rpms/selinux-policy/devel policy-20081111.patch, 1.9, 1.10 selinux-policy.spec, 1.752, 1.753

Daniel J Walsh dwalsh at fedoraproject.org
Mon Dec 8 16:38:39 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv765

Modified Files:
	policy-20081111.patch selinux-policy.spec 
Log Message:
* Thu Dec 4 2008 Dan Walsh <dwalsh at redhat.com> 3.6.1-7
- Allow iptables to talk to terminals
- Fixes for policy kit
- lots of fixes for booting. 


policy-20081111.patch:

Index: policy-20081111.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20081111.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20081111.patch	4 Dec 2008 21:43:54 -0000	1.9
+++ policy-20081111.patch	8 Dec 2008 16:38:09 -0000	1.10
@@ -1,82 +1,3 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.1/Makefile
---- nsaserefpolicy/Makefile	2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.1/Makefile	2008-11-25 09:45:43.000000000 -0500
-@@ -315,20 +315,22 @@
- 
- # parse-rolemap modulename,outputfile
- define parse-rolemap
--	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
--		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+	echo "" >> $2
-+#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
- 
- # perrole-expansion modulename,outputfile
- define perrole-expansion
--	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
--	$(call parse-rolemap,$1,$2)
--	$(verbose) echo "')" >> $2
--
--	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
--	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
--	$(call parse-rolemap-compat,$1,$2)
--	$(verbose) echo "')" >> $2
-+	echo "No longer doing perrole-expansion"
-+#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+#	$(call parse-rolemap,$1,$2)
-+#	$(verbose) echo "')" >> $2
-+
-+#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+#	$(call parse-rolemap-compat,$1,$2)
-+#	$(verbose) echo "')" >> $2
- endef
- 
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -527,6 +529,10 @@
- 	@mkdir -p $(appdir)/users
- 	$(verbose) $(INSTALL) -m 644 $^ $@
- 
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+	@mkdir -p $(appdir)
-+	$(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- 	@mkdir -p $(appdir)
- 	$(verbose) $(INSTALL) -m 644 $< $@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.1/Rules.modular
---- nsaserefpolicy/Rules.modular	2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.1/Rules.modular	2008-11-25 09:45:43.000000000 -0500
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- 	@echo "Compliling $(NAME) $(@F) module"
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
--	$(call perrole-expansion,$(basename $(@F)),$@.role)
--	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+#	$(call perrole-expansion,$(basename $(@F)),$@.role)
-+	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
- 
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- 	$(verbose) $(genperm) $(avs) $(secclass) > $@
--	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
- 
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -146,7 +146,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- 	$(verbose) echo "" > $@
--	$(call parse-rolemap,base,$@)
-+#	$(call parse-rolemap,base,$@)
- 
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.1/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2008-11-11 16:13:50.000000000 -0500
 +++ serefpolicy-3.6.1/config/appconfig-mcs/default_contexts	2008-11-25 09:45:43.000000000 -0500
@@ -176,6 +97,12 @@
 +system_r:initrc_su_t:s0		unconfined_r:unconfined_t:s0
 +unconfined_r:unconfined_t:s0	unconfined_r:unconfined_t:s0
  system_r:xdm_t:s0		unconfined_r:unconfined_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context
+--- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2008-08-07 11:15:14.000000000 -0400
++++ serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context	2008-11-25 09:45:43.000000000 -0500
+@@ -1 +1 @@
+-system_u:sysadm_r:sysadm_t:s0
++system_u:system_r:unconfined_t:s0	
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.1/config/appconfig-mcs/user_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts	2008-11-11 16:13:50.000000000 -0500
 +++ serefpolicy-3.6.1/config/appconfig-mcs/user_u_default_contexts	2008-11-25 09:45:43.000000000 -0500
@@ -191,12 +118,6 @@
 -
 +system_r:initrc_su_t:s0		user_r:user_t:s0
 +user_r:user_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context
---- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.1/config/appconfig-mcs/userhelper_context	2008-11-25 09:45:43.000000000 -0500
-@@ -1 +1 @@
--system_u:sysadm_r:sysadm_t:s0
-+system_u:system_r:unconfined_t:s0	
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.1/config/appconfig-mcs/xguest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.1/config/appconfig-mcs/xguest_u_default_contexts	2008-11-25 09:45:43.000000000 -0500
@@ -272,6 +193,53 @@
 +system_r:xdm_t		xguest_r:xguest_t:s0
 +system_r:initrc_su_t:s0	xguest_r:xguest_t:s0
 +xguest_r:xguest_t:s0	xguest_r:xguest_t:s0
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.1/Makefile
+--- nsaserefpolicy/Makefile	2008-11-11 16:13:50.000000000 -0500
++++ serefpolicy-3.6.1/Makefile	2008-11-25 09:45:43.000000000 -0500
+@@ -315,20 +315,22 @@
+ 
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++	echo "" >> $2
++#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+ 
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+-	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+-	$(call parse-rolemap,$1,$2)
+-	$(verbose) echo "')" >> $2
+-
+-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+-	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+-	$(call parse-rolemap-compat,$1,$2)
+-	$(verbose) echo "')" >> $2
++	echo "No longer doing perrole-expansion"
++#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++#	$(call parse-rolemap,$1,$2)
++#	$(verbose) echo "')" >> $2
++
++#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++#	$(call parse-rolemap-compat,$1,$2)
++#	$(verbose) echo "')" >> $2
+ endef
+ 
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -527,6 +529,10 @@
+ 	@mkdir -p $(appdir)/users
+ 	$(verbose) $(INSTALL) -m 644 $^ $@
+ 
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++	@mkdir -p $(appdir)
++	$(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ 	@mkdir -p $(appdir)
+ 	$(verbose) $(INSTALL) -m 644 $< $@
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.1/man/man8/samba_selinux.8
 --- nsaserefpolicy/man/man8/samba_selinux.8	2008-08-07 11:15:14.000000000 -0400
 +++ serefpolicy-3.6.1/man/man8/samba_selinux.8	2008-11-25 09:45:43.000000000 -0500
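Review bot: In the Makefile section carried by this hunk, the disabled recipe lines stay inside the `define parse-rolemap` and `define perrole-expansion` bodies behind a leading `#`, but inside `define` make keeps such lines as part of the variable's value instead of discarding them as comments. If either macro is still called from a recipe, those lines are expanded by make and handed to the shell, and a nested `$(call parse-rolemap-compat,$1,$2)` that expands to several lines would have only its first line commented out. Dropping the dead lines and keeping only the stub, written like the neighbouring recipes as `$(verbose) echo "" >> $2`, would make the intent unambiguous. Whether any caller of these macros remains cannot be seen from this hunk.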
@@ -363,6 +331,18 @@
  logging_send_syslog_msg(certwatch_t)
  
  miscfiles_read_certs(certwatch_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.1/policy/modules/admin/consoletype.te
+--- nsaserefpolicy/policy/modules/admin/consoletype.te	2008-11-11 16:13:49.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/admin/consoletype.te	2008-12-05 09:17:49.000000000 -0500
+@@ -18,7 +18,7 @@
+ # Local declarations
+ #
+ 
+-allow consoletype_t self:capability sys_admin;
++allow consoletype_t self:capability { sys_admin sys_tty_config };
+ allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow consoletype_t self:fd use;
+ allow consoletype_t self:fifo_file rw_fifo_file_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.1/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	2008-11-11 16:13:49.000000000 -0500
 +++ serefpolicy-3.6.1/policy/modules/admin/kismet.te	2008-12-02 11:02:15.000000000 -0500
@@ -1102,7 +1082,7 @@
  		java_domtrans_unconfined(rpm_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.1/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/admin/sudo.if	2008-12-03 14:12:34.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/admin/sudo.if	2008-12-05 14:31:30.000000000 -0500
 @@ -51,7 +51,7 @@
  	#
  
@@ -1137,7 +1117,7 @@
  
  	dev_read_urand($1_sudo_t)
 +	dev_rw_generic_usb_dev($1_sudo_t)
-+	dev_list_sysfs($1_sudo_t)
++	dev_read_sysfs($1_sudo_t)
  
  	fs_search_auto_mountpoints($1_sudo_t)
  	fs_getattr_xattr_fs($1_sudo_t)
@@ -1457,9 +1437,12 @@
 +#/usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.1/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/gnome.if	2008-12-04 13:27:45.000000000 -0500
-@@ -91,3 +91,150 @@
++++ serefpolicy-3.6.1/policy/modules/apps/gnome.if	2008-12-08 10:37:21.000000000 -0500
+@@ -89,5 +89,154 @@
+ 
+ 	allow $1 gnome_home_t:dir manage_dir_perms;
  	allow $1 gnome_home_t:file manage_file_perms;
++	allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
  	userdom_search_user_home_dirs($1)
  ')
 +
@@ -1526,6 +1509,7 @@
 +		type gconf_etc_t;
 +	')
 +
++	allow $1 gconf_etc_t:dir list_dir_perms;
 +	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
 +')
 +
@@ -1651,6 +1635,37 @@
 -/usr/lib/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 +/usr/lib(64)?/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 +/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.1/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if	2008-11-11 16:13:42.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/apps/gpg.if	2008-12-05 10:36:57.000000000 -0500
+@@ -30,7 +30,7 @@
+ 
+ 	# allow ps to show gpg
+ 	ps_process_pattern($2, gpg_t)
+-	allow $2 gpg_t:process signal;
++	allow $2 gpg_t:process { signal sigkill };
+ 
+ 	# communicate with the user 
+ 	allow gpg_helper_t $2:fd use;
+@@ -46,9 +46,17 @@
+ 	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ 	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ 	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+-
+ 	# Transition from the user domain to the agent domain.
+ 	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
++
++	#Leaked File Descriptors
++	dontaudit gpg_t $2:tcp_socket rw_socket_perms;
++	dontaudit gpg_t $2:udp_socket rw_socket_perms;
++	dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
++	dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
++	dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
++
++	userdom_manage_user_home_content_files(gpg_t)
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.1/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2008-11-11 16:13:42.000000000 -0500
 +++ serefpolicy-3.6.1/policy/modules/apps/gpg.te	2008-11-25 09:45:43.000000000 -0500
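Review bot: `userdom_manage_user_home_content_files(gpg_t)` at the end of this template lets gpg_t create, modify and delete every generic user home content file, which is much wider than access to gpg's own key-ring files. The rule references neither `$1` nor `$2`, so it is repeated on every template call and would sit better in gpg.te, ideally behind a boolean or narrowed to what gpg actually has to write. The five `dontaudit gpg_t $2:…` rules under `#Leaked File Descriptors` silence AVC denials for every calling domain, so a comment naming the parent program that leaks the descriptors would help anyone reading audit logs later. The template's opening lines are outside this hunk.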
@@ -2485,8 +2500,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te	2008-12-03 09:00:12.000000000 -0500
-@@ -0,0 +1,273 @@
++++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te	2008-12-05 08:34:32.000000000 -0500
+@@ -0,0 +1,275 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@@ -2553,6 +2568,8 @@
 +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
 +exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
 +manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
 +manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
 +userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
 +userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
@@ -3806,7 +3823,7 @@
 +xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc	2008-11-25 16:31:05.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc	2008-12-05 08:55:39.000000000 -0500
 @@ -128,6 +128,8 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -3829,6 +3846,17 @@
  /usr/local/linuxprinter/filters(/.*)?   gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -221,8 +221,8 @@
+ /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/vmware-tools/sbin64(/.*)?      gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vmware-tools/(s)?bin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vmware-tools/(s)?bin64(/.*)?      gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
 @@ -291,3 +291,12 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
@@ -10168,8 +10196,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/cups.te	2008-12-02 10:19:15.000000000 -0500
-@@ -20,6 +20,12 @@
++++ serefpolicy-3.6.1/policy/modules/services/cups.te	2008-12-05 08:56:46.000000000 -0500
+@@ -20,9 +20,18 @@
  type cupsd_etc_t;
  files_config_file(cupsd_etc_t)
  
@@ -10182,7 +10210,13 @@
  type cupsd_rw_etc_t;
  files_config_file(cupsd_rw_etc_t)
  
-@@ -48,6 +54,10 @@
++type cupsd_lock_t;
++files_lock_file(cupsd_lock_t)
++
+ type cupsd_log_t;
+ logging_log_file(cupsd_log_t)
+ 
+@@ -48,6 +57,10 @@
  type hplip_t;
  type hplip_exec_t;
  init_daemon_domain(hplip_t, hplip_exec_t)
@@ -10193,7 +10227,7 @@
  
  type hplip_etc_t;
  files_config_file(hplip_etc_t)
-@@ -65,6 +75,16 @@
+@@ -65,6 +78,16 @@
  type ptal_var_run_t;
  files_pid_file(ptal_var_run_t)
  
@@ -10210,7 +10244,7 @@
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
  ')
-@@ -79,13 +99,14 @@
+@@ -79,13 +102,14 @@
  #
  
  # /usr/lib/cups/backend/serial needs sys_admin(?!)
@@ -10228,7 +10262,7 @@
  allow cupsd_t self:tcp_socket create_stream_socket_perms;
  allow cupsd_t self:udp_socket create_socket_perms;
  allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -97,6 +118,9 @@
+@@ -97,6 +121,9 @@
  read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  files_search_etc(cupsd_t)
  
@@ -10238,7 +10272,7 @@
  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
  filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-@@ -104,8 +128,8 @@
+@@ -104,8 +131,11 @@
  
  # allow cups to execute its backend scripts
  can_exec(cupsd_t, cupsd_exec_t)
@@ -10246,10 +10280,13 @@
 -allow cupsd_t cupsd_exec_t:lnk_file read;
 +allow cupsd_t cupsd_exec_t:dir search_dir_perms;
 +allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
++
++allow cupsd_t cupsd_lock_t:file manage_file_perms;
++files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
  
  manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
  allow cupsd_t cupsd_log_t:dir setattr;
-@@ -116,13 +140,20 @@
+@@ -116,13 +146,20 @@
  manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
  
@@ -10272,7 +10309,7 @@
  allow cupsd_t hplip_var_run_t:file read_file_perms;
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-@@ -149,44 +180,49 @@
+@@ -149,44 +186,49 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
@@ -10327,7 +10364,7 @@
  files_list_world_readable(cupsd_t)
  files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
-@@ -195,15 +231,16 @@
+@@ -195,15 +237,16 @@
  files_read_var_symlinks(cupsd_t)
  # for /etc/printcap
  files_dontaudit_write_etc_files(cupsd_t)
@@ -10348,7 +10385,7 @@
  auth_use_nsswitch(cupsd_t)
  
  # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-@@ -217,17 +254,21 @@
+@@ -217,17 +260,21 @@
  miscfiles_read_fonts(cupsd_t)
  
  seutil_read_config(cupsd_t)
@@ -10373,7 +10410,7 @@
  ')
  
  optional_policy(`
-@@ -244,8 +285,16 @@
+@@ -244,8 +291,16 @@
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
@@ -10390,7 +10427,7 @@
  ')
  
  optional_policy(`
-@@ -261,6 +310,10 @@
+@@ -261,6 +316,10 @@
  ')
  
  optional_policy(`
@@ -10401,7 +10438,7 @@
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
-@@ -279,7 +332,7 @@
+@@ -279,7 +338,7 @@
  # Cups configuration daemon local policy
  #
  
@@ -10410,7 +10447,7 @@
  dontaudit cupsd_config_t self:capability sys_tty_config;
  allow cupsd_config_t self:process signal_perms;
  allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -311,7 +364,7 @@
+@@ -311,7 +370,7 @@
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
  
  kernel_read_system_state(cupsd_config_t)
@@ -10419,7 +10456,7 @@
  
  corenet_all_recvfrom_unlabeled(cupsd_config_t)
  corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +377,7 @@
+@@ -324,6 +383,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
@@ -10427,7 +10464,7 @@
  
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +395,14 @@
+@@ -341,13 +401,14 @@
  files_read_var_symlinks(cupsd_config_t)
  
  # Alternatives asks for this
@@ -10443,7 +10480,7 @@
  
  seutil_dontaudit_search_config(cupsd_config_t)
  
-@@ -359,14 +414,16 @@
+@@ -359,14 +420,16 @@
  lpd_read_config(cupsd_config_t)
  
  ifdef(`distro_redhat',`
@@ -10462,7 +10499,7 @@
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -382,6 +439,7 @@
+@@ -382,6 +445,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -10470,7 +10507,7 @@
  ')
  
  optional_policy(`
-@@ -491,7 +549,8 @@
+@@ -491,7 +555,8 @@
  allow hplip_t self:udp_socket create_socket_perms;
  allow hplip_t self:rawip_socket create_socket_perms;
  
@@ -10480,7 +10517,7 @@
  
  cups_stream_connect(hplip_t)
  
-@@ -500,6 +559,10 @@
+@@ -500,6 +565,10 @@
  read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  files_search_etc(hplip_t)
  
@@ -10491,7 +10528,7 @@
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
  
-@@ -529,7 +592,8 @@
+@@ -529,7 +598,8 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -10501,7 +10538,7 @@
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +617,9 @@
+@@ -553,7 +623,9 @@
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -10512,7 +10549,7 @@
  
  optional_policy(`
  	dbus_system_bus_client(hplip_t)
-@@ -635,3 +701,39 @@
+@@ -635,3 +707,39 @@
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -10586,8 +10623,25 @@
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.1/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/dbus.if	2008-12-04 13:28:31.000000000 -0500
-@@ -160,6 +160,10 @@
++++ serefpolicy-3.6.1/policy/modules/services/dbus.if	2008-12-05 14:40:52.000000000 -0500
+@@ -44,6 +44,7 @@
+ 
+ 		attribute session_bus_type;
+ 		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
++		type $1_t;
+ 	')
+ 
+ 	##############################
+@@ -91,7 +92,7 @@
+ 	allow $3 $1_dbusd_t:process { sigkill signal };
+ 
+ 	# cjp: this seems very broken
+-	corecmd_bin_domtrans($1_dbusd_t, $3)
++	corecmd_bin_domtrans($1_dbusd_t, $1_t)
+ 	allow $1_dbusd_t $3:process sigkill;
+ 	allow $3 $1_dbusd_t:fd use;
+ 	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+@@ -160,6 +161,10 @@
  	')
  
  	optional_policy(`
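Review bot: `corecmd_bin_domtrans($1_dbusd_t, $1_t)` now targets `$1_t`, but the rules directly below still grant `sigkill`, `fd use` and fifo access against `$3`, so when a caller passes a `$3` other than `$1_t` the transition target and its supporting permissions no longer match. The added `type $1_t;` in `gen_require` also makes the template depend on a type named after the prefix, so the policy will not build for a caller whose prefix has no `$1_t` domain. Either keep `$3` as the target or switch the following `$3` rules to `$1_t` as well. The `# cjp: this seems very broken` comment should then say which domain programs started by the session bus are meant to run in. The template starts and ends outside this hunk.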
@@ -10598,7 +10652,7 @@
  		hal_dbus_chat($1_dbusd_t)
  	')
  
-@@ -185,10 +189,12 @@
+@@ -185,10 +190,12 @@
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -10612,7 +10666,7 @@
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -197,6 +203,10 @@
+@@ -197,6 +204,10 @@
  	files_search_pids($1)
  	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
  	dbus_read_config($1)
@@ -10623,7 +10677,7 @@
  ')
  
  #######################################
-@@ -244,6 +254,35 @@
+@@ -244,6 +255,35 @@
  
  ########################################
  ## <summary>
@@ -10659,7 +10713,7 @@
  ##	Read dbus configuration.
  ## </summary>
  ## <param name="domain">
-@@ -318,3 +357,77 @@
+@@ -318,3 +358,77 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -13223,7 +13277,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.1/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/services/networkmanager.fc	2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/networkmanager.fc	2008-12-05 09:14:39.000000000 -0500
 @@ -1,8 +1,12 @@
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +
@@ -13237,13 +13291,11 @@
  
  /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
  
-@@ -10,3 +14,6 @@
+@@ -10,3 +14,4 @@
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+
-+/usr/libexec/nm-openconnect-service	-- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.1/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2008-09-11 11:28:34.000000000 -0400
 +++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if	2008-11-25 09:45:43.000000000 -0500
@@ -15626,7 +15678,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.1/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/polkit.te	2008-12-04 16:37:06.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/polkit.te	2008-12-08 10:25:12.000000000 -0500
 @@ -0,0 +1,224 @@
 +policy_module(polkit_auth, 1.0.0)
 +
@@ -15747,7 +15799,7 @@
 +')
 +
 +optional_policy(`
-+	dbus_system_domain(polkit_auth_exec_t, polkit_auth_t)
++	dbus_system_domain( polkit_auth_t, polkit_auth_exec_t)
 +
 +	dbus_session_bus_client(polkit_auth_t)
 +
@@ -19811,7 +19863,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/ssh.te	2008-12-04 13:46:29.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/ssh.te	2008-12-05 10:40:21.000000000 -0500
 @@ -75,7 +75,7 @@
  ubac_constrained(ssh_tmpfs_t)
  
@@ -19821,6 +19873,15 @@
  typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  files_type(home_ssh_t)
  userdom_user_home_content(home_ssh_t)
+@@ -95,7 +95,7 @@
+ allow ssh_t self:sem create_sem_perms;
+ allow ssh_t self:msgq create_msgq_perms;
+ allow ssh_t self:msg { send receive };
+-allow ssh_t self:tcp_socket create_socket_perms;
++allow ssh_t self:tcp_socket create_stream_socket_perms;
+ allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ # Read the ssh key file.
 @@ -115,6 +115,7 @@
  manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
  manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
@@ -19829,7 +19890,24 @@
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -318,6 +319,9 @@
+@@ -139,6 +140,8 @@
+ corenet_tcp_sendrecv_all_ports(ssh_t)
+ corenet_tcp_connect_ssh_port(ssh_t)
+ corenet_sendrecv_ssh_client_packets(ssh_t)
++corenet_tcp_bind_all_nodes(ssh_t)
++corenet_tcp_bind_all_unreserved_ports(ssh_t)
+ 
+ dev_read_urand(ssh_t)
+ 
+@@ -202,6 +205,7 @@
+ # for port forwarding
+ tunable_policy(`user_tcp_server',`
+ 	corenet_tcp_bind_ssh_port(ssh_t)
++	corenet_tcp_bind_all_nodes(ssh_t)
+ ')
+ 
+ optional_policy(`
+@@ -318,6 +322,9 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
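Review bot: `corenet_tcp_bind_all_nodes(ssh_t)` and `corenet_tcp_bind_all_unreserved_ports(ssh_t)` are added unconditionally, and the preceding hunk widens `allow ssh_t self:tcp_socket` to `create_stream_socket_perms`, which adds listen and accept. Together these let the ssh client listen on any unreserved port whatever the `user_tcp_server` boolean is set to. The tunable block commented `# for port forwarding` now gates only `corenet_tcp_bind_ssh_port(ssh_t)`, and the `corenet_tcp_bind_all_nodes(ssh_t)` added inside it duplicates the unconditional rule. If forwarding listeners are meant to stay switchable, move the two bind rules into the `user_tcp_server` block; otherwise add a comment saying that listening is deliberately always allowed.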
@@ -19839,7 +19917,7 @@
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -331,6 +335,14 @@
+@@ -331,6 +338,14 @@
  ')
  
  optional_policy(`
@@ -19854,7 +19932,7 @@
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -349,7 +361,11 @@
+@@ -349,7 +364,11 @@
  ')
  
  optional_policy(`
@@ -19867,7 +19945,7 @@
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -408,6 +424,8 @@
+@@ -408,6 +427,8 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
@@ -20461,8 +20539,8 @@
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.1/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.fc	2008-11-25 09:45:43.000000000 -0500
-@@ -3,11 +3,13 @@
++++ serefpolicy-3.6.1/policy/modules/services/xserver.fc	2008-12-08 10:44:04.000000000 -0500
+@@ -3,11 +3,14 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
  HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
@@ -20473,10 +20551,11 @@
  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.dmrc			--	gen_context(system_u:object_r:xdm_home_t,s0)
  
  #
  # /dev
-@@ -32,11 +34,6 @@
+@@ -32,11 +35,6 @@
  /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  
@@ -20488,7 +20567,7 @@
  #
  # /opt
  #
-@@ -61,6 +58,7 @@
+@@ -61,6 +59,7 @@
  /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -20496,7 +20575,7 @@
  /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  /usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -89,16 +87,26 @@
+@@ -89,16 +88,26 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -20900,7 +20979,7 @@
  ##	display.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-11-18 18:57:20.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.te	2008-12-03 18:27:33.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/xserver.te	2008-12-08 10:28:07.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -21034,7 +21113,7 @@
  typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
  files_tmpfs_file(xserver_tmpfs_t)
  ubac_constrained(xserver_tmpfs_t)
-@@ -256,6 +275,9 @@
+@@ -256,13 +275,13 @@
  allow xauth_t xauth_home_t:file manage_file_perms;
  userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
  
@@ -21044,7 +21123,14 @@
  manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
  manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
  files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
-@@ -300,13 +322,14 @@
+ 
+-allow xdm_t xauth_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+-
+ domain_use_interactive_fds(xauth_t)
+ 
+ files_read_etc_files(xauth_t)
+@@ -300,13 +319,14 @@
  # XDM Local policy
  #
  
@@ -21062,7 +21148,7 @@
  allow xdm_t self:tcp_socket create_stream_socket_perms;
  allow xdm_t self:udp_socket create_socket_perms;
  allow xdm_t self:socket create_socket_perms;
-@@ -314,6 +337,11 @@
+@@ -314,6 +334,11 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -21070,11 +21156,11 @@
 +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
-+userdom_user_tmp_filetrans(xdm_t, xdm_home_t, file)
++userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -329,6 +357,8 @@
+@@ -329,6 +354,8 @@
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -21083,7 +21169,7 @@
  
  manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-@@ -336,15 +366,30 @@
+@@ -336,15 +363,30 @@
  manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -21116,7 +21202,7 @@
  
  allow xdm_t xserver_t:process signal;
  allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +403,7 @@
+@@ -358,6 +400,7 @@
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -21124,7 +21210,7 @@
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
-@@ -389,11 +435,13 @@
+@@ -389,11 +432,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
@@ -21138,7 +21224,7 @@
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +449,7 @@
+@@ -401,6 +446,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -21146,7 +21232,7 @@
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -413,14 +462,17 @@
+@@ -413,14 +459,17 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -21166,7 +21252,7 @@
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +483,13 @@
+@@ -431,9 +480,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -21180,7 +21266,7 @@
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +498,7 @@
+@@ -442,6 +495,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -21188,7 +21274,7 @@
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +507,7 @@
+@@ -450,6 +504,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -21196,7 +21282,7 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -460,10 +518,10 @@
+@@ -460,10 +515,10 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -21209,7 +21295,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -504,10 +562,12 @@
+@@ -504,10 +559,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -21222,7 +21308,7 @@
  ')
  
  optional_policy(`
-@@ -515,12 +575,35 @@
+@@ -515,12 +572,35 @@
  ')
  
  optional_policy(`
@@ -21258,7 +21344,7 @@
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +625,18 @@
+@@ -542,6 +622,18 @@
  ')
  
  optional_policy(`
@@ -21277,7 +21363,7 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +645,8 @@
+@@ -550,8 +642,8 @@
  ')
  
  optional_policy(`
@@ -21287,7 +21373,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -571,6 +666,10 @@
+@@ -571,6 +663,10 @@
  ')
  
  optional_policy(`
@@ -21298,7 +21384,7 @@
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -635,6 +734,15 @@
+@@ -635,6 +731,15 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -21314,7 +21400,7 @@
  # Create files in /var/log with the xserver_log_t type.
  manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
  logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -682,6 +790,7 @@
+@@ -682,6 +787,7 @@
  dev_rw_input_dev(xserver_t)
  dev_rwx_zero(xserver_t)
  
@@ -21322,7 +21408,7 @@
  domain_mmap_low(xserver_t)
  
  files_read_etc_files(xserver_t)
-@@ -697,6 +806,7 @@
+@@ -697,6 +803,7 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -21330,7 +21416,7 @@
  
  mls_xwin_read_to_clearance(xserver_t)
  
-@@ -806,7 +916,7 @@
+@@ -806,7 +913,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -21339,7 +21425,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +940,10 @@
+@@ -830,6 +937,10 @@
  
  xserver_use_user_fonts(xserver_t)
  
@@ -21350,7 +21436,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +958,14 @@
+@@ -844,11 +955,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -21366,7 +21452,7 @@
  ')
  
  optional_policy(`
-@@ -856,6 +973,11 @@
+@@ -856,6 +970,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -21378,7 +21464,7 @@
  ########################################
  #
  # Rules common to all X window domains
-@@ -972,6 +1094,21 @@
+@@ -972,6 +1091,21 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -21400,7 +21486,7 @@
  ifdef(`TODO',`
  tunable_policy(`allow_polyinstantiation',`
  # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1123,13 @@
+@@ -986,3 +1120,13 @@
  #
  allow xdm_t user_home_type:file unlink;
  ') dnl end TODO
@@ -23398,7 +23484,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.1/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/mount.te	2008-11-27 06:40:08.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/mount.te	2008-12-08 11:14:40.000000000 -0500
 @@ -18,17 +18,18 @@
  init_system_domain(mount_t,mount_exec_t)
  role system_r types mount_t;
@@ -23498,7 +23584,15 @@
  
  auth_use_nsswitch(mount_t)
  
-@@ -133,7 +146,7 @@
+@@ -116,6 +129,7 @@
+ seutil_read_config(mount_t)
+ 
+ userdom_use_all_users_fds(mount_t)
++userdom_manage_user_home_content_dirs(mount_t)
+ 
+ ifdef(`distro_redhat',`
+ 	optional_policy(`
+@@ -133,7 +147,7 @@
  
  tunable_policy(`allow_mount_anyfile',`
  	auth_read_all_dirs_except_shadow(mount_t)
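Review bot: `userdom_manage_user_home_content_dirs(mount_t)` is added unconditionally and without a comment, and by its name it lets mount_t manage directories in every user's home content rather than only mount on them. If the aim is to let a mount helper use a directory under a home directory as a mount point, the grant could be narrowed to search plus mounton, or moved into the allow_mount_anyfile tunable block that follows, so the default policy keeps mount_t out of home directories. At minimum a why-comment is needed, for example `# <helper> creates its mount point under the user's home directory` with the helper named. The enclosing policy section starts and ends outside this hunk.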
@@ -23507,7 +23601,7 @@
  	files_mounton_non_security(mount_t)
  ')
  
-@@ -164,6 +177,8 @@
+@@ -164,6 +178,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -23516,7 +23610,7 @@
  ')
  
  optional_policy(`
-@@ -171,6 +186,15 @@
+@@ -171,6 +187,15 @@
  ')
  
  optional_policy(`
@@ -23532,7 +23626,7 @@
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +202,11 @@
+@@ -178,6 +203,11 @@
  	')
  ')
  
@@ -23544,7 +23638,7 @@
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -185,6 +214,7 @@
+@@ -185,6 +215,7 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -23552,7 +23646,7 @@
  ')
  
  ########################################
-@@ -195,4 +225,26 @@
+@@ -195,4 +226,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -25461,7 +25555,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-04 16:31:37.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-08 11:32:11.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -25642,18 +25736,50 @@
  	')
  ')
  
-@@ -232,7 +246,10 @@
+@@ -220,9 +234,10 @@
+ interface(`userdom_manage_home_role',`
+ 	gen_require(`
+ 		type user_home_t, user_home_dir_t;
++		attribute user_home_type;
+ 	')
+ 
+-	role $1 types { user_home_t user_home_dir_t };
++	role $1 types { user_home_type user_home_dir_t };
+ 
+ 	##############################
+ 	#
+@@ -232,17 +247,20 @@
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
 +	allow $2 user_home_t:dir mounton;
  	allow $2 user_home_t:file entrypoint;
-+
-+	allow $2 user_home_t:dir_file_class_set { relabelto relabelfrom };
- 	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- 	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- 	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-@@ -250,25 +267,23 @@
+-	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+-	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
++
++	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
++	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+ 	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ 	files_list_home($2)
+ 
+@@ -250,25 +268,23 @@
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
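Review bot: The added `allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };` is broader than the `relabel_*_pattern` lines that follow it, because dir_file_class_set in refpolicy also covers chr_file and blk_file. The role domain can therefore relabel device nodes to and from any type carrying user_home_type, not only dirs, files, links, sockets and fifos. With user_home_t replaced by the attribute throughout, and `typeattribute $1  user_home_type;` added to userdom_user_home_content in the hunk at -26491, a user domain can also manage and relabel across every per-application home type, so those types no longer separate content from the user's own processes. If that is intended, state it in a comment above the block; otherwise drop the blanket allow and rely on the five relabel patterns. The interface body continues past the end of this hunk.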
@@ -25683,7 +25809,7 @@
  	')
  ')
  
-@@ -303,6 +318,7 @@
+@@ -303,6 +319,7 @@
  	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
  	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
  	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -25691,7 +25817,7 @@
  ')
  
  #######################################
-@@ -368,46 +384,41 @@
+@@ -368,46 +385,41 @@
  
  #######################################
  ## <summary>
@@ -25713,12 +25839,10 @@
 -	gen_require(`
 -		type $1_t;
 -	')
-+interface(`userdom_basic_networking',`
- 
+-
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
-+	allow $1 self:tcp_socket create_stream_socket_perms;
-+	allow $1 self:udp_socket create_socket_perms;
++interface(`userdom_basic_networking',`
  
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
@@ -25730,7 +25854,9 @@
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
--
++	allow $1 self:tcp_socket create_stream_socket_perms;
++	allow $1 self:udp_socket create_socket_perms;
+ 
 -	corenet_all_recvfrom_labeled($1_t, $1_t)
 +	corenet_all_recvfrom_unlabeled($1)
 +	corenet_all_recvfrom_netlabel($1)
@@ -25758,7 +25884,7 @@
  ')
  
  #######################################
-@@ -420,34 +431,39 @@
+@@ -420,34 +432,39 @@
  ##	is the prefix for user_t).
  ##	</summary>
  ## </param>
@@ -25816,7 +25942,7 @@
  ')
  
  #######################################
-@@ -497,11 +513,7 @@
+@@ -497,11 +514,7 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -25829,7 +25955,7 @@
  
  	##############################
  	#
-@@ -512,189 +524,192 @@
+@@ -512,189 +525,194 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -25847,26 +25973,26 @@
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
+-
+-	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
  
--	corecmd_exec_bin($1_t)
+-	corenet_udp_bind_all_nodes($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	corenet_udp_bind_all_nodes($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	corenet_udp_bind_all_nodes($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
--
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -25976,6 +26102,8 @@
  	optional_policy(`
 -		dbus_system_bus_client($1_t)
 +		dbus_system_bus_client($1_usertype)
++
++		allow $1_usertype $1_usertype:dbus  send_msg;
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
@@ -26065,16 +26193,16 @@
 -			postgresql_stream_connect($1_t)
 -			postgresql_tcp_connect($1_t)
 +			postgresql_stream_connect($1_usertype)
++		')
  		')
++
++	optional_policy(`
++		# to allow monitoring of pcmcia status
++		pcmcia_read_pid($1_usertype)
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
-+		# to allow monitoring of pcmcia status
-+		pcmcia_read_pid($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		pcscd_read_pub_files($1_usertype)
 +		pcscd_stream_connect($1_usertype)
  	')
@@ -26104,25 +26232,25 @@
  ')
  
  #######################################
-@@ -722,15 +737,27 @@
+@@ -722,15 +740,27 @@
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_change_password_template($1)
++
++	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_home_role($1_r, $1_usertype)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_exec_user_tmp_files($1_t)
 -	userdom_exec_user_home_content_files($1_t)
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
++	gen_tunable(allow_$1_exec_content, true)
  
 -	userdom_change_password_template($1)
-+	gen_tunable(allow_$1_exec_content, true)
-+
 +	tunable_policy(`allow_$1_exec_content',`
 +		userdom_exec_user_tmp_files($1_usertype)
 +		userdom_exec_user_home_content_files($1_usertype)
@@ -26138,7 +26266,7 @@
  
  	##############################
  	#
-@@ -746,70 +773,72 @@
+@@ -746,70 +776,72 @@
  
  	allow $1_t self:context contains;
  
@@ -26244,7 +26372,7 @@
  	')
  ')
  
-@@ -846,6 +875,27 @@
+@@ -846,6 +878,28 @@
  	# Local policy
  	#
  
@@ -26256,8 +26384,9 @@
 +	')
 +
 +	optional_policy(`
-+		dbus_role_template($1, $1_r, $1_t)
-+		dbus_system_bus_client($1_t)
++		dbus_role_template($1, $1_r, $1_usertype)
++		dbus_system_bus_client($1_usertype)
++		allow $1_usertype $1_usertype:dbus send_msg;
 +
 +		optional_policy(`
 +			consolekit_dbus_chat($1_usertype)
@@ -26272,7 +26401,7 @@
  	optional_policy(`
  		loadkeys_run($1_t,$1_r)
  	')
-@@ -876,7 +926,7 @@
+@@ -876,7 +930,7 @@
  
  	userdom_restricted_user_template($1)
  
@@ -26281,7 +26410,7 @@
  
  	##############################
  	#
-@@ -884,14 +934,18 @@
+@@ -884,14 +938,18 @@
  	#
  
  	auth_role($1_r, $1_t)
@@ -26305,7 +26434,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +953,24 @@
+@@ -899,28 +957,24 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -26340,7 +26469,7 @@
  	')
  ')
  
-@@ -931,8 +981,7 @@
+@@ -931,8 +985,7 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -26350,7 +26479,7 @@
  ##	</p>
  ##	<p>
  ##	This template creates a user domain, types, and
-@@ -954,8 +1003,8 @@
+@@ -954,8 +1007,8 @@
  	# Declarations
  	#
  
@@ -26360,7 +26489,7 @@
  	userdom_common_user_template($1)
  
  	##############################
-@@ -964,11 +1013,10 @@
+@@ -964,11 +1017,10 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -26373,7 +26502,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,36 +1034,37 @@
+@@ -986,36 +1038,37 @@
  		')
  	')
  
@@ -26424,7 +26553,7 @@
  	')
  ')
  
-@@ -1050,7 +1099,7 @@
+@@ -1050,7 +1103,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -26433,7 +26562,7 @@
  	')
  
  	##############################
-@@ -1059,8 +1108,7 @@
+@@ -1059,8 +1112,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -26443,7 +26572,7 @@
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1131,8 @@
+@@ -1083,7 +1135,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -26453,7 +26582,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1106,8 +1155,6 @@
+@@ -1106,8 +1159,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -26462,7 +26591,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1209,6 @@
+@@ -1162,20 +1213,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -26483,7 +26612,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1254,7 @@
+@@ -1221,6 +1258,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -26491,16 +26620,23 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1291,6 +1325,8 @@
+@@ -1286,11 +1324,15 @@
+ interface(`userdom_user_home_content',`
+ 	gen_require(`
+ 		type user_home_t;
++		attribute user_home_type;
+ 	')
+ 
  	allow $1 user_home_t:filesystem associate;
  	files_type($1)
  	ubac_constrained($1)
 +
 +	files_poly_member($1)
++	typeattribute $1  user_home_type;
  ')
  
  ########################################
-@@ -1387,7 +1423,7 @@
+@@ -1387,7 +1429,7 @@
  
  ########################################
  ## <summary>
@@ -26509,7 +26645,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1456,14 @@
+@@ -1420,6 +1462,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -26524,7 +26660,7 @@
  ')
  
  ########################################
-@@ -1435,9 +1479,11 @@
+@@ -1435,9 +1485,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -26536,7 +26672,7 @@
  ')
  
  ########################################
-@@ -1494,6 +1540,25 @@
+@@ -1494,6 +1546,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -26562,7 +26698,7 @@
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1547,9 +1612,9 @@
+@@ -1547,9 +1618,9 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -26574,7 +26710,7 @@
  ')
  
  ########################################
-@@ -1568,6 +1633,8 @@
+@@ -1568,6 +1639,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -26583,7 +26719,15 @@
  ')
  
  ########################################
-@@ -1741,6 +1808,62 @@
+@@ -1643,6 +1716,7 @@
+ 		type user_home_dir_t, user_home_t;
+ 	')
+ 
++	list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
+ 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ 	files_search_home($1)
+ ')
+@@ -1741,6 +1815,62 @@
  
  ########################################
  ## <summary>
@@ -26646,7 +26790,7 @@
  ##	Execute user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1757,14 +1880,6 @@
+@@ -1757,14 +1887,6 @@
  
  	files_search_home($1)
  	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -26661,7 +26805,7 @@
  ')
  
  ########################################
-@@ -1787,6 +1902,46 @@
+@@ -1787,6 +1909,46 @@
  
  ########################################
  ## <summary>
@@ -26708,7 +26852,7 @@
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2819,6 +2974,24 @@
+@@ -2819,6 +2981,24 @@
  
  ########################################
  ## <summary>
@@ -26733,7 +26877,7 @@
  ##	Do not audit attempts to use user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -2965,6 +3138,24 @@
+@@ -2965,6 +3145,24 @@
  
  ########################################
  ## <summary>
@@ -26758,7 +26902,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3172,263 @@
+@@ -2981,3 +3179,263 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -27024,7 +27168,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.1/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.te	2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.te	2008-12-08 10:35:36.000000000 -0500
 @@ -8,13 +8,6 @@
  
  ## <desc>
@@ -27053,20 +27197,32 @@
  ## Allow user to r/w files on filesystems
  ## that do not have extended attributes (FAT, CDROM, FLOPPY)
  ## </p>
-@@ -58,6 +44,12 @@
- attribute untrusted_content_type;
- attribute untrusted_content_tmp_type;
- 
+@@ -55,8 +41,14 @@
+ # unprivileged user domains
+ attribute unpriv_userdomain;
+ 
+-attribute untrusted_content_type;
+-attribute untrusted_content_tmp_type;
++# unprivileged user domains
++attribute user_home_type;
++
 +type admin_home_t;
 +files_type(admin_home_t)
 +files_associate_tmp(admin_home_t)
 +fs_associate_tmpfs(admin_home_t)
 +files_mountpoint(admin_home_t)
-+
+ 
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
- files_type(user_home_dir_t)
-@@ -95,3 +87,7 @@
+@@ -70,6 +62,7 @@
+ 
+ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
+ typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
++typeattribute user_home_t user_home_type;
+ userdom_user_home_content(user_home_t)
+ fs_associate_tmpfs(user_home_t)
+ files_associate_tmp(user_home_t)
+@@ -95,3 +88,7 @@
  type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
  dev_node(user_tty_device_t)
  ubac_constrained(user_tty_device_t)
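Review bot: The comment over the new attribute is a copy of the one above it: `# unprivileged user domains` now sits on `attribute user_home_type;`, which this patch attaches to file types (user_home_t here, and every type passed to userdom_user_home_content), not to domains. Replace it with `# all types used for content in user home directories`. A reader auditing which rules apply to user_home_type would otherwise be misled about what the attribute groups.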
@@ -27451,6 +27607,38 @@
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.1/Rules.modular
+--- nsaserefpolicy/Rules.modular	2008-11-11 16:13:50.000000000 -0500
++++ serefpolicy-3.6.1/Rules.modular	2008-11-25 09:45:43.000000000 -0500
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ 	@echo "Compliling $(NAME) $(@F) module"
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+-	$(call perrole-expansion,$(basename $(@F)),$@.role)
+-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++#	$(call perrole-expansion,$(basename $(@F)),$@.role)
++	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+ 
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ 	$(verbose) $(genperm) $(avs) $(secclass) > $@
+-	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+ 
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -146,7 +146,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ 	$(verbose) echo "" > $@
+-	$(call parse-rolemap,base,$@)
++#	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.1/support/Makefile.devel
 --- nsaserefpolicy/support/Makefile.devel	2008-11-11 16:13:50.000000000 -0500
 +++ serefpolicy-3.6.1/support/Makefile.devel	2008-11-25 09:45:43.000000000 -0500


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.752
retrieving revision 1.753
diff -u -r1.752 -r1.753
--- selinux-policy.spec	4 Dec 2008 21:43:55 -0000	1.752
+++ selinux-policy.spec	8 Dec 2008 16:38:09 -0000	1.753
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz



