From d13b227f2f134aa080a5987ed152f6b1bb7b9262 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 17 2008 21:12:45 +0000 Subject: - Allow sambagui to use nsswitch --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 45ce607..7b7d3ef 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -564,7 +564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_search_spool(logrotate_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.13/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te 2008-11-11 16:22:02.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te 2008-11-17 10:22:55.000000000 -0500 @@ -54,18 +54,19 @@ domain_read_all_domains_state(logwatch_t) @@ -588,7 +588,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -131,4 +132,5 @@ +@@ -87,6 +88,7 @@ + selinux_dontaudit_getattr_dir(logwatch_t) + + sysnet_dns_name_resolve(logwatch_t) ++sysnet_exec_ifconfig(logwatch_t) + + mta_send_mail(logwatch_t) + +@@ -131,4 +133,5 @@ optional_policy(` samba_read_log(logwatch_t) @@ -4997,7 +5005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-14 10:55:17.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-17 15:59:46.000000000 -0500 
@@ -46,6 +46,96 @@ qemu_domtrans($1) role $2 types qemu_t; @@ -5160,7 +5168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a signal to qemu. ## ## -@@ -104,114 +252,194 @@ +@@ -104,114 +252,190 @@ ######################################## ## @@ -5194,10 +5202,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t) + qemu_domtrans($1) + allow qemu_t $3:chr_file rw_file_perms; -+ -+ optional_policy(` -+ samba_domtrans_smb(qemu_t) -+ ') ') ######################################## @@ -5428,7 +5432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-14 10:33:08.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-17 16:00:21.000000000 -0500 @@ -6,6 +6,9 @@ # Declarations # @@ -5542,7 +5546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; -@@ -35,6 +124,26 @@ +@@ -35,6 +124,30 @@ corenet_tcp_connect_all_ports(qemu_t) ') @@ -5555,6 +5559,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ samba_domtrans_smb(qemu_t) ++') ++ ++optional_policy(` + virt_manage_images(qemu_t) +') + 
@@ -6480,8 +6488,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-13 17:54:07.000000000 -0500 -@@ -79,26 +79,31 @@ ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-17 14:37:16.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(corenetwork, 1.10.0) ++policy_module(corenetwork, 1.10.2) + + ######################################## + # +@@ -79,26 +79,30 @@ network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict @@ -6497,7 +6512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(dbskkd, tcp,1178,s0) network_port(dhcpc, udp,68,s0) -network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0) -+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp, 7911,s0) ++network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) 
@@ -6510,10 +6525,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(gopher, tcp,70,s0, udp,70,s0) network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy +portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0) -+ network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) +@@ -109,6 +113,7 @@ + network_port(ipp, tcp,631,s0, udp,631,s0) + network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) + network_port(ircd, tcp,6667,s0) ++network_port(ipmi, udp,623,s0, udp,664,s0) + network_port(isakmp, udp,500,s0) + network_port(iscsi, tcp,3260,s0) + network_port(isns, tcp,3205,s0, udp,3205,s0) @@ -117,6 +122,8 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) @@ -6531,10 +6553,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -136,12 +144,20 @@ +@@ -136,12 +144,21 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) ++network_port(pingd, tcp,9125,s0) +network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) 
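Review bot: The new `network_port(ipmi, udp,623,s0, udp,664,s0)` line is inserted after `ircd`, which breaks the alphabetical order the surrounding `network_port` declarations keep; alphabetically it belongs before `network_port(ipp, tcp,631,s0, udp,631,s0)`. Moving the one line up keeps the table scannable and avoids a duplicate being added later under the sorted position. The enclosing corenetwork.te.in hunk continues in the following hunks on this and the next line.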
@@ -6552,7 +6575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -159,9 +175,10 @@ +@@ -159,9 +176,10 @@ network_port(rwho, udp,513,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) @@ -6564,7 +6587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -170,13 +187,16 @@ +@@ -170,13 +188,16 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -16906,7 +16929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.13/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.if 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/mta.if 2008-11-17 14:03:15.000000000 -0500 @@ -133,6 +133,15 @@ sendmail_create_log($1_mail_t) ') 
@@ -17693,7 +17716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.13/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-11-17 14:48:12.000000000 -0500 @@ -1,8 +1,12 @@ +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + @@ -17707,11 +17730,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) -@@ -10,3 +14,4 @@ +@@ -10,3 +14,5 @@ /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/usr/libexec/nm-openconnect-service -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.13/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if 2008-11-11 16:22:03.000000000 -0500 
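Review bot: The added `/usr/libexec/nm-openconnect-service -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)` labels an executable with the pid-file type used for the `/var/run` entries above it, so the helper would carry a writable runtime-file label instead of an executable type, no domain transition would fire when it is run, and any domain granted manage rights on `NetworkManager_var_run_t` could also overwrite the binary. It should get an exec type — presumably `NetworkManager_exec_t` (visible in the networkmanager.te hunk), or a dedicated type if the openconnect helper is meant to run in its own domain — e.g. `/usr/libexec/nm-openconnect-service -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)`. The entry also belongs with the other `/usr` paths rather than after the `/var/run` block.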
@@ -17742,7 +17766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-11-17 15:44:33.000000000 -0500 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -17807,7 +17831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -119,27 +129,40 @@ +@@ -119,27 +129,41 @@ seutil_read_config(NetworkManager_t) @@ -17820,6 +17844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +sysnet_kill_dhcpc(NetworkManager_t) +sysnet_manage_config(NetworkManager_t) +sysnet_read_dhcp_config(NetworkManager_t) ++sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_read_dhcpc_pid(NetworkManager_t) -sysnet_delete_dhcpc_pid(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -17854,13 +17879,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -151,8 +174,21 @@ +@@ -151,8 +175,25 @@ ') optional_policy(` - dbus_system_bus_client_template(NetworkManager, NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) + dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) ++ ++ optional_policy(` ++ consolekit_dbus_chat(NetworkManager_t) ++ ') +') + +optional_policy(` @@ -17878,7 +17907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -160,23 +196,48 @@ +@@ -160,23 +201,48 @@ ') optional_policy(` 
@@ -17929,7 +17958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -194,7 +255,9 @@ +@@ -194,7 +260,9 @@ optional_policy(` vpn_domtrans(NetworkManager_t) 
@@ -18961,6 +18990,182 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.5.13/policy/modules/services/pingd.fc +--- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pingd.fc 2008-11-17 14:36:38.000000000 -0500 +@@ -0,0 +1,11 @@ ++ ++/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) ++ ++/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) ++ ++/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0) ++ ++/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) ++ ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.5.13/policy/modules/services/pingd.if +--- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pingd.if 2008-11-17 14:36:38.000000000 -0500 +@@ -0,0 +1,99 @@ ++## policy for pingd ++ ++######################################## ++## ++## Execute a domain transition to run pingd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pingd_domtrans',` ++ gen_require(` ++ type pingd_t, pingd_exec_t; ++ ') ++ ++ domtrans_pattern($1,pingd_exec_t,pingd_t) ++') ++ ++####################################### ++## ++## Read pingd etc configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pingd_read_etc',` ++ gen_require(` ++ type pingd_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, pingd_etc_t, pingd_etc_t) ++') ++ ++####################################### ++## ++## Manage pingd etc configuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`pingd_manage_etc',` ++ gen_require(` ++ type pingd_etc_t; ++ ') ++ ++ files_search_etc($1) ++ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) ++ manage_files_pattern($1, pingd_etc_t, pingd_etc_t) ++ ++') ++ ++####################################### ++## ++## All of the rules required to administrate ++## an pingd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the pingd domain. ++## ++## ++## ++# ++interface(`pingd_admin',` ++ gen_require(` ++ type pingd_t, pingd_etc_t; ++ type pingd_initrc_exec_t, pingd_modules_t; ++ ') ++ ++ allow $1 pingd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pingd_t) ++ ++ init_labeled_script_domtrans($1, pingd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 pingd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_etc($1) ++ admin_pattern($1, pingd_etc_t) ++ ++ files_list_usr($1) ++ admin_pattern($1, pingd_modules_t) ++ ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.5.13/policy/modules/services/pingd.te +--- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pingd.te 2008-11-17 14:36:38.000000000 -0500 +@@ -0,0 +1,54 @@ ++policy_module(pingd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type pingd_t; ++type pingd_exec_t; ++init_daemon_domain(pingd_t, pingd_exec_t) ++ ++type pingd_initrc_exec_t; ++init_script_file(pingd_initrc_exec_t) ++ ++# type for config ++type pingd_etc_t; ++files_type(pingd_etc_t); ++ ++# type for pingd modules ++type pingd_modules_t; ++files_type(pingd_modules_t) ++ ++######################################## ++# ++# pingd local policy ++# ++ ++allow pingd_t self:capability net_raw; ++allow pingd_t self:tcp_socket create_stream_socket_perms; ++allow pingd_t 
self:rawip_socket { write read create bind }; ++ ++read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) ++ ++read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) ++mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) ++ ++corenet_raw_bind_all_nodes(pingd_t) ++corenet_tcp_bind_all_nodes(pingd_t) ++corenet_tcp_bind_pingd_port(pingd_t) ++ ++auth_use_nsswitch(pingd_t) ++ ++files_search_usr(pingd_t) ++ ++libs_use_ld_so(pingd_t) ++libs_use_shared_libs(pingd_t) ++miscfiles_read_localization(pingd_t) ++ ++logging_send_syslog_msg(pingd_t) ++ ++permissive pingd_t; ++ ++ ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.5.13/policy/modules/services/pki.fc --- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.13/policy/modules/services/pki.fc 2008-11-13 18:17:36.000000000 -0500 @@ -22022,8 +22227,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.13/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pyzor.te 2008-11-11 16:22:03.000000000 -0500 -@@ -6,6 +6,37 @@ ++++ serefpolicy-3.5.13/policy/modules/services/pyzor.te 2008-11-14 15:44:34.000000000 -0500 +@@ -6,6 +6,38 @@ # Declarations # @@ -22055,13 +22260,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + typealias spamd_var_lib_t alias pyzor_var_lib_t; + typealias spamd_etc_t alias pyzor_etc_t; + typealias spamc_home_t alias pyzor_home_t; ++ typealias spamc_home_t alias user_pyzor_home_t; + +',` + type pyzor_t; type pyzor_exec_t; application_domain(pyzor_t, pyzor_exec_t) -@@ -17,7 +48,7 @@ +@@ -17,7 +49,7 @@ init_daemon_domain(pyzord_t, pyzord_exec_t) type pyzor_etc_t; 
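Review bot: The new pingd.te ends with `permissive pingd_t;`, so none of the rules above it are enforced: a domain granted `allow pingd_t self:capability net_raw;` and `allow pingd_t self:rawip_socket { write read create bind };` runs effectively unconfined for as long as the line stays. If this is deliberate bootstrapping for a brand-new module, a comment stating that and the removal condition, e.g. `# TODO: drop once pingd runs clean under enforcing`, keeps it from being forgotten. Separately, `files_type(pingd_etc_t);` carries a trailing semicolon that the neighbouring `files_type(pingd_modules_t)` does not, so it should read `files_type(pingd_etc_t)`, and `domtrans_pattern($1,pingd_exec_t,pingd_t)` in pingd.if lacks the spaces after commas used by every other pattern call in the module. The pingd .fc/.if/.te hunk begins on an earlier line of this page.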
@@ -22070,7 +22276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type pyzord_log_t; logging_log_file(pyzord_log_t) -@@ -28,6 +59,14 @@ +@@ -28,6 +60,14 @@ type pyzor_var_lib_t; files_type(pyzor_var_lib_t) @@ -22085,7 +22291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Pyzor local policy -@@ -68,6 +107,8 @@ +@@ -68,6 +108,8 @@ miscfiles_read_localization(pyzor_t) @@ -22094,7 +22300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_search_home_dirs(pyzor_t) optional_policy(` -@@ -76,8 +117,13 @@ +@@ -76,8 +118,13 @@ ') optional_policy(` @@ -23644,7 +23850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.13/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sendmail.if 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/sendmail.if 2008-11-17 14:01:56.000000000 -0500 @@ -89,7 +89,7 @@ type sendmail_t; ') @@ -24912,7 +25118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-11-17 14:00:06.000000000 -0500 @@ -21,16 +21,24 @@ gen_tunable(spamd_enable_home_dirs, true) 
@@ -25118,7 +25324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+userdom_user_home_dir_filetrans($1, spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) ++userdom_user_home_dir_filetrans(user, spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) +manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) @@ -26274,7 +26480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-11-17 09:25:42.000000000 -0500 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -26283,6 +26489,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol attribute x_server_domain; class x_drawable all_x_drawable_perms; class x_colormap all_x_colormap_perms; +@@ -99,7 +100,7 @@ + # Labeling rules for default windows and colormaps + type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t; + ifdef(`enable_mls',` +- range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh; ++ range_transition $1_xserver_t $1_xserver_t:x_drawable s0 - mls_systemhigh; + ') + + kernel_read_system_state($1_xserver_t) 
@@ -134,18 +135,24 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) @@ -31233,8 +31448,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-11-13 17:40:46.000000000 -0500 -@@ -553,6 +553,7 @@ ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-11-17 10:48:10.000000000 -0500 +@@ -198,7 +198,25 @@ + type dhcpc_state_t; + ') + +- allow $1 dhcpc_state_t:file { getattr read }; ++ read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ++') ++ ++####################################### ++## ++## Delete the dhcp client state files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`sysnet_delete_dhcpc_state',` ++ gen_require(` ++ type dhcpc_state_t; ++ ') ++ ++ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) + ') + + ####################################### +@@ -553,6 +571,7 @@ type net_conf_t; ') @@ -31242,7 +31484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -569,6 +570,14 @@ +@@ -569,6 +588,14 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -31257,7 +31499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -598,6 +607,8 @@ +@@ -598,6 +625,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; 
@@ -31266,7 +31508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -632,3 +643,49 @@ +@@ -632,3 +661,49 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; ') @@ -32385,7 +32627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-13 14:05:51.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-17 14:00:40.000000000 -0500 @@ -28,10 +28,14 @@ class context contains; ')