- Fixes for iscsid and sssd

- More cleanups for upgrade from F10 to Rawhide.
2009-03-11 20:05:16 +00:00 · 2009-03-11 20:05:16 +00:00 · 2550948f89
parent 4bf1c292b9
commit 2550948f89
1 changed files with 208 additions and 68 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -1598,7 +1598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.8/policy/modules/admin/usermanage.if
 --- nsaserefpolicy/policy/modules/admin/usermanage.if	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/admin/usermanage.if	2009-03-10 08:25:54.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/admin/usermanage.if	2009-03-11 15:22:10.000000000 -0400
@@ -117,6 +117,24 @@
 ########################################
@ -2229,7 +2229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/java.if	2009-03-10 08:25:54.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/apps/java.if	2009-03-11 15:31:03.000000000 -0400
@@ -30,6 +30,7 @@
 	allow java_t $2:unix_stream_socket connectto;
@ -2238,7 +2238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -68,3 +69,122 @@
+@@ -68,3 +69,124 @@
 	domtrans_pattern($1, java_exec_t, unconfined_java_t)
 	corecmd_search_bin($1)
 ')
@ -2287,10 +2287,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`java_run_unconfined',`
 +	gen_require(`
 +		type unconfined_java_t;
 +		type java_t;
 +	')
 +
 +	java_domtrans_unconfined($1)
 +	role $2 types unconfined_java_t;
 +	role $2 types java_t;
 +')
 +
 +########################################
@ -2363,8 +2365,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.8/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/java.te	2009-03-10 08:25:54.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/apps/java.te	2009-03-11 15:26:01.000000000 -0400
-@@ -40,7 +40,7 @@
+@@ -20,6 +20,8 @@
 typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
 typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
 +role system_r types java_t;
 +
 type java_tmp_t;
 files_tmp_file(java_tmp_t)
 ubac_constrained(java_tmp_t)
@@ -40,7 +42,7 @@
 # Local policy
 #
@ -2373,7 +2384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow java_t self:fifo_file rw_fifo_file_perms;
 allow java_t self:tcp_socket create_socket_perms;
 allow java_t self:udp_socket create_socket_perms;
-@@ -80,6 +80,7 @@
+@@ -80,6 +82,7 @@
 dev_write_sound(java_t)
 dev_read_urand(java_t)
 dev_read_rand(java_t)
@ -2381,7 +2392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(java_t)
 files_read_usr_files(java_t)
-@@ -116,12 +117,13 @@
+@@ -116,12 +119,13 @@
 	allow java_t java_tmp_t:file execute;
@ -2396,7 +2407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	nis_use_ypbind(java_t)
 ')
-@@ -147,4 +149,11 @@
+@@ -147,4 +151,11 @@
 	unconfined_domain_noaudit(unconfined_java_t)
 	unconfined_dbus_chat(unconfined_java_t)
@ -4608,7 +4619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-03-02 16:51:45.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in	2009-03-10 08:25:54.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in	2009-03-11 15:16:21.000000000 -0400
@@ -65,10 +65,12 @@
 type server_packet_t, packet_type, server_packet_type;
@ -4730,6 +4741,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
@@ -208,6 +235,8 @@
 type node_t, node_type;
 sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
 +typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
 +
 # network_node examples:
 #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
 #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/kernel/domain.if	2009-03-10 08:25:54.000000000 -0400
@ -7307,7 +7327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +permissive afs_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/apache.fc	2009-03-10 09:38:57.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/apache.fc	2009-03-10 16:56:25.000000000 -0400
@@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -7395,7 +7415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
-+/var/www/svn/repo/db(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/services/apache.if	2009-03-10 08:25:54.000000000 -0400
@ -7933,7 +7953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/apache.te	2009-03-10 08:25:54.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/apache.te	2009-03-11 14:44:03.000000000 -0400
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -9959,7 +9979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/cron.te	2009-03-10 08:25:54.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/cron.te	2009-03-10 15:56:54.000000000 -0400
@@ -38,6 +38,10 @@
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
@ -9998,7 +10018,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
-@@ -103,6 +113,13 @@
+@@ -98,11 +108,18 @@
 # Type of user crontabs once moved to cron spool.
 type user_cron_spool_t, cron_spool_type;
 -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
 +typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 files_type(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
@ -15420,7 +15446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.8/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.8/policy/modules/services/oddjob.if	2009-03-10 08:25:54.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/oddjob.if	2009-03-11 15:20:43.000000000 -0400
@@ -44,6 +44,7 @@
 	')
@ -16276,7 +16302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.8/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/polkit.te	2009-03-10 08:25:54.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/polkit.te	2009-03-11 15:59:49.000000000 -0400
@@ -0,0 +1,237 @@
 +policy_module(polkit_auth, 1.0.0)
 +
@ -20290,7 +20316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te	2009-03-10 16:10:06.000000000 -0400
@@ -11,6 +11,9 @@
 domain_type(setroubleshootd_t)
 init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@ -21179,7 +21205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.8/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/ssh.te	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/ssh.te	2009-03-11 14:25:03.000000000 -0400
@@ -41,6 +41,9 @@
 files_tmp_file(sshd_tmp_t)
 files_poly_parent(sshd_tmp_t)
@ -21199,16 +21225,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 files_type(home_ssh_t)
 userdom_user_home_content(home_ssh_t)
-@@ -95,7 +98,7 @@
+@@ -95,8 +98,7 @@
 allow ssh_t self:sem create_sem_perms;
 allow ssh_t self:msgq create_msgq_perms;
 allow ssh_t self:msg { send receive };
 -allow ssh_t self:tcp_socket create_socket_perms;
 -allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
 +allow ssh_t self:tcp_socket create_stream_socket_perms;
 allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
 # Read the ssh key file.
-@@ -115,6 +118,7 @@
+ allow ssh_t sshd_key_t:file read_file_perms;
@@ -115,6 +117,7 @@
 manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
 manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
 userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
@ -21216,6 +21243,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Allow the ssh program to communicate with ssh-agent.
 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
@@ -131,6 +134,7 @@
 read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
 kernel_read_kernel_sysctls(ssh_t)
 +kernel_read_system_state(ssh_t)
 corenet_all_recvfrom_unlabeled(ssh_t)
 corenet_all_recvfrom_netlabel(ssh_t)
@@ -139,6 +143,8 @@
 corenet_tcp_sendrecv_all_ports(ssh_t)
 corenet_tcp_connect_ssh_port(ssh_t)
@ -21225,7 +21260,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_read_urand(ssh_t)
-@@ -173,6 +179,7 @@
+@@ -160,19 +166,19 @@
 logging_send_syslog_msg(ssh_t)
 logging_read_generic_logs(ssh_t)
 +auth_use_nsswitch(ssh_t)
 +
 miscfiles_read_localization(ssh_t)
 seutil_read_config(ssh_t)
 -sysnet_read_config(ssh_t)
 -sysnet_dns_name_resolve(ssh_t)
 -
 userdom_dontaudit_list_user_home_dirs(ssh_t)
 userdom_search_user_home_dirs(ssh_t)
 # Write to the user domain tty.
 userdom_use_user_terminals(ssh_t)
 # needs to read krb tgt
 userdom_read_user_tmp_files(ssh_t)
@ -21233,15 +21283,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`allow_ssh_keysign',`
 	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -202,6 +209,7 @@
+@@ -202,23 +208,13 @@
 # for port forwarding
 tunable_policy(`user_tcp_server',`
 	corenet_tcp_bind_ssh_port(ssh_t)
 -')
 -
 -optional_policy(`
 -	kerberos_use(ssh_t)
 -')
 -
 -optional_policy(`
 -	nis_use_ypbind(ssh_t)
 -')
 -
 -optional_policy(`
 -	nscd_socket_use(ssh_t)
 +	corenet_tcp_bind_generic_node(ssh_t)
 ')
 optional_policy(`
-@@ -310,6 +318,8 @@
+ 	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
 	xserver_domtrans_xauth(ssh_t)
 +	xserver_stream_connect(ssh_t)
 ')
 ########################################
@@ -310,6 +306,8 @@
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
@ -21250,7 +21318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_use_all_user_ptys(sshd_t)
 term_setattr_all_user_ptys(sshd_t)
 term_relabelto_all_user_ptys(sshd_t)
-@@ -318,16 +328,30 @@
+@@ -318,16 +316,30 @@
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
@ -21283,7 +21351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -349,7 +373,11 @@
+@@ -349,7 +361,11 @@
 ')
 optional_policy(`
@ -21296,7 +21364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_shell_domtrans(sshd_t)
 ')
-@@ -408,6 +436,8 @@
+@@ -408,6 +424,8 @@
 init_use_fds(ssh_keygen_t)
 init_use_script_ptys(ssh_keygen_t)
@ -21570,8 +21638,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.8/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/sssd.te	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/sssd.te	2009-03-10 19:51:47.000000000 -0400
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,63 @@
 +policy_module(sssd,1.0.0)
 +
 +########################################
@ -21598,11 +21666,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +# sssd local policy
 +#
 +allow sssd_t self:capability sys_nice;
 +allow sssd_t self:process { setsched signal getsched };
 +allow sssd_t tmp_t:dir { read getattr open };
 +
 +# Init script handling
 +domain_use_interactive_fds(sssd_t)
 +
 +# internal communication is often done using fifo and unix sockets.
 +allow sssd_t self:process signal;
 +allow sssd_t self:fifo_file rw_file_perms;
 +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
@ -21619,7 +21691,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +dev_read_urand(sssd_t)
 +
 +files_list_tmp(sssd_t)
 +files_read_etc_files(sssd_t)
 +files_read_usr_files(sssd_t)
 +
 +auth_use_nsswitch(sssd_t)
 +
 +miscfiles_read_localization(sssd_t)
 +
@ -22108,7 +22184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.8/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/virt.te	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/virt.te	2009-03-11 14:44:45.000000000 -0400
@@ -8,20 +8,18 @@
 ## <desc>
@ -22147,7 +22223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type virt_log_t;
 logging_log_file(virt_log_t)
-@@ -48,17 +50,37 @@
+@@ -48,17 +50,40 @@
 type virtd_initrc_exec_t;
 init_script_file(virtd_initrc_exec_t)
@ -22176,18 +22252,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
 -allow virtd_t self:process { getsched sigkill signal execmem };
-+allow virtd_t self:capability { dac_override kill net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
-+allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate };
+allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate setsched };
 allow virtd_t self:fifo_file rw_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 allow virtd_t self:tcp_socket create_stream_socket_perms;
 +manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
 +manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t)
 +allow virtd_t virt_image_t:file { relabelfrom relabelto };
 +allow virtd_t virt_image_t:blk_file { relabelfrom relabelto };
 +
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -67,7 +89,10 @@
+@@ -67,7 +92,10 @@
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -22199,7 +22278,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -96,7 +121,7 @@
+@@ -86,6 +114,7 @@
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
 kernel_load_module(virtd_t)
 +kernel_search_debugfs(virtd_t)
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
@@ -96,7 +125,7 @@
 corenet_tcp_sendrecv_generic_node(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_generic_node(virtd_t)
@ -22208,7 +22295,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_vnc_port(virtd_t)
 corenet_tcp_connect_vnc_port(virtd_t)
 corenet_tcp_connect_soundd_port(virtd_t)
-@@ -107,18 +132,31 @@
+@@ -104,21 +133,36 @@
 dev_read_sysfs(virtd_t)
 dev_read_rand(virtd_t)
 +dev_getattr_all_chr_files(virtd_t)
 # Init script handling
 domain_use_interactive_fds(virtd_t)
@ -22233,6 +22324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_list_auto_mountpoints(virtd_t)
 +fs_getattr_xattr_fs(virtd_t)
 +storage_manage_fixed_disk(virtd_t)
 storage_raw_write_removable_device(virtd_t)
 storage_raw_read_removable_device(virtd_t)
@ -22241,7 +22333,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_getattr_pty_fs(virtd_t)
 term_use_ptmx(virtd_t)
-@@ -129,7 +167,11 @@
+@@ -129,7 +173,11 @@
 logging_send_syslog_msg(virtd_t)
@ -22253,7 +22345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -167,22 +209,25 @@
+@@ -167,22 +215,33 @@
 	dnsmasq_domtrans(virtd_t)
 	dnsmasq_signal(virtd_t)
 	dnsmasq_kill(virtd_t)
@ -22270,12 +22362,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#	polkit_domtrans_resolve(virtd_t)
 -#')
 +optional_policy(`
-+	polkit_domtrans_auth(virtd_t)
+	kerberos_keytab_template(virtd, virtd_t)
-+	polkit_domtrans_resolve(virtd_t)
+')
 +
 +optional_policy(`
 +	lvm_domtrans(virtd_t)
 +')
 optional_policy(`
 -	qemu_domtrans(virtd_t)
 +	polkit_domtrans_auth(virtd_t)
 +	polkit_domtrans_resolve(virtd_t)
 +')
 +
 +optional_policy(`
 +	qemu_spec_domtrans(virtd_t, svirt_t)
 	qemu_read_state(virtd_t)
 	qemu_signal(virtd_t)
@ -22284,10 +22384,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -197,6 +242,69 @@
+@@ -198,5 +257,72 @@
 	xen_stream_connect_xenstore(virtd_t)
 ')
 optional_policy(`
 -	unconfined_domain(virtd_t)
 +	udev_domtrans(virtd_t)
 +')
 +
 +#optional_policy(`
 +#	unconfined_domain(virtd_t)
 +#')
@ -22351,8 +22455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_rw_image_files(svirt_t)
 +')
 +
- optional_policy(`
+optional_policy(`
 -	unconfined_domain(virtd_t)
 +	xen_rw_image_files(svirt_t)
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.8/policy/modules/services/w3c.te
@ -24631,7 +24734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/init.te	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/system/init.te	2009-03-11 11:57:43.000000000 -0400
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart,false)
@ -24894,7 +24997,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	unconfined_domain(initrc_t)
-@@ -768,6 +837,10 @@
+@@ -761,6 +830,8 @@
 		# system-config-services causes avc messages that should be dontaudited
 		unconfined_dontaudit_rw_pipes(daemon)
 	')
 +	# sudo service restart causes this 
 +	unconfined_signull(daemon)
 	optional_policy(`
 		mono_domtrans(initrc_t)
@@ -768,6 +839,10 @@
 ')
 optional_policy(`
@ -24905,7 +25017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	vmware_read_system_config(initrc_t)
 	vmware_append_system_config(initrc_t)
 ')
-@@ -790,3 +863,11 @@
+@@ -790,3 +865,11 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -25092,7 +25204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.8/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/iscsi.te	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/system/iscsi.te	2009-03-10 15:47:16.000000000 -0400
@@ -28,7 +28,7 @@
 # iscsid local policy
 #
@ -25111,6 +25223,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_lock_filetrans(iscsid_t,iscsi_lock_t,file)
 allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
@@ -55,6 +55,7 @@
 files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
 kernel_read_system_state(iscsid_t)
 +kernel_search_debugfs(iscsid_t)
 corenet_all_recvfrom_unlabeled(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
@@ -73,6 +74,6 @@
 logging_send_syslog_msg(iscsid_t)
 -miscfiles_read_localization(iscsid_t)
 +auth_use_nsswitch(iscsid_t)
 -sysnet_dns_name_resolve(iscsid_t)
 +miscfiles_read_localization(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/system/libraries.fc	2009-03-10 08:25:55.000000000 -0400
@ -27703,7 +27832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/unconfined.if	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/system/unconfined.if	2009-03-10 16:09:06.000000000 -0400
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -27983,7 +28112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/unconfined.te	2009-03-10 15:44:05.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/system/unconfined.te	2009-03-11 15:44:23.000000000 -0400
@@ -5,6 +5,35 @@
 #
 # Declarations
@ -28035,7 +28164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +allow unconfined_r system_r;
 +init_script_role_transition(unconfined_r)
 +role system_r types unconfined_t;
-+typealias unconfined_t alias unconfined_dbusd_t;
+typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t };
 type unconfined_execmem_t;
 -type unconfined_execmem_exec_t;
@ -28075,7 +28204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 libs_run_ldconfig(unconfined_t, unconfined_r)
-@@ -42,26 +94,46 @@
+@@ -42,26 +94,53 @@
 logging_run_auditctl(unconfined_t, unconfined_r)
 mount_run_unconfined(unconfined_t, unconfined_r)
@ -28091,6 +28220,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 +usermanage_run_passwd(unconfined_t, unconfined_r)
 +usermanage_run_chfn(unconfined_t, unconfined_r)
 +
 +tunable_policy(`unconfined_login',`
 +	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
 +	allow unconfined_t unconfined_login_domain:fd use;
@ -28099,6 +28231,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
 +	loadkeys_run(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
 +	nsplugin_role_notrans(unconfined_r, unconfined_t)
 +	tunable_policy(`allow_unconfined_nsplugin_transition',`
 +	      nsplugin_domtrans(unconfined_execmem_t)
@ -28124,7 +28260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -102,12 +174,24 @@
+@@ -102,12 +181,24 @@
 	')
 	optional_policy(`
@ -28149,7 +28285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -119,72 +203,80 @@
+@@ -119,72 +210,84 @@
 ')
 optional_policy(`
@ -28196,25 +28332,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 -	portmap_run_helper(unconfined_t, unconfined_r)
-+	prelink_run(unconfined_t, unconfined_r)
+	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
 ')
 optional_policy(`
 -	postfix_run_map(unconfined_t, unconfined_r)
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
-+	portmap_run_helper(unconfined_t, unconfined_r)
+	prelink_run(unconfined_t, unconfined_r)
 ')
 optional_policy(`
 -	pyzor_role(unconfined_r, unconfined_t)
-')
+	portmap_run_helper(unconfined_t, unconfined_r)
-+	qemu_role_notrans(unconfined_r, unconfined_t)
+ ')
 +	qemu_unconfined_role(unconfined_r)
-optional_policy(`
+ optional_policy(`
 -	# cjp: this should probably be removed:
 -	rpc_domtrans_nfsd(unconfined_t)
 +	qemu_role_notrans(unconfined_r, unconfined_t)
 +	qemu_unconfined_role(unconfined_r)
 +
 +	tunable_policy(`allow_unconfined_qemu_transition',`
 +		qemu_domtrans(unconfined_t)
 +	',`
@ -28249,7 +28387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -192,7 +284,7 @@
+@@ -192,7 +295,7 @@
 ')
 optional_policy(`
@ -28258,7 +28396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -204,11 +296,12 @@
+@@ -204,11 +307,12 @@
 ')
 optional_policy(`
@ -28273,7 +28411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -218,14 +311,61 @@
+@@ -218,14 +322,61 @@
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
@ -28298,7 +28436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	xserver_rw_shm(unconfined_execmem_t)
- ')
+')
 +
 +########################################
 +#
@ -28325,7 +28463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		type mozilla_exec_t;
 +	')
 +	domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
-+')
+ ')
 +')
 +
 +optional_policy(`
@ -30200,7 +30338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.8/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/userdomain.te	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/system/userdomain.te	2009-03-10 15:58:19.000000000 -0400
@@ -8,13 +8,6 @@
 ## <desc>
@ -30394,8 +30532,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.8/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/virtual.te	2009-03-10 08:25:55.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/system/virtual.te	2009-03-11 14:43:06.000000000 -0400
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,80 @@
 +
 +policy_module(virtualization, 1.1.2)
 +
@ -30456,6 +30594,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +auth_use_nsswitch(virtualdomain)
 +
 +logging_send_syslog_msg(virtualdomain)
 +
 +miscfiles_read_localization(virtualdomain)
 +
 +optional_policy(`