- Allow cron to run unconfined apps

2007-12-18 19:58:20 +00:00 · 2007-12-18 19:58:20 +00:00 · 194f6c15a0
commit 194f6c15a0
parent 91c2fa9d31
2 changed files with 195 additions and 27 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1565,3 +1565,10 @@ munin = module
 # 
 bitlbee = module
 # Layer: services
 # Module: soundserver
 #
 # sound server for network audio server programs, nasd, yiff, etc</summary>
 # 
 soundserver = module
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -109,6 +109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.4/M
 endef
 # create-base-per-role-tmpl modulenames,outputfile
 Binary files nsaserefpolicy/man/ru/man8/samba_selinux.8.gz and serefpolicy-3.2.4/man/ru/man8/samba_selinux.8.gz differ
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.4/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2007-08-11 06:22:29.000000000 -0400
 +++ serefpolicy-3.2.4/policy/flask/access_vectors	2007-12-13 17:37:33.000000000 -0500
@ -703,7 +704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.4/policy/modules/admin/kudzu.te
 --- nsaserefpolicy/policy/modules/admin/kudzu.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.4/policy/modules/admin/kudzu.te	2007-12-13 17:37:33.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/admin/kudzu.te	2007-12-18 10:07:53.000000000 -0500
@@ -21,8 +21,8 @@
 # Local policy
 #
@ -732,19 +733,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
 # kudzu will telinit to make init re-read
 # the inittab after configuring serial consoles
 init_telinit(kudzu_t)
-@@ -140,30 +143,3 @@
+@@ -142,28 +145,6 @@
 optional_policy(`
         udev_read_db(kudzu_t)
 ')
-
+ 
-optional_policy(`
+ optional_policy(`
 -	# cjp: this was originally in the else block
 -	# of ifdef userhelper.te, but it seems to
 -	# make more sense here.  also, require
 -	# blocks curently do not work in the
 -	# else block of optionals
-	unconfined_domain(kudzu_t)
+	unconfined_domtrans(kudzu_t)
-')
+ 	unconfined_domain(kudzu_t)
 ')
 -
 -ifdef(`TODO',`
 -allow kudzu_t modules_conf_t:file unlink;
@ -3405,6 +3405,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 +optional_policy(`
 +	xserver_xdm_rw_shm(wine_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.4/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/kernel/corecommands.fc	2007-12-18 11:39:23.000000000 -0500
@@ -127,6 +127,8 @@
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
 +/opt/gutenprint/cups/lib/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +
 #
 # /usr
 #
@@ -147,7 +149,7 @@
 /usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib(64)?/cups/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib(64)?/cups/filter(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
@@ -186,6 +188,8 @@
 /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.4/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/kernel/corecommands.if	2007-12-13 17:37:34.000000000 -0500
@ -3418,8 +3448,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in	2007-12-13 17:37:34.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in	2007-12-18 14:43:53.000000000 -0500
-@@ -133,6 +133,7 @@
+@@ -122,6 +122,7 @@
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
 +network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
@@ -133,6 +134,7 @@
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(postfix_policyd, tcp,10031,s0)
@ -3448,7 +3486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.4/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.4/policy/modules/kernel/devices.if	2007-12-13 17:37:34.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/kernel/devices.if	2007-12-18 10:39:31.000000000 -0500
@@ -65,7 +65,7 @@
 	relabelfrom_dirs_pattern($1,device_t,device_node)
@ -3484,7 +3522,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ##	Delete a directory in the device directory.
 ## </summary>
 ## <param name="domain">
-@@ -667,6 +686,7 @@
+@@ -649,6 +668,7 @@
 	')
 	getattr_blk_files_pattern($1,device_t,device_node)
 +
 ')
 ########################################
@@ -667,6 +687,7 @@
 	')
 	dontaudit $1 device_node:blk_file getattr;
@ -3492,7 +3538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ')
 ########################################
-@@ -704,6 +724,7 @@
+@@ -704,6 +725,7 @@
 	')
 	dontaudit $1 device_node:chr_file getattr;
@ -3500,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ')
 ########################################
-@@ -2787,6 +2808,97 @@
+@@ -2787,6 +2809,97 @@
 ########################################
 ## <summary>
@ -4924,6 +4970,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
 ')
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.2.4/policy/modules/services/bitlbee.te
 --- nsaserefpolicy/policy/modules/services/bitlbee.te	2007-09-17 15:56:47.000000000 -0400
 +++ serefpolicy-3.2.4/policy/modules/services/bitlbee.te	2007-12-18 09:56:33.000000000 -0500
@@ -54,6 +54,9 @@
 corenet_tcp_connect_msnp_port(bitlbee_t)
 corenet_tcp_sendrecv_msnp_port(bitlbee_t)
 +dev_read_rand(bitlbee_t)
 +dev_read_urand(bitlbee_t)
 +
 files_read_etc_files(bitlbee_t)
 files_search_pids(bitlbee_t)
 # grant read-only access to the user help files
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.4/policy/modules/services/bluetooth.fc
 --- nsaserefpolicy/policy/modules/services/bluetooth.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/services/bluetooth.fc	2007-12-13 17:37:34.000000000 -0500
@ -6118,7 +6177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.4/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/dovecot.te	2007-12-13 17:37:34.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/dovecot.te	2007-12-18 11:01:04.000000000 -0500
@@ -15,6 +15,12 @@
 domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
@ -6218,7 +6277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +')
 +
 +optional_policy(`
-+	postfix_manage_pivate_sockets(dovecot_auth_t)
+	postfix_manage_private_sockets(dovecot_auth_t)
 +	postfix_search_spool(dovecot_auth_t)
 ')
 +
@ -6465,6 +6524,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +	exim_manage_var_lib(exim_lib_update_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.4/policy/modules/services/fail2ban.fc
 --- nsaserefpolicy/policy/modules/services/fail2ban.fc	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.2.4/policy/modules/services/fail2ban.fc	2007-12-18 11:18:22.000000000 -0500
@@ -1,3 +1,4 @@
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 +/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
 /var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.4/policy/modules/services/ftp.if
 --- nsaserefpolicy/policy/modules/services/ftp.if	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.2.4/policy/modules/services/ftp.if	2007-12-13 17:37:34.000000000 -0500
@ -6931,6 +6998,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 ')
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.4/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2007-12-04 11:02:50.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/services/mailman.if	2007-12-18 11:04:17.000000000 -0500
@@ -211,6 +211,7 @@
 		type mailman_data_t;
 	')
 +	manage_dirs_pattern($1,mailman_data_t,mailman_data_t)
 	manage_files_pattern($1,mailman_data_t,mailman_data_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.4/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-04 11:02:50.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/services/mailman.te	2007-12-13 17:37:34.000000000 -0500
@ -7274,6 +7352,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 	smartmon_read_tmp_files(system_mail_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.4/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2007-04-30 10:41:38.000000000 -0400
 +++ serefpolicy-3.2.4/policy/modules/services/munin.fc	2007-12-18 14:51:15.000000000 -0500
@@ -8,4 +8,5 @@
 /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
 -/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
 +/var/www/html/munin(/.*)?		gen_context(system_u:object_r:http_munin_content_t,s0)
 +/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:http_munin_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.4/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2007-11-15 13:40:14.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/services/munin.te	2007-12-18 14:50:13.000000000 -0500
@@ -37,6 +37,9 @@
 allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
 +allow munin_t self:fifo_file create_fifo_file_perms;
 +
 +can_exec(munin_t, munin_exec_t)
 allow munin_t munin_etc_t:dir list_dir_perms;
 read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
@@ -73,6 +76,7 @@
 corenet_udp_sendrecv_all_nodes(munin_t)
 corenet_tcp_sendrecv_all_ports(munin_t)
 corenet_udp_sendrecv_all_ports(munin_t)
 +corenet_tcp_connect_munin_port(munin_t)
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
@@ -118,3 +122,9 @@
 optional_policy(`
 	udev_read_db(munin_t)
 ')
 +
 +#============= http munin policy ==============
 +apache_content_template(munin)
 +
 +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.4/policy/modules/services/mysql.fc
 --- nsaserefpolicy/policy/modules/services/mysql.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/services/mysql.fc	2007-12-13 17:37:34.000000000 -0500
@ -8222,7 +8341,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.4/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/postfix.if	2007-12-13 17:37:34.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/postfix.if	2007-12-18 11:00:59.000000000 -0500
@@ -416,7 +416,7 @@
 ##	</summary>
 ## </param>
 #
 -interface(`postfix_create_pivate_sockets',`
 +interface(`postfix_create_private_sockets',`
 	gen_require(`
 		type postfix_private_t;
 	')
@@ -427,6 +427,26 @@
 ########################################
@ -8235,7 +8363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +##	</summary>
 +## </param>
 +#
-+interface(`postfix_manage_pivate_sockets',`
+interface(`postfix_manage_private_sockets',`
 +	gen_require(`
 +		type postfix_private_t;
 +	')
@ -8252,7 +8380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.4/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/postfix.te	2007-12-13 17:37:34.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/postfix.te	2007-12-18 10:58:24.000000000 -0500
@@ -6,6 +6,14 @@
 # Declarations
 #
@ -8303,7 +8431,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
-@@ -273,6 +288,8 @@
+@@ -248,6 +263,10 @@
 corecmd_exec_bin(postfix_cleanup_t)
 +optional_policy(`
 +	mailman_read_data_files(postfix_cleanup_t)
 +')
 +
 ########################################
 #
 # Postfix local local policy
@@ -273,6 +292,8 @@
 files_read_etc_files(postfix_local_t)
@ -8312,7 +8451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
-@@ -285,6 +302,7 @@
+@@ -285,6 +306,7 @@
 optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_local_t)
@ -8320,7 +8459,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ')
 optional_policy(`
-@@ -346,8 +364,6 @@
+@@ -295,8 +317,7 @@
 #
 # Postfix map local policy
 #
 -
 -allow postfix_map_t self:capability setgid;
 +allow postfix_map_t self:capability { dac_override setgid setuid };
 allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 allow postfix_map_t self:tcp_socket create_stream_socket_perms;
@@ -346,8 +367,6 @@
 miscfiles_read_localization(postfix_map_t)
@ -8329,7 +8478,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 tunable_policy(`read_default_t',`
 	files_list_default(postfix_map_t)
 	files_read_default_files(postfix_map_t)
-@@ -392,6 +408,10 @@
+@@ -360,6 +379,11 @@
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
 +optional_policy(`
 +#	for postalias
 +	mailman_manage_data_files(postfix_map_t)
 +')
 +
 ########################################
 #
 # Postfix pickup local policy
@@ -392,6 +416,10 @@
 rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
 optional_policy(`
@ -8340,7 +8501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	procmail_domtrans(postfix_pipe_t)
 ')
-@@ -400,6 +420,10 @@
+@@ -400,6 +428,10 @@
 ')
 optional_policy(`
@ -8351,7 +8512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	uucp_domtrans_uux(postfix_pipe_t)
 ')
-@@ -532,9 +556,6 @@
+@@ -532,9 +564,6 @@
 # connect to master process
 stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
@ -8361,7 +8522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 # for prng_exch
 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
 allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +578,10 @@
+@@ -557,6 +586,10 @@
 	sasl_connect(postfix_smtpd_t)
 ')
@ -13821,7 +13982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.4/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/system/unconfined.te	2007-12-17 17:05:56.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/system/unconfined.te	2007-12-18 13:42:58.000000000 -0500
@@ -9,32 +9,48 @@
 # usage in this module of types created by these
 # calls is not correct, however we dont currently