From df0091466136296877788aaca9df1d015bfd6a62 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 14 2010 13:17:33 +0000 Subject: - Redefine hi_reserved_port_t to include ports from 512 to 599 - Add label for /sbin/sushell - Fixes for munin plugin policy --- diff --git a/policy-F13.patch b/policy-F13.patch index 8147d33..546fbd4 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -8196,7 +8196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-07-13 09:24:53.135752774 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-07-14 11:26:33.298158993 +0200 @@ -9,8 +9,10 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -8326,7 +8326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-06-14 18:31:28.287218510 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-07-14 11:12:04.568158290 +0200 @@ -25,6 +25,7 @@ # type tun_tap_device_t; 
@@ -8335,6 +8335,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## # +@@ -55,7 +56,7 @@ + type reserved_port_t, port_type, reserved_port_type; + + # +-# hi_reserved_port_t is the type of INET port numbers between 600-1023. ++# hi_reserved_port_t is the type of INET port numbers between 512-1023. + # + type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; + @@ -65,6 +66,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -8465,7 +8474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,13 +226,13 @@ +@@ -201,23 +226,23 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
@@ -8481,6 +8490,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) network_port(zope, tcp,8021,s0) + # Defaults for reserved ports. Earlier portcon entries take precedence; + # these entries just cover any remaining reserved ports not otherwise declared. + +-portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +-portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +-portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0) +-portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0) ++portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) ++portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) ++portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) ++portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) + + ######################################## + # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.m4 +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.m4 2010-07-14 10:38:30.694409837 +0200 +@@ -10,7 +10,7 @@ + # + # return the low port in a range. 
+ # +-# range_start(600) returns "600" ++# range_start(512) returns "512" + # range_start(1200-1600) returns "1200" + # + define(`range_start',`ifelse(-1,index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))') +@@ -80,7 +80,7 @@ + # bindresvport in glibc starts searching for reserved ports at 600 + define(`declare_ports',`dnl + ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type; +-ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl') ++ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl') + ',`dnl') + portcon $2 $3 gen_context(system_u:object_r:$1,$4) + ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.19/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-06-03 09:52:19.227159326 +0200 @@ -13095,11 +13139,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. +gen_user(xguest_u, user, xguest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.fc 2010-06-21 12:38:42.020073987 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.fc 2010-07-14 12:41:50.667159114 +0200 
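Review bot: The rationale comment kept as context in the corenetwork.te.m4 part of this hunk, `# bindresvport in glibc starts searching for reserved ports at 600`, now contradicts the threshold it justifies, which the next lines lower to 512; I would reword it to something like `# rpc_port_type is given to every reserved port >= 512 so it lines up with the 512-1023 hi_reserved_port_t default in corenetwork.te.in` (or state the actual reason 512 was chosen). The new portcon defaults also mean that any port in 512-599 without its own network_port() declaration moves from reserved_port_t to hi_reserved_port_t, and since that type carries rpc_port_type (its declaration is visible in the earlier hunk), domains allowed to bind rpc_port_type or hi_reserved_port_t presumably gain those ports too; explicitly declared ports such as 514/udp keep their own type because, as the hunk's own comment says, earlier portcon entries take precedence. That widening is worth spelling out in the changelog entry, which only says "redefine". The declare_ports macro and the corenetwork.te.in port table both start outside this hunk.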
@@ -1,11 +1,21 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) +-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) - /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/abrtd -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -/usr/sbin/abrt -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) @@ -18826,6 +18871,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.fc serefpolicy-3.7.19/policy/modules/services/cyrus.fc +--- nsaserefpolicy/policy/modules/services/cyrus.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cyrus.fc 2010-07-14 12:43:21.905172641 +0200 +@@ -1,4 +1,4 @@ +-/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/cyrus-imapd -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) + + /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.19/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/cyrus.te 2010-05-28 09:42:00.094610780 +0200 
@@ -19796,7 +19850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-07-08 14:54:56.727152638 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-07-14 14:46:28.086159020 +0200 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -19893,7 +19947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) -@@ -197,8 +214,8 @@ +@@ -197,11 +214,13 @@ files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) @@ -19903,7 +19957,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove init_rw_utmp(dovecot_auth_t) -@@ -225,6 +242,7 @@ ++logging_search_logs(dovecot_auth_t) ++ + miscfiles_read_localization(dovecot_auth_t) + + seutil_dontaudit_search_config(dovecot_auth_t) +@@ -225,6 +244,7 @@ ') optional_policy(` @@ -19911,7 +19970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,18 +252,27 @@ +@@ -234,18 +254,27 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; 
@@ -19935,11 +19994,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove auth_use_nsswitch(dovecot_deliver_t) logging_send_syslog_msg(dovecot_deliver_t) -+logging_search_logs(dovecot_auth_t) ++logging_search_logs(dovecot_deliver_t) miscfiles_read_localization(dovecot_deliver_t) -@@ -263,15 +290,24 @@ +@@ -263,15 +292,24 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` @@ -21566,14 +21625,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.19/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.fc 2010-05-28 09:42:00.120610656 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ldap.fc 2010-07-14 12:46:27.722157993 +0200 @@ -1,6 +1,8 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + -+/etc/rc\.d/init\.d/sldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) 
@@ -22611,7 +22670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.7.19/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-05-28 09:42:00.128610403 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-07-14 11:31:58.190159729 +0200 @@ -43,6 +43,24 @@ files_search_etc($1) ') @@ -22637,7 +22696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ####################################### ## ## Append to the munin log. -@@ -102,6 +120,54 @@ +@@ -102,6 +120,56 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; ') @@ -22667,6 +22726,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + type munin_$1_plugin_tmp_t; + files_tmp_file(munin_$1_plugin_tmp_t) + ++ allow munin_t munin_$1_plugin_t:process signal; ++ + allow munin_$1_plugin_t self:fifo_file rw_fifo_file_perms; + + manage_files_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t) @@ -22694,7 +22755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-05-28 09:42:00.129610615 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-07-14 11:34:15.880159804 +0200 @@ -28,12 +28,26 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) 
@@ -22755,7 +22816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -164,3 +185,153 @@ +@@ -164,3 +185,156 @@ optional_policy(` udev_read_db(munin_t) ') @@ -22765,6 +22826,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +# local policy for disk plugins +# + ++allow munin_disk_plugin_t self:capability { sys_rawio }; ++ +allow munin_disk_plugin_t self:tcp_socket create_stream_socket_perms; + +rw_files_pattern(munin_disk_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -22782,6 +22845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +dev_read_sysfs(munin_disk_plugin_t) +dev_read_urand(munin_disk_plugin_t) + ++storage_raw_read_fixed_disk(munin_disk_plugin_t) +storage_getattr_fixed_disk_dev(munin_disk_plugin_t) + +sysnet_read_config(munin_disk_plugin_t) @@ -30045,6 +30109,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.fc serefpolicy-3.7.19/policy/modules/services/sasl.fc +--- nsaserefpolicy/policy/modules/services/sasl.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sasl.fc 2010-07-14 12:47:11.116159544 +0200 +@@ -1,4 +1,4 @@ +-/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/saslauthd -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) + + # + # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.19/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2010-05-28 09:42:00.182610859 +0200 
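Review bot: `allow munin_disk_plugin_t self:capability { sys_rawio };` in this hunk, together with `storage_raw_read_fixed_disk(munin_disk_plugin_t)` in the @@ -22782 hunk on the same line, lets the disk plugin domain read the fixed-disk block devices directly and issue raw I/O ioctls, which bypasses per-file labeling for everything stored on those disks, and neither hunk says which plugin needs it. I would add a comment above the capability line, e.g. `# <PLUGIN-NAME> queries the raw block device (SMART/hdparm style); needs sys_rawio for the ioctl and raw read on fixed_disk_device_t`, with the real plugin name filled in. If only the device ioctls are needed, the storage_getattr_fixed_disk_dev rule already present plus a narrower rule may be enough, and gating the raw read behind a tunable would let hosts that do not run that plugin keep it off. The munin_disk_plugin_t local-policy section starts outside this hunk.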
@@ -30070,7 +30143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.19/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-05-28 09:42:00.183610792 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-07-14 12:54:00.393409832 +0200 @@ -57,6 +57,24 @@ allow sendmail_t $1:process sigchld; ') @@ -30096,7 +30169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ######################################## ## ## Execute the sendmail program in the sendmail domain. -@@ -277,3 +295,69 @@ +@@ -277,3 +295,70 @@ sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; ') @@ -30150,9 +30223,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t) + -+ sendmail_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 sendmail_initrc_exec_t system_r; ++ init_labeled_script_domtrans($1, sendmail_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 sendmail_initrc_exec_t system_r; ++ allow $2 system_r; + + logging_search_logs($1) + admin_pattern($1, sendmail_log_t) 
@@ -31174,7 +31248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-06-28 14:23:36.870401349 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-07-14 14:41:02.740409622 +0200 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -31395,11 +31469,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ####################################### ## ## Delete from the ssh temp files. -@@ -714,3 +793,50 @@ +@@ -714,3 +793,67 @@ files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + ++####################################### ++## ++## Send a null signal to sshd processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_signull',` ++ gen_require(` ++ type sshd_t; ++ ') ++ allow $1 sshd_t:process signull; ++') ++ +######################################## +## +## All of the rules required to administrate @@ -33008,7 +33099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-06-14 11:32:09.363806498 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-07-14 14:41:48.517158641 +0200 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.3.2) 
@@ -33613,7 +33704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +756,59 @@ +@@ -543,20 +756,63 @@ ') optional_policy(` @@ -33663,6 +33754,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') + +optional_policy(` ++ ssh_signull(xdm_t) ++') ++ ++optional_policy(` udev_read_db(xdm_t) ') @@ -33675,7 +33770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +817,6 @@ +@@ -565,7 +821,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -33683,7 +33778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +827,10 @@ +@@ -576,6 +831,10 @@ ') optional_policy(` @@ -33694,7 +33789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +855,9 @@ +@@ -600,10 +859,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -33706,7 +33801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +869,18 @@ +@@ -615,6 +873,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -33725,7 +33820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +900,19 @@ +@@ -634,12 +904,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -33747,7 +33842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +946,6 @@ +@@ -673,7 +950,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -33755,7 +33850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +955,12 @@ +@@ -683,9 +959,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -33769,7 +33864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +975,13 @@ +@@ -700,8 +979,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -33783,7 +33878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +1003,14 @@ +@@ -723,11 +1007,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -33798,7 +33893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1062,28 @@ +@@ -779,12 +1066,28 @@ ') optional_policy(` 
@@ -33828,7 +33923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1110,7 @@ +@@ -811,7 +1114,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -33837,7 +33932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1131,14 @@ +@@ -832,9 +1135,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -33852,7 +33947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1153,14 @@ +@@ -849,11 +1157,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -33869,7 +33964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1306,33 @@ +@@ -999,3 +1310,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -35757,6 +35852,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.fc serefpolicy-3.7.19/policy/modules/system/locallogin.fc +--- nsaserefpolicy/policy/modules/system/locallogin.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/locallogin.fc 2010-07-14 11:26:45.251159071 +0200 +@@ -1,2 +1,4 @@ + + /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) ++/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.19/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/locallogin.te 2010-05-28 09:42:00.245611274 +0200 diff --git a/selinux-policy.spec b/selinux-policy.spec index 5903858..5c60cd1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 36%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -331,7 +331,7 @@ if [ $1 -eq 1 ]; then %loadpolicy targeted $packages restorecon -R /root /var/log /var/run /var/lib 2> /dev/null else - semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager 2>/dev/null + semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip 2>/dev/null %loadpolicy targeted $packages %relabel targeted fi 
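Review bot: The `-r telepathysofiasip` added to the targeted `semodule` line in the %post scriptlet (and to the mls line in the @@ -450 hunk on the next line) removes that module on upgrade, but neither the commit message nor the new changelog entry mentions it; I would add a changelog line such as `- Remove telepathysofiasip module on upgrade`. Because every removal is passed to a single semodule invocation whose stderr is discarded, a failure on any one listed module would, I believe, make the whole command fail silently and leave the other modules in place, so it is worth confirming the module name against what 3.7.19-36 actually installed. The %post scriptlet starts outside this hunk.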
@@ -450,7 +450,7 @@ SELinux Reference policy mls base module. %saveFileContext mls %post mls -semodule -n -s mls -r mailscanner -r polkit -r ModemManager 2>/dev/null +semodule -n -s mls -r mailscanner -r polkit -r ModemManager -r telepathysofiasip 2>/dev/null packages=`cat /usr/share/selinux/mls/modules.lst` %loadpolicy mls $packages @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Wed Jul 14 2010 Miroslav Grepl 3.7.19-37 +- Redefine hi_reserved_port_t to include ports from 512 to 599 +- Add label for /sbin/sushell +- Fixes for munin plugin policy + * Tue Jul 13 2010 Miroslav Grepl 3.7.19-36 - Allow netutils to read and write USB monitor devices - Fix label for /rhev