From 6d594365f7b39d2788be2fe6484f05b1af6c9f04 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 17 2008 13:48:11 +0000 Subject: - Allow procmal to signal pyzor --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 861116e..8c59509 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -4147,7 +4147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-12-31 07:13:11.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-01-16 16:09:09.000000000 -0500 @@ -55,6 +55,11 @@ type reserved_port_t, port_type, reserved_port_type; @@ -4182,7 +4182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(innd, tcp,119,s0) network_port(ipp, tcp,631,s0, udp,631,s0) network_port(ircd, tcp,6667,s0) -@@ -108,12 +115,16 @@ +@@ -108,12 +115,17 @@ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) 
@@ -4195,13 +4195,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(monopd, tcp,1234,s0) -network_port(mysqld, tcp,3306,s0) +network_port(msnp, tcp,1863,s0, udp,1863,s0) ++network_port(munin, tcp,4949,s0, udp,4949,s0) +network_port(mythtv, tcp,6543,s0, udp,6543,s0) +network_port(mysqld, tcp,3306,s0, tcp,1186,s0) +portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) network_port(netsupport, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) -@@ -122,6 +133,7 @@ +@@ -122,6 +134,7 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) @@ -4209,7 +4210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) -@@ -141,12 +153,12 @@ +@@ -141,12 +154,12 @@ network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) @@ -4224,7 +4225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -@@ -160,13 +172,19 @@ +@@ -160,13 +173,19 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) 
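Review bot: The new `++network_port(munin, tcp,4949,s0, udp,4949,s0)` reserves UDP 4949 as munin_port_t as well as TCP, but the only consumer this commit adds (`corenet_tcp_connect_munin_port(munin_t)` in the munin.te hunk further down) is TCP-only. If munin-node does not use UDP, trimming the line to `network_port(munin, tcp,4949,s0)` keeps the port type minimal and avoids relabelling a UDP port no domain is allowed to bind. The rest of the hunk is hunk-header renumbering caused by that one inserted line.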
@@ -4684,7 +4685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2008-01-08 06:14:55.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2008-01-16 08:57:05.000000000 -0500 @@ -343,8 +343,7 @@ ######################################## @@ -5064,7 +5065,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4560,6 +4712,8 @@ +@@ -4285,6 +4437,25 @@ + + ######################################## + ## ++## Delete generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_unlink_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ list_dirs_pattern($1,var_t,var_run_t) ++ delete_files_pattern($1,var_run_t,var_run_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to write to daemon runtime data files. + ## + ## +@@ -4560,6 +4731,8 @@ # Need to give access to /selinux/member selinux_compute_member($1) @@ -5073,7 +5100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4582,6 +4736,11 @@ +@@ -4582,6 +4755,11 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -5085,7 +5112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4619,3 +4778,28 @@ +@@ -4619,3 +4797,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') 
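Review bot: The new `files_unlink_generic_pids` interface grants `delete_files_pattern($1,var_run_t,var_run_t)`, i.e. unlink of every generic pid file under /var/run rather than only the caller's own; its first user, `files_unlink_generic_pids(NetworkManager_t)` in the networkmanager.te hunk later in this patch, therefore lets NetworkManager remove any daemon's pid file that still carries var_run_t. If the motivating case is one helper's pid file, giving that file its own type and calling that module's delete-pid interface would confine the privilege to a single file. If the generic interface is intended, its summary should state the breadth so callers see what they are requesting, e.g. `## Delete all generic (var_run_t) process ID files; prefer a per-daemon pid type where one exists.`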
@@ -10298,7 +10325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-11 14:43:25.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-16 06:23:56.000000000 -0500 @@ -1,11 +1,13 @@ -policy_module(mta,1.7.1) @@ -10383,7 +10410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +158,30 @@ +@@ -136,11 +158,33 @@ ') optional_policy(` @@ -10399,6 +10426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') -# should break this up among sections: ++init_stream_connect_script(mailserver_delivery) ++init_rw_script_stream_sockets(mailserver_delivery) ++ +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mailserver_delivery) + fs_manage_cifs_files(mailserver_delivery) 
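Review bot: The two added lines `init_stream_connect_script(mailserver_delivery)` and `init_rw_script_stream_sockets(mailserver_delivery)` grant connect and read/write on init script unix stream sockets to every domain carrying the mailserver_delivery attribute, with no comment saying which delivery agent needed it or why. Because the target is the attribute rather than a single domain, the access also reaches delivery agents that never talk to init scripts. A why-comment above the pair, e.g. `# <which MDA> is invoked from an init script and inherits its stream socket — <AVC reference>`, or narrowing the subject to the one domain that triggered the denial, would make the grant reviewable later. The enclosing mta.te section continues outside the hunk.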
@@ -10415,33 +10445,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +195,4 @@ +@@ -154,3 +198,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.0.8/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/munin.fc 2007-12-26 20:33:19.000000000 -0500 -@@ -6,6 +6,6 @@ ++++ serefpolicy-3.0.8/policy/modules/services/munin.fc 2008-01-16 16:07:35.000000000 -0500 +@@ -6,6 +6,7 @@ /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) +/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) - /var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) ++/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) ++/var/www/html/munin/cgi(/.*)? 
gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/munin.if 2007-12-02 21:15:34.000000000 -0500 -@@ -61,3 +61,21 @@ ++++ serefpolicy-3.0.8/policy/modules/services/munin.if 2008-01-16 16:07:44.000000000 -0500 +@@ -61,3 +61,22 @@ allow $1 munin_var_lib_t:dir search_dir_perms; files_search_var_lib($1) ') + +####################################### +## -+## dontaudit Search munin library directories. ++## Do not audit attempts to search ++## munin library directories. +## +## +## 
@@ -10456,6 +10489,71 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + + dontaudit $1 munin_var_lib_t:dir search_dir_perms; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.0.8/policy/modules/services/munin.te +--- nsaserefpolicy/policy/modules/services/munin.te 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/munin.te 2008-01-16 16:07:27.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(munin,1.3.0) ++policy_module(munin,1.4.0) + + ######################################## + # +@@ -30,21 +30,25 @@ + # Local policy + # + +-allow munin_t self:capability { setgid setuid }; ++allow munin_t self:capability { dac_override setgid setuid }; + dontaudit munin_t self:capability sys_tty_config; + allow munin_t self:process { getsched setsched signal_perms }; + allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; + allow munin_t self:tcp_socket create_stream_socket_perms; + allow munin_t self:udp_socket create_socket_perms; ++allow munin_t self:fifo_file manage_fifo_file_perms; ++ ++can_exec(munin_t, munin_exec_t) + + allow munin_t munin_etc_t:dir list_dir_perms; + read_files_pattern(munin_t,munin_etc_t,munin_etc_t) + read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t) + files_search_etc(munin_t) + +-allow munin_t munin_log_t:file manage_file_perms; +-logging_log_filetrans(munin_t,munin_log_t,file) ++manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) ++manage_files_pattern(munin_t, munin_log_t, munin_log_t) ++logging_log_filetrans(munin_t,munin_log_t,{ file dir }) + + manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t) + manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t) +@@ -73,6 +77,7 @@ + corenet_udp_sendrecv_all_nodes(munin_t) + corenet_tcp_sendrecv_all_ports(munin_t) + corenet_udp_sendrecv_all_ports(munin_t) 
++corenet_tcp_connect_munin_port(munin_t) + + dev_read_sysfs(munin_t) + dev_read_urand(munin_t) +@@ -91,6 +96,7 @@ + + logging_send_syslog_msg(munin_t) + ++miscfiles_read_fonts(munin_t) + miscfiles_read_localization(munin_t) + + sysnet_read_config(munin_t) +@@ -118,3 +124,9 @@ + optional_policy(` + udev_read_db(munin_t) + ') ++ ++#============= http munin policy ============== ++apache_content_template(munin) ++ ++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.0.8/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/mysql.fc 2007-12-02 21:15:34.000000000 -0500 @@ -10789,7 +10887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-12-26 20:31:56.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-01-16 08:25:11.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) 
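Review bot: `++allow munin_t self:capability { dac_override setgid setuid };` adds dac_override, which lets munin_t ignore file mode bits on every object its policy can otherwise reach; in this same hunk the likely trigger is the new write access to munin_log_t directories and to httpd_munin_content_t, which is normally better fixed by correcting the ownership or mode of those directories than by granting the capability. If the denial cannot be avoided, record the path that needed it so the grant can be dropped once packaging is fixed, e.g. `# dac_override: needed for <path from the motivating AVC>`; if only reads are involved, `dac_read_search` is the narrower capability. The added `manage_dirs_pattern`/`manage_files_pattern` on httpd_munin_content_t at the end of the hunk would also benefit from a one-line comment that munin writes its generated HTML and graphs there. The munin.te section is shown in full, so no enclosing block is cut.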
@@ -10819,7 +10917,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -129,15 +135,13 @@ +@@ -82,6 +88,8 @@ + files_read_etc_files(NetworkManager_t) + files_read_etc_runtime_files(NetworkManager_t) + files_read_usr_files(NetworkManager_t) ++files_read_all_pids(NetworkManager_t) ++files_unlink_generic_pids(NetworkManager_t) + + init_read_utmp(NetworkManager_t) + init_domtrans_script(NetworkManager_t) +@@ -129,15 +137,13 @@ ') optional_policy(` @@ -10837,7 +10944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -151,6 +155,8 @@ +@@ -151,6 +157,8 @@ optional_policy(` nscd_socket_use(NetworkManager_t) nscd_signal(NetworkManager_t) @@ -10846,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -162,6 +168,7 @@ +@@ -162,6 +170,7 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) @@ -10854,7 +10961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -173,8 +180,10 @@ +@@ -173,8 +182,10 @@ ') optional_policy(` @@ -12107,7 +12214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2008-01-08 11:06:01.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2008-01-16 15:44:12.000000000 -0500 @@ -30,6 +30,8 @@ allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) 
@@ -12125,16 +12232,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc auth_use_nsswitch(procmail_t) -@@ -65,6 +68,8 @@ +@@ -65,6 +68,9 @@ libs_use_ld_so(procmail_t) libs_use_shared_libs(procmail_t) +logging_send_syslog_msg(procmail_t) ++loggin_search_logs(procmail_t) + miscfiles_read_localization(procmail_t) # only works until we define a different type for maildir -@@ -97,17 +102,20 @@ +@@ -97,21 +103,25 @@ ') optional_policy(` @@ -12157,7 +12265,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -@@ -125,7 +133,13 @@ + pyzor_domtrans(procmail_t) ++ pyzor_signal(procmail_t) + ') + + optional_policy(` +@@ -125,7 +135,13 @@ corenet_udp_bind_generic_port(procmail_t) corenet_dontaudit_udp_bind_all_ports(procmail_t) @@ -17033,7 +17146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-01-15 08:23:50.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-01-16 15:53:47.000000000 -0500 @@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
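Review bot: `++loggin_search_logs(procmail_t)` misspells the interface name; there is no `loggin` module, so m4 leaves the call unexpanded and checkpolicy rejects procmail.te at that line. It should read `logging_search_logs(procmail_t)`, matching the `logging_send_syslog_msg(procmail_t)` call directly above it. The hunk-header renumbering in this hunk (`+@@ -65,6 +68,9 @@` and `+@@ -97,21 +103,25 @@`) already accounts for the added line, so the fix is a rename only.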
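Review bot: `++ pyzor_signal(procmail_t)` in the second procmail.te hunk is the change the subject line describes, but nothing in this patch adds a `pyzor_signal` interface, so it must already exist in pyzor.if for the build to succeed; worth confirming against the pyzor module the tree carries. A short comment on the line naming what procmail signals (`# procmail kills a hung pyzor check`) would document the reason the existing `pyzor_domtrans` no longer sufficed. The `optional_policy(` block this line sits in starts and ends outside the hunk.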
@@ -17091,15 +17204,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -223,6 +234,7 @@ +@@ -223,8 +234,10 @@ /usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Flash plugin, Macromedia +HOME_DIR/\.gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -236,6 +248,8 @@ + /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -236,6 +249,8 @@ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -17108,7 +17224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware -@@ -284,3 +298,14 @@ +@@ -284,3 +299,15 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -17123,6 +17239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + +/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-12-10 16:27:26.000000000 -0500 @@ -18099,7 +18216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/mount.te 2008-01-14 10:34:46.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/mount.te 2008-01-16 10:54:29.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -18182,7 +18299,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. libs_use_ld_so(mount_t) libs_use_shared_libs(mount_t) -@@ -127,10 +141,15 @@ +@@ -118,6 +132,7 @@ + seutil_read_config(mount_t) + + userdom_use_all_users_fds(mount_t) ++userdom_read_sysadm_home_content_files(mount_t) + + ifdef(`distro_redhat',` + optional_policy(` +@@ -127,10 +142,15 @@ ') ') @@ -18199,7 +18324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -159,13 +178,9 @@ +@@ -159,13 +179,9 @@ fs_search_rpc(mount_t) 
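Review bot: `++userdom_read_sysadm_home_content_files(mount_t)` in the mount.te hunk gives mount_t read access to all content in sysadm home directories with no comment on the case it serves. If the intent is mounting image files kept under the administrator's home, a why-comment such as `# allow mounting image files stored in sysadm home directories` would record that, and a dedicated type for such images would be narrower than every file the administrator owns. The surrounding `ifdef(`distro_redhat',` and `optional_policy(` blocks continue outside the hunk.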
@@ -18214,7 +18339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -180,17 +195,18 @@ +@@ -180,17 +196,18 @@ ') ') @@ -18237,7 +18362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -201,4 +217,29 @@ +@@ -201,4 +218,29 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -18894,7 +19019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2008-01-16 08:56:54.000000000 -0500 @@ -145,6 +145,25 @@ ######################################## @@ -19747,7 +19872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-15 13:51:31.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-16 10:54:03.000000000 -0500 @@ -29,8 +29,9 @@ ')