- Add cyphesis policy

policy-20071130.patch

@@ -6716,7 +6716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-02-26 21:27:47.000000000 -0500
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -6739,7 +6739,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  
  # create child processes in the domain
  allow domain self:process { fork sigchld };
-@@ -140,7 +148,7 @@
+@@ -96,6 +104,7 @@
+ 
+ # list the root directory
+ files_list_root(domain)
++files_getattr_all_dirs(domain)
+ 
+ tunable_policy(`global_ssp',`
+ 	# enable reading of urandom for all domains:
+@@ -140,7 +149,7 @@
  
  # For /proc/pid
  allow unconfined_domain_type domain:dir list_dir_perms;
@@ -6748,7 +6756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  
  # act on all domains keys
-@@ -148,3 +156,27 @@
+@@ -148,3 +157,27 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)