patch from dan Mon, 12 Jun 2006 15:32:00 -0400

2006-06-12 21:36:38 +00:00 · 2006-06-12 21:36:38 +00:00 · 2dbd382425
commit 2dbd382425
parent c546864b81
28 changed files with 123 additions and 70 deletions
--- a/refpolicy/config/appconfig-strict-mls/default_type
+++ b/refpolicy/config/appconfig-strict-mls/default_type
@ -2,3 +2,4 @@ sysadm_r:sysadm_t
 secadm_r:secadm_t
 staff_r:staff_t
 user_r:user_t
 auditadm_r:auditadm_t
--- a/refpolicy/policy/modules/admin/prelink.fc
+++ b/refpolicy/policy/modules/admin/prelink.fc
@ -3,6 +3,6 @@
 /usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
-/var/lib/misc/prelink\.*		--	gen_context(system_u:object_r:prelink_cache_t,s0)
+/var/lib/misc/prelink\..*	--	gen_context(system_u:object_r:prelink_cache_t,s0)
 /var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@ -1,5 +1,5 @@
-policy_module(prelink,1.1.2)
+policy_module(prelink,1.1.3)
 ########################################
 #
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@ -1,5 +1,5 @@
-policy_module(rpm,1.3.7)
+policy_module(rpm,1.3.8)
 ########################################
 #
@ -341,9 +341,9 @@ ifdef(`targeted_policy',`
 	optional_policy(`
 		mono_domtrans(rpm_script_t)
 	')
-',`
+
 	optional_policy(`
-		bootloader_domtrans(rpm_script_t)
+		unconfined_domtrans(rpm_script_t)
 	')
 ')
@ -357,6 +357,10 @@ tunable_policy(`allow_execmem',`
 	allow rpm_script_t self:process execmem;
 ')
 optional_policy(`
 	bootloader_domtrans(rpm_script_t)
 ')
 optional_policy(`
 	nis_use_ypbind(rpm_script_t)
 ')
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@ -1,5 +1,5 @@
-policy_module(webalizer,1.2.1)
+policy_module(webalizer,1.2.2)
 ########################################
 #
@ -44,6 +44,7 @@ allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
 allow webalizer_t self:unix_dgram_socket sendto;
 allow webalizer_t self:unix_stream_socket connectto;
 allow webalizer_t self:tcp_socket connected_stream_socket_perms;
 allow webalizer_t self:udp_socket { connect connected_socket_perms };
 allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
 allow webalizer_t webalizer_etc_t:file { getattr read };
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.8)
+policy_module(filesystem,1.3.9)
 ########################################
 #
@ -23,7 +23,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
@ -174,6 +174,7 @@ genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
 ########################################
 #
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@
-policy_module(kernel,1.3.10)
+policy_module(kernel,1.3.11)
 ########################################
 #
@ -28,6 +28,7 @@ role user_r;
 ifdef(`enable_mls',`
 	role secadm_r;
 	role auditadm_r;
 ')
 #
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@ -1,5 +1,5 @@
-policy_module(automount,1.2.5)
+policy_module(automount,1.2.6)
 ########################################
 #
@ -30,7 +30,7 @@ files_mountpoint(automount_tmp_t)
 allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
 dontaudit automount_t self:capability sys_tty_config;
-allow automount_t self:process { signal_perms getpgid setpgid setsched };
+allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
 allow automount_t self:fifo_file rw_file_perms;
 allow automount_t self:unix_stream_socket create_socket_perms;
 allow automount_t self:unix_dgram_socket create_socket_perms;
@ -58,9 +58,11 @@ allow automount_t automount_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(automount_t,automount_var_run_t,file)
 kernel_read_kernel_sysctls(automount_t)
 kernel_read_irq_sysctls(automount_t)
 kernel_read_fs_sysctls(automount_t)
 kernel_read_proc_symlinks(automount_t)
 kernel_read_system_state(automount_t)
 kernel_read_network_state(automount_t)
 kernel_list_proc(automount_t)
 files_search_boot(automount_t)
@ -92,6 +94,7 @@ dev_read_sysfs(automount_t)
 dev_read_urand(automount_t)
 domain_use_interactive_fds(automount_t)
 domain_dontaudit_read_all_domains_state(automount_t)
 files_dontaudit_write_var_dirs(automount_t)
 files_getattr_all_dirs(automount_t)
@ -104,11 +107,14 @@ files_getattr_isid_type_dirs(automount_t)
 files_getattr_default_dirs(automount_t)
 # because config files can be shell scripts
 files_exec_etc_files(automount_t)
 files_mounton_mnt(automount_t)
 fs_getattr_all_fs(automount_t)
 fs_getattr_all_dirs(automount_t)
 fs_search_auto_mountpoints(automount_t)
 fs_manage_auto_mountpoints(automount_t)
 fs_unmount_autofs(automount_t)
 fs_mount_autofs(automount_t)
 term_dontaudit_use_console(automount_t)
 term_dontaudit_getattr_pty_dirs(automount_t)
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -1,5 +1,5 @@
-policy_module(cron,1.3.8)
+policy_module(cron,1.3.9)
 gen_require(`
 	class passwd rootok;
@ -353,6 +353,7 @@ ifdef(`targeted_policy',`
 	tunable_policy(`cron_can_relabel',`
 		seutil_domtrans_setfiles(system_crond_t)
 		seutil_domtrans_restorecon(system_crond_t)
 	',`
 		selinux_get_fs_mount(system_crond_t)
 		selinux_validate_context(system_crond_t)
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@ -1,5 +1,5 @@
-policy_module(cups,1.3.7)
+policy_module(cups,1.3.8)
 ########################################
 #
@ -629,6 +629,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_files(hplip_t)
 ')
 optional_policy(`
 	mount_send_nfs_client_request(hplip_t)
 ')
 optional_policy(`
 	seutil_sigchld_newrole(hplip_t)
 ')
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@ -1,5 +1,5 @@
-policy_module(ftp,1.2.5)
+policy_module(ftp,1.2.6)
 ########################################
 #
@ -57,8 +57,9 @@ allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
 allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
 fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-allow ftpd_t ftpd_var_run_t:file create_file_perms;
+allow ftpd_t ftpd_var_run_t:file manage_file_perms;
 allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
 allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms;
 files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
 # Create and modify /var/log/xferlog.
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@ -1,5 +1,5 @@
-policy_module(hal,1.3.8)
+policy_module(hal,1.3.9)
 ########################################
 #
@ -114,6 +114,8 @@ term_dontaudit_use_console(hald_t)
 term_dontaudit_use_generic_ptys(hald_t)
 term_use_unallocated_ttys(hald_t)
 auth_use_nsswitch(hald_t)
 init_use_fds(hald_t)
 init_use_script_ptys(hald_t)
 init_domtrans_script(hald_t)
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@ -1,5 +1,5 @@
-policy_module(kerberos,1.1.2)
+policy_module(kerberos,1.1.3)
 ########################################
 #
@ -188,6 +188,7 @@ kernel_read_system_state(krb5kdc_t)
 kernel_read_kernel_sysctls(krb5kdc_t)
 kernel_list_proc(krb5kdc_t)
 kernel_read_proc_symlinks(krb5kdc_t)
 kernel_read_network_state(krb5kdc_t)
 corenet_non_ipsec_sendrecv(krb5kdc_t)
 corenet_tcp_sendrecv_all_if(krb5kdc_t)
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@ -1,5 +1,5 @@
-policy_module(mysql,1.2.3)
+policy_module(mysql,1.2.4)
 ########################################
 #
@ -34,7 +34,6 @@ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bin
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file { read write };
 allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
@ -91,6 +90,8 @@ files_read_etc_files(mysqld_t)
 files_read_usr_files(mysqld_t)
 files_search_var_lib(mysqld_t)
 auth_use_nsswitch(mysqld_t)
 init_use_fds(mysqld_t)
 init_use_script_ptys(mysqld_t)
@ -101,7 +102,6 @@ logging_send_syslog_msg(mysqld_t)
 miscfiles_read_localization(mysqld_t)
 sysnet_use_ldap(mysqld_t)
 sysnet_read_config(mysqld_t)
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.3)
+policy_module(networkmanager,1.3.4)
 ########################################
 #
@ -160,6 +160,10 @@ optional_policy(`
 	nscd_signal(NetworkManager_t)
 ')
 optional_policy(`
 	ppp_domtrans(NetworkManager_t)
 ')
 optional_policy(`
 	seutil_sigchld_newrole(NetworkManager_t)
 ')
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@ -1,5 +1,5 @@
-policy_module(ntp,1.1.1)
+policy_module(ntp,1.1.2)
 ########################################
 #
@ -86,6 +86,8 @@ fs_search_auto_mountpoints(ntpd_t)
 term_dontaudit_use_console(ntpd_t)
 auth_use_nsswitch(ntpd_t)
 corecmd_exec_bin(ntpd_t)
 corecmd_exec_sbin(ntpd_t)
 corecmd_exec_ls(ntpd_t)
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@ -1,5 +1,5 @@
-policy_module(procmail,1.2.2)
+policy_module(procmail,1.2.3)
 ########################################
 #
@ -76,6 +76,10 @@ ifdef(`targeted_policy', `
 	files_getattr_tmp_dirs(procmail_t)
 ')
 optional_policy(`
 	clamav_domtrans_clamscan(procmail_t)
 ')
 optional_policy(`
 	logging_send_syslog_msg(procmail_t)
 ')
--- a/refpolicy/policy/modules/services/pyzor.te
+++ b/refpolicy/policy/modules/services/pyzor.te
@ -1,5 +1,5 @@
-policy_module(pyzor,1.0.3)
+policy_module(pyzor,1.0.4)
 ########################################
 #
@ -119,6 +119,10 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t)
 mta_manage_spool(pyzord_t)
 ifdef(`targeted_policy',`
 	userdom_read_generic_user_home_content_files(pyzord_t)
 ')
 optional_policy(`
 	logging_send_syslog_msg(pyzord_t)
 ')
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@ -1,5 +1,5 @@
-policy_module(xfs,1.0.2)
+policy_module(xfs,1.0.3)
 ########################################
 #
@ -58,6 +58,8 @@ files_read_usr_files(xfs_t)
 term_dontaudit_use_console(xfs_t)
 auth_use_nsswitch(xfs_t)
 init_use_fds(xfs_t)
 init_use_script_ptys(xfs_t)
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -1284,6 +1284,8 @@ interface(`auth_use_nsswitch',`
 		type var_auth_t;
 	')
 	allow $1 self:netlink_route_socket r_netlink_socket_perms;
 	allow $1 var_auth_t:dir r_dir_perms;
 	allow $1 var_auth_t:file create_file_perms;
 	files_list_var_lib($1)
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.4)
+policy_module(authlogin,1.3.5)
 ########################################
 #
--- a/refpolicy/policy/modules/system/logging.fc
+++ b/refpolicy/policy/modules/system/logging.fc
@ -1,8 +1,7 @@
-/dev/log			-s	gen_context(system_u:object_r:devlog_t,s0)
+/dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
-/etc/auditd.conf		--	gen_context(system_u:object_r:auditd_etc_t,s0)
+/etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
 /etc/audit.rules		--	gen_context(system_u:object_r:auditd_etc_t,s0)
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
@ -25,7 +24,7 @@ ifdef(`distro_suse', `
 /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
-/var/log			-d	gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
+/var/log		-d	gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
 /var/log/audit.log	--	gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@ -1,5 +1,5 @@
-policy_module(logging,1.3.6)
+policy_module(logging,1.3.7)
 ########################################
 #
@ -70,6 +70,7 @@ libs_use_shared_libs(auditctl_t)
 allow auditctl_t etc_t:file { getattr read };
 allow auditctl_t auditd_etc_t:dir r_dir_perms;
 allow auditctl_t auditd_etc_t:file r_file_perms;
 # Needed for adding watches
@ -111,6 +112,7 @@ allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 allow auditd_t self:fifo_file rw_file_perms;
 allow auditd_t auditd_etc_t:dir r_dir_perms;
 allow auditd_t auditd_etc_t:file r_file_perms;
 allow auditd_t auditd_log_t:dir rw_dir_perms;
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.7)
+policy_module(selinuxutil,1.2.8)
 gen_require(`
 	bool secure_mode;
@ -115,6 +115,9 @@ files_type(semanage_store_t)
 type semanage_read_lock_t;
 files_type(semanage_read_lock_t)
 type semanage_tmp_t; 
 files_tmp_file(semanage_tmp_t)
 type semanage_trans_lock_t; 
 files_type(semanage_trans_lock_t)
@ -531,12 +534,17 @@ ifdef(`targeted_policy',`',`
 # semodule local policy
 #
 allow semanage_t self:capability dac_override;
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow semanage_t policy_config_t:file { read write };
 allow semanage_t semanage_tmp_t:dir create_dir_perms;
 allow semanage_t semanage_tmp_t:file create_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -473,35 +473,6 @@ template(`base_user_template',`
 		# gnome-session creates socket under /tmp/.ICE-unix/
 		xserver_create_xdm_tmp_sockets($1_t)
 	')
 	ifdef(`TODO',`
 	#
 	# Cups daemon running as user tries to write /etc/printcap
 	#
 	dontaudit $1_t usr_t:file setattr;
 	# /initrd is left mounted, various programs try to look at it
 	dontaudit $1_t ramfs_t:dir getattr;
 	#
 	# Running ifconfig as a user generates the following
 	#
 	dontaudit $1_t sysctl_net_t:dir search;
 	r_dir_file($1_t, usercanread)
 	# old browser_domain():
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
 	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
 	allow $1_t usbtty_device_t:chr_file read;
 	ifdef(`xdm.te', `
 		allow $1_t xdm_var_lib_t:file r_file_perms;
 	')
 	') dnl endif TODO
 ')
 #######################################
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -1,11 +1,12 @@
-policy_module(userdomain,1.3.27)
+policy_module(userdomain,1.3.28)
 gen_require(`
 	role sysadm_r, staff_r, user_r;
 	ifdef(`enable_mls',`
 		role secadm_r;
 		role auditadm_r;
 	')
 ')
@ -67,6 +68,7 @@ ifdef(`targeted_policy',`
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
 	unconfined_alias_domain(secadm_t)
 	unconfined_alias_domain(auditadm_t)
 	unconfined_alias_domain(sysadm_t)
 	# User home directory type.
@ -82,6 +84,7 @@ ifdef(`targeted_policy',`
 	# compatibility for switching from strict
 #	dominance { role secadm_r { role system_r; }}
 #	dominance { role auditadm_r { role system_r; }}
 #	dominance { role sysadm_r { role system_r; }}
 #	dominance { role user_r { role system_r; }}
 #	dominance { role staff_r { role system_r; }}
@ -105,8 +108,10 @@ ifdef(`targeted_policy',`
 	ifdef(`enable_mls',`
 		allow secadm_r system_r;
 		allow auditadm_r system_r;
 		allow secadm_r user_r;
 		allow staff_r secadm_r;
 		allow staff_r auditadm_r;
 	')
 	optional_policy(`
@ -126,9 +131,19 @@ ifdef(`targeted_policy',`
 	role_change(staff, sysadm)
 	ifdef(`enable_mls',`
-		admin_user_template(secadm)
+		unpriv_user_template(secadm)
 		unpriv_user_template(auditadm)
 		role_change(staff,auditadm)
 		role_change(staff,secadm)
 		role_change(sysadm,secadm)
 		role_change(sysadm,auditadm)
 		role_change(auditadm,secadm)
 		role_change(auditadm,sysadm)
 		role_change(secadm,auditadm)
 		role_change(secadm,sysadm)
 	')
@ -172,19 +187,33 @@ ifdef(`targeted_policy',`
 	')
 	ifdef(`enable_mls',`
 		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
 		domain_kill_all_domains(auditadm_t)
 	        seutil_read_bin_policy(auditadm_t)
 		corecmd_exec_shell(auditadm_t)
 	        logging_read_generic_logs(auditadm_t)
 		logging_manage_audit_log(auditadm_t)
 		logging_manage_audit_config(auditadm_t)
 		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
 		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
 		allow secadm_t self:capability dac_override;
 		corecmd_exec_shell(secadm_t)
 		domain_obj_id_change_exemption(secadm_t)
 		mls_process_read_up(secadm_t)
 		mls_file_read_up(secadm_t)
 		mls_file_write_down(secadm_t)
 		mls_file_upgrade(secadm_t)
 		mls_file_downgrade(secadm_t)
 	        auth_relabel_all_files_except_shadow(secadm_t)
 		auth_relabel_shadow(secadm_t)
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
-		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+	        logging_read_generic_logs(secadm_t)
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 		files_relabel_all_files(secadm_t)
 		auth_relabel_shadow(secadm_t)
 	', `
-		logging_read_audit_log(sysadm_t)
+		logging_manage_audit_log(sysadm_t)
 		logging_manage_audit_config(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
 	')
@ -252,6 +281,7 @@ ifdef(`targeted_policy',`
 		ifdef(`enable_mls',`
 			consoletype_exec(secadm_t)
 			consoletype_exec(auditadm_t)
 		')
 	')
@ -270,6 +300,7 @@ ifdef(`targeted_policy',`
 		ifdef(`enable_mls',`
 			dmesg_exec(secadm_t)
 			dmesg_exec(auditadm_t)
 		')
 	')
--- a/refpolicy/policy/rolemap
+++ b/refpolicy/policy/rolemap
@ -15,5 +15,6 @@ ifdef(`strict_policy',`
 	ifdef(`enable_mls',`
 		secadm_r secadm secadm_t
 		auditadm_r auditadm auditadm_t
 	')
 ')
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@ -29,7 +29,7 @@ ifdef(`targeted_policy',`
 gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
@ -44,8 +44,8 @@ ifdef(`targeted_policy',`
 	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')