##
@@ -13216,7 +13517,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ftpd_t ftpd_etc_t:file read_file_perms;
-@@ -160,6 +168,7 @@
+@@ -121,8 +129,7 @@
+ allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+
+ # Create and modify /var/log/xferlog.
+-allow ftpd_t xferlog_t:dir search_dir_perms;
+-allow ftpd_t xferlog_t:file manage_file_perms;
++manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+ logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+ kernel_read_kernel_sysctls(ftpd_t)
+@@ -160,6 +167,7 @@
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
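Review bot: `manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)` at L11 widens ftpd_t's access to xferlog_t directories from search to full rw_dir_perms and keeps write/unlink on existing log files, so the daemon can truncate or remove its own transfer log. A transfer log only has to be created and appended to; `create_files_pattern(ftpd_t, xferlog_t, xferlog_t)` plus `append_files_pattern(ftpd_t, xferlog_t, xferlog_t)` next to the existing `logging_log_filetrans` would keep the log append-only against the daemon itself, assuming vsftpd does not rewrite the file in place. The replaced rules already carried manage_file_perms, so only the directory side is new here; if the wider pattern is genuinely needed, a comment stating why would let a later reviewer re-check it. The ftpd_t rules continue outside the hunk.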
@@ -13224,7 +13535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
-@@ -222,9 +231,15 @@
+@@ -222,9 +230,15 @@
userdom_manage_user_home_content_dirs(ftpd_t)
userdom_manage_user_home_content_files(ftpd_t)
userdom_manage_user_home_content_symlinks(ftpd_t)
@@ -13241,7 +13552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
fs_manage_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
-@@ -258,7 +273,26 @@
+@@ -258,7 +272,26 @@
')
optional_policy(`
@@ -13269,7 +13580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -270,6 +304,14 @@
+@@ -270,6 +303,14 @@
')
optional_policy(`
@@ -15087,7 +15398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.16/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/networkmanager.te 2009-06-15 08:31:33.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/networkmanager.te 2009-06-16 11:24:19.000000000 -0400
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -15818,6 +16129,217 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.16/policy/modules/services/nslcd.fc
+--- nsaserefpolicy/policy/modules/services/nslcd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.16/policy/modules/services/nslcd.fc 2009-06-18 10:39:36.000000000 -0400
+@@ -0,0 +1,4 @@
++/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
++/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
++/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
++/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.16/policy/modules/services/nslcd.if
+--- nsaserefpolicy/policy/modules/services/nslcd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.16/policy/modules/services/nslcd.if 2009-06-18 10:39:36.000000000 -0400
+@@ -0,0 +1,145 @@
++
++## policy for nslcd
++
++########################################
++##
++## Execute a domain transition to run nslcd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`nslcd_domtrans',`
++ gen_require(`
++ type nslcd_t;
++ type nslcd_exec_t;
++ ')
++
++ domtrans_pattern($1,nslcd_exec_t,nslcd_t)
++')
++
++
++########################################
++##
++## Execute nslcd server in the nslcd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`nslcd_initrc_domtrans',`
++ gen_require(`
++ type nslcd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1,nslcd_initrc_exec_t)
++')
++
++########################################
++##
++## Read nslcd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nslcd_read_pid_files',`
++ gen_require(`
++ type nslcd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 nslcd_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Manage nslcd var_run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nslcd_manage_var_run',`
++ gen_require(`
++ type nslcd_var_run_t;
++ ')
++
++ manage_dirs_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
++ manage_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
++ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an nslcd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the nslcd domain.
++##
++##
++##
++##
++## The type of the user terminal.
++##
++##
++##
++#
++interface(`nslcd_admin',`
++ gen_require(`
++ type nslcd_t;
++ ')
++
++ allow $1 nslcd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, nslcd_t, nslcd_t)
++ allow $1 nslcd_conf_t:file read_file_perms;
++
++ gen_require(`
++ type nslcd_initrc_exec_t;
++ ')
++
++ # Allow nslcd_t to restart the apache service
++ nslcd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 nslcd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ nslcd_manage_var_run($1)
++')
++
++
++########################################
++##
++## Connect to nslcd over an unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nslcd_use',`
++ gen_require(`
++ type nslcd_t, var_run_t, nslcd_var_run_t;
++ ')
++
++# list_dirs_pattern($1, var_run_t, nslcd_var_run_t)
++ write_sock_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
++ allow $1 nslcd_t:unix_stream_socket connectto;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.16/policy/modules/services/nslcd.te
+--- nsaserefpolicy/policy/modules/services/nslcd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.16/policy/modules/services/nslcd.te 2009-06-18 10:39:36.000000000 -0400
+@@ -0,0 +1,50 @@
++policy_module(nslcd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type nslcd_t;
++type nslcd_exec_t;
++init_daemon_domain(nslcd_t, nslcd_exec_t)
++
++#permissive nslcd_t;
++
++type nslcd_initrc_exec_t;
++init_script_file(nslcd_initrc_exec_t)
++
++type nslcd_var_run_t;
++files_pid_file(nslcd_var_run_t)
++
++type nslcd_conf_t;
++files_type(nslcd_conf_t)
++allow nslcd_t nslcd_conf_t:file read_file_perms;
++
++########################################
++#
++# nslcd local policy
++#
++
++allow nslcd_t self:capability { setgid setuid dac_override };
++
++# Init script handling
++domain_use_interactive_fds(nslcd_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow nslcd_t self:sock_file rw_file_perms;
++allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
++allow nslcd_t self:process signal;
++
++files_read_etc_files(nslcd_t)
++
++miscfiles_read_localization(nslcd_t)
++
++manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
++manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
++files_pid_filetrans(nslcd_t,nslcd_var_run_t, { file dir })
++allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms;
++
++auth_use_nsswitch(nslcd_t)
++
++logging_send_syslog_msg(nslcd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.16/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2009-06-08 15:22:17.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/services/ntp.if 2009-06-12 15:59:08.000000000 -0400
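Review bot: In `nslcd_admin` (L169–L189) the rule `allow $1 nslcd_conf_t:file read_file_perms;` at L176 uses nslcd_conf_t, but the interface's gen_require blocks (L170–L172 and L178–L180) only declare nslcd_t and nslcd_initrc_exec_t, so a module calling this interface will fail to compile with the type not in scope; add `type nslcd_conf_t;` to the first gen_require and fold the second block into it. The comment at L182, `# Allow nslcd_t to restart the apache service`, is a copy-paste leftover and should read `# Allow $1 to restart the nslcd service`. In `nslcd_use` (L202–L210) `var_run_t` is required only for the commented-out line at L207, so either restore that call or drop both the require and the dead line. In nslcd.te, `allow nslcd_t self:capability { setgid setuid dac_override };` at L243 grants dac_override with no stated reason; since it bypasses DAC checks on every object the domain can otherwise reach, a one-line comment naming the file it is needed for (or removing it if only the setuid/setgid drop is required) is worth adding, as is removing the stale `#permissive nslcd_t;` at L226.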
@@ -16224,6 +16746,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.16/policy/modules/services/pcscd.te
+--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-03-23 13:47:11.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/pcscd.te 2009-06-16 09:52:14.000000000 -0400
+@@ -29,6 +29,7 @@
+
+ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
++manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+
+@@ -46,6 +47,8 @@
+ files_read_etc_files(pcscd_t)
+ files_read_etc_runtime_files(pcscd_t)
+
++kernel_read_system_state(pcscd_t)
++
+ term_use_unallocated_ttys(pcscd_t)
+ term_dontaudit_getattr_pty_dirs(pcscd_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.16/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.16/policy/modules/services/pegasus.te 2009-06-12 15:59:08.000000000 -0400
@@ -16300,13 +16842,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.16/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/polkit.fc 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/polkit.fc 2009-06-15 16:34:08.000000000 -0400
@@ -0,0 +1,11 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
-+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
++/usr/libexec/polkitd.* -- gen_context(system_u:object_r:polkit_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
@@ -16315,7 +16857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.16/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/polkit.if 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/polkit.if 2009-06-17 09:17:36.000000000 -0400
@@ -0,0 +1,241 @@
+
+## policy for polkit_auth
@@ -20174,7 +20716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te 2009-06-18 09:22:05.000000000 -0400
@@ -11,6 +11,9 @@
domain_type(setroubleshootd_t)
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -20209,7 +20751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +76,24 @@
+@@ -68,16 +76,25 @@
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
@@ -20225,6 +20767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_getattr_all_files(setroubleshootd_t)
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
++files_read_all_symlinks(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
@@ -20235,7 +20778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -94,22 +110,28 @@
+@@ -94,22 +111,28 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -21833,8 +22376,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.16/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/sssd.te 2009-06-12 15:59:08.000000000 -0400
-@@ -0,0 +1,72 @@
++++ serefpolicy-3.6.16/policy/modules/services/sssd.te 2009-06-16 11:24:47.000000000 -0400
+@@ -0,0 +1,74 @@
+policy_module(sssd,1.0.0)
+
+########################################
@@ -21892,6 +22435,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_read_etc_files(sssd_t)
+files_read_usr_files(sssd_t)
+
++fs_list_inotifyfs(sssd_t)
++
+auth_use_nsswitch(sssd_t)
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
@@ -22484,7 +23029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.16/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/virt.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/virt.te 2009-06-16 11:25:30.000000000 -0400
@@ -8,19 +8,31 @@
##
@@ -22599,7 +23144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -96,30 +140,50 @@
+@@ -96,30 +140,51 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -22640,6 +23185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
++fs_list_inotifyfs(virtd_t)
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
@@ -22653,7 +23199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -129,7 +193,15 @@
+@@ -129,7 +194,15 @@
logging_send_syslog_msg(virtd_t)
@@ -22669,7 +23215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -167,22 +239,34 @@
+@@ -167,22 +240,34 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -22709,7 +23255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -195,8 +279,86 @@
+@@ -195,8 +280,86 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -22820,7 +23366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.16/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/xserver.fc 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/xserver.fc 2009-06-18 08:45:33.000000000 -0400
@@ -3,12 +3,16 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -22850,15 +23396,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /opt
#
-@@ -61,6 +60,7 @@
+@@ -61,7 +60,9 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -89,16 +89,26 @@
+ ifdef(`distro_debian', `
+@@ -89,16 +90,26 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
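Review bot: `/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)` at L433 gives a nested X server, normally launched unprivileged from a user session, the same executable type as Xorg, so every domain with a transition on xserver_exec_t will run Xephyr in xserver_t; the xserver.te hunk at L547 shows xserver_t receiving `unconfined_domain` under an optional_policy, which would make that a large privilege step for a user-launched program. If the label exists only so that a dedicated domain can use the new `xserver_entry_type` interface, a comment beside the entry saying so would document the intent, and confirming which domains hold xserver_domtrans (its callers are outside this hunk) would show whether ordinary user domains are affected.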
@@ -22890,7 +23438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.16/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/xserver.if 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/xserver.if 2009-06-18 08:45:02.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -23117,7 +23665,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -872,6 +936,27 @@
+@@ -797,6 +861,24 @@
+
+ ########################################
+ ##
++## Make an X executable an entrypoint for the specified domain.
++##
++##
++##
++## The domain for which the shell is an entrypoint.
++##
++##
++#
++interface(`xserver_entry_type',`
++ gen_require(`
++ type xserver_exec_t;
++ ')
++
++ domain_entry_file($1, xserver_exec_t)
++')
++
++########################################
++##
+ ## Execute an X session in the target domain. This
+ ## is an explicit transition, requiring the
+ ## caller to use setexeccon().
+@@ -872,6 +954,27 @@
########################################
##
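Review bot: The parameter description of the new `xserver_entry_type` interface at L462 reads `## The domain for which the shell is an entrypoint.`, which was copied from a shell interface; it should read `## The domain for which the X server executable is an entrypoint.`. The interface body at L466–L472 only requires xserver_exec_t and calls domain_entry_file, so the doc text is the only thing to fix in it. The doc block of the interface that follows continues past the end of the hunk.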
@@ -23145,7 +23718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write the X server
## log files.
##
-@@ -1018,10 +1103,11 @@
+@@ -1018,10 +1121,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -23158,7 +23731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1159,6 +1245,275 @@
+@@ -1159,6 +1263,275 @@
########################################
##
@@ -23434,7 +24007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1172,7 +1527,103 @@
+@@ -1172,7 +1545,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -23465,7 +24038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ gen_require(`
+ class x_drawable all_x_drawable_perms;
+ class x_resource all_x_resource_perms;
- ')
++')
+
+ allow $1 $2:x_drawable all_x_drawable_perms;
+ allow $2 $1:x_drawable all_x_drawable_perms;
@@ -23496,7 +24069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ class x_selection all_x_selection_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
-+ ')
+ ')
+
+ # Type attributes
+ typeattribute $1 x_domain;
@@ -23540,7 +24113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.16/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/xserver.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/xserver.te 2009-06-18 08:43:27.000000000 -0400
@@ -34,6 +34,13 @@
##
@@ -24122,7 +24695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -774,12 +924,16 @@
+@@ -774,12 +924,20 @@
')
optional_policy(`
@@ -24136,11 +24709,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- unconfined_domain_noaudit(xserver_t)
++ sandbox_rw_xserver_tmpfs_files(xserver_t)
++')
++
++optional_policy(`
+ unconfined_domain(xserver_t)
unconfined_domtrans(xserver_t)
')
-@@ -806,7 +960,7 @@
+@@ -806,7 +964,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -24149,7 +24726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +981,14 @@
+@@ -827,9 +985,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24164,7 +24741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +1003,14 @@
+@@ -844,11 +1007,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -24180,7 +24757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -856,6 +1018,11 @@
+@@ -856,6 +1022,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -24192,7 +24769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Rules common to all X window domains
-@@ -881,6 +1048,8 @@
+@@ -881,6 +1052,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -24201,7 +24778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1074,8 @@
+@@ -905,6 +1078,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24210,7 +24787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1143,49 @@
+@@ -972,17 +1147,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -24358,7 +24935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.16/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-06-12 15:45:03.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/system/authlogin.if 2009-06-15 15:31:30.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/authlogin.if 2009-06-18 10:39:36.000000000 -0400
@@ -46,11 +46,23 @@
')
@@ -24440,12 +25017,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ optional_policy(`
+ nis_authenticate($1)
-+ ')
+ ')
+
+ optional_policy(`
+ ssh_agent_exec($1)
+ userdom_read_user_home_content_files($1)
- ')
++ ')
+
')
@@ -24464,11 +25041,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
- optional_policy(`
+- optional_policy(`
- kerberos_use($1)
- ')
-
-- optional_policy(`
+ optional_policy(`
- nis_use_ypbind($1)
+ kerberos_read_keytab($1)
+ kerberos_connect_524($1)
@@ -24546,7 +25123,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
-@@ -1395,6 +1494,14 @@
+@@ -1254,6 +1353,25 @@
+
+ ########################################
+ ##
++## dontaudit read login records files (/var/log/wtmp).
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`auth_dontaudit_read_login_records',`
++ gen_require(`
++ type wtmp_t;
++ ')
++
++ dontaudit $1 wtmp_t:file read_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to write to
+ ## login records files.
+ ##
+@@ -1395,6 +1513,14 @@
')
optional_policy(`
@@ -24561,10 +25164,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nis_use_ypbind($1)
')
-@@ -1403,8 +1510,13 @@
+@@ -1403,8 +1529,17 @@
')
optional_policy(`
++ nslcd_use($1)
++ ')
++
++ optional_policy(`
+ sssd_stream_connect($1)
+ ')
+
@@ -24896,7 +25503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.16/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/system/init.te 2009-06-15 10:43:51.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/init.te 2009-06-18 08:29:05.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart,false)
@@ -25442,7 +26049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.16/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/system/iscsi.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/iscsi.te 2009-06-16 09:44:00.000000000 -0400
@@ -55,6 +55,7 @@
files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
@@ -25451,7 +26058,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -73,6 +74,6 @@
+@@ -68,11 +69,12 @@
+ dev_rw_sysfs(iscsid_t)
+
+ domain_use_interactive_fds(iscsid_t)
++domain_read_all_domains_state(iscsid_t)
+
+ files_read_etc_files(iscsid_t)
logging_send_syslog_msg(iscsid_t)
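Review bot: `domain_read_all_domains_state(iscsid_t)` at L710 lets the iSCSI daemon read the /proc state of every domain on the system, which is wide for a storage daemon and is added with no comment saying what it needs to inspect. If the need is only its own processes or one specific helper, a narrower self-process or per-domain read grant would be preferable; otherwise a comment directly above the line stating the reason would let a later reviewer re-check it. The iscsid_t rules continue outside the hunk.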
@@ -27713,6 +28326,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_xen_state(ifconfig_t)
kernel_write_xen_state(ifconfig_t)
xen_append_log(ifconfig_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.16/policy/modules/system/udev.fc
+--- nsaserefpolicy/policy/modules/system/udev.fc 2009-03-20 12:39:40.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/udev.fc 2009-06-16 12:04:16.000000000 -0400
+@@ -8,6 +8,8 @@
+
+ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
++/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
++
+ /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.16/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/system/udev.te 2009-06-15 11:24:20.000000000 -0400
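Review bot: `/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)` at L725 gives the ACL helper the same executable type as the udev daemon, so any domain that transitions on udev_exec_t will run udev-acl in udev_t with the daemon's full device-management rights rather than only what setting ACLs on device nodes requires. The same file already separates helpers with udev_helper_exec_t at L723; if udev_t is really required here (the changelog at L758 only records that the label was added), a short comment naming the caller that invokes udev-acl and why it needs the daemon domain would document the decision. The rules of whichever domain invokes the helper are not in view.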
@@ -28578,7 +29203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.16/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/system/userdomain.if 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/userdomain.if 2009-06-18 09:38:54.000000000 -0400
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e42913d..3a19d54 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.16
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,9 @@ exit 0
%endif
%changelog
+* Tue Jun 16 2009 Dan Walsh 3.6.16-3
+- Add label for udev-acl
+
* Mon Jun 15 2009 Dan Walsh 3.6.16-2
- Additional rules for consolekit/udev, privoxy and various other fixes