rpms/selinux-policy/devel Makefile.devel, 1.6, 1.7 modules-targeted.conf, 1.25, 1.26 policy-20060505.patch, 1.7, 1.8 selinux-policy.spec, 1.192, 1.193

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed May 17 00:48:06 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7065

Modified Files:
	Makefile.devel modules-targeted.conf policy-20060505.patch 
	selinux-policy.spec 
Log Message:
* Tue May 16 2006 Dan Walsh <dwalsh at redhat.com> 2.2.40-1
- Update from upstream



Index: Makefile.devel
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/Makefile.devel,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- Makefile.devel	4 May 2006 17:39:16 -0000	1.6
+++ Makefile.devel	17 May 2006 00:48:04 -0000	1.7
@@ -14,6 +14,6 @@
 endif
 
 TYPE ?= $(NAME)${MCSFLAG}
-HEADERDIR := $(SHAREDIR)/targeted/include
+HEADERDIR := $(SHAREDIR)/devel/include
 include $(HEADERDIR)/Makefile
 


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- modules-targeted.conf	9 May 2006 21:50:36 -0000	1.25
+++ modules-targeted.conf	17 May 2006 00:48:04 -0000	1.26
@@ -1079,3 +1079,10 @@
 # 
 openvpn = base
 
+# Layer: apps
+# Module: unconfined_execmem
+#
+# unconfined_execmem executable
+# 
+unconfined_execmem = base
+
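Review bot: The module comment added here, `# unconfined_execmem executable`, does not say what the module grants, which matters because the unconfined_execmem.te in the accompanying patch declares an unconfined domain that is additionally allowed execmem and execstack, and only under targeted policy. Suggest `# Unconfined domain that is additionally allowed execmem/execstack (targeted policy only)` so a reader of the module list sees the privilege level without opening the .te. The `= base` placement mirrors the surrounding entries, so nothing to change there.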

policy-20060505.patch:
 config/appconfig-strict-mls/default_type  |    1 
 policy/global_booleans                    |    8 ++
 policy/global_tunables                    |    8 ++
 policy/modules/admin/consoletype.te       |   16 ++++
 policy/modules/admin/netutils.te          |    3 
 policy/modules/admin/prelink.te           |    3 
 policy/modules/apps/mono.te               |    5 +
 policy/modules/apps/unconfined_execmem.fc |    2 
 policy/modules/apps/unconfined_execmem.if |   29 ++++++++
 policy/modules/apps/unconfined_execmem.te |   22 ++++++
 policy/modules/kernel/corecommands.fc     |    2 
 policy/modules/kernel/corenetwork.te.in   |    5 -
 policy/modules/kernel/domain.te           |    3 
 policy/modules/kernel/files.if            |   15 ++++
 policy/modules/kernel/files.te            |    4 +
 policy/modules/kernel/kernel.if           |    2 
 policy/modules/kernel/kernel.te           |    1 
 policy/modules/kernel/mls.te              |    1 
 policy/modules/kernel/terminal.if         |    2 
 policy/modules/services/amavis.fc         |    1 
 policy/modules/services/amavis.te         |   17 ++++-
 policy/modules/services/apache.te         |    9 +-
 policy/modules/services/bind.te           |    3 
 policy/modules/services/bluetooth.te      |    5 +
 policy/modules/services/clamav.fc         |    2 
 policy/modules/services/clamav.if         |   24 +++++++
 policy/modules/services/clamav.te         |   45 +++++++++++++
 policy/modules/services/cvs.if            |   20 ++++++
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/dovecot.te        |    5 +
 policy/modules/services/ftp.te            |    1 
 policy/modules/services/hal.te            |   10 ---
 policy/modules/services/inn.if            |   28 ++++++++
 policy/modules/services/nis.te            |    1 
 policy/modules/services/postgresql.te     |    1 
 policy/modules/services/pyzor.fc          |    4 +
 policy/modules/services/pyzor.if          |   34 ++++++++++
 policy/modules/services/rpc.te            |   10 ++-
 policy/modules/services/rsync.te          |    1 
 policy/modules/services/ssh.te            |    2 
 policy/modules/services/xfs.if            |   19 +++++
 policy/modules/services/xfs.te            |    5 +
 policy/modules/services/xserver.if        |   38 +++++++++++
 policy/modules/services/xserver.te        |    2 
 policy/modules/system/hostname.te         |    5 +
 policy/modules/system/init.if             |   19 +++++
 policy/modules/system/init.te             |    1 
 policy/modules/system/libraries.fc        |   15 +++-
 policy/modules/system/logging.if          |   97 ++++++++++++++++++++++++++++++
 policy/modules/system/logging.te          |    8 ++
 policy/modules/system/mount.te            |    4 +
 policy/modules/system/selinuxutil.fc      |    2 
 policy/modules/system/selinuxutil.te      |   18 +++++
 policy/modules/system/setrans.fc          |    4 +
 policy/modules/system/setrans.if          |   24 +++++++
 policy/modules/system/setrans.te          |   71 +++++++++++++++++++++
 policy/modules/system/sysnetwork.te       |    7 ++
 policy/modules/system/unconfined.if       |   21 ++++++
 policy/modules/system/unconfined.te       |   12 +++
 policy/modules/system/userdomain.if       |   23 +++++++
 policy/modules/system/userdomain.te       |   52 ++++++++++++++--
 policy/modules/system/xen.fc              |    1 
 policy/modules/system/xen.if              |    1 
 policy/modules/system/xen.te              |   14 +++-
 policy/rolemap                            |    1 
 policy/users                              |    6 -
 66 files changed, 786 insertions(+), 40 deletions(-)

Index: policy-20060505.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060505.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20060505.patch	15 May 2006 20:48:00 -0000	1.7
+++ policy-20060505.patch	17 May 2006 00:48:04 -0000	1.8
@@ -1,14 +1,14 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.39/config/appconfig-strict-mls/default_type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.40/config/appconfig-strict-mls/default_type
 --- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.39/config/appconfig-strict-mls/default_type	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/config/appconfig-strict-mls/default_type	2006-05-16 10:16:11.000000000 -0400
 @@ -2,3 +2,4 @@
  secadm_r:secadm_t
  staff_r:staff_t
  user_r:user_t
 +auditadm_r:auditadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.2.39/policy/global_booleans
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.2.40/policy/global_booleans
 --- nsaserefpolicy/policy/global_booleans	2006-02-10 17:05:17.000000000 -0500
-+++ serefpolicy-2.2.39/policy/global_booleans	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/global_booleans	2006-05-16 10:16:11.000000000 -0400
 @@ -28,3 +28,11 @@
  ## </p>
  ## </desc>
@@ -21,9 +21,9 @@
 +## </desc>
 +gen_bool(allow_mount_anyfile,false)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.39/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.40/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2006-04-18 22:49:58.000000000 -0400
-+++ serefpolicy-2.2.39/policy/global_tunables	2006-05-15 13:01:41.000000000 -0400
++++ serefpolicy-2.2.40/policy/global_tunables	2006-05-16 10:16:11.000000000 -0400
 @@ -73,6 +73,14 @@
  
  ## <desc>
@@ -39,9 +39,39 @@
  ## Allow java executable stack
  ## </p>
  ## </desc>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.39/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.40/policy/modules/admin/consoletype.te
+--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-04-04 18:06:37.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/admin/consoletype.te	2006-05-16 10:16:11.000000000 -0400
+@@ -8,7 +8,12 @@
+ 
+ type consoletype_t;
+ type consoletype_exec_t;
+-init_domain(consoletype_t,consoletype_exec_t)
++#dont transition from initrc
++#init_domain(consoletype_t,consoletype_exec_t)
++domain_type(consoletype_t)
++domain_entry_file(consoletype_t,consoletype_exec_t)
++role system_r types consoletype_t;
++
+ mls_file_read_up(consoletype_t)
+ mls_file_write_down(consoletype_t)
+ role system_r types consoletype_t;
+@@ -107,3 +112,12 @@
+ optional_policy(`
+ 	userdom_use_unpriv_users_fds(consoletype_t)
+ ')
++
++optional_policy(`
++	xen_append_log(consoletype_t)
++	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
++	kernel_read_xen_state(consoletype_t)
++	kernel_write_xen_state(consoletype_t)
++
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.40/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2006-04-27 10:31:31.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/admin/netutils.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/admin/netutils.te	2006-05-16 10:16:11.000000000 -0400
 @@ -187,6 +187,7 @@
  # traceroute needs this but not tracepath
  corenet_raw_bind_all_nodes(traceroute_t)
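Review bot: The added `role system_r types consoletype_t;` in the consoletype.te hunk duplicates the existing `role system_r types consoletype_t;` that remains three lines below as context, so the new line is redundant; keeping a single declaration (drop the added one) avoids the duplicate. The blank line left inside the new xen optional_policy block just before `')` is also out of step with the surrounding blocks. The comment `#dont transition from initrc` would carry the reason better as `# no init_domain(): consoletype must stay in the caller's domain when run from initrc`. The netutils.te diff that starts at the end of this hunk continues past it.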
@@ -59,31 +89,22 @@
  libs_use_ld_so(traceroute_t)
  libs_use_shared_libs(traceroute_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.39/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.40/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2006-04-20 08:17:35.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/admin/prelink.te	2006-05-15 11:10:54.000000000 -0400
-@@ -46,6 +46,7 @@
++++ serefpolicy-2.2.40/policy/modules/admin/prelink.te	2006-05-16 16:59:39.000000000 -0400
+@@ -46,6 +46,9 @@
  corecmd_manage_all_executables(prelink_t)
  corecmd_relabel_all_executables(prelink_t)
  corecmd_mmap_all_executables(prelink_t)
 +corecmd_read_sbin_symlinks(prelink_t)
++
++domain_obj_id_change_exemption(prelink_t)
  
  dev_read_urand(prelink_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.2.39/policy/modules/apps/java.fc
---- nsaserefpolicy/policy/modules/apps/java.fc	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/apps/java.fc	2006-05-15 15:06:08.000000000 -0400
-@@ -10,3 +10,7 @@
- /usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)
-+#
-+# Temporarily until we can find a better solution
-+#
-+/usr/lib(64)?/openoffice.org2.0/program/.*\.bin	gen_context(system_u:object_r:java_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.39/policy/modules/apps/mono.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.40/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2006-05-03 16:26:07.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/apps/mono.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/apps/mono.te	2006-05-16 10:16:11.000000000 -0400
 @@ -22,6 +22,7 @@
  	unconfined_domain_noaudit(mono_t)
  	unconfined_dbus_chat(mono_t)
@@ -101,9 +122,74 @@
 +		unconfined_dbus_connect_bus(mono_t)
 +	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.39/policy/modules/kernel/corecommands.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.fc
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.fc	2006-05-16 17:24:40.000000000 -0400
+@@ -0,0 +1,2 @@
++/usr/lib/openoffice.org.*/program/.*\.bin	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/valgrind 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.if serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.if
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.if	2006-05-16 17:10:38.000000000 -0400
+@@ -0,0 +1,29 @@
++## <summary>Unconfined domain with execmem/execstack privs</summary>
++
++########################################
++## <summary>
++##	Execute the application that requires dexecmem program in the unconfined_execmem domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_execmem_domtrans',`
++	ifdef(`targeted_policy',`
++		gen_require(`
++			type unconfined_execmem_t, unconfined_execmem_exec_t;
++		')
++
++		corecmd_search_bin($1)
++		domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
++
++		allow $1 unconfined_execmem_t:fd use;
++		allow unconfined_execmem_t $1:fd use;
++		allow unconfined_execmem_t $1:fifo_file rw_file_perms;
++		allow unconfined_execmem_t $1:process sigchld;
++	',`
++		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
++	')
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.te serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.te
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.te	2006-05-16 17:05:11.000000000 -0400
+@@ -0,0 +1,22 @@
++
++policy_module(unconfined_execmem,1.1.2)
++
++########################################
++#
++# Declarations
++#
++
++type unconfined_execmem_t;
++type unconfined_execmem_exec_t;
++init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
++
++########################################
++#
++# Local policy
++#
++
++ifdef(`targeted_policy',`
++	allow unconfined_execmem_t self:process { execstack execmem };
++	unconfined_domain_noaudit(unconfined_execmem_t)
++	role system_r types unconfined_execmem_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.40/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-04-27 10:31:32.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/corecommands.fc	2006-05-15 15:04:17.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/corecommands.fc	2006-05-16 10:16:11.000000000 -0400
 @@ -76,7 +76,7 @@
  #
  
@@ -113,9 +199,9 @@
  ifdef(`distro_gentoo',`
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.39/policy/modules/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.40/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-05-03 16:26:07.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/corenetwork.te.in	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/corenetwork.te.in	2006-05-16 10:16:11.000000000 -0400
 @@ -69,9 +69,9 @@
  network_port(giftd, tcp,1213,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
@@ -136,9 +222,9 @@
  network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.39/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.40/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2006-04-20 08:17:36.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/domain.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/domain.te	2006-05-16 10:16:11.000000000 -0400
 @@ -87,6 +87,8 @@
  # list the root directory
  files_list_root(domain)
@@ -156,10 +242,10 @@
  	role sysadm_r types domain;
  	role user_r types domain;
  	role staff_r types domain;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.39/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2006-05-03 11:38:52.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/files.if	2006-05-15 11:10:54.000000000 -0400
-@@ -1712,6 +1712,21 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.40/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/files.if	2006-05-16 10:16:11.000000000 -0400
+@@ -1882,6 +1882,21 @@
  ')
  
  ########################################
@@ -181,9 +267,9 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.39/policy/modules/kernel/files.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.40/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2006-04-28 22:50:56.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/files.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/files.te	2006-05-16 10:16:11.000000000 -0400
 @@ -181,6 +181,10 @@
  fs_associate(file_type)
  fs_associate_noxattr(file_type)
@@ -195,10 +281,10 @@
  ########################################
  #
  # Rules for all tmp file types
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.39/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-05-01 14:39:05.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/kernel.if	2006-05-15 11:10:54.000000000 -0400
-@@ -1413,7 +1413,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.40/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/kernel.if	2006-05-16 10:16:11.000000000 -0400
+@@ -1409,7 +1409,7 @@
  		type proc_t, sysctl_t, sysctl_kernel_t;
  	')
  
@@ -207,9 +293,9 @@
  	allow $1 sysctl_t:dir r_dir_perms;
  	allow $1 sysctl_kernel_t:dir r_dir_perms;
  	allow $1 sysctl_kernel_t:file r_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.39/policy/modules/kernel/kernel.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.40/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-05-01 14:39:06.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/kernel.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/kernel.te	2006-05-16 10:16:11.000000000 -0400
 @@ -28,6 +28,7 @@
  
  ifdef(`enable_mls',`
@@ -218,18 +304,18 @@
  ')
  
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.39/policy/modules/kernel/mls.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.40/policy/modules/kernel/mls.te
 --- nsaserefpolicy/policy/modules/kernel/mls.te	2006-03-07 10:31:09.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/kernel/mls.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/mls.te	2006-05-16 10:16:11.000000000 -0400
 @@ -62,4 +62,5 @@
  range_transition initrc_t auditd_exec_t s15:c0.c255;
  range_transition kernel_t init_exec_t s0 - s15:c0.c255;
  range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 +range_transition initrc_t setrans_exec_t s15:c0.c255;
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.39/policy/modules/kernel/terminal.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.40/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-04-27 10:31:32.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/terminal.if	2006-05-15 14:20:35.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/terminal.if	2006-05-16 10:16:11.000000000 -0400
 @@ -430,7 +430,7 @@
  		type devpts_t;
  	')
@@ -239,9 +325,17 @@
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.39/policy/modules/services/amavis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-2.2.40/policy/modules/services/amavis.fc
+--- nsaserefpolicy/policy/modules/services/amavis.fc	2006-03-07 16:19:28.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/amavis.fc	2006-05-16 10:16:11.000000000 -0400
+@@ -9,3 +9,4 @@
+ /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
+ /var/run/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_run_t,s0)
+ /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
++/var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.40/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2006-05-08 09:53:05.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/amavis.te	2006-05-15 16:46:20.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/amavis.te	2006-05-16 10:16:11.000000000 -0400
 @@ -31,6 +31,9 @@
  type amavis_tmp_t;
  files_tmp_file(amavis_tmp_t)
@@ -305,10 +399,10 @@
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.39/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te	2006-05-03 11:38:52.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/apache.te	2006-05-15 11:10:54.000000000 -0400
-@@ -454,11 +454,6 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.40/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/apache.te	2006-05-16 10:16:11.000000000 -0400
+@@ -427,11 +427,6 @@
  	yam_read_content(httpd_t)
  ')
  
@@ -320,7 +414,7 @@
  ########################################
  #
  # Apache helper local policy
-@@ -712,6 +707,10 @@
+@@ -672,6 +667,10 @@
  	mysql_rw_db_sockets(httpd_sys_script_t)
  ')
  
@@ -331,9 +425,9 @@
  ########################################
  #
  # Apache unconfined script local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.2.39/policy/modules/services/bind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.2.40/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2006-04-28 22:50:56.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/bind.te	2006-05-15 12:38:47.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/bind.te	2006-05-16 10:16:11.000000000 -0400
 @@ -127,6 +127,8 @@
  
  domain_use_interactive_fds(named_t)
@@ -351,9 +445,9 @@
  
  sysnet_read_config(named_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.39/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.40/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/bluetooth.te	2006-05-15 13:30:50.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/bluetooth.te	2006-05-16 10:16:11.000000000 -0400
 @@ -218,11 +218,14 @@
  
  	unconfined_stream_connect(bluetooth_helper_t)
@@ -370,9 +464,9 @@
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.2.39/policy/modules/services/clamav.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.2.40/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2006-03-07 16:19:28.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/clamav.fc	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.fc	2006-05-16 10:16:11.000000000 -0400
 @@ -1,6 +1,8 @@
  /etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
  
@@ -382,9 +476,9 @@
  
  /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.39/policy/modules/services/clamav.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.40/policy/modules/services/clamav.if
 --- nsaserefpolicy/policy/modules/services/clamav.if	2006-03-07 16:19:28.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/clamav.if	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.if	2006-05-16 10:16:11.000000000 -0400
 @@ -61,3 +61,27 @@
  	files_search_etc($1)
  	allow $1 clamd_etc_t:file r_file_perms;
@@ -413,9 +507,9 @@
 +	allow clamscan_t $1:process sigchld;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.39/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.40/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/clamav.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.te	2006-05-16 10:16:11.000000000 -0400
 @@ -39,6 +39,10 @@
  type freshclam_exec_t;
  init_daemon_domain(freshclam_t, freshclam_exec_t)
@@ -472,9 +566,9 @@
 +optional_policy(`
 +	apache_read_sys_content(clamscan_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-2.2.39/policy/modules/services/cvs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-2.2.40/policy/modules/services/cvs.if
 --- nsaserefpolicy/policy/modules/services/cvs.if	2006-02-10 17:05:19.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/cvs.if	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/cvs.if	2006-05-16 10:16:11.000000000 -0400
 @@ -17,3 +17,23 @@
  
  	allow $1 cvs_data_t:file { getattr read };
@@ -499,9 +593,9 @@
 +	can_exec($1,cvs_exec_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.39/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.40/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/cvs.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/cvs.te	2006-05-16 10:16:11.000000000 -0400
 @@ -8,6 +8,7 @@
  
  type cvs_t;
@@ -510,9 +604,9 @@
  inetd_tcp_service_domain(cvs_t,cvs_exec_t)
  role system_r types cvs_t;
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.2.39/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.2.40/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/dovecot.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/dovecot.te	2006-05-16 10:16:11.000000000 -0400
 @@ -95,6 +95,11 @@
  domain_use_interactive_fds(dovecot_t)
  
@@ -525,9 +619,9 @@
  files_search_spool(dovecot_t)
  files_search_tmp(dovecot_t)
  files_dontaudit_list_default(dovecot_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.39/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.40/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2006-04-19 12:23:07.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/ftp.te	2006-05-15 12:59:51.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/ftp.te	2006-05-16 10:16:11.000000000 -0400
 @@ -149,6 +149,7 @@
  	userdom_manage_all_users_home_content_dirs(ftpd_t)
  	userdom_manage_all_users_home_content_files(ftpd_t)
@@ -536,9 +630,9 @@
  
  	ifdef(`targeted_policy',`
  		userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.39/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.40/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2006-04-20 08:17:39.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/hal.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/hal.te	2006-05-16 10:16:11.000000000 -0400
 @@ -51,9 +51,6 @@
  kernel_rw_vm_sysctls(hald_t)
  kernel_write_proc_files(hald_t)
@@ -577,9 +671,9 @@
  	bind_search_cache(hald_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-2.2.39/policy/modules/services/inn.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-2.2.40/policy/modules/services/inn.if
 --- nsaserefpolicy/policy/modules/services/inn.if	2006-02-10 17:05:19.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/inn.if	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/inn.if	2006-05-16 10:16:11.000000000 -0400
 @@ -16,7 +16,7 @@
  		type innd_t;
  	')
@@ -619,9 +713,9 @@
 +	allow innd_t $1:process sigchld;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.2.39/policy/modules/services/nis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.2.40/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2006-05-04 12:51:36.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/nis.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/nis.te	2006-05-16 10:16:11.000000000 -0400
 @@ -87,6 +87,7 @@
  corenet_udp_bind_generic_port(ypbind_t)
  corenet_tcp_bind_reserved_port(ypbind_t)
@@ -630,9 +724,9 @@
  corenet_tcp_connect_all_ports(ypbind_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
  corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-2.2.39/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-2.2.40/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/postgresql.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/postgresql.te	2006-05-16 10:16:11.000000000 -0400
 @@ -41,6 +41,7 @@
  allow postgresql_t self:udp_socket create_stream_socket_perms;
  allow postgresql_t self:unix_dgram_socket create_socket_perms;
@@ -641,9 +735,20 @@
  dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
  
  allow postgresql_t postgresql_db_t:dir create_dir_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.39/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.40/policy/modules/services/pyzor.fc
+--- nsaserefpolicy/policy/modules/services/pyzor.fc	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/pyzor.fc	2006-05-16 10:20:27.000000000 -0400
+@@ -5,3 +5,7 @@
+ 
+ /var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+ /var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
++ifdef(`strict_policy',`
++HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.40/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2006-05-03 16:01:26.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/pyzor.if	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/pyzor.if	2006-05-16 10:16:11.000000000 -0400
 @@ -44,3 +44,37 @@
  	corecmd_search_bin($1)
  	can_exec($1,pyzor_exec_t)
@@ -682,9 +787,9 @@
 +	allow pyzord_t $1_pyzor_home_t:file create_file_perms;
 +	allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.39/policy/modules/services/rpc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.40/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/rpc.te	2006-05-15 13:01:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/rpc.te	2006-05-16 10:16:11.000000000 -0400
 @@ -65,6 +65,8 @@
  files_manage_mounttab(rpcd_t)
  
@@ -716,9 +821,9 @@
  tunable_policy(`nfs_export_all_rw',`
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.39/policy/modules/services/rsync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.40/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2006-04-28 22:50:57.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/rsync.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/rsync.te	2006-05-16 10:16:11.000000000 -0400
 @@ -8,6 +8,7 @@
  
  type rsync_t;
@@ -727,18 +832,10 @@
  init_daemon_domain(rsync_t,rsync_exec_t)
  role system_r types rsync_t;
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.2.39/policy/modules/services/ssh.te
---- nsaserefpolicy/policy/modules/services/ssh.te	2006-05-08 09:53:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/ssh.te	2006-05-15 11:10:54.000000000 -0400
-@@ -17,6 +17,7 @@
- 
- type ssh_keysign_exec_t;
- files_type(ssh_keysign_exec_t)
-+corecmd_executable_file(ssh_keysign_exec_t)
- 
- # real declaration moved to mls until
- # range_transition works in loadable modules
-@@ -73,7 +74,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.2.40/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/ssh.te	2006-05-16 10:16:11.000000000 -0400
+@@ -73,7 +73,7 @@
  ifdef(`strict_policy',`
  	# so a tunnel can point to another ssh tunnel
  	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
@@ -747,9 +844,61 @@
  	allow sshd_t sshd_tmp_t:dir create_dir_perms;
  	allow sshd_t sshd_tmp_t:file create_file_perms;
  	allow sshd_t sshd_tmp_t:sock_file create_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.39/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.if serefpolicy-2.2.40/policy/modules/services/xfs.if
+--- nsaserefpolicy/policy/modules/services/xfs.if	2006-02-10 17:05:19.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/xfs.if	2006-05-16 10:21:41.000000000 -0400
+@@ -41,3 +41,22 @@
+ 	allow $1 xfs_tmp_t:sock_file write;
+ 	allow $1 xfs_t:unix_stream_socket connectto;
+ ')
++
++
++########################################
++## <summary>
++##	Allow the specified domain to execute xfs
++##	in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xfs_exec',`
++	gen_require(`
++		type xfs_exec_t;
++	')
++	can_exec($1,xfs_exec_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.40/policy/modules/services/xfs.te
+--- nsaserefpolicy/policy/modules/services/xfs.te	2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xfs.te	2006-05-16 10:21:41.000000000 -0400
+@@ -34,6 +34,7 @@
+ allow xfs_t xfs_var_run_t:file create_file_perms;
+ allow xfs_t xfs_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(xfs_t,xfs_var_run_t,file)
++xfs_exec(xfs_t)
+ 
+ # Bind to /tmp/.font-unix/fs-1.
+ # cjp: I do not believe this has an effect.
+@@ -49,6 +50,8 @@
+ 
+ term_dontaudit_use_console(xfs_t)
+ 
++corecmd_list_bin(xfs_t)
++corecmd_list_sbin(xfs_t)
+ domain_use_interactive_fds(xfs_t)
+ 
+ files_read_etc_files(xfs_t)
+@@ -91,3 +94,5 @@
+ optional_policy(`
+ 	udev_read_db(xfs_t)
+ ')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.40/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2006-05-03 11:38:54.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/xserver.if	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xserver.if	2006-05-16 10:16:11.000000000 -0400
 @@ -1073,3 +1073,41 @@
  
  	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
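Review bot: xfs.te grants the domain execution of its own binary through the module's freshly added interface, `xfs_exec(xfs_t)`, whereas setrans.te in this same patch writes the equivalent rule directly as `can_exec(setrans_t, setrans_exec_t)`; .if interfaces exist for other modules, so the in-module form `can_exec(xfs_t,xfs_exec_t)` would be consistent with setrans.te and would not couple the .te to the new interface. The rule also sits in the pid-file block between `files_pid_filetrans(xfs_t,xfs_var_run_t,file)` and the `/tmp/.font-unix` comment with no word on why the font server needs to execute its own image; a one-line reason above it would help. The two empty lines appended after the udev `optional_policy` block at the end of xfs.te are stray trailing whitespace.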
@@ -792,9 +941,21 @@
 +	allow $1 xdm_t:fifo_file { getattr read write }; 
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.39/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.2.40/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te	2006-04-20 08:17:39.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xserver.te	2006-05-16 10:16:11.000000000 -0400
+@@ -311,6 +311,8 @@
+ 	allow xdm_t self:process { execheap execmem };
+ 	unconfined_domain(xdm_t)
+ 	unconfined_domtrans(xdm_t)
++	userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
++
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.40/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/system/hostname.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/hostname.te	2006-05-16 10:16:11.000000000 -0400
 @@ -8,7 +8,10 @@
  
  type hostname_t;
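Review bot: In xserver.te the new `userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })` line is followed by an empty added line directly before the closing `')` of the targeted_policy block, leaving a stray blank inside the block; drop it. The class set `{file dir }` is also unevenly spaced compared with `{ dir file lnk_file sock_file fifo_file }` used for ftpd_t earlier in this patch; `{ file dir }` would match the file's style. The enclosing ifdef block starts outside the hunk.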
@@ -807,10 +968,10 @@
  role system_r types hostname_t;
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.2.39/policy/modules/system/init.if
---- nsaserefpolicy/policy/modules/system/init.if	2006-04-05 17:08:56.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/init.if	2006-05-15 11:10:54.000000000 -0400
-@@ -690,6 +690,25 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.2.40/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/init.if	2006-05-16 10:16:11.000000000 -0400
+@@ -772,6 +772,25 @@
  
  ########################################
  ## <summary>
@@ -836,9 +997,9 @@
  ##	Dont audit the specified domain connecting to
  ##	init scripts with a unix domain stream socket.
  ## </summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.39/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2006-05-05 09:51:43.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/init.te	2006-05-15 11:10:54.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.40/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/init.te	2006-05-16 10:16:11.000000000 -0400
 @@ -350,6 +350,7 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
@@ -847,9 +1008,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.39/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.40/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/libraries.fc	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/libraries.fc	2006-05-16 10:16:11.000000000 -0400
 @@ -40,6 +40,8 @@
  /opt/(.*/)?lib64/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
  /opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -911,15 +1072,15 @@
 +/usr/(local/)?(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
  /usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.39/policy/modules/system/logging.if
---- nsaserefpolicy/policy/modules/system/logging.if	2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/logging.if	2006-05-15 11:10:54.000000000 -0400
-@@ -399,3 +399,100 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.40/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/logging.if	2006-05-16 10:16:11.000000000 -0400
+@@ -459,3 +459,100 @@
  	allow $1 var_log_t:dir rw_dir_perms;
  	allow $1 var_log_t:file create_file_perms;
  ')
@@ -1020,9 +1181,9 @@
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.39/policy/modules/system/logging.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.40/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2006-04-27 10:31:33.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/logging.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/logging.te	2006-05-16 10:16:11.000000000 -0400
 @@ -14,10 +14,14 @@
  role system_r types auditctl_t;
  
@@ -1049,9 +1210,9 @@
  kernel_read_kernel_sysctls(auditctl_t)
  kernel_read_proc_symlinks(auditctl_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.39/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.40/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/mount.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/mount.te	2006-05-16 10:16:11.000000000 -0400
 @@ -169,4 +169,8 @@
  ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
@@ -1061,22 +1222,55 @@
 +		auth_read_all_files_except_shadow(mount_t)
 +	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.39/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/selinuxutil.te	2006-05-15 11:10:54.000000000 -0400
-@@ -546,6 +546,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.40/policy/modules/system/selinuxutil.fc
+--- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/selinuxutil.fc	2006-05-16 12:45:55.000000000 -0400
+@@ -37,6 +37,8 @@
+ /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
+ /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+ /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+ 
+ ifdef(`distro_debian', `
+ /usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.40/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/selinuxutil.te	2006-05-16 14:36:58.000000000 -0400
+@@ -526,6 +526,8 @@
+ #
+ 
+ allow semanage_t self:unix_stream_socket create_stream_socket_perms;
++allow semanage_t self:unix_dgram_socket create_socket_perms;
++allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ 
+ allow semanage_t policy_config_t:file { read write };
+ 
+@@ -535,10 +537,18 @@
+ corecmd_exec_bin(semanage_t)
+ corecmd_exec_sbin(semanage_t)
+ 
++dev_read_urand(semanage_t)
++
+ files_read_etc_files(semanage_t)
  files_read_usr_files(semanage_t)
  files_list_pids(semanage_t)
  
++logging_send_syslog_msg(semanage_t)
++
 +miscfiles_read_localization(semanage_t)
 +
++selinux_set_boolean(semanage_t)
++
  mls_file_write_down(semanage_t)
  mls_rangetrans_target(semanage_t)
  mls_file_read_up(semanage_t)
-@@ -570,6 +572,12 @@
+@@ -563,6 +573,14 @@
  seutil_get_semanage_trans_lock(semanage_t)
  seutil_get_semanage_read_lock(semanage_t)
  
++userdom_search_sysadm_home_dirs(semanage_t)
++
 +ifdef(`targeted_policy',`
 +# Handle pp files created in homedir and /tmp
 +	userdom_read_generic_user_home_content_files(semanage_t)
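Review bot: The new `allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` in selinuxutil.te carries no comment, although the same section documents its other non-obvious grant (`# Handle pp files created in homedir and /tmp`). `nlmsg_relay` is the permission a process needs to send its own user-space audit records over the audit netlink socket; a comment such as `# send audit records for boolean/policy changes (setsebool, semanage)` would tie the grant to the new setsebool and semanage labelling in selinuxutil.fc and to `selinux_set_boolean(semanage_t)`, with the exact wording to be confirmed by the author. `dev_read_urand(semanage_t)` and `userdom_search_sysadm_home_dirs(semanage_t)` would likewise benefit from a word on which operation needs them. The semanage_t section continues outside the hunk.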
@@ -1086,17 +1280,17 @@
  optional_policy(`
  	nscd_socket_use(semanage_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.2.39/policy/modules/system/setrans.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.2.40/policy/modules/system/setrans.fc
 --- nsaserefpolicy/policy/modules/system/setrans.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/system/setrans.fc	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/setrans.fc	2006-05-16 10:16:11.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/sbin/mcstransd		--	gen_context(system_u:object_r:setrans_exec_t,s0)
 +
 +/var/run/setrans(/.*)?	gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-2.2.39/policy/modules/system/setrans.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-2.2.40/policy/modules/system/setrans.if
 --- nsaserefpolicy/policy/modules/system/setrans.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/system/setrans.if	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/setrans.if	2006-05-16 10:16:11.000000000 -0400
 @@ -0,0 +1,24 @@
 +## <summary>Policy for setrans.</summary>
 +
@@ -1122,9 +1316,9 @@
 +	allow $1 setrans_var_run_t:sock_file rw_file_perms;
 +	allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.2.39/policy/modules/system/setrans.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.2.40/policy/modules/system/setrans.te
 --- nsaserefpolicy/policy/modules/system/setrans.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/system/setrans.te	2006-05-15 13:40:37.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/setrans.te	2006-05-16 10:16:11.000000000 -0400
 @@ -0,0 +1,71 @@
 +
 +policy_module(setrans,1.0.0)
@@ -1159,7 +1353,7 @@
 +kernel_read_proc_symlinks(setrans_t)
 +
 +allow setrans_t self:capability sys_resource;
-+allow setrans_t self:process { setcap signal_perms };
++allow setrans_t self:process { setrlimit setcap signal_perms };
 +
 +libs_use_ld_so(setrans_t)
 +libs_use_shared_libs(setrans_t)
@@ -1197,9 +1391,9 @@
 +can_exec(setrans_t, setrans_exec_t)
 +
 +logging_send_syslog_msg(setrans_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.39/policy/modules/system/sysnetwork.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.40/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/sysnetwork.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/sysnetwork.te	2006-05-16 10:16:11.000000000 -0400
 @@ -86,6 +86,8 @@
  allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
  allow ifconfig_t dhcpc_t:process sigchld;
@@ -1209,9 +1403,26 @@
  kernel_read_system_state(dhcpc_t)
  kernel_read_network_state(dhcpc_t)
  kernel_read_kernel_sysctls(dhcpc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.39/policy/modules/system/unconfined.if
+@@ -249,6 +251,9 @@
+ optional_policy(`
+ 	xen_append_log(dhcpc_t)
+ 	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
++	kernel_read_xen_state(dhcpc_t)
++	kernel_write_xen_state(dhcpc_t)
++
+ ')
+ 
+ ########################################
+@@ -349,4 +354,6 @@
+ optional_policy(`
+ 	xen_append_log(ifconfig_t)
+ 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
++	kernel_read_xen_state(ifconfig_t)
++	kernel_write_xen_state(ifconfig_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.40/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/unconfined.if	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/unconfined.if	2006-05-16 10:16:11.000000000 -0400
 @@ -431,3 +431,24 @@
  		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
  	')
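Review bot: In the dhcpc_t `optional_policy` block of sysnetwork.te an empty added line precedes the closing `')`, while the parallel ifconfig_t block added a few lines later has none; drop the blank so the two blocks read alike. Both blocks grant `kernel_write_xen_state` next to the read interface, and the hunk gives no indication of which operation of dhclient or ifconfig needs to write xen state rather than only read it; a one-line comment on each write grant, e.g. `# xen network scripts — confirm which write is required`, would make the privilege reviewable.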
@@ -1237,9 +1448,9 @@
 +	allow $1 unconfined_t:dbus acquire_svc;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.39/policy/modules/system/unconfined.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.40/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/unconfined.te	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/unconfined.te	2006-05-16 17:11:10.000000000 -0400
 @@ -65,6 +65,10 @@
  	')
  
@@ -1251,7 +1462,18 @@
  		init_dbus_chat_script(unconfined_t)
  
  		dbus_stub(unconfined_t)
-@@ -115,6 +119,10 @@
+@@ -103,6 +107,10 @@
+ 	')
+ 
+ 	optional_policy(`
++		unconfined_execmem_domtrans(unconfined_t)
++	')
++
++	optional_policy(`
+ 		lpd_domtrans_checkpc(unconfined_t)
+ 	')
+ 
+@@ -115,6 +123,10 @@
  	')
  
  	optional_policy(`
@@ -1262,9 +1484,9 @@
  		portmap_domtrans_helper(unconfined_t)
  	')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.39/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.40/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-05-03 11:38:54.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/userdomain.if	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/userdomain.if	2006-05-16 16:52:56.000000000 -0400
 @@ -4794,3 +4794,26 @@
  	allow $1 user_home_dir_t:dir create_dir_perms;
  	files_home_filetrans($1,user_home_dir_t,dir)
@@ -1292,9 +1514,9 @@
 +	allow $1 user_home_t:file r_file_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.39/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te	2006-05-05 09:51:43.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/userdomain.te	2006-05-15 11:10:54.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.40/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/userdomain.te	2006-05-16 16:13:10.000000000 -0400
 @@ -6,6 +6,7 @@
  
  	ifdef(`enable_mls',`
@@ -1331,11 +1553,15 @@
  	')
  
  	optional_policy(`
-@@ -128,8 +132,19 @@
+@@ -127,9 +131,22 @@
+ 	role_change(staff, sysadm)
  
  	ifdef(`enable_mls',`
- 		admin_user_template(secadm)
-+		admin_user_template(auditadm)
+-		admin_user_template(secadm)
++#		admin_user_template(secadm)
++#		admin_user_template(auditadm)
++		unpriv_user_template(secadm)
++		unpriv_user_template(auditadm)
 +
 +		role_change(staff,auditadm)
  		role_change(staff,secadm)
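Review bot: The two `#		admin_user_template(...)` lines left behind in userdomain.te are dead code; moving secadm and auditadm from `admin_user_template` to `unpriv_user_template` changes how these roles are built, and a comment stating the reason would serve the next reader better than the commented-out calls, e.g. `# secadm/auditadm are built from the unprivileged template; their admin rights are granted explicitly below`. The enclosing ifdef(`enable_mls') block continues past the hunk.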
@@ -1351,16 +1577,28 @@
  	')
  
  	# this should be tunable_policy, but
-@@ -179,12 +194,21 @@
+@@ -174,17 +191,32 @@
+ 	ifdef(`enable_mls',`
+ 		corecmd_exec_shell(secadm_t)
+ 		mls_process_read_up(secadm_t)
++		mls_file_read_up(secadm_t)
+ 		mls_file_write_down(secadm_t)
+ 		mls_file_upgrade(secadm_t)
  		mls_file_downgrade(secadm_t)
  		init_exec(secadm_t)
  		logging_read_audit_log(secadm_t)
 -		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
  		userdom_dontaudit_append_staff_home_content_files(secadm_t)
- 		files_relabel_all_files(secadm_t)
+-		files_relabel_all_files(secadm_t)
++	        auth_relabel_all_files_except_shadow(secadm_t)
  		auth_relabel_shadow(secadm_t)
++		domain_obj_id_change_exemption(secadm_t)
++	        logging_read_generic_logs(secadm_t)
 +
++		domain_kill_all_domains(auditadm_t)
++	        seutil_read_bin_policy(auditadm_t)
 +		corecmd_exec_shell(auditadm_t)
++	        logging_read_generic_logs(auditadm_t)
 +		logging_manage_audit_log(auditadm_t)
 +		logging_manage_audit_config(auditadm_t)
 +		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
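Review bot: Four of the added lines in the enable_mls block of userdomain.te (`auth_relabel_all_files_except_shadow(secadm_t)`, `logging_read_generic_logs(secadm_t)`, `seutil_read_bin_policy(auditadm_t)`, `logging_read_generic_logs(auditadm_t)`) are indented with a tab followed by eight spaces while their neighbours use two tabs; normalise to tabs. `domain_obj_id_change_exemption(secadm_t)` and `domain_kill_all_domains(auditadm_t)` are broad grants added without any comment; a one-line note on each naming the tool that exercises it would make the privilege reviewable. The block continues outside the hunk.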
@@ -1375,7 +1613,7 @@
  		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
  	')
  
-@@ -236,10 +260,19 @@
+@@ -240,10 +272,19 @@
  	')
  
  	optional_policy(`
@@ -1395,7 +1633,7 @@
  		')
  	')
  
-@@ -258,6 +291,7 @@
+@@ -262,6 +303,7 @@
  
  		ifdef(`enable_mls',`
  			dmesg_exec(secadm_t)
@@ -1403,9 +1641,96 @@
  		')
  	')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.39/policy/rolemap
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.40/policy/modules/system/xen.fc
+--- nsaserefpolicy/policy/modules/system/xen.fc	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.fc	2006-05-16 10:16:11.000000000 -0400
+@@ -13,5 +13,6 @@
+ 
+ /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+ /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
++/var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+ /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.40/policy/modules/system/xen.if
+--- nsaserefpolicy/policy/modules/system/xen.if	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.if	2006-05-16 10:16:11.000000000 -0400
+@@ -127,3 +127,4 @@
+ 	allow xm_t:$1:fifo_file rw_file_perms;
+ 	allow xm_t $1:process sigchld;
+ ')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.40/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.te	2006-05-16 10:16:11.000000000 -0400
+@@ -77,7 +77,7 @@
+ # pid file
+ allow xend_t xend_var_run_t:file manage_file_perms;
+ allow xend_t xend_var_run_t:sock_file manage_file_perms;
+-allow xend_t xend_var_run_t:dir rw_dir_perms;
++allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
+ files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
+ 
+ # log files
+@@ -92,6 +92,10 @@
+ allow xend_t xend_var_lib_t:dir create_dir_perms;
+ files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
+ 
++optional_policy(`
++	consoletype_domtrans(xend_t)
++')
++
+ # transition to store
+ domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+ allow xenstored_t xend_t:fd use;
+@@ -153,8 +157,6 @@
+ sysnet_delete_dhcpc_pid(xend_t)
+ sysnet_read_dhcpc_pid(xend_t)
+ 
+-consoletype_exec(xend_t)
+-
+ xen_stream_connect_xenstore(xend_t)
+ 
+ ########################################
+@@ -180,6 +182,7 @@
+ 
+ term_create_pty(xenconsoled_t,xen_devpts_t);
+ term_dontaudit_use_generic_ptys(xenconsoled_t)
++term_use_console(xenconsoled_t)
+ 
+ init_use_fds(xenconsoled_t)
+ 
+@@ -198,6 +201,7 @@
+ 
+ allow xenstored_t self:capability { dac_override mknod ipc_lock };
+ allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
++allow xenstored_t self:unix_dgram_socket create_socket_perms;
+ 
+ # pid file
+ allow xenstored_t xenstored_var_run_t:file manage_file_perms;
+@@ -220,12 +224,15 @@
+ dev_rw_xen(xenstored_t)
+ 
+ term_dontaudit_use_generic_ptys(xenstored_t)
++term_dontaudit_use_console(xenconsoled_t)
+ 
+ init_use_fds(xenstored_t)
+ 
+ libs_use_ld_so(xenstored_t)
+ libs_use_shared_libs(xenstored_t)
+ 
++logging_send_syslog_msg(xenstored_t)
++
+ miscfiles_read_localization(xenstored_t)
+ 
+ xen_append_log(xenstored_t)
+@@ -263,3 +270,4 @@
+ xen_append_log(xm_t)
+ xen_stream_connect(xm_t)
+ xen_stream_connect_xenstore(xm_t)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.40/policy/rolemap
 --- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.39/policy/rolemap	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/rolemap	2006-05-16 10:16:11.000000000 -0400
 @@ -15,5 +15,6 @@
  
  	ifdef(`enable_mls',`
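Review bot: In the xenstored_t section of xen.te (the inner hunk `@@ -220,12 +224,15 @@`, between `term_dontaudit_use_generic_ptys(xenstored_t)` and `init_use_fds(xenstored_t)`) the added line is `term_dontaudit_use_console(xenconsoled_t)`; every rule around it targets xenstored_t, and xenconsoled_t is already granted `term_use_console` earlier in this same file, which makes a dontaudit for that domain redundant. This looks like a copy-paste slip and the intended line is probably `term_dontaudit_use_console(xenstored_t)`. Separately, the new `/var/run/xend(/.*)?` context in xen.fc labels the directory xend_var_run_t, but `files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })` still lists only file and sock_file, so a directory xend creates at runtime would not receive that type until a relabel; if xend does create it, `dir` belongs in that list — confirm with the daemon's behaviour.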
@@ -1413,9 +1738,9 @@
 +		auditadm_r auditadm auditadm_t
  	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.39/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.40/policy/users
 --- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.39/policy/users	2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/users	2006-05-16 10:16:11.000000000 -0400
 @@ -29,7 +29,7 @@
  gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
  ',`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.192
retrieving revision 1.193
diff -u -r1.192 -r1.193
--- selinux-policy.spec	15 May 2006 20:48:00 -0000	1.192
+++ selinux-policy.spec	17 May 2006 00:48:04 -0000	1.193
@@ -15,8 +15,8 @@
 %define CHECKPOLICYVER 1.30.1-2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.39
-Release: 2
+Version: 2.2.40
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -335,6 +335,9 @@
 %endif
 
 %changelog
+* Tue May 16 2006 Dan Walsh <dwalsh at redhat.com> 2.2.40-1
+- Update from upstream
+
 * Mon May 15 2006 Dan Walsh <dwalsh at redhat.com> 2.2.39-2
 - Fixes for amavis
 



