- Allow all user roles to executae samba net command

2008-01-30 13:56:22 +00:00 · 2008-01-30 13:56:22 +00:00 · 0f70114e58
commit 0f70114e58
parent 7c2be34d14
2 changed files with 122 additions and 44 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -972,7 +972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2008-01-29 10:17:11.000000000 -0500
@@ -152,6 +152,24 @@
 ########################################
@ -1276,7 +1276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 		java_domtrans(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.5/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/admin/sudo.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/sudo.if	2008-01-29 16:49:45.000000000 -0500
@@ -55,7 +55,7 @@
 	#
@ -1286,7 +1286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
-@@ -68,27 +68,26 @@
+@@ -68,33 +68,32 @@
 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_sudo_t self:unix_dgram_socket sendto;
 	allow $1_sudo_t self:unix_stream_socket connectto;
@ -1316,7 +1316,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
 	# sudo stores a token in the pam_pid directory
 	auth_manage_pam_pid($1_sudo_t)
 	auth_use_nsswitch($1_sudo_t)
-@@ -106,12 +105,14 @@
+ 
 	corecmd_read_bin_symlinks($1_sudo_t)
 -	corecmd_getattr_all_executables($1_sudo_t)
 +	corecmd_exec_all_executables($1_sudo_t)
 	domain_use_interactive_fds($1_sudo_t)
 	domain_sigchld_interactive_fds($1_sudo_t)
@@ -106,16 +105,20 @@
 	files_getattr_usr_files($1_sudo_t)
 	# for some PAM modules and for cwd
 	files_dontaudit_search_home($1_sudo_t)
@ -1331,7 +1338,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
 	logging_send_syslog_msg($1_sudo_t)
 	miscfiles_read_localization($1_sudo_t)
-@@ -125,13 +126,4 @@
+ 
 +	mta_per_role_template($1, $1_sudo_t, $3)
 +
 	userdom_manage_user_home_content_files($1,$1_sudo_t)
 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
 	userdom_manage_user_tmp_files($1,$1_sudo_t)
@@ -125,13 +128,12 @@
 	# for some PAM modules and for cwd
 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
@ -1344,6 +1357,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
 -	')
 -
 -	') dnl end TODO
 +	domain_role_change_exemption($1_sudo_t)
 +	userdom_spec_domtrans_all_users($1_sudo_t)
 +	selinux_validate_context($1_sudo_t)
 +	selinux_compute_relabel_context($1_sudo_t)
 +	term_use_all_user_ttys($1_sudo_t)
 +	term_use_all_user_ptys($1_sudo_t)
 +	term_relabel_all_user_ttys($1_sudo_t)
 +	term_relabel_all_user_ptys($1_sudo_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
@ -4777,7 +4798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.5/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.if	2008-01-29 16:49:06.000000000 -0500
@@ -875,6 +875,7 @@
 	read_lnk_files_pattern($1,bin_t,bin_t)
@ -8076,7 +8097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.5/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te	2008-01-28 11:46:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te	2008-01-29 13:05:07.000000000 -0500
@@ -13,6 +13,9 @@
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
@ -8131,7 +8152,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 	hal_dbus_chat(consolekit_t)
 	optional_policy(`
-@@ -67,3 +86,14 @@
+@@ -64,6 +83,21 @@
 ')
 optional_policy(`
 +	polkit_domtrans_auth(consolekit_t)
 +')
 +
 +optional_policy(`
 	xserver_read_all_users_xauth(consolekit_t)
 	xserver_stream_connect_xdm_xserver(consolekit_t)
 ')
@ -9443,7 +9471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
 # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-25 14:07:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-29 10:21:26.000000000 -0500
@@ -53,6 +53,7 @@
 	gen_require(`
 		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -9666,7 +9694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.5/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.te	2008-01-18 14:09:36.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.te	2008-01-29 10:21:10.000000000 -0500
@@ -9,6 +9,7 @@
 #
 # Delcarations
@ -9675,6 +9703,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 type dbusd_etc_t alias etc_dbusd_t;
 files_type(dbusd_etc_t)
@@ -21,7 +22,7 @@
 files_tmp_file(system_dbusd_tmp_t)
 type system_dbusd_var_lib_t;
 -files_pid_file(system_dbusd_var_lib_t)
 +files_type(system_dbusd_var_lib_t)
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
@@ -65,6 +66,7 @@
 fs_getattr_all_fs(system_dbusd_t)
@ -9952,8 +9989,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.2.5/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dhcp.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dhcp.te	2008-01-29 08:02:57.000000000 -0500
-@@ -19,6 +19,9 @@
+@@ -19,18 +19,20 @@
 type dhcpd_var_run_t;
 files_pid_file(dhcpd_var_run_t)
@ -9963,7 +10000,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 ########################################
 #
 # Local policy
-@@ -30,7 +33,6 @@
+ #
 -allow dhcpd_t self:capability net_raw;
 +allow dhcpd_t self:capability { net_raw sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file { read write getattr };
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
@ -11986,7 +12028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mailman.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailman.te	2008-01-29 09:37:11.000000000 -0500
@@ -53,10 +53,9 @@
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
@ -12000,11 +12042,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 ')
 ########################################
-@@ -65,6 +64,10 @@
+@@ -65,6 +64,11 @@
 #
 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 +allow mailman_mail_t initrc_t:process signal;
 +allow mailman_mail_t self:process signal;
 +allow mailman_mail_t self:capability { setuid setgid };
 +
 +files_search_spool(mailman_mail_t)
@ -13950,7 +13993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.5/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/polkit.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.if	2008-01-29 13:04:40.000000000 -0500
@@ -0,0 +1,59 @@
 +
 +## <summary>policy for polkit_auth</summary>
@ -14946,7 +14989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if
 --- nsaserefpolicy/policy/modules/services/procmail.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/procmail.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.if	2008-01-28 15:44:39.000000000 -0500
@@ -39,3 +39,22 @@
 	corecmd_search_bin($1)
 	can_exec($1,procmail_exec_t)
@ -16471,7 +16514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/samba.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/samba.te	2008-01-28 14:28:32.000000000 -0500
@@ -26,28 +26,28 @@
 ## <desc>
@ -16505,7 +16548,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ## </p>
 ## </desc>
 gen_tunable(samba_run_unconfined,false)
-@@ -139,6 +139,14 @@
+@@ -73,11 +73,9 @@
 logging_log_file(samba_log_t)
 type samba_net_t;
 -domain_type(samba_net_t)
 -role system_r types samba_net_t;
 -
 type samba_net_exec_t;
 -domain_entry_file(samba_net_t,samba_net_exec_t)
 +role system_r types samba_net_t;
 +application_domain(samba_net_t, samba_net_exec_t)
 type samba_net_tmp_t;
 files_tmp_file(samba_net_tmp_t)
@@ -139,6 +137,14 @@
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
@ -16520,7 +16577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ########################################
 #
 # Samba net local policy
-@@ -193,6 +201,8 @@
+@@ -193,6 +199,8 @@
 miscfiles_read_localization(samba_net_t) 
@ -16529,7 +16586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
 optional_policy(`
-@@ -213,7 +223,7 @@
+@@ -213,7 +221,7 @@
 allow smbd_t self:msgq create_msgq_perms;
 allow smbd_t self:sem create_sem_perms;
 allow smbd_t self:shm create_shm_perms;
@ -16538,7 +16595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow smbd_t self:tcp_socket create_stream_socket_perms;
 allow smbd_t self:udp_socket create_socket_perms;
 allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -221,10 +231,8 @@
+@@ -221,10 +229,8 @@
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
@ -16551,7 +16608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow smbd_t samba_net_tmp_t:file getattr;
-@@ -234,6 +242,7 @@
+@@ -234,6 +240,7 @@
 manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
 manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
 manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
@ -16559,7 +16616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
 manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
-@@ -251,7 +260,7 @@
+@@ -251,7 +258,7 @@
 manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
 files_pid_filetrans(smbd_t,smbd_var_run_t,file)
@ -16568,7 +16625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
-@@ -340,6 +349,17 @@
+@@ -340,6 +347,17 @@
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
@ -16586,7 +16643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 optional_policy(`
-@@ -391,7 +411,7 @@
+@@ -391,7 +409,7 @@
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -16595,7 +16652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow nmbd_t self:tcp_socket create_stream_socket_perms;
 allow nmbd_t self:udp_socket create_socket_perms;
 allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +423,7 @@
+@@ -403,8 +421,7 @@
 read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
 manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@ -16605,7 +16662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
 create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +458,7 @@
+@@ -439,6 +456,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 fs_getattr_all_fs(nmbd_t)
@ -16613,7 +16670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 fs_search_auto_mountpoints(nmbd_t)
 domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +542,7 @@
+@@ -522,6 +540,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 term_list_ptys(smbmount_t)
@ -16621,7 +16678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 corecmd_list_bin(smbmount_t)
-@@ -546,28 +567,37 @@
+@@ -546,28 +565,37 @@
 userdom_use_all_users_fds(smbmount_t)
@ -16666,7 +16723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow swat_t smbd_var_run_t:file read;
 manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +607,9 @@
+@@ -577,7 +605,9 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
@ -16677,7 +16734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -602,6 +634,7 @@
+@@ -602,6 +632,7 @@
 dev_read_urand(swat_t)
@ -16685,7 +16742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 files_read_etc_files(swat_t)
 files_search_home(swat_t)
 files_read_usr_files(swat_t)
-@@ -614,6 +647,7 @@
+@@ -614,6 +645,7 @@
 libs_use_shared_libs(swat_t)
 logging_send_syslog_msg(swat_t)
@ -16693,7 +16750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 logging_search_logs(swat_t)
 miscfiles_read_localization(swat_t)
-@@ -631,6 +665,17 @@
+@@ -631,6 +663,17 @@
 	kerberos_use(swat_t)
 ')
@ -16711,7 +16768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ########################################
 #
 # Winbind local policy
-@@ -679,6 +724,8 @@
+@@ -679,6 +722,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@ -16720,7 +16777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
-@@ -766,6 +813,7 @@
+@@ -766,6 +811,7 @@
 optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
@ -16728,7 +16785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 ########################################
-@@ -790,3 +838,37 @@
+@@ -790,3 +836,37 @@
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 	')
 ')
@ -20678,7 +20735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.5/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.fc	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.fc	2008-01-29 16:36:06.000000000 -0500
@@ -29,7 +29,6 @@
 /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
@ -20687,8 +20744,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
-@@ -42,3 +41,6 @@
+@@ -40,5 +39,10 @@
 /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
 /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
 +/var/run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 +/var/run/sepermit(/.*)?	 	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 +/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@ -21512,6 +21573,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 dev_read_urand(racoon_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.2.5/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/system/iscsi.te	2008-01-29 09:44:07.000000000 -0500
@@ -29,7 +29,7 @@
 #
 allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
 -allow iscsid_t self:process setsched;
 +allow iscsid_t self:process { setrlimit setsched };
 allow iscsid_t self:fifo_file { read write };
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow iscsid_t self:unix_dgram_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-12-12 11:35:28.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/system/libraries.fc	2008-01-18 12:40:46.000000000 -0500
@ -22119,12 +22192,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 #################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.5/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/mount.fc	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/mount.fc	2008-01-29 09:05:12.000000000 -0500
-@@ -1,4 +1,3 @@
+@@ -1,4 +1,5 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 -
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/usr/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-12-19 05:32:17.000000000 -0500
@ -22597,7 +22672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.5/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te	2008-01-21 15:06:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te	2008-01-29 15:11:06.000000000 -0500
@@ -75,7 +75,6 @@
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -26908,7 +26983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-24 16:05:12.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-29 15:10:46.000000000 -0500
@@ -0,0 +1,47 @@
 +policy_module(staff,1.0.1)
 +userdom_unpriv_user_template(staff)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
 %endif
 %changelog
 * Mon Jan 28 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-21
 - Allow all user roles to executae samba net command
 * Fri Jan 25 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-20
 - Allow usertypes to read/write noxattr file systems