diff --git a/policy-20071130.patch b/policy-20071130.patch
index 8465ee9..fadb74c 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -703,8 +703,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.7/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/admin/kismet.te	2008-02-06 11:02:29.000000000 -0500
-@@ -0,0 +1,58 @@
++++ serefpolicy-3.2.7/policy/modules/admin/kismet.te	2008-02-08 14:32:32.000000000 -0500
+@@ -0,0 +1,55 @@
++
 +policy_module(kismet,1.0.0)
 +
 +########################################
@@ -717,7 +718,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +application_domain(kismet_t, kismet_exec_t)
 +role system_r types kismet_t;
 +
-+
 +type kismet_var_run_t;
 +files_pid_file(kismet_var_run_t)
 +
@@ -732,8 +732,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +# kismet local policy
 +#
 +
-+## internal communication is often done using fifo and unix sockets.
-+#============= kismet_t ==============
 +allow kismet_t self:capability { net_admin setuid setgid };
 +
 +corecmd_exec_bin(kismet_t)
@@ -750,7 +748,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +
 +miscfiles_read_localization(kismet_t)
 +
-+
 +allow kismet_t kismet_var_run_t:file manage_file_perms;
 +allow kismet_t kismet_var_run_t:dir manage_dir_perms;
 +files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir })
@@ -2137,7 +2134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
 +/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.7/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/gpg.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/gpg.if	2008-02-11 14:15:31.000000000 -0500
 @@ -38,6 +38,10 @@
  	gen_require(`
  		type gpg_exec_t, gpg_helper_exec_t;
@@ -2149,7 +2146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
  	')
  
  	########################################
-@@ -45,275 +49,51 @@
+@@ -45,275 +49,53 @@
  	# Declarations
  	#
  
@@ -2387,8 +2384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
 -	#
 -	# Pinentry local policy
 -	#
-+	userdom_use_user_terminals($1,gpg_agent_t)
- 
+-
 -	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
 -	allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
 -
@@ -2423,7 +2419,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
 -	optional_policy(`
 -		xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
 -	')
--
++	userdom_use_user_terminals($1,gpg_agent_t)
+ 
 -	ifdef(`TODO',`
 -	allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
 -
@@ -2435,14 +2432,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
 -		dontaudit $1_gpg_pinentry_t nfs_t:dir write;
 -		dontaudit $1_gpg_pinentry_t nfs_t:file write;
 -	')
--
++	# communicate with the user 
++	allow gpg_helper_t $2:fd use;
++	allow gpg_helper_t $2:fifo_file rw_fifo_file_perms;
+ 
 -	tunable_policy(`use_samba_home_dirs',`
 -		dontaudit $1_gpg_pinentry_t cifs_t:dir write;
 -		dontaudit $1_gpg_pinentry_t cifs_t:file write;
 -	')
-+	# communicate with the user 
-+	allow gpg_helper_t $2:fd use;
-+	allow gpg_helper_t $2:fifo_file write;
++	userdom_manage_user_home_content_files(user, gpg_helper_t)
  
 -	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
 -	') dnl end TODO
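Review bot: `userdom_manage_user_home_content_files(user, gpg_helper_t)` hard-codes the `user` prefix inside a per-role template whose prefix is `$1` (this same hunk uses `$1_gpg_pinentry_t` and `userdom_use_user_terminals($1,gpg_agent_t)`), so every role's helper is granted manage rights on the `user` role's home content and on no other role's. It also gives create/write/unlink over all user home files to a helper that, per the gpg.te hunk later in this patch, connects out to arbitrary TCP ports to fetch keys — far more than a key fetcher that hands its result back over the fifo should need. If the helper only needs to drop fetched material under ~/.gnupg, a rule on the gpg secret type would be narrower; otherwise at least use the template prefix, `userdom_manage_user_home_content_files($1, gpg_helper_t)`, and replace the `# communicate with the user` comment with one that says why home-content write is needed. The enclosing template starts and ends outside this hunk.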
@@ -2454,8 +2452,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.7/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/gpg.te	2008-02-06 11:02:29.000000000 -0500
-@@ -7,15 +7,225 @@
++++ serefpolicy-3.2.7/policy/modules/apps/gpg.te	2008-02-11 14:16:30.000000000 -0500
+@@ -7,15 +7,232 @@
  #
  
  # Type for gpg or pgp executables.
@@ -2551,6 +2549,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
 +# GPG helper local policy
 +#
 +
++allow gpg_helper_t self:process getsched;
++
 +# for helper programs (which automatically fetch keys)
 +# Note: this is only tested with the hkp interface. If you use eg the 
 +# mail interface you will likely need additional permissions.
@@ -2575,17 +2575,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
 +corenet_udp_bind_all_nodes(gpg_helper_t)
 +corenet_tcp_connect_all_ports(gpg_helper_t)
 +
-+dev_read_urand(gpg_helper_t)
-+
 +files_read_etc_files(gpg_helper_t)
-+# for nscd
-+files_dontaudit_search_var(gpg_helper_t)
++
++fs_list_inotifyfs(gpg_helper_t)
++
++auth_use_nsswitch(gpg_helper_t)
 +
 +libs_use_ld_so(gpg_helper_t)
 +libs_use_shared_libs(gpg_helper_t)
 +
-+sysnet_read_config(gpg_helper_t)
-+
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_dontaudit_rw_nfs_files(gpg_helper_t)
 +')
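Review bot: Dropping `dev_read_urand(gpg_helper_t)` is only safe for the plain-HTTP hkp path; the `gpgkeys.*` glob in the gpg.fc hunk earlier in this patch labels every keyserver helper with `gpg_helper_exec_t`, and a TLS-capable helper (curl-based) will open /dev/urandom and now fail on a denial. The existing comment in this block already admits the domain is "only tested with the hkp interface", so I would keep the line, `dev_read_urand(gpg_helper_t)`, with a `# TLS-capable keyserver helpers need entropy` comment, unless the removal is backed by an audit of each helper. Swapping `sysnet_read_config` and `files_dontaudit_search_var` for `auth_use_nsswitch` looks reasonable provided that interface covers the resolver config reads, which I cannot confirm from this hunk.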
@@ -2616,8 +2614,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
 +manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
 +
 +# allow gpg to connect to the gpg agent
++manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
++
 +stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t)
 +
++manage_dirs_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
++manage_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
++manage_sock_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
 +files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir })
 +
 +corecmd_search_bin(gpg_agent_t)
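Review bot: The three `manage_*_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)` lines added under `# allow gpg to connect to the gpg agent` duplicate the rules immediately above them — `manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)` is visible as context on the preceding line, and the dirs/files variants presumably sit just above the hunk — and they push that comment away from the `stream_connect_pattern` it describes. Drop the three duplicated lines so the comment again sits directly over `stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t)`. The new `manage_*` rules on `user_gpg_agent_tmp_t` together with the `sock_file` filetrans are what the agent socket needs; note they cover the whole tmp type rather than just the socket, which is the usual refpolicy trade-off and worth a one-line comment.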
@@ -2762,7 +2767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s
 +	
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.7/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2007-03-01 10:01:48.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/java.fc	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/java.fc	2008-02-11 14:02:02.000000000 -0500
 @@ -11,6 +11,7 @@
  #
  /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -2771,7 +2776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc 
  /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,11 @@
+@@ -20,5 +21,13 @@
  /usr/bin/grmic  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/grmiregistry  	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/jv-convert  	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -2783,7 +2788,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc 
 +/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 +
-+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib64/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
++
 +/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.7/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-10-12 08:56:02.000000000 -0400
@@ -3801,7 +3808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.7/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if	2008-02-08 14:05:36.000000000 -0500
 @@ -0,0 +1,337 @@
 +
 +## <summary>policy for nsplugin</summary>
@@ -4142,8 +4149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.7/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.te	2008-02-06 11:02:29.000000000 -0500
-@@ -0,0 +1,136 @@
++++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.te	2008-02-08 14:33:18.000000000 -0500
+@@ -0,0 +1,133 @@
++
 +policy_module(nsplugin,1.0.0)
 +
 +########################################
@@ -4236,7 +4244,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +# nsplugin_config local policy
 +#
 +
-+## internal communication is often done using fifo and unix sockets.
 +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
 +allow nsplugin_config_t self:process { setsched getsched execmem };
 +allow nsplugin_t self:sem create_sem_perms;
@@ -4276,10 +4283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +userdom_search_all_users_home_content(nsplugin_config_t)
 +
-+
 +nsplugin_domtrans(nsplugin_config_t)
-+
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.7/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.2.7/policy/modules/apps/screen.fc	2008-02-06 11:02:29.000000000 -0500
@@ -4548,7 +4552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.7/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc	2008-02-11 17:52:05.000000000 -0500
 @@ -1,9 +1,9 @@
  #
  # HOME_DIR/
@@ -4588,13 +4592,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f
  
  ifdef(`distro_gentoo',`
  /opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-@@ -49,3 +55,6 @@
+@@ -49,3 +55,8 @@
  /opt/vmware/workstation/bin/vmware-wizard --	gen_context(system_u:object_r:vmware_exec_t,s0)
  /opt/vmware/workstation/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
  ')
 +/var/log/vmware.* 	--	gen_context(system_u:object_r:vmware_log_t,s0)
 +/var/run/vmnat.* 	-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 +/var/run/vmware.* 		gen_context(system_u:object_r:vmware_var_run_t,s0)
++/usr/lib/vmware-tools/sbin32/vmware.*	--	gen_context(system_u:object_r:vmware_exec_t,s0)
++/usr/lib/vmware-tools/sbin64/vmware.*	--	gen_context(system_u:object_r:vmware_exec_t,s0)
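Review bot: The two new `sbin32`/`sbin64` entries label the vmware-tools daemons `vmware_exec_t`, the entry type of the interactive per-user vmware domain, while the system-side helpers in this file's earlier context (`vmnet-bridge`) use `vmware_host_exec_t`; if these binaries are started by init as root (vmware-guestd normally is), a user-application entry type will not give init a domain transition and they would stay in the init script domain. `vmware.*` is also broader than the known binary names and will catch any future file beginning with `vmware` in those directories. Confirm which domain the guest tools are meant to run in; if it is the host daemon domain, `/usr/lib/vmware-tools/sbin(32|64)/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)` covers both in one line, and a `/usr/lib(64)?` stem is needed if the 64-bit package installs under lib64. Otherwise keep `vmware_exec_t` but add a comment explaining why the tools are treated as a user application.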
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.7/policy/modules/apps/vmware.if
 --- nsaserefpolicy/policy/modules/apps/vmware.if	2007-02-19 11:32:52.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/apps/vmware.if	2008-02-06 11:02:29.000000000 -0500
@@ -4769,7 +4775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc	2008-02-11 14:27:33.000000000 -0500
 @@ -7,11 +7,11 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4814,16 +4820,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  #
  # /usr
  #
-@@ -147,7 +157,7 @@
+@@ -147,7 +157,8 @@
  /usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib(64)?/cups/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib(64)?/cups/filter(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/drivers(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -186,7 +196,10 @@
+@@ -186,7 +197,10 @@
  /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
  
@@ -4834,7 +4841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +297,7 @@
+@@ -284,3 +298,9 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4842,6 +4849,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/usr/lib(64)?/nspluginwrapper/npviewer	gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib(64)?/ConsoleKit/scripts(/.*)?  gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/ConsoleKit/run-session.d(/.*)?  gen_context(system_u:object_r:bin_t,s0)
++/etc/ConsoleKit/run-session.d(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.7/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.if	2008-02-06 11:02:29.000000000 -0500
@@ -4853,9 +4862,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.2.7/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2008-02-01 09:12:53.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.if.in	2008-02-11 14:37:57.000000000 -0500
+@@ -1441,10 +1441,11 @@
+ #
+ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ 	gen_require(`
+-		attribute port_type, reserved_port_type;
++		attribute port_type;
++		type hi_reserved_port_t, reserved_port_t;
+ 	')
+ 
+-	allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
++	allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
+ ')
+ 
+ ########################################
+@@ -1459,10 +1460,10 @@
+ #
+ interface(`corenet_udp_bind_all_unreserved_ports',`
+ 	gen_require(`
+-		attribute port_type, reserved_port_type;
++		type hi_reserved_port_t, reserved_port_t;
+ 	')
+ 
+-	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
++	allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in	2008-02-07 12:49:50.000000000 -0500
 @@ -82,6 +82,7 @@
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
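Review bot: `corenet_tcp_bind_all_unreserved_ports` now grants `udp_socket name_bind` instead of `tcp_socket name_bind`, so every caller loses its TCP bind and silently gains a UDP bind; the rule must read `allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;`. The UDP interface's `gen_require` dropped `attribute port_type;` while its rule still references `port_type`, which will fail to build as a module — add `attribute port_type;` back next to the two types. Beyond the typos, replacing `-reserved_port_type` with `-hi_reserved_port_t -reserved_port_t` changes meaning: if the named ports below 1024 (ssh, http, smtp, ...) carry the `reserved_port_type` attribute, as refpolicy's `network_port` macro assigns it, they are no longer excluded and "unreserved" domains may name_bind to them. That widening should be stated in the commit message or the attribute kept in the exclusion list.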
@@ -4903,12 +4942,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
-@@ -171,6 +177,8 @@
+@@ -170,7 +176,11 @@
+ network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
++network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
++
  network_port(vnc, tcp,5900,s0)
-+# Reserve 50 ports for vnc/virt machines
-+portcon tcp 5901-5950 gen_context(system_u:object_r:vnc_port_t, s0)
++# Reserve 100 ports for vnc/virt machines
++portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0)
  network_port(wccp, udp,2048,s0)
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
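Review bot: The `virt` declaration adds UDP portcons for 16509 and 16514, but libvirtd's remote transport is TCP (16509 plain, 16514 TLS); unless there is a UDP listener I am not aware of, the `udp,...` entries only create a bindable label for ports nothing uses. Trim it to `network_port(virt, tcp,16509,s0, tcp,16514,s0)` or comment which service listens on UDP. The VNC comment says "Reserve 100 ports" while `5901-5999` is 99 ports (100 only if the `network_port(vnc, tcp,5900,s0)` line above is counted), so make the comment match the range it describes.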
@@ -5261,7 +5303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.7/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/kernel/devices.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/devices.if	2008-02-07 11:04:37.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -5442,7 +5484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.7/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/kernel/domain.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/domain.te	2008-02-11 16:43:14.000000000 -0500
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -5474,7 +5516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  
  # act on all domains keys
-@@ -148,3 +156,21 @@
+@@ -148,3 +156,25 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5485,6 +5527,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 +
 +optional_policy(`
++	cron_dontaudit_write_system_job_tmp_files(domain)
++')
++
++optional_policy(`
 +	rpm_rw_pipes(domain)
 +	rpm_dontaudit_use_script_fds(domain)
 +')
@@ -5498,7 +5544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
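Review bot: `cron_dontaudit_write_system_job_tmp_files(domain)` silences write denials on cron's job tmp and run files for every domain in the system, turning a real integrity signal — a confined daemon writing into cron's job output — into silence in the audit log. The usual cause, cron jobs leaking their stdout/stderr descriptors into child domains, is better handled by dontauditing only the domains that inherit those fds, or by closing them in crond, than by a global rule on `domain`. If the blanket rule has to stay, give it a comment in this block naming the leak it papers over so it can be removed later, e.g. `# cron job output fds leak into children; dontaudit until crond closes them`.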
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.7/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/kernel/files.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/files.if	2008-02-07 11:46:14.000000000 -0500
 @@ -1266,6 +1266,24 @@
  
  ########################################
@@ -5715,7 +5761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  files_mountpoint(vxfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.7/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/kernel/kernel.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/kernel/kernel.if	2008-02-08 12:06:51.000000000 -0500
 @@ -851,9 +851,8 @@
  		type proc_t, proc_afs_t;
  	')
@@ -6476,7 +6522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.7/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/apache.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/apache.te	2008-02-07 12:22:21.000000000 -0500
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -6814,7 +6860,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -638,6 +717,12 @@
+@@ -628,6 +707,7 @@
+ 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
+ ')
+ 
++domain_entry_file(httpd_sys_script_t,httpd_sys_content_t)
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ ')
+@@ -638,6 +718,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -6827,7 +6881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +740,6 @@
+@@ -655,10 +741,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -6838,7 +6892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache system script local policy
-@@ -668,7 +749,8 @@
+@@ -668,7 +750,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -6848,7 +6902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +764,44 @@
+@@ -682,15 +765,44 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -6894,7 +6948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +811,15 @@
+@@ -700,9 +812,15 @@
  	clamav_domtrans_clamscan(httpd_sys_script_t)
  ')
  
@@ -6910,7 +6964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -724,3 +841,46 @@
+@@ -724,3 +842,46 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -6968,7 +7022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
 +/etc/rc.d/init.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.7/policy/modules/services/apcupsd.if
 --- nsaserefpolicy/policy/modules/services/apcupsd.if	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/apcupsd.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/apcupsd.if	2008-02-11 13:25:12.000000000 -0500
 @@ -90,10 +90,102 @@
  ## </summary>
  ## </param>
@@ -7831,7 +7885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
 +/etc/rc.d/init.d/pand	--	gen_context(system_u:object_r:bluetooth_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.2.7/policy/modules/services/bluetooth.if
 --- nsaserefpolicy/policy/modules/services/bluetooth.if	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if	2008-02-07 13:14:54.000000000 -0500
 @@ -226,3 +226,88 @@
  	dontaudit $1 bluetooth_helper_domain:dir search;
  	dontaudit $1 bluetooth_helper_domain:file { read getattr };
@@ -8260,16 +8314,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.7/policy/modules/services/consolekit.fc
 --- nsaserefpolicy/policy/modules/services/consolekit.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/consolekit.fc	2008-02-06 11:02:29.000000000 -0500
-@@ -1,3 +1,5 @@
++++ serefpolicy-3.2.7/policy/modules/services/consolekit.fc	2008-02-11 13:56:47.000000000 -0500
+@@ -1,3 +1,6 @@
  /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
  
  /var/run/consolekit\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
++/var/run/ConsoleKit(/.*)?	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
++
++/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.2.7/policy/modules/services/consolekit.if
+--- nsaserefpolicy/policy/modules/services/consolekit.if	2007-03-20 09:23:13.000000000 -0400
++++ serefpolicy-3.2.7/policy/modules/services/consolekit.if	2008-02-11 13:28:12.000000000 -0500
+@@ -38,3 +38,24 @@
+ 	allow $1 consolekit_t:dbus send_msg;
+ 	allow consolekit_t $1:dbus send_msg;
+ ')
++
++########################################
++## <summary>
++##	Read consolekit log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`consolekit_read_log',`
++	gen_require(`
++		type consolekit_log_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
++')
++
 +
-+/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.7/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/consolekit.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/consolekit.te	2008-02-11 13:56:27.000000000 -0500
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
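Review bot: `/var/run/ConsoleKit(/.*)?` carries the `--` regular-file qualifier, so the `/var/run/ConsoleKit` directory itself (and any subdirectory) is not matched by the spec and stays var_run_t after a relabel, while the consolekit.te hunk below adds a `dir` filetrans that labels it consolekit_var_run_t at runtime — the two disagree and every restorecon will flip the label. Drop the `--` so the entry reads like the `/var/log/ConsoleKit(/.*)?` line directly under it. In the new `consolekit_read_log` interface, `files_search_pids($1)` grants search on /var/run, but per the fc line the log type lives under /var/log, so callers still cannot reach the file; it should be `logging_search_logs($1)`.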
@@ -8280,15 +8363,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  ########################################
  #
  # consolekit local policy
-@@ -24,20 +27,26 @@
+@@ -24,20 +27,27 @@
  allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
  allow consolekit_t self:unix_dgram_socket create_socket_perms;
  
 +manage_files_pattern(consolekit_t,consolekit_log_t,consolekit_log_t)
 +logging_log_filetrans(consolekit_t,consolekit_log_t, file)
 +
++manage_dirs_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
  manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
- files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
+-files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
++files_pid_filetrans(consolekit_t,consolekit_var_run_t, { file dir })
  
  kernel_read_system_state(consolekit_t)
  
@@ -8307,7 +8392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  # needs to read /var/lib/dbus/machine-id
  files_read_var_lib_files(consolekit_t)
  
-@@ -47,16 +56,32 @@
+@@ -47,16 +57,32 @@
  
  auth_use_nsswitch(consolekit_t)
  
@@ -8343,7 +8428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  
  	optional_policy(`
  		unconfined_dbus_chat(consolekit_t)
-@@ -64,6 +89,33 @@
+@@ -64,6 +90,33 @@
  ')
  
  optional_policy(`
@@ -8396,7 +8481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.7/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/cron.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/cron.if	2008-02-11 17:02:24.000000000 -0500
 @@ -35,38 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -8646,7 +8731,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ##	Read, and write cron daemon TCP sockets.
  ## </summary>
  ## <param name="domain">
-@@ -583,3 +495,23 @@
+@@ -558,11 +470,14 @@
+ #
+ interface(`cron_read_system_job_tmp_files',`
+ 	gen_require(`
+-		type system_crond_tmp_t;
++		type system_crond_tmp_t, cron_var_run_t;
+ 	')
+ 
+ 	files_search_tmp($1)
+ 	allow $1 system_crond_tmp_t:file read_file_perms;
++
++	files_search_pids($1)
++	allow $1 cron_var_run_t:file read_file_perms;
+ ')
+ 
+ ########################################
+@@ -583,3 +498,45 @@
  
  	dontaudit $1 system_crond_tmp_t:file append;
  ')
@@ -8654,6 +8755,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +
 +########################################
 +## <summary>
++##	Do not audit attempts to write temporary
++##	files from the system cron jobs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`cron_dontaudit_write_system_job_tmp_files',`
++	gen_require(`
++		type system_crond_tmp_t;
++		type system_crond_var_run_t;
++	')
++
++	dontaudit $1 system_crond_tmp_t:file write_file_perms;
++	dontaudit $1 cron_var_run_t:file write_file_perms;
++')
++
++
++########################################
++## <summary>
 +##	Read temporary files from the system cron jobs.
 +## </summary>
 +## <param name="domain">
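Review bot: `cron_dontaudit_write_system_job_tmp_files` requires `system_crond_var_run_t` in its `gen_require` but the dontaudit rule references `cron_var_run_t`; one of the two names is wrong, and as written the interface will either fail to build (undeclared type) or require a type it never uses. Going by the cron.te hunk later in this patch, which declares `cron_var_run_t`, the require line should be `type cron_var_run_t;`. The stray double blank line after the closing `')` should also go.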
@@ -8672,7 +8795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.7/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/cron.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/cron.te	2008-02-11 17:01:41.000000000 -0500
 @@ -12,14 +12,6 @@
  
  ## <desc>
@@ -8688,7 +8811,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ## Enable extra rules in the cron domain
  ## to support fcron.
  ## </p>
-@@ -50,6 +42,7 @@
+@@ -38,6 +30,10 @@
+ type cron_var_lib_t;
+ files_type(cron_var_lib_t)
+ 
++# var/lib files
++type cron_var_run_t;
++files_type(cron_var_run_t)
++
+ # var/log files
+ type cron_log_t;
+ logging_log_file(cron_log_t)
+@@ -50,6 +46,7 @@
  
  type crond_tmp_t;
  files_tmp_file(crond_tmp_t)
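Review bot: The comment above the new `cron_var_run_t` declaration says `# var/lib files`, copied from the `cron_var_lib_t` block just above it; it should read `# var/run files`. The type is declared with `files_type(cron_var_run_t)` while the sibling pid type in this file uses `files_pid_file(crond_var_run_t)`, and the later cron.te hunk (L757-758) creates it through `files_pid_filetrans`; unless the pid-file attribute is deliberately avoided, `files_pid_file(cron_var_run_t)` is the consistent declaration and presumably lets the generic pid-file interfaces cover it.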
@@ -8696,7 +8830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  type crond_var_run_t;
  files_pid_file(crond_var_run_t)
-@@ -71,6 +64,12 @@
+@@ -71,6 +68,12 @@
  type system_crond_tmp_t;
  files_tmp_file(system_crond_tmp_t)
  
@@ -8709,7 +8843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
  ')
-@@ -80,7 +79,7 @@
+@@ -80,7 +83,7 @@
  # Cron Local policy
  #
  
@@ -8718,7 +8852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  dontaudit crond_t self:capability { sys_resource sys_tty_config };
  allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow crond_t self:process { setexec setfscreate };
-@@ -99,15 +98,14 @@
+@@ -99,15 +102,14 @@
  allow crond_t crond_var_run_t:file manage_file_perms;
  files_pid_filetrans(crond_t,crond_var_run_t,file)
  
@@ -8737,7 +8871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  kernel_read_kernel_sysctls(crond_t)
  kernel_search_key(crond_t)
-@@ -133,6 +131,8 @@
+@@ -133,6 +135,8 @@
  corecmd_read_bin_symlinks(crond_t)
  
  domain_use_interactive_fds(crond_t)
@@ -8746,7 +8880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  files_read_etc_files(crond_t)
  files_read_generic_spool(crond_t)
-@@ -142,13 +142,16 @@
+@@ -142,13 +146,16 @@
  files_search_default(crond_t)
  
  init_rw_utmp(crond_t)
@@ -8763,7 +8897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -163,9 +166,6 @@
+@@ -163,9 +170,6 @@
  mta_send_mail(crond_t)
  
  ifdef(`distro_debian',`
@@ -8773,7 +8907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	optional_policy(`
  		# Debian logcheck has the home dir set to its cache
  		logwatch_search_cache_dir(crond_t)
-@@ -180,21 +180,45 @@
+@@ -180,21 +184,45 @@
  	')
  ')
  
@@ -8820,7 +8954,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -267,9 +291,16 @@
+@@ -236,6 +264,9 @@
+ allow system_crond_t cron_var_lib_t:file manage_file_perms;
+ files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
+ 
++allow system_crond_t cron_var_run_t:file manage_file_perms;
++files_pid_filetrans(system_crond_t,cron_var_run_t,file)
++
+ allow system_crond_t system_cron_spool_t:file read_file_perms;
+ # The entrypoint interface is not used as this is not
+ # a regular entrypoint.  Since crontab files are
+@@ -267,9 +298,13 @@
  filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
  files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
  
@@ -8828,9 +8972,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +files_search_var_lib(system_crond_t)
 +manage_files_pattern(system_crond_t,system_crond_var_lib_t,system_crond_var_lib_t)
 +
-+allow system_crond_t system_crond_var_run_t:file manage_file_perms;
-+files_pid_filetrans(system_crond_t,system_crond_var_run_t,file)
-+
  # Read from /var/spool/cron.
  allow system_crond_t cron_spool_t:dir list_dir_perms;
 -allow system_crond_t cron_spool_t:file read_file_perms;
@@ -8838,7 +8979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  kernel_read_kernel_sysctls(system_crond_t)
  kernel_read_system_state(system_crond_t)
-@@ -323,7 +354,7 @@
+@@ -323,7 +358,7 @@
  init_read_utmp(system_crond_t)
  init_dontaudit_rw_utmp(system_crond_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -8847,7 +8988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  auth_use_nsswitch(system_crond_t)
  
-@@ -333,6 +364,7 @@
+@@ -333,6 +368,7 @@
  libs_exec_ld_so(system_crond_t)
  
  logging_read_generic_logs(system_crond_t)
@@ -8855,7 +8996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  logging_send_syslog_msg(system_crond_t)
  
  miscfiles_read_localization(system_crond_t)
-@@ -348,18 +380,6 @@
+@@ -348,18 +384,6 @@
  	')
  ')
  
@@ -8874,7 +9015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  optional_policy(`
  	# Needed for certwatch
  	apache_exec_modules(system_crond_t)
-@@ -383,6 +403,14 @@
+@@ -383,6 +407,14 @@
  ')
  
  optional_policy(`
@@ -8889,7 +9030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	mrtg_append_create_logs(system_crond_t)
  ')
  
-@@ -415,8 +443,7 @@
+@@ -415,8 +447,7 @@
  ')
  
  optional_policy(`
@@ -8899,7 +9040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -424,8 +451,13 @@
+@@ -424,15 +455,12 @@
  ')
  
  optional_policy(`
@@ -8907,12 +9048,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +	unconfined_shell_domtrans(crond_t)
 +	unconfined_domain(crond_t)
  	unconfined_domain(system_crond_t)
-+')
+-
+-	userdom_priveleged_home_dir_manager(system_crond_t)
+ ')
  
+-ifdef(`TODO',`
+-ifdef(`mta.te', `
+-allow system_crond_t mail_spool_t:lnk_file read;
+-allow mta_user_agent system_crond_t:fd use;
+-r_dir_file(system_mail_t, crond_tmp_t)
 +optional_policy(`
- 	userdom_priveleged_home_dir_manager(system_crond_t)
++	userdom_priveleged_home_dir_manager(system_crond_t)
  ')
- 
+-') dnl end TODO
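Review bot: `userdom_priveleged_home_dir_manager(system_crond_t)` is moved out of the `optional_policy` block that also grants `unconfined_domain(system_crond_t)` into its own `optional_policy`, so system cron jobs become managers of privileged home directories whenever the userdomain module is present rather than only alongside the unconfined policy. If that widening is intended, a one-line comment above the call saying why system cron jobs need full home-directory management would help the next reader; if not, the call should stay under the unconfined block or be gated by a tunable. The removed `ifdef(`TODO',...)` block is history and needs no replacement.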
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.7/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-11-16 15:30:49.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/services/cups.fc	2008-02-06 11:02:29.000000000 -0500
@@ -9507,8 +9655,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.2.7/policy/modules/services/cyphesis.te
 --- nsaserefpolicy/policy/modules/services/cyphesis.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/cyphesis.te	2008-02-06 11:02:29.000000000 -0500
-@@ -0,0 +1,97 @@
++++ serefpolicy-3.2.7/policy/modules/services/cyphesis.te	2008-02-08 14:51:33.000000000 -0500
+@@ -0,0 +1,92 @@
 +policy_module(cyphesis,1.0.0)
 +
 +########################################
@@ -9569,7 +9717,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph
 +
 +logging_send_syslog_msg(cyphesis_t)
 +
-+## Networking basics (adjust to your needs!)
 +sysnet_dns_name_resolve(cyphesis_t)
 +corenet_tcp_sendrecv_all_if(cyphesis_t)
 +corenet_tcp_sendrecv_all_nodes(cyphesis_t)
@@ -9578,10 +9725,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph
 +corenet_tcp_cyphesis_bind(cyphesis_t)
 +corenet_tcp_sendrecv_all_ports(cyphesis_t)
 +
-+# DAN  Do you really need this?  
-+# For communication with the metaserver
-+# allow cyphesis_t port_t:udp_socket { recv_msg send_msg };
-+
 +# Init script handling
 +domain_use_interactive_fds(cyphesis_t)
 +
@@ -9695,7 +9838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.2.7/policy/modules/services/cyrus.te
 --- nsaserefpolicy/policy/modules/services/cyrus.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/cyrus.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/cyrus.te	2008-02-07 11:31:04.000000000 -0500
 @@ -19,6 +19,9 @@
  type cyrus_var_run_t;
  files_pid_file(cyrus_var_run_t)
@@ -9708,7 +9851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.7/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/dbus.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/dbus.if	2008-02-11 17:07:47.000000000 -0500
 @@ -53,6 +53,7 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -9761,7 +9904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  
  	selinux_get_fs_mount($1_dbusd_t)
  	selinux_validate_context($1_dbusd_t)
-@@ -161,12 +168,22 @@
+@@ -161,12 +168,23 @@
  	seutil_read_config($1_dbusd_t)
  	seutil_read_default_contexts($1_dbusd_t)
  
@@ -9769,6 +9912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +	userdom_dontaudit_search_sysadm_home_dirs($1_dbusd_t)
 +	userdom_read_unpriv_users_home_content_files($1_dbusd_t)
 +	userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)
++	userdom_dontaudit_use_user_terminals($1, $1_dbusd_t)
  
  	ifdef(`hide_broken_symptoms', `
  		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
@@ -9785,7 +9929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  	tunable_policy(`read_default_t',`
  		files_list_default($1_dbusd_t)
  		files_read_default_files($1_dbusd_t)
-@@ -182,6 +199,7 @@
+@@ -182,6 +200,7 @@
  	optional_policy(`
  		xserver_use_xdm_fds($1_dbusd_t)
  		xserver_rw_xdm_pipes($1_dbusd_t)
@@ -9793,16 +9937,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  	')
  ')
  
-@@ -214,7 +232,7 @@
+@@ -214,7 +233,8 @@
  
  	# SE-DBus specific permissions
  #	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
 -	allow $2 { system_dbusd_t self }:dbus send_msg;
 +	allow $2 { system_dbusd_t $2 }:dbus send_msg;
++	allow system_dbusd_t $2:dbus send_msg;
  
  	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($2)
-@@ -223,6 +241,10 @@
+@@ -223,6 +243,10 @@
  	files_search_pids($2)
  	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
  	dbus_read_config($2)
@@ -9813,7 +9958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  ')
  
  #######################################
-@@ -251,6 +273,7 @@
+@@ -251,6 +275,7 @@
  template(`dbus_user_bus_client_template',`
  	gen_require(`
  		type $1_dbusd_t;
@@ -9821,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  		class dbus send_msg;
  	')
  
-@@ -263,6 +286,7 @@
+@@ -263,6 +288,7 @@
  
  	# For connecting to the bus
  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
@@ -9829,7 +9974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  ')
  
  ########################################
-@@ -292,6 +316,59 @@
+@@ -292,6 +318,59 @@
  
  ########################################
  ## <summary>
@@ -9889,7 +10034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  ##	Read dbus configuration.
  ## </summary>
  ## <param name="domain">
-@@ -366,3 +443,55 @@
+@@ -366,3 +445,55 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -10670,7 +10815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.7/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/dnsmasq.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/dnsmasq.te	2008-02-07 11:09:49.000000000 -0500
 @@ -16,6 +16,9 @@
  type dnsmasq_var_run_t;
  files_pid_file(dnsmasq_var_run_t)
@@ -11039,7 +11184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.7/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2007-10-24 15:17:31.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/exim.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/exim.te	2008-02-08 14:51:51.000000000 -0500
 @@ -21,9 +21,20 @@
  ## </desc>
  gen_tunable(exim_manage_user_files,false)
@@ -11189,7 +11334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +	cyrus_stream_connect(exim_t)
 +')
 +
-+## receipt & validation
++# receipt & validation
 +
 +optional_policy(`
 +	clamav_domtrans_clamscan(exim_t)
@@ -11670,7 +11815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.2.7/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/gnomeclock.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/gnomeclock.te	2008-02-08 14:53:00.000000000 -0500
 @@ -0,0 +1,51 @@
 +policy_module(gnomeclock,1.0.0)
 +########################################
@@ -11690,7 +11835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +allow gnomeclock_t self:capability sys_time;
 +allow gnomeclock_t self:process getsched;
 +
-+## internal communication is often done using fifo and unix sockets.
++# internal communication is often done using fifo and unix sockets.
 +allow gnomeclock_t self:fifo_file rw_file_perms;
 +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
 +
@@ -12570,8 +12715,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.2.7/policy/modules/services/kerneloops.te
 --- nsaserefpolicy/policy/modules/services/kerneloops.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/kerneloops.te	2008-02-06 11:02:29.000000000 -0500
-@@ -0,0 +1,55 @@
++++ serefpolicy-3.2.7/policy/modules/services/kerneloops.te	2008-02-08 14:53:20.000000000 -0500
+@@ -0,0 +1,56 @@
 +policy_module(kerneloops,1.0.0)
 +
 +########################################
@@ -12597,9 +12742,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern
 +# Init script handling
 +domain_use_interactive_fds(kerneloops_t)
 +
-+## internal communication is often done using fifo and unix sockets.
++# internal communication is often done using fifo and unix sockets.
 +allow kerneloops_t self:fifo_file rw_file_perms;
 +allow kerneloops_t self:unix_stream_socket create_stream_socket_perms;
++allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +corenet_all_recvfrom_unlabeled(kerneloops_t)
 +corenet_all_recvfrom_netlabel(kerneloops_t)
@@ -12893,7 +13039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.7/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/mta.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/mta.if	2008-02-11 17:47:53.000000000 -0500
 @@ -133,6 +133,12 @@
  		sendmail_create_log($1_mail_t)
  	')
@@ -13794,7 +13940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +/var/log/wpa_supplicant\.log.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.7/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-12 10:15:45.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/networkmanager.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/networkmanager.if	2008-02-11 14:21:11.000000000 -0500
 @@ -97,3 +97,21 @@
  	allow $1 NetworkManager_t:dbus send_msg;
  	allow NetworkManager_t $1:dbus send_msg;
@@ -13819,7 +13965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.7/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/networkmanager.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/networkmanager.te	2008-02-11 13:33:00.000000000 -0500
 @@ -13,6 +13,9 @@
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
@@ -13839,7 +13985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
  allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
  allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-@@ -38,6 +41,9 @@
+@@ -38,10 +41,14 @@
  manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
  files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
  
@@ -13849,7 +13995,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  kernel_read_system_state(NetworkManager_t)
  kernel_read_network_state(NetworkManager_t)
  kernel_read_kernel_sysctls(NetworkManager_t)
-@@ -67,6 +73,7 @@
+ kernel_load_module(NetworkManager_t)
++kernel_read_debugfs(NetworkManager_t)
+ 
+ corenet_all_recvfrom_unlabeled(NetworkManager_t)
+ corenet_all_recvfrom_netlabel(NetworkManager_t)
+@@ -67,6 +74,7 @@
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
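Review bot: `kernel_read_debugfs(NetworkManager_t)` is added without a comment saying what NetworkManager reads from debugfs; debugfs exposes kernel internals well beyond what a network configuration daemon normally needs, so the rule deserves a why-comment such as `# reads <debugfs path, to be confirmed> for <reason>`. If the access was only observed as a denial while probing, a `dontaudit` may be the smaller fix. The surrounding run of kernel_* rules continues outside the hunk.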
@@ -13857,7 +14008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  
  mls_file_read_all_levels(NetworkManager_t)
  
-@@ -86,6 +93,8 @@
+@@ -86,6 +94,8 @@
  init_read_utmp(NetworkManager_t)
  init_domtrans_script(NetworkManager_t)
  
@@ -13866,14 +14017,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -129,21 +138,25 @@
+@@ -129,21 +139,21 @@
  ')
  
  optional_policy(`
-+	allow NetworkManager_t self:dbus send_msg;
-+
- 	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
- 	dbus_connect_system_bus(NetworkManager_t)
+-	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
+-	dbus_connect_system_bus(NetworkManager_t)
 +	dbus_system_domain(NetworkManager_t,NetworkManager_exec_t)
  ')
  
@@ -13895,7 +14044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  ')
  
  optional_policy(`
-@@ -155,19 +168,20 @@
+@@ -155,19 +165,20 @@
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
@@ -14793,8 +14942,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.7/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/polkit.if	2008-02-06 11:02:29.000000000 -0500
-@@ -0,0 +1,119 @@
++++ serefpolicy-3.2.7/policy/modules/services/polkit.if	2008-02-08 14:58:02.000000000 -0500
+@@ -0,0 +1,189 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@@ -14903,21 +15052,91 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +interface(`polkit_run_grant',`
 +	gen_require(`
 +		type polkit_grant_t;
-+		type polkit_auth_t;
 +	')
 +
 +	polkit_domtrans_grant($1)
 +	role $2 types polkit_grant_t;
-+	role $2 types polkit_auth_t;
 +	allow polkit_grant_t $3:chr_file rw_term_perms;
 +	allow $1 polkit_grant_t:process signal;
 +	read_files_pattern(polkit_grant_t, $1, $1)
 +	allow polkit_grant_t $1:process getattr;
 +')
++
++########################################
++## <summary>
++##	Execute a policy_auth in the policy_auth domain, and
++##	allow the specified role the policy_auth domain,
++##	and use the caller's terminal.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the load_policy domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the terminal allow the load_policy domain to use.
++##	</summary>
++## </param>
++#
++interface(`polkit_run_auth',`
++	gen_require(`
++		type polkit_auth_t;
++	')
++
++	polkit_domtrans_auth($1)
++	role $2 types polkit_auth_t;
++	allow polkit_auth_t $3:chr_file rw_term_perms;
++')
++
++#######################################
++## <summary>
++##	The per role template for the nsplugin module.
++## </summary>
++## <desc>
++##	<p>
++##	This template creates a derived domains which are used
++##	for nsplugin web browser.
++##	</p>
++##	<p>
++##	This template is invoked automatically for each user, and
++##	generally does not need to be invoked directly
++##	by policy writers.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++## <param name="user_role">
++##	<summary>
++##	The role associated with the user domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++template(`polkit_per_role_template',`
++	polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t })
++	polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t })
++	polkit_read_lib($2)
++')
++
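Review bot: The documentation of the two new interfaces is copy-pasted from other modules: `polkit_run_auth`'s summary says `policy_auth` and its role and terminal parameter summaries refer to the `load_policy domain`, while `polkit_per_role_template`'s summary and `<desc>` describe the nsplugin web browser. These `##` blocks feed the generated interface reference, so they should name the right module, e.g. `##	Execute polkit_auth in the polkit_auth domain, and`, `##	The role to be allowed the polkit_auth domain.` and `##	The per role template for the polkit module.`. Unlike `polkit_run_grant`, `polkit_run_auth` grants neither `$1` a `process signal` on the helper nor the helper getattr/read of `$1`; if that asymmetry is intended, a short comment would stop the next reader from filing it as an omission.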
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.7/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/polkit.te	2008-02-06 11:02:29.000000000 -0500
-@@ -0,0 +1,154 @@
++++ serefpolicy-3.2.7/policy/modules/services/polkit.te	2008-02-11 14:24:37.000000000 -0500
+@@ -0,0 +1,156 @@
 +policy_module(polkit_auth,1.0.0)
 +
 +########################################
@@ -15020,6 +15239,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
 +files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir })
 +
++userdom_append_unpriv_users_home_content_files(polkit_auth_t)
++
 +optional_policy(`
 +	dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
 +	consolekit_dbus_chat(polkit_auth_t)
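Review bot: `userdom_append_unpriv_users_home_content_files(polkit_auth_t)` lets the polkit authentication helper append to every unprivileged user's home content, a broad write grant for a helper that handles credentials, and nothing says which file it actually needs. A one-line comment naming the target (`# appends to <file, to be confirmed> in the user's home`) would justify it, and if the append is only a stray log write then a dontaudit variant would be the smaller rule. The rest of the polkit_auth_t policy lies outside the hunk.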
@@ -15960,8 +16181,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.7/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/prelude.te	2008-02-06 11:02:29.000000000 -0500
-@@ -0,0 +1,122 @@
++++ serefpolicy-3.2.7/policy/modules/services/prelude.te	2008-02-08 14:54:04.000000000 -0500
+@@ -0,0 +1,140 @@
 +policy_module(prelude,1.0.0)
 +
 +########################################
@@ -16004,11 +16225,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +
 +allow prelude_t self:capability sys_tty_config;
 +
-+## internal communication is often done using fifo and unix sockets.
++# internal communication is often done using fifo and unix sockets.
 +allow prelude_t self:fifo_file rw_file_perms;
 +allow prelude_t self:unix_stream_socket create_stream_socket_perms;
 +
-+allow prelude_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
++allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
 +allow prelude_t self:tcp_socket { bind create setopt listen };
 +
 +dev_read_rand(prelude_t)
@@ -16064,13 +16285,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +# Init script handling
 +domain_use_interactive_fds(audisp_prelude_t)
 +
-+## internal communication is often done using fifo and unix sockets.
++# internal communication is often done using fifo and unix sockets.
 +allow audisp_prelude_t self:fifo_file rw_file_perms;
 +allow audisp_prelude_t self:unix_stream_socket create_stream_socket_perms;
++allow audisp_prelude_t self:netlink_route_socket r_netlink_socket_perms;
++allow audisp_prelude_t self:tcp_socket create_socket_perms;
 +
 +manage_sock_files_pattern(audisp_prelude_t, audisp_prelude_var_run_t, audisp_prelude_var_run_t)
 +files_pid_filetrans(audisp_prelude_t, audisp_prelude_var_run_t, sock_file)
 +
++dev_read_rand(audisp_prelude_t)
++dev_read_urand(audisp_prelude_t)
++
 +files_read_etc_files(audisp_prelude_t)
 +
 +libs_use_ld_so(audisp_prelude_t)
@@ -16084,6 +16310,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +allow audisp_prelude_t self:unix_dgram_socket create_socket_perms;
 +
 +logging_audisp_system_domain(audisp_prelude_t, audisp_prelude_exec_t)
++
++files_search_spool(audisp_prelude_t)
++manage_dirs_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t)
++manage_files_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t)
++
++corenet_all_recvfrom_unlabeled(audisp_prelude_t)
++corenet_all_recvfrom_netlabel(audisp_prelude_t)
++corenet_tcp_sendrecv_all_if(audisp_prelude_t)
++corenet_tcp_sendrecv_all_nodes(audisp_prelude_t)
++corenet_tcp_bind_all_nodes(audisp_prelude_t)
++corenet_tcp_connect_prelude_port(audisp_prelude_t)
++
++allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;
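Review bot: `allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;` references `audisp_t`, a type owned by the logging module, directly from prelude.te; refpolicy convention is to reach another module's types only through that module's interfaces (as the `logging_audisp_system_domain` call above already does), so this rule belongs in a new interface in logging.if (name to be chosen) that prelude.te then calls. `corenet_tcp_bind_all_nodes(audisp_prelude_t)` also looks out of place next to `corenet_tcp_connect_prelude_port` with no matching port bind; if the plugin only connects out to the manager, the node bind can be dropped. The preceding audisp_prelude hunk (L1279-1298) adds the `tcp_socket create_socket_perms` these network rules rely on.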
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.2.7/policy/modules/services/privoxy.fc
 --- nsaserefpolicy/policy/modules/services/privoxy.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/services/privoxy.fc	2008-02-06 11:02:29.000000000 -0500
@@ -16238,7 +16477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.7/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/procmail.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/procmail.te	2008-02-07 12:12:59.000000000 -0500
 @@ -14,6 +14,10 @@
  type procmail_tmp_t;
  files_tmp_file(procmail_tmp_t)
@@ -16297,7 +16536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
  	sendmail_rw_tcp_sockets(procmail_t)
  	sendmail_rw_unix_stream_sockets(procmail_t)
  ')
-@@ -129,7 +147,9 @@
+@@ -129,7 +147,10 @@
  	corenet_udp_bind_generic_port(procmail_t)
  	corenet_dontaudit_udp_bind_all_ports(procmail_t)
  
@@ -16305,6 +16544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 -	spamassassin_exec_client(procmail_t)
 -	spamassassin_read_lib_files(procmail_t)
 +	spamassassin_domtrans(procmail_t)
++	spamassassin_domtrans_spamc(procmail_t)
 +')
 +
 +optional_policy(`
@@ -17781,7 +18021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.7/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/samba.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/samba.te	2008-02-08 14:53:50.000000000 -0500
 @@ -26,28 +26,28 @@
  
  ## <desc>
@@ -18073,7 +18313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +# smbcontrol local policy
 +#
 +
-+## internal communication is often done using fifo and unix sockets.
++# internal communication is often done using fifo and unix sockets.
 +allow smbcontrol_t self:fifo_file rw_file_perms;
 +allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
 +
@@ -19024,7 +19264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +/etc/rc.d/init.d/spamd	--	gen_context(system_u:object_r:spamd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.7/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if	2008-02-07 12:12:50.000000000 -0500
 @@ -37,7 +37,9 @@
  
  	gen_require(`
@@ -19588,7 +19828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.7/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/spamassassin.te	2008-02-06 11:02:29.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/spamassassin.te	2008-02-07 13:26:22.000000000 -0500
 @@ -21,8 +21,9 @@
  gen_tunable(spamd_enable_home_dirs,true)
  
@@ -21474,7 +21714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.7/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/services/xserver.te	2008-02-06 11:02:30.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/services/xserver.te	2008-02-11 14:21:09.000000000 -0500
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -21679,7 +21919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
  
-@@ -304,7 +363,16 @@
+@@ -304,7 +363,23 @@
  ')
  
  optional_policy(`
@@ -21687,16 +21927,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 +
 +optional_policy(`
++	consolekit_read_log(xdm_t)
++')
++
++optional_policy(`
  	consolekit_dbus_chat(xdm_t)
 +	dbus_system_bus_client_template(xdm, xdm_t)
 +	dbus_per_role_template(xdm, xdm_t, system_r)
 +	optional_policy(`
 +		hal_dbus_chat(xdm_t)
 +	')
++	optional_policy(`
++		networkmanager_dbus_chat(xdm_t)
++	')
  ')
  
  optional_policy(`
-@@ -322,6 +390,10 @@
+@@ -322,6 +397,10 @@
  ')
  
  optional_policy(`
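Review bot: `networkmanager_dbus_chat(xdm_t)` is nested inside the `optional_policy` block that is keyed on consolekit (the one opened around `consolekit_dbus_chat(xdm_t)`), so it is dropped whenever the consolekit module is absent even though NetworkManager may be present. The new `consolekit_read_log(xdm_t)` block above shows the intended shape: give the NetworkManager rule its own top-level `optional_policy(` networkmanager_dbus_chat(xdm_t) ')` beside the consolekit block instead of inside it. The `dbus_*_template` calls sharing the consolekit block have the same coupling, but that is pre-existing in the patch rather than introduced here.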
@@ -21707,7 +21954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -335,6 +407,11 @@
+@@ -335,6 +414,11 @@
  ')
  
  optional_policy(`
@@ -21719,7 +21966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -343,8 +420,8 @@
+@@ -343,8 +427,8 @@
  ')
  
  optional_policy(`
@@ -21729,7 +21976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +457,7 @@
+@@ -380,7 +464,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -21738,7 +21985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +469,15 @@
+@@ -392,6 +476,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -21754,7 +22001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,6 +490,7 @@
+@@ -404,6 +497,7 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -21762,7 +22009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_use_all_users_fonts(xdm_xserver_t)
  
-@@ -420,6 +507,14 @@
+@@ -420,6 +514,14 @@
  ')
  
  optional_policy(`
@@ -21777,7 +22024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +524,103 @@
+@@ -429,47 +531,103 @@
  ')
  
  optional_policy(`
@@ -21801,15 +22048,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	# xserver signals unconfined user on startx
 +	unconfined_signal(xdm_xserver_t)
 +	unconfined_getpgid(xdm_xserver_t)
-+')
-+
-+
-+tunable_policy(`allow_xserver_execmem', `
-+	allow xdm_xserver_t self:process { execheap execmem execstack };
-+')
-+
-+ifndef(`distro_redhat',`
-+	allow xdm_xserver_t self:process { execheap execmem };
  ')
  
 -ifdef(`TODO',`
@@ -21833,10 +22071,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -allow xdm_t polymember:lnk_file { create unlink };
 -# xdm needs access for copying .Xauthority into new home
 -allow xdm_t polymember:file { create getattr write };
-+ifdef(`distro_rhel4',`
-+	allow xdm_xserver_t self:process { execheap execmem };
++
++tunable_policy(`allow_xserver_execmem', `
++	allow xdm_xserver_t self:process { execheap execmem execstack };
  ')
  
++ifndef(`distro_redhat',`
++	allow xdm_xserver_t self:process { execheap execmem };
++')
++
++ifdef(`distro_rhel4',`
++	allow xdm_xserver_t self:process { execheap execmem };
++')
++
 +##############################
  #
 -# Wants to delete .xsession-errors file
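Review bot: The `ifndef(`distro_redhat',` block grants xdm_xserver_t execheap and execmem unconditionally, so on non-Red Hat builds the `allow_xserver_execmem` tunable above only adds execstack and it is the sole gate only on Red Hat builds; nothing in the hunk records that split. A short comment above the tunable, `# Red Hat builds gate execheap/execmem behind allow_xserver_execmem; other distros grant them unconditionally below`, would stop a reader from assuming the tunable controls the permission everywhere. The `ifdef(`distro_rhel4',` block then re-grants the same two permissions for RHEL4 — presumably because distro_redhat is also defined there — which deserves a one-line comment as well. The `gen_tunable` declaration for `allow_xserver_execmem` is not in this hunk, so its default and description cannot be checked here.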
@@ -22292,7 +22539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.7/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/authlogin.te	2008-02-06 11:06:09.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/system/authlogin.te	2008-02-11 17:22:21.000000000 -0500
 @@ -59,6 +59,9 @@
  type utempter_exec_t;
  application_domain(utempter_t,utempter_exec_t)
@@ -22472,6 +22719,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.2.7/policy/modules/system/init.fc
+--- nsaserefpolicy/policy/modules/system/init.fc	2007-10-12 08:56:08.000000000 -0400
++++ serefpolicy-3.2.7/policy/modules/system/init.fc	2008-02-11 16:58:09.000000000 -0500
+@@ -4,8 +4,7 @@
+ /etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
+ /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+-/etc/rc\.d/rc\.sysinit	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+-/etc/rc\.d/rc\.local	--	gen_context(system_u:object_r:initrc_exec_t,s0)
++/etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
+ /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.7/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.2.7/policy/modules/system/init.if	2008-02-06 11:02:30.000000000 -0500
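Review bot: `/etc/rc\.d/rc\.[^/]+` labels every regular file named `rc.<anything>` under /etc/rc.d as initrc_exec_t, whereas the two lines it replaces named rc.sysinit and rc.local explicitly. Because initrc_exec_t is the entry point into the init-script domain, an admin-created file such as `/etc/rc.d/rc.foo` (constructed example) will pick up that label at the next relabel, which is a wider grant than the original two entries. If the intent is to cover additional distro-shipped rc.* files, a comment naming them, e.g. `# rc.sysinit, rc.local and the other rc.* helpers shipped in /etc/rc.d`, would document the scope; otherwise keeping the list explicit is the tighter option.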
@@ -22772,7 +23032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.7/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/init.te	2008-02-06 15:09:41.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/system/init.te	2008-02-11 16:57:34.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -23007,7 +23267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
  allow iscsid_t self:unix_dgram_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.7/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/libraries.fc	2008-02-06 11:02:30.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/system/libraries.fc	2008-02-11 16:26:03.000000000 -0500
 @@ -133,6 +133,7 @@
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -23050,12 +23310,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -304,3 +309,5 @@
+@@ -304,3 +309,6 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
 +
 +/usr/lib(64)?/libavdevice\.so.*	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmythavcodec-[^/]+\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.7/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2008-02-06 10:33:22.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/system/libraries.te	2008-02-06 11:06:35.000000000 -0500
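Review bot: The new `libmythavcodec` entry uses `\.so.*`, which differs from the `\.so(\.[^/]*)*` form the rest of this file uses (see the nvidia lines earlier in the section); an unanchored `.*` also matches `/`, so the pattern reaches into any subdirectory or oddly named sibling path. Since textrel_shlib_t permits text relocations, the match should be as tight as the existing entries: `/usr/lib(64)?/libmythavcodec-[^/]+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`. The adjacent libavdevice line has the same loose suffix and was carried over from the earlier patch; both could be fixed together and moved up into the /usr/lib section rather than appended after the postfix chroot entries.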
@@ -23650,7 +23911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 +HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.7/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/miscfiles.if	2008-02-06 11:02:30.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/system/miscfiles.if	2008-02-07 11:09:32.000000000 -0500
 @@ -489,3 +489,44 @@
  	manage_lnk_files_pattern($1,locale_t,locale_t)
  ')
@@ -24013,8 +24274,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
 +/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.2.7/policy/modules/system/qemu.if
 --- nsaserefpolicy/policy/modules/system/qemu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/qemu.if	2008-02-06 11:02:30.000000000 -0500
-@@ -0,0 +1,105 @@
++++ serefpolicy-3.2.7/policy/modules/system/qemu.if	2008-02-07 10:20:14.000000000 -0500
+@@ -0,0 +1,151 @@
 +
 +## <summary>policy for qemu</summary>
 +
@@ -24120,6 +24381,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
 +	role $2 types qemu_t;
 +	allow qemu_t $3:chr_file rw_file_perms;
 +')
++
++########################################
++## <summary>
++##	Execute qemu programs in the qemu domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to allow the PAM domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the terminal allow the PAM domain to use.
++##	</summary>
++## </param>
++#
++interface(`qemu_runas',`
++	gen_require(`
++		type qemu_t;
++	')
++
++	qemu_domtrans($1)
++	allow qemu_t $3:chr_file rw_file_perms;
++')
++########################################
++## <summary>
++##	Execute qemu programs in the qemu domain.
++## </summary>
++## <param name="role">
++##	<summary>
++##	The role to allow the PAM domain.
++##	</summary>
++## </param>
++#
++interface(`qemu_role',`
++	gen_require(`
++		type qemu_t;
++	')
++	role $1 types qemu_t;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.7/policy/modules/system/qemu.te
 --- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/system/qemu.te	2008-02-06 11:02:30.000000000 -0500
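Review bot: `qemu_runas` documents a `role` parameter but its body never uses `$2`; only `$1` and `$3` appear, so the role is silently ignored and callers such as the `qemu_runas(unconfined_t, unconfined_r, …)` line in unconfined.te pass an argument that does nothing. The parameter descriptions for both new interfaces are copied from a PAM interface ("The role to allow the PAM domain", "The type of the terminal allow the PAM domain to use") and should name qemu instead, e.g. `##	The role to be allowed the qemu domain.` and `##	The type of the terminal allow the qemu domain to use.`. A comment on `qemu_runas` stating why the role assignment lives in the separate `qemu_role` interface — presumably so the transition can sit inside a `tunable_policy` block while the `role` statement, which cannot be conditional, stays outside — would explain the split; otherwise the interface reads as a duplicate of `qemu_run` above with one line missing. The `########` banner before `qemu_role` also lacks the blank line the rest of the file puts between interfaces.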
@@ -25332,8 +25639,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.7/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/unconfined.te	2008-02-06 11:02:30.000000000 -0500
-@@ -6,35 +6,59 @@
++++ serefpolicy-3.2.7/policy/modules/system/unconfined.te	2008-02-07 10:19:49.000000000 -0500
+@@ -6,35 +6,66 @@
  # Declarations
  #
  
@@ -25344,6 +25651,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +## </desc>
 +gen_tunable(allow_unconfined_nsplugin_transition,false)
 +
++## <desc>
++## <p>
++## Transition to confined qemu domains from unconfined user
++## </p>
++## </desc>
++gen_tunable(allow_unconfined_qemu_transition,false)
++
  # usage in this module of types created by these
  # calls is not correct, however we dont currently
  # have another method to add access to these types
@@ -25397,7 +25711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  
  libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,7 +66,10 @@
+@@ -42,7 +73,10 @@
  logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -25408,7 +25722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -51,13 +78,25 @@
+@@ -51,13 +85,25 @@
  userdom_priveleged_home_dir_manager(unconfined_t)
  
  optional_policy(`
@@ -25436,7 +25750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  	unconfined_domain(httpd_unconfined_script_t)
  ')
  
-@@ -69,11 +108,11 @@
+@@ -69,11 +115,11 @@
  	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
@@ -25453,7 +25767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  
  optional_policy(`
  	init_dbus_chat_script(unconfined_t)
-@@ -101,12 +140,24 @@
+@@ -101,12 +147,24 @@
  	')
  
  	optional_policy(`
@@ -25478,7 +25792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
-@@ -118,11 +169,7 @@
+@@ -118,11 +176,7 @@
  ')
  
  optional_policy(`
@@ -25491,7 +25805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
-@@ -134,14 +181,6 @@
+@@ -134,14 +188,6 @@
  ')
  
  optional_policy(`
@@ -25506,7 +25820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  	oddjob_domtrans_mkhomedir(unconfined_t)
  ')
  
-@@ -154,38 +193,32 @@
+@@ -154,38 +200,34 @@
  ')
  
  optional_policy(`
@@ -25518,13 +25832,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -
 -optional_policy(`
 -	pyzor_per_role_template(unconfined)
-+	qemu_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- ')
- 
+-')
+-
 -optional_policy(`
 -	# cjp: this should probably be removed:
 -	rpc_domtrans_nfsd(unconfined_t)
--')
++	tunable_policy(`allow_unconfined_qemu_transition', `
++		qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	')
++	qemu_role(unconfined_r)
+ ')
  
  optional_policy(`
  	rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
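Review bot: `qemu_role(unconfined_r)` is placed outside the `tunable_policy(`allow_unconfined_qemu_transition',` block, so unconfined_r is authorised for qemu_t regardless of the tunable while only the domain transition itself is gated; the hunk gives no hint whether that is deliberate. It presumably is — role statements cannot appear inside a conditional block — so a comment such as `# role statements cannot be conditional; only the transition is gated by the tunable` above the `qemu_role` call would keep the next reader from moving it inside and breaking the build. The enclosing `optional_policy(` that wraps these lines opens before this hunk.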
@@ -25552,7 +25869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
-@@ -205,11 +238,30 @@
+@@ -205,11 +247,30 @@
  ')
  
  optional_policy(`
@@ -25585,7 +25902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  ########################################
-@@ -219,14 +271,34 @@
+@@ -219,14 +280,34 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -25640,7 +25957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.7/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/userdomain.if	2008-02-06 14:51:11.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/system/userdomain.if	2008-02-11 17:21:21.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -26634,7 +26951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,32 +1093,17 @@
+@@ -1085,32 +1093,21 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -26652,15 +26969,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -		optional_policy(`
 -			cups_dbus_chat($1_t)
 -		')
--	')
--
--	optional_policy(`
--		java_per_role_template($1, $1_t, $1_r)
 +		alsa_read_rw_config($1_usertype)
  	')
  
 -	optional_policy(`
--		mono_per_role_template($1, $1_t, $1_r)
+-		java_per_role_template($1, $1_t, $1_r)
 -	')
 +	# Broken Cover up bugzilla #345921 Should be removed when this is fixed
 +	corenet_tcp_connect_soundd_port($1_t)
@@ -26669,12 +26982,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	corenet_tcp_sendrecv_lo_node($1_t)
  
  	optional_policy(`
--		setroubleshoot_dontaudit_stream_connect($1_t)
+-		mono_per_role_template($1, $1_t, $1_r)
 +		nsplugin_per_role_template($1, $1_usertype, $1_r)
  	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_dontaudit_stream_connect($1_t)
++		polkit_per_role_template($1, $1_usertype, $1_r)
+ 	')
  ')
  
-@@ -1121,10 +1114,10 @@
+@@ -1121,10 +1118,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -26689,7 +27007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1187,12 +1180,11 @@
+@@ -1187,12 +1184,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -26704,16 +27022,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1201,7 +1193,7 @@
+@@ -1201,7 +1197,11 @@
  	')
  
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
 +		nsplugin_per_role_template($1, $1_usertype, $1_r)
++	')
++
++	optional_policy(`
++		polkit_per_role_template($1, $1_usertype, $1_r)
  	')
  ')
  
-@@ -1278,8 +1270,6 @@
+@@ -1278,8 +1278,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -26722,7 +27044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1357,13 +1347,6 @@
+@@ -1357,13 +1355,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -26736,7 +27058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		userhelper_exec($1_t)
  	')
-@@ -1416,6 +1399,7 @@
+@@ -1416,6 +1407,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -26744,7 +27066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1781,10 +1765,14 @@
+@@ -1781,10 +1773,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -26760,7 +27082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1880,11 +1868,11 @@
+@@ -1880,11 +1876,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -26774,7 +27096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1914,11 +1902,11 @@
+@@ -1914,11 +1910,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -26788,7 +27110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1962,12 +1950,12 @@
+@@ -1962,12 +1958,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -26804,7 +27126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1997,10 +1985,10 @@
+@@ -1997,10 +1993,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -26817,7 +27139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2032,11 +2020,47 @@
+@@ -2032,11 +2028,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -26867,7 +27189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2068,10 +2092,10 @@
+@@ -2068,10 +2100,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -26880,7 +27202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2101,11 +2125,11 @@
+@@ -2101,11 +2133,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -26894,7 +27216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2135,11 +2159,11 @@
+@@ -2135,11 +2167,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -26909,7 +27231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2169,10 +2193,10 @@
+@@ -2169,10 +2201,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -26919,10 +27241,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
 -	dontaudit $2 $1_home_t:file write;
 +	dontaudit $2 user_home_t:file write;
++	fs_dontaudit_list_nfs($2)
++	fs_dontaudit_rw_nfs_files($2)
++	fs_dontaudit_list_cifs($2)
++	fs_dontaudit_rw_cifs_files($2)
  ')
  
  ########################################
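Review bot: The four added `fs_dontaudit_*` calls widen this template well past its name: `fs_dontaudit_rw_nfs_files($2)` and `fs_dontaudit_rw_cifs_files($2)` silence read as well as write denials on every NFS and CIFS file, not only user home content, and the list variants silence directory-listing denials too. Suppressing reads on arbitrary remote filesystems can hide genuine misconfiguration in domains that only asked to stop noise about home-file writes. If the goal is NFS/CIFS-hosted home directories, wrap the calls in `tunable_policy(`use_nfs_home_dirs',` and `tunable_policy(`use_samba_home_dirs',` blocks as other home-directory interfaces in refpolicy do, or at least add a comment saying the suppression intentionally covers all NFS/CIFS content. The enclosing `template(`userdom_dontaudit_write_user_home_content_files',` opens before this hunk.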
-@@ -2202,11 +2226,11 @@
+@@ -2202,11 +2238,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -26936,7 +27262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2236,11 +2260,11 @@
+@@ -2236,11 +2272,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -26950,7 +27276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2270,10 +2294,10 @@
+@@ -2270,10 +2306,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -26963,7 +27289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2305,12 +2329,12 @@
+@@ -2305,12 +2341,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -26979,7 +27305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2342,10 +2366,10 @@
+@@ -2342,10 +2378,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -26992,7 +27318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2377,12 +2401,12 @@
+@@ -2377,12 +2413,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -27008,7 +27334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2414,12 +2438,12 @@
+@@ -2414,12 +2450,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -27024,7 +27350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2451,12 +2475,12 @@
+@@ -2451,12 +2487,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -27040,7 +27366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2501,11 +2525,11 @@
+@@ -2501,11 +2537,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -27054,7 +27380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2550,11 +2574,11 @@
+@@ -2550,11 +2586,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -27068,7 +27394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2594,11 +2618,11 @@
+@@ -2594,11 +2630,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -27082,7 +27408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2628,11 +2652,11 @@
+@@ -2628,11 +2664,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -27096,7 +27422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2662,11 +2686,11 @@
+@@ -2662,11 +2698,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -27110,7 +27436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2698,10 +2722,10 @@
+@@ -2698,10 +2734,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -27123,7 +27449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2733,10 +2757,10 @@
+@@ -2733,10 +2769,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -27136,7 +27462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2766,12 +2790,12 @@
+@@ -2766,12 +2802,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -27152,7 +27478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2803,10 +2827,10 @@
+@@ -2803,10 +2839,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -27165,7 +27491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2838,10 +2862,48 @@
+@@ -2838,10 +2874,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -27216,7 +27542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2871,12 +2933,12 @@
+@@ -2871,12 +2945,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -27232,7 +27558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2908,10 +2970,10 @@
+@@ -2908,10 +2982,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -27245,7 +27571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2943,12 +3005,12 @@
+@@ -2943,12 +3017,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -27261,7 +27587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2980,11 +3042,11 @@
+@@ -2980,11 +3054,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -27275,7 +27601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3016,11 +3078,11 @@
+@@ -3016,11 +3090,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -27289,7 +27615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3052,11 +3114,11 @@
+@@ -3052,11 +3126,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -27303,7 +27629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3088,11 +3150,11 @@
+@@ -3088,11 +3162,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -27317,7 +27643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3124,11 +3186,11 @@
+@@ -3124,11 +3198,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -27331,7 +27657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3173,10 +3235,10 @@
+@@ -3173,10 +3247,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -27344,7 +27670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_tmp($2)
  ')
  
-@@ -3217,10 +3279,10 @@
+@@ -3217,10 +3291,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -27357,7 +27683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3248,6 +3310,42 @@
+@@ -3248,6 +3322,42 @@
  ##	</summary>
  ## </param>
  #
@@ -27400,7 +27726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -4225,11 +4323,11 @@
+@@ -4225,11 +4335,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -27414,7 +27740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4245,10 +4343,10 @@
+@@ -4245,10 +4355,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -27427,7 +27753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4264,11 +4362,11 @@
+@@ -4264,11 +4374,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -27441,7 +27767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4283,16 +4381,16 @@
+@@ -4283,16 +4393,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -27461,7 +27787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4301,38 +4399,32 @@
+@@ -4301,38 +4411,32 @@
  ##	</summary>
  ## </param>
  #
@@ -27509,7 +27835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4340,7 +4432,28 @@
+@@ -4340,7 +4444,28 @@
  ##	</summary>
  ## </param>
  #
@@ -27539,7 +27865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	gen_require(`
  		type sysadm_t;
  	')
-@@ -4525,10 +4638,10 @@
+@@ -4525,10 +4650,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -27552,7 +27878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4545,10 +4658,10 @@
+@@ -4545,10 +4670,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -27565,7 +27891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4563,10 +4676,10 @@
+@@ -4563,10 +4688,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -27578,7 +27904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4582,10 +4695,10 @@
+@@ -4582,10 +4707,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -27591,7 +27917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4600,10 +4713,10 @@
+@@ -4600,10 +4725,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -27604,7 +27930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4619,10 +4732,10 @@
+@@ -4619,10 +4744,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -27617,7 +27943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4638,12 +4751,11 @@
+@@ -4638,12 +4763,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -27633,7 +27959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4670,10 +4782,10 @@
+@@ -4670,10 +4794,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -27646,7 +27972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4688,10 +4800,10 @@
+@@ -4688,10 +4812,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -27659,7 +27985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4706,13 +4818,13 @@
+@@ -4706,13 +4830,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -27677,7 +28003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4748,11 +4860,49 @@
+@@ -4748,11 +4872,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -27728,7 +28054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4772,6 +4922,14 @@
+@@ -4772,6 +4934,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -27743,7 +28069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4833,6 +4991,26 @@
+@@ -4833,6 +5003,26 @@
  
  ########################################
  ## <summary>
@@ -27770,7 +28096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4853,6 +5031,25 @@
+@@ -4853,6 +5043,25 @@
  
  ########################################
  ## <summary>
@@ -27796,7 +28122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4873,6 +5070,26 @@
+@@ -4873,6 +5082,26 @@
  
  ########################################
  ## <summary>
@@ -27823,7 +28149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5109,7 +5326,7 @@
+@@ -5109,7 +5338,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -27832,7 +28158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5298,6 +5515,50 @@
+@@ -5298,6 +5527,50 @@
  
  ########################################
  ## <summary>
@@ -27883,7 +28209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5503,6 +5764,42 @@
+@@ -5503,6 +5776,42 @@
  
  ########################################
  ## <summary>
@@ -27926,7 +28252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5965,42 @@
+@@ -5668,6 +5977,42 @@
  
  ########################################
  ## <summary>
@@ -27969,7 +28295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +6031,277 @@
+@@ -5698,3 +6043,301 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -28247,9 +28573,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	files_tmp_filetrans($2, user_tmp_t, $3)
 +')
 +
++################################################
++## <summary>
++## Allow unpriv users read domains system state
++## </summary>
++## <desc>
++## Allow the ps command visibility to processes in
++## the specified domain when used by an 
++## unprivileged user
++## </desc>
++## <param name="domain_allowed_access">
++##	<summary>
++## 	Domain for which the ps command will have access
++##	</summary>
++## </param>
++## <rolebase/>
++## 
++#
++interface(`userdom_readable_process',`
++  gen_require(`
++      attribute unpriv_process;
++  ')
++
++  typeattribute $1 unpriv_process;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.7/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/userdomain.te	2008-02-06 11:02:30.000000000 -0500
++++ serefpolicy-3.2.7/policy/modules/system/userdomain.te	2008-02-08 14:50:33.000000000 -0500
 @@ -2,12 +2,7 @@
  policy_module(userdomain,2.5.0)
  
@@ -28296,7 +28646,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  # The privhome attribute identifies every domain that can create files under
  # regular user home directories in the regular context (IE act on behalf of
  # a user in writing regular files)
-@@ -101,40 +92,49 @@
+@@ -97,44 +88,54 @@
+ 
+ # unprivileged user domains
+ attribute unpriv_userdomain;
++attribute unpriv_process;
+ 
  attribute untrusted_content_type;
  attribute untrusted_content_tmp_type;
  
@@ -28374,7 +28729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  ########################################
  #
-@@ -154,6 +154,11 @@
+@@ -154,6 +155,11 @@
  
  init_exec(sysadm_t)
  
@@ -28386,7 +28741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  # Following for sending reboot and wall messages
  userdom_use_unpriv_users_ptys(sysadm_t)
  userdom_use_unpriv_users_ttys(sysadm_t)
-@@ -170,46 +175,7 @@
+@@ -170,46 +176,7 @@
  	')
  ')
  
@@ -28434,7 +28789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
-@@ -224,6 +190,10 @@
+@@ -224,6 +191,10 @@
  ')
  
  optional_policy(`
@@ -28445,7 +28800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
-@@ -279,14 +249,6 @@
+@@ -279,14 +250,6 @@
  ')
  
  optional_policy(`
@@ -28460,7 +28815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	cron_admin_template(sysadm, sysadm_t, sysadm_r)
  ')
  
-@@ -302,12 +264,9 @@
+@@ -302,12 +265,9 @@
  
  optional_policy(`
  	dmesg_exec(sysadm_t)
@@ -28474,7 +28829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  optional_policy(`
  	dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
  ')
-@@ -352,6 +311,10 @@
+@@ -352,6 +312,10 @@
  ')
  
  optional_policy(`
@@ -28485,7 +28840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	lvm_run(sysadm_t, sysadm_r, admin_terminal)
  ')
  
-@@ -387,6 +350,10 @@
+@@ -387,6 +351,10 @@
  ')
  
  optional_policy(`
@@ -28496,7 +28851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	netutils_run(sysadm_t, sysadm_r, admin_terminal)
  	netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
  	netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
-@@ -436,15 +403,19 @@
+@@ -436,15 +404,19 @@
  
  optional_policy(`
  	samba_run_net(sysadm_t, sysadm_r, admin_terminal)
@@ -28517,7 +28872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	', `
  		userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
  	')
-@@ -487,3 +458,8 @@
+@@ -487,3 +459,13 @@
  optional_policy(`
  	yam_run(sysadm_t, sysadm_r, admin_terminal)
  ')
@@ -28526,6 +28881,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	term_use_console(userdomain)
 +')
 +
++# Allow unpriv users to read system state of unpriv processes
++read_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process)
++read_lnk_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process)
++allow unpriv_userdomain unpriv_process:process getattr;
++dontaudit unpriv_userdomain unpriv_process:process ptrace;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.7/policy/modules/system/virt.fc
 --- nsaserefpolicy/policy/modules/system/virt.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.7/policy/modules/system/virt.fc	2008-02-06 11:02:30.000000000 -0500
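Review bot: The `read_files_pattern`/`read_lnk_files_pattern` lines grant every `unpriv_userdomain` read access to any file labelled with an `unpriv_process` domain type, which for /proc/<pid> entries (labelled with the task's domain type) is the whole per-process directory — status, cmdline, fd symlinks, and so on — not just what `ps` reads, and the comment should say so: `# /proc/<pid> entries carry the task's domain type, so this exposes the full process state of every domain tagged unpriv_process to all unprivileged user domains`. The rules are unconditional; a `tunable_policy` boolean would let sites that want process state hidden from unprivileged users opt out without a local policy module. The `dontaudit ... ptrace` line will also silence the ptrace-gated entries (maps, environ) that the kernel refuses for other users' processes, which I assume is the intent so ps does not fill the audit log; a one-line comment stating that would stop a later reader from "fixing" it into an allow. These rules rely on the `attribute unpriv_process;` declaration added in the earlier userdomain.te hunk.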
@@ -28873,8 +29233,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.7/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/system/virt.te	2008-02-06 11:02:30.000000000 -0500
-@@ -0,0 +1,137 @@
++++ serefpolicy-3.2.7/policy/modules/system/virt.te	2008-02-07 11:31:40.000000000 -0500
+@@ -0,0 +1,158 @@
 +
 +policy_module(virt,1.0.0)
 +
@@ -28963,12 +29323,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
 +corenet_tcp_sendrecv_all_nodes(virtd_t)
 +corenet_tcp_sendrecv_all_ports(virtd_t)
 +corenet_tcp_bind_all_nodes(virtd_t)
++corenet_tcp_bind_virt_port(virtd_t)
 +corenet_tcp_bind_vnc_port(virtd_t)
++corenet_tcp_connect_vnc_port(virtd_t)
++corenet_tcp_connect_soundd_port(virtd_t)
 +corenet_rw_tun_tap_dev(virtd_t)
 +
++dev_read_sysfs(virtd_t)
++
 +kernel_read_system_state(virtd_t)
 +kernel_read_network_state(virtd_t)
 +kernel_rw_net_sysctls(virtd_t)
++kernel_write_xen_state(virtd_t)
 +
 +# Init script handling
 +domain_use_interactive_fds(virtd_t)
@@ -28981,6 +29347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
 +libs_use_shared_libs(virtd_t)
 +
 +miscfiles_read_localization(virtd_t)
++miscfiles_read_certs(virtd_t)
 +
 +auth_use_nsswitch(virtd_t)
 +
@@ -28991,10 +29358,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
 +')
 +
 +optional_policy(`
-+	qemu_domtrans(virtd_t)
-+	qemu_read_state(virtd_t)
-+	qemu_signal(virtd_t)
-+	qemu_sigkill(virtd_t)
++	dbus_system_bus_client_template(virtd,virtd_t)
++	optional_policy(`
++		avahi_dbus_chat(virtd_t)
++	')
++
++	optional_policy(`
++		hal_dbus_chat(virtd_t)
++	')
 +')
 +
 +optional_policy(`
@@ -29007,15 +29378,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
 +')
 +
 +optional_policy(`
-+	dbus_system_bus_client_template(virtd,virtd_t)
-+	optional_policy(`
-+		avahi_dbus_chat(virtd_t)
-+	')
++	qemu_domtrans(virtd_t)
++	qemu_read_state(virtd_t)
++	qemu_signal(virtd_t)
++	qemu_sigkill(virtd_t)
 +')
++
++optional_policy(`
++	sasl_connect(virtd_t)
++')
++
++optional_policy(`
++	xen_stream_connect(virtd_t)
++	xen_stream_connect_xenstore(virtd_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.7/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2007-06-21 09:32:04.000000000 -0400
-+++ serefpolicy-3.2.7/policy/modules/system/xen.if	2008-02-06 11:02:30.000000000 -0500
-@@ -191,3 +191,24 @@
++++ serefpolicy-3.2.7/policy/modules/system/xen.if	2008-02-07 11:26:47.000000000 -0500
+@@ -167,11 +167,14 @@
+ #
+ interface(`xen_stream_connect',`
+ 	gen_require(`
+-		type xend_t, xend_var_run_t;
++		type xend_t, xend_var_run_t,  xend_var_lib_t;
+ 	')
+ 
+ 	files_search_pids($1)
+ 	stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t)
++
++	files_search_var_lib($1)
++	stream_connect_pattern($1,xend_var_lib_t,xend_var_lib_t,xend_t)
+ ')
+ 
+ ########################################
+@@ -191,3 +194,24 @@
  
  	domtrans_pattern($1,xm_exec_t,xm_t)
  ')
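Review bot: In the xen.if hunk the widened `gen_require` line `type xend_t, xend_var_run_t,  xend_var_lib_t;` has a doubled space before `xend_var_lib_t`. `xen_stream_connect` now also connects to sockets under `xend_var_lib_t` via `files_search_var_lib($1)`, so the interface's `<summary>` (which sits above this hunk, outside the shown lines) should mention that both the pid and var_lib socket locations are covered; a short comment before the new pair, `# xend also places its unix sockets under /var/lib/xend`, would explain the second `stream_connect_pattern`. The virt.te part of the hunk only reorders the qemu block and adds the sasl and xen `optional_policy` blocks, and leaves a trailing blank `+` line at the end of the new file.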
@@ -29395,8 +29792,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.7/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.7/policy/modules/users/staff.te	2008-02-06 15:11:44.000000000 -0500
-@@ -0,0 +1,65 @@
++++ serefpolicy-3.2.7/policy/modules/users/staff.te	2008-02-08 14:13:09.000000000 -0500
+@@ -0,0 +1,60 @@
 +policy_module(staff,1.0.1)
 +userdom_unpriv_user_template(staff)
 +
@@ -29455,11 +29852,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
 +')
 +
 +optional_policy(`
-+	polkit_run_grant(staff_t, staff_r, { staff_devpts_t staff_tty_device_t })
-+	polkit_read_lib(staff_t)
-+')
-+
-+optional_policy(`
 +	xserver_per_role_template(staff, staff_t, staff_r)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.7/policy/modules/users/user.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3605061..ab3c4b7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.7
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,13 @@ exit 0
 %endif
 
 %changelog
+* Thu Feb 5 2008 Dan Walsh <dwalsh@redhat.com> 3.2.7-3
+- More fixes for polkit
+
+* Thu Feb 5 2008 Dan Walsh <dwalsh@redhat.com> 3.2.7-2
+- Eliminate transition from unconfined_t to qemu by default
+- Fixes for gpg
+
 * Tue Feb 5 2008 Dan Walsh <dwalsh@redhat.com> 3.2.7-1
 - Update to upstream