- Fixes for hald_mac

- Treat unconfined_home_dir_t as a home dir - dontaudit rhgb writes to fonts and root
2007-10-19 21:21:40 +00:00 · 2007-10-19 21:21:40 +00:00 · 30dfdc7f05
parent 3375c34d9a
commit 30dfdc7f05
2 changed files with 318 additions and 74 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -1039,7 +1039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t
 # Init script handling
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te	2007-10-08 10:28:20.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te	2007-10-19 15:49:45.000000000 -0400
@@ -8,9 +8,11 @@
 type consoletype_t;
@ -1470,7 +1470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.8/policy/modules/admin/kudzu.te
 --- nsaserefpolicy/policy/modules/admin/kudzu.te	2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te	2007-10-19 15:11:04.000000000 -0400
@@ -21,8 +21,8 @@
 # Local policy
 #
@ -1482,7 +1482,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -103,6 +103,8 @@
+@@ -68,6 +68,7 @@
 modutils_read_module_deps(kudzu_t)
 modutils_read_module_config(kudzu_t)
 modutils_rename_module_config(kudzu_t)
 +modutils_unlink_module_config(kudzu_t)
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape(kudzu_t)
@@ -103,6 +104,8 @@
 init_use_fds(kudzu_t)
 init_use_script_ptys(kudzu_t)
 init_stream_connect_script(kudzu_t)
@ -1491,7 +1499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
 # kudzu will telinit to make init re-read
 # the inittab after configuring serial consoles
 init_telinit(kudzu_t)
-@@ -134,20 +136,15 @@
+@@ -134,20 +137,15 @@
 ')
 optional_policy(`
@ -3417,8 +3425,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/etc/apcupsd/onbattery  --    gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in	2007-10-17 16:11:40.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in	2007-10-19 14:41:51.000000000 -0400
-@@ -1449,6 +1449,43 @@
+@@ -903,9 +903,11 @@
 interface(`corenet_udp_bind_generic_port',`
 	gen_require(`
 		type port_t;
 +		attribute port_type;
 	')
 	allow $1 port_t:udp_socket name_bind;
 +	dontaudit $1 { port_type -port_t }:udp_socket name_bind;
 ')
 ########################################
@@ -1449,6 +1451,43 @@
 ########################################
 ## <summary>
@ -3721,7 +3741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-10-18 16:47:15.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-10-19 15:31:15.000000000 -0400
@@ -343,8 +343,7 @@
 ########################################
@ -3851,7 +3871,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	List the contents of the root directory.
 ## </summary>
 ## <param name="domain">
-@@ -2023,6 +2021,31 @@
+@@ -1192,6 +1190,25 @@
 ########################################
 ## <summary>
 +##	Do not audit attempts to write
 +##	files in the root directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_dontaudit_write_root_dir',`
 +	gen_require(`
 +		type root_t;
 +	')
 +
 +	dontaudit $1 root_t:dir write;
 +')
 +
 +########################################
 +## <summary>
 ##	Do not audit attempts to read or write
 ##	character device nodes in the root directory.
 ## </summary>
@@ -2023,6 +2040,31 @@
 ########################################
 ## <summary>
@ -3883,7 +3929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
 ## </summary>
-@@ -3107,6 +3130,24 @@
+@@ -3107,6 +3149,24 @@
 ########################################
 ## <summary>
@ -3908,7 +3954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
-@@ -3198,6 +3239,44 @@
+@@ -3198,6 +3258,44 @@
 ########################################
 ## <summary>
@ -3953,7 +3999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	Read all tmp files.
 ## </summary>
 ## <param name="domain">
-@@ -3323,6 +3402,42 @@
+@@ -3323,6 +3421,42 @@
 ########################################
 ## <summary>
@ -3996,7 +4042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	Get the attributes of files in /usr.
 ## </summary>
 ## <param name="domain">
-@@ -3381,7 +3496,7 @@
+@@ -3381,7 +3515,7 @@
 ########################################
 ## <summary>
@ -4005,7 +4051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3389,17 +3504,17 @@
+@@ -3389,17 +3523,17 @@
 ##	</summary>
 ## </param>
 #
@ -4026,7 +4072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3407,12 +3522,12 @@
+@@ -3407,12 +3541,12 @@
 ##	</summary>
 ## </param>
 #
@ -4041,7 +4087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 ########################################
-@@ -4043,7 +4158,7 @@
+@@ -4043,7 +4177,7 @@
 		type var_t, var_lock_t;
 	')
@ -4050,7 +4096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 ########################################
-@@ -4560,6 +4675,8 @@
+@@ -4560,6 +4694,8 @@
 	# Need to give access to /selinux/member
 	selinux_compute_member($1)
@ -4059,7 +4105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 	# Need sys_admin capability for mounting
 	allow $1 self:capability { chown fsetid sys_admin };
-@@ -4582,6 +4699,11 @@
+@@ -4582,6 +4718,11 @@
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
@ -4071,7 +4117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 ########################################
-@@ -4619,3 +4741,28 @@
+@@ -4619,3 +4760,28 @@
 	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
 ')
@ -4618,7 +4664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.8/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/amavis.te	2007-10-17 10:28:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/amavis.te	2007-10-19 14:39:41.000000000 -0400
@@ -65,6 +65,7 @@
 # Spool Files
 manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
@ -4627,6 +4673,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
 manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
 filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file)
 files_search_spool(amavis_t)
@@ -116,6 +117,7 @@
 # bind to incoming port
 corenet_tcp_bind_amavisd_recv_port(amavis_t)
 corenet_udp_bind_generic_port(amavis_t)
 +corenet_dontaudit_udp_bind_all_ports(amavis_t)
 corenet_tcp_connect_razor_port(amavis_t)
 dev_read_rand(amavis_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/apache.fc	2007-10-03 11:10:24.000000000 -0400
@ -5613,6 +5667,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
 optional_policy(`
 	hostname_exec(apcupsd_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.0.8/policy/modules/services/asterisk.te
 --- nsaserefpolicy/policy/modules/services/asterisk.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/asterisk.te	2007-10-19 14:32:49.000000000 -0400
@@ -98,6 +98,7 @@
 # for VOIP voice channels.
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
 +corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 dev_read_sysfs(asterisk_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.0.8/policy/modules/services/audioentropy.te
 --- nsaserefpolicy/policy/modules/services/audioentropy.te	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/audioentropy.te	2007-10-03 11:10:24.000000000 -0400
@ -5866,7 +5931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te	2007-10-10 11:33:13.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te	2007-10-19 15:47:32.000000000 -0400
@@ -10,7 +10,6 @@
 type consolekit_exec_t;
 init_daemon_domain(consolekit_t, consolekit_exec_t)
@ -7648,8 +7713,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.fc	2007-10-05 15:23:01.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.fc	2007-10-19 15:05:59.000000000 -0400
-@@ -13,9 +13,12 @@
+@@ -8,14 +8,18 @@
 /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
 /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
 /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 +/usr/libexec/hald-addon-macbook-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
 /var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
@ -7664,7 +7735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-08 11:29:21.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-19 15:06:33.000000000 -0400
@@ -49,6 +49,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -7709,7 +7780,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 allow hald_acl_t self:fifo_file read_fifo_file_perms;
 domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -344,6 +351,8 @@
+@@ -341,9 +348,12 @@
 files_search_var_lib(hald_mac_t)
 dev_write_raw_memory(hald_mac_t)
 +dev_read_sysfs(hald_t)
 files_read_usr_files(hald_mac_t)
@ -9088,6 +9163,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
 	rpm_exec(pegasus_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.0.8/policy/modules/services/portmap.te
 --- nsaserefpolicy/policy/modules/services/portmap.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/portmap.te	2007-10-19 14:35:04.000000000 -0400
@@ -63,6 +63,7 @@
 # portmap binds to arbitary ports
 corenet_tcp_bind_generic_port(portmap_t)
 corenet_udp_bind_generic_port(portmap_t)
 +corenet_dontaudit_udp_bind_all_ports(portmap_t)
 corenet_tcp_bind_reserved_port(portmap_t)
 corenet_udp_bind_reserved_port(portmap_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.0.8/policy/modules/services/portslave.te
 --- nsaserefpolicy/policy/modules/services/portslave.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/portslave.te	2007-10-03 11:10:24.000000000 -0400
@ -9690,7 +9776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
 +/var/lib/radiousd(/.*)?		gen_context(system_u:object_r:radiusd_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.8/policy/modules/services/radius.te
 --- nsaserefpolicy/policy/modules/services/radius.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/radius.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/radius.te	2007-10-19 14:35:18.000000000 -0400
@@ -19,6 +19,9 @@
 type radiusd_log_t;
 logging_log_file(radiusd_log_t)
@ -9710,7 +9796,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
 manage_files_pattern(radiusd_t,radiusd_var_run_t,radiusd_var_run_t)
 files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
-@@ -82,6 +87,7 @@
+@@ -73,6 +78,7 @@
 corenet_sendrecv_radacct_server_packets(radiusd_t)
 # for RADIUS proxy port
 corenet_udp_bind_generic_port(radiusd_t)
 +corenet_dontaudit_udp_bind_all_ports(radiusd_t)
 corenet_sendrecv_generic_server_packets(radiusd_t)
 dev_read_sysfs(radiusd_t)
@@ -82,6 +88,7 @@
 auth_read_shadow(radiusd_t)
 auth_domtrans_chk_passwd(radiusd_t)
@ -9755,7 +9849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
 # Only permit unprivileged user domains to be entered via rlogin,
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.8/policy/modules/services/rhgb.te
 --- nsaserefpolicy/policy/modules/services/rhgb.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rhgb.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rhgb.te	2007-10-19 15:31:30.000000000 -0400
@@ -59,6 +59,7 @@
 corenet_sendrecv_all_client_packets(rhgb_t)
@ -9764,7 +9858,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb
 domain_use_interactive_fds(rhgb_t)
-@@ -109,6 +110,7 @@
+@@ -68,6 +69,7 @@
 files_search_tmp(rhgb_t)
 files_read_usr_files(rhgb_t)
 files_mounton_mnt(rhgb_t)
 +files_dontaudit_write_root_dir(rhgb_t)
 files_dontaudit_read_default_files(rhgb_t)
 files_dontaudit_search_pids(rhgb_t)
 # for nscd
@@ -100,6 +102,7 @@
 miscfiles_read_localization(rhgb_t)
 miscfiles_read_fonts(rhgb_t)
 +miscfiles_dontaudit_write_fonts(rhgb_t)
 seutil_search_default_contexts(rhgb_t)
 seutil_read_config(rhgb_t)
@@ -109,6 +112,7 @@
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
 userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
@ -9772,7 +9882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb
 xserver_read_xdm_xserver_tmp_files(rhgb_t)
 xserver_kill_xdm_xserver(rhgb_t)
-@@ -117,6 +119,7 @@
+@@ -117,6 +121,7 @@
 xserver_domtrans_xdm_xserver(rhgb_t)
 xserver_signal_xdm_xserver(rhgb_t)
 xserver_read_xdm_tmp_files(rhgb_t)
@ -11476,6 +11586,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
 	gen_require(`
 		type ucspitcp_t;
 		role system_r;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.0.8/policy/modules/services/ucspitcp.te
 --- nsaserefpolicy/policy/modules/services/ucspitcp.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.te	2007-10-19 14:36:02.000000000 -0400
@@ -35,6 +35,7 @@
 corenet_udp_sendrecv_all_ports(rblsmtpd_t)
 corenet_tcp_bind_all_nodes(rblsmtpd_t)
 corenet_udp_bind_generic_port(rblsmtpd_t)
 +corenet_dontaudit_udp_bind_all_ports(rblsmtpd_t)
 files_read_etc_files(rblsmtpd_t)
 files_search_var(rblsmtpd_t)
@@ -78,6 +79,7 @@
 corenet_tcp_bind_dns_port(ucspitcp_t)
 corenet_udp_bind_dns_port(ucspitcp_t)
 corenet_udp_bind_generic_port(ucspitcp_t)
 +corenet_dontaudit_udp_bind_all_ports(ucspitcp_t)
 # server packets:
 corenet_sendrecv_ftp_server_packets(ucspitcp_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
 --- nsaserefpolicy/policy/modules/services/uwimap.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/uwimap.te	2007-10-03 11:10:25.000000000 -0400
@ -11578,7 +11707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-10-10 16:06:34.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-10-19 16:57:07.000000000 -0400
@@ -126,6 +126,8 @@
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
@ -11688,9 +11817,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
 +	userdom_manage_user_tmp_dirs($1, xdm_t)
 +	userdom_manage_user_tmp_files($1, xdm_t)
 +
 +	# Handling of pam_keyring
 +	gnome_manage_user_gnome_config($1, xdm_t)
 	xserver_ro_session_template(xdm,$2,$3)
 -	xserver_rw_session_template($1,$2,$3)
@ -11704,6 +11830,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
 +	xserver_xdm_stream_connect($2)
 +
 +	# Handling of pam_keyring
 +	gnome_manage_user_gnome_config($1, xdm_t)
 +
 +	optional_policy(`
 +		userdom_read_all_users_home_content_files(xdm_t)
 +		userdom_read_all_users_home_content_files(xdm_xserver_t)
@ -11951,7 +12080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-10-15 13:34:37.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-10-19 14:06:25.000000000 -0400
@@ -16,6 +16,13 @@
 ## <desc>
@ -12094,7 +12223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
-@@ -434,47 +464,25 @@
+@@ -434,47 +464,26 @@
 ')
 optional_policy(`
@ -12111,6 +12240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	unconfined_rw_shm(xdm_xserver_t)
 +	unconfined_execmem_rw_shm(xdm_xserver_t)
 +	unconfined_rw_tmpfs_files(xdm_xserver_t)
 +	unconfined_manage_tmp_files(xdm_xserver_t)
 -	ifdef(`distro_rhel4',`
 -		allow xdm_xserver_t self:process { execheap execmem };
@ -12884,6 +13014,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
 +optional_policy(`
 +	unconfined_dontaudit_rw_pipes(hostname_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.0.8/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/hotplug.te	2007-10-19 16:02:32.000000000 -0400
@@ -179,6 +179,7 @@
 	sysnet_read_dhcpc_pid(hotplug_t)
 	sysnet_rw_dhcp_config(hotplug_t)
 	sysnet_domtrans_ifconfig(hotplug_t)
 +	sysnet_signal_ifconfig(hotplug_t)
 ')
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-08-22 07:14:12.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-10-10 15:15:51.000000000 -0400
@ -14344,8 +14485,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.0.8/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if	2007-10-19 15:29:31.000000000 -0400
-@@ -253,6 +253,8 @@
+@@ -57,6 +57,26 @@
 ## </param>
 ## <rolecap/>
 #
 +interface(`miscfiles_dontaudit_write_fonts',`
 +	gen_require(`
 +		type fonts_t;
 +	')
 +
 +	dontaudit $1 fonts_t:dir write;
 +	dontaudit $1 fonts_t:file write;
 +')
 +
 +########################################
 +## <summary>
 +##	Create, read, write, and delete fonts.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 interface(`miscfiles_manage_fonts',`
 	gen_require(`
 		type fonts_t;
@@ -253,6 +273,8 @@
 	files_search_usr($1)
 	allow $1 man_t:dir setattr;
@ -14354,6 +14522,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 	delete_dirs_pattern($1,man_t,man_t)
 	delete_files_pattern($1,man_t,man_t)
 	delete_lnk_files_pattern($1,man_t,man_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.0.8/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if	2007-05-29 14:10:58.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/modutils.if	2007-10-19 15:10:57.000000000 -0400
@@ -66,6 +66,25 @@
 ########################################
 ## <summary>
 +##	Unlink a file with the configuration options used when
 +##	loading modules.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`modutils_unlink_module_config',`
 +	gen_require(`
 +		type modules_conf_t;
 +	')
 +
 +	allow $1 modules_conf_t:file unlink;
 +')
 +
 +########################################
 +## <summary>
 ##	Unconditionally execute insmod in the insmod domain.
 ## </summary>
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-08-22 07:14:12.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2007-10-03 11:10:25.000000000 -0400
@ -14465,7 +14662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/mount.te	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/mount.te	2007-10-19 14:40:29.000000000 -0400
@@ -8,6 +8,13 @@
 ## <desc>
@ -15220,8 +15417,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if	2007-10-19 16:03:30.000000000 -0400
-@@ -522,6 +522,8 @@
+@@ -145,6 +145,25 @@
 ########################################
 ## <summary>
 +##	Send a generic signal to the ifconfig client.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	The domain sending the signal.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`sysnet_signal_ifconfig',`
 +	gen_require(`
 +		type ifconfig_t;
 +	')
 +
 +	allow $1 ifconfig_t:process signal;
 +')
 +
 +########################################
 +## <summary>
 ##	Send and receive messages from
 ##	dhcpc over dbus.
 ## </summary>
@@ -522,6 +541,8 @@
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
@ -15230,7 +15453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ')
 ########################################
-@@ -556,3 +558,23 @@
+@@ -556,3 +577,23 @@
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
 ')
@ -15256,7 +15479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2007-10-19 15:08:29.000000000 -0400
@@ -45,7 +45,7 @@
 dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
@ -15320,7 +15543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 # Create UDP sockets, necessary when called from dhcpc
 allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -280,6 +286,8 @@
+@@ -280,8 +286,11 @@
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
@ -15328,8 +15551,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +
 term_dontaudit_use_all_user_ttys(ifconfig_t)
 term_dontaudit_use_all_user_ptys(ifconfig_t)
 +term_dontaudit_use_ptmx(ifconfig_t)
-@@ -332,3 +340,7 @@
+ domain_use_interactive_fds(ifconfig_t)
@@ -332,3 +341,7 @@
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
@ -15383,7 +15609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-10-15 13:33:52.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-10-19 14:06:05.000000000 -0400
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -15684,12 +15910,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-19 10:29:16.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-19 17:16:21.000000000 -0400
-@@ -5,36 +5,48 @@
+@@ -5,36 +5,51 @@
 #
 # Declarations
 #
-+attribute unconfined_terminal; 
+type unconfined_gnome_home_t;
 +files_type(unconfined_gnome_home_t)
 -# usage in this module of types created by these
 -# calls is not correct, however we dont currently
@ -15698,8 +15925,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -userdom_manage_home_template(unconfined)
 -userdom_manage_tmp_template(unconfined)
 -userdom_manage_tmpfs_template(unconfined)
-+userdom_unpriv_login_user(unconfined)
+attribute unconfined_terminal; 
-+userdom_common_user_template(unconfined)
+
 +userdom_unpriv_user_template(unconfined)
 +userdom_xwindows_client_template(unconfined)
 +
 +unconfined_terminal_type(unconfined_devpts_t)
 +unconfined_terminal_type(unconfined_tty_device_t)
@ -15741,7 +15970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +54,29 @@
+@@ -42,37 +57,29 @@
 logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -15786,7 +16015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -107,6 +111,10 @@
+@@ -107,6 +114,10 @@
 	optional_policy(`
 		oddjob_dbus_chat(unconfined_t)
 	')
@ -15797,34 +16026,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -118,11 +126,11 @@
+@@ -114,15 +125,15 @@
 ')
 optional_policy(`
-	inn_domtrans(unconfined_t)
+-	ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	iptables_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	java_domtrans(unconfined_t)
 +	java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
-@@ -134,11 +142,7 @@
+-	inn_domtrans(unconfined_t)
 +	ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	java_domtrans(unconfined_t)
 +	iptables_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
@@ -130,15 +141,10 @@
 ')
 optional_policy(`
 -	modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 -
 optional_policy(`
 -	mono_domtrans(unconfined_t)
 -')
 -
 -optional_policy(`
 -	mta_per_role_template(unconfined,unconfined_t,unconfined_r)
-+	mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
-@@ -155,32 +159,23 @@
+@@ -155,32 +161,23 @@
 optional_policy(`
 	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -15861,16 +16100,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -205,11 +200,22 @@
+@@ -205,11 +202,22 @@
 ')
 optional_policy(`
 -	wine_domtrans(unconfined_t)
 +	wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	xserver_domtrans_xdm_xserver(unconfined_t)
 +	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	unconfined_domain(unconfined_mozilla_t)
 +	allow unconfined_mozilla_t self:process { execstack execmem };
@ -15878,15 +16116,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 +optional_policy(`
 +	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	xserver_domtrans_xdm_xserver(unconfined_t)
 +	xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	xserver_xdm_rw_shm(unconfined_t)
 ')
 ########################################
-@@ -225,8 +231,21 @@
+@@ -225,8 +233,21 @@
 	init_dbus_chat_script(unconfined_execmem_t)
 	unconfined_dbus_chat(unconfined_execmem_t)
@ -15919,7 +16158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-18 16:49:15.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-19 16:52:39.000000000 -0400
@@ -29,8 +29,9 @@
 	')
@ -17336,7 +17575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te	2007-10-18 16:49:05.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te	2007-10-19 16:18:21.000000000 -0400
@@ -24,13 +24,6 @@
 ## <desc>
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -373,6 +373,11 @@ exit 0
 %endif
 %changelog
 * Fri Oct 17 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-28
 - Fixes for hald_mac 
 - Treat unconfined_home_dir_t as a home dir
 - dontaudit rhgb writes to fonts and root
 * Fri Oct 17 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-27
 - Fix dnsmasq
 - Allow rshd full login privs