diff --git a/policy-20080710.patch b/policy-20080710.patch index 8e7e4858..1174d81f 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -6707,7 +6707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.10/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/kernel/devices.if 2008-10-03 11:36:44.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/kernel/devices.if 2008-10-06 13:16:47.000000000 -0400 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) @@ -6717,7 +6717,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol relabelfrom_fifo_files_pattern($1, device_t, device_node) relabelfrom_sock_files_pattern($1, device_t, device_node) relabel_blk_files_pattern($1,device_t,{ device_t device_node }) -@@ -167,6 +167,25 @@ +@@ -148,6 +148,24 @@ + + ######################################## + ## ++## Del entries to directories in /dev. ++## ++## ++## ++## Domain allowed to add entries. ++## ++## ++# ++interface(`dev_del_entry_generic_dirs',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ allow $1 device_t:dir del_entry_dir_perms; ++') ++ ++######################################## ++## + ## Create a directory in the device directory. + ## + ## +@@ -167,6 +185,25 @@ ######################################## ## @@ -6743,7 +6768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Delete a directory in the device directory. ## ## -@@ -667,6 +686,7 @@ +@@ -667,6 +704,7 @@ ') dontaudit $1 device_node:blk_file getattr; 
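Review bot: The documentation of the new `dev_del_entry_generic_dirs` interface contradicts what it grants: the summary reads `Del entries to directories in /dev.` and the parameter text `Domain allowed to add entries.`, while the body allows `del_entry_dir_perms` on device_t. Change the summary to `## Delete entries from directories in /dev.` and the parameter description to `## Domain allowed to delete entries.`; the wording looks copied from the add-entry interface above it. Anyone later auditing which domains may remove device nodes would otherwise search for the wrong verb.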
@@ -6751,7 +6776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -704,6 +724,7 @@ +@@ -704,6 +742,7 @@ ') dontaudit $1 device_node:chr_file getattr; @@ -6759,7 +6784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1160,6 +1181,25 @@ +@@ -1160,6 +1199,25 @@ ######################################## ## @@ -6785,7 +6810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read the CPU identity. ## ## -@@ -1958,6 +1998,42 @@ +@@ -1958,6 +2016,42 @@ ######################################## ## @@ -6828,7 +6853,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -@@ -2769,6 +2845,24 @@ +@@ -2769,6 +2863,24 @@ ######################################## ## @@ -6853,7 +6878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write generic the USB devices. ## ## -@@ -2787,6 +2881,97 @@ +@@ -2787,6 +2899,97 @@ ######################################## ## @@ -6951,7 +6976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a usbfs filesystem. ## ## -@@ -3322,3 +3507,223 @@ +@@ -3322,3 +3525,223 @@ typeattribute $1 devices_unconfined_type; ') @@ -8201,7 +8226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.10/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/kernel/filesystem.te 2008-10-03 11:36:44.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/kernel/filesystem.te 2008-10-06 14:17:31.000000000 -0400 
@@ -21,7 +21,6 @@ # Use xattrs for the following filesystem types. @@ -8222,7 +8247,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type eventpollfs_t; fs_type(eventpollfs_t) # change to task SID 20060628 -@@ -241,6 +245,7 @@ +@@ -141,6 +145,7 @@ + fs_noxattr_type(vmblock_t) + files_mountpoint(vmblock_t) + genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) ++genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) + + type vxfs_t; + fs_noxattr_type(vxfs_t) +@@ -241,6 +246,7 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) @@ -8320,7 +8353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_default_files(kernel_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.10/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/kernel/selinux.if 2008-10-03 11:36:44.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/kernel/selinux.if 2008-10-06 13:08:30.000000000 -0400 @@ -164,6 +164,7 @@ type security_t; ') @@ -8660,8 +8693,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.10/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.10/policy/modules/roles/guest.te 2008-10-03 11:36:44.000000000 -0400 -@@ -0,0 +1,34 @@ ++++ serefpolicy-3.5.10/policy/modules/roles/guest.te 2008-10-06 12:29:55.000000000 -0400 +@@ -0,0 +1,35 @@ + +policy_module(guest, 1.0.0) + 
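Review bot: `genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)` gives VirtualBox shared folders exactly the access set already granted on VMware's vmblock filesystem, without a comment saying the two are intentionally treated as one; since vmblock_t is `fs_noxattr_type` and `files_mountpoint`, every domain holding rules on that type now also reaches host-shared directories. If that equivalence is intended, add a line before the new genfscon such as `# VirtualBox shared folders (vboxsf) are labeled like VMware's vmblock` so the reuse is visible to later audits; otherwise a dedicated type would keep the two separable. The type declaration for vmblock_t starts above this hunk.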
@@ -8687,6 +8720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mono_per_role_template(guest, guest_t, guest_r) +') + ++ +optional_policy(` + gen_require(` + type xguest_t; @@ -18892,7 +18926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.10/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/services/networkmanager.te 2008-10-03 11:37:02.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/services/networkmanager.te 2008-10-06 12:42:23.000000000 -0400 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -19033,12 +19067,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -174,9 +208,18 @@ +@@ -174,9 +208,19 @@ ') optional_policy(` -- ppp_domtrans(NetworkManager_t) + ppp_initrc_domtrans(NetworkManager_t) + ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) + ppp_sigkill(NetworkManager_t) ppp_signal(NetworkManager_t) @@ -19053,7 +19087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -221,3 +264,28 @@ +@@ -221,3 +265,28 @@ miscfiles_read_localization(wpa_cli_t) term_dontaudit_use_console(wpa_cli_t) 
@@ -22900,15 +22934,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(rshd_t) + unconfined_signal(rshd_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.10/policy/modules/services/rsync.fc +--- nsaserefpolicy/policy/modules/services/rsync.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/services/rsync.fc 2008-10-06 08:55:56.000000000 -0400 +@@ -3,4 +3,4 @@ + + /var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) + +-/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0) ++/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.10/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/services/rsync.te 2008-10-03 11:36:44.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/services/rsync.te 2008-10-06 12:50:44.000000000 -0400 @@ -45,7 +45,7 @@ # Local policy # -allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot }; -+allow rsync_t self:capability { chown dac_read_search dac_override setuid setgid sys_chroot }; ++allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; 
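Review bot: Adding `fowner` and `fsetid` to rsync_t's capability line is unconditional, and together with the existing `dac_override` it lets the daemon chmod files it does not own and keep setuid/setgid bits on files it writes, so any writable rsyncd module can receive setuid binaries. If the grant exists to honour `--perms`/`--owner` on writable modules, consider moving the two new capabilities under the tunable that already governs rsync write access in rsync.te (not visible in this hunk), e.g. `tunable_policy(`<WRITE_TUNABLE>`,` allow rsync_t self:capability { fowner fsetid }; ')`, rather than widening the always-on set. The rsync.fc change to `rsync_var_run_t` presumes that type is declared with `files_pid_file` and given a pid filetrans in rsync.te, which this diff does not show.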
@@ -24232,7 +24275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.10/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/services/smartmon.te 2008-10-03 11:36:44.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/services/smartmon.te 2008-10-06 13:16:57.000000000 -0400 @@ -10,6 +10,9 @@ type fsdaemon_exec_t; init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) @@ -24243,7 +24286,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type fsdaemon_var_run_t; files_pid_file(fsdaemon_var_run_t) -@@ -28,6 +31,7 @@ +@@ -23,11 +26,12 @@ + + allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; + dontaudit fsdaemon_t self:capability sys_tty_config; +-allow fsdaemon_t self:process signal_perms; ++allow fsdaemon_t self:process { signal_perms setfscreate }; + allow fsdaemon_t self:fifo_file rw_fifo_file_perms; allow fsdaemon_t self:unix_dgram_socket create_socket_perms; allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; allow fsdaemon_t self:udp_socket create_socket_perms; 
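Review bot: `setfscreate` is added to fsdaemon_t's process permissions with no comment saying why smartd needs to choose its own file-creation context; read together with `selinux_validate_context` and `seutil_read_file_contexts` in the next hunk (@@ -24271), it presumably means smartd calls setfscreatecon before recreating disk device nodes, and that should be stated, since setfscreate applies to everything the domain creates, not only those nodes. Suggest `# smartd sets the create context when it recreates disk device nodes -- confirm` above the changed allow line. If the nodes only need the right label, the `storage_dev_filetrans_fixed_disk(fsdaemon_t)` transition also added in the next hunk may make setfscreate unnecessary.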
@@ -24271,6 +24320,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_search_home_dirs(fsdaemon_t) optional_policy(` +@@ -95,3 +99,10 @@ + optional_policy(` + udev_read_db(fsdaemon_t) + ') ++ ++dev_del_entry_generic_dirs(fsdaemon_t) ++storage_dev_filetrans_fixed_disk(fsdaemon_t) ++storage_manage_fixed_disk(fsdaemon_t) ++seutil_read_file_contexts(fsdaemon_t) ++selinux_validate_context(fsdaemon_t) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.10/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.10/policy/modules/services/snmp.fc 2008-10-03 11:36:44.000000000 -0400 @@ -26535,7 +26595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.10/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/services/xserver.if 2008-10-03 16:06:18.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/services/xserver.if 2008-10-06 12:32:14.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; 
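Review bot: The five new rules are appended after the last optional_policy block at the end of smartmon.te, outside any block and followed by a stray empty `+` line, whereas the file's unconditional local-policy section (earlier in the file, outside this hunk) is where they belong and where `storage_manage_fixed_disk(fsdaemon_t)` would be read next to the existing `sys_rawio` capability. `storage_manage_fixed_disk` presumably adds create/unlink/setattr on fixed-disk device nodes on top of raw read/write, and `dev_del_entry_generic_dirs(fsdaemon_t)` allows removing any entry in /dev, not only disk nodes, so a why-comment such as `# smartd recreates /dev nodes for the disks it probes` is needed on the block. Drop the trailing blank line while moving it.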
@@ -26665,14 +26725,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # - # $1_xserver_t Local policy - # -- -- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) + allow $1_xserver_t xauth_home_t:file { getattr read }; -- allow $1_xserver_t $1_xauth_home_t:file { getattr read }; +- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) + domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t) + role $3 types xauth_t; +- allow $1_xserver_t $1_xauth_home_t:file { getattr read }; +- - domtrans_pattern($2, xserver_exec_t, $1_xserver_t) allow $1_xserver_t $2:process signal; @@ -26740,15 +26800,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file) -- ++ domtrans_pattern($2, xauth_exec_t, xauth_t) ++ allow $2 xauth_t:process signal; + - manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) - - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -+ domtrans_pattern($2, xauth_exec_t, xauth_t) -+ allow $2 xauth_t:process signal; - +- - allow $2 $1_xauth_t:process signal; + allow $2 xauth_home_t:file manage_file_perms; + allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -26772,13 +26832,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - # cjp: why? - term_use_ptmx($1_xauth_t) -+ ps_process_pattern($2,xauth_t) - +- - auth_use_nsswitch($1_xauth_t) - - libs_use_ld_so($1_xauth_t) - libs_use_shared_libs($1_xauth_t) -- ++ ps_process_pattern($2,xauth_t) + - userdom_use_user_terminals($1, $1_xauth_t) - userdom_read_user_tmp_files($1, $1_xauth_t) - 
@@ -26818,7 +26878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 iceauth_home_t:file { relabelfrom relabelto }; - allow xdm_t $1_iceauth_home_t:file read_file_perms; -+ allow xdm_t iceauth_home_t:file read_file_perms; ++ xserver_use_xdm($2) fs_search_auto_mountpoints($1_iceauth_t) @@ -26879,7 +26939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,11 +572,109 @@ +@@ -643,13 +572,208 @@ xserver_read_xdm_tmp_files($2) @@ -26921,8 +26981,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + attribute x_domain; + type $1_xserver_t; +# type $2_input_xevent_t; -+ ') -+ + ') + + allow $1_xserver_t self:netlink_selinux_socket create_socket_perms; + +# typeattribute $2_input_xevent_t $1_input_xevent_type; @@ -26990,13 +27050,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1_xserver_t input_xevent_t:x_event send; + allow $1_xserver_t $1_rootwindow_t:x_drawable send; - ') - - ####################################### -@@ -662,6 +689,103 @@ - ## is the prefix for user_t). - ## - ## ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## +## Client domain allowed access. 
@@ -27082,21 +27149,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## - ## - ## - ## The prefix of the X client domain (e.g., user + ####################################### + ## + ## Interface to provide X object permissions on a given X server to @@ -676,7 +800,7 @@ # template(`xserver_common_x_domain_template',` @@ -27237,13 +27292,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -879,17 +1007,17 @@ +@@ -879,24 +1007,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` - type xdm_t, xdm_tmp_t; - type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; -+ type xdm_t, xdm_tmp_t, xdm_xproperty_t; ++ type xdm_xproperty_t; + type xauth_home_t, iceauth_home_t; ') 
@@ -27257,12 +27312,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read .Xauthority file - allow $3 $1_xauth_home_t:file { getattr read }; - allow $3 $1_iceauth_home_t:file { getattr read }; +- +- # for when /tmp/.X11-unix is created by the system +- allow $3 xdm_t:fd use; +- allow $3 xdm_t:fifo_file { getattr read write ioctl }; +- allow $3 xdm_tmp_t:dir search; +- allow $3 xdm_tmp_t:sock_file { read write }; +- dontaudit $3 xdm_t:tcp_socket { read write }; + allow $3 xauth_home_t:file { getattr read }; + allow $3 iceauth_home_t:file { getattr read }; - # for when /tmp/.X11-unix is created by the system - allow $3 xdm_t:fd use; -@@ -916,11 +1044,9 @@ + # Allow connections to X server. + files_search_tmp($3) +@@ -911,16 +1032,11 @@ + xserver_rw_session_template($1, $3, $4) + xserver_use_user_fonts($1, $3) + +- xserver_read_xdm_tmp_files($3) +- # X object manager xserver_common_x_domain_template($1, $2, $3) @@ -27271,13 +27338,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $3 $1_xserver_t:shm rw_shm_perms; - allow $3 $1_xserver_tmpfs_t:file rw_file_perms; - ') -+ allow $3 xdm_t:x_client { getattr destroy }; -+ allow $3 xdm_t:x_drawable { receive get_property getattr send list_child }; + allow $3 xdm_xproperty_t:x_property { write read }; ++ xserver_use_xdm($3) ') ######################################## -@@ -952,26 +1078,43 @@ +@@ -952,26 +1068,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -27328,15 +27394,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -997,10 +1140,77 @@ +@@ -997,10 +1130,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` - type $1_xauth_t, xauth_exec_t; + type xauth_t, xauth_exec_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ ') ++ + domtrans_pattern($2, xauth_exec_t, xauth_t) +') + 
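Review bot: After this hunk `xserver_user_x_domain_template` keeps `allow $3 xdm_xproperty_t:x_property { write read };` and also calls `xserver_use_xdm($3)`, and the new interface grants that same x_property rule itself (later in this diff), so the explicit line is redundant and the `type xdm_xproperty_t;` left in the template's gen_require (hunk @@ -27237 on the previous line) exists only to support it. Drop the allow line and the require so the template has one source of its xdm access: `xserver_use_xdm($3)`. The template's body begins above this hunk.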
@@ -27368,8 +27433,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +template(`xserver_read_user_xauth',` + gen_require(` + type xauth_home_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + allow $2 xauth_home_t:file { getattr read }; +') + @@ -27408,7 +27474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1030,10 +1240,10 @@ +@@ -1030,10 +1230,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -27421,7 +27487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1219,6 +1429,25 @@ +@@ -1219,6 +1419,25 @@ ######################################## ## @@ -27447,7 +27513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1502,7 @@ +@@ -1273,6 +1492,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -27455,7 +27521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1291,7 +1521,7 @@ +@@ -1291,7 +1511,7 @@ ') files_search_pids($1) @@ -27464,7 +27530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1314,6 +1544,24 @@ +@@ -1314,6 +1534,24 @@ ######################################## ## @@ -27489,7 +27555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1572,47 @@ +@@ -1324,15 +1562,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` 
@@ -27538,7 +27604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1762,7 @@ +@@ -1482,7 +1752,7 @@ type xdm_xserver_tmp_t; ') @@ -27547,7 +27613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1674,6 +1954,26 @@ +@@ -1674,6 +1944,26 @@ ######################################## ## @@ -27574,7 +27640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## xdm xserver RW shared memory socket. ## ## -@@ -1692,6 +1992,24 @@ +@@ -1692,6 +1982,24 @@ ######################################## ## @@ -27599,7 +27665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1704,8 +2022,127 @@ +@@ -1704,8 +2012,157 @@ # interface(`xserver_unconfined',` gen_require(` @@ -27663,15 +27729,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + type fonts_home_t; + type fonts_config_home_t; - ') - -- typeattribute $1 xserver_unconfined_type; ++ ') ++ + manage_dirs_pattern($1, fonts_home_t, fonts_home_t) + manage_files_pattern($1, fonts_home_t, fonts_home_t) + manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t) + + manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t) - ') ++') + +######################################## +## 
@@ -27729,9 +27794,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 xdm_home_t:file rw_file_perms; +') + ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## Client domain allowed access. ++## ++## ++# ++interface(`xserver_use_xdm',` ++ gen_require(` ++ type xdm_t, xdm_tmp_t; + ') + +- typeattribute $1 xserver_unconfined_type; ++ allow $1 xdm_t:fd use; ++ allow $1 xdm_t:fifo_file { getattr read write ioctl }; ++ dontaudit $1 xdm_t:tcp_socket { read write }; ++ ++ # Allow connections to X server. ++ xserver_stream_connect_xdm($1) ++ xserver_read_xdm_tmp_files($1) ++ xserver_xdm_stream_connect($1) ++ ++ allow $1 xdm_t:x_client { getattr destroy }; ++ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child }; ++ allow $1 xdm_xproperty_t:x_property { write read }; + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.10/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/services/xserver.te 2008-10-03 16:06:35.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/services/xserver.te 2008-10-06 12:03:23.000000000 -0400 @@ -8,6 +8,14 @@ ## 
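Review bot: `xserver_use_xdm` widens what it replaces: `allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child };` includes `read`, which the per-template rule it supersedes in `xserver_user_x_domain_template` (hunk @@ -27271, earlier in this diff) did not grant, so every caller may now read the contents of xdm's drawables; either drop `read` or add a comment saying why clients need it. The interface also uses `xdm_xproperty_t` without requiring it, so the require should read `type xdm_t, xdm_tmp_t, xdm_xproperty_t;` (while `xdm_tmp_t` appears unused directly in the body), and its summary is copied from the X-object-manager template; `## Allow a domain to use the xdm X server: xdm's fds, fifos, sockets and X objects.` describes what it does. `xserver_stream_connect_xdm($1)` and `xserver_xdm_stream_connect($1)` are both called; if one is an alias of the other, one call suffices.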
@@ -28278,7 +28374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ssh_dontaudit_rw_tcp_sockets(xauth_t) +') + -+ ++allow xdm_t iceauth_home_t:file read_file_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.10/policy/modules/services/zabbix.fc --- nsaserefpolicy/policy/modules/services/zabbix.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.10/policy/modules/services/zabbix.fc 2008-10-03 11:36:44.000000000 -0400 @@ -29538,7 +29634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.10/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.10/policy/modules/system/libraries.fc 2008-10-03 11:36:44.000000000 -0400 ++++ serefpolicy-3.5.10/policy/modules/system/libraries.fc 2008-10-06 12:36:31.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -29618,7 +29714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +321,13 @@ +@@ -310,3 +321,15 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
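Review bot: `allow xdm_t iceauth_home_t:file read_file_perms;` is appended after the xauth_t optional_policy block at the very end of xserver.te rather than in xdm_t's local-policy section, where the rest of xdm_t's file rules live and where a reader would look for the access that the iceauth template no longer grants (hunk @@ -26818). Move the rule up next to xdm_t's other home-file rules (outside this hunk) and give it a why-comment, e.g. `# xdm reads the user's .ICEauthority -- presumably for session setup`.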
@@ -29632,6 +29728,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.10/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-08-13 15:24:56.000000000 -0400 +++ serefpolicy-3.5.10/policy/modules/system/libraries.te 2008-10-03 11:36:44.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 10cea6d1..9990068a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.10 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -390,6 +390,9 @@ exit 0 %endif %changelog +* Mon Oct 6 2008 Dan Walsh 3.5.10-3 +- Fixes for confined xwindows and xdm_t + * Fri Oct 3 2008 Dan Walsh 3.5.10-2 - Allow confined users and xdm to exec wm - Allow nsplugin to talk to fifo files on nfs
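Review bot: Labeling `/usr/lib(64)?/libmpeg2\.so.*` as `textrel_shlib_t` exempts that library from the execmod check for every domain that loads it; the neighbouring entries carry no justification either, but a comment such as `# libmpeg2 is built with text relocations; drop once the package ships a PIC build` keeps the exemption from outliving its cause. The `\.so.*` suffix also matches any name containing `.so`, not only versioned sonames; it is consistent with the surrounding entries but looser than the `\.so(\.[^/]*)*` form used elsewhere in refpolicy file contexts.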