From 9914335e783649a4f1a2c368602bb7fb20548712 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 22 2008 12:09:00 +0000 Subject: - Allow virt to getsched and setsched on qemu - Allow networkmanager to getattr on fixed disk --- diff --git a/policy-20071130.patch b/policy-20071130.patch index b9d2c38..5d36de2 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1443,6 +1443,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.3.1 # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-3.3.1/policy/modules/admin/amanda.fc +--- nsaserefpolicy/policy/modules/admin/amanda.fc 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/amanda.fc 2008-06-22 06:32:54.000000000 -0400 +@@ -3,6 +3,7 @@ + /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) + /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) + /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0) ++/etc/amanda/.*/index(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) + + /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.3.1/policy/modules/admin/amanda.te --- nsaserefpolicy/policy/modules/admin/amanda.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-06-12 23:38:02.000000000 -0400 
@@ -7160,7 +7171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in 2008-06-12 23:38:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in 2008-06-22 07:34:11.000000000 -0400 @@ -1441,10 +1441,11 @@ # interface(`corenet_tcp_bind_all_unreserved_ports',` @@ -8734,8 +8745,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.3.1/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-06-12 23:38:04.000000000 -0400 -@@ -25,6 +25,8 @@ ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-06-22 07:46:16.000000000 -0400 +@@ -21,10 +21,11 @@ + + # Use xattrs for the following filesystem types. + # Requires that a security xattr handler exist for the filesystem. +-fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); 
@@ -8744,7 +8759,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); -@@ -135,6 +137,11 @@ +@@ -74,6 +75,11 @@ + allow cpusetfs_t self:filesystem associate; + genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) + ++type ecryptfs_t; ++fs_noxattr_type(ecryptfs_t) ++files_mountpoint(ecryptfs_t) ++genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) ++ + type eventpollfs_t; + fs_type(eventpollfs_t) + # change to task SID 20060628 +@@ -135,6 +141,11 @@ genfscon squash / gen_context(system_u:object_r:squash_t,s0) files_mountpoint(squash_t) @@ -8756,7 +8783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) -@@ -199,6 +206,7 @@ +@@ -199,6 +210,7 @@ allow fusefs_t fs_t:filesystem associate; genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) @@ -8764,7 +8791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # # iso9660_t is the type for CD filesystems -@@ -231,6 +239,9 @@ +@@ -231,6 +243,9 @@ genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) 
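Review bot: `fs_noxattr_type(ecryptfs_t)` together with the single `genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)` collapses every file on an eCryptfs mount to one label, so any domain allowed at noxattr filesystems sees the entire encrypted tree uniformly instead of through the per-file labels the dropped `fs_use_xattr ecryptfs` line (previous hunk) provided. If this is deliberate, because eCryptfs does not pass security xattrs through usably, a comment above the declaration saying so, e.g. `# ecryptfs does not expose a usable security xattr; label the whole mount`, would keep a later maintainer from reverting it. Without that note the change looks like an accidental loss of labeling granularity for encrypted home directories.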
@@ -9947,7 +9974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-06-12 23:38:03.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-06-22 07:01:55.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10440,15 +10467,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -703,6 +851,7 @@ +@@ -703,6 +851,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) ++ mysql_stream_connect(httpd_suexec_t) ++ mysql_rw_db_sockets(httpd_suexec_t) ++ mysql_read_config(httpd_suexec_t) ') ######################################## -@@ -724,3 +873,60 @@ +@@ -724,3 +876,60 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -11301,7 +11331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.3.1/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/bind.te 2008-06-12 23:38:03.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/bind.te 2008-06-22 07:34:34.000000000 -0400 @@ -53,6 +53,9 @@ init_system_domain(ndc_t,ndc_exec_t) role system_r types ndc_t; 
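Review bot: The three `httpd_suexec_t` rules (`mysql_stream_connect`, `mysql_rw_db_sockets`, `mysql_read_config`) are added inside the `optional_policy(`` block that belongs to the httpd_sys_script_t section, right after the `httpd_enable_homedirs && use_samba_home_dirs` tunable for that domain, so suexec's permissions end up documented under the wrong domain. Move them into the httpd_suexec_t local policy section in their own `optional_policy(`` block and add a one-line comment on why the setuid wrapper itself, rather than the script it launches, needs MySQL socket access. The enclosing optional_policy block starts outside the hunk.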
@@ -11321,6 +11351,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket create_stream_socket_perms; allow named_t self:unix_dgram_socket create_socket_perms; +@@ -113,7 +116,7 @@ + corenet_tcp_bind_all_nodes(named_t) + corenet_udp_bind_all_nodes(named_t) + corenet_tcp_bind_dns_port(named_t) +-corenet_udp_bind_dns_port(named_t) ++corenet_udp_bind_all_ports(named_t) + corenet_tcp_bind_rndc_port(named_t) + corenet_tcp_connect_all_ports(named_t) + corenet_sendrecv_dns_server_packets(named_t) @@ -222,6 +225,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) @@ -18535,7 +18574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-06-12 23:38:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-06-16 07:11:37.000000000 -0400 @@ -13,6 +13,13 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) 
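Review bot: `corenet_udp_bind_all_ports(named_t)` replaces the single DNS-port bind with permission to bind every UDP port, reserved ones included, which is far broader than the source-port randomization BIND presumably needs. Keeping `corenet_udp_bind_dns_port(named_t)` and adding the UDP counterpart of the `corenet_tcp_bind_all_unreserved_ports` interface visible earlier in this patch would cover the ephemeral range without letting named bind ports belonging to other services. A one-line comment stating why the wider bind is required would also help the next reviewer of this domain.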
@@ -18555,7 +18594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; ++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; -allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched signal_perms }; @@ -18589,9 +18628,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw mls_file_read_all_levels(NetworkManager_t) -@@ -84,8 +97,11 @@ +@@ -83,9 +96,14 @@ + files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) ++storage_getattr_fixed_disk_dev(NetworkManager_t) ++ init_read_utmp(NetworkManager_t) +init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) 
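Review bot: `storage_getattr_fixed_disk_dev(NetworkManager_t)` adds a real allow rule for what is most likely an incidental stat of block devices during device enumeration; if no functionality depends on it, the refpolicy convention is `storage_dontaudit_getattr_fixed_disk_dev(NetworkManager_t)`, which silences the denial without widening the domain. The same hunk restores `net_bind_service` to the self:capability set and adds `getcap` to the process permissions with no comment naming the operation that needs them; a short note above each would make the next audit of this domain easier.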
@@ -18601,34 +18643,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -113,6 +129,7 @@ +@@ -113,6 +131,9 @@ userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) # Read gnome-keyring userdom_read_unpriv_users_home_content_files(NetworkManager_t) +userdom_unpriv_users_stream_connect(NetworkManager_t) ++ ++cron_read_system_job_lib_files(NetworkManager_t) optional_policy(` bind_domtrans(NetworkManager_t) -@@ -129,21 +146,25 @@ +@@ -129,21 +150,21 @@ ') optional_policy(` - dbus_system_bus_client_template(NetworkManager,NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) -+ cron_read_system_job_lib_files(NetworkManager_t) ++ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) ') optional_policy(` - howl_signal(NetworkManager_t) -+ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) ++ hal_write_log(NetworkManager_t) ') optional_policy(` - nis_use_ypbind(NetworkManager_t) -+ hal_write_log(NetworkManager_t) -+') -+ -+optional_policy(` + howl_signal(NetworkManager_t) ') 
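Review bot: `cron_read_system_job_lib_files(NetworkManager_t)` is now called unconditionally after `userdom_unpriv_users_stream_connect`, whereas before it sat inside an `optional_policy(`` block; outside optional_policy the cron module becomes a hard link-time dependency of networkmanager, and the policy fails to build on systems without cron. Keep the call but wrap it: `optional_policy(``, `cron_read_system_job_lib_files(NetworkManager_t)`, `')`. A comment on why NetworkManager reads cron job lib files would also help, since the reason is not obvious from the rule.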
@@ -21040,14 +21080,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.3.1/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-06-12 23:38:04.000000000 -0400 -@@ -0,0 +1,13 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-06-22 07:10:13.000000000 -0400 +@@ -0,0 +1,19 @@ + +/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0) + +/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) + -+/etc/rc.d/init.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) ++/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) + +/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) + @@ -21055,6 +21095,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) +/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) +/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) ++/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t ++,s0) ++/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lm ++l_var_run_t,s0) ++/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lm ++l_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-12 23:38:04.000000000 -0400 
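Review bot: The three new prelude-lml file contexts are split across two lines each (`prelude_lml_exec_t` / `,s0)`, `prelude_lm` / `l_var_run_t,s0)`, `prelude_lm` / `l_script_exec_t,s0)`), which leaves every `gen_context()` unterminated and the fragments on their own lines invalid, so the patched prelude.fc will not compile. Each entry must be one line: `/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)`, `/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)`, `/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)`. Grouping them next to the existing prelude-manager entries rather than after the prewikka line would also match the rest of the file.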
@@ -21189,8 +21235,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-12 23:38:04.000000000 -0400 -@@ -0,0 +1,162 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-22 07:53:37.000000000 -0400 +@@ -0,0 +1,246 @@ +policy_module(prelude,1.0.0) + +######################################## @@ -21223,6 +21269,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +type audisp_prelude_var_run_t; +files_pid_file(audisp_prelude_var_run_t) + ++type prelude_lml_t; ++type prelude_lml_exec_t; ++init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) ++ ++type prelude_lml_script_exec_t; ++init_script_type(prelude_lml_script_exec_t) ++ ++type prelude_lml_var_run_t; ++files_pid_file(prelude_lml_var_run_t) ++ ++type prelude_lml_tmp_t; ++files_tmp_file(prelude_lml_tmp_t) ++ +######################################## +# +# prelude local policy 
@@ -21336,6 +21395,74 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +######################################## +# ++# prelude_lml local declarations ++# ++ ++# Init script handling ++# Test me ++domain_use_interactive_fds(prelude_lml_t) ++ ++allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; ++allow prelude_lml_t self:unix_dgram_socket { write create connect }; ++allow prelude_lml_t self:fifo_file rw_fifo_file_perms; ++allow prelude_lml_t self:unix_stream_socket connectto; ++ ++files_list_tmp(prelude_lml_t) ++manage_dirs_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t) ++manage_files_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t) ++files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) ++ ++files_search_spool(prelude_lml_t) ++manage_dirs_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t) ++manage_files_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t) ++ ++files_search_var_lib(prelude_lml_t) ++manage_dirs_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t) ++manage_files_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t) ++ ++manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) ++files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) ++ ++corecmd_search_bin(prelude_lml_t) ++ ++corenet_tcp_sendrecv_generic_if(prelude_lml_t) ++corenet_tcp_sendrecv_all_nodes(prelude_lml_t) ++corenet_tcp_recvfrom_netlabel(prelude_lml_t) ++corenet_tcp_recvfrom_unlabeled(prelude_lml_t) ++corenet_sendrecv_unlabeled_packets(prelude_lml_t) ++corenet_tcp_connect_prelude_port(prelude_lml_t) ++ ++dev_read_rand(prelude_lml_t) ++dev_read_urand(prelude_lml_t) ++ ++files_list_etc(prelude_lml_t) ++files_read_etc_files(prelude_lml_t) ++files_read_etc_runtime_files(prelude_lml_t) ++ ++files_search_spool(prelude_lml_t) ++files_search_usr(prelude_lml_t) ++files_search_var_lib(prelude_lml_t) ++ ++fs_list_inotifyfs(prelude_lml_t) ++ 
++auth_use_nsswitch(prelude_lml_t) ++ ++libs_use_ld_so(prelude_lml_t) ++libs_use_shared_libs(prelude_lml_t) ++libs_exec_lib_files(prelude_lml_t) ++libs_read_lib_files(prelude_lml_t) ++ ++logging_send_syslog_msg(prelude_lml_t) ++logging_read_generic_logs(prelude_lml_t) ++ ++miscfiles_read_localization(prelude_lml_t) ++ ++optional_policy(` ++ apache_read_log(prelude_lml_t) ++') ++ ++######################################## ++# +# prewikka_cgi Declarations +# + @@ -21343,6 +21470,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + apache_content_template(prewikka) + files_read_etc_files(httpd_prewikka_script_t) + ++ auth_use_nsswitch(httpd_prewikka_script_t) ++ ++ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) ++ + optional_policy(` + mysql_search_db(httpd_prewikka_script_t) + mysql_stream_connect(httpd_prewikka_script_t) @@ -21352,7 +21483,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + postgresql_stream_connect(httpd_prewikka_script_t) + ') +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.3.1/policy/modules/services/privoxy.fc --- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-06-12 23:38:03.000000000 -0400 @@ -27837,7 +27967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-06-12 23:38:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-06-14 07:17:28.000000000 -0400 @@ -8,6 +8,14 @@ ## 
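Review bot: The new section header reads `# prelude_lml local declarations` but the block holds the domain's allow rules, so it should be `# prelude_lml local policy` to match the `prelude local policy` header earlier in this file, and the `# Init script handling` / `# Test me` lines above `domain_use_interactive_fds` read as leftover scratch notes that should either state what was verified or be dropped. `files_search_spool(prelude_lml_t)` and `files_search_var_lib(prelude_lml_t)` are each called twice in the block. Separately, `manage_dirs_pattern`/`manage_files_pattern` on prelude_spool_t and prelude_var_lib_t give the log monitor full create, write and delete access over the manager's spool and state; if prelude-lml only needs to queue its own alerts, a dedicated lml spool type would keep a compromised sensor from tampering with prelude_t's data.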
@@ -28141,7 +28271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,22 +385,29 @@ +@@ -256,22 +385,30 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -28156,6 +28286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) ++userdom_dontaudit_read_sysadm_home_sym_links(xdm_t) userdom_create_all_users_keys(xdm_t) # for .dmrc userdom_read_unpriv_users_home_content_files(xdm_t) @@ -28174,7 +28305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -297,14 +433,20 @@ +@@ -297,14 +434,20 @@ # xserver_rw_session_template(xdm,unpriv_userdomain) # dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; # allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; @@ -28196,7 +28327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +454,23 @@ +@@ -312,6 +455,23 @@ ') optional_policy(` @@ -28220,7 +28351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +481,10 @@ +@@ -322,6 +482,10 @@ ') optional_policy(` @@ -28231,7 +28362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +498,11 @@ +@@ -335,6 +499,11 @@ ') optional_policy(` @@ -28243,7 +28374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +511,8 @@ +@@ -343,8 +512,8 @@ ') optional_policy(` 
@@ -28253,7 +28384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +548,7 @@ +@@ -380,7 +549,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -28262,7 +28393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +560,15 @@ +@@ -392,6 +561,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -28278,7 +28409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +581,18 @@ +@@ -404,9 +582,18 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -28297,7 +28428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +606,22 @@ +@@ -420,6 +607,22 @@ ') optional_policy(` @@ -28320,7 +28451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +631,138 @@ +@@ -429,47 +632,138 @@ ') optional_policy(` @@ -28670,7 +28801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.3.1/policy/modules/services/zebra.te --- nsaserefpolicy/policy/modules/services/zebra.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/zebra.te 2008-06-12 23:38:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/zebra.te 2008-06-16 07:15:14.000000000 -0400 
@@ -30,6 +30,9 @@ type zebra_var_run_t; files_pid_file(zebra_var_run_t) @@ -28690,6 +28821,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr allow zebra_t self:file { ioctl read write getattr lock append }; allow zebra_t self:unix_dgram_socket create_socket_perms; allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; +@@ -64,6 +67,7 @@ + files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file }) + + kernel_read_system_state(zebra_t) ++kernel_read_network_state(zebra_t) + kernel_read_kernel_sysctls(zebra_t) + kernel_rw_net_sysctls(zebra_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.3.1/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc 2008-06-12 23:38:02.000000000 -0400 @@ -31286,8 +31425,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-06-12 23:38:02.000000000 -0400 -@@ -0,0 +1,313 @@ ++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-06-22 08:07:19.000000000 -0400 +@@ -0,0 +1,335 @@ + +## policy for qemu + 
@@ -31348,6 +31487,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + +######################################## +## ++## Set the schedule on qemu. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qemu_setsched',` ++ gen_require(` ++ type qemu_t; ++ ') ++ ++ allow $1 qemu_t:process setsched; ++') ++ ++######################################## ++## +## Send a sigill to qemu +## +## @@ -31594,6 +31751,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + ') + + optional_policy(` ++ xen_rw_image_files($1_t) ++ ') ++ ++ optional_policy(` + xserver_stream_connect_xdm_xserver($1_t) + xserver_read_xdm_tmp_files($1_t) + xserver_read_xdm_pid($1_t) @@ -33638,7 +33799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-12 23:38:02.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-14 07:17:14.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -35816,7 +35977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4858,11 @@ +@@ -4644,12 +4858,29 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` 
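Review bot: The summary `## Set the schedule on qemu.` for the new `qemu_setsched` interface is ambiguous about what is granted; the rule is `process setsched`, so `## Set the scheduling policy and priority of qemu processes.` describes it accurately and reads like the sibling interfaces in this file. The rest of the interface follows the file's gen_require/allow pattern and needs no change.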
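Review bot: `xen_rw_image_files($1_t)` inside the qemu per-role template gives every instantiated user qemu domain read and write access to all Xen image files, so one user's VM process appears able to alter another user's disk image; the template otherwise looks designed to keep per-user instances apart. If this access is really needed for non-admin qemu domains, gating it behind a tunable or a per-user image type would preserve that separation, and a comment stating which use case requires it would make the grant reviewable. The enclosing template starts and ends outside the hunk.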
@@ -35829,10 +35990,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dontaudit $1 sysadm_home_t:file read_file_perms; + dontaudit $1 admin_home_t:dir search_dir_perms; + dontaudit $1 admin_home_t:file read_file_perms; ++') ++######################################## ++## ++## Do not audit attempts to read sysadm ++## users home directory sym links. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_sysadm_home_sym_links',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; ') ######################################## -@@ -4676,10 +4889,10 @@ +@@ -4676,10 +4907,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -35845,7 +36024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4907,10 @@ +@@ -4694,10 +4925,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -35858,7 +36037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4925,13 @@ +@@ -4712,13 +4943,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -35876,7 +36055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4967,49 @@ +@@ -4754,11 +4985,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -35927,7 +36106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5029,14 @@ +@@ -4778,6 +5047,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; 
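Review bot: The new `userdom_dontaudit_read_sysadm_home_sym_links` interface is attached directly after the previous interface's closing `')` with no blank line before its `########` header, unlike every other interface in this file; insert the blank line. The summary `## Do not audit attempts to read sysadm` / `## users home directory sym links.` would read better as `## Do not audit attempts to read symlinks in the sysadm home directory.`, which also matches the admin_home_t type it actually uses.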
@@ -35942,7 +36121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5098,26 @@ +@@ -4839,6 +5116,26 @@ ######################################## ## @@ -35969,7 +36148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5138,25 @@ +@@ -4859,6 +5156,25 @@ ######################################## ## @@ -35995,7 +36174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5177,26 @@ +@@ -4879,6 +5195,26 @@ ######################################## ## @@ -36022,7 +36201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5433,7 @@ +@@ -5115,7 +5451,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` 
@@ -36031,25 +36210,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5622,63 @@ +@@ -5304,8 +5640,8 @@ ######################################## ## +-## Create, read, write, and delete directories in +-## unprivileged users home directories. +## append all unprivileged users home directory +## files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5313,19 +5649,26 @@ + ## + ## + # +-interface(`userdom_manage_unpriv_users_home_content_dirs',` +interface(`userdom_append_unpriv_users_home_content_files',` -+ gen_require(` -+ attribute user_home_dir_type, user_home_type; -+ ') -+ -+ files_search_home($1) + gen_require(` + attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) +- manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + allow $1 user_home_type:dir list_dir_perms; + append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + tunable_policy(`use_nfs_home_dirs',` 
@@ -36058,25 +36241,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files($1) + ') -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete files in +-## unprivileged users home directories. +## dontaudit Read all unprivileged users home directory +## files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5333,18 +5676,29 @@ + ## + ## + # +-interface(`userdom_manage_unpriv_users_home_content_files',` +interface(`userdom_dontaudit_read_unpriv_users_home_content_files',` -+ gen_require(` -+ attribute user_home_dir_type, user_home_type; -+ ') -+ -+ files_search_home($1) + gen_require(` + attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) +- manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; + dontaudit $1 user_home_type:file read_lnk_file_perms; 
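Review bot: `dontaudit $1 user_home_type:file read_lnk_file_perms;` in userdom_dontaudit_read_unpriv_users_home_content_files applies symlink permissions to the file class, so symlink reads in user home directories are still audited while the line merely duplicates the file rule above it; it should read `dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;`. The line is carried as context here, so it predates this commit, but it remains in the new version of the interface and the interface is being reshuffled in this very hunk.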
@@ -36088,62 +36275,79 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_read_cifs_files($1) + ') -+') -+ -+######################################## -+## - ## Create, read, write, and delete directories in - ## unprivileged users home directories. - ## -@@ -5509,7 +5884,7 @@ + ') ######################################## ## --## Read and write unprivileged user ttys. -+## Write all unprivileged users files in /tmp +-## Set the attributes of user ptys. ++## Create, read, write, and delete directories in ++## unprivileged users home directories. ## ## ## -@@ -5517,18 +5892,17 @@ +@@ -5352,17 +5706,19 @@ ## ## # --interface(`userdom_use_unpriv_users_ttys',` -+interface(`userdom_manage_unpriv_users_tmp_files',` +-interface(`userdom_setattr_unpriv_users_ptys',` ++interface(`userdom_manage_unpriv_users_home_content_dirs',` gen_require(` -- attribute user_ttynode; -+ type user_tmp_t; +- attribute user_ptynode; ++ attribute user_home_dir_type, user_home_type; ') -- allow $1 user_ttynode:chr_file rw_term_perms; -+ manage_files_pattern($1, user_tmp_t, user_tmp_t) +- allow $1 user_ptynode:chr_file setattr; ++ files_search_home($1) ++ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ') ######################################## ## --## Do not audit attempts to use unprivileged --## user ttys. -+## Write all unprivileged users lnk_files in /tmp +-## Read and write unprivileged user ptys. ++## Create, read, write, and delete files in ++## unprivileged users home directories. 
## ## ## -@@ -5536,9 +5910,46 @@ +@@ -5370,14 +5726,51 @@ ## ## # --interface(`userdom_dontaudit_use_unpriv_users_ttys',` -+interface(`userdom_manage_unpriv_users_tmp_symlinks',` +-interface(`userdom_use_unpriv_users_ptys',` ++interface(`userdom_manage_unpriv_users_home_content_files',` gen_require(` -- attribute user_ttynode; -+ type user_tmp_t; +- attribute user_ptynode; ++ attribute user_home_dir_type, user_home_type; + ') + +- term_search_ptys($1) +- allow $1 user_ptynode:chr_file rw_file_perms; +-') ++ files_search_home($1) ++ manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ++') ++ ++######################################## ++## ++## Set the attributes of user ptys. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_setattr_unpriv_users_ptys',` ++ gen_require(` ++ attribute user_ptynode; + ') + -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ allow $1 user_ptynode:chr_file setattr; +') + +######################################## +## -+## Read and write unprivileged user ttys. ++## Read and write unprivileged user ptys. +## +## +## 
@@ -36151,18 +36355,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_use_unpriv_users_ttys',` ++interface(`userdom_use_unpriv_users_ptys',` + gen_require(` -+ attribute user_ttynode; ++ attribute user_ptynode; + ') + -+ allow $1 user_ttynode:chr_file rw_term_perms; ++ term_search_ptys($1) ++ allow $1 user_ptynode:chr_file rw_file_perms; ++') + + ######################################## + ## +@@ -5509,6 +5902,42 @@ + + ######################################## + ## ++## Write all unprivileged users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_unpriv_users_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## -+## Do not audit attempts to use unprivileged -+## user ttys. ++## Write all unprivileged users lnk_files in /tmp +## +## +## @@ -36170,13 +36396,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_dontaudit_use_unpriv_users_ttys',` ++interface(`userdom_manage_unpriv_users_tmp_symlinks',` + gen_require(` -+ attribute user_ttynode; - ') - - dontaudit $1 user_ttynode:chr_file rw_file_perms; -@@ -5559,7 +5970,7 @@ ++ type user_tmp_t; ++ ') ++ ++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++######################################## ++## + ## Read and write unprivileged user ttys. + ## + ## +@@ -5559,7 +5988,7 @@ attribute userdomain; ') @@ -36185,7 +36418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5674,6 +6085,42 @@ +@@ -5674,6 +6103,42 @@ ######################################## ## 
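Review bot: The summaries `## Write all unprivileged users files in /tmp` and `## Write all unprivileged users lnk_files in /tmp` understate what the new interfaces grant, since `manage_files_pattern` and `manage_lnk_files_pattern` include create, read, write and delete; callers auditing their permissions will be misled. Use `## Create, read, write, and delete all unprivileged users files in /tmp.` and the symlink equivalent, matching the phrasing the home-content manage interfaces in this file already use. Neither interface calls `files_search_tmp($1)`, so a caller without its own /tmp search permission may not reach the files; worth confirming against existing callers before adding it.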
@@ -36228,7 +36461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6151,408 @@ +@@ -5704,3 +6169,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -37306,8 +37539,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-06-14 07:00:58.000000000 -0400 -@@ -0,0 +1,198 @@ ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-06-22 06:50:55.000000000 -0400 +@@ -0,0 +1,199 @@ + +policy_module(virt,1.0.0) + @@ -37484,6 +37717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t + qemu_read_state(virtd_t) + qemu_signal(virtd_t) + qemu_sigkill(virtd_t) ++ qemu_setsched(virtd_t) +') + +optional_policy(` @@ -37508,7 +37742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-06-12 23:38:02.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-06-22 08:04:22.000000000 -0400 @@ -167,11 +167,14 @@ # interface(`xen_stream_connect',`
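Review bot: The commit subject promises getsched and setsched on qemu, but this virt.te hunk adds only `qemu_setsched(virtd_t)` and the qemu.if hunk earlier adds only a setsched interface; unless `qemu_read_state` already covers `process getsched` (its body is not in this patch), virtd will still be denied reading qemu's scheduler settings, which is the usual first step before changing them. Either add a matching `qemu_getsched` interface and call it here, or adjust the subject so it matches what the patch grants.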