- Add anon_inodefs

- Allow unpriv user exec pam_exec_t - Fix trigger
2007-07-23 16:00:09 +00:00 · 2007-07-23 16:00:09 +00:00 · 2ced404c55
commit 2ced404c55
parent 779d23c7e4
2 changed files with 192 additions and 74 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -333,8 +333,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.3/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/admin/anaconda.te	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/admin/anaconda.te	2007-07-23 09:26:54.000000000 -0400
-@@ -37,10 +37,6 @@
+@@ -31,16 +31,13 @@
 modutils_domtrans_insmod(anaconda_t)
 seutil_domtrans_semanage(anaconda_t)
 +seutil_domtrans_setsebool(anaconda_t)
 unconfined_domain(anaconda_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
 optional_policy(`
@ -547,6 +554,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 role system_r types traceroute_t;
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.0.3/policy/modules/admin/portage.if
 --- nsaserefpolicy/policy/modules/admin/portage.if	2007-07-03 07:06:36.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/admin/portage.if	2007-07-23 09:28:12.000000000 -0400
@@ -324,6 +324,7 @@
 	seutil_domtrans_setfiles($1)
 	# run semodule
 	seutil_domtrans_semanage($1)
 +	seutil_domtrans_setsebool($1)
 	portage_domtrans_gcc_config($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-06-15 14:54:34.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/admin/prelink.te	2007-07-17 15:46:25.000000000 -0400
@ -806,7 +824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.3/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-07-03 07:06:36.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/admin/rpm.te	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/admin/rpm.te	2007-07-20 17:08:28.000000000 -0400
@@ -9,6 +9,8 @@
 type rpm_t;
 type rpm_exec_t;
@ -816,6 +834,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 domain_obj_id_change_exemption(rpm_t)
 domain_role_change_exemption(rpm_t)
 domain_system_change_exemption(rpm_t)
@@ -321,6 +323,7 @@
 seutil_domtrans_loadpolicy(rpm_script_t)
 seutil_domtrans_setfiles(rpm_script_t)
 seutil_domtrans_semanage(rpm_script_t)
 +seutil_domtrans_setsebool(rpm_script_t)
 userdom_use_all_users_fds(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.3/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/admin/sudo.if	2007-07-17 15:46:25.000000000 -0400
@ -1234,8 +1260,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.3/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/gnome.if	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/apps/gnome.if	2007-07-23 11:05:01.000000000 -0400
-@@ -33,6 +33,50 @@
+@@ -33,6 +33,51 @@
 ## </param>
 #
 template(`gnome_per_role_template',`
@ -1245,6 +1271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +	# Declarations
 +	#
 +	type $1_gnome_home_t;
 +	userdom_user_home_type($1_gnome_home_t)
 +	userdom_user_home_content($1, $1_gnome_home_t)
 +	manage_dirs_pattern($2,$1_gnome_home_t, $1_gnome_home_t)
 +	manage_files_pattern($2,$1_gnome_home_t, $1_gnome_home_t)
@ -1286,7 +1313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 	gen_require(`
 		type gconfd_exec_t;
 		attribute gnomedomain;
-@@ -51,9 +95,6 @@
+@@ -51,9 +96,6 @@
 	type $1_gconf_home_t;
 	userdom_user_home_content($1, $1_gconf_home_t)
@ -1296,7 +1323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 	type $1_gconf_tmp_t;
 	files_tmp_file($1_gconf_tmp_t)
-@@ -78,9 +119,6 @@
+@@ -78,9 +120,6 @@
 	allow $1_gconfd_t $2:fifo_file write;
 	allow $1_gconfd_t $2:unix_stream_socket connectto;
@ -1306,7 +1333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 	ps_process_pattern($2,$1_gconfd_t)
 	dev_read_urand($1_gconfd_t)
-@@ -101,9 +139,18 @@
+@@ -101,9 +140,18 @@
 	gnome_stream_connect_gconf_template($1,$2)
 	optional_policy(`
@ -1325,7 +1352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 	optional_policy(`
 		xserver_use_xdm_fds($1_gconfd_t)
 		xserver_rw_xdm_pipes($1_gconfd_t)
-@@ -136,13 +183,32 @@
+@@ -136,13 +184,32 @@
 	allow $2 $1_gconfd_t:unix_stream_socket connectto;
 ')
@ -1359,7 +1386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 ##	</p>
 ##	<p>
 ##	This is a templated interface, and should only
-@@ -171,6 +237,30 @@
+@@ -171,6 +238,30 @@
 ########################################
 ## <summary>
@ -1390,7 +1417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 ##	manage gnome homedir content (.config)
 ## </summary>
 ## <param name="userdomain_prefix">
-@@ -193,3 +283,23 @@
+@@ -193,3 +284,23 @@
 	allow $2 $1_gnome_home_t:dir manage_dir_perms;
 	allow $2 $1_gnome_home_t:file manage_file_perms;
 ')
@ -1406,7 +1433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +##	</summary>
 +## </param>
 +#
-+template(`gnome_exec_gconf',`
+interface(`gnome_exec_gconf',`
 +	gen_require(`
 +		type gconfd_exec_t;
 +	')
@ -1711,7 +1738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-20 17:26:25.000000000 -0400
@@ -36,6 +36,8 @@
 	gen_require(`
 		type mozilla_conf_t, mozilla_exec_t;
@ -1736,7 +1763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 	########################################
 	#
 	# Local policy
-@@ -97,15 +107,36 @@
+@@ -97,15 +107,37 @@
 	relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
 	relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
@ -1758,6 +1785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +	userdom_read_user_home_content_files($1,$1_mozilla_t)
 +	userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
 +	userdom_read_user_tmp_files($1,$1_mozilla_t)
 +	userdom_list_user_files($1,$1_mozilla_t)
 +	userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
 +	userdom_manage_user_tmp_files($1,$1_mozilla_t)
 +	userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
@ -1780,7 +1808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 	# Unrestricted inheritance from the caller.
 	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
-@@ -171,6 +202,8 @@
+@@ -171,6 +203,8 @@
 	fs_list_inotifyfs($1_mozilla_t)
 	fs_rw_tmpfs_files($1_mozilla_t)
@ -1789,7 +1817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 	term_dontaudit_getattr_pty_dirs($1_mozilla_t)
 	libs_use_ld_so($1_mozilla_t)
-@@ -186,12 +219,9 @@
+@@ -186,12 +220,9 @@
 	sysnet_dns_name_resolve($1_mozilla_t)
 	sysnet_read_config($1_mozilla_t)
@ -1805,7 +1833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
 	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
-@@ -213,133 +243,6 @@
+@@ -213,133 +244,6 @@
 		fs_manage_cifs_symlinks($1_mozilla_t)
 	')
@ -1939,7 +1967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 	optional_policy(`
 		apache_read_user_scripts($1,$1_mozilla_t)
 		apache_read_user_content($1,$1_mozilla_t)
-@@ -352,21 +255,23 @@
+@@ -352,21 +256,23 @@
 	optional_policy(`
 		cups_read_rw_config($1_mozilla_t)
 		cups_dbus_chat($1_mozilla_t)
@ -1966,7 +1994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 	')
 	optional_policy(`
-@@ -386,25 +291,6 @@
+@@ -386,25 +292,6 @@
 		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
 	')
@ -1992,7 +2020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 ')
 ########################################
-@@ -577,3 +463,27 @@
+@@ -577,3 +464,27 @@
 	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
 ')
@ -2272,7 +2300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.3/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/kernel/domain.if	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/kernel/domain.if	2007-07-20 16:52:28.000000000 -0400
@@ -45,6 +45,11 @@
 	# start with basic domain
 	domain_base_type($1)
@ -2552,6 +2580,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +	allow $1 root_t:dir rw_dir_perms;
 +	allow $1 root_t:file { create getattr write };
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.3/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/kernel/filesystem.te	2007-07-23 10:44:40.000000000 -0400
@@ -43,6 +43,12 @@
 #
 # Non-persistent/pseudo filesystems
 #
 +
 +type anon_inodefs_t;
 +fs_type(anon_inodefs_t)
 +files_mountpoint(anon_inodefs_t)
 +genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
 +
 type bdev_t;
 fs_type(bdev_t)
 genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.3/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/kernel/kernel.if	2007-07-17 15:46:25.000000000 -0400
@ -4598,8 +4642,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.3/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/dovecot.fc	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/services/dovecot.fc	2007-07-23 09:12:16.000000000 -0400
-@@ -17,10 +17,12 @@
+@@ -17,16 +17,19 @@
 ifdef(`distro_debian', `
 /usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@ -4612,6 +4656,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 ')
 #
 # /var
 #
 /var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
 +/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.3/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/services/dovecot.if	2007-07-17 15:46:25.000000000 -0400
@ -4967,7 +5018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-07-03 07:06:26.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/hal.te	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/services/hal.te	2007-07-20 15:18:42.000000000 -0400
@@ -22,6 +22,12 @@
 type hald_log_t;
 files_type(hald_log_t)
@ -5007,7 +5058,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
-@@ -180,6 +191,7 @@
+@@ -163,6 +174,7 @@
 #hal runs shutdown, probably need a shutdown domain
 init_rw_utmp(hald_t)
 init_telinit(hald_t)
 +init_dontaudit_use_fds(hald_t)
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)
@@ -180,6 +192,7 @@
 seutil_read_config(hald_t)
 seutil_read_default_contexts(hald_t)
@ -5015,7 +5074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 sysnet_read_config(hald_t)
-@@ -187,6 +199,7 @@
+@@ -187,6 +200,7 @@
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 optional_policy(`
@ -5023,7 +5082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 	alsa_read_rw_config(hald_t)
 ')
-@@ -228,6 +241,10 @@
+@@ -228,6 +242,10 @@
 	optional_policy(`
 		networkmanager_dbus_chat(hald_t)
 	')
@ -5034,7 +5093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 ')
 optional_policy(`
-@@ -296,7 +313,10 @@
+@@ -296,7 +314,10 @@
 corecmd_exec_bin(hald_acl_t)
 dev_getattr_all_chr_files(hald_acl_t)
@ -5045,7 +5104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 dev_setattr_sound_dev(hald_acl_t)
 dev_setattr_generic_usb_dev(hald_acl_t)
 dev_setattr_usbfs_files(hald_acl_t)
-@@ -358,3 +378,25 @@
+@@ -358,3 +379,25 @@
 libs_use_shared_libs(hald_sonypic_t)
 miscfiles_read_localization(hald_sonypic_t)
@ -6185,7 +6244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.3/policy/modules/services/radius.te
 --- nsaserefpolicy/policy/modules/services/radius.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/radius.te	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/services/radius.te	2007-07-23 10:49:33.000000000 -0400
@@ -82,6 +82,7 @@
 auth_read_shadow(radiusd_t)
@ -6194,6 +6253,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
 corecmd_exec_bin(radiusd_t)
 corecmd_exec_shell(radiusd_t)
@@ -99,6 +100,7 @@
 logging_send_syslog_msg(radiusd_t)
 miscfiles_read_localization(radiusd_t)
 +miscfiles_read_certs(radiusd_t)
 sysnet_read_config(radiusd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.3/policy/modules/services/rhgb.te
 --- nsaserefpolicy/policy/modules/services/rhgb.te	2007-07-03 07:06:27.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/services/rhgb.te	2007-07-17 15:46:25.000000000 -0400
@ -6994,7 +7061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/xserver.if	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/services/xserver.if	2007-07-23 11:02:03.000000000 -0400
@@ -353,12 +353,6 @@
 	# allow ps to show xauth
 	ps_process_pattern($2,$1_xauth_t)
@ -7042,7 +7109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-@@ -555,25 +555,47 @@
+@@ -555,25 +555,46 @@
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
@ -7056,10 +7123,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	userdom_search_user_home_dirs($1,$2)
 -	# for .xsession-errors
 -	userdom_dontaudit_write_user_home_content_files($1,$2)
 -
 +	userdom_manage_user_home_content_dirs($1, xdm_t)
 +	userdom_manage_user_home_content_files($1, xdm_t)
 +	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
 	xserver_ro_session_template(xdm,$2,$3)
 -	xserver_rw_session_template($1,$2,$3)
 -	xserver_use_user_fonts($1,$2)
@ -7076,8 +7143,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +		userdom_read_all_users_home_content_files(xdm_t)
 +		userdom_read_all_users_home_content_files(xdm_xserver_t)
 +#Compiler is broken so these wont work
-+#		gnome_read_user_gnome_config($1, xdm_t)
+		gnome_read_user_gnome_config($1, xdm_t)
-+#		gnome_read_user_gnome_config($1, xdm_xserver_t)
+		gnome_read_user_gnome_config($1, xdm_xserver_t)
 +	')
 +
 +	# Read .Xauthority file
@ -7098,7 +7165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	')
 ')
-@@ -626,6 +648,24 @@
+@@ -626,6 +647,24 @@
 ########################################
 ## <summary>
@ -7123,7 +7190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -659,6 +699,73 @@
+@@ -659,6 +698,73 @@
 ########################################
 ## <summary>
@ -7197,7 +7264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -1136,7 +1243,7 @@
+@@ -1136,7 +1242,7 @@
 		type xdm_xserver_tmp_t;
 	')
@ -7206,7 +7273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -1325,3 +1432,44 @@
+@@ -1325,3 +1431,44 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
@ -7549,7 +7616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.3/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/authlogin.if	2007-07-20 11:12:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/system/authlogin.if	2007-07-20 14:51:53.000000000 -0400
@@ -27,7 +27,8 @@
 	domain_type($1_chkpwd_t)
 	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
@ -8038,14 +8105,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.3/policy/modules/system/fusermount.fc
 --- nsaserefpolicy/policy/modules/system/fusermount.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.3/policy/modules/system/fusermount.fc	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/system/fusermount.fc	2007-07-23 08:11:14.000000000 -0400
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,7 @@
 +# fusermount executable will have:
 +# label: system_u:object_r:fusermount_exec_t
 +# MLS sensitivity: s0
 +# MCS categories: <none>
 +
 +/usr/bin/fusermount		--	gen_context(system_u:object_r:fusermount_exec_t,s0)
 +/bin/fusermount		--	gen_context(system_u:object_r:fusermount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-3.0.3/policy/modules/system/fusermount.if
 --- nsaserefpolicy/policy/modules/system/fusermount.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.3/policy/modules/system/fusermount.if	2007-07-17 15:46:25.000000000 -0400
@ -9033,13 +9101,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 /var/spool/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.3/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/modutils.te	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/system/modutils.te	2007-07-23 09:23:58.000000000 -0400
@@ -43,7 +43,7 @@
 # insmod local policy
 #
 -allow insmod_t self:capability { dac_override net_raw sys_tty_config };
-+allow insmod_t self:capability { dac_override mknod net_raw sys_tty_config };
+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 allow insmod_t self:udp_socket create_socket_perms; 
@ -10301,7 +10369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 11:53:11.000000000 -0400
@@ -29,90 +29,99 @@
 	')
@ -10845,12 +10913,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	kernel_get_sysvipc_info($1_t)
 -	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
-+	kernel_get_sysvipc_info($1_usertype)
+-
 -	corenet_udp_bind_all_nodes($1_t)
 -	corenet_udp_bind_generic_port($1_t)
-+	corenet_udp_bind_all_nodes($1_usertype)
+	kernel_get_sysvipc_info($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
 -	dev_read_sysfs($1_t)
 -	dev_read_rand($1_t)
@ -10859,7 +10925,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	dev_read_sound($1_t)
 -	dev_read_sound_mixer($1_t)
 -	dev_write_sound_mixer($1_t)
-
+	corenet_udp_bind_all_nodes($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
 -	domain_use_interactive_fds($1_t)
 -	# Command completion can fire hundreds of denials
 -	domain_dontaudit_exec_all_entry_files($1_t)
@ -10925,10 +10993,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	# Stop warnings about access to /dev/console
 -	init_dontaudit_use_fds($1_t)
 -	init_dontaudit_use_script_fds($1_t)
 -
 -	libs_exec_lib_files($1_t)
 +	storage_getattr_fixed_disk_dev($1_usertype)
 -	libs_exec_lib_files($1_t)
 -
 -	logging_dontaudit_getattr_all_logs($1_t)
 -
 -	miscfiles_read_man_pages($1_t)
@ -11317,12 +11385,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	domain_interactive_fd($1_t)
 	typeattribute $1_devpts_t user_ptynode;
-@@ -985,36 +1038,66 @@
+@@ -985,36 +1038,68 @@
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
 -	userdom_poly_home_template($1)
 -	userdom_poly_tmp_template($1)
 +	auth_exec_pam($1_t)
 +
 +	optional_policy(`
 +		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 +	')
@ -11398,7 +11468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		')
 	')
-@@ -1028,16 +1111,8 @@
+@@ -1028,16 +1113,8 @@
 	# the same domain and outside users)  disabling this forces FTP passive mode
 	# and may change other protocols
 	tunable_policy(`user_tcp_server',`
@ -11417,7 +11487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	optional_policy(`
-@@ -1054,17 +1129,6 @@
+@@ -1054,17 +1131,6 @@
 		setroubleshoot_stream_connect($1_t)
 	')
@ -11435,7 +11505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 #######################################
-@@ -1102,6 +1166,8 @@
+@@ -1102,6 +1168,8 @@
 		class passwd { passwd chfn chsh rootok crontab };
 	')
@ -11444,7 +11514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	##############################
 	#
 	# Declarations
-@@ -1127,7 +1193,7 @@
+@@ -1127,7 +1195,7 @@
 	# $1_t local policy
 	#
@ -11453,7 +11523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow $1_t self:process { setexec setfscreate };
 	# Set password information for other users.
-@@ -1139,8 +1205,6 @@
+@@ -1139,8 +1207,6 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
@ -11462,7 +11532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
-@@ -1902,6 +1966,41 @@
+@@ -1902,6 +1968,41 @@
 ########################################
 ## <summary>
@ -11504,7 +11574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Do not audit attempts to set the
 ##	attributes of user home files.
 ## </summary>
-@@ -3078,7 +3177,7 @@
+@@ -3078,7 +3179,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
@ -11513,7 +11583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5422,7 @@
+@@ -5323,7 +5424,7 @@
 		attribute user_tmpfile;
 	')
@ -11522,7 +11592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5548,6 +5647,26 @@
+@@ -5548,6 +5649,26 @@
 ########################################
 ## <summary>
@ -11549,7 +11619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Unconfined access to user domains.  (Deprecated)
 ## </summary>
 ## <param name="domain">
-@@ -5559,3 +5678,191 @@
+@@ -5559,3 +5680,234 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -11617,6 +11687,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +########################################
 +## <summary>
 +##	allow getattr all user file type
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`userdom_list_user_files',`
 +	gen_require(`
 +		attribute $1_file_type;
 +	')
 +
 +	allow $2 $1_file_type:dir search_dir_perms;
 +	allow $2 $1_file_type:file getattr;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to write to homedirs of sysadm users 
 +##	home directory.
 +## </summary>
@ -11695,10 +11785,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +template(`userdom_unpriv_xwindows_login_user', `
 +
 +userdom_unpriv_login_user($1)
 +# Should be optional but policy will not build because of compiler problems
 +# Must be before xwindows calls
 +#optional_policy(`
 +	gnome_per_role_template($1, $1_usertype, $1_r)
 +	gnome_exec_gconf($1_t)
 +#')
 +
 +userdom_xwindows_client_template($1)
 +allow xguest_usertype xguest_usertype:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +auth_exec_pam($1_t)
 +logging_send_syslog_msg($1_usertype)
 +
 +optional_policy(`
@ -11717,11 +11813,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 +
 +optional_policy(`
 +	gnome_per_role_template($1, $1_usertype, $1_r)
 +	gnome_exec_gconf($1_t)
 +')
 +
 +optional_policy(`
 +	java_per_role_template($1, $1_t, $1_r)
 +')
 +
@ -11741,6 +11832,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +dev_dontaudit_read_rand($1_usertype)
 +
 +')
 +
 +########################################
 +## <summary>
 +##	Identify specified type as being in a users home directory
 +## </summary>
 +## <desc>
 +##	<p>
 +##	Make the specified type a home type.
 +##	</p>
 +## </desc>
 +## <param name="type">
 +##	<summary>
 +##	Type to be used as a home directory type.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_user_home_type',`
 +	gen_require(`
 +		attribute user_home_type;
 +	')
 +	typeattribute $1 user_home_type;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.3/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-07-03 07:06:32.000000000 -0400
 +++ serefpolicy-3.0.3/policy/modules/system/userdomain.te	2007-07-17 15:46:25.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -293,13 +293,13 @@ semodule -r moilscanner 2>/dev/null
 %relabel targeted
 exit 0
-%triggerpostun targeted -- selinux-policy-targeted < 3.0.3.2
+%triggerpostun targeted -- selinux-policy-targeted <= 3.0.3-4
 setsebool -P use_nfs_home_dirs=1
 restorecon -R /root /etc/selinux/targeted 2> /dev/null
 semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 2> /dev/null
-semanage user -a -P guest -R guest_r guest_u
+semanage user -a -P guest -R guest_r guest_u 2> /dev/null
 semanage user -a -P xguest -R xguest_r xguest_u 
 restorecon -R /root 2> /dev/null
 exit 0
 %files targeted
@ -359,6 +359,11 @@ exit 0
 %endif
 %changelog
 * Fri Jul 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-4
 - Add anon_inodefs
 - Allow unpriv user exec pam_exec_t
 - Fix trigger
 * Fri Jul 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-3
 - Allow cups to use generic usb
 - fix inetd to be able to run random apps (git)