diff --git a/policy-20070501.patch b/policy-20070501.patch
index 0e8f5f1..f825b2f 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -1196,7 +1196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if s
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-05-29 11:35:27.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -1209,7 +1209,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
-@@ -256,3 +261,5 @@
+@@ -248,6 +253,7 @@
+ /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+
+ /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
+ /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -256,3 +262,5 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
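Review bot: The new `/usr/lib64/yp/.+` entry duplicates the `/usr/lib/yp/.+` line directly above it instead of folding the architecture suffix into one pattern; refpolicy file contexts normally express this as `/usr/lib(64)?/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)`, which keeps the two labels from drifting apart later. The same duplication appears in the nis.fc hunk of this commit (`/usr/lib64/yp/ypxfr`), where `/usr/lib(64)?/yp/ypxfr` would serve. Since the lib64 pair mirrors the existing lib pair (a generic bin_t entry plus a specific ypxfr_exec_t entry), label precedence for ypxfr should presumably resolve the same way it already does under /usr/lib, but that is worth confirming with setfiles on a lib64 system.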
@@ -2704,6 +2712,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
+corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
+corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-2.6.4/policy/modules/services/arpwatch.te
+--- nsaserefpolicy/policy/modules/services/arpwatch.te 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/arpwatch.te 2007-05-29 09:01:26.000000000 -0400
+@@ -28,7 +28,6 @@
+ allow arpwatch_t self:process signal_perms;
+ allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+ allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+ allow arpwatch_t self:udp_socket create_socket_perms;
+ allow arpwatch_t self:packet_socket create_socket_perms;
+@@ -78,8 +77,6 @@
+
+ miscfiles_read_localization(arpwatch_t)
+
+-sysnet_read_config(arpwatch_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+ userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
+
+@@ -92,7 +89,7 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(arpwatch_t)
++ auth_use_nsswitch(arpwatch_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.6.4/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/automount.te 2007-05-21 10:46:53.000000000 -0400
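Review bot: `auth_use_nsswitch(arpwatch_t)` is left inside the `optional_policy()` block that existed for `nis_use_ypbind`, while the avahi and dovecot hunks in this same commit call `auth_use_nsswitch` unconditionally; the nagios, postfix.if and postfix_master_t hunks repeat the wrapped form. As far as I know authlogin is a base module, so the wrapper is unnecessary and the unwrapped form is the one to keep, i.e. replace the block with a bare `auth_use_nsswitch(arpwatch_t)`. The removals of `sysnet_read_config` and the `netlink_route_socket` rule here and in the sibling hunks (avahi, dovecot, nagios, postfix.if) presumably rely on `auth_use_nsswitch` providing equivalent access through its resolver interfaces; that dependency deserves a one-line comment at the first such removal, e.g. `# resolver and network config access now comes via auth_use_nsswitch`, so the next reader does not see an unexplained loss of access.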
@@ -2725,7 +2762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
domain_use_interactive_fds(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.6.4/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/avahi.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/avahi.te 2007-05-29 09:12:19.000000000 -0400
@@ -18,7 +18,7 @@
# Local policy
#
@@ -2735,6 +2772,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms setcap };
allow avahi_t self:fifo_file { read write };
+@@ -32,6 +32,8 @@
+ allow avahi_t avahi_var_run_t:dir setattr;
+ files_pid_filetrans(avahi_t,avahi_var_run_t,file)
+
++auth_use_nsswitch(avahi_t)
++
+ kernel_read_kernel_sysctls(avahi_t)
+ kernel_list_proc(avahi_t)
+ kernel_read_proc_symlinks(avahi_t)
+@@ -63,8 +65,6 @@
+ files_read_etc_runtime_files(avahi_t)
+ files_read_usr_files(avahi_t)
+
+-auth_use_nsswitch(avahi_t)
+-
+ init_signal_script(avahi_t)
+ init_signull_script(avahi_t)
+
+@@ -75,8 +75,6 @@
+
+ miscfiles_read_localization(avahi_t)
+
+-sysnet_read_config(avahi_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+ userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-05-21 10:46:53.000000000 -0400
@@ -2759,7 +2823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-2.6.4/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/consolekit.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/consolekit.te 2007-05-29 11:04:09.000000000 -0400
@@ -10,7 +10,6 @@
type consolekit_exec_t;
init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -2776,7 +2840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
-@@ -50,8 +48,15 @@
+@@ -50,8 +48,16 @@
libs_use_ld_so(consolekit_t)
libs_use_shared_libs(consolekit_t)
@@ -2788,13 +2852,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+userdom_ptrace_all_users(consolekit_t)
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
++domain_dontaudit_ptrace_all_domains(consolekit_t)
+
optional_policy(`
dbus_system_bus_client_template(consolekit, consolekit_t)
dbus_send_system_bus(consolekit_t)
-@@ -68,3 +73,9 @@
+@@ -67,4 +73,11 @@
+ optional_policy(`
xserver_read_all_users_xauth(consolekit_t)
xserver_stream_connect_xdm_xserver(consolekit_t)
++ xserver_stream_connect_xdm(consolekit_t)
')
+
+ifdef(`targeted_policy',`
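Review bot: `domain_dontaudit_ptrace_all_domains(consolekit_t)` is added with no comment saying what consolekit does that produces ptrace denials against every domain, on top of the `userdom_ptrace_all_users`, `hal_ptrace` and `mcs_ptrace_all` rules already in this hunk. A blanket dontaudit on ptrace removes a high-value audit signal, so if only a few domains actually trigger it a narrower dontaudit would keep the rest visible. At minimum the rule should carry a comment such as `# TODO(review): record which consolekit operation trips ptrace on unrelated domains` so the suppression can be revisited. The new `xserver_stream_connect_xdm(consolekit_t)` beside `xserver_stream_connect_xdm_xserver` looks intentional but would benefit from the same short justification.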
@@ -3406,7 +3473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-05-22 14:42:12.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-05-29 09:07:20.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -3420,29 +3487,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
type dovecot_cert_t;
files_type(dovecot_cert_t)
-@@ -111,7 +117,6 @@
+@@ -46,8 +52,6 @@
+ allow dovecot_t self:tcp_socket create_stream_socket_perms;
+ allow dovecot_t self:unix_dgram_socket create_socket_perms;
+ allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
+-
+ domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+@@ -67,6 +71,8 @@
+ manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t)
+ files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
+
++auth_use_nsswitch(dovecot_t)
++
+ kernel_read_kernel_sysctls(dovecot_t)
+ kernel_read_system_state(dovecot_t)
+
+@@ -110,9 +116,6 @@
+ miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
- sysnet_read_config(dovecot_t)
+-sysnet_read_config(dovecot_t)
-sysnet_use_ldap(dovecot_auth_t)
-
+-
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
-@@ -138,11 +143,11 @@
- ')
-
- optional_policy(`
-- squid_dontaudit_search_cache(dovecot_t)
-+ udev_read_db(dovecot_t)
+ userdom_priveleged_home_dir_manager(dovecot_t)
+@@ -130,10 +133,6 @@
')
optional_policy(`
-- udev_read_db(dovecot_t)
-+ squid_dontaudit_search_cache(dovecot_t)
+- nis_use_ypbind(dovecot_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(dovecot_t)
')
- ########################################
-@@ -150,19 +155,20 @@
+@@ -150,25 +149,29 @@
# dovecot auth local policy
#
@@ -3465,7 +3549,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
-@@ -177,6 +183,7 @@
+ kernel_read_all_sysctls(dovecot_auth_t)
+ kernel_read_system_state(dovecot_auth_t)
+
++logging_send_syslog_msg(dovecot_auth_t)
++logging_send_audit_msg(dovecot_auth_t)
++
+ dev_read_urand(dovecot_auth_t)
+
+ auth_domtrans_chk_passwd(dovecot_auth_t)
+@@ -177,6 +180,7 @@
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
@@ -3473,26 +3566,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -191,11 +198,51 @@
- seutil_dontaudit_search_config(dovecot_auth_t)
+@@ -190,12 +194,46 @@
- sysnet_dns_name_resolve(dovecot_auth_t)
-+sysnet_use_ldap(dovecot_auth_t)
+ seutil_dontaudit_search_config(dovecot_auth_t)
+-sysnet_dns_name_resolve(dovecot_auth_t)
+-
optional_policy(`
kerberos_use(dovecot_auth_t)
')
-+logging_send_syslog_msg(dovecot_auth_t)
-+logging_send_audit_msg(dovecot_auth_t)
-+
-+optional_policy(`
+ optional_policy(`
+- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
- optional_policy(`
-- logging_send_syslog_msg(dovecot_auth_t)
++optional_policy(`
+ postfix_create_pivate_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
+')
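Review bot: `sysnet_dns_name_resolve(dovecot_auth_t)` is removed, and the earlier `sysnet_use_ldap(dovecot_auth_t)` addition is dropped, yet the only `auth_use_nsswitch` call visible in the dovecot hunks is for `dovecot_t`, not `dovecot_auth_t`. If the unseen part of the dovecot_auth section (between the `@@ -150,25 +149,29 @@` header and this hunk) does not add `auth_use_nsswitch(dovecot_auth_t)`, the auth helper loses the DNS and LDAP access its passdb lookups presumably depend on; if it does, a comment at the removal such as `# name resolution and LDAP now come via auth_use_nsswitch` would make the replacement obvious. Moving `logging_send_syslog_msg`/`logging_send_audit_msg` out of `optional_policy` in the preceding hunk looks right, since logging is a base module.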
@@ -4062,6 +4152,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
# apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.6.4/policy/modules/services/nagios.te
+--- nsaserefpolicy/policy/modules/services/nagios.te 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/nagios.te 2007-05-29 09:04:20.000000000 -0400
+@@ -73,8 +73,10 @@
+ corenet_udp_sendrecv_all_nodes(nagios_t)
+ corenet_tcp_sendrecv_all_ports(nagios_t)
+ corenet_udp_sendrecv_all_ports(nagios_t)
++corenet_tcp_connect_all_ports(nagios_t)
+
+ dev_read_sysfs(nagios_t)
++dev_read_urand(nagios_t)
+
+ domain_use_interactive_fds(nagios_t)
+ # for ps
+@@ -97,8 +99,6 @@
+
+ miscfiles_read_localization(nagios_t)
+
+-sysnet_read_config(nagios_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+ userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
+
+@@ -121,7 +121,7 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(nagios_t)
++ auth_use_nsswitch(nagios_t)
+ ')
+
+ optional_policy(`
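Review bot: `corenet_tcp_connect_all_ports(nagios_t)` widens nagios from sending and receiving on all ports to initiating connections to any port, and nothing in the hunk records why. Presumably the service checks need to reach whatever ports the monitored hosts expose, but that should be stated next to the rule, e.g. `# service checks connect to arbitrary ports on monitored hosts`, so a later reviewer can judge whether a narrower port set would do. `dev_read_urand(nagios_t)` is a harmless addition; the `auth_use_nsswitch` swap follows the pattern raised on the arpwatch hunk.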
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-2.6.4/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if 2007-05-21 10:46:53.000000000 -0400
@@ -4088,6 +4210,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+ domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t)
+
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-2.6.4/policy/modules/services/nis.fc
+--- nsaserefpolicy/policy/modules/services/nis.fc 2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/nis.fc 2007-05-29 11:39:06.000000000 -0400
+@@ -4,6 +4,7 @@
+ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+
+ /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
++/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+
+ /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+ /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.6.4/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/nis.if 2007-05-21 10:46:53.000000000 -0400
@@ -4434,16 +4567,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.6.4/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.if 2007-05-21 10:46:53.000000000 -0400
-@@ -122,6 +122,7 @@
- allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
- allow postfix_$1_t self:tcp_socket create_socket_perms;
- allow postfix_$1_t self:udp_socket create_socket_perms;
-+ allow postfix_$1_t self:netlink_route_socket r_netlink_socket_perms;
++++ serefpolicy-2.6.4/policy/modules/services/postfix.if 2007-05-29 09:03:07.000000000 -0400
+@@ -116,6 +116,10 @@
+ ##
+ #
+ template(`postfix_server_domain_template',`
++ gen_require(`
++ type postfix_master_t;
++ ')
++
+ postfix_domain_template($1)
- domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+ allow postfix_$1_t self:capability { setuid setgid dac_override };
+@@ -137,10 +141,8 @@
+ corenet_tcp_connect_all_ports(postfix_$1_t)
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
-@@ -455,3 +456,22 @@
+- sysnet_read_config(postfix_$1_t)
+-
+ optional_policy(`
+- nis_use_ypbind(postfix_$1_t)
++ auth_use_nsswitch(postfix_$1_t)
+ ')
+ ')
+
+@@ -455,3 +457,22 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -4468,8 +4616,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-05-21 10:46:53.000000000 -0400
-@@ -169,6 +169,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-05-29 11:49:32.000000000 -0400
+@@ -169,12 +169,18 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -4478,7 +4626,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(postfix_master_t)
term_dontaudit_use_generic_ptys(postfix_master_t)
-@@ -184,6 +186,10 @@
+ ')
+
+ optional_policy(`
++ auth_use_nsswitch(postfix_master_t)
++')
++
++optional_policy(`
+ cyrus_stream_connect(postfix_master_t)
+ ')
+
+@@ -184,6 +190,10 @@
')
optional_policy(`
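Review bot: `auth_use_nsswitch(postfix_master_t)` is added in a new `optional_policy` block while the context of the following hunk still shows `nis_use_ypbind(postfix_master_t)` in its own `optional_policy` block. In the other domains touched by this commit the ypbind call is replaced rather than kept, and if `auth_use_nsswitch` already pulls in ypbind access the retained call is redundant; dropping the `nis_use_ypbind(postfix_master_t)` block would make postfix_master_t consistent with the rest of the change. As raised on the arpwatch hunk, the `optional_policy` wrapper around `auth_use_nsswitch` itself is presumably unnecessary.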
@@ -4489,7 +4647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
nis_use_ypbind(postfix_master_t)
')
-@@ -210,6 +216,7 @@
+@@ -210,6 +220,7 @@
allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
@@ -4497,7 +4655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t postfix_public_t:dir search;
-@@ -228,6 +235,7 @@
+@@ -228,6 +239,7 @@
#
allow postfix_cleanup_t self:process setrlimit;
@@ -4505,7 +4663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# connect to master process
stream_connect_pattern(postfix_cleanup_t,postfix_private_t,postfix_private_t,postfix_master_t)
-@@ -250,6 +258,7 @@
+@@ -250,6 +262,7 @@
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
@@ -4513,7 +4671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
manage_dirs_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
manage_files_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
-@@ -369,6 +378,7 @@
+@@ -369,6 +382,7 @@
#
allow postfix_pickup_t self:tcp_socket create_socket_perms;
@@ -4521,7 +4679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t)
-@@ -386,7 +396,7 @@
+@@ -386,7 +400,7 @@
# Postfix pipe local policy
#
@@ -4530,7 +4688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-@@ -395,6 +405,10 @@
+@@ -395,6 +409,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
@@ -4541,7 +4699,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
procmail_domtrans(postfix_pipe_t)
')
-@@ -475,6 +489,8 @@
+@@ -441,6 +459,10 @@
+ ')
+
+ optional_policy(`
++ fstools_read_pipes(postfix_postdrop_t)
++')
++
++optional_policy(`
+ ppp_use_fds(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+ ')
+@@ -475,6 +497,8 @@
# Postfix qmgr local policy
#
@@ -4550,7 +4719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
stream_connect_pattern(postfix_qmgr_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t,postfix_public_t,postfix_public_t)
-@@ -519,8 +535,6 @@
+@@ -519,8 +543,6 @@
# Postfix smtp delivery local policy
#
@@ -4559,7 +4728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -552,9 +566,18 @@
+@@ -552,9 +574,18 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
@@ -5426,7 +5595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+unconfined_domain(samba_unconfined_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.6.4/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/sasl.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/sasl.te 2007-05-29 10:35:15.000000000 -0400
@@ -63,6 +63,7 @@
selinux_compute_access_vector(saslauthd_t)
@@ -5435,6 +5604,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
auth_use_nsswitch(saslauthd_t)
domain_use_interactive_fds(saslauthd_t)
+@@ -79,6 +80,7 @@
+ libs_use_shared_libs(saslauthd_t)
+
+ logging_send_syslog_msg(saslauthd_t)
++logging_send_audit_msg(saslauthd_t)
+
+ miscfiles_read_localization(saslauthd_t)
+ miscfiles_read_certs(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-2.6.4/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/sendmail.if 2007-05-21 10:46:53.000000000 -0400
@@ -5565,6 +5742,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-2.6.4/policy/modules/services/spamassassin.if
+--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/spamassassin.if 2007-05-29 10:25:34.000000000 -0400
+@@ -466,6 +466,7 @@
+ ')
+
+ files_search_var_lib($1)
++ list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+ read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.6.4/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/spamassassin.te 2007-05-21 10:46:53.000000000 -0400
@@ -5929,13 +6117,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.4/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-05-29 09:10:31.000000000 -0400
@@ -27,11 +27,9 @@
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
- allow $1_chkpwd_t self:capability { audit_control setuid };
-+ allow $1_chkpwd_t self:capability setuid;
++ allow $1_chkpwd_t self:capability { dac_override setuid };
allow $1_chkpwd_t self:process getattr;
- send_audit_msgs_pattern($1_chkpwd_t)
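Review bot: `$1_chkpwd_t` now gets `dac_override` in addition to `setuid`, with nothing in the hunk saying which file access needs it. The helper's job is reading the shadow file, whose SELinux-side access is granted separately, so `dac_override` only matters if the helper runs with a uid that cannot read the file by DAC; since it bypasses every DAC check the reason should sit next to the capability, e.g. `# dac_override: shadow is read while still running under the caller's uid` (confirm the actual trigger before committing that wording). Without it the widening is hard to revisit when the helper changes.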
@@ -5951,16 +6139,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
miscfiles_read_localization($1_chkpwd_t)
-@@ -109,7 +108,7 @@
+@@ -109,7 +108,8 @@
role $3 types system_chkpwd_t;
# cjp: is this really needed?
- allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ logging_send_audit_msg($2)
++ logging_set_loginuid($1)
dontaudit $2 shadow_t:file { getattr read };
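Review bot: `logging_set_loginuid($1)` passes `$1`, but in this template `$1` is the prefix used to build `$1_chkpwd_t` (see `domain_type($1_chkpwd_t)` earlier in the section), while the adjacent `logging_send_audit_msg($2)` passes the user domain; if this hunk is still inside that template the argument is a prefix rather than a type and should read `logging_set_loginuid($2)` or `logging_set_loginuid($1_chkpwd_t)`, whichever domain actually needs it. The choice matters: the logging.if hunk shows the interface apparently granting `audit_control` plus `nlmsg_relay` on the audit socket, i.e. the ability to change the audit login uid, which is normally reserved for login programs rather than every user domain. The template's start and end are outside this hunk.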
-@@ -152,21 +151,12 @@
+@@ -152,21 +152,12 @@
##
#
template(`auth_domtrans_user_chk_passwd',`
@@ -5987,7 +6176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -180,6 +170,9 @@
+@@ -180,6 +171,9 @@
##
#
interface(`auth_login_pgm_domain',`
@@ -5997,17 +6186,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -187,6 +180,9 @@
+@@ -187,6 +181,11 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
+
++ logging_send_audit_msg($1)
++
# for SSP/ProPolice
dev_read_urand($1)
-@@ -211,9 +207,11 @@
+@@ -211,9 +210,11 @@
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
@@ -6020,7 +6211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
init_rw_utmp($1)
logging_send_syslog_msg($1)
-@@ -221,6 +219,7 @@
+@@ -221,6 +222,7 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -6028,7 +6219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -320,10 +319,6 @@
+@@ -320,10 +322,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -6039,7 +6230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -357,6 +352,37 @@
+@@ -357,6 +355,37 @@
########################################
##
@@ -6077,7 +6268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -1391,3 +1417,114 @@
+@@ -1391,3 +1420,114 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -6288,6 +6479,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-2.6.4/policy/modules/system/fstools.if
+--- nsaserefpolicy/policy/modules/system/fstools.if 2007-05-07 14:51:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/fstools.if 2007-05-29 11:48:37.000000000 -0400
+@@ -124,3 +124,22 @@
+
+ allow $1 swapfile_t:file getattr;
+ ')
++
++########################################
++##
++## Read fstools unnamed pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fstools_read_pipes',`
++ gen_require(`
++ type fsdaemon_t;
++ ')
++
++ allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-05-21 10:46:53.000000000 -0400
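Review bot: The new `fstools_read_pipes` interface requires `fsdaemon_t`, but the fstools.fc context just above labels the fstools binaries `fsadm_exec_t`, so the fstools domain is `fsadm_t`; `fsdaemon_t` is, as far as I recall, the smartd domain declared in the smartmon module. The interface therefore lives in a module that does not own the type it requires, and its name misdescribes what it grants (postdrop, per the postfix.te caller added in this commit, reading smartd's pipes). If the smartd reading is right, the interface belongs in smartmon.if as `smartmon_read_pipes` with the postfix.te call renamed to match; if `fsdaemon_t` really is intended here, the `## Read fstools unnamed pipes.` summary should name the daemon whose pipes are read.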
@@ -6779,8 +6996,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.6.4/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.if 2007-05-21 10:46:53.000000000 -0400
-@@ -302,6 +302,25 @@
++++ serefpolicy-2.6.4/policy/modules/system/logging.if 2007-05-29 09:11:30.000000000 -0400
+@@ -223,6 +223,25 @@
+
+ ########################################
+ ##
++## Execute klogd in the klog domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_domtrans_klog',`
++ gen_require(`
++ type klogd_t, klogd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,klogd_exec_t,klogd_t)
++')
++
++########################################
++##
+ ## Create an object in the log directory, with a private
+ ## type using a type transition.
+ ##
+@@ -302,6 +321,25 @@
########################################
##
@@ -6806,7 +7049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
-@@ -436,7 +455,7 @@
+@@ -436,7 +474,7 @@
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
@@ -6815,7 +7058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -480,6 +499,8 @@
+@@ -480,6 +518,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
@@ -6824,7 +7067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -563,3 +584,121 @@
+@@ -563,3 +603,121 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
@@ -6868,7 +7111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ typeattribute $1 can_set_loginuid, can_send_audit_msg;
+
+ allow $1 self:capability audit_control;
-+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
++ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };
+')
+
+########################################
@@ -7101,7 +7344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.6.4/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/modutils.te 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/modutils.te 2007-05-29 11:16:14.000000000 -0400
@@ -102,6 +102,7 @@
init_use_fds(insmod_t)
init_use_script_fds(insmod_t)
@@ -7110,7 +7353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
libs_use_ld_so(insmod_t)
libs_use_shared_libs(insmod_t)
-@@ -123,6 +124,14 @@
+@@ -123,6 +124,18 @@
')
optional_policy(`
@@ -7118,6 +7361,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
+')
+
+optional_policy(`
++ firstboot_dontaudit_rw_pipes(insmod_t)
++')
++
++optional_policy(`
+ hal_write_log(insmod_t)
+')
+
@@ -7125,7 +7372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
hotplug_search_config(insmod_t)
')
-@@ -155,6 +164,7 @@
+@@ -155,6 +168,7 @@
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -7133,7 +7380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
')
optional_policy(`
-@@ -185,6 +195,7 @@
+@@ -185,6 +199,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
@@ -7684,7 +7931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.6.4/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.if 2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.if 2007-05-29 11:47:34.000000000 -0400
@@ -18,7 +18,7 @@
')