2008-08-01 10:49:58.000000000 -0400
 @@ -69,8 +69,10 @@
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
@@ -31370,7 +31649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -308,3 +313,11 @@
+@@ -308,3 +313,13 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -31382,6 +31661,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/oracle/.*/lib/libnnz10\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/opt/novell/groupwise/client/lib/libgwapijni\.so\.1	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.1/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2008-07-10 11:38:46.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/system/libraries.te	2008-07-25 12:35:13.000000000 -0400
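Review bot: The new `/opt/novell/groupwise/client/lib/libgwapijni\.so\.1` entry carries no comment saying why this library needs `textrel_shlib_t`. That label exists to permit text relocations, so each entry here relaxes the execmod protection for the file it matches, and an exception like this should record its reason. A one-line comment above it would do, e.g. `# GroupWise client JNI library requires text relocation`. The pattern pins the `.1` soname, so a later major version would fall back to the default label; that is the conservative direction, but worth stating if intended.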
@@ -34895,7 +35176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/system/userdomain.if	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/system/userdomain.if	2008-07-30 10:07:07.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')
@@ -34913,7 +35194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -45,66 +49,80 @@
+@@ -45,66 +49,82 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
  
@@ -35037,12 +35318,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	libs_use_shared_libs($1_usertype)
 +	libs_exec_ld_so($1_usertype)
 +
-+	miscfiles_read_localization($1_usertype)
 +	miscfiles_read_certs($1_usertype)
++	miscfiles_read_localization($1_usertype)
++	miscfiles_read_man_pages($1_usertype)
++	miscfiles_read_public_files($1_usertype)
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -115,6 +133,10 @@
+@@ -115,6 +135,10 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
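Review bot: `miscfiles_read_public_files($1_usertype)` is a new grant in this revision and `miscfiles_read_man_pages($1_usertype)` has been moved here from a later template (its removal appears in the `-927,70` hunk further down), yet neither has a comment explaining why every `$1_usertype` needs it. Since this block applies to the whole usertype attribute rather than `$1_t`, the read access now reaches any domain carrying that attribute. A short why-comment such as `# public content and man pages are readable by all user types` would make the widening explicit. The enclosing template starts before this hunk, so which user classes inherit it cannot be confirmed from here.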
@@ -35053,7 +35336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -141,33 +163,13 @@
+@@ -141,33 +165,13 @@
  #
  template(`userdom_ro_home_template',`
  	gen_require(`
@@ -35092,7 +35375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	##############################
  	#
-@@ -175,13 +177,14 @@
+@@ -175,13 +179,14 @@
  	#
  
  	# read-only home directory
@@ -35114,7 +35397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_list_home($1_t)
  
  	tunable_policy(`use_nfs_home_dirs',`
-@@ -190,9 +193,6 @@
+@@ -190,9 +195,6 @@
  		fs_read_nfs_symlinks($1_t)
  		fs_read_nfs_named_sockets($1_t)
  		fs_read_nfs_named_pipes($1_t)
@@ -35124,7 +35407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
-@@ -201,9 +201,6 @@
+@@ -201,9 +203,6 @@
  		fs_read_cifs_symlinks($1_t)
  		fs_read_cifs_named_sockets($1_t)
  		fs_read_cifs_named_pipes($1_t)
@@ -35134,7 +35417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -231,30 +228,14 @@
+@@ -231,30 +230,14 @@
  #
  template(`userdom_manage_home_template',`
  	gen_require(`
@@ -35171,7 +35454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	##############################
  	#
-@@ -262,43 +243,44 @@
+@@ -262,43 +245,44 @@
  	#
  
  	# full control of the home directory
@@ -35246,7 +35529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -316,14 +298,20 @@
+@@ -316,14 +300,20 @@
  ## <rolebase/>
  #
  template(`userdom_exec_home_template',`
@@ -35272,7 +35555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -341,11 +329,10 @@
+@@ -341,11 +331,10 @@
  ## <rolebase/>
  #
  template(`userdom_poly_home_template',`
@@ -35288,7 +35571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -369,18 +356,18 @@
+@@ -369,18 +358,18 @@
  #
  template(`userdom_manage_tmp_template',`
  	gen_require(`
@@ -35317,7 +35600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -396,7 +383,13 @@
+@@ -396,7 +385,13 @@
  ## <rolebase/>
  #
  template(`userdom_exec_tmp_template',`
@@ -35332,7 +35615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -439,18 +432,18 @@
+@@ -439,18 +434,18 @@
  #
  template(`userdom_manage_tmpfs_template',`
  	gen_require(`
@@ -35359,7 +35642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -468,17 +461,17 @@
+@@ -468,17 +463,17 @@
  #
  template(`userdom_untrusted_content_template',`
  	gen_require(`
@@ -35380,7 +35663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_tmp_file($1_untrusted_content_tmp_t)
  
  	# Allow user to relabel untrusted content
-@@ -510,10 +503,6 @@
+@@ -510,10 +505,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -35391,18 +35674,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -531,27 +520,20 @@
+@@ -531,27 +522,20 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
 -	gen_require(`
 -		type $1_t;
 -	')
- 
+-
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
-+	allow $1_usertype self:tcp_socket create_stream_socket_perms;
-+	allow $1_usertype self:udp_socket create_socket_perms;
  
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
@@ -35414,7 +35695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
--
++	allow $1_usertype self:tcp_socket create_stream_socket_perms;
++	allow $1_usertype self:udp_socket create_socket_perms;
+ 
 -	optional_policy(`
 -		ipsec_match_default_spd($1_t)
 -	')
@@ -35431,7 +35714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -568,30 +550,33 @@
+@@ -568,30 +552,33 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -35481,7 +35764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -622,13 +607,7 @@
+@@ -622,13 +609,7 @@
  ## <summary>
  ##	The template for allowing the user to change roles.
  ## </summary>
@@ -35496,7 +35779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	<summary>
  ##	The prefix of the user domain (e.g., user
  ##	is the prefix for user_t).
-@@ -692,188 +671,202 @@
+@@ -692,188 +673,202 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -35652,36 +35935,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +		optional_policy(`
 +			avahi_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
-+			bluetooth_dbus_chat($1_usertype)
-+		')
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			consolekit_dbus_chat($1_usertype)
-+			consolekit_read_log($1_usertype)
++			bluetooth_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1,$1_t)
 -			evolution_alarm_dbus_chat($1,$1_t)
-+			evolution_dbus_chat($1,$1_usertype)
-+			evolution_alarm_dbus_chat($1,$1_usertype)
++			consolekit_dbus_chat($1_usertype)
++			consolekit_read_log($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			networkmanager_dbus_chat($1_usertype)
++			evolution_dbus_chat($1,$1_usertype)
++			evolution_alarm_dbus_chat($1,$1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			vpnc_dbus_chat($1_usertype)
++			networkmanager_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
++			vpnc_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
 +			hal_dbus_chat($1_usertype)
  		')
  	')
@@ -35783,7 +36066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -895,9 +888,7 @@
+@@ -895,9 +890,7 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -35794,7 +36077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	userdom_base_user_template($1)
  
-@@ -927,70 +918,73 @@
+@@ -927,70 +920,72 @@
  
  	allow $1_t self:context contains;
  
@@ -35855,7 +36138,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	logging_dontaudit_getattr_all_logs($1_usertype)
  
 -	miscfiles_read_man_pages($1_t)
-+	miscfiles_read_man_pages($1_usertype)
  	# for running TeX programs
 -	miscfiles_read_tetex_data($1_t)
 -	miscfiles_exec_tetex_data($1_t)
@@ -35901,7 +36183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1024,9 +1018,6 @@
+@@ -1024,9 +1019,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -35911,7 +36193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1035,16 +1026,29 @@
+@@ -1035,16 +1027,29 @@
  	#
  
  	# privileged home directory writers
@@ -35948,7 +36230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1071,7 +1075,6 @@
+@@ -1071,7 +1076,6 @@
  template(`userdom_restricted_xwindows_user_template',`
  
  	userdom_restricted_user_template($1)
@@ -35956,7 +36238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1080,14 +1083,16 @@
+@@ -1080,14 +1084,16 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -35978,7 +36260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1095,28 +1100,23 @@
+@@ -1095,28 +1101,23 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -36014,7 +36296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1127,10 +1127,9 @@
+@@ -1127,10 +1128,9 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -36027,7 +36309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1164,7 +1163,6 @@
+@@ -1164,7 +1164,6 @@
  	# Need the following rule to allow users to run vpnc
  	corenet_tcp_bind_xserver_port($1_t)
  
@@ -36035,7 +36317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1182,36 +1180,45 @@
+@@ -1182,36 +1181,45 @@
  		')
  	')
  
@@ -36070,9 +36352,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
 -		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +		mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_stream_connect($1_t)
 +		nsplugin_per_role_template($1, $1_usertype, $1_r)
 +	')
 +
@@ -36086,15 +36369,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	optional_policy(`
 +		mono_per_role_template($1, $1_t, $1_r)
- 	')
- 
- 	optional_policy(`
--		setroubleshoot_stream_connect($1_t)
++	')
++
++	optional_policy(`
 +		gpg_per_role_template($1, $1_usertype, $1_r)
  	')
  ')
  
-@@ -1288,8 +1295,6 @@
+@@ -1288,8 +1296,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -36103,7 +36385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1311,8 +1316,6 @@
+@@ -1311,8 +1317,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -36112,7 +36394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1367,13 +1370,6 @@
+@@ -1367,13 +1371,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -36126,7 +36408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1425,6 +1421,7 @@
+@@ -1425,6 +1422,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -36134,7 +36416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1454,10 +1451,6 @@
+@@ -1454,10 +1452,6 @@
  	seutil_run_semanage($1,$2,$3)
  	seutil_run_setfiles($1, $2, $3)
  
@@ -36145,7 +36427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		aide_run($1,$2, $3)
  	')
-@@ -1477,12 +1470,30 @@
+@@ -1477,12 +1471,30 @@
  	optional_policy(`
  		netlabel_run_mgmt($1,$2, $3)
  	')
@@ -36176,7 +36458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## <param name="prefix">
  ##	<summary>
  ##	The prefix of the user role (e.g., user
-@@ -1492,8 +1503,7 @@
+@@ -1492,8 +1504,7 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_generic_user',`
@@ -36186,7 +36468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1520,14 +1530,23 @@
+@@ -1520,14 +1531,23 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_from_generic_user',`
@@ -36212,7 +36494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## <param name="prefix">
  ##	<summary>
  ##	The prefix of the user role (e.g., user
-@@ -1537,8 +1556,7 @@
+@@ -1537,8 +1557,7 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_staff',`
@@ -36222,7 +36504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1565,14 +1583,23 @@
+@@ -1565,14 +1584,23 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_from_staff',`
@@ -36248,7 +36530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## <param name="prefix">
  ##	<summary>
  ##	The prefix of the user role (e.g., user
-@@ -1582,8 +1609,7 @@
+@@ -1582,8 +1610,7 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_sysadm',`
@@ -36258,7 +36540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1610,14 +1636,23 @@
+@@ -1610,14 +1637,23 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_from_sysadm',`
@@ -36284,7 +36566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## <param name="prefix">
  ##	<summary>
  ##	The prefix of the user role (e.g., user
-@@ -1627,8 +1662,11 @@
+@@ -1627,8 +1663,11 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_secadm',`
@@ -36298,7 +36580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1655,14 +1693,27 @@
+@@ -1655,14 +1694,27 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_from_secadm',`
@@ -36328,7 +36610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## <param name="prefix">
  ##	<summary>
  ##	The prefix of the auditadm role (e.g., user
-@@ -1672,8 +1723,11 @@
+@@ -1672,8 +1724,11 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_auditadm',`
@@ -36342,7 +36624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1700,8 +1754,11 @@
+@@ -1700,8 +1755,11 @@
  ## <rolecap/>
  #
  template(`userdom_role_change_from_auditadm',`
@@ -36356,7 +36638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1734,11 +1791,15 @@
+@@ -1734,11 +1792,15 @@
  #
  template(`userdom_user_home_content',`
  	gen_require(`
@@ -36375,7 +36657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1834,11 +1895,11 @@
+@@ -1834,11 +1896,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -36389,7 +36671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1868,11 +1929,11 @@
+@@ -1868,11 +1930,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -36403,7 +36685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1916,12 +1977,12 @@
+@@ -1916,12 +1978,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -36419,7 +36701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1951,10 +2012,11 @@
+@@ -1951,10 +2013,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -36433,7 +36715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1986,11 +2048,47 @@
+@@ -1986,11 +2049,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -36483,7 +36765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2022,10 +2120,10 @@
+@@ -2022,10 +2121,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -36496,7 +36778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2055,11 +2153,11 @@
+@@ -2055,11 +2154,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -36510,7 +36792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2089,11 +2187,11 @@
+@@ -2089,11 +2188,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -36525,7 +36807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2123,10 +2221,14 @@
+@@ -2123,10 +2222,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -36542,7 +36824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2156,11 +2258,11 @@
+@@ -2156,11 +2259,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -36556,7 +36838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2190,11 +2292,11 @@
+@@ -2190,11 +2293,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -36570,7 +36852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2224,10 +2326,10 @@
+@@ -2224,10 +2327,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -36583,7 +36865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2259,12 +2361,12 @@
+@@ -2259,12 +2362,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -36599,7 +36881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2296,10 +2398,10 @@
+@@ -2296,10 +2399,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -36612,7 +36894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2331,12 +2433,12 @@
+@@ -2331,12 +2434,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -36628,7 +36910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2368,12 +2470,12 @@
+@@ -2368,12 +2471,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -36644,7 +36926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2405,12 +2507,12 @@
+@@ -2405,12 +2508,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -36660,7 +36942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2455,11 +2557,11 @@
+@@ -2455,11 +2558,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -36674,7 +36956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2504,11 +2606,11 @@
+@@ -2504,11 +2607,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -36688,7 +36970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2548,11 +2650,11 @@
+@@ -2548,11 +2651,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -36702,7 +36984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2582,11 +2684,11 @@
+@@ -2582,11 +2685,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -36716,7 +36998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2616,11 +2718,11 @@
+@@ -2616,11 +2719,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -36730,7 +37012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2652,10 +2754,10 @@
+@@ -2652,10 +2755,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -36743,7 +37025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2687,10 +2789,10 @@
+@@ -2687,10 +2790,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -36756,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2720,12 +2822,12 @@
+@@ -2720,12 +2823,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -36772,7 +37054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2757,10 +2859,10 @@
+@@ -2757,10 +2860,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -36785,7 +37067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2792,10 +2894,10 @@
+@@ -2792,10 +2895,10 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -36798,7 +37080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2825,12 +2927,12 @@
+@@ -2825,12 +2928,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -36814,7 +37096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2862,10 +2964,10 @@
+@@ -2862,10 +2965,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -36827,7 +37109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2897,12 +2999,12 @@
+@@ -2897,12 +3000,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -36843,7 +37125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2934,11 +3036,11 @@
+@@ -2934,11 +3037,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -36857,7 +37139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2970,11 +3072,11 @@
+@@ -2970,11 +3073,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -36871,7 +37153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3006,11 +3108,11 @@
+@@ -3006,11 +3109,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -36885,7 +37167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3042,11 +3144,11 @@
+@@ -3042,11 +3145,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -36899,7 +37181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3078,11 +3180,11 @@
+@@ -3078,11 +3181,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -36913,7 +37195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3127,10 +3229,10 @@
+@@ -3127,10 +3230,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -36926,7 +37208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_tmp($2)
  ')
  
-@@ -3171,19 +3273,19 @@
+@@ -3171,19 +3274,19 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -36950,7 +37232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -4609,11 +4711,11 @@
+@@ -4609,11 +4712,11 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -36964,13 +37246,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4633,9 +4735,17 @@
+@@ -4633,10 +4736,18 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
 -')
  
 -########################################
+-## <summary>
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_list_nfs($1)
 +	')
@@ -36981,10 +37264,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 +
 +########################################
- ## <summary>
++## <summary>
  ##	Search all users home directories.
  ## </summary>
-@@ -4670,6 +4780,8 @@
+ ## <param name="domain">
+@@ -4670,6 +4781,8 @@
  	')
  
  	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -36993,7 +37277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4714,6 +4826,25 @@
+@@ -4714,6 +4827,25 @@
  
  ########################################
  ## <summary>
@@ -37019,7 +37303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4939,7 +5070,7 @@
+@@ -4939,7 +5071,7 @@
  
  ########################################
  ## <summary>
@@ -37028,7 +37312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5311,6 +5442,42 @@
+@@ -5311,6 +5443,42 @@
  
  ########################################
  ## <summary>
@@ -37071,7 +37355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5361,7 +5528,7 @@
+@@ -5361,7 +5529,7 @@
  		attribute userdomain;
  	')
  
@@ -37080,7 +37364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -5476,6 +5643,42 @@
+@@ -5476,6 +5644,42 @@
  
  ########################################
  ## <summary>
@@ -37123,7 +37407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5506,3 +5709,525 @@
+@@ -5506,3 +5710,525 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -38089,7 +38373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.1/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt	2008-07-25 12:35:13.000000000 -0400
++++ serefpolicy-3.5.1/policy/support/obj_perm_sets.spt	2008-07-30 16:47:18.000000000 -0400
 @@ -316,3 +316,13 @@
  #
  define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')