rpms/selinux-policy/devel policy-20060608.patch, NONE, 1.1 modules-targeted.conf, 1.28, 1.29 policy-20060505.patch, 1.17, 1.18 selinux-policy.spec, 1.202, 1.203

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Jun 8 14:03:54 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv9904

Modified Files:
	modules-targeted.conf policy-20060505.patch 
	selinux-policy.spec 
Added Files:
	policy-20060608.patch 
Log Message:
* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.44-1
- Update from upstream


policy-20060608.patch:
 config/appconfig-strict-mls/default_type |    1 
 policy/modules/admin/consoletype.te      |    7 ++++-
 policy/modules/admin/rpm.te              |    8 ++++-
 policy/modules/apps/webalizer.te         |    1 
 policy/modules/kernel/files.if           |   15 ++++++++++
 policy/modules/kernel/filesystem.te      |    3 +-
 policy/modules/kernel/kernel.te          |    1 
 policy/modules/services/cups.te          |    4 ++
 policy/modules/services/hal.te           |    2 +
 policy/modules/services/mysql.te         |    2 -
 policy/modules/services/ntp.te           |    2 +
 policy/modules/services/pegasus.if       |   31 ++++++++++++++++++++++
 policy/modules/services/pegasus.te       |    5 +--
 policy/modules/services/procmail.te      |    5 +++
 policy/modules/services/pyzor.te         |    4 ++
 policy/modules/services/xfs.te           |    2 +
 policy/modules/system/hostname.te        |    5 ++-
 policy/modules/system/init.te            |    1 
 policy/modules/system/libraries.fc       |    3 ++
 policy/modules/system/logging.fc         |    6 ++--
 policy/modules/system/logging.te         |   10 +++----
 policy/modules/system/unconfined.fc      |    7 ++---
 policy/modules/system/unconfined.if      |   28 ++++++++++++++++++++
 policy/modules/system/unconfined.te      |   13 +++++++--
 policy/modules/system/userdomain.if      |   28 --------------------
 policy/modules/system/userdomain.te      |   43 +++++++++++++++++++++++++++----
 policy/rolemap                           |    1 
 policy/support/misc_macros.spt           |    2 -
 policy/users                             |    6 ++--
 29 files changed, 185 insertions(+), 61 deletions(-)

--- NEW FILE policy-20060608.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.44/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
+++ serefpolicy-2.2.44/config/appconfig-strict-mls/default_type	2006-06-08 09:43:08.000000000 -0400
@@ -2,3 +2,4 @@
 secadm_r:secadm_t
 staff_r:staff_t
 user_r:user_t
+auditadm_r:auditadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.44/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/admin/consoletype.te	2006-06-08 09:43:08.000000000 -0400
@@ -8,7 +8,12 @@
 
 type consoletype_t;
 type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
 mls_file_read_up(consoletype_t)
 mls_file_write_down(consoletype_t)
 role system_r types consoletype_t;
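Review bot: The added `role system_r types consoletype_t;` at the end of the inserted lines duplicates the line that already follows `mls_file_write_down(consoletype_t)`, so the same role statement now appears twice in consoletype.te. Duplicate role statements compile, but one should go; the hostname.te hunk in this same patch makes the equivalent init_domain replacement without the duplicate. The commented-out `#init_domain(consoletype_t,consoletype_exec_t)` line can also be dropped, since the `#dont transition from initrc` comment already records the intent.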
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.44/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/admin/rpm.te	2006-06-08 09:49:46.000000000 -0400
@@ -341,12 +341,16 @@
 	optional_policy(`
 		mono_domtrans(rpm_script_t)
 	')
-',`
+
 	optional_policy(`
-		bootloader_domtrans(rpm_script_t)
+		unconfined_domtrans(rpm_script_t)
 	')
 ')
 
+optional_policy(`
+	bootloader_domtrans(rpm_script_t)
+')
+
 ifdef(`distro_redhat',`
 	optional_policy(`
 		mta_send_mail(rpm_script_t)
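Review bot: `unconfined_domtrans(rpm_script_t)` is added with no comment saying why rpm scriptlets should leave rpm_script_t for unconfined_t when they exec an unconfined_exec_t program; the `ifdef` block this `optional_policy` sits in starts before the hunk, so it is only inferred from the diffstat and the removed `',`` that this is the targeted_policy branch. A one-line comment such as `# scriptlets that exec unconfined_exec_t programs (e.g. vncserver, see unconfined.fc) continue unconfined` would record the reasoning. Moving `bootloader_domtrans(rpm_script_t)` out of the else branch makes it apply to both targeted and strict builds, which is a second behavioural change worth a short comment of its own.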
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.44/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te	2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/apps/webalizer.te	2006-06-08 09:43:08.000000000 -0400
@@ -44,6 +44,7 @@
 allow webalizer_t self:unix_dgram_socket sendto;
 allow webalizer_t self:unix_stream_socket connectto;
 allow webalizer_t self:tcp_socket connected_stream_socket_perms;
+allow webalizer_t self:udp_socket { connect connected_socket_perms };
 allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow webalizer_t webalizer_etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.44/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-06-06 22:21:53.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/kernel/files.if	2006-06-08 09:43:08.000000000 -0400
@@ -1913,6 +1913,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
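Review bot: The new `files_unlink_boot_flag` interface grants `allow $1 root_t:file unlink;`, which permits deleting any file of type root_t directly under /, not only the boot flags the comment names, and that scope should be stated so callers (init.te adds it for initrc_t) know what they are granting. The header also uses plain `#` lines where the neighbouring interfaces use the refpolicy XML form, so the interface documentation generator will skip it. Suggested header: `## <summary>`, `##	Delete boot flag files in / (e.g. /halt, /.autofsck). Grants unlink on all root_t files.`, `## </summary>`, followed by the usual `## <param name="domain">` block. The double blank line before the next `########` separator can be reduced to one.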
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.44/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/kernel/filesystem.te	2006-06-08 09:43:08.000000000 -0400
@@ -23,7 +23,7 @@
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
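Review bot: Replacing `gfs` with `gfs2` in the fs_use_xattr list, together with the `genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)` line added in the second hunk of this file, changes every file on a gfs volume from a persistent per-file xattr label to a single nfs_t label, and nothing in either hunk records why. If the reason is that gfs lacks the security xattr handler the comment above the list requires while gfs2 has it, a comment such as `# gfs (v1) has no security xattr handler; gfs2 does` on the fs_use_xattr line would keep the next reader from reverting it. Labelling gfs as nfs_t also makes its contents reachable by every domain that is granted nfs_t access, which is worth confirming is the intended confinement for that filesystem.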
 
@@ -174,6 +174,7 @@
 genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.44/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-06-06 22:21:53.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/kernel/kernel.te	2006-06-08 09:43:08.000000000 -0400
@@ -28,6 +28,7 @@
 
 ifdef(`enable_mls',`
 	role secadm_r;
+	role auditadm_r;
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.44/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/cups.te	2006-06-08 09:50:22.000000000 -0400
@@ -655,6 +655,10 @@
 ')
 
 optional_policy(`
+	mount_send_nfs_client_request(hplip_t)
+')
+
+optional_policy(`
 	udev_read_db(hplip_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.44/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-06-06 22:21:54.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/hal.te	2006-06-08 09:47:42.000000000 -0400
@@ -140,6 +140,8 @@
 
 sysnet_read_config(hald_t)
 
+auth_use_nsswitch(hald_t)
+
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.44/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/mysql.te	2006-06-08 09:48:34.000000000 -0400
@@ -101,7 +101,7 @@
 
 miscfiles_read_localization(mysqld_t)
 
-sysnet_use_ldap(mysqld_t)
+auth_use_nsswitch(mysqld_t)
 sysnet_read_config(mysqld_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.44/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te	2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/ntp.te	2006-06-08 09:48:01.000000000 -0400
@@ -112,6 +112,8 @@
 
 sysnet_read_config(ntpd_t)
 
+auth_use_nsswitch(ntpd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_sysadm_home_dirs(ntpd_t)
 userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.44/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if	2005-10-25 13:40:18.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/pegasus.if	2006-06-08 09:43:08.000000000 -0400
@@ -1 +1,32 @@
 ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pegasus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pegasus_domtrans',`
+	gen_require(`
+		type pegasus_t, pegasus_exec_t;
+	')
+
+	ifdef(`targeted_policy',`
+		if(pegasus_disable_trans) {
+			can_exec($1,pegasus_exec_t)
+		} else {
+			domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+		}
+	', `
+		domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+	')
+
+	allow $1 pegasus_t:fd use;
+	allow pegasus_t $1:fd use;
+	allow pegasus_t $1:fifo_file rw_file_perms;
+	allow pegasus_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.44/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/pegasus.te	2006-06-08 09:43:08.000000000 -0400
@@ -100,13 +100,12 @@
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
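Review bot: `files_read_all_files(pegasus_t)` replaces three narrow interfaces (`files_read_etc_files`, `files_list_var_lib`, `files_read_var_lib_files`) with read access to every non-security file type, and `auth_read_shadow(pegasus_t)` is added although the line above already grants `auth_domtrans_chk_passwd(pegasus_t)`, which is the usual way for a daemon to verify passwords without reading /etc/shadow itself. Neither widening carries a comment. If pegasus really authenticates in-process and needs direct shadow access, record it, e.g. `# pegasus authenticates via PAM in-process and needs to read shadow directly`, and likewise note which files drove the move to files_read_all_files; otherwise a narrower interface set is the safer default for a network-facing CIM server.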
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.44/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/procmail.te	2006-06-08 09:43:08.000000000 -0400
@@ -109,3 +109,8 @@
 	spamassassin_exec(procmail_t)
 	spamassassin_exec_client(procmail_t)
 ')
+
+optional_policy(`
+	clamav_domtrans_clamscan(procmail_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.44/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/pyzor.te	2006-06-08 09:46:23.000000000 -0400
@@ -126,3 +126,7 @@
 optional_policy(`
 	nscd_socket_use(pyzord_t)
 ')
+
+ifdef(`targeted_policy',`
+	userdom_read_generic_user_home_content_files(pyzord_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.44/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te	2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/xfs.te	2006-06-08 09:47:04.000000000 -0400
@@ -69,6 +69,8 @@
 miscfiles_read_localization(xfs_t)
 miscfiles_read_fonts(xfs_t)
 
+auth_use_nsswitch(xfs_t)
+
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.44/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2006-03-02 18:45:56.000000000 -0500
+++ serefpolicy-2.2.44/policy/modules/system/hostname.te	2006-06-08 09:43:08.000000000 -0400
@@ -8,7 +8,10 @@
 
 type hostname_t;
 type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
 role system_r types hostname_t;
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.44/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/init.te	2006-06-08 09:43:08.000000000 -0400
@@ -345,6 +345,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.44/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/libraries.fc	2006-06-08 09:43:08.000000000 -0400
@@ -48,6 +48,9 @@
 /lib32/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
 ')
 
+/lib/security/pam_poldi.so  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/lib64/security/pam_poldi.so  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 #
 # /opt
 #
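Review bot: The two new pam_poldi entries write `pam_poldi.so` with an unescaped dot, but file-context paths are regular expressions and the neighbouring `ld-[^/]*\.so` line escapes it; `/lib/security/pam_poldi\.so` and `/lib64/security/pam_poldi\.so` match exactly the intended files. The separator column also uses two spaces rather than the tab alignment used elsewhere in the file.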
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.2.44/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc	2006-02-02 16:12:27.000000000 -0500
+++ serefpolicy-2.2.44/policy/modules/system/logging.fc	2006-06-08 09:56:16.000000000 -0400
@@ -1,9 +1,6 @@
 
 /dev/log			-s	gen_context(system_u:object_r:devlog_t,s0)
 
-/etc/auditd.conf		--	gen_context(system_u:object_r:auditd_etc_t,s0)
-/etc/audit.rules		--	gen_context(system_u:object_r:auditd_etc_t,s0)
-
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -39,3 +36,6 @@
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
 
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+/etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
+
+
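Review bot: The new `/etc/audit(/.*)?` pattern does not match the two paths removed in the first hunk of this file, `/etc/auditd.conf` and `/etc/audit.rules`, so on a system that still ships the audit configuration at the old top-level locations those files fall back to the generic etc_t label and lose the auditd_etc_t protection. If the old locations are intentionally dropped because the configuration moved under /etc/audit/, a comment saying so would stop the entries from being re-added later; otherwise keep both sets. The new line is also appended after the /var/tinydns entry rather than in the /etc group near the top of the file, and the hunk adds two trailing blank lines.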
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.44/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/logging.te	2006-06-08 09:58:43.000000000 -0400
@@ -17,7 +17,7 @@
 files_security_file(auditd_etc_t)
 
 type auditd_log_t;
-files_security_file(auditd_log_t)
+fies_security_file(auditd_log_t)
 
 type auditd_t;
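Review bot: `fies_security_file(auditd_log_t)` is a typo for `files_security_file(auditd_log_t)`. Refpolicy interfaces are m4 macros, so the misspelled name is not expanded and the line reaches checkpolicy verbatim, which should fail the module build; and if it were ever passed through, auditd_log_t would silently lose its security-file attribute. Restore `files_security_file(auditd_log_t)`.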
 # real declaration moved to mls until
@@ -123,9 +123,8 @@
 files_pid_filetrans(auditd_t,auditd_var_run_t,file)
 
 kernel_read_kernel_sysctls(auditd_t)
-# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
-# Probably want a transition, and a new auditd_helper app
-kernel_read_system_state(auditd_t)
+kernel_list_proc(auditd_t)
+kernel_read_proc_symlinks(auditd_t)
 
 dev_read_sysfs(auditd_t)
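Review bot: This hunk drops `kernel_read_system_state(auditd_t)` in favour of the narrower `kernel_list_proc(auditd_t)` and `kernel_read_proc_symlinks(auditd_t)`, but the third hunk of this file re-adds `kernel_read_system_state(auditd_t)` under `corecmd_exec_bin(auditd_t)`, so the net effect is that auditd keeps the broad access and gains two redundant grants. If the intent was to narrow auditd's /proc access, the re-added line should go; if the broad access is still required for running the dispatcher, the two narrower lines are unnecessary. The `# cjp: why?` left in the third hunk is a review question and should be answered in the comment rather than shipped as-is.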
 
@@ -134,11 +133,12 @@
 
 term_dontaudit_use_console(auditd_t)
 
+# cjp: why?
 # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
 # Probably want a transition, and a new auditd_helper app
 corecmd_exec_sbin(auditd_t)
 corecmd_exec_bin(auditd_t)
-
+kernel_read_system_state(auditd_t)
 
 domain_use_interactive_fds(auditd_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.44/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/unconfined.fc	2006-06-08 09:43:08.000000000 -0400
@@ -4,7 +4,6 @@
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
 /usr/bin/vncserver	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
-ifdef(`targeted_policy',`
-/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
+/usr/lib/openoffice.org.*/program/.*\.bin	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
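Review bot: Removing the `ifdef(`targeted_policy',...)` wrapper makes the three unconfined_execmem_exec_t entries unconditional, yet the new `unconfined_execmem_domtrans` interface in unconfined.if only requires that type under targeted_policy, which suggests the type is declared only there; if so, a strict build of this module will reference an undefined type from its file contexts. Keep the wrapper, or confirm the type is declared unconditionally in unconfined.te before dropping it. The new `/usr/bin/mplayer` entry also carries a space before the tab, as the valgrind line does.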
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.44/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-05-19 13:46:37.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/unconfined.if	2006-06-08 09:43:08.000000000 -0400
@@ -449,3 +449,31 @@
 
 	allow $1 unconfined_t:dbus acquire_svc;
 ')
+
+########################################
+## <summary>
+##	Execute the application that requires dexecmem program in the unconfined_execmem domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_execmem_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type unconfined_execmem_t, unconfined_execmem_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
+
+		allow $1 unconfined_execmem_t:fd use;
+		allow unconfined_execmem_t $1:fd use;
+		allow unconfined_execmem_t $1:fifo_file rw_file_perms;
+		allow unconfined_execmem_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
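Review bot: The summary of `unconfined_execmem_domtrans` reads `requires dexecmem program`, which is a typo; suggest `##	Execute a program that requires execmem in the unconfined_execmem domain.` The `<param>` summary `Domain allowed access.` could also state what is granted, mirroring the body: the caller transitions to unconfined_execmem_t and the two domains may exchange fds, fifo_files and sigchld.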
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.44/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/unconfined.te	2006-06-08 09:43:08.000000000 -0400
@@ -33,8 +33,6 @@
 	allow unconfined_t self:system syslog_read;
 	dontaudit unconfined_t self:capability sys_module;
 
-	domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
-
 	files_create_boot_flag(unconfined_t)
 
 	init_domtrans_script(unconfined_t)
@@ -114,6 +112,10 @@
 	')
 
 	optional_policy(`
+		unconfined_execmem_domtrans(unconfined_t)
+	')
+
+	optional_policy(`
 		lpd_domtrans_checkpc(unconfined_t)
 	')
 
@@ -180,11 +182,16 @@
 	optional_policy(`
 		xserver_domtrans_xdm_xserver(unconfined_t)
 	')
+
+	optional_policy(`
+		pegasus_domtrans(unconfined_t)
+	')
+
 ')
 
 ########################################
 #
-# Unconfined Execmem Local policy
+# Local policy
 #
 
 ifdef(`targeted_policy',`
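Review bot: Renaming the section header from `# Unconfined Execmem Local policy` to `# Local policy` makes it indistinguishable from the unconfined_t local-policy section earlier in the file, so the comment loses the one thing it conveyed; keep `# Unconfined Execmem Local policy` (the `ifdef(`targeted_policy',`` block it introduces continues past the hunk). The added `pegasus_domtrans(unconfined_t)` sends unconfined_t into pegasus_t when it runs the server, per the new pegasus.if interface, and a one-line comment saying so would help since none of the surrounding entries explain their direction.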
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.44/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/userdomain.if	2006-06-08 10:02:36.000000000 -0400
@@ -474,34 +474,6 @@
 		xserver_create_xdm_tmp_sockets($1_t)
 	')
 
-	ifdef(`TODO',`
-	#
-	# Cups daemon running as user tries to write /etc/printcap
-	#
-	dontaudit $1_t usr_t:file setattr;
-
-	# /initrd is left mounted, various programs try to look at it
-	dontaudit $1_t ramfs_t:dir getattr;
-
-	#
-	# Running ifconfig as a user generates the following
-	#
-	dontaudit $1_t sysctl_net_t:dir search;
-
-	r_dir_file($1_t, usercanread)
-
-	# old browser_domain():
-	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-
-	allow $1_t usbtty_device_t:chr_file read;
-
-	ifdef(`xdm.te', `
-		allow $1_t xdm_var_lib_t:file r_file_perms;
-	')
-	') dnl endif TODO
-
 ')
 
 #######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.44/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/userdomain.te	2006-06-08 09:43:08.000000000 -0400
@@ -1,11 +1,12 @@
 
-policy_module(userdomain,1.3.27)
+policy_module(userdomain,1.3.26)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
 
 	ifdef(`enable_mls',`
 		role secadm_r;
+		role auditadm_r;
 	')
 ')
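Review bot: `policy_module(userdomain,1.3.27)` is changed to `1.3.26`, so the patched module carries a lower version than the upstream file it patches; this looks like an artefact of regenerating the patch against an older base rather than an intended change, and a version that goes backwards reads as a regression to anyone diffing against upstream. Drop the version line from the patch, or bump it forward if the Fedora changes are meant to be tracked. The rest of the hunk (adding `role auditadm_r;` to the gen_require) is unrelated to the version line.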
 
@@ -67,6 +68,7 @@
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
 	unconfined_alias_domain(secadm_t)
+	unconfined_alias_domain(auditadm_t)
 	unconfined_alias_domain(sysadm_t)
 
 	# User home directory type.
@@ -82,6 +84,7 @@
 
 	# compatibility for switching from strict
 #	dominance { role secadm_r { role system_r; }}
+#	dominance { role auditadm_r { role system_r; }}
 #	dominance { role sysadm_r { role system_r; }}
 #	dominance { role user_r { role system_r; }}
 #	dominance { role staff_r { role system_r; }}
@@ -105,8 +108,10 @@
 
 	ifdef(`enable_mls',`
 		allow secadm_r system_r;
+		allow auditadm_r system_r;
 		allow secadm_r user_r;
 		allow staff_r secadm_r;
+		allow staff_r auditadm_r;
 	')
 
 	optional_policy(`
@@ -126,9 +131,21 @@
 	role_change(staff, sysadm)
 
 	ifdef(`enable_mls',`
-		admin_user_template(secadm)
+#		admin_user_template(secadm)
+#		admin_user_template(auditadm)
+		unpriv_user_template(secadm)
+		unpriv_user_template(auditadm)
+
+		role_change(staff,auditadm)
 		role_change(staff,secadm)
+
 		role_change(sysadm,secadm)
+		role_change(sysadm,auditadm)
+
+		role_change(auditadm,secadm)
+		role_change(auditadm,sysadm)
+
+		role_change(secadm,auditadm)
 		role_change(secadm,sysadm)
 	')
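Review bot: Switching secadm and auditadm from `admin_user_template` to `unpriv_user_template` changes what those roles receive, and the two commented-out `#		admin_user_template(...)` lines record neither the reason nor whether the change is temporary. Replace them with a comment stating why the unprivileged template is used, e.g. `# secadm/auditadm use the unpriv template; their extra rights are granted explicitly below`, or drop the dead lines. The new `role_change` pairs (auditadm <-> secadm, auditadm <-> sysadm, staff -> auditadm) would also benefit from a one-line comment describing the intended role graph.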
 
@@ -172,19 +189,33 @@
 	')
 
 	ifdef(`enable_mls',`
+		allow secadm_t self:capability dac_override;
 		corecmd_exec_shell(secadm_t)
 		mls_process_read_up(secadm_t)
+		mls_file_read_up(secadm_t)
 		mls_file_write_down(secadm_t)
 		mls_file_upgrade(secadm_t)
 		mls_file_downgrade(secadm_t)
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
-		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
-		files_relabel_all_files(secadm_t)
+	        auth_relabel_all_files_except_shadow(secadm_t)
 		auth_relabel_shadow(secadm_t)
+		domain_obj_id_change_exemption(secadm_t)
+	        logging_read_generic_logs(secadm_t)
+
+		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+		domain_kill_all_domains(auditadm_t)
+	        seutil_read_bin_policy(auditadm_t)
+		corecmd_exec_shell(auditadm_t)
+	        logging_read_generic_logs(auditadm_t)
+		logging_manage_audit_log(auditadm_t)
+		logging_manage_audit_config(auditadm_t)
+		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
 	', `
-		logging_read_audit_log(sysadm_t)
+		logging_manage_audit_log(sysadm_t)
+		logging_manage_audit_config(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
 	')
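Review bot: `allow secadm_t self:capability dac_override;` lets the security administrator bypass DAC permission checks on every file, with no comment saying which operation needs it; put a justification on the line, e.g. `# dac_override: needed for <operation> -- TODO confirm`, or tie the grant to the specific interface that needs it. The new auditadm_t block mixes tab and tab-plus-spaces indentation (the `auth_relabel_all_files_except_shadow`, `logging_read_generic_logs` and `seutil_read_bin_policy` lines), which should be tabs like the rest. Moving `logging_run_auditctl` from secadm_t to auditadm_t is the separation-of-duty change this hunk is about and deserves a one-line comment so it is not read as an accidental drop.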
 
@@ -252,6 +283,7 @@
 
 		ifdef(`enable_mls',`
 			consoletype_exec(secadm_t)
+			consoletype_exec(auditadm_t)
 		')
 	')
 
@@ -270,6 +302,7 @@
 
 		ifdef(`enable_mls',`
 			dmesg_exec(secadm_t)
+			dmesg_exec(auditadm_t)
 		')
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.44/policy/rolemap
--- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
+++ serefpolicy-2.2.44/policy/rolemap	2006-06-08 09:43:08.000000000 -0400
@@ -15,5 +15,6 @@
 
 	ifdef(`enable_mls',`
 		secadm_r secadm secadm_t
+		auditadm_r auditadm auditadm_t
 	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.44/policy/support/misc_macros.spt
--- nsaserefpolicy/policy/support/misc_macros.spt	2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.44/policy/support/misc_macros.spt	2006-06-08 09:43:08.000000000 -0400
@@ -37,7 +37,7 @@
 #
 # gen_context(context,mls_sensitivity,[mcs_categories])
 #
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.44/policy/users
--- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
+++ serefpolicy-2.2.44/policy/users	2006-06-08 09:43:08.000000000 -0400
@@ -29,7 +29,7 @@
 gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
@@ -44,8 +44,8 @@
 	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- modules-targeted.conf	6 Jun 2006 21:33:13 -0000	1.28
+++ modules-targeted.conf	8 Jun 2006 14:03:38 -0000	1.29
@@ -1064,6 +1064,20 @@
 # 
 clamav = module
 
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+# 
+razor = module
+
+# Layer: services
+# Module: dcc
+#
+# A distributed, collaborative, spam detection and filtering network.
+# 
+dcc = module
+
 # Layer: system
 # Module: setrans
 # Required in base
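Review bot: The description under `# Module: dcc` is a copy of the razor entry, `A distributed, collaborative, spam detection and filtering network.`, so the two modules are indistinguishable in the comment; give dcc its own one-liner (it is the Distributed Checksum Clearinghouse client) rather than repeating razor's text. The `# ` lines before each `= module` also carry a trailing space, matching the existing clamav entry above but worth trimming in new lines.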

policy-20060505.patch:
 config/appconfig-strict-mls/default_type |    1 
 policy/modules/admin/consoletype.te      |    7 ++++-
 policy/modules/admin/rpm.te              |    8 ++++-
 policy/modules/apps/webalizer.te         |    1 
 policy/modules/kernel/files.if           |   15 ++++++++++
 policy/modules/kernel/filesystem.te      |    3 +-
 policy/modules/kernel/kernel.te          |    1 
 policy/modules/services/cups.te          |    8 ++++-
 policy/modules/services/hal.te           |    2 +
 policy/modules/services/mysql.te         |    2 -
 policy/modules/services/ntp.te           |    2 +
 policy/modules/services/pegasus.if       |   31 ++++++++++++++++++++++
 policy/modules/services/pegasus.te       |    5 +--
 policy/modules/services/procmail.te      |    5 +++
 policy/modules/services/pyzor.te         |    4 ++
 policy/modules/services/xfs.te           |    2 +
 policy/modules/system/hostname.te        |    5 ++-
 policy/modules/system/init.te            |    1 
 policy/modules/system/libraries.fc       |    3 ++
 policy/modules/system/logging.te         |   12 +++++---
 policy/modules/system/unconfined.fc      |    7 ++---
 policy/modules/system/unconfined.if      |   28 ++++++++++++++++++++
 policy/modules/system/unconfined.te      |   13 +++++++--
 policy/modules/system/userdomain.te      |   43 +++++++++++++++++++++++++++----
 policy/rolemap                           |    1 
 policy/support/misc_macros.spt           |    2 -
 policy/users                             |    6 ++--
 27 files changed, 187 insertions(+), 31 deletions(-)

Index: policy-20060505.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060505.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- policy-20060505.patch	6 Jun 2006 21:33:13 -0000	1.17
+++ policy-20060505.patch	8 Jun 2006 14:03:38 -0000	1.18
@@ -1,47 +1,14 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.43/config/appconfig-strict-mls/default_type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.44/config/appconfig-strict-mls/default_type
 --- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.43/config/appconfig-strict-mls/default_type	2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/config/appconfig-strict-mls/default_type	2006-06-08 09:43:08.000000000 -0400
 @@ -2,3 +2,4 @@
  secadm_r:secadm_t
  staff_r:staff_t
  user_r:user_t
 +auditadm_r:auditadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.43/policy/global_tunables
---- nsaserefpolicy/policy/global_tunables	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/global_tunables	2006-05-26 14:03:15.000000000 -0400
-@@ -58,6 +58,22 @@
- 
- ## <desc>
- ## <p>
-+## Allow ftp servers to use nfs
-+## used for public file transfer services.
-+## </p>
-+## </desc>
-+gen_tunable(allow_ftpd_use_nfs,false)
-+
-+## <desc>
-+## <p>
-+## Allow ftp servers to use cifs
-+## used for public file transfer services.
-+## </p>
-+## </desc>
-+gen_tunable(allow_ftpd_use_cifs,false)
-+
-+## <desc>
-+## <p>
- ## Allow gssd to read temp directory.
- ## </p>
- ## </desc>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.43/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.44/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/admin/consoletype.te	2006-05-26 14:03:15.000000000 -0400
-@@ -1,5 +1,5 @@
- 
--policy_module(consoletype,1.0.1)
-+policy_module(consoletype,1.0.0)
- 
- ########################################
- #
++++ serefpolicy-2.2.44/policy/modules/admin/consoletype.te	2006-06-08 09:43:08.000000000 -0400
 @@ -8,7 +8,12 @@
  
  type consoletype_t;
@@ -56,109 +23,43 @@
  mls_file_read_up(consoletype_t)
  mls_file_write_down(consoletype_t)
  role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.2.43/policy/modules/admin/rpm.if
---- nsaserefpolicy/policy/modules/admin/rpm.if	2006-03-23 14:33:29.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/admin/rpm.if	2006-06-06 11:10:50.000000000 -0400
-@@ -237,3 +237,23 @@
- 	dontaudit $1 rpm_var_lib_t:file create_file_perms;
- 	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
- ')
-+
-+########################################
-+## <summary>
-+##	Execute the rpm client in the caller domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpm_exec',`
-+	gen_require(`
-+		type rpm_exec_t;
-+	')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.44/policy/modules/admin/rpm.te
+--- nsaserefpolicy/policy/modules/admin/rpm.te	2006-06-08 08:45:57.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/admin/rpm.te	2006-06-08 09:49:46.000000000 -0400
+@@ -341,12 +341,16 @@
+ 	optional_policy(`
+ 		mono_domtrans(rpm_script_t)
+ 	')
+-',`
 +
-+	corecmd_search_bin($1)
-+	can_exec($1,rpm_exec_t)
+ 	optional_policy(`
+-		bootloader_domtrans(rpm_script_t)
++		unconfined_domtrans(rpm_script_t)
+ 	')
+ ')
+ 
++optional_policy(`
++	bootloader_domtrans(rpm_script_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.43/policy/modules/admin/rpm.te
---- nsaserefpolicy/policy/modules/admin/rpm.te	2006-04-19 17:43:32.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/admin/rpm.te	2006-05-26 14:03:15.000000000 -0400
-@@ -334,6 +334,15 @@
- 
- ifdef(`targeted_policy',`
- 	unconfined_domain(rpm_script_t)
-+	optional_policy(`
-+		java_domtrans(rpm_script_t)
-+	')
-+	optional_policy(`
-+		mono_domtrans(rpm_script_t)
-+	')
-+	optional_policy(`
-+		unconfined_execmem_domtrans(rpm_script_t)
-+	')
- ',`
+ ifdef(`distro_redhat',`
  	optional_policy(`
- 		bootloader_domtrans(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.43/policy/modules/apps/webalizer.te
---- nsaserefpolicy/policy/modules/apps/webalizer.te	2006-03-24 11:15:44.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/webalizer.te	2006-05-26 14:03:15.000000000 -0400
-@@ -45,6 +45,7 @@
+ 		mta_send_mail(rpm_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.44/policy/modules/apps/webalizer.te
+--- nsaserefpolicy/policy/modules/apps/webalizer.te	2006-06-08 08:45:57.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/apps/webalizer.te	2006-06-08 09:43:08.000000000 -0400
+@@ -44,6 +44,7 @@
+ allow webalizer_t self:unix_dgram_socket sendto;
  allow webalizer_t self:unix_stream_socket connectto;
  allow webalizer_t self:tcp_socket connected_stream_socket_perms;
- allow webalizer_t self:udp_socket { connect connected_socket_perms };
-+allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
++allow webalizer_t self:udp_socket { connect connected_socket_perms };
+ allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
  
  allow webalizer_t webalizer_etc_t:file { getattr read };
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.2.43/policy/modules/apps/wine.fc
---- nsaserefpolicy/policy/modules/apps/wine.fc	2006-01-19 18:02:04.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/wine.fc	2006-05-28 06:42:33.000000000 -0400
-@@ -1 +1,2 @@
- /usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.2.43/policy/modules/apps/wine.te
---- nsaserefpolicy/policy/modules/apps/wine.te	2006-03-07 10:31:08.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/wine.te	2006-05-28 07:09:11.000000000 -0400
-@@ -22,4 +22,9 @@
- 	unconfined_domain_noaudit(wine_t)
- 	role system_r types wine_t;
- 	allow wine_t file_type:file execmod;
-+
-+	optional_policy(`
-+		hal_dbus_chat(wine_t)
-+	')
-+
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.43/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/corecommands.fc	2006-05-26 14:03:15.000000000 -0400
-@@ -120,11 +120,6 @@
- /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
--# these two lines are separate because of a
--# sorting issue with the java module
--/usr/lib/jvm/java.*/bin -d		gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/jvm/java.*/bin/.*		gen_context(system_u:object_r:bin_t,s0)
--
- /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -135,6 +130,7 @@
- /usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:sbin_t,s0)
- /usr/lib(64)?/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.43/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2006-05-12 09:22:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/files.if	2006-06-06 11:06:54.000000000 -0400
-@@ -1882,6 +1882,21 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.44/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2006-06-06 22:21:53.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/files.if	2006-06-08 09:43:08.000000000 -0400
+@@ -1913,6 +1913,21 @@
  ')
  
  ########################################
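Review bot: The new `unconfined_domtrans(rpm_script_t)` in the rpm.te hunk has no comment saying which scriptlet execution needs a transition into unconfined_t, and it sits in the branch that presumably is the `targeted_policy` side (the old context lines removed just below show `ifdef(`targeted_policy',` / `unconfined_domain(rpm_script_t)` wrapping the mono_domtrans block). If that reading is right the rule adds little in terms of allowed access, but it does change labeling: anything a %pre/%post scriptlet execs from an unconfined_exec_t file now drops the rpm_script_t label, so audit records and `ps -Z` no longer tie those processes to the package install. Suggest stating that above the call, e.g. `# targeted: scriptlet children that exec unconfined_exec_t programs run as unconfined_t (label change only; rpm_script_t is already unconfined here)`, and a one-liner on the relocated `bootloader_domtrans(rpm_script_t)` block noting it now applies to both targeted and strict builds. The enclosing `ifdef` begins before this hunk.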
@@ -180,46 +81,29 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.43/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-05-12 09:22:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/filesystem.if	2006-05-26 14:03:15.000000000 -0400
-@@ -434,6 +434,26 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.44/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-06-08 08:45:57.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/filesystem.te	2006-06-08 09:43:08.000000000 -0400
+@@ -23,7 +23,7 @@
+ # Requires that a security xattr handler exist for the filesystem.
+ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+-fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+ 
+@@ -174,6 +174,7 @@
+ genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
  
  ########################################
- ## <summary>
-+##	Read directories of binary file types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_getattr_binfmt_misc_dirs',`
-+	gen_require(`
-+		type binfmt_misc_t;
-+	')
-+
-+	allow $1 binfmt_misc_t:dir getattr;
-+
-+')
-+
-+
-+########################################
-+## <summary>
- ##	Mount a CIFS or SMB network filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -3240,3 +3260,6 @@
- 	allow $1 noxattrfs:blk_file { getattr relabelfrom };
- 	allow $1 noxattrfs:chr_file { getattr relabelfrom };
- ')
-+
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.43/policy/modules/kernel/kernel.te
---- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-05-26 14:02:27.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/kernel.te	2006-06-06 15:30:41.000000000 -0400
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.44/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-06-06 22:21:53.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/kernel.te	2006-06-08 09:43:08.000000000 -0400
 @@ -28,6 +28,7 @@
  
  ifdef(`enable_mls',`
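Review bot: Moving gfs from `fs_use_xattr` to `genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)` in filesystem.te silently changes the labeling model for every existing GFS mount: per-file security contexts are no longer consulted and everything on the volume becomes nfs_t, the same type the neighbouring lines give hfs and reiserfs and that the NFS home-directory booleans open up to user domains. The hunk carries no comment on why (presumably the kernel's gfs (v1) module lacks the security xattr handler that the comment above the xattr list requires, while gfs2 has one, but confirm that before relabeling). Suggest `# gfs (v1) has no security xattr handler; label it like the other non-xattr filesystems` above the new genfscon line, and a changelog entry so admins who relied on file-level contexts on GFS know the update coarsens them.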
@@ -228,432 +112,66 @@
  ')
  
  #
-@@ -50,6 +51,15 @@
- genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
- 
- #
-+# Oprofilefs
-+#
-+
-+type oprofilefs_t;
-+fs_type(oprofilefs_t)
-+allow oprofilefs_t self:filesystem associate;
-+genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
-+
-+#
- # Procfs types
- #
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-2.2.43/policy/modules/services/amavis.fc
---- nsaserefpolicy/policy/modules/services/amavis.fc	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/amavis.fc	2006-05-26 14:03:15.000000000 -0400
-@@ -7,6 +7,6 @@
- /var/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
- /var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
- /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
--/var/run/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_run_t,s0)
-+/var/run/amavis(d)?(/.*)?		gen_context(system_u:object_r:amavis_var_run_t,s0)
- /var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
- /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-2.2.43/policy/modules/services/amavis.if
---- nsaserefpolicy/policy/modules/services/amavis.if	2006-03-07 16:19:28.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/services/amavis.if	2006-05-26 14:03:15.000000000 -0400
-@@ -104,3 +104,65 @@
- 	allow $1 amavis_var_run_t:file setattr;
- 	files_search_pids($1)
- ')
-+
-+########################################
-+## <summary>
-+##	Create socket files under the amavis spool
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="socket_type">
-+##	<summary>
-+##	Type for socket file
-+##	</summary>
-+## </param>
-+#
-+interface(`amavis_spool_create_socket',`
-+	gen_require(`
-+		type amavis_spool_t;
-+	')
-+
-+	allow $1 amavis_spool_t:dir rw_dir_perms;
-+	allow $1 $2:sock_file manage_file_perms;
-+	type_transition $1 amavis_spool_t:sock_file $2;
-+')
-+
-+########################################
-+## <summary>
-+##	Read amavis spool files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`amavis_read_spool_file',`
-+	gen_require(`
-+		type amavis_spool_t;
-+	')
-+
-+	allow $1 amavis_spool_t:file { getattr read };
-+')
-+
-+########################################
-+## <summary>
-+##	Manage amavis spool files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`amavis_manage_spool_files',`
-+	gen_require(`
-+		type amavis_spool_t;
-+	')
-+	files_search_spool($1)
-+	allow $1 amavis_spool_t:dir create_dir_perms;
-+	allow $1 amavis_spool_t:file create_file_perms;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.43/policy/modules/services/amavis.te
---- nsaserefpolicy/policy/modules/services/amavis.te	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/amavis.te	2006-05-26 14:03:15.000000000 -0400
-@@ -64,6 +64,7 @@
- # Spool Files
- allow amavis_t amavis_spool_t:dir manage_dir_perms;
- allow amavis_t amavis_spool_t:file manage_file_perms;
-+allow amavis_t amavis_spool_t:sock_file create_file_perms;
- files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
- 
- # tmp files
-@@ -93,13 +94,21 @@
- kernel_read_kernel_sysctls(amavis_t)
- # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
- kernel_dontaudit_list_proc(amavis_t)
-+kernel_dontaudit_read_proc_symlinks(amavis_t)
- kernel_dontaudit_read_system_state(amavis_t)
- 
-+# dontaudit terminal access
-+ifdef(`targeted_policy',`
-+	term_dontaudit_use_generic_ptys(amavis_t)
-+')
-+
- # find perl
- corecmd_exec_bin(amavis_t)
- corecmd_search_sbin(amavis_t)
- 
- corenet_non_ipsec_sendrecv(amavis_t)
-+corenet_tcp_bind_all_nodes(amavis_t)
-+corenet_udp_bind_all_nodes(amavis_t)
- corenet_tcp_sendrecv_all_if(amavis_t)
- corenet_tcp_sendrecv_all_nodes(amavis_t)
- # amavis uses well-defined ports
-@@ -111,6 +120,7 @@
- corenet_tcp_connect_amavisd_send_port(amavis_t)
- # bind to incoming port
- corenet_tcp_bind_amavisd_recv_port(amavis_t)
-+corenet_udp_bind_generic_port(amavis_t)
- 
- dev_read_rand(amavis_t)
- dev_read_urand(amavis_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.43/policy/modules/services/apache.if
---- nsaserefpolicy/policy/modules/services/apache.if	2006-05-12 16:31:53.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/apache.if	2006-05-27 08:04:08.000000000 -0400
-@@ -115,6 +115,7 @@
- 	seutil_dontaudit_search_config(httpd_$1_script_t)
- 
- 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+		allow httpd_$1_script_t httpdcontent:file entrypoint;
- 		allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
- 		allow httpd_$1_script_t httpdcontent:file create_file_perms;
- 		allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.43/policy/modules/services/bluetooth.te
---- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/bluetooth.te	2006-05-26 14:03:15.000000000 -0400
-@@ -129,6 +129,8 @@
- 
- logging_send_syslog_msg(bluetooth_t)
- 
-+locallogin_dontaudit_use_fds(bluetooth_helper_t)
-+
- miscfiles_read_localization(bluetooth_t)
- miscfiles_read_fonts(bluetooth_t)
- 
-@@ -225,6 +227,9 @@
- 		xserver_stream_connect_xdm(bluetooth_helper_t)
- 		xserver_use_xdm_fds(bluetooth_helper_t)
- 		xserver_rw_xdm_pipes(bluetooth_helper_t)
-+		# when started via startx 
-+		xserver_stream_connect(bluetooth_helper_t)
-+		xserver_write_xdm_xserver_tmp_sockets(bluetooth_helper_t)
- 	')
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.43/policy/modules/services/clamav.te
---- nsaserefpolicy/policy/modules/services/clamav.te	2006-05-17 16:57:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/clamav.te	2006-05-26 14:03:15.000000000 -0400
-@@ -39,6 +39,10 @@
- type clamscan_exec_t;
- init_daemon_domain(clamscan_t, clamscan_exec_t)
- 
-+# tmp files
-+type clamscan_tmp_t;
-+files_tmp_file(clamscan_tmp_t)
-+
- type freshclam_t;
- type freshclam_exec_t;
- init_daemon_domain(freshclam_t, freshclam_exec_t)
-@@ -63,6 +67,13 @@
- allow clamd_t clamd_etc_t:file r_file_perms;
- allow clamd_t clamd_etc_t:lnk_file { getattr read };
- 
-+# Spool Files
-+files_search_spool(clamd_t)
-+optional_policy(`
-+	amavis_spool_create_socket(clamd_t, clamd_var_run_t)
-+	amavis_read_spool_file(clamd_t)
-+')
-+
- # socket file
- allow clamd_t clamd_sock_t:file manage_file_perms;
- allow clamd_t clamd_sock_t:sock_file manage_file_perms;
-@@ -86,6 +97,7 @@
- allow clamd_t clamd_var_log_t:sock_file create_file_perms;
- allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
- logging_log_filetrans(clamd_t,clamd_var_log_t,file)
-+logging_send_syslog_msg(clamd_t)
- 
- # pid file
- allow clamd_t clamd_var_run_t:file manage_file_perms;
-@@ -94,6 +106,10 @@
- files_pid_filetrans(clamd_t,clamd_var_run_t,file)
- 
- kernel_dontaudit_list_proc(clamd_t)
-+# dontaudit terminal access
-+ifdef(`targeted_policy',`
-+	term_dontaudit_use_generic_ptys(clamd_t)
-+')
- 
- corenet_non_ipsec_sendrecv(clamd_t)
- corenet_tcp_sendrecv_all_if(clamd_t)
-@@ -217,6 +233,11 @@
- allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
- allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
- 
-+# tmp files
-+allow clamscan_t clamscan_tmp_t:file create_file_perms;
-+allow clamscan_t clamscan_tmp_t:dir create_dir_perms;
-+files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
-+
- kernel_read_kernel_sysctls(clamscan_t)
- 
- files_read_etc_files(clamscan_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.43/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te	2006-05-26 14:02:27.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/cups.te	2006-05-28 10:28:11.000000000 -0400
-@@ -74,14 +74,14 @@
- #
- 
- # /usr/lib/cups/backend/serial needs sys_admin(?!)
--allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
- dontaudit cupsd_t self:capability { sys_tty_config net_admin };
- allow cupsd_t self:process { setsched signal_perms };
- allow cupsd_t self:fifo_file rw_file_perms;
- allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow cupsd_t self:unix_dgram_socket create_socket_perms;
- allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-+allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
- allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
- allow cupsd_t self:udp_socket create_socket_perms;
- allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -565,6 +565,7 @@
- allow hplip_t self:unix_stream_socket create_socket_perms;
- allow hplip_t self:tcp_socket create_stream_socket_perms;
- allow hplip_t self:udp_socket create_socket_perms;
-+allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
- # cjp: raw?
- allow hplip_t self:rawip_socket create_socket_perms;
- 
-@@ -645,6 +646,10 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.44/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/cups.te	2006-06-08 09:43:08.000000000 -0400
+@@ -647,11 +647,15 @@
  ')
  
  optional_policy(`
+-	seutil_sigchld_newrole(hplip_t)
 +	snmp_read_snmp_var_lib_files(hplip_t)
-+')
-+
-+optional_policy(`
- 	mount_send_nfs_client_request(hplip_t)
  ')
  
-@@ -658,6 +663,7 @@
- 
- allow hplip_t devpts_t:dir search;
- allow hplip_t devpts_t:chr_file { getattr ioctl };
-+userdom_dontaudit_search_all_users_home_content(hplip_t)
- 
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.43/policy/modules/services/cvs.te
---- nsaserefpolicy/policy/modules/services/cvs.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/services/cvs.te	2006-05-26 14:03:15.000000000 -0400
-@@ -8,6 +8,7 @@
- 
- type cvs_t;
- type cvs_exec_t;
-+corecmd_executable_file(cvs_exec_t)
- inetd_tcp_service_domain(cvs_t,cvs_exec_t)
- role system_r types cvs_t;
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.43/policy/modules/services/dbus.te
---- nsaserefpolicy/policy/modules/services/dbus.te	2006-04-12 12:59:10.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/dbus.te	2006-05-27 07:39:54.000000000 -0400
-@@ -38,6 +38,7 @@
- allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
- allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
- allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
- # Receive notifications of policy reloads and enforcing status changes.
- allow system_dbusd_t self:netlink_selinux_socket { create bind read };
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.2.43/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te	2006-05-17 16:57:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/dovecot.te	2006-05-27 07:42:52.000000000 -0400
-@@ -42,6 +42,7 @@
- allow dovecot_t self:tcp_socket create_stream_socket_perms;
- allow dovecot_t self:unix_dgram_socket create_socket_perms;
- allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
- 
- domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
- allow dovecot_t dovecot_auth_t:fd use;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.43/policy/modules/services/ftp.te
---- nsaserefpolicy/policy/modules/services/ftp.te	2006-05-17 16:57:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/ftp.te	2006-05-26 14:03:15.000000000 -0400
-@@ -162,15 +162,35 @@
- ')
- 
- tunable_policy(`use_nfs_home_dirs && ftp_home_dir',`
-+	fs_manage_nfs_files(ftpd_t)
-+	fs_read_nfs_symlinks(ftpd_t)
-+')
-+
-+tunable_policy(`allow_ftpd_use_cifs',`
- 	fs_read_nfs_files(ftpd_t)
- 	fs_read_nfs_symlinks(ftpd_t)
- ')
- 
-+tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
-+	fs_manage_nfs_files(ftpd_t)
-+	fs_read_nfs_symlinks(ftpd_t)
-+')
-+
- tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
-+	fs_manage_cifs_files(ftpd_t)
-+	fs_read_cifs_symlinks(ftpd_t)
+ optional_policy(`
+-	snmp_read_snmp_var_lib_files(hplip_t)
++	mount_send_nfs_client_request(hplip_t)
 +')
 +
-+tunable_policy(`allow_ftpd_use_cifs',`
- 	fs_read_cifs_files(ftpd_t)
- 	fs_read_cifs_symlinks(ftpd_t)
++optional_policy(`
++	seutil_sigchld_newrole(hplip_t)
  ')
  
-+tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
-+	fs_manage_cifs_files(ftpd_t)
-+	fs_read_cifs_symlinks(ftpd_t)
-+')
-+
  optional_policy(`
- 	corecmd_exec_shell(ftpd_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.43/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/hal.te	2006-06-06 11:58:26.000000000 -0400
-@@ -144,6 +144,10 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.44/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te	2006-06-06 22:21:54.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/hal.te	2006-06-08 09:47:42.000000000 -0400
+@@ -140,6 +140,8 @@
  
  sysnet_read_config(hald_t)
  
-+# needed for nss_ldap
-+sysnet_use_ldap(hald_t)
-+miscfiles_read_certs(hald_t)
++auth_use_nsswitch(hald_t)
 +
  userdom_dontaudit_use_unpriv_user_fds(hald_t)
  userdom_dontaudit_search_sysadm_home_dirs(hald_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-2.2.43/policy/modules/services/ldap.fc
---- nsaserefpolicy/policy/modules/services/ldap.fc	2005-10-06 17:29:17.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/ldap.fc	2006-05-26 14:03:15.000000000 -0400
-@@ -8,3 +8,4 @@
- 
- /var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
- /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
-+/var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.43/policy/modules/services/mysql.te
---- nsaserefpolicy/policy/modules/services/mysql.te	2006-04-12 12:59:10.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/mysql.te	2006-05-26 14:03:15.000000000 -0400
-@@ -33,6 +33,7 @@
- allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
- dontaudit mysqld_t self:capability sys_tty_config;
- allow mysqld_t self:process { setsched getsched setrlimit signal_perms };
-+allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
- allow mysqld_t self:fifo_file { read write };
- allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
- allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
-@@ -103,6 +104,7 @@
- logging_send_syslog_msg(mysqld_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.44/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/mysql.te	2006-06-08 09:48:34.000000000 -0400
+@@ -101,7 +101,7 @@
  
  miscfiles_read_localization(mysqld_t)
-+miscfiles_read_certs(mysqld_t)
  
- sysnet_use_ldap(mysqld_t)
+-sysnet_use_ldap(mysqld_t)
++auth_use_nsswitch(mysqld_t)
  sysnet_read_config(mysqld_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-2.2.43/policy/modules/services/networkmanager.fc
---- nsaserefpolicy/policy/modules/services/networkmanager.fc	2006-02-06 17:51:14.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/services/networkmanager.fc	2006-05-26 14:03:15.000000000 -0400
-@@ -2,3 +2,4 @@
- /usr/(s)?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /var/run/NetworkManager.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.2.43/policy/modules/services/nscd.te
---- nsaserefpolicy/policy/modules/services/nscd.te	2006-04-12 12:59:10.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/nscd.te	2006-05-26 14:03:15.000000000 -0400
-@@ -133,3 +133,8 @@
- optional_policy(`
- 	udev_read_db(nscd_t)
- ')
-+
-+optional_policy(`
-+	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
-+	xen_append_log(nscd_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.43/policy/modules/services/ntp.te
---- nsaserefpolicy/policy/modules/services/ntp.te	2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/ntp.te	2006-05-27 07:43:26.000000000 -0400
-@@ -112,6 +112,10 @@
+ 
+ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.44/policy/modules/services/ntp.te
+--- nsaserefpolicy/policy/modules/services/ntp.te	2006-06-06 22:21:55.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/ntp.te	2006-06-08 09:48:01.000000000 -0400
+@@ -112,6 +112,8 @@
  
  sysnet_read_config(ntpd_t)
  
-+# nss_ldap
-+sysnet_use_ldap(ntpd_t)
-+miscfiles_read_certs(ntpd_t)
++auth_use_nsswitch(ntpd_t)
 +
  userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
  userdom_list_sysadm_home_dirs(ntpd_t)
  userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.43/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.44/policy/modules/services/pegasus.if
 --- nsaserefpolicy/policy/modules/services/pegasus.if	2005-10-25 13:40:18.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/pegasus.if	2006-06-06 10:37:18.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pegasus.if	2006-06-08 09:43:08.000000000 -0400
 @@ -1 +1,32 @@
  ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
 +
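Review bot: The hal.te, mysql.te and ntp.te hunks replace `sysnet_use_ldap()` (and, for hald/ntpd, `miscfiles_read_certs()`) with `auth_use_nsswitch()` and in doing so drop the `# needed for nss_ldap` / `# nss_ldap` comments that explained why daemons with no LDAP role need LDAP client access. Keep the rationale, e.g. `# nss_ldap/nscd: user and group lookups may go over the network` above each `auth_use_nsswitch(...)`. `auth_use_nsswitch` is presumably a superset of the two calls it replaces (NIS and nscd as well as LDAP), so it is worth confirming the extra network reach is wanted for ntpd in particular, which already listens on the network; if the broader grant is intentional, say so in the comment rather than leaving the next reader to guess.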
@@ -687,35 +205,10 @@
 +	allow pegasus_t $1:fifo_file rw_file_perms;
 +	allow pegasus_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.43/policy/modules/services/pegasus.te
---- nsaserefpolicy/policy/modules/services/pegasus.te	2006-04-26 11:23:32.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/pegasus.te	2006-06-06 11:11:18.000000000 -0400
-@@ -30,7 +30,7 @@
- # Local policy
- #
- 
--allow pegasus_t self:capability { dac_override net_bind_service audit_write }; 
-+allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service audit_write }; 
- dontaudit pegasus_t self:capability sys_tty_config;
- allow pegasus_t self:process signal;
- allow pegasus_t self:fifo_file rw_file_perms;
-@@ -65,6 +65,7 @@
- kernel_read_fs_sysctls(pegasus_t)
- kernel_read_system_state(pegasus_t)
- kernel_search_vm_sysctl(pegasus_t)
-+kernel_read_net_sysctls(pegasus_t)
- 
- corenet_tcp_sendrecv_all_if(pegasus_t)
- corenet_raw_sendrecv_all_if(pegasus_t)
-@@ -82,6 +83,7 @@
- corecmd_exec_sbin(pegasus_t)
- corecmd_exec_bin(pegasus_t)
- corecmd_exec_shell(pegasus_t)
-+can_exec(pegasus_t,pegasus_exec_t)
- 
- dev_read_sysfs(pegasus_t)
- dev_read_urand(pegasus_t)
-@@ -94,13 +96,12 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.44/policy/modules/services/pegasus.te
+--- nsaserefpolicy/policy/modules/services/pegasus.te	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pegasus.te	2006-06-08 09:43:08.000000000 -0400
+@@ -100,13 +100,12 @@
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -731,232 +224,44 @@
  files_read_var_lib_symlinks(pegasus_t)
  
  hostname_exec(pegasus_t)
-@@ -108,6 +109,7 @@
- init_use_fds(pegasus_t)
- init_use_script_ptys(pegasus_t)
- init_rw_utmp(pegasus_t)
-+init_stream_connect_script(pegasus_t)
- 
- libs_use_ld_so(pegasus_t)
- libs_use_shared_libs(pegasus_t)
-@@ -126,11 +128,16 @@
- 	unconfined_signull(pegasus_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.44/policy/modules/services/procmail.te
+--- nsaserefpolicy/policy/modules/services/procmail.te	2006-06-06 22:21:55.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/procmail.te	2006-06-08 09:43:08.000000000 -0400
+@@ -109,3 +109,8 @@
+ 	spamassassin_exec(procmail_t)
+ 	spamassassin_exec_client(procmail_t)
  ')
- 
 +
- optional_policy(`
- 	logging_send_syslog_msg(pegasus_t)
- ')
- 
- optional_policy(`
-+	rpm_exec(pegasus_t)
++optional_policy(`
++	clamav_domtrans_clamscan(procmail_t)
 +')
 +
-+optional_policy(`
- 	nscd_socket_use(pegasus_t)
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.43/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te	2006-05-12 09:22:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/postfix.te	2006-05-26 14:03:15.000000000 -0400
-@@ -289,12 +289,12 @@
- mta_read_config(postfix_local_t)
- 
- optional_policy(`
--#	for postalias
--	mailman_read_data_files(postfix_local_t)
-+	procmail_domtrans(postfix_local_t)
- ')
- 
- optional_policy(`
--	procmail_domtrans(postfix_local_t)
-+#	for postalias
-+	mailman_manage_data_files(postfix_local_t)
- ')
- 
- ########################################
-@@ -603,3 +603,4 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.44/policy/modules/services/pyzor.te
+--- nsaserefpolicy/policy/modules/services/pyzor.te	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pyzor.te	2006-06-08 09:46:23.000000000 -0400
+@@ -126,3 +126,7 @@
  optional_policy(`
- 	sasl_connect(postfix_smtpd_t)
+ 	nscd_socket_use(pyzord_t)
  ')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.43/policy/modules/services/pyzor.te
---- nsaserefpolicy/policy/modules/services/pyzor.te	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/pyzor.te	2006-05-26 14:03:15.000000000 -0400
-@@ -35,10 +35,20 @@
- allow pyzor_t pyzor_var_lib_t:file r_file_perms;
- files_search_var_lib(pyzor_t)
- 
-+corenet_udp_sendrecv_all_if(pyzor_t)
-+corenet_udp_sendrecv_all_ports(pyzor_t)
-+
- files_read_etc_files(pyzor_t)
- 
- auth_use_nsswitch(pyzor_t)
- 
-+dev_read_urand(pyzor_t)
-+
-+corecmd_list_bin(pyzor_t)
-+corecmd_getattr_bin_files(pyzor_t)
-+kernel_read_kernel_sysctls(pyzor_t)  
-+kernel_read_system_state(pyzor_t)
-+
- libs_use_ld_so(pyzor_t)
- libs_use_shared_libs(pyzor_t)
- 
-@@ -46,6 +56,7 @@
- 
- optional_policy(`
- 	amavis_manage_lib_files(pyzor_t)
-+	amavis_manage_spool_files(pyzor_t)
- ')
- 
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.43/policy/modules/services/rsync.te
---- nsaserefpolicy/policy/modules/services/rsync.te	2006-04-28 14:40:40.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/rsync.te	2006-05-26 14:03:15.000000000 -0400
-@@ -8,6 +8,7 @@
- 
- type rsync_t;
- type rsync_exec_t;
-+corecmd_executable_file(rsync_exec_t)
- init_daemon_domain(rsync_t,rsync_exec_t)
- role system_r types rsync_t;
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.43/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te	2006-05-02 18:59:59.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/samba.te	2006-05-26 14:03:15.000000000 -0400
-@@ -222,9 +222,13 @@
- 
- allow smbd_t winbind_var_run_t:sock_file { read write getattr };
- 
-+rpc_search_nfs_state_data(smbd_t)
-+fs_getattr_rpc_dirs(smbd_t)
-+
- kernel_getattr_core_if(smbd_t)
- kernel_getattr_message_if(smbd_t)
- kernel_read_network_state(smbd_t)
-+kernel_read_fs_sysctls(smbd_t)
- kernel_read_kernel_sysctls(smbd_t)
- kernel_read_software_raid_state(smbd_t)
- kernel_read_system_state(smbd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.2.43/policy/modules/services/spamassassin.fc
---- nsaserefpolicy/policy/modules/services/spamassassin.fc	2006-04-19 11:26:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/spamassassin.fc	2006-05-26 14:03:15.000000000 -0400
-@@ -5,6 +5,7 @@
- 
- /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
- /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
-+/var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
- 
- ifdef(`strict_policy',`
- HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.43/policy/modules/services/spamassassin.te
---- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-05-05 16:44:48.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/spamassassin.te	2006-05-26 14:03:15.000000000 -0400
-@@ -20,6 +20,9 @@
- type spamd_var_run_t;
- files_pid_file(spamd_var_run_t)
- 
-+type spamd_spool_t;
-+files_type(spamd_spool_t)
-+
- type spamassassin_exec_t;
- corecmd_executable_file(spamassassin_exec_t)
- 
-@@ -57,6 +60,10 @@
- allow spamd_t spamd_var_run_t:dir rw_dir_perms;
- files_pid_filetrans(spamd_t,spamd_var_run_t,file)
- 
-+allow spamd_t spamd_spool_t:file create_file_perms;
-+allow spamd_t spamd_spool_t:dir create_dir_perms;
-+files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
-+
- kernel_read_all_sysctls(spamd_t)
- kernel_read_system_state(spamd_t)
- kernel_tcp_recvfrom(spamd_t)
-@@ -98,6 +105,7 @@
- files_read_usr_files(spamd_t)
- files_read_etc_files(spamd_t)
- files_read_etc_runtime_files(spamd_t)
-+files_search_var_lib(spamd_t)
- 
- init_use_fds(spamd_t)
- init_use_script_ptys(spamd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.43/policy/modules/services/xfs.te
++ifdef(`targeted_policy',`
++	userdom_read_generic_user_home_content_files(pyzord_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.44/policy/modules/services/xfs.te
 --- nsaserefpolicy/policy/modules/services/xfs.te	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/xfs.te	2006-05-27 07:43:52.000000000 -0400
-@@ -69,6 +69,10 @@
++++ serefpolicy-2.2.44/policy/modules/services/xfs.te	2006-06-08 09:47:04.000000000 -0400
+@@ -69,6 +69,8 @@
  miscfiles_read_localization(xfs_t)
  miscfiles_read_fonts(xfs_t)
  
-+# nss_ldap
-+sysnet_use_ldap(xfs_t)
-+miscfiles_read_certs(xfs_t)
++auth_use_nsswitch(xfs_t)
 +
  userdom_dontaudit_use_unpriv_user_fds(xfs_t)
  userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.43/policy/modules/services/xserver.if
---- nsaserefpolicy/policy/modules/services/xserver.if	2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/xserver.if	2006-05-26 14:03:15.000000000 -0400
-@@ -1073,6 +1073,7 @@
- 	allow $1 xdm_xserver_tmp_t:file { getattr read };
- ')
- 
-+
- ########################################
- ## <summary>
- ##	Kill XDM X servers
-@@ -1109,3 +1110,45 @@
- 
- 	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
- ')
-+
-+
-+########################################
-+## <summary>
-+##	Connect to xdm_xserver over a unix domain
-+##	stream socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_stream_connect',`
-+	gen_require(`
-+		type xdm_xserver_t;
-+	')
-+
-+	allow $1 xdm_xserver_t:unix_stream_socket connectto;
-+')
-+
-+
-+
-+########################################
-+## <summary>
-+##	write xdm temporary socket files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_write_xdm_xserver_tmp_sockets',`
-+	gen_require(`
-+		type xdm_xserver_tmp_t;
-+	')
-+
-+	allow $1 xdm_xserver_tmp_t:sock_file write;
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.43/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.44/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/system/hostname.te	2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/hostname.te	2006-06-08 09:43:08.000000000 -0400
 @@ -8,7 +8,10 @@
  
  type hostname_t;
@@ -969,10 +274,10 @@
  role system_r types hostname_t;
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.43/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2006-05-19 13:46:37.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/init.te	2006-05-26 14:03:15.000000000 -0400
-@@ -348,6 +348,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.44/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2006-06-06 22:21:56.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/init.te	2006-06-08 09:43:08.000000000 -0400
+@@ -345,6 +345,7 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -980,23 +285,10 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.43/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/libraries.fc	2006-06-06 15:41:44.000000000 -0400
-@@ -34,8 +34,10 @@
- #
- /lib(/.*)?					gen_context(system_u:object_r:lib_t,s0)
- /lib64(/.*)?					gen_context(system_u:object_r:lib_t,s0)
--/lib(64)?/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
--/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
-+/lib/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
-+/lib64/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
-+/lib/ld-[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
-+/lib64/ld-[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
- 
- ifdef(`distro_gentoo',`
- /lib32(/.*)?					gen_context(system_u:object_r:lib_t,s0)
-@@ -43,6 +45,9 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.44/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/libraries.fc	2006-06-08 09:43:08.000000000 -0400
+@@ -48,6 +48,9 @@
  /lib32/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
  ')
  
@@ -1006,45 +298,9 @@
  #
  # /opt
  #
-@@ -56,6 +61,7 @@
- /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/(.*/)?jre.*/libawt.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/cisco-vpnclient/lib/libvpnapi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
- ifdef(`distro_gentoo',`
- /opt/netscape/plugins/libflashplayer.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -115,6 +121,7 @@
- 
- /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
- ifdef(`distro_redhat',`
-@@ -226,7 +233,14 @@
- /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/local/matlab.*/bin/glnx86/libmwlapack.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/acroread/(.*/)?sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/acroread/(.*/)?nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/acroread/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- ') dnl end distro_redhat
- 
- #
-@@ -248,3 +262,4 @@
- /var/spool/postfix/lib(64)?/lib.*\.so.*	--	gen_context(system_u:object_r:shlib_t,s0)
- /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
- /var/spool/postfix/lib(64)?/devfsd/.*\.so.* --	gen_context(system_u:object_r:shlib_t,s0)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.43/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te	2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/logging.te	2006-05-26 14:03:15.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.44/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/logging.te	2006-06-08 09:43:08.000000000 -0400
 @@ -14,10 +14,14 @@
  role system_r types auditctl_t;
  
@@ -1060,32 +316,49 @@
  
  type auditd_t;
  # real declaration moved to mls until
-@@ -134,7 +138,11 @@
+@@ -123,9 +127,8 @@
+ files_pid_filetrans(auditd_t,auditd_var_run_t,file)
+ 
+ kernel_read_kernel_sysctls(auditd_t)
+-# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
+-# Probably want a transition, and a new auditd_helper app
+-kernel_read_system_state(auditd_t)
++kernel_list_proc(auditd_t)
++kernel_read_proc_symlinks(auditd_t)
+ 
+ dev_read_sysfs(auditd_t)
+ 
+@@ -134,11 +137,12 @@
+ 
  term_dontaudit_use_console(auditd_t)
  
- # cjp: why?
-+# Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
-+# Probably want a transition, and a new auditd_helper app
++# cjp: why?
+ # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
+ # Probably want a transition, and a new auditd_helper app
  corecmd_exec_sbin(auditd_t)
-+corecmd_exec_bin(auditd_t)
+ corecmd_exec_bin(auditd_t)
+-
 +kernel_read_system_state(auditd_t)
  
  domain_use_interactive_fds(auditd_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.43/policy/modules/system/unconfined.fc
---- nsaserefpolicy/policy/modules/system/unconfined.fc	2006-01-06 17:55:18.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/system/unconfined.fc	2006-06-06 12:30:30.000000000 -0400
-@@ -3,3 +3,7 @@
- # /usr/local/bin/appsrv	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.44/policy/modules/system/unconfined.fc
+--- nsaserefpolicy/policy/modules/system/unconfined.fc	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.fc	2006-06-08 09:43:08.000000000 -0400
+@@ -4,7 +4,6 @@
  # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
  /usr/bin/vncserver	--	gen_context(system_u:object_r:unconfined_exec_t,s0)
-+
+ 
+-ifdef(`targeted_policy',`
+-/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/bin/valgrind 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-')
 +/usr/lib/openoffice.org.*/program/.*\.bin	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/valgrind 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/mplayer 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.43/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.44/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-05-19 13:46:37.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/unconfined.if	2006-06-06 12:30:13.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.if	2006-06-08 09:43:08.000000000 -0400
 @@ -449,3 +449,31 @@
  
  	allow $1 unconfined_t:dbus acquire_svc;
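Review bot: The new unconfined.fc entries drop the `ifdef(`targeted_policy'` guard and add /usr/bin/mplayer, so these three unconfined_execmem_exec_t labels now apply to strict and MLS builds too, while the domain's local policy in unconfined.te (the section further down) is still wrapped in `ifdef(`targeted_policy'`. If the type is not declared or has no entry-point rules in those builds, the files either get a context no domain can execute from or setfiles rejects the spec; keep the guard, or confirm the type is declared unconditionally and say so in a comment. Separately, labelling mplayer this way puts a parser of untrusted media files in a domain that, per the earlier patch's rules, gets execmem/execstack and unconfined_domain_noaudit, removing the memory-protection checks exactly where they pay off; an execmem boolean is the usual opt-in, and at least the line deserves `# mplayer: some codecs need execmem -- prefer an opt-in boolean`.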
@@ -1118,23 +391,19 @@
 +		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
 +	')
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.43/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te	2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/unconfined.te	2006-06-06 12:29:22.000000000 -0400
-@@ -13,7 +13,11 @@
- ')
- type unconfined_exec_t;
- init_system_domain(unconfined_t,unconfined_exec_t)
--role system_r types unconfined_t;
-+
-+type unconfined_execmem_t;
-+type unconfined_execmem_exec_t;
-+init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
-+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.44/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.te	2006-06-08 09:43:08.000000000 -0400
+@@ -33,8 +33,6 @@
+ 	allow unconfined_t self:system syslog_read;
+ 	dontaudit unconfined_t self:capability sys_module;
  
- ########################################
- #
-@@ -107,6 +111,10 @@
+-	domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
+-
+ 	files_create_boot_flag(unconfined_t)
+ 
+ 	init_domtrans_script(unconfined_t)
+@@ -114,6 +112,10 @@
  	')
  
  	optional_policy(`
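Review bot: This hunk deletes `domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)` from the targeted block of unconfined.te and nothing in the hunk replaces it, so after the change unconfined_t executing a file labelled unconfined_execmem_exec_t stays in unconfined_t and no longer enters the execmem domain. The tail of the new interface added to unconfined.if (the one that warns it has no effect in strict policy) looks like the intended relocation, but its call site for unconfined_t is not in view; either show that call in this patch or leave a pointer here such as `# execmem transition now granted via the unconfined.if interface`. The following unconfined.te hunk is cut by the outer diff.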
@@ -1145,7 +414,7 @@
  		lpd_domtrans_checkpc(unconfined_t)
  	')
  
-@@ -173,4 +181,19 @@
+@@ -180,11 +182,16 @@
  	optional_policy(`
  		xserver_domtrans_xdm_xserver(unconfined_t)
  	')
@@ -1154,21 +423,25 @@
 +		pegasus_domtrans(unconfined_t)
 +	')
 +
-+')
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+ifdef(`targeted_policy',`
-+	allow unconfined_execmem_t self:process { execstack execmem };
-+	unconfined_domain_noaudit(unconfined_execmem_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.43/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te	2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/userdomain.te	2006-05-26 14:03:15.000000000 -0400
-@@ -6,6 +6,7 @@
+ 
+ ########################################
+ #
+-# Unconfined Execmem Local policy
++# Local policy
+ #
+ 
+ ifdef(`targeted_policy',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.44/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/userdomain.te	2006-06-08 09:43:08.000000000 -0400
+@@ -1,11 +1,12 @@
+ 
+-policy_module(userdomain,1.3.27)
++policy_module(userdomain,1.3.26)
+ 
+ gen_require(`
+ 	role sysadm_r, staff_r, user_r;
  
  	ifdef(`enable_mls',`
  		role secadm_r;
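Review bot: The userdomain.te hunk changes `policy_module(userdomain,1.3.27)` to `policy_module(userdomain,1.3.26)`, a version decrement on a module this patch extends (the diffstat lists +43 lines for userdomain.te). A lower version on an already-installed module is what semodule's upgrade version check may refuse, and at best it makes the installed version number misrepresent what the module contains; use `policy_module(userdomain,1.3.28)` (or keep 1.3.27) rather than rolling it back. The same hunk also renames the comment `# Unconfined Execmem Local policy` to `# Local policy`, which drops the one phrase saying what the following ifdef block is for; keep the original wording. The gen_require block of userdomain.te continues past this hunk.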
@@ -1263,7 +536,7 @@
  		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
  	')
  
-@@ -248,6 +279,7 @@
+@@ -252,6 +283,7 @@
  
  		ifdef(`enable_mls',`
  			consoletype_exec(secadm_t)
@@ -1271,7 +544,7 @@
  		')
  	')
  
-@@ -266,6 +298,7 @@
+@@ -270,6 +302,7 @@
  
  		ifdef(`enable_mls',`
  			dmesg_exec(secadm_t)
@@ -1279,106 +552,9 @@
  		')
  	')
  
-@@ -428,6 +461,7 @@
- 	optional_policy(`
- 		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
- 		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
-+		consoletype_run(sysadm_t,sysadm_r,admin_terminal)
- 	')
- 
- 	optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.43/policy/modules/system/xen.fc
---- nsaserefpolicy/policy/modules/system/xen.fc	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/xen.fc	2006-05-26 14:03:15.000000000 -0400
-@@ -16,3 +16,4 @@
- /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
- /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
- /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
-+/xen(/.*)?			gen_context(system_u:object_r:xen_image_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.43/policy/modules/system/xen.if
---- nsaserefpolicy/policy/modules/system/xen.if	2006-05-03 16:01:26.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/xen.if	2006-05-26 14:03:15.000000000 -0400
-@@ -124,6 +124,6 @@
- 
- 	domain_auto_trans($1,xm_exec_t,xm_t)
- 	allow xm_t $1:fd use;
--	allow xm_t:$1:fifo_file rw_file_perms;
-+	allow xm_t $1:fifo_file rw_file_perms;
- 	allow xm_t $1:process sigchld;
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.43/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/xen.te	2006-05-26 14:03:15.000000000 -0400
-@@ -50,6 +50,10 @@
- domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
- role system_r types xenconsoled_t;
- 
-+# Xen Image files
-+type xen_image_t; # customizable
-+files_type(xen_image_t)
-+
- # pid files
- type xenconsoled_var_run_t;
- files_pid_file(xenconsoled_var_run_t)
-@@ -74,6 +78,11 @@
- allow xend_t self:tcp_socket create_stream_socket_perms;
- allow xend_t self:packet_socket create_socket_perms;
- 
-+files_etc_filetrans_etc_runtime(xend_t,file)
-+
-+allow xend_t xen_image_t:dir r_dir_perms;
-+allow xend_t xen_image_t:file r_file_perms;
-+
- # pid file
- allow xend_t xend_var_run_t:file manage_file_perms;
- allow xend_t xend_var_run_t:sock_file manage_file_perms;
-@@ -89,8 +98,9 @@
- # var/lib files for xend
- allow xend_t xend_var_lib_t:file create_file_perms;
- allow xend_t xend_var_lib_t:sock_file create_file_perms;
-+allow xend_t xend_var_lib_t:fifo_file create_file_perms;
- allow xend_t xend_var_lib_t:dir create_dir_perms;
--files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
-+files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
- 
- # transition to store
- domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-@@ -113,6 +123,7 @@
- corecmd_exec_bin(xend_t)
- corecmd_exec_shell(xend_t)
- 
-+corenet_tcp_bind_all_nodes(xend_t)
- corenet_tcp_sendrecv_all_if(xend_t)
- corenet_tcp_sendrecv_all_nodes(xend_t)
- corenet_tcp_sendrecv_all_ports(xend_t)
-@@ -242,7 +253,7 @@
- # xm local policy
- #
- 
--allow xm_t self:capability dac_override;
-+allow xm_t self:capability { dac_override ipc_lock };
- # internal communication is often done using fifo and unix sockets.
- allow xm_t self:fifo_file { read write };
- allow xm_t self:unix_stream_socket create_stream_socket_perms;
-@@ -270,3 +281,15 @@
- xen_append_log(xm_t)
- xen_stream_connect(xm_t)
- xen_stream_connect_xenstore(xm_t)
-+
-+files_list_mnt(xm_t)
-+
-+init_rw_script_stream_sockets(xm_t)
-+
-+files_read_etc_runtime_files(xm_t)
-+files_read_usr_files(xm_t)
-+
-+files_search_var_lib(xm_t)
-+allow xm_t xend_var_lib_t:dir rw_dir_perms;
-+allow xm_t xend_var_lib_t:fifo_file create_file_perms;
-+allow xm_t xend_var_lib_t:file create_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.43/policy/rolemap
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.44/policy/rolemap
 --- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.43/policy/rolemap	2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/policy/rolemap	2006-06-08 09:43:08.000000000 -0400
 @@ -15,5 +15,6 @@
  
  	ifdef(`enable_mls',`
@@ -1386,9 +562,9 @@
 +		auditadm_r auditadm auditadm_t
  	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.43/policy/support/misc_macros.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.44/policy/support/misc_macros.spt
 --- nsaserefpolicy/policy/support/misc_macros.spt	2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/support/misc_macros.spt	2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/policy/support/misc_macros.spt	2006-06-08 09:43:08.000000000 -0400
 @@ -37,7 +37,7 @@
  #
  # gen_context(context,mls_sensitivity,[mcs_categories])
@@ -1398,9 +574,9 @@
  
  ########################################
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.43/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.44/policy/users
 --- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.43/policy/users	2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/policy/users	2006-06-08 09:43:08.000000000 -0400
 @@ -29,7 +29,7 @@
  gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
  ',`
@@ -1421,15 +597,3 @@
 +		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
  	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.2.43/Rules.modular
---- nsaserefpolicy/Rules.modular	2006-05-26 14:02:26.000000000 -0400
-+++ serefpolicy-2.2.43/Rules.modular	2006-05-26 14:03:15.000000000 -0400
-@@ -31,7 +31,7 @@
- vpath %.if $(ALL_LAYERS)
- vpath %.fc $(ALL_LAYERS)
- 
--.SECONDARY:
-+#.SECONDARY:
- 
- ########################################
- #


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.202
retrieving revision 1.203
diff -u -r1.202 -r1.203
--- selinux-policy.spec	6 Jun 2006 21:33:13 -0000	1.202
+++ selinux-policy.spec	8 Jun 2006 14:03:38 -0000	1.203
@@ -15,12 +15,12 @@
 %define CHECKPOLICYVER 1.30.4-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.43
-Release: 4
+Version: 2.2.44
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch: policy-20060505.patch
+patch: policy-20060608.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -335,6 +335,9 @@
 %endif
 
 %changelog
+* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.44-1
+- Update from upstream
+
 * Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.43-4
 - Add oprofilefs
 



