diff --git a/policy-20080710.patch b/policy-20080710.patch index e5b0ce7..4bd4290 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch 
@@ -1,99 +1,3 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.13/Makefile ---- nsaserefpolicy/Makefile 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/Makefile 2008-11-24 10:49:49.000000000 -0500 -@@ -311,20 +311,22 @@ - - # parse-rolemap modulename,outputfile - define parse-rolemap -- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -+ echo "" >> $2 -+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 - endef - - # perrole-expansion modulename,outputfile - define perrole-expansion -- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -- $(call parse-rolemap,$1,$2) -- $(verbose) echo "')" >> $2 -- -- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -- $(call parse-rolemap-compat,$1,$2) -- $(verbose) echo "')" >> $2 -+ echo "No longer doing perrole-expansion" -+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -+# $(call parse-rolemap,$1,$2) -+# $(verbose) echo "')" >> $2 -+ -+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -+# $(call parse-rolemap-compat,$1,$2) -+# $(verbose) echo "')" >> $2 - endef - - # create-base-per-role-tmpl modulenames,outputfile -@@ -523,6 +525,10 @@ - @mkdir -p $(appdir)/users - $(verbose) $(INSTALL) -m 644 $^ $@ - -+$(appdir)/initrc_context: $(tmpdir)/initrc_context -+ @mkdir -p $(appdir) -+ $(verbose) $(INSTALL) -m 644 $< $@ -+ - 
$(appdir)/%: $(appconf)/% - @mkdir -p $(appdir) - $(verbose) $(INSTALL) -m 644 $< $@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.13/Rules.modular ---- nsaserefpolicy/Rules.modular 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/Rules.modular 2008-11-24 10:49:49.000000000 -0500 -@@ -73,8 +73,8 @@ - $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te - @echo "Compliling $(NAME) $(@F) module" - @test -d $(tmpdir) || mkdir -p $(tmpdir) -- $(call perrole-expansion,$(basename $(@F)),$@.role) -- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) -+# $(call perrole-expansion,$(basename $(@F)),$@.role) -+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ - - $(tmpdir)/%.mod.fc: $(m4support) %.fc -@@ -129,7 +129,7 @@ - @test -d $(tmpdir) || mkdir -p $(tmpdir) - # define all available object classes - $(verbose) $(genperm) $(avs) $(secclass) > $@ -- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) -+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) - $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true - - $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy -@@ -146,7 +146,7 @@ - $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/rolemap.conf: $(rolemap) - $(verbose) echo "" > $@ -- $(call parse-rolemap,base,$@) -+# $(call parse-rolemap,base,$@) - - $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -@@ -192,6 +192,16 @@ - - ######################################## - # -+# Remove the dontaudit rules from the base.conf -+# -+enableaudit: $(base_conf) -+ @test -d $(tmpdir) || mkdir -p $(tmpdir) -+ @echo "Removing 
dontaudit rules from $(^F)" -+ $(verbose) $(GREP) -v dontaudit $(base_conf) > $(tmpdir)/base.audit -+ $(verbose) mv $(tmpdir)/base.audit $(base_conf) -+ -+######################################## -+# - # Appconfig files - # - $(appdir)/customizable_types: $(base_conf) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.13/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-10-17 08:49:10.000000000 -0400 +++ serefpolicy-3.5.13/config/appconfig-mcs/default_contexts 2008-11-24 10:49:49.000000000 -0500 @@ -187,6 +91,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context +--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context 2008-11-24 10:49:49.000000000 -0500 +@@ -1 +1 @@ +-system_u:sysadm_r:sysadm_t:s0 ++system_u:system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-10-17 08:49:10.000000000 -0400 +++ serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts 2008-11-24 10:49:49.000000000 -0500 
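Review bot: The relocated userhelper_context change drops userhelper/consolehelper-launched programs from `system_u:sysadm_r:sysadm_t:s0` to `system_u:system_r:unconfined_t:s0`, and nothing in the hunk records why an unconfined domain is needed. This hunk only moves the change within the patch, but it is the widening that a later rebase will carry forward, so it deserves a line of justification. Since the context file itself is a single-line data file, I would put the rationale in the patch description, e.g. "userhelper_context: targets run unconfined because the sysadm role is not configured on these systems — confirm", and note whether a narrower system domain was considered.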
@@ -202,12 +112,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con - +system_r:initrc_su_t:s0 user_r:user_t:s0 +user_r:user_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context ---- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-10-17 08:49:10.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context 2008-11-24 10:49:49.000000000 -0500 -@@ -1 +1 @@ --system_u:sysadm_r:sysadm_t:s0 -+system_u:system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts 2008-11-24 10:49:49.000000000 -0500 
@@ -364,6 +268,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.13/Makefile +--- nsaserefpolicy/Makefile 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/Makefile 2008-11-24 10:49:49.000000000 -0500 +@@ -311,20 +311,22 @@ + + # parse-rolemap modulename,outputfile + define parse-rolemap +- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 ++ echo "" >> $2 ++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ ++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + endef + + # perrole-expansion modulename,outputfile + define perrole-expansion +- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +- $(call parse-rolemap,$1,$2) +- $(verbose) echo "')" >> $2 +- +- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +- $(call parse-rolemap-compat,$1,$2) +- $(verbose) echo "')" >> $2 ++ echo "No longer doing perrole-expansion" ++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 ++# $(call parse-rolemap,$1,$2) ++# $(verbose) echo "')" >> $2 ++ ++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 ++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 ++# $(call parse-rolemap-compat,$1,$2) ++# $(verbose) echo "')" >> $2 + endef + + # create-base-per-role-tmpl modulenames,outputfile +@@ -523,6 
+525,10 @@ + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + ++$(appdir)/initrc_context: $(tmpdir)/initrc_context ++ @mkdir -p $(appdir) ++ $(verbose) $(INSTALL) -m 644 $< $@ ++ + $(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(INSTALL) -m 644 $< $@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.5.13/man/man8/samba_selinux.8 --- nsaserefpolicy/man/man8/samba_selinux.8 2008-10-17 08:49:10.000000000 -0400 +++ serefpolicy-3.5.13/man/man8/samba_selinux.8 2008-11-24 10:49:49.000000000 -0500 @@ -489,7 +440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.13/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/consoletype.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/admin/consoletype.te 2008-12-05 09:17:31.000000000 -0500 @@ -8,9 +8,11 @@ type consoletype_t; @@ -505,6 +456,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol role system_r types consoletype_t; ######################################## +@@ -18,7 +20,7 @@ + # Local declarations + # + +-allow consoletype_t self:capability sys_admin; ++allow consoletype_t self:capability { sys_admin sys_tty_config }; + allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow consoletype_t self:fd use; + allow consoletype_t self:fifo_file rw_fifo_file_perms; @@ -42,6 +44,7 @@ mls_file_read_all_levels(consoletype_t) mls_file_write_all_levels(consoletype_t) 
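Review bot: The re-added Makefile hunk leaves the bodies of `parse-rolemap` and `perrole-expansion` as commented-out recipe lines plus an unsilenced, unconditional `echo "No longer doing perrole-expansion"`, and as far as the Rules.modular changes elsewhere in this patch show, every call site of both macros is itself commented out, so this is dead code carried in two places. If the macros are kept only so that stale call sites still parse, make an accidental call fail loudly instead of writing a stray blank line into the module file: `define perrole-expansion` / `$(error per-role expansion has been removed from this policy build)` / `endef`, and likewise for `parse-rolemap`. Otherwise delete the defines and the commented calls together, since the comments no longer describe anything the build does. The new `$(appdir)/initrc_context` rule is fine, though its prerequisite `$(tmpdir)/initrc_context` has no visible producing rule in this hunk — presumably defined elsewhere in the patch.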
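Review bot: The consoletype.te change grants `sys_tty_config` to consoletype_t with no comment saying which operation needed it; consoletype only reports what kind of terminal its stdin is, and `sys_tty_config` also covers vhangup and console configuration ioctls, so this is wider than the task suggests. If the motivating AVC was from an ioctl probe that still succeeds without the capability, the smaller change is `dontaudit consoletype_t self:capability sys_tty_config;` rather than an allow — worth checking before this lands. Either way, add a one-line comment above the rule naming the ioctl or AVC that drove it, e.g. `# sys_tty_config: needed for <ioctl> on the console device -- confirm`. The rest of the consoletype local policy block continues outside this hunk.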
@@ -568,7 +528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.13/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/logrotate.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/admin/logrotate.te 2008-12-08 15:21:47.000000000 -0500 @@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t) @@ -577,6 +537,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) +@@ -190,5 +191,6 @@ + ') + + optional_policy(` ++ squid_exec(logrotate_t) + squid_signal(logrotate_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.13/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-10-17 08:49:14.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te 2008-11-24 11:54:20.000000000 -0500 
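Review bot: `squid_exec(logrotate_t)` runs the squid binary inside logrotate_t with no domain transition, so whatever squid does during the postrotate hook executes with logrotate's privileges (it already manages essentially all log files and has `squid_signal`), and any squid bug becomes a logrotate-domain bug. If the hook is just `squid -k rotate`, that is a signal to the running daemon and the existing `squid_signal(logrotate_t)` plus a transition into squid's own domain (`squid_domtrans(logrotate_t)`, if the squid module provides that interface — I cannot see it from here) is the safer form. If an in-domain exec really is required, say so in a comment above the call, e.g. `# squid -k rotate must run in logrotate_t because ... -- confirm`. The enclosing `optional_policy` block starts inside the hunk and ends with the visible `')`.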
@@ -1242,6 +1209,122 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans(rpm_script_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.13/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/sudo.if 2008-12-08 13:50:09.000000000 -0500 +@@ -55,7 +55,7 @@ + # + + # Use capabilities. +- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; ++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; + allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_sudo_t self:process { setexec setrlimit }; + allow $1_sudo_t self:fd use; +@@ -68,33 +68,36 @@ + allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; + allow $1_sudo_t self:unix_dgram_socket sendto; + allow $1_sudo_t self:unix_stream_socket connectto; +- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; ++ allow $1_sudo_t self:key manage_key_perms; ++ allow $1_sudo_t $1_t:key search; + + # Enter this derived domain from the user domain + domtrans_pattern($2, sudo_exec_t, $1_sudo_t) + + # By default, revert to the calling domain when a shell is executed. 
+ corecmd_shell_domtrans($1_sudo_t, $2) ++ corecmd_bin_domtrans($1_sudo_t, $2) + allow $2 $1_sudo_t:fd use; + allow $2 $1_sudo_t:fifo_file rw_file_perms; + allow $2 $1_sudo_t:process sigchld; + + kernel_read_kernel_sysctls($1_sudo_t) + kernel_read_system_state($1_sudo_t) +- kernel_search_key($1_sudo_t) ++ kernel_link_key($1_sudo_t) + + dev_read_urand($1_sudo_t) ++ dev_rw_generic_usb_dev($1_sudo_t) + + fs_search_auto_mountpoints($1_sudo_t) + fs_getattr_xattr_fs($1_sudo_t) + +- auth_domtrans_chk_passwd($1_sudo_t) ++ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) + # sudo stores a token in the pam_pid directory + auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) + + corecmd_read_bin_symlinks($1_sudo_t) +- corecmd_getattr_all_executables($1_sudo_t) ++ corecmd_exec_all_executables($1_sudo_t) + + domain_use_interactive_fds($1_sudo_t) + domain_sigchld_interactive_fds($1_sudo_t) +@@ -106,32 +109,50 @@ + files_getattr_usr_files($1_sudo_t) + # for some PAM modules and for cwd + files_dontaudit_search_home($1_sudo_t) ++ files_list_tmp($1_sudo_t) + + init_rw_utmp($1_sudo_t) + + libs_use_ld_so($1_sudo_t) + libs_use_shared_libs($1_sudo_t) + ++ logging_send_audit_msgs($1_sudo_t) + logging_send_syslog_msg($1_sudo_t) + + miscfiles_read_localization($1_sudo_t) + +- userdom_manage_user_home_content_files($1, $1_sudo_t) +- userdom_manage_user_home_content_symlinks($1, $1_sudo_t) +- userdom_manage_user_tmp_files($1, $1_sudo_t) +- userdom_manage_user_tmp_symlinks($1, $1_sudo_t) ++ mta_per_role_template($1, $1_sudo_t, $3) ++ ++ unprivuser_manage_home_content_files($1_sudo_t) ++ unprivuser_manage_home_content_symlinks($1_sudo_t) ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files($1_sudo_t) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_files($1_sudo_t) ++ ') ++ unprivuser_manage_tmp_files($1_sudo_t) ++ unprivuser_manage_tmp_symlinks($1_sudo_t) ++ userdom_exec_user_home_content_files($1, $1_sudo_t) + 
userdom_use_user_terminals($1, $1_sudo_t) + userdom_use_unpriv_users_fds($1_sudo_t) + # for some PAM modules and for cwd ++ sysadm_search_home_content_dirs($1_sudo_t) + userdom_dontaudit_search_all_users_home_content($1_sudo_t) ++ userdom_manage_all_users_keys($1_sudo_t) + +- ifdef(`TODO',` +- # for when the network connection is killed +- dontaudit unpriv_userdomain $1_sudo_t:process signal; +- +- ifdef(`mta.te', ` +- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) +- ') ++ domain_role_change_exemption($1_sudo_t) ++ userdom_spec_domtrans_all_users($1_sudo_t) + +- ') dnl end TODO ++ selinux_validate_context($1_sudo_t) ++ selinux_compute_relabel_context($1_sudo_t) ++ selinux_getattr_fs($1_sudo_t) ++ seutil_read_config($1_sudo_t) ++ seutil_search_default_contexts($1_sudo_t) ++ ++ term_use_all_user_ttys($1_sudo_t) ++ term_use_all_user_ptys($1_sudo_t) ++ term_relabel_all_user_ttys($1_sudo_t) ++ term_relabel_all_user_ptys($1_sudo_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.13/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2008-10-17 08:49:14.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/admin/su.if 2008-11-24 10:49:49.000000000 -0500 
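Review bot: `corecmd_exec_all_executables($1_sudo_t)` combined with the added `dev_rw_generic_usb_dev($1_sudo_t)` widens the per-role sudo domain noticeably and neither line carries a reason. With exec_all_executables, any executable that is not bin_t or shell_exec_t (those still transition back to the caller via `corecmd_bin_domtrans`/`corecmd_shell_domtrans`) keeps running in `$1_sudo_t`, which this hunk also gives dac_override, setuid, `userdom_manage_all_users_keys`, `domain_role_change_exemption` and relabel rights on all user ttys/ptys. Please add a comment naming what needs each grant — presumably a PAM module reading a USB token for the device access, which I cannot confirm from here — e.g. `# rw on generic usb devices: required by <pam module> -- confirm` and `# exec without transition: needed for <command> -- confirm`, or put the USB access behind a tunable if only some deployments use it. The `sudo_per_role_template` this hunk edits starts before the hunk and its closing `')` is the last visible line.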
@@ -1400,122 +1483,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.13/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/sudo.if 2008-11-24 10:49:49.000000000 -0500 -@@ -55,7 +55,7 @@ - # - - # Use capabilities. -- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; -+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; -@@ -68,33 +68,36 @@ - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; -- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; -+ allow $1_sudo_t self:key manage_key_perms; -+ allow $1_sudo_t $1_t:key search; - - # Enter this derived domain from the user domain - domtrans_pattern($2, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. 
- corecmd_shell_domtrans($1_sudo_t, $2) -+ corecmd_bin_domtrans($1_sudo_t, $2) - allow $2 $1_sudo_t:fd use; - allow $2 $1_sudo_t:fifo_file rw_file_perms; - allow $2 $1_sudo_t:process sigchld; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) -- kernel_search_key($1_sudo_t) -+ kernel_link_key($1_sudo_t) - - dev_read_urand($1_sudo_t) -+ dev_rw_generic_usb_dev($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - -- auth_domtrans_chk_passwd($1_sudo_t) -+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) -- corecmd_getattr_all_executables($1_sudo_t) -+ corecmd_exec_all_executables($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) -@@ -106,32 +109,50 @@ - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) -+ files_list_tmp($1_sudo_t) - - init_rw_utmp($1_sudo_t) - - libs_use_ld_so($1_sudo_t) - libs_use_shared_libs($1_sudo_t) - -+ logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) - -- userdom_manage_user_home_content_files($1, $1_sudo_t) -- userdom_manage_user_home_content_symlinks($1, $1_sudo_t) -- userdom_manage_user_tmp_files($1, $1_sudo_t) -- userdom_manage_user_tmp_symlinks($1, $1_sudo_t) -+ mta_per_role_template($1, $1_sudo_t, $3) -+ -+ unprivuser_manage_home_content_files($1_sudo_t) -+ unprivuser_manage_home_content_symlinks($1_sudo_t) -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files($1_sudo_t) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_files($1_sudo_t) -+ ') -+ unprivuser_manage_tmp_files($1_sudo_t) -+ unprivuser_manage_tmp_symlinks($1_sudo_t) -+ userdom_exec_user_home_content_files($1, $1_sudo_t) - 
userdom_use_user_terminals($1, $1_sudo_t) - userdom_use_unpriv_users_fds($1_sudo_t) - # for some PAM modules and for cwd -+ sysadm_search_home_content_dirs($1_sudo_t) - userdom_dontaudit_search_all_users_home_content($1_sudo_t) -+ userdom_manage_all_users_keys($1_sudo_t) - -- ifdef(`TODO',` -- # for when the network connection is killed -- dontaudit unpriv_userdomain $1_sudo_t:process signal; -- -- ifdef(`mta.te', ` -- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) -- ') -+ domain_role_change_exemption($1_sudo_t) -+ userdom_spec_domtrans_all_users($1_sudo_t) - -- ') dnl end TODO -+ selinux_validate_context($1_sudo_t) -+ selinux_compute_relabel_context($1_sudo_t) -+ selinux_getattr_fs($1_sudo_t) -+ seutil_read_config($1_sudo_t) -+ seutil_search_default_contexts($1_sudo_t) -+ -+ term_use_all_user_ttys($1_sudo_t) -+ term_use_all_user_ptys($1_sudo_t) -+ term_relabel_all_user_ttys($1_sudo_t) -+ term_relabel_all_user_ptys($1_sudo_t) - ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-10-17 08:49:14.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te 2008-11-24 10:49:49.000000000 -0500 
@@ -4211,8 +4178,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -0,0 +1,12 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-12-08 16:25:40.000000000 -0500 +@@ -0,0 +1,13 @@ + +/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) @@ -4223,11 +4190,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.config/gxine(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-12-05 10:36:37.000000000 -0500 @@ -0,0 +1,297 @@ + +## policy for nsplugin 
@@ -4528,8 +4496,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-12-03 08:58:51.000000000 -0500 -@@ -0,0 +1,277 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-12-05 08:34:30.000000000 -0500 +@@ -0,0 +1,279 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4596,6 +4564,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) +userdom_user_home_content_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) @@ -6465,7 +6435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +wm_domain_template(user,xdm) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-12-04 09:14:24.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-12-05 08:46:59.000000000 -0500 
@@ -129,6 +129,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6489,6 +6459,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -222,8 +223,8 @@ + /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/vmware-tools/sbin64(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -292,3 +293,14 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) @@ -6573,7 +6554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-12-03 08:58:40.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-12-08 15:25:33.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.10.0) 
@@ -6688,12 +6669,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -170,13 +193,16 @@ +@@ -170,14 +193,17 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) -+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) ++network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon @@ -6701,11 +6682,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(vnc, tcp,5900,s0) network_port(wccp, udp,2048,s0) +-network_port(whois, tcp,43,s0, udp,43,s0) +# Reserve 100 ports for vnc/virt machines +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) - network_port(whois, tcp,43,s0, udp,43,s0) ++network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) + network_port(xfs, tcp,7100,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-17 08:49:14.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2008-11-24 10:49:49.000000000 -0500 
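Review bot: The new port assignments are written with a different spacing than every other entry (`tcp, 6969, s0` and `tcp, 4321, s0 , udp, 4321, s0 ` with a trailing space before the closing paren) and give no hint why 6969 is a tor port or 4321 a whois port; 6969 is, as far as I know, more commonly a BitTorrent tracker port and 4321 is rwhois, so both labels deserve a comment. I would write them in the file's own style: `network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)` and `network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0)`, preceded by `# 6969: tor ORPort on <distro default> -- confirm` and `# 4321: rwhois`. Labelling 6969 as tor_port_t also lets every domain allowed to connect to tor ports reach a tracker on that port, which is worth stating explicitly if intended.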
@@ -7973,7 +7956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-12-08 16:43:51.000000000 -0500 @@ -535,6 +535,24 @@ ######################################## @@ -11159,7 +11142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-12-04 14:56:57.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-12-08 16:48:00.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -11332,11 +11315,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -312,12 +369,11 @@ +@@ -312,12 +369,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) +fs_list_inotifyfs(httpd_t) ++fs_read_iso9660_files(httpd_t) auth_use_nsswitch(httpd_t) 
@@ -11347,10 +11331,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -335,6 +391,10 @@ +@@ -334,7 +391,10 @@ + # for tomcat files_read_var_lib_symlinks(httpd_t) - fs_search_auto_mountpoints(httpd_sys_script_t) +-fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) @@ -11630,9 +11615,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +752,7 @@ +@@ -597,10 +751,9 @@ + dev_read_urand(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) ++fs_read_iso9660_files(httpd_suexec_t) -# for shell scripts -corecmd_exec_bin(httpd_suexec_t) @@ -11641,7 +11628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +785,25 @@ +@@ -633,12 +786,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -11670,7 +11657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +812,12 @@ +@@ -647,6 +813,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -11683,7 +11670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,20 +835,20 @@ +@@ -664,20 +836,20 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -11709,7 +11696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +862,22 @@ +@@ -691,12 +863,25 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -11721,6 +11708,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -tunable_policy(`httpd_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(httpd_sys_script_t) ++fs_read_iso9660_files(httpd_sys_script_t) ++fs_search_auto_mountpoints(httpd_sys_script_t) ++ +tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) @@ -11734,7 +11724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +885,31 @@ +@@ -704,6 +889,31 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11766,7 +11756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +922,10 @@ +@@ -716,10 +926,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11781,7 +11771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +933,8 @@ +@@ -727,6 +937,8 @@ # httpd_rotatelogs local policy # 
@@ -11790,7 +11780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +949,66 @@ +@@ -741,3 +953,66 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -12276,13 +12266,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.13/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -1,4 +1,4 @@ ++++ serefpolicy-3.5.13/policy/modules/services/bind.fc 2008-12-08 11:45:16.000000000 -0500 +@@ -1,17 +1,22 @@ -/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++ /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) + /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) + /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) + /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) ++/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) + + /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) + + /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) + /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + + ifdef(`distro_debian',` + /etc/bind(/.*)? 
gen_context(system_u:object_r:named_zone_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.13/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/bind.if 2008-11-24 10:49:49.000000000 -0500 @@ -14116,8 +14124,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-12-02 10:19:35.000000000 -0500 -@@ -20,6 +20,12 @@ ++++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-12-05 08:56:59.000000000 -0500 +@@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -14130,7 +14138,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type cupsd_rw_etc_t; files_config_file(cupsd_rw_etc_t) -@@ -48,6 +54,10 @@ ++type cupsd_lock_t; ++files_lock_file(cupsd_lock_t) ++ + type cupsd_log_t; + logging_log_file(cupsd_log_t) + +@@ -48,6 +57,10 @@ type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t, hplip_exec_t) @@ -14141,7 +14155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type hplip_etc_t; files_config_file(hplip_etc_t) -@@ -65,6 +75,16 @@ +@@ -65,6 +78,16 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) @@ -14158,7 +14172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') -@@ -79,13 +99,14 @@ +@@ -79,13 +102,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) 
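Review bot: Labelling `/usr/sbin/unbound` as named_exec_t and `/etc/unbound(/.*)?` as named_conf_t in the bind.fc hunk runs unbound inside the named_t domain, so each daemon inherits every permission the other needs and a compromise of either carries the other's privileges; nothing in the hunk records that this sharing is intended. Add a comment above the new entries, e.g. `# unbound runs in the named_t domain and shares named's policy`, and treat a dedicated unbound domain as the least-privilege follow-up if both resolvers are deployed on the same host.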
@@ -14176,7 +14190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -97,6 +118,9 @@ +@@ -97,6 +121,9 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) @@ -14186,7 +14200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -104,8 +128,8 @@ +@@ -104,8 +131,11 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) @@ -14194,10 +14208,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow cupsd_t cupsd_exec_t:lnk_file read; +allow cupsd_t cupsd_exec_t:dir search_dir_perms; +allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; ++ ++allow cupsd_t cupsd_lock_t:file manage_file_perms; ++files_lock_filetrans(cupsd_t, cupsd_lock_t, file) manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; -@@ -116,13 +140,20 @@ +@@ -116,13 +146,20 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -14220,7 +14237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +180,49 @@ +@@ -149,44 +186,49 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) 
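Review bot: `++allow cupsd_t cupsd_lock_t:file manage_file_perms;` together with `++files_lock_filetrans(cupsd_t, cupsd_lock_t, file)` only covers lock files cupsd creates itself, and no cups.fc entry for the new type appears anywhere in this diff, so a lock file that already exists or is restored by a relabel would keep the generic lock label and the new rule would not match it; cups.fc is not visible here, so confirm an entry exists. A comment on the `++type cupsd_lock_t;` declaration in the earlier cups.te hunk naming the path under /var/lock it labels would let the next reader check this without opening the fc file.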
@@ -14275,7 +14292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +231,16 @@ +@@ -195,15 +237,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -14296,7 +14313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +256,21 @@ +@@ -219,17 +262,21 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -14321,7 +14338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -246,8 +287,16 @@ +@@ -246,8 +293,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` @@ -14338,7 +14355,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -263,6 +312,10 @@ +@@ -263,6 +318,10 @@ ') optional_policy(` @@ -14349,7 +14366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -281,7 +334,7 @@ +@@ -281,7 +340,7 @@ # Cups configuration daemon local policy # @@ -14358,7 +14375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -313,7 +366,7 @@ +@@ -313,7 +372,7 @@ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) kernel_read_system_state(cupsd_config_t) 
@@ -14367,7 +14384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -326,6 +379,7 @@ +@@ -326,6 +385,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -14375,7 +14392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -343,7 +397,7 @@ +@@ -343,7 +403,7 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this @@ -14384,7 +14401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_config_t) -@@ -353,6 +407,7 @@ +@@ -353,6 +413,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -14392,7 +14409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -365,14 +420,16 @@ +@@ -365,14 +426,16 @@ sysadm_dontaudit_search_home_dirs(cupsd_config_t) ifdef(`distro_redhat',` @@ -14411,7 +14428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -388,6 +445,7 @@ +@@ -388,6 +451,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -14419,7 +14436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -500,7 +558,8 @@ +@@ -500,7 +564,8 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -14429,7 +14446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) -@@ -509,6 +568,8 @@ +@@ -509,6 +574,8 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) 
@@ -14438,7 +14455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -538,7 +599,8 @@ +@@ -538,7 +605,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -14448,7 +14465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -552,6 +614,8 @@ +@@ -552,6 +620,8 @@ files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -14457,7 +14474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(hplip_t) libs_use_shared_libs(hplip_t) -@@ -564,12 +628,14 @@ +@@ -564,12 +634,14 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -14473,7 +14490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -651,3 +717,44 @@ +@@ -651,3 +723,44 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -16828,13 +16845,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Init script handling diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.13/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ldap.te 2008-11-24 10:49:49.000000000 -0500 -@@ -121,7 +121,7 @@ ++++ serefpolicy-3.5.13/policy/modules/services/ldap.te 2008-12-08 14:32:09.000000000 -0500 +@@ -121,7 +121,11 @@ sysadm_dontaudit_search_home_dirs(slapd_t) optional_policy(` - kerberos_use(slapd_t) + kerberos_keytab_template(slapd, slapd_t) ++') ++ ++optional_policy(` ++ sasl_connect(slapd_t) ') optional_policy(` 
@@ -17883,7 +17904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.13/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-12-05 09:14:53.000000000 -0500 @@ -1,8 +1,12 @@ +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + @@ -17902,7 +17923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+/usr/libexec/nm-openconnect-service -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.13/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if 2008-11-24 10:49:49.000000000 -0500 
@@ -22907,6 +22928,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type roundup_var_run_t; files_pid_file(roundup_var_run_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.13/policy/modules/services/rpcbind.fc +--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rpcbind.fc 2008-11-24 10:49:49.000000000 -0500 +@@ -1,4 +1,4 @@ +-/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) + + /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.13/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te 2008-11-24 10:49:49.000000000 -0500 +@@ -60,6 +60,7 @@ + domain_use_interactive_fds(rpcbind_t) + + files_read_etc_files(rpcbind_t) ++files_read_etc_runtime_files(rpcbind_t) + + libs_use_ld_so(rpcbind_t) + libs_use_shared_libs(rpcbind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.5.13/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/rpc.fc 2008-11-24 10:49:49.000000000 -0500 
@@ -23043,26 +23084,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.13/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -1,4 +1,4 @@ --/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) - - /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.13/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te 2008-11-24 10:49:49.000000000 -0500 -@@ -60,6 +60,7 @@ - domain_use_interactive_fds(rpcbind_t) - - files_read_etc_files(rpcbind_t) -+files_read_etc_runtime_files(rpcbind_t) - - libs_use_ld_so(rpcbind_t) - libs_use_shared_libs(rpcbind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.13/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/rshd.te 2008-11-24 10:49:49.000000000 -0500 
@@ -23629,7 +23650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-08 15:15:16.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -23683,7 +23704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # - +allow samba_net_t self:capability { dac_read_search dac_override }; -+allow samba_net_t self:process getsched; ++allow samba_net_t self:process { getsched setsched }; allow samba_net_t self:unix_dgram_socket create_socket_perms; allow samba_net_t self:unix_stream_socket create_stream_socket_perms; allow samba_net_t self:udp_socket create_socket_perms; @@ -23709,7 +23730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(samba_net_t) -@@ -200,7 +216,10 @@ +@@ -200,7 +216,14 @@ miscfiles_read_localization(samba_net_t) @@ -23717,10 +23738,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sysadm_dontaudit_search_home_dirs(samba_net_t) +userdom_list_all_users_home_dirs(samba_net_t) ++ ++optional_policy(` ++ pcscd_read_pub_files(samba_net_t) ++') optional_policy(` kerberos_use(samba_net_t) -@@ -210,7 +229,7 @@ +@@ -210,7 +233,7 @@ # # smbd Local policy # 
@@ -23729,7 +23754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -228,10 +247,8 @@ +@@ -228,10 +251,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; @@ -23741,7 +23766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow smbd_t samba_net_tmp_t:file getattr; -@@ -241,6 +258,7 @@ +@@ -241,6 +262,7 @@ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) @@ -23749,7 +23774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -@@ -258,7 +276,7 @@ +@@ -258,7 +280,7 @@ manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, file) @@ -23758,7 +23783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -314,20 +332,24 @@ +@@ -314,20 +336,24 @@ init_rw_utmp(smbd_t) @@ -23786,7 +23811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -348,6 +370,25 @@ +@@ -348,6 +374,25 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -23812,7 +23837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -360,6 +401,11 @@ +@@ -360,6 +405,11 @@ ') optional_policy(` 
@@ -23824,7 +23849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(smbd_t) ') -@@ -379,8 +425,10 @@ +@@ -379,8 +429,10 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) @@ -23835,7 +23860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -452,6 +500,7 @@ +@@ -452,6 +504,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -23843,7 +23868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -536,6 +585,7 @@ +@@ -536,6 +589,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -23851,7 +23876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_list_bin(smbmount_t) -@@ -547,32 +597,46 @@ +@@ -547,32 +601,46 @@ auth_use_nsswitch(smbmount_t) @@ -23904,7 +23929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -592,6 +656,9 @@ +@@ -592,6 +660,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -23914,7 +23939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -616,10 +683,12 @@ +@@ -616,10 +687,12 @@ dev_read_urand(swat_t) @@ -23927,7 +23952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -628,6 +697,7 @@ +@@ -628,6 +701,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) 
@@ -23935,7 +23960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -645,6 +715,17 @@ +@@ -645,6 +719,17 @@ kerberos_use(swat_t) ') @@ -23953,16 +23978,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Winbind local policy -@@ -694,6 +775,8 @@ +@@ -653,7 +738,7 @@ + + allow winbind_t self:capability { dac_override ipc_lock setuid }; + dontaudit winbind_t self:capability sys_tty_config; +-allow winbind_t self:process signal_perms; ++allow winbind_t self:process { signal_perms getsched }; + allow winbind_t self:fifo_file rw_fifo_file_perms; + allow winbind_t self:unix_dgram_socket create_socket_perms; + allow winbind_t self:unix_stream_socket create_stream_socket_perms; +@@ -694,9 +779,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) +corecmd_exec_bin(winbind_t) + kernel_read_kernel_sysctls(winbind_t) - kernel_list_proc(winbind_t) - kernel_read_proc_symlinks(winbind_t) -@@ -780,8 +863,13 @@ +-kernel_list_proc(winbind_t) +-kernel_read_proc_symlinks(winbind_t) ++kernel_read_system_state(winbind_t) + + corenet_all_recvfrom_unlabeled(winbind_t) + corenet_all_recvfrom_netlabel(winbind_t) +@@ -724,6 +810,7 @@ + domain_use_interactive_fds(winbind_t) + + files_read_etc_files(winbind_t) ++files_read_usr_symlinks(winbind_t) + + libs_use_ld_so(winbind_t) + libs_use_shared_libs(winbind_t) +@@ -780,8 +867,13 @@ miscfiles_read_localization(winbind_helper_t) optional_policy(` @@ -23976,7 +24022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -790,6 +878,16 @@ +@@ -790,6 +882,16 @@ # optional_policy(` 
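Review bot: Replacing `-kernel_list_proc(winbind_t)` and `-kernel_read_proc_symlinks(winbind_t)` with `++kernel_read_system_state(winbind_t)` widens winbind from listing /proc to reading its files, and neither that line nor the new `getsched` on the `self:process` rule says which denied access motivated the change. Record it in a comment, e.g. `# winbind reads <proc path from the AVC> — narrow to a specific interface if one exists`, so the broader grant can be tightened later; the same applies to `++allow samba_net_t self:process { getsched setsched };` in the earlier samba.te hunk `@@ -23683,7 +23704,7 @@`.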
@@ -23993,7 +24039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -800,9 +898,46 @@ +@@ -800,9 +902,46 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -25635,6 +25681,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.5.13/policy/modules/services/squid.if +--- nsaserefpolicy/policy/modules/services/squid.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/squid.if 2008-12-08 15:21:38.000000000 -0500 +@@ -21,6 +21,24 @@ + + ######################################## + ## ++## Execute squid ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`squid_exec',` ++ gen_require(` ++ type squid_exec_t; ++ ') ++ ++ can_exec($1, squid_exec_t) ++') ++ ++######################################## ++## + ## Send generic signals to squid. + ## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.13/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/squid.te 2008-11-24 10:49:49.000000000 -0500 
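Review bot: The new `squid_exec` interface does `can_exec($1, squid_exec_t)`, which runs the squid binary in the caller's own domain with no domain transition, so the calling domain ends up holding whatever squid needs at run time; the summary text `Execute squid` does not say this. Document it in the interface summary, e.g. `Execute squid in the caller domain without a transition; use the domain-transition interface where squid should stay confined`, so callers do not pick this interface when they actually want squid confined.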
@@ -25667,7 +25741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-12-04 09:20:21.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-12-05 11:39:29.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -28746,7 +28820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.13/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-12-03 09:33:25.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-12-08 15:05:47.000000000 -0500 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -28852,7 +28926,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -333,19 +378,16 @@ +@@ -323,8 +368,10 @@ + interface(`auth_domtrans_chk_passwd',` + gen_require(` + type system_chkpwd_t, chkpwd_exec_t, shadow_t; ++ type auth_cache_t; + ') + ++ allow $1 auth_cache_t:dir search_dir_perms; + corecmd_search_bin($1) + domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t) + +@@ -333,19 +380,16 @@ dev_read_rand($1) dev_read_urand($1) 
@@ -28877,7 +28962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -356,6 +398,28 @@ +@@ -356,6 +400,28 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -28906,7 +28991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -369,12 +433,12 @@ +@@ -369,12 +435,12 @@ ## ## ## @@ -28921,7 +29006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## # -@@ -386,6 +450,7 @@ +@@ -386,6 +452,7 @@ auth_domtrans_chk_passwd($1) role $2 types system_chkpwd_t; allow system_chkpwd_t $3:chr_file rw_file_perms; @@ -28929,7 +29014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -871,7 +936,7 @@ +@@ -871,7 +938,7 @@ files_search_var($1) allow $1 var_auth_t:dir manage_dir_perms; allow $1 var_auth_t:file rw_file_perms; @@ -28938,7 +29023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1175,6 +1240,32 @@ +@@ -1175,6 +1242,32 @@ ######################################## ## @@ -28971,7 +29056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1447,6 +1538,10 @@ +@@ -1447,6 +1540,10 @@ ') optional_policy(` @@ -28982,7 +29067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1457,6 +1552,7 @@ +@@ -1457,6 +1554,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) 
@@ -28990,7 +29075,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1491,3 +1587,81 @@ +@@ -1491,3 +1589,81 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -29853,6 +29938,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setkey_t self:netlink_route_socket create_netlink_socket_perms; allow setkey_t ipsec_conf_file_t:dir list_dir_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.5.13/policy/modules/system/iptables.fc +--- nsaserefpolicy/policy/modules/system/iptables.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/iptables.fc 2008-12-08 16:37:01.000000000 -0500 +@@ -6,3 +6,4 @@ + /usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.5.13/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/iptables.te 2008-11-27 06:12:54.000000000 -0500 
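Review bot: The new `+/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)` entry in iptables.fc combines a directory-recursive pattern with the `--` regular-file restriction, so the /var/lib/shorewall directory itself and any subdirectories are never relabelled and keep their parent's default label. Drop the file-type field: `/var/lib/shorewall(/.*)? gen_context(system_u:object_r:iptables_var_run_t,s0)`. Labelling persistent state under /var/lib with a pid-file type also extends to it whatever access other domains already have to iptables run-time files; a dedicated state type would be the more precise follow-up.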
@@ -36387,6 +36480,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.13/Rules.modular +--- nsaserefpolicy/Rules.modular 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/Rules.modular 2008-11-24 10:49:49.000000000 -0500 +@@ -73,8 +73,8 @@ + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te + @echo "Compliling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) +- $(call perrole-expansion,$(basename $(@F)),$@.role) +- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) ++# $(call perrole-expansion,$(basename $(@F)),$@.role) ++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + + $(tmpdir)/%.mod.fc: $(m4support) %.fc +@@ -129,7 +129,7 @@ + @test -d $(tmpdir) || mkdir -p $(tmpdir) + # define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ +- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) ++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + + $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy +@@ -146,7 +146,7 @@ + $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ +- $(call parse-rolemap,base,$@) ++# $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf 
$(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf +@@ -192,6 +192,16 @@ + + ######################################## + # ++# Remove the dontaudit rules from the base.conf ++# ++enableaudit: $(base_conf) ++ @test -d $(tmpdir) || mkdir -p $(tmpdir) ++ @echo "Removing dontaudit rules from $(^F)" ++ $(verbose) $(GREP) -v dontaudit $(base_conf) > $(tmpdir)/base.audit ++ $(verbose) mv $(tmpdir)/base.audit $(base_conf) ++ ++######################################## ++# + # Appconfig files + # + $(appdir)/customizable_types: $(base_conf) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2008-10-17 08:49:14.000000000 -0400 +++ serefpolicy-3.5.13/support/Makefile.devel 2008-11-24 10:49:49.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index 6f7daed..a19ba79 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 32%{?dist} +Release: 33%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -459,6 +459,9 @@ exit 0 %endif %changelog +* Fri Dec 5 2008 Dan Walsh 3.5.13-33 +- Allow nsplugin to manage sock files and fifo_files in nsplugin_home_t + * Thu Dec 4 2008 Dan Walsh 3.5.13-32 - Turn off nsplugin transition, by default - Allow httpd_sys_script_t to communicate with postgresql
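Review bot: The `enableaudit` target strips rules with `$(GREP) -v dontaudit $(base_conf)`, a bare substring match that deletes every line containing that text, including comments or identifiers that merely mention dontaudit, and if any dontaudit statement in the generated base.conf spans more than one line it would leave the tail as a dangling fragment for checkpolicy to reject. At minimum anchor the keyword, `$(GREP) -v '^[[:space:]]*dontaudit[[:space:]]' $(base_conf) > $(tmpdir)/base.audit`, and add a comment stating that the rewrite relies on generated rules being one per line. The recipe also rewrites its prerequisite `$(base_conf)` in place instead of producing `$@`, so a later `make` sees an up-to-date base.conf with the rules already gone until something regenerates it; a comment on the target saying the effect persists would save a debugging session. Separately, the recipe lines commented out with `#` in Rules.modular (`#	$(call perrole-expansion,...)`, `#	$(verbose) $(call create-base-per-role-tmpl,...)`, `#	$(call parse-rolemap,base,$@)`) are still expanded by make and passed to the shell, so a multi-line expansion would only be commented on its first line; deleting the dead lines is safer than commenting them. The new `gen_user(root, user, unconfined_r sysadm_r staff_r ... system_r, ...)` line authorises root for system_r directly, which looks deliberate but deserves a comment explaining why root needs that role outside of run_init.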
