rpms/selinux-policy/FC-5 policy-20060323.patch,NONE,1.1

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Apr 3 21:06:03 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv11464

Added Files:
	policy-20060323.patch 
Log Message:
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-2.fc5
- Rebuild for FC5


policy-20060323.patch:
 admin/rpm.te               |    1 +
 apps/mono.if               |   23 +++++++++++++++++++++++
 apps/mono.te               |    1 +
 kernel/devices.fc          |    1 +
 kernel/devices.if          |   40 ++++++++++++++++++++++++++++++++++++++++
 kernel/files.if            |   15 +++++++++++++++
 kernel/mls.te              |    1 +
 services/apache.if         |   20 ++++++++++++++++++++
 services/automount.te      |    1 +
 services/avahi.te          |    4 ++++
 services/bluetooth.te      |    7 +++++--
 services/dbus.te           |    1 +
 services/hal.te            |   12 +++++++++++-
 services/networkmanager.te |    1 +
 services/nscd.if           |   20 ++++++++++++++++++++
 services/samba.te          |    2 ++
 services/snmp.te           |    1 +
 services/xserver.if        |   21 +++++++++++++++++++++
 system/fstools.te          |    1 +
 system/getty.fc            |    1 +
 system/getty.te            |    2 ++
 system/init.te             |    1 +
 system/libraries.fc        |   22 +++++++++++++++++-----
 system/logging.if          |   32 ++++++++++++++++++++++++++++++++
 system/mount.te            |    4 +++-
 system/unconfined.if       |   17 +++++------------
 system/unconfined.te       |    4 ----
 system/userdomain.te       |    4 ++--
 28 files changed, 233 insertions(+), 27 deletions(-)

--- NEW FILE policy-20060323.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.29/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2006-03-30 10:59:02.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/admin/rpm.te	2006-04-03 16:38:39.000000000 -0400
@@ -117,6 +117,7 @@
 mls_file_read_up(rpm_t)
 mls_file_write_down(rpm_t)
 mls_file_upgrade(rpm_t)
+mls_file_downgrade(rpm_t)
 
 selinux_get_fs_mount(rpm_t)
 selinux_validate_context(rpm_t)
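Review bot: The new `mls_file_downgrade(rpm_t)` lets rpm_t lower the sensitivity level of files, which under MLS is a trusted-subject privilege, yet nothing in the hunk says what rpm needs it for. A one-line why-comment above it, naming the motivating denial or the install/upgrade step that relabels across levels, is what lets a later audit decide whether the grant is still needed. The neighbouring mls_file_* grants presumably share that justification, so stating it once for the group is enough.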
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.29/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if	2006-03-23 16:46:10.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/apps/mono.if	2006-04-03 10:03:24.000000000 -0400
@@ -23,3 +23,26 @@
 	allow mono_t $1:fifo_file rw_file_perms;
 	allow mono_t $1:process sigchld;
 ')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	mono over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mono_dbus_chat',`
+	gen_require(`
+		type mono_t;
+		class dbus send_msg;
+	')
+
+	allow $1 mono_t:dbus send_msg;
+	allow mono_t $1:dbus send_msg;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.29/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2006-03-23 16:46:10.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/apps/mono.te	2006-04-03 12:28:33.000000000 -0400
@@ -22,3 +22,4 @@
 	unconfined_domain_noaudit(mono_t)
 	role system_r types mono_t;
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.29/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-03-23 16:45:31.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/kernel/devices.fc	2006-03-31 11:49:27.000000000 -0500
@@ -59,6 +59,7 @@
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/winradio.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.29/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2006-03-30 10:03:20.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/kernel/devices.if	2006-04-03 11:31:23.000000000 -0400
@@ -2439,6 +2439,26 @@
 
 ########################################
 ## <summary>
+##	Set the attributes of usbfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_usbfs',`
+	gen_require(`
+		type device_t, usbfs_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 usbfs_t:file setattr;
+')
+
+
+########################################
+## <summary>
 ##	Associate a file to a usbfs filesystem.
 ## </summary>
 ## <param name="file_type">
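Review bot: `dev_setattr_usbfs` grants `allow $1 device_t:dir r_dir_perms;` and `setattr` on `usbfs_t:file`, but nothing on `usbfs_t:dir`; a caller that lacks search on the usbfs directories from elsewhere cannot reach the files, so the interface only works for domains (hald_t here, probably via its other usbfs grants — not verified) that already have it. `r_dir_perms` on device_t:dir is also wider than traversal needs; `allow $1 device_t:dir search_dir_perms;` plus `allow $1 usbfs_t:dir search_dir_perms;` would be the minimal self-contained form. The summary should say "Set the attributes of files in a usbfs filesystem", since the rule does not touch the filesystem object itself.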
@@ -2860,3 +2880,23 @@
 	allow $1 self:capability sys_rawio;
 	typeattribute $1 memory_raw_write, memory_raw_read;
 ')
+
+########################################
+## <summary>
+##	Dontaudit getattr on all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_device_nodes',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_t:dir_file_class_set getattr;
+	dontaudit $1 device_node:dir_file_class_set getattr;
+')
+
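Review bot: `dev_dontaudit_getattr_all_device_nodes` uses `device_t` in `dontaudit $1 device_t:dir_file_class_set getattr;` but its `gen_require` lists only `attribute device_node;`; every other interface on this page that references device_t declares it (compare `type device_t, usbfs_t;` in the previous hunk), and a caller compiled as a loadable module is likely to fail on the undeclared type. Change the require block to `attribute device_node; type device_t;`. Because this is a dontaudit it hides rather than grants access, but it silences getattr denials on every file class of every device node; fsadm_t is the only caller in this patch, so a comment naming the denials it is meant to quiet would help future tuning.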
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.29/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-03-30 10:04:15.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/kernel/files.if	2006-03-31 11:21:52.000000000 -0500
@@ -1643,6 +1643,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
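Review bot: `files_unlink_boot_flag` is documented with a plain `#` comment block instead of the XML `<summary>`/`<param>` header every other interface in this patch uses, so it will be missing from the generated interface documentation; replace the header with `## <summary>` / `##	Unlink boot flag files in /, such as /halt and /.autofsck.` / `## </summary>` followed by the usual `<param name="domain">` block. The rule `allow $1 root_t:file unlink;` permits removing any regular file labeled root_t in the root directory, not only the flags the comment names; that is probably unavoidable without a dedicated type, but the summary should state the real scope. initrc_t is the only caller here (init.te hunk); the interface body is complete within this hunk.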
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.29/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-03-23 16:45:31.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/kernel/mls.te	2006-04-03 16:29:39.000000000 -0400
@@ -60,6 +60,7 @@
 
 ifdef(`enable_mls',`
 range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition secadm_t auditctl_exec_t s15:c0.c255;
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.29/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if	2006-03-24 11:09:14.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/apache.if	2006-04-03 13:02:08.000000000 -0400
@@ -197,6 +197,26 @@
 		allow httpd_$1_script_t self:lnk_file read;
 	')
 
+	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
+		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
+		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
+		allow httpd_$1_script_t self:udp_socket create_socket_perms;
+
+		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
+		corenet_raw_sendrecv_all_if(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
+		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
+		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+		corenet_tcp_bind_all_nodes(httpd_$1_script_t)
+		corenet_udp_bind_all_nodes(httpd_$1_script_t)
+		sysnet_read_config(httpd_$1_script_t)
+	')
+
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
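Review bot: The new `httpd_can_network_connect_db` block grants far more than a database connect: the `udp_socket` permission, the `corenet_raw_sendrecv_all_*` and `corenet_udp_sendrecv_all_*` lines and the two `corenet_*_bind_all_nodes` lines are copied from the generic `httpd_can_network_connect` block below it, so enabling only the DB boolean still lets CGI scripts open raw and UDP sockets and bind on all nodes. Keep the two `corenet_tcp_connect_*_port` lines, the tcp_socket create permission, the three `corenet_tcp_sendrecv_all_*` lines, `corenet_non_ipsec_sendrecv` and `sysnet_read_config`, and delete the rest. The diffstat shows no change to apache.te, so this relies on `httpd_can_network_connect_db` already being declared with gen_tunable there; if it is not, the build fails on the unknown boolean. The enclosing template continues outside the hunk.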
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.29/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-03-24 11:09:13.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/automount.te	2006-03-31 11:21:52.000000000 -0500
@@ -123,6 +123,7 @@
 logging_search_logs(automount_t)
 
 miscfiles_read_localization(automount_t)
+miscfiles_read_certs(automount_t)
 
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.2.29/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2006-03-24 11:09:13.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/avahi.te	2006-04-03 10:04:43.000000000 -0400
@@ -92,6 +92,10 @@
 	dbus_system_bus_client_template(avahi,avahi_t)
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus(avahi_t)
+	optional_policy(`
+		mono_dbus_chat(avahi_t)
+	')
+
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.29/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-03-30 10:59:02.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/bluetooth.te	2006-04-03 10:50:10.000000000 -0400
@@ -41,7 +41,7 @@
 # Bluetooth services local policy
 #
 
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_file_perms;
@@ -178,7 +178,7 @@
 
 allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
 allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
-files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
 
 kernel_read_system_state(bluetooth_helper_t)
 kernel_read_kernel_sysctls(bluetooth_helper_t)
@@ -217,6 +217,8 @@
 
 	userdom_read_all_users_home_content_files(bluetooth_helper_t)
 
+	term_dontaudit_use_generic_ptys(bluetooth_helper_t)
+
 	optional_policy(`
 		xserver_stream_connect_xdm(bluetooth_helper_t)
 	')
@@ -226,6 +228,7 @@
 	dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
 	dbus_connect_system_bus(bluetooth_helper_t)
 	dbus_send_system_bus(bluetooth_helper_t)
+	bluetooth_dbus_chat(bluetooth_helper_t)
 ')
 
 optional_policy(`
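Review bot: The capability added in `allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };` carries no comment saying what needs it, whereas the mount.te hunk in this same patch documents its addition with `# setuid/setgid needed to mount cifs`; the `chown` added to hald_t's capability set in hal.te has the same gap. A one-line why-comment above each (the denial or program feature it fixes) is what lets the next reviewer tell a necessary grant from an accumulated one. The `sock_file` added to the tmp file transition and the `bluetooth_dbus_chat(bluetooth_helper_t)` call are self-explanatory and need nothing.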
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.29/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te	2006-03-24 11:09:14.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/dbus.te	2006-03-31 11:21:52.000000000 -0500
@@ -102,6 +102,7 @@
 logging_send_syslog_msg(system_dbusd_t)
 
 miscfiles_read_localization(system_dbusd_t)
+miscfiles_read_certs(system_dbusd_t)
 
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.29/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-03-30 10:59:02.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/hal.te	2006-04-03 11:31:34.000000000 -0400
@@ -22,7 +22,7 @@
 #
 
 # execute openvt which needs setuid
-allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
@@ -52,6 +52,9 @@
 kernel_write_proc_files(hald_t)
 
 files_search_boot(hald_t)
+files_getattr_home_dir(hald_t)
+
+auth_read_pam_console_data(hald_t)
 
 corecmd_exec_bin(hald_t)
 corecmd_exec_sbin(hald_t)
@@ -77,6 +80,8 @@
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_files(hald_t)
 dev_rw_generic_usb_dev(hald_t)
+dev_setattr_generic_usb_dev(hald_t)
+dev_setattr_usbfs(hald_t)
 
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
@@ -187,6 +192,11 @@
 	optional_policy(`
 		networkmanager_dbus_chat(hald_t)
 	')
+
+	optional_policy(`
+		mono_dbus_chat(hald_t)
+	')
+
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.29/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-03-24 11:09:15.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/networkmanager.te	2006-04-03 12:24:37.000000000 -0400
@@ -155,6 +155,7 @@
 
 optional_policy(`
 	nscd_socket_use(NetworkManager_t)
+	nscd_signal(NetworkManager_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.2.29/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if	2006-03-23 16:46:11.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/nscd.if	2006-04-03 12:24:28.000000000 -0400
@@ -126,3 +126,23 @@
 
 	allow $1 nscd_t:nscd *;
 ')
+
+
+########################################
+## <summary>
+##	signal NSCD 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_signal',`
+	gen_require(`
+		type nscd_t;
+	')
+
+	allow $1 nscd_t:process signal;
+')
+
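Review bot: The summary of `nscd_signal` reads `##	signal NSCD ` with a trailing space and no sentence form, unlike the other summaries on this page; `##	Send a generic signal to nscd.` matches the house style. The doubled blank line before the comment banner is also out of step with the single blank line the file uses between interfaces. The rule `allow $1 nscd_t:process signal;` is the narrow form rather than signal_perms, which is the right scope for the NetworkManager caller in this patch.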
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.29/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2006-03-24 11:09:15.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/samba.te	2006-04-03 14:24:40.000000000 -0400
@@ -105,6 +105,8 @@
 allow samba_net_t samba_net_tmp_t:file create_file_perms;
 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
+allow smbd_t samba_net_tmp_t:file getattr;
+
 allow samba_net_t samba_var_t:dir rw_dir_perms;
 allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
 allow samba_net_t samba_var_t:file create_lnk_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.2.29/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te	2006-03-24 11:09:13.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/snmp.te	2006-04-03 13:11:33.000000000 -0400
@@ -49,6 +49,7 @@
 allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
 
+kernel_read_device_sysctls(snmpd_t)
 kernel_read_kernel_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.29/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-03-30 10:16:43.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/xserver.if	2006-04-03 10:43:12.000000000 -0400
@@ -1015,3 +1015,24 @@
 
 	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
 ')
+
+########################################
+## <summary>
+##	Allow read and write to
+##	a XDM X server socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_sockets',`
+	gen_require(`
+		type xdm_xserver_tmp_t;
+	')
+
+	allow $1 xdm_xserver_tmp_t:dir search;
+	allow $1 xdm_xserver_tmp_t:sock_file { read write };
+')
+
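Review bot: `xserver_rw_xdm_sockets` grants search on `xdm_xserver_tmp_t:dir` and read/write on its sock_files, but nothing to reach /tmp itself or to `connectto` the server's unix stream socket, so a domain given only this interface still cannot use the socket unless it already holds those from elsewhere; if it is meant as a supplement to the existing stream-connect interface, the summary should say so. The doc text also needs small fixes: `a XDM X server socket` should be `an XDM X server socket`, and the param summary `Domain to allow` lacks the terminating period the rest of the file uses. Nothing in this patch calls the interface, so its intended caller is unclear.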
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.29/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2006-03-30 10:59:03.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/fstools.te	2006-03-31 11:21:52.000000000 -0500
@@ -77,6 +77,7 @@
 dev_getattr_usbfs_dirs(fsadm_t)
 # Access to /dev/mapper/control
 dev_rw_lvm_control(fsadm_t)
+dev_dontaudit_getattr_all_device_nodes(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-2.2.29/policy/modules/system/getty.fc
--- nsaserefpolicy/policy/modules/system/getty.fc	2006-03-23 16:46:11.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/getty.fc	2006-04-03 12:51:51.000000000 -0400
@@ -6,3 +6,4 @@
 /var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
 
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
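Review bot: The new entry `/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)` uses the `--` regular-file filter, but a fax spool is normally a directory tree, in which case this line matches nothing and the spool keeps the /var/spool default label; `/var/spool/fax(/.*)?	gen_context(system_u:object_r:getty_var_run_t,s0)` with no file-type filter would label the directory and its contents. Labeling spool data with a pid-file type is also a stretch; if getty has no spool type, a comment saying the reuse is deliberate would help. I have not confirmed what mgetty actually creates there.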
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.2.29/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te	2006-03-29 10:50:04.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/getty.te	2006-04-03 12:52:46.000000000 -0400
@@ -104,6 +104,8 @@
 
 miscfiles_read_localization(getty_t)
 
+mta_send_mail(getty_t)
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(getty_t)
 	term_dontaudit_use_generic_ptys(getty_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.29/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-03-30 10:13:28.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/init.te	2006-03-31 11:21:52.000000000 -0500
@@ -353,6 +353,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.29/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-03-30 10:18:07.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/libraries.fc	2006-04-03 14:29:38.000000000 -0400
@@ -33,6 +33,7 @@
 #
 /opt(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 #
 # /sbin
@@ -55,6 +56,8 @@
 
 /usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 /usr/lib(64)?/pgsql/test/regress/.*\.so 	--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
@@ -62,18 +65,27 @@
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 
+/usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
-
+/usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware(.*/)?/VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)*	--		gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
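Review bot: `/usr/lib(64)?/libsipphoneapi\.so.*` is given the type `texrel_shlib_t`, a misspelling of the `textrel_shlib_t` used on every neighbouring line; the three rewritten intellinux entries in the last hunk of this file (`nppdf\.so`, `lib/\.so`, `plug_ins/.*\.api`) repeat the typo. A type that does not exist in the policy makes setfiles/restorecon reject the file_contexts on validation, so all four lines should read `textrel_shlib_t`. Separately, `/usr(/.*)?/intellinux/lib/\.so` matches only a file literally named `.so`; `lib/.*\.so.*` is presumably what was meant.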
@@ -92,6 +104,7 @@
 /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libglide-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -170,10 +183,9 @@
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/intellinux/nppdf\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr(/.*)?/intellinux/lib/\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr(/.*)?/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 ') dnl end distro_redhat
 
 ifdef(`distro_suse',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.29/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if	2006-03-23 16:46:11.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/logging.if	2006-03-31 11:21:52.000000000 -0500
@@ -368,3 +368,35 @@
 	allow $1 var_log_t:dir rw_dir_perms;
 	allow $1 var_log_t:file create_file_perms;
 ')
+
+########################################
+## <summary>
+##	Execute auditctl in the auditctl domain, and
+##	allow the specified role the auditctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the auditctl domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the auditctl domain to use.
+##	</summary>
+## </param>
+#
+interface(`logging_run_auditctl',`
+	gen_require(`
+		type auditctl_t;
+	')
+
+	logging_domtrans_auditctl($1)
+	role $2 types auditctl_t;
+	allow auditctl_t $3:chr_file rw_term_perms;
+')
+
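Review bot: The `terminal` parameter summary of `logging_run_auditctl` is ungrammatical — `The type of the terminal allow the auditctl domain to use.` — and should read `The type of the terminal to allow the auditctl domain to use.`. The body follows the usual domtrans + role + terminal pattern and delegates the transition to `logging_domtrans_auditctl($1)`, so the `gen_require` correctly declares only `auditctl_t`. Callers in userdomain.te pass `admin_terminal` as the third argument; that name is not defined anywhere in this patch, so it must already exist in the policy.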
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.29/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-03-30 10:59:03.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/mount.te	2006-03-31 15:12:44.000000000 -0500
@@ -19,7 +19,8 @@
 # mount local policy
 #
 
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config };
+# setuid/setgid needed to mount cifs 
+allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 
 allow mount_t mount_tmp_t:file create_file_perms;
 allow mount_t mount_tmp_t:dir create_dir_perms;
@@ -44,6 +45,7 @@
 storage_raw_write_removable_device(mount_t)
 
 fs_getattr_xattr_fs(mount_t)
+fs_getattr_cifs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.29/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-03-29 09:34:53.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/unconfined.if	2006-04-03 11:09:45.000000000 -0400
@@ -55,7 +55,7 @@
 	tunable_policy(`allow_execmem && allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execstack;
-		auditallow $1 self:process execstack;
+#		auditallow $1 self:process execstack;
 	', `
 		# These are fairly common but seem to be harmless
 		# caused by using shared libraries built with old tool chains
@@ -89,14 +89,6 @@
 		storage_unconfined($1)
 	')
 
-	ifdef(`TODO',`
-	if (allow_execmod) {
-		ifdef(`targeted_policy', `', `
-			# Allow text relocations on system shared libraries, e.g. libGL.
-			allow $1 home_type:file execmod;
-		')
-	}
-	') dnl end TODO
 ')
 
 ########################################
@@ -118,9 +110,10 @@
 		auditallow $1 self:process execheap;
 	')
 
-	tunable_policy(`allow_execmem',`
-		auditallow $1 self:process execmem;
-	')
+# Turn off this audit for FC5
+#	tunable_policy(`allow_execmem',`
+#		auditallow $1 self:process execmem;
+#	')
 ')
 
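Review bot: In the first hunk `auditallow $1 self:process execstack;` is commented out rather than removed, with the `#` at column 0 and no reason given, while the execmem hunk at least carries `# Turn off this audit for FC5`. Commented-out policy rots quickly; either delete the line or give it the same `# Turn off this audit for FC5` comment and keep the block's tab indent so the disabled rule still reads as part of the tunable. Note that only the auditallow goes away in both places — the `allow` rules remain, so execstack/execmem use by unconfined domains is no longer logged but is not reduced. The removal of the `ifdef(\`TODO'…)` block in the middle hunk is a clean deletion and needs nothing.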
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.29/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-03-29 09:34:53.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/unconfined.te	2006-04-03 12:27:56.000000000 -0400
@@ -106,10 +106,6 @@
 	')
 
 	optional_policy(`
-		netutils_domtrans_ping(unconfined_t)
-	')
-
-	optional_policy(`
 		portmap_domtrans_helper(unconfined_t)
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.29/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-03-28 12:58:49.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/system/userdomain.te	2006-03-31 11:21:52.000000000 -0500
@@ -179,10 +179,10 @@
 		mls_file_downgrade(secadm_t)
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
-		logging_domtrans_auditctl(secadm_t)
+		logging_run_auditctl(secadm_t,secadm_r,admin_terminal)
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 	', `
-		logging_domtrans_auditctl(sysadm_t)
+		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
 		logging_read_audit_log(sysadm_t)
 	')
 



