From 3369721b66006339b740f7636446061675e13285 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 23 2008 12:20:17 +0000 Subject: - Apply unconfined_execmem_exec_t to haskell programs --- diff --git a/policy-20071130.patch b/policy-20071130.patch index ad927e9..d011bad 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -21090,8 +21090,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.3.1/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-06-22 20:42:15.000000000 -0400 -@@ -0,0 +1,16 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-06-23 08:14:28.000000000 -0400 +@@ -0,0 +1,17 @@ + +/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0) + 
@@ -21107,13 +21107,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) +/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) +/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) ++ +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-12 23:38:04.000000000 -0400 -@@ -0,0 +1,128 @@ -+ -+## policy for prelude ++++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-23 08:18:35.000000000 -0400 +@@ -0,0 +1,190 @@ ++## Prelude hybrid intrusion detection system + +######################################## +## 
@@ -21127,13 +21127,85 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +# +interface(`prelude_domtrans',` + gen_require(` -+ type prelude_t; -+ type prelude_exec_t; ++ type prelude_t, prelude_exec_t; ++ ') ++ ++ domtrans_pattern($1, prelude_exec_t, prelude_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run prelude_audisp. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`prelude_domtrans_audisp',` ++ gen_require(` ++ type prelude_audisp_t, prelude_audisp_exec_t; + ') + -+ domtrans_pattern($1,prelude_exec_t,prelude_t) ++ domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) +') + ++######################################## ++## ++## Signal the prelude_audisp domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`prelude_signal_audisp',` ++ gen_require(` ++ type prelude_audisp_t; ++ ') ++ ++ allow $1 prelude_audisp_t:process signal; ++') ++ ++######################################## ++## ++## Read the prelude spool files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prelude_read_spool',` ++ gen_require(` ++ type prelude_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, prelude_spool_t, prelude_spool_t) ++') ++ ++######################################## ++## ++## Read/Write to prelude-manager spool files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`prelude_rw_spool',` ++ gen_require(` ++ type prelude_spool_t; ++ ') ++ ++ files_search_spool($1) ++ rw_files_pattern($1, prelude_spool_t, prelude_spool_t) ++') + +######################################## +## 
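Review bot: The parameter documentation on the new prelude_signal_audisp and prelude_rw_spool interfaces reads `Domain allowed to transition.`, copied from prelude_domtrans, but neither interface performs a domain transition — one grants `process signal` on prelude_audisp_t and the other read/write on prelude_spool_t — so the wording used by prelude_read_spool in the same hunk, `Domain allowed access.`, is the accurate one. The same copied text appears on snort_signal in the snort.if hunk later in this patch. It would also help to say in the prelude_rw_spool summary that rw_files_pattern grants read as well as write on the spool, since snort_t is wired to this interface further down and a reviewer of that side needs to know the width of what it gets.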
@@ -21155,6 +21227,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +######################################## +## ++## Execute prelude lml server in the prelude lml domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`prelude_lml_script_domtrans',` ++ gen_require(` ++ type prelude_lml_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,prelude_lml_script_exec_t) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an prelude environment +## 
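Review bot: The summary of the new prelude_lml_script_domtrans, `Execute prelude lml server in the prelude lml domain.`, does not describe what the body does: init_script_domtrans_spec transitions the caller through prelude_lml_script_exec_t into the init-script domain, not into prelude_lml_t, so something like `Execute the prelude-lml init script in the init script domain.` would match the code. The call `init_script_domtrans_spec($1,prelude_lml_script_exec_t)` also drops the space after the comma that every other new call in this patch uses; `init_script_domtrans_spec($1, prelude_lml_script_exec_t)` keeps the style consistent.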
@@ -21177,74 +21267,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +# +interface(`prelude_admin',` + gen_require(` -+ type prelude_t; -+ type prelude_spool_t; -+ type prelude_var_run_t; -+ type prelude_var_lib_t; ++ type prelude_t, prelude_spool_t; ++ type prelude_var_run_t, prelude_var_lib_t; ++ type prelude_audisp_t, prelude_audisp_var_run_t; + type prelude_script_exec_t; -+ type audisp_prelude_t; -+ type audisp_prelude_var_run_t; ++ ++ type prelude_lml_t, prelude_lml_tmp_t; ++ type prelude_lml_var_run_t; ++ type prelude_lml_script_exec_t; + ') + -+ allow $1 prelude_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, prelude_t, prelude_t) -+ -+ allow $1 audisp_prelude_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, audisp_prelude_t, audisp_prelude_t) -+ ++ allow $1 prelude_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, prelude_t) ++ ++ allow $1 prelude_audisp_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, prelude_audisp_t) ++ ++ allow $1 prelude_lml_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, prelude_lml_t) ++ + # Allow prelude_t to restart the apache service + prelude_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 prelude_script_exec_t system_r; + allow $2 system_r; + ++ # Allow prelude_t to restart the apache service ++ prelude_lml_script_domtrans($1) ++ role_transition $2 prelude_lml_script_exec_t system_r; ++ + manage_all_pattern($1, prelude_spool_t) + manage_all_pattern($1, prelude_var_lib_t) + manage_all_pattern($1, prelude_var_run_t) -+ manage_all_pattern($1, audisp_prelude_var_run_t) -+') -+ -+######################################## -+## -+## Execute a domain transition to run audisp_prelude. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`audisp_prelude_domtrans',` -+ gen_require(` -+ type audisp_prelude_t; -+ type audisp_prelude_exec_t; -+ ') -+ -+ domtrans_pattern($1,audisp_prelude_exec_t,audisp_prelude_t) -+') -+ -+######################################## -+## -+## Signal the audisp_prelude domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`audisp_prelude_signal',` -+ gen_require(` -+ type audisp_prelude_t; -+ ') -+ -+ allow $1 audisp_prelude_t:process signal; ++ manage_all_pattern($1, prelude_audisp_var_run_t) ++ manage_all_pattern($1, prelude_lml_tmp_t) ++ manage_all_pattern($1, prelude_lml_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-22 07:53:37.000000000 -0400 -@@ -0,0 +1,246 @@ -+policy_module(prelude,1.0.0) ++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-23 08:14:23.000000000 -0400 +@@ -0,0 +1,244 @@ ++ ++policy_module(prelude, 1.0.0) + +######################################## +# @@ -21253,7 +21317,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +type prelude_t; +type prelude_exec_t; -+domain_type(prelude_t) +init_daemon_domain(prelude_t, prelude_exec_t) + +type prelude_spool_t; 
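Review bot: In the rewritten prelude_admin the comment `# Allow prelude_t to restart the apache service` is kept and then duplicated above the new prelude_lml_script_domtrans call, and it is wrong both times: the rules allow the admin domain $1 to run the prelude and prelude-lml init scripts, and apache is not involved. Suggest `# Allow $1 to run the prelude init script` for the first block and `# Allow $1 to run the prelude-lml init script` for the second. The new `role_transition $2 prelude_lml_script_exec_t system_r;` depends on the `allow $2 system_r;` granted a few lines above in the first block, so the two blocks must stay together if this interface is ever split. The rewritten prelude.te header in this hunk (`+@@ -0,0 +1,244 @@`) also introduces an empty first line before `policy_module(prelude, 1.0.0)`; harmless, but none of the other modules start that way.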
@@ -21268,13 +21331,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +type prelude_script_exec_t; +init_script_type(prelude_script_exec_t) + -+type audisp_prelude_t; -+type audisp_prelude_exec_t; -+domain_type(audisp_prelude_t) -+init_daemon_domain(audisp_prelude_t, audisp_prelude_exec_t) ++type prelude_audisp_t; ++type prelude_audisp_exec_t; ++init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) ++typealias prelude_audisp_t alias audisp_prelude_t; ++typealias prelude_audisp_exec_t alias audisp_prelude_exec_t; + -+type audisp_prelude_var_run_t; -+files_pid_file(audisp_prelude_var_run_t) ++type prelude_audisp_var_run_t; ++files_pid_file(prelude_audisp_var_run_t) ++typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t; + +type prelude_lml_t; +type prelude_lml_exec_t; 
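Review bot: The rename to prelude_audisp_t keeps the old names reachable through `typealias prelude_audisp_t alias audisp_prelude_t;` and the two sibling aliases, so the file context `/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0)` left in prelude.fc still resolves, but it now labels through the alias rather than the canonical type; switching it to prelude_audisp_exec_t would let the aliases be dropped later without breaking relabels. A short comment next to the typealias lines, e.g. `# compatibility aliases for the pre-rename type names`, would make their purpose explicit for whoever eventually removes them.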
@@ -21294,37 +21359,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +# prelude local policy +# + -+# Init script handling -+domain_use_interactive_fds(prelude_t) -+ +allow prelude_t self:capability sys_tty_config; -+ -+# internal communication is often done using fifo and unix sockets. +allow prelude_t self:fifo_file rw_file_perms; +allow prelude_t self:unix_stream_socket create_stream_socket_perms; -+ +allow prelude_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_t self:tcp_socket create_stream_socket_perms; + -+dev_read_rand(prelude_t) -+dev_read_urand(prelude_t) ++manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t) ++manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t) ++files_search_spool(prelude_t) + -+fs_rw_anon_inodefs_files(prelude_t) ++manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) ++manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) ++files_search_var_lib(prelude_t) + +manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +files_pid_filetrans(prelude_t, prelude_var_run_t, file) + ++corecmd_search_bin(prelude_t) ++ ++corenet_all_recvfrom_unlabeled(prelude_t) ++corenet_all_recvfrom_netlabel(prelude_t) ++corenet_tcp_sendrecv_all_if(prelude_t) ++corenet_tcp_sendrecv_all_nodes(prelude_t) ++corenet_tcp_bind_all_nodes(prelude_t) ++corenet_tcp_bind_prelude_port(prelude_t) ++corenet_tcp_connect_prelude_port(prelude_t) ++ ++dev_read_rand(prelude_t) ++dev_read_urand(prelude_t) ++ ++# Init script handling ++domain_use_interactive_fds(prelude_t) ++ +files_read_etc_files(prelude_t) +files_read_usr_files(prelude_t) + -+files_search_var_lib(prelude_t) -+manage_dirs_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t) -+manage_files_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t) -+ -+files_search_spool(prelude_t) 
-+manage_dirs_pattern(prelude_t,prelude_spool_t,prelude_spool_t) -+manage_files_pattern(prelude_t,prelude_spool_t,prelude_spool_t) ++fs_rw_anon_inodefs_files(prelude_t) + +auth_use_nsswitch(prelude_t) + @@ -21336,16 +21408,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +miscfiles_read_localization(prelude_t) + -+corenet_all_recvfrom_unlabeled(prelude_t) -+corenet_all_recvfrom_netlabel(prelude_t) -+corenet_tcp_sendrecv_all_if(prelude_t) -+corenet_tcp_sendrecv_all_nodes(prelude_t) -+corenet_tcp_bind_all_nodes(prelude_t) -+corenet_tcp_bind_prelude_port(prelude_t) -+corenet_tcp_connect_prelude_port(prelude_t) -+ -+corecmd_search_bin(prelude_t) -+ +optional_policy(` + mysql_search_db(prelude_t) + mysql_stream_connect(prelude_t) 
@@ -21357,48 +21419,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +######################################## +# -+# audisp_prelude local policy ++# prelude_audisp local policy +# + -+# Init script handling -+domain_use_interactive_fds(audisp_prelude_t) ++allow prelude_audisp_t self:fifo_file rw_file_perms; ++allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; ++allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; ++allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms; ++allow prelude_audisp_t self:tcp_socket create_socket_perms; + -+# internal communication is often done using fifo and unix sockets. -+allow audisp_prelude_t self:fifo_file rw_file_perms; -+allow audisp_prelude_t self:unix_stream_socket create_stream_socket_perms; -+allow audisp_prelude_t self:netlink_route_socket r_netlink_socket_perms; -+allow audisp_prelude_t self:tcp_socket create_socket_perms; ++manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) ++manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) ++files_search_spool(prelude_audisp_t) + -+manage_sock_files_pattern(audisp_prelude_t, audisp_prelude_var_run_t, audisp_prelude_var_run_t) -+files_pid_filetrans(audisp_prelude_t, audisp_prelude_var_run_t, sock_file) ++manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t) ++files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file) + -+dev_read_rand(audisp_prelude_t) -+dev_read_urand(audisp_prelude_t) ++corecmd_search_bin(prelude_audisp_t) + -+files_read_etc_files(audisp_prelude_t) ++corenet_all_recvfrom_unlabeled(prelude_audisp_t) ++corenet_all_recvfrom_netlabel(prelude_audisp_t) ++corenet_tcp_sendrecv_all_if(prelude_audisp_t) ++corenet_tcp_sendrecv_all_nodes(prelude_audisp_t) ++corenet_tcp_bind_all_nodes(prelude_audisp_t) ++corenet_tcp_connect_prelude_port(prelude_audisp_t) + 
-+libs_use_ld_so(audisp_prelude_t) -+libs_use_shared_libs(audisp_prelude_t) ++dev_read_rand(prelude_audisp_t) ++dev_read_urand(prelude_audisp_t) + -+logging_send_syslog_msg(audisp_prelude_t) ++# Init script handling ++domain_use_interactive_fds(prelude_audisp_t) + -+miscfiles_read_localization(audisp_prelude_t) ++files_read_etc_files(prelude_audisp_t) + -+corecmd_search_bin(audisp_prelude_t) -+allow audisp_prelude_t self:unix_dgram_socket create_socket_perms; ++libs_use_ld_so(prelude_audisp_t) ++libs_use_shared_libs(prelude_audisp_t) + -+logging_audisp_system_domain(audisp_prelude_t, audisp_prelude_exec_t) ++logging_send_syslog_msg(prelude_audisp_t) + -+files_search_spool(audisp_prelude_t) -+manage_dirs_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t) -+manage_files_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t) ++miscfiles_read_localization(prelude_audisp_t) + -+corenet_all_recvfrom_unlabeled(audisp_prelude_t) -+corenet_all_recvfrom_netlabel(audisp_prelude_t) -+corenet_tcp_sendrecv_all_if(audisp_prelude_t) -+corenet_tcp_sendrecv_all_nodes(audisp_prelude_t) -+corenet_tcp_bind_all_nodes(audisp_prelude_t) -+corenet_tcp_connect_prelude_port(audisp_prelude_t) ++logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t) + +######################################## +# 
@@ -24518,11 +24579,135 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.3.1/policy/modules/services/snort.fc +--- nsaserefpolicy/policy/modules/services/snort.fc 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/snort.fc 2008-06-23 08:04:51.000000000 -0400 +@@ -1,6 +1,10 @@ ++/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) ++/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) + +-/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) ++/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) + +-/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) ++/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) + +-/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) ++/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) ++ ++/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.3.1/policy/modules/services/snort.if +--- nsaserefpolicy/policy/modules/services/snort.if 2008-06-12 23:38:02.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/snort.if 2008-06-23 08:04:54.000000000 -0400 +@@ -1 +1,95 @@ +-## Snort network intrusion detection system ++## SELinux policy for Snort IDS ++## ++##

++## Applies SELinux security to Snort IDS ++##

++##
++ ++######################################## ++## ++## Execute a domain transition to run snort. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`snort_domtrans',` ++ gen_require(` ++ type snort_t, snort_exec_t; ++ ') ++ ++ domtrans_pattern($1, snort_exec_t, snort_t) ++') ++ ++######################################## ++## ++## Execute snort IDS in the snort domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`snort_script_domtrans',` ++ gen_require(` ++ type snort_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1, snort_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an snort environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`snort_admin',` ++ gen_require(` ++ type snort_t, snort_var_run_t, snort_script_exec_t, snort_etc_t, snort_log_t; ++ ') ++ ++ allow $1 snort_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, snort_t, snort_t) ++ ++ manage_all_pattern($1, snort_etc_t) ++ manage_all_pattern($1, snort_var_run_t) ++ manage_all_pattern($1, snort_log_t) ++') ++ ++######################################## ++## ++## Signal the snort domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`snort_signal',` ++ gen_require(` ++ type snort_t; ++ ') ++ ++ allow $1 snort_t:process signal; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.3.1/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-06-12 23:38:03.000000000 -0400 -@@ -11,7 +11,7 @@ - init_daemon_domain(snort_t,snort_exec_t) ++++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-06-23 08:17:50.000000000 -0400 +@@ -8,10 +8,13 @@ + + type snort_t; + type snort_exec_t; +-init_daemon_domain(snort_t,snort_exec_t) ++init_daemon_domain(snort_t, snort_exec_t) ++ ++type snort_script_exec_t; ++init_script_type(snort_script_exec_t) type snort_etc_t; -files_type(snort_etc_t) 
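Review bot: The new snort_admin requires snort_script_exec_t and documents a role parameter ($2) and a terminal type ($3), but its body never uses any of them: unlike prelude_admin in the same patch there is no `snort_script_domtrans($1)`, `domain_system_change_exemption($1)` or `role_transition $2 snort_script_exec_t system_r;`, so the admin role cannot run the /etc/rc.d/init.d/snortd script that the new snort.fc entry labels. If the init-script transition is intended, those lines plus `allow $2 system_r;` belong above the manage_all_pattern calls; otherwise drop snort_script_exec_t from gen_require and the unused parameters from the documentation. The $2 description `The role to be allowed to manage the syslog domain.` is also copied from another module and should name snort. For consistency with the rewritten prelude_admin, `ps_process_pattern($1, snort_t)` would replace the `getattr` plus `read_files_pattern($1, snort_t, snort_t)` pair.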
@@ -24530,6 +24715,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor type snort_log_t; logging_log_file(snort_log_t) +@@ -65,8 +68,11 @@ + corenet_raw_sendrecv_all_nodes(snort_t) + corenet_tcp_sendrecv_all_ports(snort_t) + corenet_udp_sendrecv_all_ports(snort_t) ++corenet_tcp_connect_prelude_port(snort_t) + + dev_read_sysfs(snort_t) ++dev_read_rand(snort_t) ++dev_read_urand(snort_t) + + domain_use_interactive_fds(snort_t) + +@@ -79,6 +85,8 @@ + libs_use_ld_so(snort_t) + libs_use_shared_libs(snort_t) + ++init_read_utmp(snort_t) ++ + logging_send_syslog_msg(snort_t) + + miscfiles_read_localization(snort_t) +@@ -89,6 +97,10 @@ + userdom_dontaudit_search_sysadm_home_dirs(snort_t) + + optional_policy(` ++ prelude_rw_spool(snort_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(snort_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.3.1/policy/modules/services/soundserver.fc --- nsaserefpolicy/policy/modules/services/soundserver.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/soundserver.fc 2008-06-12 23:38:03.000000000 -0400 @@ -33114,8 +33331,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-06-12 23:38:02.000000000 -0400 -@@ -1,16 +1,18 @@ ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-06-23 06:28:07.000000000 -0400 +@@ -1,16 +1,24 @@ # Add programs here which should not be confined by SELinux # e.g.: -# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) 
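Review bot: `corenet_tcp_connect_prelude_port(snort_t)` is added unconditionally while the matching `prelude_rw_spool(snort_t)` is placed inside optional_policy; the port interface lives in the base corenetwork module so it always compiles, but it only makes sense for the prelude integration, so a comment such as `# snort can forward alerts to a prelude-manager` next to the optional block would record why snort_t may open that port. prelude_rw_spool grants both read and write on prelude_spool_t; if snort only drops messages into the spool, a narrower create/write pattern may suffice — worth confirming against how snort's prelude output is configured, which is not visible here. The snort_t rules this hunk extends begin before the hunk.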
@@ -33140,6 +33357,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/haddock.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/hasktags -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/runghc -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-06-12 23:38:02.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 5cacf30..f05bbbe 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 69%{?dist} +Release: 70%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -385,6 +385,9 @@ exit 0 %endif %changelog +* Mon Jun 23 2008 Dan Walsh 3.3.1-69 +- Apply unconfined_execmem_exec_t to haskell programs + * Sun Jun 22 2008 Dan Walsh 3.3.1-69 - Fix prelude file context
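Review bot: The new file-context regexes are looser than the paths they target: `/usr/bin/haddock.*` matches any regular file whose name merely begins with haddock, and `/usr/libexec/ghc-[^/]+/.*bin` matches every regular file whose name ends in `bin` at any depth below the GHC libexec directory, because `.` also matches `/`. Every match is labeled unconfined_execmem_exec_t, i.e. it runs unconfined and is additionally allowed writable-and-executable memory, so the patterns should be as tight as the installed layout permits — for example `/usr/libexec/ghc-[^/]+/[^/]*bin` if those binaries sit directly in that directory (verify against the ghc package file list). A one-line comment above the group stating why GHC-built programs need execmem (presumably a property of the GHC runtime; confirm) would help whoever next has to widen or narrow the set.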
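Review bot: The new changelog entry `* Mon Jun 23 2008 Dan Walsh 3.3.1-69` carries the old release number while the Release line in the same diff is bumped to `70%{?dist}`; it should read `3.3.1-70`, otherwise the changelog no longer matches the built package version and the usual spec lint checks will flag the mismatch. The preceding entry for Jun 22 already uses 3.3.1-69, so as written the file also lists the same version twice.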