2008-02-26 19:24:53 +00:00 · 2008-02-26 19:24:53 +00:00 · 063999dd85
parent 27b2b09ffe
commit 063999dd85
2 changed files with 247 additions and 86 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -5996,7 +5996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-02-26 13:48:22.000000000 -0500
@@ -7,11 +7,11 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -6032,7 +6032,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -127,6 +135,8 @@
+@@ -99,11 +107,6 @@
+ /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+ 
+-ifdef(`distro_redhat',`
+-/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+-')
+-
+ #
+ # /sbin
+ #
+@@ -127,6 +130,8 @@
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
@ -6041,7 +6053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /usr
 #
-@@ -144,10 +154,7 @@
+@@ -144,10 +149,7 @@
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -6053,7 +6065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -178,6 +185,8 @@
+@@ -178,6 +180,8 @@
 /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -6062,7 +6074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-@@ -185,8 +194,12 @@
+@@ -185,8 +189,12 @@
 /usr/local/Brother(/.*)?/lpd(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
@ -6075,7 +6087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +297,10 @@
+@@ -284,3 +292,10 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -6088,7 +6100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.3.1/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if	2008-02-26 11:58:10.000000000 -0500
@@ -875,6 +875,7 @@
 
 	read_lnk_files_pattern($1,bin_t,bin_t)
@ -6199,7 +6211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(xen, tcp,8002,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.3.1/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc	2008-02-26 14:17:28.000000000 -0500
@@ -1,7 +1,7 @@
 
 /dev			-d	gen_context(system_u:object_r:device_t,s0)
@ -6209,7 +6221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/admmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -12,32 +12,45 @@
+@@ -12,42 +12,58 @@
 /dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@ -6255,7 +6267,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -48,6 +61,7 @@
+ /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+ /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
@ -6263,7 +6280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
-@@ -69,9 +83,8 @@
+@@ -69,9 +85,8 @@
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
@ -6275,7 +6292,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -98,13 +111,23 @@
+@@ -91,6 +106,7 @@
+ 
+ /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
+ 
+/dev/cpu_dma_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+ /dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
+ 
+@@ -98,13 +114,23 @@
 
 /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 
@ -6299,9 +6324,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 
 /dev/pts(/.*)?			<<none>>
 
+@@ -134,3 +160,4 @@
+ /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
+ /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
+ ')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-02-26 14:19:56.000000000 -0500
@@ -65,7 +65,7 @@
 
 	relabelfrom_dirs_pattern($1,device_t,device_node)
@ -6476,7 +6506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ##	Mount a usbfs filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -3322,3 +3452,96 @@
+@@ -3322,3 +3452,150 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
@ -6573,9 +6603,63 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +	rw_chr_files_pattern($1,device_t,autofs_device_t)
 +')
 +
+########################################
+## <summary>
+##	Get the attributes of the network control device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	getattr_chr_files_pattern($1,device_t,netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Read the network control identity.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	read_chr_files_pattern($1,device_t,netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the the network control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	rw_chr_files_pattern($1,device_t,netcontrol_device_t)
+')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.3.1/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te	2008-02-26 14:16:11.000000000 -0500
@@ -32,6 +32,12 @@
 type apm_bios_t;
 dev_node(apm_bios_t)
@ -6589,7 +6673,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 type cardmgr_dev_t;
 dev_node(cardmgr_dev_t)
 files_tmp_file(cardmgr_dev_t)
-@@ -66,12 +72,25 @@
+@@ -49,6 +55,12 @@
+ type cpu_device_t;
+ dev_node(cpu_device_t)
+ 
+#
+# network control devices 
+#
+type netcontrol_device_t;
+dev_node(netcontrol_device_t)
+
+ # for the IBM zSeries z90crypt hardware ssl accelorator
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+@@ -66,12 +78,25 @@
 dev_node(framebuf_device_t)
 
 #
@ -9396,7 +9493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann
 +/etc/rc.d/init.d/canna	--	gen_context(system_u:object_r:canna_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.3.1/policy/modules/services/canna.if
 --- nsaserefpolicy/policy/modules/services/canna.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/canna.if	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/canna.if	2008-02-26 11:51:53.000000000 -0500
@@ -18,3 +18,74 @@
 	files_search_pids($1)
 	stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t)
@ -11210,9 +11307,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
 ########################################
 #
 # Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.3.1/policy/modules/services/dbus.fc
+--- nsaserefpolicy/policy/modules/services/dbus.fc	2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/dbus.fc	2008-02-26 11:48:35.000000000 -0500
+@@ -4,6 +4,9 @@
+ /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+ /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+ 
+/lib/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+
+ /var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+ 
+ /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.if	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if	2008-02-26 12:56:03.000000000 -0500
@@ -53,6 +53,7 @@
 	gen_require(`
 		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -11266,6 +11376,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 	allow $1_dbusd_t $2:process sigkill;
 	allow $2 $1_dbusd_t:fd use;
 	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+@@ -115,8 +117,8 @@
+ 	kernel_read_kernel_sysctls($1_dbusd_t)
+ 
+ 	corecmd_list_bin($1_dbusd_t)
+-	corecmd_read_bin_symlinks($1_dbusd_t)
+ 	corecmd_read_bin_files($1_dbusd_t)
+	corecmd_read_bin_symlinks($1_dbusd_t)
+ 	corecmd_read_bin_pipes($1_dbusd_t)
+ 	corecmd_read_bin_sockets($1_dbusd_t)
+ 
@@ -139,6 +141,7 @@
 
 	fs_getattr_romfs($1_dbusd_t)
@ -11472,7 +11592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-02-26 10:53:25.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-02-26 14:09:20.000000000 -0500
@@ -9,6 +9,7 @@
 #
 # Delcarations
@ -11515,7 +11635,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -65,6 +78,7 @@
+@@ -43,6 +56,8 @@
+ # Receive notifications of policy reloads and enforcing status changes.
+ allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+ 
+can_exec(system_dbusd_t,system_dbusd_exec_t)
+
+ allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+ read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+@@ -65,6 +80,7 @@
 
 fs_getattr_all_fs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
@ -11523,15 +11652,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 
 selinux_get_fs_mount(system_dbusd_t)
 selinux_validate_context(system_dbusd_t)
-@@ -91,6 +105,7 @@
+@@ -81,7 +97,6 @@
+ corecmd_list_bin(system_dbusd_t)
+ corecmd_read_bin_pipes(system_dbusd_t)
+ corecmd_read_bin_sockets(system_dbusd_t)
+-corecmd_exec_bin(system_dbusd_t)
+ 
+ domain_use_interactive_fds(system_dbusd_t)
+ 
+@@ -91,6 +106,8 @@
 
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
-+init_domtrans_script(system_dbusd_t)
+init_dbus_chat_script(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
 
 libs_use_ld_so(system_dbusd_t)
 libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +136,20 @@
+@@ -121,9 +138,20 @@
 ')
 
 optional_policy(`
@ -12300,24 +12438,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +/etc/rc.d/init.d/dovecot	--	gen_context(system_u:object_r:dovecot_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.3.1/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dovecot.if	2008-02-26 10:29:56.000000000 -0500
-@@ -21,14 +21,53 @@
+++ serefpolicy-3.3.1/policy/modules/services/dovecot.if	2008-02-26 13:09:21.000000000 -0500
+@@ -21,7 +21,46 @@
 
 ########################################
 ## <summary>
 -##      Do not audit attempts to delete dovecot lib files.
 +##	Connect to dovecot auth unix domain stream socket.
- ## </summary>
- ## <param name="domain">
-##      <summary>
-##      Domain to not audit.
-##      </summary>
+## </summary>
+## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
- ## </param>
+## </param>
 +## <rolecap/>
- #
+#
 +interface(`dovecot_auth_stream_connect',`
 +	gen_require(`
 +		type dovecot_auth_t, dovecot_var_run_t;
@ -12346,19 +12481,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +	domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t)
 +')
 +
-+########################################
-+### <summary>
-+###      Do not audit attempts to delete dovecot lib files.
-+### </summary>
-+### <param name="domain">
-+###      <summary>
-+###      Domain to not audit.
-+###      </summary>
-+### </param>
-+##
- interface(`dovecot_dontaudit_unlink_lib_files',`
- 	gen_require(`
- 		type dovecot_var_lib_t;
+#######################################
+## <summary>
+##      Do not audit attempts to d`elete dovecot lib files.
+ ## </summary>
+ ## <param name="domain">
+ ##      <summary>
@@ -36,3 +75,89 @@
 
 	dontaudit $1 dovecot_var_lib_t:file unlink;
@ -15398,11 +15526,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-02-26 08:29:22.000000000 -0500
-@@ -1,7 +1,9 @@
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-02-26 14:08:24.000000000 -0500
+@@ -1,7 +1,10 @@
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
 /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
@ -24225,7 +24354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-02-26 13:19:58.000000000 -0500
@@ -99,7 +99,7 @@
 template(`authlogin_per_role_template',`
 
@ -24271,7 +24400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	# for SSP/ProPolice
 	dev_read_urand($1)
 	# for fingerprint readers
-@@ -226,6 +242,31 @@
+@@ -226,6 +242,33 @@
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
@ -24288,6 +24417,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +	')
 +
 +	optional_policy(`
+		corecmd_exec_bin($1)
+		storage_getattr_fixed_disk_dev($1)
 +		mount_domtrans($1)
 +	')
 +
@ -24303,7 +24434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
-@@ -342,6 +383,8 @@
+@@ -342,6 +385,8 @@
 
 	optional_policy(`
 		kerberos_use($1)
@ -24312,7 +24443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 
 	optional_policy(`
-@@ -356,6 +399,28 @@
+@@ -356,6 +401,28 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
@ -24341,7 +24472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 
 ########################################
-@@ -369,12 +434,12 @@
+@@ -369,12 +436,12 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -24356,7 +24487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	</summary>
 ## </param>
 #
-@@ -386,6 +451,7 @@
+@@ -386,6 +453,7 @@
 	auth_domtrans_chk_passwd($1)
 	role $2 types system_chkpwd_t;
 	allow system_chkpwd_t $3:chr_file rw_file_perms;
@ -24364,7 +24495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 
 ########################################
-@@ -1457,6 +1523,7 @@
+@@ -1457,6 +1525,7 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 		samba_read_var_files($1)
@ -24372,7 +24503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
 
-@@ -1491,3 +1558,23 @@
+@@ -1491,3 +1560,23 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -24554,7 +24685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
 -
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-02-26 10:48:51.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-02-26 14:08:51.000000000 -0500
@@ -211,6 +211,13 @@
 			kernel_dontaudit_use_fds($1)
 		')
@ -24607,26 +24738,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 	')
 ')
 
-@@ -567,18 +575,46 @@
+@@ -567,23 +575,70 @@
 #
 interface(`init_domtrans_script',`
 	gen_require(`
 -		type initrc_t, initrc_exec_t;
 +		type initrc_t;
 +		attribute initscript;
- 	')
- 
- 	files_list_etc($1)
-	domtrans_pattern($1,initrc_exec_t,initrc_t)
+	')
+
+	files_list_etc($1)
 +	domtrans_pattern($1,initscript,initrc_t)
- 
- 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+
+	ifdef(`enable_mcs',`
 +		range_transition $1 initscript:process s0;
- 	')
- 
- 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+	')
+
+	ifdef(`enable_mls',`
 +		range_transition $1 initscript:process s0 - mls_systemhigh;
 +	')
 +')
@ -24644,21 +24772,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +interface(`init_script_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
-+
-+	files_list_etc($1)
+ 	')
+ 
+ 	files_list_etc($1)
+-	domtrans_pattern($1,initrc_exec_t,initrc_t)
 +	domtrans_pattern($1,$2,initrc_t)
-+
-+	ifdef(`enable_mcs',`
+ 
+ 	ifdef(`enable_mcs',`
+-		range_transition $1 initrc_exec_t:process s0;
 +		range_transition $1 $2:process s0;
-+	')
-+
-+	ifdef(`enable_mls',`
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 $2:process s0 - mls_systemhigh;
 	')
 ')
 
-@@ -609,11 +645,11 @@
+ ########################################
+ ## <summary>
+##	Execute a file in a bin directory
+##	in the initrc_t domain 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	corecmd_bin_domtrans($1, initrc_t)
+')
+
+########################################
+## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -609,11 +664,11 @@
 # cjp: added for gentoo integrated run_init
 interface(`init_script_file_domtrans',`
 	gen_require(`
@ -24672,7 +24827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -684,11 +720,11 @@
+@@ -684,11 +739,11 @@
 #
 interface(`init_getattr_script_files',`
 	gen_require(`
@ -24686,7 +24841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -703,11 +739,11 @@
+@@ -703,11 +758,11 @@
 #
 interface(`init_exec_script_files',`
 	gen_require(`
@ -24700,7 +24855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -931,6 +967,7 @@
+@@ -931,6 +986,7 @@
 
 	dontaudit $1 initrc_t:unix_stream_socket connectto;
 ')
@ -24708,7 +24863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ########################################
 ## <summary>
 ##	Send messages to init scripts over dbus.
-@@ -1030,11 +1067,11 @@
+@@ -1030,11 +1086,11 @@
 #
 interface(`init_read_script_files',`
 	gen_require(`
@ -24722,7 +24877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -1097,6 +1134,25 @@
+@@ -1097,6 +1153,25 @@
 
 ########################################
 ## <summary>
@ -24748,7 +24903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
-@@ -1252,7 +1308,7 @@
+@@ -1252,7 +1327,7 @@
 		type initrc_var_run_t;
 	')
 
@ -24757,7 +24912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -1273,3 +1329,112 @@
+@@ -1273,3 +1348,114 @@
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file manage_file_perms;
 ')
@ -24870,6 +25025,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +	allow $1 init_t:unix_dgram_socket sendto;
 +	allow init_t $1:unix_dgram_socket sendto;
 +')
+
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 08:17:43.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-02-26 10:49:22.000000000 -0500
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -388,8 +388,12 @@ exit 0
 %endif

 %changelog
+* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-3
+
 * Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-2
- 
+- Fix Makefile.devel to build mls modules
+- Fix qemu to be more specific on labeling
+

 * Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-1
 - Update to upstream fixes