diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3bb8b64..70f841e 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -970,7 +970,7 @@ pyzor = module
#
# Policy for qmail
#
-qmail = on
+qmail = base
# Layer: admin
# Module: quota
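Review bot: `qmail = base` links the qmail policy into the base module, so it is loaded on every targeted system and cannot be removed with `semodule -r`, while every other service visible in this file (`pyzor = module`, the new `prelude = module`) is a loadable module. `on` is not a value the refpolicy Makefile recognizes (it selects on base/module/off, as far as I recall), so the old line most likely meant qmail was silently not built at all; unless some base module references qmail's types, `qmail = module` is the usual replacement.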
@@ -1599,3 +1599,10 @@ staff = base
#
user = base
+# Layer: services
+# Module: prelude
+#
+#
+#
+prelude = module
+
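Review bot: The three `#` lines between `# Module: prelude` and `prelude = module` are empty, whereas the other entries in this file carry a one-line description (compare `# Policy for qmail` above). Given what prelude.fc in this patch labels, `# Policy for the prelude-manager IDS daemon and the audisp-prelude plugin` would document the entry.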
diff --git a/policy-20071130.patch b/policy-20071130.patch
index fa11367..b03939d 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -4710,7 +4710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.5/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/wine.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/wine.te 2008-01-30 09:39:12.000000000 -0500
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
@@ -4719,7 +4719,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
########################################
#
-@@ -20,7 +21,12 @@
+@@ -17,10 +18,16 @@
+
+ optional_policy(`
+ allow wine_t self:process { execstack execmem execheap };
++ domain_mmap_low(wine_t)
unconfined_domain_noaudit(wine_t)
files_execmod_all_files(wine_t)
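Review bot: `domain_mmap_low(wine_t)` lets wine_t map the bottom of the address space (the `mmap_zero` check), which is the mitigation against NULL-pointer-dereference kernel exploits, and it is granted unconditionally here whenever the unconfined module is present. Because only programs that genuinely need a low mapping require it (Wine's DOS/Win16 support, I believe), wrapping this one line in a `tunable_policy` block behind a `gen_tunable` boolean would let hosts that do not run such binaries keep the protection; at minimum add `# Wine needs to map low memory for legacy 16-bit code — confirm` above it. The optional_policy block continues past the end of the hunk.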
@@ -5437,7 +5441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2008-01-28 10:12:03.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2008-01-30 13:26:28.000000000 -0500
@@ -1266,6 +1266,24 @@
########################################
@@ -5997,7 +6001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.5/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/amavis.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/amavis.te 2008-01-30 15:55:15.000000000 -0500
@@ -38,6 +38,9 @@
type amavis_spool_t;
files_type(amavis_spool_t)
@@ -7205,8 +7209,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.5/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/automount.if 2008-01-18 12:40:46.000000000 -0500
-@@ -74,3 +74,90 @@
++++ serefpolicy-3.2.5/policy/modules/services/automount.if 2008-01-30 09:22:41.000000000 -0500
+@@ -74,3 +74,109 @@
dontaudit $1 automount_tmp_t:dir getattr;
')
@@ -7231,6 +7235,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
+
+########################################
+##
++## Do not audit attempts to write automount daemon unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`automount_dontaudit_write_pipes',`
++ gen_require(`
++ type automount_t;
++ ')
++
++ dontaudit $1 automount_t:fifo_file write;
++')
++
++
++########################################
++##
+## Execute automount server in the automount domain.
+##
+##
@@ -7782,7 +7805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.5/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2008-01-30 11:17:07.000000000 -0500
@@ -32,6 +32,9 @@
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
@@ -7802,10 +7825,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
-@@ -127,6 +130,7 @@
+@@ -110,6 +113,8 @@
+ files_read_etc_runtime_files(bluetooth_t)
+ files_read_usr_files(bluetooth_t)
+
++auth_use_nsswitch(bluetooth_t)
++
+ libs_use_ld_so(bluetooth_t)
+ libs_use_shared_libs(bluetooth_t)
+
+@@ -118,19 +123,18 @@
+ miscfiles_read_localization(bluetooth_t)
+ miscfiles_read_fonts(bluetooth_t)
+
+-sysnet_read_config(bluetooth_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+ userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
+ userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
+
+ optional_policy(`
+- dbus_system_bus_client_template(bluetooth,bluetooth_t)
+- dbus_connect_system_bus(bluetooth_t)
++ cups_dbus_chat(bluetooth_t)
+ ')
+
optional_policy(`
- dbus_system_bus_client_template(bluetooth,bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
+- nis_use_ypbind(bluetooth_t)
++ dbus_system_bus_client_template(bluetooth,bluetooth_t)
++ dbus_connect_system_bus(bluetooth_t)
+ dbus_system_domain(bluetooth_t,bluetooth_exec_t)
')
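Review bot: `cups_dbus_chat(bluetooth_t)` arrives with no comment on why the Bluetooth daemon must exchange D-Bus messages with cupsd, and it sits alone in its own optional_policy block with nothing to explain it. A one-liner such as `# bluez CUPS backend talks to cupsd over the system bus — confirm` would keep the next reviewer from pruning it as an accidental grant.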
@@ -8193,7 +8241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/cron.if 2008-01-28 11:45:43.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cron.if 2008-01-30 09:22:11.000000000 -0500
@@ -35,38 +35,23 @@
#
template(`cron_per_role_template',`
@@ -9750,8 +9798,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.5/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dcc.te 2008-01-18 12:40:46.000000000 -0500
-@@ -124,7 +124,7 @@
++++ serefpolicy-3.2.5/policy/modules/services/dcc.te 2008-01-30 11:56:42.000000000 -0500
+@@ -105,6 +105,8 @@
+ files_read_etc_files(cdcc_t)
+ files_read_etc_runtime_files(cdcc_t)
+
++auth_use_nsswitch(cdcc_t)
++
+ libs_use_ld_so(cdcc_t)
+ libs_use_shared_libs(cdcc_t)
+
+@@ -112,19 +114,12 @@
+
+ miscfiles_read_localization(cdcc_t)
+
+-sysnet_read_config(cdcc_t)
+-sysnet_dns_name_resolve(cdcc_t)
+-
+-optional_policy(`
+- nscd_socket_use(cdcc_t)
+-')
+-
+ ########################################
+ #
# dcc procmail interface local policy
#
@@ -9760,7 +9829,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
allow dcc_client_t self:udp_socket create_socket_perms;
-@@ -148,6 +148,10 @@
+@@ -141,6 +136,7 @@
+
+ corenet_all_recvfrom_unlabeled(dcc_client_t)
+ corenet_all_recvfrom_netlabel(dcc_client_t)
++corenet_udp_bind_all_nodes(dcc_client_t)
+ corenet_udp_sendrecv_generic_if(dcc_client_t)
+ corenet_udp_sendrecv_all_nodes(dcc_client_t)
+ corenet_udp_sendrecv_all_ports(dcc_client_t)
+@@ -148,6 +144,10 @@
files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)
@@ -9771,7 +9848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
libs_use_ld_so(dcc_client_t)
libs_use_shared_libs(dcc_client_t)
-@@ -155,11 +159,8 @@
+@@ -155,11 +155,8 @@
miscfiles_read_localization(dcc_client_t)
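Review bot: `corenet_udp_bind_all_nodes(dcc_client_t)` is added with no accompanying port-bind permission, which is correct only because the client binds port 0 (as far as I recall, the kernel's socket_bind hook checks name_bind just for non-ephemeral ports), and that reasoning should be recorded before the next denial in this area tempts someone to add a port bind. Suggest `# bind() an ephemeral UDP port for DCC queries; name_bind is not needed for port 0` above the line. The dcc_client_t rules continue outside the hunk.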
@@ -9784,17 +9861,103 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
')
########################################
-@@ -275,9 +276,7 @@
- userdom_dontaudit_use_unpriv_user_fds(dccd_t)
- userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
+@@ -191,6 +188,8 @@
+ files_read_etc_files(dcc_dbclean_t)
+ files_read_etc_runtime_files(dcc_dbclean_t)
+
++auth_use_nsswitch(dcc_dbclean_t)
++
+ libs_use_ld_so(dcc_dbclean_t)
+ libs_use_shared_libs(dcc_dbclean_t)
+
+@@ -198,13 +197,6 @@
+
+ miscfiles_read_localization(dcc_dbclean_t)
+-sysnet_read_config(dcc_dbclean_t)
+-sysnet_dns_name_resolve(dcc_dbclean_t)
+-
-optional_policy(`
-- nscd_socket_use(dccd_t)
+- nscd_socket_use(dcc_dbclean_t)
-')
+-
+ ########################################
+ #
+ # Server daemon local policy
+@@ -262,6 +254,8 @@
+ fs_getattr_all_fs(dccd_t)
+ fs_search_auto_mountpoints(dccd_t)
+
+auth_use_nsswitch(dccd_t)
++
+ libs_use_ld_so(dccd_t)
+ libs_use_shared_libs(dccd_t)
+
+@@ -276,10 +270,6 @@
+ userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
optional_policy(`
+- nscd_socket_use(dccd_t)
+-')
+-
+-optional_policy(`
seutil_sigchld_newrole(dccd_t)
+ ')
+
+@@ -335,6 +325,8 @@
+ fs_getattr_all_fs(dccifd_t)
+ fs_search_auto_mountpoints(dccifd_t)
+
++auth_use_nsswitch(dccifd_t)
++
+ libs_use_ld_so(dccifd_t)
+ libs_use_shared_libs(dccifd_t)
+
+@@ -342,17 +334,10 @@
+
+ miscfiles_read_localization(dccifd_t)
+
+-sysnet_read_config(dccifd_t)
+-sysnet_dns_name_resolve(dccifd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+ userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
+
+ optional_policy(`
+- nscd_socket_use(dccifd_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(dccifd_t)
+ ')
+
+@@ -407,6 +392,8 @@
+ fs_getattr_all_fs(dccm_t)
+ fs_search_auto_mountpoints(dccm_t)
+
++auth_use_nsswitch(dccm_t)
++
+ libs_use_ld_so(dccm_t)
+ libs_use_shared_libs(dccm_t)
+
+@@ -414,17 +401,10 @@
+
+ miscfiles_read_localization(dccm_t)
+
+-sysnet_read_config(dccm_t)
+-sysnet_dns_name_resolve(dccm_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+ userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
+
+ optional_policy(`
+- nscd_socket_use(dccm_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(dccm_t)
+ ')
+
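Review bot: `auth_use_nsswitch` is a broader grant than the three rules it replaces for dcc_dbclean_t, dccifd_t and dccm_t: beyond DNS lookup and the nscd socket it also opens (optionally, in refpolicy 3.x as I recall it) LDAP, NIS and winbind client access for name-service lookups. That is the accepted consolidation pattern, but for daemons that only need to resolve DCC server names it is worth a comment saying the extra access is accepted on purpose, e.g. `# nss lookups: dns/nscd, plus ldap/nis when so configured` next to each call.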
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.fc serefpolicy-3.2.5/policy/modules/services/ddclient.fc
--- nsaserefpolicy/policy/modules/services/ddclient.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ddclient.fc 2008-01-18 12:40:46.000000000 -0500
@@ -14170,7 +14333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.5/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.fc 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postfix.fc 2008-01-30 11:28:13.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -14186,7 +14349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-24 13:33:34.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-30 11:25:20.000000000 -0500
@@ -206,9 +206,8 @@
type postfix_etc_t;
')
@@ -14357,7 +14520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# Local Policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2008-01-30 11:27:45.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
@@ -14624,13 +14787,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.2.5/policy/modules/services/postgrey.fc
--- nsaserefpolicy/policy/modules/services/postgrey.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postgrey.fc 2008-01-18 12:40:46.000000000 -0500
-@@ -7,3 +7,5 @@
++++ serefpolicy-3.2.5/policy/modules/services/postgrey.fc 2008-01-30 11:29:02.000000000 -0500
+@@ -7,3 +7,7 @@
/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/etc/rc.d/init.d/postgrey -- gen_context(system_u:object_r:postgrey_script_exec_t,s0)
++
++/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.2.5/policy/modules/services/postgrey.if
--- nsaserefpolicy/policy/modules/services/postgrey.if 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgrey.if 2008-01-18 12:40:46.000000000 -0500
@@ -14711,8 +14876,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.2.5/policy/modules/services/postgrey.te
--- nsaserefpolicy/policy/modules/services/postgrey.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postgrey.te 2008-01-18 15:11:00.000000000 -0500
-@@ -19,12 +19,15 @@
++++ serefpolicy-3.2.5/policy/modules/services/postgrey.te 2008-01-30 16:04:16.000000000 -0500
+@@ -13,26 +13,37 @@
+ type postgrey_etc_t;
+ files_config_file(postgrey_etc_t)
+
++type postgrey_spool_t;
++files_type(postgrey_spool_t)
++
+ type postgrey_var_lib_t;
+ files_type(postgrey_var_lib_t)
+
type postgrey_var_run_t;
files_pid_file(postgrey_var_run_t)
@@ -14729,7 +14903,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
-@@ -85,6 +88,11 @@
++allow postgrey_t self:fifo_file create_fifo_file_perms;
+
+ allow postgrey_t postgrey_etc_t:dir list_dir_perms;
+ read_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
+ read_lnk_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
+
++manage_dirs_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
++manage_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
++manage_fifo_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
++
+ manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t)
+ files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
+
+@@ -85,6 +96,11 @@
')
optional_policy(`
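Review bot: The new spool rules grant postgrey_t dirs, files and fifo_files on postgrey_spool_t but no sock_file class, yet a postgrey started with `--unix=/var/spool/postfix/postgrey/socket` (the Fedora default, as far as I recall) creates a unix socket there, which these rules will deny. Add `manage_sock_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)`; and because the directory lives under postfix's spool, postgrey_t also needs search on the parent directory and postfix's smtpd needs a stream-connect interface to reach the socket — neither appears in this hunk, so confirm they are provided elsewhere.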
@@ -14880,6 +15067,263 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.2.5/policy/modules/services/prelude.fc
+--- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/prelude.fc 2008-01-30 15:51:42.000000000 -0500
+@@ -0,0 +1,14 @@
++
++/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0)
++
++/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
++
++/etc/rc.d/init.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0)
++
++/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
++
++/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
++/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
++/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.2.5/policy/modules/services/prelude.if
+--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/prelude.if 2008-01-30 15:42:04.000000000 -0500
+@@ -0,0 +1,116 @@
++
++## policy for prelude
++
++########################################
++##
++## Execute a domain transition to run prelude.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`prelude_domtrans',`
++ gen_require(`
++ type prelude_t;
++ type prelude_exec_t;
++ ')
++
++ domtrans_pattern($1,prelude_exec_t,prelude_t)
++')
++
++
++########################################
++##
++## Execute prelude server in the prelude domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`prelude_script_domtrans',`
++ gen_require(`
++ type prelude_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,prelude_script_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an prelude environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the syslog domain.
++##
++##
++##
++##
++## The type of the user terminal.
++##
++##
++##
++#
++interface(`prelude_admin',`
++ gen_require(`
++ type prelude_t;
++ ')
++
++ allow $1 prelude_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, prelude_t, prelude_t)
++
++
++ # Allow prelude_t to restart the apache service
++ prelude_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 prelude_script_exec_t system_r;
++ allow $2 system_r;
++
++')
++
++########################################
++##
++## Execute a domain transition to run audisp_prelude.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`audisp_prelude_domtrans',`
++ gen_require(`
++ type audisp_prelude_t;
++ type audisp_prelude_exec_t;
++ ')
++
++ domtrans_pattern($1,audisp_prelude_exec_t,audisp_prelude_t)
++')
++
++########################################
++##
++## Signal the audisp_prelude domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`audisp_prelude_signal',`
++ gen_require(`
++ type audisp_prelude_t;
++ ')
++
++ allow $1 audisp_prelude_t:process signal;
++')
+Binary files nsaserefpolicy/policy/modules/services/prelude.pp and serefpolicy-3.2.5/policy/modules/services/prelude.pp differ
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.5/policy/modules/services/prelude.te
+--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/prelude.te 2008-01-30 15:55:36.000000000 -0500
+@@ -0,0 +1,114 @@
++policy_module(prelude,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type prelude_t;
++type prelude_exec_t;
++domain_type(prelude_t)
++init_daemon_domain(prelude_t, prelude_exec_t)
++
++type prelude_var_run_t;
++files_pid_file(prelude_var_run_t)
++
++type prelude_var_lib_t;
++files_type(prelude_var_lib_t)
++
++type prelude_spool_t;
++files_type(prelude_spool_t)
++
++type prelude_script_exec_t;
++init_script_type(prelude_script_exec_t)
++
++type audisp_prelude_t;
++type audisp_prelude_exec_t;
++domain_type(audisp_prelude_t)
++init_daemon_domain(audisp_prelude_t, audisp_prelude_exec_t)
++
++type audisp_prelude_var_run_t;
++files_pid_file(audisp_prelude_var_run_t)
++
++########################################
++#
++# prelude local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(prelude_t)
++
++## internal communication is often done using fifo and unix sockets.
++allow prelude_t self:fifo_file rw_file_perms;
++allow prelude_t self:unix_stream_socket create_stream_socket_perms;
++
++allow prelude_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
++allow prelude_t self:tcp_socket { bind create setopt listen };
++
++dev_read_rand(prelude_t)
++dev_read_urand(prelude_t)
++
++manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
++files_pid_filetrans(prelude_t, prelude_var_run_t, file)
++
++files_read_etc_files(prelude_t)
++files_read_usr_files(prelude_t)
++
++files_search_var_lib(prelude_t)
++manage_dirs_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t)
++manage_files_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t)
++
++files_search_spool(prelude_t)
++manage_dirs_pattern(prelude_t,prelude_spool_t,prelude_spool_t)
++manage_files_pattern(prelude_t,prelude_spool_t,prelude_spool_t)
++
++libs_use_ld_so(prelude_t)
++libs_use_shared_libs(prelude_t)
++
++logging_send_audit_msgs(prelude_t)
++logging_send_syslog_msg(prelude_t)
++
++miscfiles_read_localization(prelude_t)
++
++corenet_all_recvfrom_unlabeled(prelude_t)
++corenet_all_recvfrom_netlabel(prelude_t)
++corenet_tcp_sendrecv_all_if(prelude_t)
++corenet_tcp_sendrecv_all_nodes(prelude_t)
++corenet_tcp_bind_all_nodes(prelude_t)
++#corenet_tcp_bind_generic_port(prelude_t)
++
++corecmd_search_bin(prelude_t)
++
++optional_policy(`
++ mysql_search_db(prelude_t)
++ mysql_stream_connect(prelude_t)
++')
++
++########################################
++#
++# audisp_prelude local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(audisp_prelude_t)
++
++## internal communication is often done using fifo and unix sockets.
++allow audisp_prelude_t self:fifo_file rw_file_perms;
++allow audisp_prelude_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_sock_files_pattern(audisp_prelude_t, audisp_prelude_var_run_t, audisp_prelude_var_run_t)
++files_pid_filetrans(audisp_prelude_t, audisp_prelude_var_run_t, sock_file)
++
++files_read_etc_files(audisp_prelude_t)
++
++libs_use_ld_so(audisp_prelude_t)
++libs_use_shared_libs(audisp_prelude_t)
++
++logging_send_syslog_msg(audisp_prelude_t)
++
++miscfiles_read_localization(audisp_prelude_t)
++
++corecmd_search_bin(audisp_prelude_t)
++allow audisp_prelude_t self:unix_dgram_socket create_socket_perms;
++
++logging_audisp_system_domain(audisp_prelude_t, audisp_prelude_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.2.5/policy/modules/services/privoxy.fc
--- nsaserefpolicy/policy/modules/services/privoxy.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/privoxy.fc 2008-01-18 12:40:46.000000000 -0500
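Review bot: prelude_t cannot serve sensor connections under these rules: `allow prelude_t self:tcp_socket { bind create setopt listen }` omits accept, read, write and getattr (use `create_stream_socket_perms`), and with `corenet_tcp_bind_generic_port` commented out and nothing in this patch declaring a port type for prelude-manager's listener, the bind itself has no rule allowing it — add a port type in corenetwork (or, short term, uncomment the generic bind) rather than shipping a daemon that only runs permissive. The /var/run handling is inconsistent as well: prelude_t gets only `manage_sock_files_pattern` on prelude_var_run_t while `files_pid_filetrans` transitions the `file` class, and prelude.fc labels `/var/run/prelude-manager(/.*)?` as a directory, so neither the pid file nor the directory can be created; see the fence. `prelude_admin` carries copy-pasted text ("restart the apache service", "manage the syslog domain"), documents a `$3` terminal parameter it never uses, and grants nothing over prelude_var_lib_t, prelude_spool_t or prelude_var_run_t, which an admin interface normally manages. audisp_prelude_t is given both `init_daemon_domain` and `logging_audisp_system_domain`; as the plugin is spawned by audispd rather than an init script, the former looks redundant — confirm. Two smaller things: `Binary files ... prelude.pp differ` shows a compiled module under policy/modules/services/, a build artifact that does not belong in a source patch, and prelude.fc writes `/etc/rc.d/init.d/prelude-manager` with unescaped dots where logging.fc in the same patch uses `/etc/rc\.d/init\.d/`.
```selinux
allow prelude_t self:tcp_socket create_stream_socket_perms;
# … unchanged: netlink_route_socket, dev_read_rand/urand …
manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file sock_file })
# … unchanged: etc/usr/var_lib/spool rules, libs, logging, corenet …
```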
@@ -15266,7 +15710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmai
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te
--- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-30 16:02:09.000000000 -0500
@@ -85,6 +85,8 @@
libs_use_ld_so(qmail_inject_t)
libs_use_shared_libs(qmail_inject_t)
@@ -15289,7 +15733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmai
+auth_use_nsswitch(qmail_local_t)
+
-+logging_send_syslog(qmail_local_t)
++logging_send_syslog_msg(qmail_local_t)
+
mta_append_spool(qmail_local_t)
@@ -15308,7 +15752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmai
+corecmd_exec_bin(qmail_queue_t)
+
-+logging_send_syslog(qmail_queue_t)
++logging_send_syslog_msg(qmail_queue_t)
+
optional_policy(`
daemontools_ipc_domain(qmail_queue_t)
@@ -15928,7 +16372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2008-01-30 09:24:13.000000000 -0500
@@ -60,10 +60,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -15945,7 +16389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
-@@ -77,11 +81,17 @@
+@@ -77,11 +81,18 @@
miscfiles_read_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@@ -15958,12 +16402,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
+# automount -> mount -> rpcd
+optional_policy(`
+ automount_dontaudit_use_fds(rpcd_t)
++ automount_dontaudit_write_pipes(rpcd_t)
+')
+
########################################
#
# NFSD local policy
-@@ -92,9 +102,16 @@
+@@ -92,9 +103,16 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -15980,7 +16425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -124,6 +141,7 @@
+@@ -124,6 +142,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -15988,7 +16433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
tunable_policy(`nfs_export_all_ro',`
-@@ -144,6 +162,7 @@
+@@ -144,6 +163,7 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -15996,7 +16441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -157,8 +176,13 @@
+@@ -157,8 +177,13 @@
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
@@ -17250,7 +17695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-30 16:26:31.000000000 -0500
@@ -22,13 +22,16 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -17305,7 +17750,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
- logging_stream_connect_auditd(setroubleshootd_t)
+-logging_stream_connect_auditd(setroubleshootd_t)
++logging_stream_connect_audisp(setroubleshootd_t)
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
@@ -20105,7 +20551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.5/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2008-01-24 13:41:40.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2008-01-30 13:26:40.000000000 -0500
@@ -16,6 +16,13 @@
##
@@ -20259,7 +20705,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
-@@ -245,6 +296,7 @@
+@@ -226,6 +277,7 @@
+ files_read_usr_files(xdm_t)
+ # Poweroff wants to create the /poweroff file when run from xdm
+ files_create_boot_flag(xdm_t)
++files_dontaudit_getattr_boot_dirs(xdm_t)
+
+ fs_getattr_all_fs(xdm_t)
+ fs_search_auto_mountpoints(xdm_t)
+@@ -245,6 +297,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -20267,7 +20721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -256,12 +308,11 @@
+@@ -256,12 +309,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -20281,7 +20735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -270,6 +321,10 @@
+@@ -270,6 +322,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -20292,7 +20746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -304,7 +359,16 @@
+@@ -304,7 +360,16 @@
')
optional_policy(`
@@ -20309,7 +20763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -322,6 +386,10 @@
+@@ -322,6 +387,10 @@
')
optional_policy(`
@@ -20320,7 +20774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t)
')
-@@ -343,8 +411,8 @@
+@@ -343,8 +412,8 @@
')
optional_policy(`
@@ -20330,7 +20784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -380,7 +448,7 @@
+@@ -380,7 +449,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -20339,7 +20793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +460,15 @@
+@@ -392,6 +461,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -20355,7 +20809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,6 +481,7 @@
+@@ -404,6 +482,7 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -20363,7 +20817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_all_users_fonts(xdm_xserver_t)
-@@ -420,6 +498,14 @@
+@@ -420,6 +499,14 @@
')
optional_policy(`
@@ -20378,7 +20832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
-@@ -429,47 +515,103 @@
+@@ -429,47 +516,103 @@
')
optional_policy(`
@@ -21726,8 +22180,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.5/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/logging.fc 2008-01-18 12:40:46.000000000 -0500
-@@ -42,7 +42,7 @@
++++ serefpolicy-3.2.5/policy/modules/system/logging.fc 2008-01-30 15:33:12.000000000 -0500
+@@ -4,6 +4,7 @@
+ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+
++/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+@@ -42,11 +43,10 @@
')
ifdef(`distro_redhat',`
@@ -21736,17 +22198,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-@@ -57,3 +57,6 @@
+-/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+ /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
+ /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+ /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
+@@ -57,3 +57,9 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
++
++
++/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.5/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/logging.if 2008-01-18 12:40:46.000000000 -0500
-@@ -400,25 +400,6 @@
++++ serefpolicy-3.2.5/policy/modules/system/logging.if 2008-01-30 16:28:40.000000000 -0500
+@@ -213,12 +213,7 @@
+ ##
+ #
+ interface(`logging_stream_connect_auditd',`
+- gen_require(`
+- type auditd_t, auditd_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
++ logging_stream_connect_audisp($1)
+ ')
+
+ ########################################
+@@ -400,25 +395,6 @@
########################################
##
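Review bot: `logging_stream_connect_auditd` now silently delegates to `logging_stream_connect_audisp($1)` and drops its own `stream_connect_pattern` on `auditd_var_run_t`/`auditd_t`, so a caller that used it to reach `/var/run/auditd_sock` (still labelled `auditd_var_run_t` on the context line above) loses that access without notice, while the interface name still promises auditd. If this is intended as a deprecation, say so inside the body, e.g. `refpolicywarn(`$0($*) has been deprecated, please use logging_stream_connect_audisp() instead.')`, and update the interface's XML summary (outside the hunk) so it describes the dispatcher socket. If existing callers genuinely need both sockets, keep the original pattern and add the audisp call next to it rather than replacing it.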
@@ -21772,7 +22255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
-@@ -596,6 +577,8 @@
+@@ -596,6 +572,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
@@ -21781,7 +22264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -705,6 +688,7 @@
+@@ -705,6 +683,7 @@
interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
@@ -21789,7 +22272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type auditd_var_run_t;
')
-@@ -719,6 +703,15 @@
+@@ -719,6 +698,15 @@
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
@@ -21805,7 +22288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -749,6 +742,7 @@
+@@ -749,6 +737,7 @@
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
@@ -21813,7 +22296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
allow $1 syslogd_t:process { ptrace signal_perms };
-@@ -776,6 +770,13 @@
+@@ -776,6 +765,13 @@
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -21827,7 +22310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -804,3 +805,40 @@
+@@ -804,3 +800,125 @@
logging_admin_audit($1, $2, $3)
logging_admin_syslog($1, $2, $3)
')
@@ -21868,10 +22351,95 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ init_script_domtrans_spec($1,auditd_script_exec_t)
+')
+
++########################################
++##
++## Execute a domain transition to run audisp.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`logging_domtrans_audisp',`
++ gen_require(`
++ type audisp_t;
++ type audisp_exec_t;
++ ')
++
++ domtrans_pattern($1,audisp_exec_t,audisp_t)
++')
++
++########################################
++##
++## Signal the audisp domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`logging_audisp_signal',`
++ gen_require(`
++ type audisp_t;
++ ')
++
++ allow $1 audisp_t:process signal;
++')
++
++########################################
++##
++## Create a domain for processes
++## which can be started by the system audisp
++##
++##
++##
++## Type to be used as a domain.
++##
++##
++##
++##
++## Type of the program to be used as an entry point to this domain.
++##
++##
++#
++interface(`logging_audisp_system_domain',`
++ gen_require(`
++ type audisp_t;
++ role system_r;
++ ')
++
++ domain_type($1)
++ domain_entry_file($1,$2)
++
++ role system_r types $1;
++
++ domtrans_pattern(audisp_t,$2,$1)
++')
++
++########################################
++##
++## Connect to auditdstored over an unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_stream_connect_audisp',`
++ gen_require(`
++ type audisp_t, audisp_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.5/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/logging.te 2008-01-18 12:40:46.000000000 -0500
-@@ -61,6 +61,12 @@
++++ serefpolicy-3.2.5/policy/modules/system/logging.te 2008-01-30 16:23:21.000000000 -0500
+@@ -61,10 +61,23 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
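Review bot: The XML doc blocks of the new interfaces carry copy-paste errors that will surface in the generated interface documentation: the summary of `logging_stream_connect_audisp` reads `Connect to auditdstored over an unix stream socket.` and should be `Connect to audisp over a unix stream socket.`, and the parameter description of `logging_audisp_signal` says `Domain allowed to transition.` where `Domain allowed access.` is meant, since the interface only grants `process signal`. The summary of `logging_audisp_system_domain` also stops mid-sentence (`which can be started by the system audisp`) and should end with a period. The interface bodies themselves mirror the existing auditd patterns consistently.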
@@ -21884,7 +22452,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
-@@ -165,6 +171,10 @@
+
++type audisp_t;
++type audisp_exec_t;
++init_system_domain(audisp_t, audisp_exec_t)
++
++type audisp_var_run_t;
++files_pid_file(audisp_var_run_t)
++
+ ########################################
+ #
+ # Auditctl local policy
+@@ -165,6 +178,10 @@
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
optional_policy(`
@@ -21895,7 +22474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
seutil_sigchld_newrole(auditd_t)
')
-@@ -202,6 +212,7 @@
+@@ -202,6 +219,7 @@
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
@@ -21903,6 +22482,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_use_interactive_fds(klogd_t)
+@@ -381,3 +399,40 @@
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+ ')
++
++########################################
++#
++# audisp local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(audisp_t)
++
++## internal communication is often done using fifo and unix sockets.
++allow audisp_t self:fifo_file rw_file_perms;
++allow audisp_t self:unix_stream_socket create_stream_socket_perms;
++allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
++
++manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
++files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
++
++files_read_etc_files(audisp_t)
++
++libs_use_ld_so(audisp_t)
++libs_use_shared_libs(audisp_t)
++
++logging_send_syslog_msg(audisp_t)
++
++miscfiles_read_localization(audisp_t)
++
++corecmd_search_bin(audisp_t)
++allow audisp_t self:unix_dgram_socket create_socket_perms;
++
++logging_domtrans_audisp(auditd_t)
++logging_audisp_signal(auditd_t)
++
++#gen_require(`
++# type zos_remote_exec_t, zos_remote_t;
++#')
++
++#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.5/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/lvm.te 2008-01-18 12:40:46.000000000 -0500
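Review bot: `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` applies a file permission set to a socket class; refpolicy keeps socket sets separate (`rw_socket_perms`), and because the socket is inherited across the `auditd_t` to `audisp_t` transition granted by `logging_domtrans_audisp(auditd_t)`, a minimal `{ read write }` is probably all the dispatcher needs — confirm against actual denials before widening it. The commented-out `gen_require`/`logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)` block at the end is dead policy; either drop it or wrap it in `optional_policy(`...')` once a zos_remote module exists. The `## internal communication ...` line uses the `##` marker that the XML doc generator treats as documentation; a plain `#` is the convention for ordinary comments in .te files.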
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 47134db..63a6cb6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.5
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@ exit 0
%endif
%changelog
+* Wed Jan 30 2008 Dan Walsh 3.2.5-22
+- Add audisp policy and prelude
+
* Mon Jan 28 2008 Dan Walsh 3.2.5-21
- Allow all user roles to executae samba net command