- Update to upstream

Daniel J Walsh 2007-11-12 22:47:17 +00:00
parent 7330e86b90
commit 06da2697cc
1 changed files with 283 additions and 100 deletions


@ -1087,7 +1087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.1.0/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/admin/prelink.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/admin/prelink.te 2007-11-12 10:43:25.000000000 -0500
@@ -26,7 +26,7 @@
# Local policy
#
@ -1137,6 +1137,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
')
@@ -88,3 +94,7 @@
optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')
+
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.1.0/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/admin/rpm.fc 2007-11-06 09:28:35.000000000 -0500
@ -2967,7 +2975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.1.0/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-08 14:28:51.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-12 16:37:44.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@ -2977,7 +2985,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
relabelfrom_fifo_files_pattern($1,device_t,device_node)
relabelfrom_sock_files_pattern($1,device_t,device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@@ -2787,6 +2787,97 @@
@@ -167,6 +167,25 @@
########################################
## <summary>
+## Manage of directories in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to relabel.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_dirs_pattern($1,device_t,device_t)
+')
+
+
+########################################
+## <summary>
## Delete a directory in the device directory.
## </summary>
## <param name="domain">
@@ -2787,6 +2806,97 @@
########################################
## <summary>
@ -3075,7 +3109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
@@ -3322,3 +3413,4 @@
@@ -3322,3 +3432,4 @@
typeattribute $1 devices_unconfined_type;
')
@ -3400,7 +3434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.1.0/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-08 09:03:24.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-12 10:17:15.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@ -3692,7 +3726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-23 07:37:52.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-07 15:26:15.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-12 17:45:22.000000000 -0500
@@ -20,20 +20,22 @@
# Declarations
#
@ -4073,15 +4107,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@ -4133,19 +4167,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
@@ -730,3 +862,20 @@
@@ -730,3 +862,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
@ -4964,7 +5024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.1.0/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-10-29 07:52:49.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-08 13:32:52.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-12 17:22:30.000000000 -0500
@@ -48,9 +48,7 @@
type hplip_t;
type hplip_exec_t;
@ -5075,7 +5135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
init_exec_script_files(cupsd_t)
@@ -221,17 +222,37 @@
@@ -221,17 +222,38 @@
sysnet_read_config(cupsd_t)
@ -5099,6 +5159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+ init_stream_connect_script(cupsd_t)
+
+ unconfined_rw_pipes(cupsd_t)
+ unconfined_rw_stream_sockets(cupsd_t)
+
+ optional_policy(`
+ init_dbus_chat_script(cupsd_t)
@ -5113,7 +5174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
apm_domtrans_client(cupsd_t)
')
@@ -262,16 +283,16 @@
@@ -262,16 +284,16 @@
')
optional_policy(`
@ -5134,7 +5195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
seutil_sigchld_newrole(cupsd_t)
')
@@ -291,7 +312,9 @@
@@ -291,7 +313,9 @@
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
@ -5145,7 +5206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t,cupsd_t)
@@ -330,6 +353,7 @@
@@ -330,6 +354,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@ -5153,7 +5214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -354,6 +378,8 @@
@@ -354,6 +379,8 @@
logging_send_syslog_msg(cupsd_config_t)
@ -5162,7 +5223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
miscfiles_read_localization(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
@@ -376,6 +402,14 @@
@@ -376,6 +403,14 @@
')
optional_policy(`
@ -5177,7 +5238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -391,6 +425,7 @@
@@ -391,6 +426,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@ -5185,7 +5246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
@@ -402,14 +437,6 @@
@@ -402,14 +438,6 @@
')
optional_policy(`
@ -5200,7 +5261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
rpm_read_db(cupsd_config_t)
')
@@ -430,7 +457,6 @@
@@ -430,7 +458,6 @@
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
allow cupsd_lpd_t self:udp_socket create_socket_perms;
@ -5208,7 +5269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# for identd
# cjp: this should probably only be inetd_child rules?
@@ -480,6 +506,8 @@
@@ -480,6 +507,8 @@
files_read_etc_files(cupsd_lpd_t)
@ -5217,7 +5278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)
@@ -495,14 +523,6 @@
@@ -495,14 +524,6 @@
inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
')
@ -5232,7 +5293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
########################################
#
# HPLIP local policy
@@ -523,11 +543,9 @@
@@ -523,11 +544,9 @@
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
@ -5247,7 +5308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
@@ -558,7 +576,9 @@
@@ -558,7 +577,9 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@ -5258,7 +5319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
@@ -585,8 +605,6 @@
@@ -585,8 +606,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@ -5267,7 +5328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
@@ -666,3 +684,15 @@
@@ -666,3 +685,15 @@
optional_policy(`
udev_read_db(ptal_t)
')
@ -6156,8 +6217,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.1.0/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-08 13:24:56.000000000 -0500
@@ -84,6 +84,7 @@
+++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-12 11:36:04.000000000 -0500
@@ -30,6 +30,10 @@
type inetd_child_var_run_t;
files_pid_file(inetd_child_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
+')
+
########################################
#
# Local policy
@@ -84,6 +88,7 @@
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
@ -6165,7 +6237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rlogind_port(inetd_t)
@@ -137,6 +138,7 @@
@@ -137,6 +142,7 @@
miscfiles_read_localization(inetd_t)
# xinetd needs MLS override privileges to work
@ -6173,7 +6245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -164,6 +166,7 @@
@@ -164,6 +170,7 @@
')
optional_policy(`
@ -6181,7 +6253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
unconfined_domtrans(inetd_t)
')
@@ -180,6 +183,9 @@
@@ -180,6 +187,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
@ -6191,7 +6263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
@@ -226,3 +232,7 @@
@@ -226,3 +236,7 @@
optional_policy(`
unconfined_domain(inetd_child_t)
')
@ -6209,19 +6281,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.1.0/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/kerberos.if 2007-11-07 11:41:20.000000000 -0500
@@ -42,6 +42,10 @@
dontaudit $1 krb5_conf_t:file write;
+++ serefpolicy-3.1.0/policy/modules/services/kerberos.if 2007-11-12 16:50:13.000000000 -0500
@@ -43,7 +43,13 @@
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
+ seutil_dontaudit_read_file_contexts($1)
+
tunable_policy(`allow_kerberos',`
+ fs_rw_tmpfs_files($1)
+
allow $1 self:tcp_socket create_socket_perms;
@@ -61,9 +65,6 @@
allow $1 self:udp_socket create_socket_perms;
@@ -61,11 +67,7 @@
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
@ -6229,9 +6304,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
- sysnet_read_config($1)
- sysnet_dns_name_resolve($1)
')
-
optional_policy(`
@@ -172,3 +173,51 @@
tunable_policy(`allow_kerberos',`
pcscd_stream_connect($1)
@@ -172,3 +174,51 @@
allow $1 krb5kdc_conf_t:file read_file_perms;
')
@ -7488,6 +7565,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
logrotate_exec(ntpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.1.0/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/openct.te 2007-11-12 10:46:57.000000000 -0500
@@ -22,6 +22,7 @@
allow openct_t self:process signal_perms;
manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
files_pid_filetrans(openct_t,openct_var_run_t,file)
kernel_read_kernel_sysctls(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.1.0/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-07 15:47:03.000000000 -0500
@ -8273,7 +8361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.1.0/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-10-02 09:54:52.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/rlogin.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/rlogin.te 2007-11-12 10:59:25.000000000 -0500
@@ -36,6 +36,8 @@
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rlogind_t,rlogind_devpts_t)
@ -9720,7 +9808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.1.0/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/ssh.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/ssh.te 2007-11-12 11:36:01.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@ -9988,7 +10076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
+miscfiles_read_certs(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.1.0/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/xserver.fc 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/xserver.fc 2007-11-12 11:55:11.000000000 -0500
@@ -32,11 +32,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@ -10011,9 +10099,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -92,13 +88,16 @@
@@ -91,14 +87,19 @@
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@ -10026,12 +10116,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.1.0/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-08 14:26:18.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-12 16:37:20.000000000 -0500
@@ -58,7 +58,6 @@
allow $1_xserver_t self:msg { send receive };
allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@ -10040,7 +10131,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
allow $1_xserver_t self:udp_socket create_socket_perms;
@@ -126,6 +125,9 @@
@@ -116,8 +115,7 @@
dev_rw_agp($1_xserver_t)
dev_rw_framebuffer($1_xserver_t)
dev_manage_dri_dev($1_xserver_t)
- dev_create_generic_dirs($1_xserver_t)
- dev_setattr_generic_dirs($1_xserver_t)
+ dev_manage_generic_dirs($1_xserver_t)
# raw memory access is needed if not using the frame buffer
dev_read_raw_memory($1_xserver_t)
dev_wx_raw_memory($1_xserver_t)
@@ -126,6 +124,9 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
@ -10050,7 +10151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_mmap_low($1_xserver_t)
@@ -141,10 +143,14 @@
@@ -141,10 +142,14 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
@ -10066,7 +10167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
@@ -160,8 +166,6 @@
@@ -160,8 +165,6 @@
seutil_dontaudit_search_config($1_xserver_t)
@ -10075,7 +10176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow $1_xserver_t self:process { execmem execheap execstack };
')
@@ -179,14 +183,6 @@
@@ -179,14 +182,6 @@
')
optional_policy(`
@ -10090,7 +10191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
rhgb_getpgid($1_xserver_t)
rhgb_signal($1_xserver_t)
')
@@ -251,7 +247,7 @@
@@ -251,7 +246,7 @@
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
@ -10099,7 +10200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type $1_iceauth_t;
domain_type($1_iceauth_t)
@@ -282,11 +278,14 @@
@@ -282,11 +277,14 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@ -10114,7 +10215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
@@ -316,6 +315,7 @@
@@ -316,6 +314,7 @@
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@ -10122,7 +10223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t)
@@ -353,12 +353,6 @@
@@ -353,12 +352,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@ -10135,7 +10236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
@@ -387,6 +381,14 @@
@@ -387,6 +380,14 @@
')
optional_policy(`
@ -10150,7 +10251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
nis_use_ypbind($1_xauth_t)
')
@@ -536,17 +538,15 @@
@@ -536,17 +537,15 @@
template(`xserver_user_client_template',`
gen_require(`
@ -10174,7 +10275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -555,25 +555,53 @@
@@ -555,25 +554,53 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@ -10236,7 +10337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
@@ -626,6 +654,24 @@
@@ -626,6 +653,24 @@
########################################
## <summary>
@ -10261,7 +10362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -659,6 +705,73 @@
@@ -659,6 +704,73 @@
########################################
## <summary>
@ -10335,7 +10436,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -927,6 +1040,7 @@
@@ -873,6 +985,25 @@
########################################
## <summary>
+## Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_stream_connect',`
+ gen_require(`
+ type xdm_xserver_t, xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t)
+')
+
+########################################
+## <summary>
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
@@ -927,6 +1058,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -10343,7 +10470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -987,6 +1101,37 @@
@@ -987,6 +1119,37 @@
########################################
## <summary>
@ -10381,7 +10508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -1136,7 +1281,7 @@
@@ -1136,7 +1299,7 @@
type xdm_xserver_tmp_t;
')
@ -10390,7 +10517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -1325,3 +1470,45 @@
@@ -1325,3 +1488,45 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@ -10438,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.1.0/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-12 11:58:29.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@ -10453,7 +10580,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Allow xdm logins as sysadm
## </p>
## </desc>
@@ -96,7 +103,7 @@
@@ -56,6 +63,12 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
+
+type xdm_var_run_t;
+files_pid_file(xdm_var_run_t)
+
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
typealias xdm_tmp_t alias ice_tmp_t;
@@ -96,7 +109,7 @@
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
@ -10462,7 +10602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -132,15 +139,20 @@
@@ -132,15 +145,20 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -10484,7 +10624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -185,6 +197,7 @@
@@ -185,6 +203,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@ -10492,7 +10632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
@@ -197,6 +210,7 @@
@@ -197,6 +216,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@ -10500,7 +10640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -246,6 +260,7 @@
@@ -246,6 +266,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -10508,7 +10648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -257,6 +272,7 @@
@@ -257,6 +278,7 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -10516,7 +10656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
@@ -271,6 +287,10 @@
@@ -271,6 +293,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -10527,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
@@ -306,6 +326,10 @@
@@ -306,6 +332,10 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@ -10538,7 +10678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -348,8 +372,8 @@
@@ -348,8 +378,8 @@
')
optional_policy(`
@ -10548,7 +10688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -385,7 +409,7 @@
@@ -385,7 +415,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -10557,7 +10697,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -425,6 +449,14 @@
@@ -397,6 +427,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
+manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
+manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
+files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir)
+
+manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
+manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
+manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)
+
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -425,6 +464,14 @@
')
optional_policy(`
@ -10572,7 +10728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -434,47 +466,31 @@
@@ -434,47 +481,31 @@
')
optional_policy(`
@ -10597,6 +10753,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # xserver signals unconfined user on startx
+ unconfined_signal(xdm_xserver_t)
+ unconfined_getpgid(xdm_xserver_t)
+')
+
+
+tunable_policy(`allow_xserver_execmem', `
+ allow xdm_xserver_t self:process { execheap execmem execstack };
')
-ifdef(`TODO',`
@ -10620,11 +10781,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
+
+tunable_policy(`allow_xserver_execmem', `
+ allow xdm_xserver_t self:process { execheap execmem execstack };
+')
+
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
+')
@ -10810,7 +10966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.1.0/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/authlogin.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/authlogin.te 2007-11-12 12:07:41.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@ -10831,6 +10987,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# PAM local policy
@@ -287,8 +293,8 @@
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
-term_dontaudit_use_console(updpwd_t)
-term_dontaudit_use_unallocated_ttys(updpwd_t)
+term_dontaudit_use_all_user_ptys(updpwd_t)
+term_dontaudit_use_all_user_ttys(updpwd_t)
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.1.0/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/fstools.fc 2007-11-06 09:28:35.000000000 -0500
@ -11288,7 +11455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.1.0/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-10-29 07:52:50.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-08 13:26:15.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-12 11:17:51.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@ -12377,7 +12544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.1.0/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-10-12 08:56:08.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/raid.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/raid.te 2007-11-12 10:43:40.000000000 -0500
@@ -19,7 +19,7 @@
# Local policy
#
@ -12395,6 +12562,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
@@ -85,3 +86,7 @@
optional_policy(`
udev_read_db(mdadm_t)
')
+
+optional_policy(`
+ unconfined_domain(mdadm_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.1.0/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.fc 2007-11-06 09:28:35.000000000 -0500
@ -12684,7 +12859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-12 08:56:08.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-09 14:28:06.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-12 11:41:33.000000000 -0500
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -12704,7 +12879,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
type semanage_store_t;
files_type(semanage_store_t)
@@ -194,10 +197,19 @@
@@ -170,6 +173,7 @@
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
+fs_list_inotifyfs(load_policy_t)
mls_file_read_all_levels(load_policy_t)
@@ -194,10 +198,19 @@
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
optional_policy(`
@ -12725,7 +12908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
########################################
#
# Newrole local policy
@@ -215,7 +227,7 @@
@@ -215,7 +228,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -12734,7 +12917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
@@ -252,7 +264,9 @@
@@ -252,7 +265,9 @@
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@ -12744,7 +12927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_rw_faillog(newrole_t)
corecmd_list_bin(newrole_t)
@@ -273,6 +287,7 @@
@@ -273,6 +288,7 @@
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@ -12752,7 +12935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
@@ -294,14 +309,6 @@
@@ -294,14 +310,6 @@
files_polyinstantiate_all(newrole_t)
')
@ -12767,7 +12950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
########################################
#
# Restorecond local policy
@@ -309,11 +316,12 @@
@@ -309,11 +317,12 @@
allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;
@ -12781,7 +12964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -343,15 +351,12 @@
@@ -343,15 +352,12 @@
miscfiles_read_localization(restorecond_t)
@ -12799,7 +12982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
#################################
#
@@ -361,7 +366,7 @@
@@ -361,7 +367,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@ -12808,7 +12991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -375,6 +380,7 @@
@@ -375,6 +381,7 @@
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@ -12816,7 +12999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
@@ -425,75 +431,49 @@
@@ -425,75 +432,49 @@
########################################
#
@ -12917,7 +13100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
@@ -519,7 +499,12 @@
@@ -519,7 +500,12 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
@ -12931,7 +13114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
@@ -537,6 +522,7 @@
@@ -537,6 +523,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@ -12939,7 +13122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
@@ -590,8 +576,16 @@
@@ -590,8 +577,16 @@
fs_relabel_tmpfs_chr_file(setfiles_t)
')
@ -13438,7 +13621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.0/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-12 08:56:08.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-11-12 10:02:01.000000000 -0500
@@ -5,17 +5,18 @@
#
# Declarations