+ ##
+@@ -276,9 +274,9 @@
+ xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
+
+ ifdef(`targeted_policy',`
+- unconfined_domain(xdm_t)
++# unconfined_domain(xdm_t)
+ unconfined_domtrans(xdm_t)
+- userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
++# userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
+
+ ifndef(`distro_redhat',`
+ allow xdm_t self:process { execheap execmem };
+@@ -321,6 +319,8 @@
+
+ optional_policy(`
+ consolekit_dbus_chat(xdm_t)
++ dbus_system_bus_client_template(xdm, xdm_t)
++ dbus_send_system_bus(xdm_t)
+ ')
+
+ optional_policy(`
+@@ -427,7 +427,7 @@
+ ')
+
+ ifdef(`targeted_policy',`
+- unconfined_domain_noaudit(xdm_xserver_t)
++# unconfined_domain_noaudit(xdm_xserver_t)
+ unconfined_domtrans(xdm_xserver_t)
+
+ ifndef(`distro_redhat',`
+@@ -449,28 +449,6 @@
+ ')
+
+ ifdef(`TODO',`
+-# Need to further investigate these permissions and
+-# perhaps define derived types.
+-allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
+-allow xdm_t var_lib_t:file { create write unlink };
+-
+-# Do not audit attempts to write to index files under /usr
+-dontaudit xdm_t usr_t:file write;
+-
+-ifdef(`rhgb.te', `
+-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
+-allow xdm_xserver_t ramfs_t:file manage_file_perms;
+-allow rhgb_t xdm_xserver_t:process signal;
+-')
+-
+-tunable_policy(`allow_polyinstantiation',`
+-# xdm needs access for linking .X11-unix to poly /tmp
+-allow xdm_t polymember:dir { add_name remove_name write };
+-allow xdm_t polymember:lnk_file { create unlink };
+-# xdm needs access for copying .Xauthority into new home
+-allow xdm_t polymember:file { create getattr write };
+-')
+-
+ #
+ # Wants to delete .xsession-errors file
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.fc serefpolicy-2.6.5/policy/modules/system/application.fc
--- nsaserefpolicy/policy/modules/system/application.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.5/policy/modules/system/application.fc 2007-05-22 14:41:13.000000000 -0400
@@ -5819,13 +6211,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.5/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-03-26 10:39:07.000000000 -0400
-+++ serefpolicy-2.6.5/policy/modules/system/authlogin.if 2007-05-22 14:41:13.000000000 -0400
++++ serefpolicy-2.6.5/policy/modules/system/authlogin.if 2007-05-24 15:13:17.000000000 -0400
@@ -27,11 +27,9 @@
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
- allow $1_chkpwd_t self:capability { audit_control setuid };
-+ allow $1_chkpwd_t self:capability setuid;
++ allow $1_chkpwd_t self:capability { dac_override setuid };
allow $1_chkpwd_t self:process getattr;
- send_audit_msgs_pattern($1_chkpwd_t)
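Review bot: `++ allow $1_chkpwd_t self:capability { dac_override setuid };` adds dac_override to every per-user chkpwd domain without a comment saying why; dac_override switches off all DAC permission checks for the domain, so an unexplained grant tends to get copied into other domains later. Presumably it is needed because the shadow file is root-owned with mode 0000 and type enforcement alone does not get past DAC — confirm — and if so a one-line comment such as `# dac_override: /etc/shadow is 0000 root:root, TE read alone is not enough` should sit above the rule. The enclosing template starts outside the hunk; the earlier drop of audit_control and send_audit_msgs_pattern is prior history of this patch and not re-raised here.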
@@ -5887,17 +6279,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -187,6 +180,9 @@
+@@ -187,6 +180,12 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
+
++ logging_send_audit_msg($1)
++ logging_set_loginuid($1)
++
# for SSP/ProPolice
dev_read_urand($1)
-@@ -211,9 +207,11 @@
+@@ -211,9 +210,11 @@
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
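Review bot: `logging_send_audit_msg($1)` and `logging_set_loginuid($1)` are added with no comment, and the logging.if hunk later in this patch shows the loginuid/audit interface granting `self:capability audit_control` plus `netlink_audit_socket { nlmsg_read nlmsg_relay }`, so every domain instantiated from this template gains the capability to change audit configuration and loginuid. That is expected for login programs that run pam_loginuid, but a one-line comment such as `# pam_loginuid and audit records for login events` would record the intent next to the calls. The enclosing interface starts outside the hunk, so whether the template is also instantiated by non-login callers cannot be seen from here.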
@@ -5910,7 +6305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
init_rw_utmp($1)
logging_send_syslog_msg($1)
-@@ -221,6 +219,7 @@
+@@ -221,6 +222,7 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -5918,7 +6313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -320,10 +319,6 @@
+@@ -320,10 +322,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -5929,7 +6324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -357,6 +352,37 @@
+@@ -357,6 +355,37 @@
########################################
##
@@ -5967,7 +6362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -1391,3 +1417,114 @@
+@@ -1391,3 +1420,114 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -6084,7 +6479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.5/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-04-30 10:41:38.000000000 -0400
-+++ serefpolicy-2.6.5/policy/modules/system/authlogin.te 2007-05-22 14:41:13.000000000 -0400
++++ serefpolicy-2.6.5/policy/modules/system/authlogin.te 2007-05-24 15:01:06.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -6107,7 +6502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -252,6 +258,8 @@
+@@ -252,12 +258,16 @@
# System check password local policy
#
@@ -6116,7 +6511,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
allow system_chkpwd_t shadow_t:file { getattr read };
corecmd_search_bin(system_chkpwd_t)
-@@ -305,3 +313,30 @@
+
+ domain_dontaudit_use_interactive_fds(system_chkpwd_t)
+
++selinux_get_fs_mount(system_chkpwd_t)
++
+ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
+ term_dontaudit_use_generic_ptys(system_chkpwd_t)
+
+@@ -305,3 +315,30 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
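Review bot: `++selinux_get_fs_mount(system_chkpwd_t)` is added without a why-comment, and the same call is added for `semanage_t` in the selinuxutil.te hunk of this patch. Presumably both are for libselinux locating the selinuxfs mount during initialisation — confirm — and a comment like `# libselinux locates the selinuxfs mount on init` on each would make the intent clear to the next reader. The hunk shows only the lines around the addition; the rest of the system_chkpwd_t block is outside it.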
@@ -6342,6 +6745,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(hostname_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.6.5/policy/modules/system/init.fc
+--- nsaserefpolicy/policy/modules/system/init.fc 2006-11-16 17:15:24.000000000 -0500
++++ serefpolicy-2.6.5/policy/modules/system/init.fc 2007-05-25 09:03:41.000000000 -0400
+@@ -14,9 +14,7 @@
+ /etc/x11/startDM.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ ')
+
+-ifdef(`strict_policy',`
+ /etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
+-')
+
+ #
+ # /dev
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.6.5/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-2.6.5/policy/modules/system/init.if 2007-05-22 14:41:13.000000000 -0400
@@ -6719,7 +7135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.6.5/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-03-26 10:39:07.000000000 -0400
-+++ serefpolicy-2.6.5/policy/modules/system/logging.if 2007-05-22 14:41:13.000000000 -0400
++++ serefpolicy-2.6.5/policy/modules/system/logging.if 2007-05-24 15:05:14.000000000 -0400
@@ -223,6 +223,25 @@
########################################
@@ -6834,7 +7250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ typeattribute $1 can_set_loginuid, can_send_audit_msg;
+
+ allow $1 self:capability audit_control;
-+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
++ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };
+')
+
+########################################
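Review bot: The interface body here marks the domain with both `can_set_loginuid` and `can_send_audit_msg` but grants only `self:capability audit_control`; user-space audit records (the AUDIT_USER_* netlink messages) are checked against CAP_AUDIT_WRITE in the kernel, while audit_control covers audit configuration and loginuid changes. Unless another interface in this patch grants `audit_write`, a domain that takes only this interface can still be refused when it emits login audit records, and the userdomain.if hunk later in this patch (`~{ sys_module audit_control audit_write }`) also removes audit_write from the admin template, so it has to come from an explicit grant somewhere. Consider either splitting the two concerns into separate interfaces or using `allow $1 self:capability { audit_control audit_write };` with a comment naming which message class needs which capability. The interface's header line is outside the hunk; the `nlsms_relay` to `nlmsg_relay` fix itself is correct.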
@@ -7330,7 +7746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.5/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-2.6.5/policy/modules/system/selinuxutil.te 2007-05-23 10:42:16.000000000 -0400
++++ serefpolicy-2.6.5/policy/modules/system/selinuxutil.te 2007-05-24 15:37:32.000000000 -0400
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.5.1)
@@ -7403,7 +7819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+domain_type(setfiles_t)
+role system_r types setfiles_t;
+
-+type setfiles_exec_t;
++type setfiles_exec_t alias restorecon_exec_t;
+domain_entry_file(setfiles_t,setfiles_exec_t)
ifdef(`distro_redhat',`
@@ -7502,7 +7918,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
dev_read_urand(semanage_t)
-@@ -492,6 +497,8 @@
+@@ -483,6 +488,7 @@
+ mls_rangetrans_target(semanage_t)
+ mls_file_read_up(semanage_t)
+
++selinux_get_fs_mount(semanage_t)
+ selinux_validate_context(semanage_t)
+ selinux_get_enforce_mode(semanage_t)
+ # for setsebool:
+@@ -492,6 +498,8 @@
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
@@ -7511,7 +7935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
-@@ -518,6 +525,15 @@
+@@ -518,6 +526,15 @@
userdom_search_sysadm_home_dirs(semanage_t)
@@ -7754,7 +8178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-2.6.5/policy/modules/system/userdomain.if 2007-05-22 14:41:13.000000000 -0400
++++ serefpolicy-2.6.5/policy/modules/system/userdomain.if 2007-05-24 14:35:27.000000000 -0400
@@ -114,6 +114,18 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
@@ -7862,7 +8286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
#
- allow $1_t self:capability ~sys_module;
-+ allow $1_t self:capability ~{ sys_module audit_control };
++ allow $1_t self:capability ~{ sys_module audit_control audit_write };
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
@@ -8052,7 +8476,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5352,14 +5350,13 @@
+@@ -4682,18 +4680,14 @@
+ ##
+ #
+ interface(`userdom_read_sysadm_home_content_files',`
+- ifdef(`strict_policy',`
+- gen_require(`
+- type sysadm_home_dir_t, sysadm_home_t;
+- ')
+-
+- files_search_home($1)
+- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
+- read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
+- read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
+- ',`
+- userdom_read_generic_user_home_content_files($1)
++ gen_require(`
++ type sysadm_home_dir_t, sysadm_home_t;
+ ')
++
++ files_search_home($1)
++ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
++ read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
++ read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
+ ')
+
+ ########################################
+@@ -4707,18 +4701,14 @@
+ ##
+ #
+ interface(`userdom_read_sysadm_tmp_files',`
+- ifdef(`strict_policy',`
+- gen_require(`
+- type sysadm_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 sysadm_tmp_t:dir list_dir_perms;
+- read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
+- read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
+- ',`
+- files_read_generic_tmp_files($1)
++ gen_require(`
++ type sysadm_tmp_t;
+ ')
++
++ files_search_tmp($1)
++ allow $1 sysadm_tmp_t:dir list_dir_perms;
++ read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
++ read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
+ ')
+
+ ########################################
+@@ -5352,14 +5342,13 @@
interface(`userdom_use_unpriv_users_ptys',`
ifdef(`targeted_policy',`
term_use_generic_ptys($1)
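Review bot: Dropping the `ifdef(`strict_policy'` branch makes `userdom_read_sysadm_home_content_files` and `userdom_read_sysadm_tmp_files` hard-require the sysadm types in every policy variant, which is only valid if `userdom_admin_user_template(sysadm)` is likewise unconditional — the userdomain.te hunk at the end of this patch appears to make it so, but the two changes must land together or the targeted build fails on the gen_require. The `## <summary>` description above each interface, which is outside the hunk, should be checked so it no longer describes a targeted-policy fallback to generic user home or tmp content. The same applies to `userdom_create_all_users_keys` in the later userdomain.if hunk, which drops its `unconfined_create_keys` fallback in the same way.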
@@ -8073,7 +8549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5376,13 +5373,13 @@
+@@ -5376,13 +5365,13 @@
interface(`userdom_dontaudit_use_unpriv_users_ptys',`
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys($1)
@@ -8092,7 +8568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5435,13 +5432,12 @@
+@@ -5435,13 +5424,12 @@
interface(`userdom_list_unpriv_users_tmp',`
ifdef(`targeted_policy',`
files_list_tmp($1)
@@ -8111,7 +8587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5457,13 +5453,12 @@
+@@ -5457,13 +5445,12 @@
interface(`userdom_read_unpriv_users_tmp_files',`
ifdef(`targeted_policy',`
files_read_generic_tmp_files($1)
@@ -8130,7 +8606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5479,13 +5474,12 @@
+@@ -5479,13 +5466,12 @@
interface(`userdom_read_unpriv_users_tmp_symlinks',`
ifdef(`targeted_policy',`
files_read_generic_tmp_symlinks($1)
@@ -8149,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5519,13 +5513,12 @@
+@@ -5519,13 +5505,12 @@
interface(`userdom_use_unpriv_users_ttys',`
ifdef(`targeted_policy',`
term_use_unallocated_ttys($1)
@@ -8168,7 +8644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5542,13 +5535,12 @@
+@@ -5542,13 +5527,12 @@
interface(`userdom_dontaudit_use_unpriv_users_ttys',`
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1)
@@ -8187,7 +8663,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5720,3 +5712,112 @@
+@@ -5672,15 +5656,11 @@
+ ##
+ #
+ interface(`userdom_create_all_users_keys',`
+- ifdef(`strict_policy',`
+- gen_require(`
+- attribute userdomain;
+- ')
+-
+- allow $1 userdomain:key create;
+- ',`
+- unconfined_create_keys($1)
++ gen_require(`
++ attribute userdomain;
+ ')
++
++ allow $1 userdomain:key create;
+ ')
+
+ ########################################
+@@ -5720,3 +5700,112 @@
allow $1 user_home_dir_t:dir manage_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
@@ -8302,7 +8798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.6.5/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-2.6.5/policy/modules/system/userdomain.te 2007-05-22 14:41:13.000000000 -0400
++++ serefpolicy-2.6.5/policy/modules/system/userdomain.te 2007-05-25 08:27:29.000000000 -0400
@@ -15,7 +15,6 @@
# Declarations
#
@@ -8329,121 +8825,732 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
-@@ -101,10 +102,27 @@
+@@ -101,440 +102,421 @@
# Local policy
#
-+userdom_unpriv_user_template(user)
- ifdef(`strict_policy',`
- userdom_admin_user_template(sysadm)
-+
-+ optional_policy(`
-+ cron_admin_template(sysadm,sysadm_t,sysadm_r)
-+ ')
-+
-+ optional_policy(`
-+ ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
-+ ')
-+
-+ optional_policy(`
-+ lpr_admin_template(sysadm,sysadm_t,sysadm_r)
-+ ')
-+
-+ optional_policy(`
-+ mta_admin_template(sysadm,sysadm_t,sysadm_r)
-+ ')
-+
- userdom_unpriv_user_template(staff)
+-ifdef(`strict_policy',`
+- userdom_admin_user_template(sysadm)
+- userdom_unpriv_user_template(staff)
- userdom_unpriv_user_template(user)
+-
+- # user role change rules:
+- # sysadm_r can change to user roles
+- userdom_role_change_template(sysadm, user)
+- userdom_role_change_template(sysadm, staff)
+-
+- # only staff_r can change to sysadm_r
+- userdom_role_change_template(staff, sysadm)
+- dontaudit staff_t admin_terminal:chr_file { read write };
++userdom_unpriv_user_template(user)
++userdom_admin_user_template(sysadm)
- # user role change rules:
- # sysadm_r can change to user roles
-@@ -157,6 +175,11 @@
+- ifdef(`enable_mls',`
+- userdom_unpriv_user_template(secadm)
+- userdom_unpriv_user_template(auditadm)
++optional_policy(`
++ cron_admin_template(sysadm,sysadm_t,sysadm_r)
++')
- init_exec(sysadm_t)
+- userdom_role_change_template(staff,auditadm)
+- userdom_role_change_template(staff,secadm)
++optional_policy(`
++ ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
++')
-+ kernel_sigstop_unlabeled(sysadm_t)
-+ kernel_signal_unlabeled(sysadm_t)
-+ kernel_kill_unlabeled(sysadm_t)
-+ kernel_read_unlabeled_state(sysadm_t)
-+
- # Following for sending reboot and wall messages
- userdom_use_unpriv_users_ptys(sysadm_t)
- userdom_use_unpriv_users_ttys(sysadm_t)
-@@ -227,6 +250,10 @@
- ')
+- userdom_role_change_template(sysadm,secadm)
+- userdom_role_change_template(sysadm,auditadm)
++optional_policy(`
++ lpr_admin_template(sysadm,sysadm_t,sysadm_r)
++')
- optional_policy(`
-+ amtu_run(sysadm_t,sysadm_r,admin_terminal)
-+ ')
-+
-+ optional_policy(`
- apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
- #apache_run_all_scripts(sysadm_t,sysadm_r)
- #apache_domtrans_sys_script(sysadm_t)
-@@ -286,18 +313,6 @@
- ')
+- userdom_role_change_template(auditadm,secadm)
+- userdom_role_change_template(auditadm,sysadm)
++optional_policy(`
++ mta_admin_template(sysadm,sysadm_t,sysadm_r)
++')
- optional_policy(`
-- consoletype_exec(sysadm_t)
--
-- ifdef(`enable_mls',`
-- consoletype_exec(auditadm_t)
+- userdom_role_change_template(secadm,auditadm)
+- userdom_role_change_template(secadm,sysadm)
+- ')
++userdom_unpriv_user_template(staff)
+
+- # this should be tunable_policy, but
+- # currently type_change and RBAC allow
+- # do not work in conditionals
+- ifdef(`user_canbe_sysadm',`
+- userdom_role_change_template(user,sysadm)
+- ')
++# user role change rules:
++# sysadm_r can change to user roles
++userdom_role_change_template(sysadm, user)
++userdom_role_change_template(sysadm, staff)
+
+- ########################################
+- #
+- # Sysadm local policy
+- #
++# only staff_r can change to sysadm_r
++userdom_role_change_template(staff, sysadm)
++dontaudit staff_t admin_terminal:chr_file { read write };
+
+- # for su
+- allow sysadm_t userdomain:fd use;
++ifdef(`enable_mls',`
++ userdom_unpriv_user_template(secadm)
++ userdom_unpriv_user_template(auditadm)
+
+- # Add/remove user home directories
+- allow sysadm_t user_home_dir_t:dir manage_dir_perms;
+- files_home_filetrans(sysadm_t,user_home_dir_t,dir)
++ userdom_role_change_template(staff,auditadm)
++ userdom_role_change_template(staff,secadm)
+
+- corecmd_exec_shell(sysadm_t)
++ userdom_role_change_template(sysadm,secadm)
++ userdom_role_change_template(sysadm,auditadm)
+
+- mls_process_read_up(sysadm_t)
++ userdom_role_change_template(auditadm,secadm)
++ userdom_role_change_template(auditadm,sysadm)
+
+- init_exec(sysadm_t)
++ userdom_role_change_template(secadm,auditadm)
++ userdom_role_change_template(secadm,sysadm)
++')
+
+- # Following for sending reboot and wall messages
+- userdom_use_unpriv_users_ptys(sysadm_t)
+- userdom_use_unpriv_users_ttys(sysadm_t)
++# this should be tunable_policy, but
++# currently type_change and RBAC allow
++# do not work in conditionals
++ifdef(`user_canbe_sysadm',`
++ userdom_role_change_template(user,sysadm)
++')
+
+- ifdef(`direct_sysadm_daemon',`
+- optional_policy(`
+- init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
+- ')
+- ',`
+- ifdef(`distro_gentoo',`
+- optional_policy(`
+- seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+- ')
- ')
- ')
++########################################
++#
++# Sysadm local policy
++#
+
+- ifdef(`enable_mls',`
+- allow auditadm_t self:capability { dac_read_search dac_override };
+- seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+- domain_kill_all_domains(auditadm_t)
+- seutil_read_bin_policy(auditadm_t)
+- corecmd_exec_shell(auditadm_t)
+- logging_send_syslog_msg(auditadm_t)
+- logging_read_generic_logs(auditadm_t)
+- logging_manage_audit_log(auditadm_t)
+- logging_manage_audit_config(auditadm_t)
+- logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+- logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+- userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
-
+- allow secadm_t self:capability { dac_read_search dac_override };
+- corecmd_exec_shell(secadm_t)
+- domain_obj_id_change_exemption(secadm_t)
+- mls_process_read_up(secadm_t)
+- mls_file_read_up(secadm_t)
+- mls_file_write_down(secadm_t)
+- mls_file_upgrade(secadm_t)
+- mls_file_downgrade(secadm_t)
+- auth_relabel_all_files_except_shadow(secadm_t)
+- dev_relabel_all_dev_nodes(secadm_t)
+- auth_relabel_shadow(secadm_t)
+- init_exec(secadm_t)
+- logging_read_audit_log(secadm_t)
+- logging_read_generic_logs(secadm_t)
+- logging_read_audit_config(secadm_t)
+- userdom_dontaudit_append_staff_home_content_files(secadm_t)
+- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
++# for su
++allow sysadm_t userdomain:fd use;
+
+- optional_policy(`
+- aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+- ')
++# Add/remove user home directories
++allow sysadm_t user_home_dir_t:dir manage_dir_perms;
++files_home_filetrans(sysadm_t,user_home_dir_t,dir)
+
++corecmd_exec_shell(sysadm_t)
++
++mls_process_read_up(sysadm_t)
++
++init_exec(sysadm_t)
++
++kernel_sigstop_unlabeled(sysadm_t)
++kernel_signal_unlabeled(sysadm_t)
++kernel_kill_unlabeled(sysadm_t)
++kernel_read_unlabeled_state(sysadm_t)
++
++# Following for sending reboot and wall messages
++userdom_use_unpriv_users_ptys(sysadm_t)
++userdom_use_unpriv_users_ttys(sysadm_t)
++
++ifdef(`direct_sysadm_daemon',`
++ optional_policy(`
++ init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
++ ')
++',`
++ ifdef(`distro_gentoo',`
+ optional_policy(`
+- netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
++ seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+ ')
+- ',`
+- logging_manage_audit_log(sysadm_t)
+- logging_manage_audit_config(sysadm_t)
+- logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
+ ')
++')
+
+- tunable_policy(`allow_ptrace',`
+- domain_ptrace_all_domains(sysadm_t)
++ifdef(`enable_mls',`
++ allow auditadm_t self:capability { dac_read_search dac_override };
++ seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++ domain_kill_all_domains(auditadm_t)
++ seutil_read_bin_policy(auditadm_t)
++ corecmd_exec_shell(auditadm_t)
++ logging_send_syslog_msg(auditadm_t)
++ logging_read_generic_logs(auditadm_t)
++ logging_manage_audit_log(auditadm_t)
++ logging_manage_audit_config(auditadm_t)
++ logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
++ logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++ userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
++
++ allow secadm_t self:capability { dac_read_search dac_override };
++ corecmd_exec_shell(secadm_t)
++ domain_obj_id_change_exemption(secadm_t)
++ mls_process_read_up(secadm_t)
++ mls_file_read_up(secadm_t)
++ mls_file_write_down(secadm_t)
++ mls_file_upgrade(secadm_t)
++ mls_file_downgrade(secadm_t)
++ auth_relabel_all_files_except_shadow(secadm_t)
++ dev_relabel_all_dev_nodes(secadm_t)
++ auth_relabel_shadow(secadm_t)
++ init_exec(secadm_t)
++ logging_read_audit_log(secadm_t)
++ logging_read_generic_logs(secadm_t)
++ logging_read_audit_config(secadm_t)
++ userdom_dontaudit_append_staff_home_content_files(secadm_t)
++ userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
++
++ optional_policy(`
++ aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ ')
+
+ optional_policy(`
+- amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
+- ')
++ netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
++ ')
++',`
++ logging_manage_audit_log(sysadm_t)
++ logging_manage_audit_config(sysadm_t)
++ logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
+- #apache_run_all_scripts(sysadm_t,sysadm_r)
+- #apache_domtrans_sys_script(sysadm_t)
+- ')
++tunable_policy(`allow_ptrace',`
++ domain_ptrace_all_domains(sysadm_t)
++')
+
+- optional_policy(`
+- tzdata_domtrans(sysadm_t)
+- ')
++optional_policy(`
++ amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- raid_domtrans_mdadm(sysadm_t)
+- ')
++optional_policy(`
++ amtu_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- # cjp: why is this not apm_run_client
+- apm_domtrans_client(sysadm_t)
+- ')
++optional_policy(`
++ apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
++ #apache_run_all_scripts(sysadm_t,sysadm_r)
++ #apache_domtrans_sys_script(sysadm_t)
++')
+
+- optional_policy(`
+- apt_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ tzdata_domtrans(sysadm_t)
++')
+
+- optional_policy(`
+- backup_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ raid_domtrans_mdadm(sysadm_t)
++')
+
+- optional_policy(`
+- bootloader_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ # cjp: why is this not apm_run_client
++ apm_domtrans_client(sysadm_t)
++')
+
+- optional_policy(`
+- bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ apt_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ backup_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- consoletype_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ bootloader_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- clock_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- certwatach_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ consoletype_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- cvs_exec(sysadm_t)
+- ')
++optional_policy(`
++ clock_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- consoletype_exec(sysadm_t)
++optional_policy(`
++ clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- ifdef(`enable_mls',`
+- consoletype_exec(auditadm_t)
+- ')
+- ')
++optional_policy(`
++ certwatach_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
- optional_policy(`
- cron_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
--
++optional_policy(`
++ cvs_exec(sysadm_t)
++')
+
- optional_policy(`
- dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
- dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
- dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
-@@ -325,7 +340,6 @@
+- dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
+- dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
+- dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
++ dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
++ dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
++')
- optional_policy(`
- ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
-- ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
+- optional_policy(`
+- ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- dmesg_exec(sysadm_t)
++optional_policy(`
++ dmesg_exec(sysadm_t)
+
+- ifdef(`enable_mls',`
+- dmesg_exec(auditadm_t)
+- ')
++ ifdef(`enable_mls',`
++ dmesg_exec(auditadm_t)
')
++')
- optional_policy(`
-@@ -368,7 +382,6 @@
+- optional_policy(`
+- dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
++')
- optional_policy(`
- lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
+- optional_policy(`
+- dpkg_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ dpkg_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
+- ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
+- ')
++optional_policy(`
++ ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
+- ')
++optional_policy(`
++ firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
++')
+
+- optional_policy(`
+- fstools_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ fstools_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- hostname_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ hostname_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- # allow system administrator to use the ipsec script to look
+- # at things (e.g., ipsec auto --status)
+- # probably should create an ipsec_admin role for this kind of thing
+- ipsec_exec_mgmt(sysadm_t)
+- ipsec_stream_connect(sysadm_t)
+- # for lsof
+- ipsec_getattr_key_sockets(sysadm_t)
+- ')
++optional_policy(`
++ # allow system administrator to use the ipsec script to look
++ # at things (e.g., ipsec auto --status)
++ # probably should create an ipsec_admin role for this kind of thing
++ ipsec_exec_mgmt(sysadm_t)
++ ipsec_stream_connect(sysadm_t)
++ # for lsof
++ ipsec_getattr_key_sockets(sysadm_t)
++')
+
+- optional_policy(`
+- iptables_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ iptables_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- lvm_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ lvm_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- logrotate_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ logrotate_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
- lpr_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
+- ')
++optional_policy(`
++ lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
++')
- optional_policy(`
-@@ -386,11 +399,11 @@
- ')
+- optional_policy(`
+- kudzu_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ kudzu_run(sysadm_t,sysadm_r,admin_terminal)
++')
- optional_policy(`
+- optional_policy(`
+- modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
+- modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
+- modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
++ modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
++ modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- mount_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ mount_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
- mta_admin_template(sysadm,sysadm_t,sysadm_r)
-+ mysql_stream_connect(sysadm_t)
- ')
+- ')
++optional_policy(`
++ mysql_stream_connect(sysadm_t)
++')
- optional_policy(`
+- optional_policy(`
- mysql_stream_connect(sysadm_t)
-+ netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal)
- ')
+- ')
++optional_policy(`
++ netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal)
++')
- optional_policy(`
-@@ -452,6 +465,9 @@
-
- ifdef(`enable_mls',`
- userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-+# tunable_policy(`allow_sysadm_manage_security',`
-+ userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
-+# ')
- ', `
+- optional_policy(`
+- netutils_run(sysadm_t,sysadm_r,admin_terminal)
+- netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
+- netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ netutils_run(sysadm_t,sysadm_r,admin_terminal)
++ netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
++ netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- rpc_domtrans_nfsd(sysadm_t)
+- ')
++optional_policy(`
++ rpc_domtrans_nfsd(sysadm_t)
++')
+
+- optional_policy(`
+- munin_stream_connect(sysadm_t)
+- ')
++optional_policy(`
++ munin_stream_connect(sysadm_t)
++')
+
+- optional_policy(`
+- ntp_stub()
+- corenet_udp_bind_ntp_port(sysadm_t)
+- ')
++optional_policy(`
++ ntp_stub()
++ corenet_udp_bind_ntp_port(sysadm_t)
++')
+
+- optional_policy(`
+- oav_run_update(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ oav_run_update(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- portage_run(sysadm_t,sysadm_r,admin_terminal)
+- portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ portage_run(sysadm_t,sysadm_r,admin_terminal)
++ portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- quota_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ quota_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- rpm_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ rpm_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- rsync_exec(sysadm_t)
+- ')
++optional_policy(`
++ rsync_exec(sysadm_t)
++')
+
+- optional_policy(`
+- samba_run_net(sysadm_t,sysadm_r,admin_terminal)
+- samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ samba_run_net(sysadm_t,sysadm_r,admin_terminal)
++ samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+- seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
++optional_policy(`
++ seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
++ seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+
+- ifdef(`enable_mls',`
+- userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- ', `
++ ifdef(`enable_mls',`
++ userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
++# tunable_policy(`allow_sysadm_manage_security',`
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
- ')
-@@ -504,15 +520,15 @@
- unconfined_alias_domain(sysadm_t)
+- ')
++# ')
++ ', `
++ userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
+ ')
++')
+
+- optional_policy(`
+- sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
+- sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
++ sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
+- tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
+- tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
+- tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
++ tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
++ tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
++ tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
+- usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
+- usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
++ usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
++ usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- vpn_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ vpn_run(sysadm_t,sysadm_r,admin_terminal)
++')
- # User home directory type.
+- optional_policy(`
+- webalizer_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ webalizer_run(sysadm_t,sysadm_r,admin_terminal)
++')
+
+- optional_policy(`
+- yam_run(sysadm_t,sysadm_r,admin_terminal)
+- ')
++optional_policy(`
++ yam_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
+ ifdef(`targeted_policy',`
+- # Define some type aliases to help with compatibility with
+- # strict policy.
+- unconfined_alias_domain(secadm_t)
+- unconfined_alias_domain(auditadm_t)
+- unconfined_alias_domain(sysadm_t)
+-
+- # User home directory type.
- type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
- files_type(user_home_t)
- files_associate_tmp(user_home_t)
@@ -8453,27 +9560,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- files_type(user_home_dir_t)
- files_associate_tmp(user_home_dir_t)
- fs_associate_tmpfs(user_home_dir_t)
-+ typealias user_home_t alias { staff_home_t sysadm_home_t };
-+# files_type(user_home_t)
-+# files_associate_tmp(user_home_t)
-+# fs_associate_tmpfs(user_home_t)
-+
-+ typealias user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t };
-+# files_type(user_home_dir_t)
-+# files_associate_tmp(user_home_dir_t)
-+# fs_associate_tmpfs(user_home_dir_t)
-
- # compatibility for switching from strict
- # dominance { role secadm_r { role system_r; }}
-@@ -548,4 +564,13 @@
- optional_policy(`
- samba_per_role_template(user)
+-
+- # compatibility for switching from strict
+-# dominance { role secadm_r { role system_r; }}
+-# dominance { role auditadm_r { role system_r; }}
+-# dominance { role sysadm_r { role system_r; }}
+-# dominance { role user_r { role system_r; }}
+-# dominance { role staff_r { role system_r; }}
+-
+ # dont need to use the full role_change()
+ allow sysadm_r system_r;
+ allow sysadm_r user_r;
+- allow user_r system_r;
+- allow user_r sysadm_r;
+ allow system_r sysadm_r;
+ allow system_r sysadm_r;
+
+- manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+- manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+- manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+- manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+- manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+- filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
+ files_search_home(privhome)
+
+ ifdef(`enable_mls',`
+@@ -545,7 +527,8 @@
+ allow staff_r auditadm_r;
')
-+
-+ optional_policy(`
-+ gnome_per_role_template(user, user_t, user_r)
-+ ')
-+
+
+- optional_policy(`
+- samba_per_role_template(user)
+- ')
+')
+
+tunable_policy(`allow_console_login', `
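Review bot: The new side adds `allow system_r sysadm_r;` twice in succession (the two `+ allow system_r sysadm_r;` lines following `allow sysadm_r user_r;`); a duplicate role allow compiles, but it reads as a copy-paste slip, so either drop the second line or, if a different role pair was intended in that slot, correct it. The same hunk turns `allow user_r system_r;` and `allow user_r sysadm_r;` into removals in the inner patch and replaces the privhome `manage_*_pattern`/`filetrans_pattern` rules with the single `files_search_home(privhome)`; both narrow what user_r and privhome may do, which is worth one sentence in the commit description so the tightening is not mistaken for an accident. The enclosing `ifdef(`targeted_policy',` block begins before this hunk.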
@@ -8650,6 +9768,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
+fs_read_nfs_files(xend_t)
+fs_getattr_all_fs(xend_t)
+fs_read_dos_files(xend_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.6.5/policy/rolemap
+--- nsaserefpolicy/policy/rolemap 2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.6.5/policy/rolemap 2007-05-24 15:51:16.000000000 -0400
+@@ -8,13 +8,11 @@
+ # syntax: role prefix user_domain
+ #
+
+-ifdef(`strict_policy',`
+- user_r user user_t
+- staff_r staff staff_t
+- sysadm_r sysadm sysadm_t
++user_r user user_t
++staff_r staff staff_t
++sysadm_r sysadm sysadm_t
+
+- ifdef(`enable_mls',`
+- secadm_r secadm secadm_t
+- auditadm_r auditadm auditadm_t
+- ')
++ifdef(`enable_mls',`
++ secadm_r secadm secadm_t
++ auditadm_r auditadm auditadm_t
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-2.6.5/policy/support/misc_patterns.spt
--- nsaserefpolicy/policy/support/misc_patterns.spt 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.6.5/policy/support/misc_patterns.spt 2007-05-22 14:41:13.000000000 -0400
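Review bot: The three calls added to xend_t at the top of the hunk (`fs_read_nfs_files`, `fs_getattr_all_fs`, `fs_read_dos_files`) widen what the Xen daemon may read without a comment saying why; a line such as `# xend reads guest images/config kept on NFS or DOS filesystems -- presumably; confirm` above them would let a later reviewer judge whether the access is still needed. The block these lines belong to starts before this hunk. In the rolemap part, dropping the `ifdef(`strict_policy',` wrapper means the user_r/staff_r/sysadm_r mappings (and, under enable_mls, secadm_r/auditadm_r) are now generated for every policy flavour; that is a behavioural change for targeted builds and the description should state it rather than leave it to be inferred from the diff.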
@@ -8699,6 +9840,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_association', `{ sendto recvfrom setcontext polmatch } ')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.6.5/policy/users
+--- nsaserefpolicy/policy/users 2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.6.5/policy/users 2007-05-24 15:42:41.000000000 -0400
+@@ -25,13 +25,9 @@
+ # SELinux user identity for a Linux user. If you do not want to
+ # permit any access to such users, then remove this entry.
+ #
+-ifdef(`targeted_policy',`
+-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-',`
+ gen_user(user_u, user, user_r, s0, s0)
+ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-')
+
+ #
+ # The following users correspond to Unix identities.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.6.5/Rules.modular
--- nsaserefpolicy/Rules.modular 2007-03-22 14:30:10.000000000 -0400
+++ serefpolicy-2.6.5/Rules.modular 2007-05-22 14:41:13.000000000 -0400