- Allow rpm_script to transition to unconfined_execmem_t

2007-12-04 00:15:27 +00:00 · 2007-12-04 00:15:27 +00:00 · 320f3e6459
commit 320f3e6459
parent ed06ab0116
2 changed files with 227 additions and 181 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -1209,7 +1209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.1/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/rpm.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/admin/rpm.te	2007-12-03 13:19:43.000000000 -0500
@@ -139,6 +139,7 @@
 auth_relabel_all_files_except_shadow(rpm_t)
 auth_manage_all_files_except_shadow(rpm_t)
@ -1248,6 +1248,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 ')
 ifdef(`TODO',`
@@ -221,7 +229,7 @@
 #
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
 -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_fifo_file_perms;
 allow rpm_script_t self:unix_dgram_socket create_socket_perms;
@@ -289,6 +297,7 @@
 auth_dontaudit_getattr_shadow(rpm_script_t)
 # ideally we would not need this
@ -1275,6 +1284,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 	tzdata_domtrans(rpm_t)
 	tzdata_domtrans(rpm_script_t)
 ')
@@ -350,6 +356,7 @@
 optional_policy(`
 	unconfined_domain(rpm_script_t)
 	unconfined_domtrans(rpm_script_t)
 +	unconfined_execmem_domtrans(rpm_script_t)
 	optional_policy(`
 		java_domtrans(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.1/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2007-07-23 10:20:14.000000000 -0400
 +++ serefpolicy-3.2.1/policy/modules/admin/sudo.if	2007-11-30 11:23:56.000000000 -0500
@ -3436,8 +3453,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.1/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/vmware.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/apps/vmware.te	2007-12-02 21:31:37.000000000 -0500
-@@ -22,6 +22,9 @@
+@@ -22,17 +22,21 @@
 type vmware_var_run_t;
 files_pid_file(vmware_var_run_t)
@ -3447,25 +3464,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
 ########################################
 #
 # VMWare host local policy
-@@ -29,7 +32,7 @@
+ #
- allow vmware_host_t self:capability { setuid net_raw };
+-allow vmware_host_t self:capability { setuid net_raw };
 +allow vmware_host_t self:capability { setgid setuid net_raw };
 dontaudit vmware_host_t self:capability sys_tty_config;
 -allow vmware_host_t self:process signal_perms;
 +allow vmware_host_t self:process { execstack execmem signal_perms };
 allow vmware_host_t self:fifo_file rw_fifo_file_perms;
 allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
-@@ -41,6 +44,9 @@
+allow vmware_host_t self:tcp_socket create_socket_perms;
 # cjp: the ro and rw files should be split up
 manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
@@ -41,6 +45,11 @@
 manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
 files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
 +manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)	
 +logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })
 +
 +files_search_home(vmware_host_t)
 +
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)
@@ -63,6 +72,7 @@
 corenet_sendrecv_all_server_packets(vmware_host_t)
 dev_read_sysfs(vmware_host_t)
 +dev_read_urand(vmware_host_t)
 dev_rw_vmware(vmware_host_t)
 domain_use_interactive_fds(vmware_host_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.1/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2007-09-12 10:34:17.000000000 -0400
 +++ serefpolicy-3.2.1/policy/modules/apps/wine.if	2007-11-30 11:23:56.000000000 -0500
@ -5844,7 +5876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/cups.te	2007-12-02 18:58:51.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/cups.te	2007-12-02 19:07:25.000000000 -0500
@@ -1,5 +1,5 @@
 -policy_module(cups,1.8.2)
@ -5925,17 +5957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 allow cupsd_t hplip_var_run_t:file { read getattr };
 stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
-@@ -133,8 +139,7 @@
+@@ -150,31 +156,39 @@
 kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
 -corenet_all_recvfrom_unlabeled(cupsd_t)
 -corenet_all_recvfrom_netlabel(cupsd_t)
 +corenet_non_ipsec_sendrecv(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
 corenet_udp_sendrecv_all_if(cupsd_t)
 corenet_raw_sendrecv_all_if(cupsd_t)
@@ -150,31 +155,39 @@
 corenet_tcp_bind_reserved_port(cupsd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
@ -5978,7 +6000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
 corecmd_exec_shell(cupsd_t)
-@@ -187,7 +200,7 @@
+@@ -187,7 +201,7 @@
 # read python modules
 files_read_usr_files(cupsd_t)
 # for /var/lib/defoma
@ -5987,7 +6009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
-@@ -196,15 +209,14 @@
+@@ -196,15 +210,14 @@
 files_read_var_symlinks(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
@ -6006,7 +6028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 libs_use_ld_so(cupsd_t)
 libs_use_shared_libs(cupsd_t)
 # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-@@ -221,14 +233,37 @@
+@@ -221,14 +234,37 @@
 sysnet_read_config(cupsd_t)
@ -6044,7 +6066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 optional_policy(`
-@@ -241,6 +276,7 @@
+@@ -241,6 +277,7 @@
 optional_policy(`
 	dbus_system_bus_client_template(cupsd,cupsd_t)
@ -6052,7 +6074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	userdom_dbus_send_all_users(cupsd_t)
-@@ -262,7 +298,7 @@
+@@ -262,7 +299,7 @@
 ')
 optional_policy(`
@ -6061,17 +6083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 optional_policy(`
-@@ -319,8 +355,7 @@
+@@ -330,11 +367,13 @@
 kernel_read_system_state(cupsd_config_t)
 kernel_read_kernel_sysctls(cupsd_config_t)
 -corenet_all_recvfrom_unlabeled(cupsd_config_t)
 -corenet_all_recvfrom_netlabel(cupsd_config_t)
 +corenet_non_ipsec_sendrecv(cupsd_config_t)
 corenet_tcp_sendrecv_all_if(cupsd_config_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
 corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@@ -330,11 +365,13 @@
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
 dev_read_rand(cupsd_config_t)
@ -6085,7 +6097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 corecmd_exec_shell(cupsd_config_t)
 domain_use_interactive_fds(cupsd_config_t)
-@@ -376,12 +413,17 @@
+@@ -376,12 +415,17 @@
 ')
 optional_policy(`
@ -6103,7 +6115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	optional_policy(`
 		hal_dbus_chat(cupsd_config_t)
-@@ -391,6 +433,7 @@
+@@ -391,6 +435,7 @@
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
@ -6111,17 +6123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 optional_policy(`
-@@ -461,8 +504,7 @@
+@@ -480,6 +525,8 @@
 kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)
 -corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
 -corenet_all_recvfrom_netlabel(cupsd_lpd_t)
 +corenet_non_ipsec_sendrecv(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
 corenet_udp_sendrecv_all_if(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
@@ -480,6 +522,8 @@
 files_read_etc_files(cupsd_lpd_t)
@ -6130,7 +6132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 libs_use_ld_so(cupsd_lpd_t)
 libs_use_shared_libs(cupsd_lpd_t)
-@@ -487,22 +531,12 @@
+@@ -487,22 +534,12 @@
 miscfiles_read_localization(cupsd_lpd_t)
@ -6153,7 +6155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ########################################
 #
 # HPLIP local policy
-@@ -520,14 +554,12 @@
+@@ -520,14 +557,12 @@
 allow hplip_t self:udp_socket create_socket_perms;
 allow hplip_t self:rawip_socket create_socket_perms;
@ -6172,17 +6174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
 files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -535,8 +567,7 @@
+@@ -558,13 +593,15 @@
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 -corenet_all_recvfrom_unlabeled(hplip_t)
 -corenet_all_recvfrom_netlabel(hplip_t)
 +corenet_non_ipsec_sendrecv(hplip_t)
 corenet_tcp_sendrecv_all_if(hplip_t)
 corenet_udp_sendrecv_all_if(hplip_t)
 corenet_raw_sendrecv_all_if(hplip_t)
@@ -558,13 +589,15 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
@ -6199,7 +6191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 domain_use_interactive_fds(hplip_t)
-@@ -586,6 +619,7 @@
+@@ -586,6 +623,7 @@
 userdom_dontaudit_search_all_users_home_content(hplip_t)
 lpd_read_config(cupsd_t)
@ -6207,16 +6199,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 optional_policy(`
 	seutil_sigchld_newrole(hplip_t)
@@ -627,8 +661,7 @@
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
 -corenet_all_recvfrom_unlabeled(ptal_t)
 -corenet_all_recvfrom_netlabel(ptal_t)
 +corenet_non_ipsec_sendrecv(ptal_t)
 corenet_tcp_sendrecv_all_if(ptal_t)
 corenet_tcp_sendrecv_all_nodes(ptal_t)
 corenet_tcp_sendrecv_all_ports(ptal_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.1/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-11-15 13:40:14.000000000 -0500
 +++ serefpolicy-3.2.1/policy/modules/services/cvs.te	2007-11-30 11:23:56.000000000 -0500
@ -7993,7 +7975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +/var/log/wpa_supplicant\.log	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.1/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/networkmanager.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/networkmanager.te	2007-12-02 21:09:24.000000000 -0500
@@ -13,6 +13,9 @@
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
@ -8009,7 +7991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161) 
 -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
@ -11746,7 +11728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/xserver.te	2007-12-01 06:51:49.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/xserver.te	2007-12-03 19:02:05.000000000 -0500
@@ -16,6 +16,13 @@
 ## <desc>
@ -11824,13 +11806,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
-@@ -132,15 +166,21 @@
+@@ -132,15 +166,22 @@
 manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 +fs_rw_tmpfs_files(xdm_xserver_t)
 +fs_getattr_all_fs(xdm_t)
 +fs_search_inotifyfs(xdm_t)
 +fs_list_all(xdm_t)
 manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)	
 manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
@ -11847,7 +11830,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -185,6 +225,7 @@
+@@ -154,6 +195,7 @@
 allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
 +read_files_pattern(xdm_t, xdm_xserver_t, xdm_xserver_t)
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
@@ -185,6 +227,7 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
@ -11855,7 +11846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
-@@ -197,6 +238,7 @@
+@@ -197,6 +240,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
@ -11863,7 +11854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
-@@ -209,8 +251,8 @@
+@@ -209,8 +253,8 @@
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
@ -11874,7 +11865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 dev_getattr_power_mgmt_dev(xdm_t)
 dev_setattr_power_mgmt_dev(xdm_t)
-@@ -246,6 +288,7 @@
+@@ -246,6 +290,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -11882,7 +11873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
-@@ -257,12 +300,11 @@
+@@ -257,12 +302,11 @@
 libs_exec_lib_files(xdm_t)
 logging_read_generic_logs(xdm_t)
@ -11896,7 +11887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -271,6 +313,10 @@
+@@ -271,6 +315,10 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -11907,7 +11898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -306,6 +352,11 @@
+@@ -306,6 +354,11 @@
 optional_policy(`
 	consolekit_dbus_chat(xdm_t)
@ -11919,7 +11910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 optional_policy(`
-@@ -323,6 +374,10 @@
+@@ -323,6 +376,10 @@
 ')
 optional_policy(`
@ -11930,7 +11921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	loadkeys_exec(xdm_t)
 ')
-@@ -336,10 +391,6 @@
+@@ -336,10 +393,6 @@
 ')
 optional_policy(`
@ -11941,7 +11932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -348,8 +399,8 @@
+@@ -348,8 +401,8 @@
 ')
 optional_policy(`
@ -11951,7 +11942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -385,7 +436,7 @@
+@@ -385,7 +438,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -11960,7 +11951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -397,6 +448,15 @@
+@@ -397,6 +450,15 @@
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 files_search_var_lib(xdm_xserver_t)
@ -11976,7 +11967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -409,6 +469,7 @@
+@@ -409,6 +471,7 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -11984,7 +11975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 xserver_use_all_users_fonts(xdm_xserver_t)
-@@ -425,6 +486,14 @@
+@@ -425,6 +488,14 @@
 ')
 optional_policy(`
@ -11999,7 +11990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
-@@ -434,47 +503,30 @@
+@@ -434,47 +505,30 @@
 ')
 optional_policy(`
@ -12261,7 +12252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/authlogin.te	2007-11-30 11:33:09.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/system/authlogin.te	2007-12-03 18:47:11.000000000 -0500
@@ -59,6 +59,9 @@
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
@ -12282,15 +12273,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ########################################
 #
 # PAM local policy
-@@ -121,6 +127,7 @@
+@@ -121,19 +127,14 @@
 logging_send_syslog_msg(pam_t)
 userdom_use_unpriv_users_fds(pam_t)
 +userdom_write_unpriv_users_tmp_files(pam_t)
 +userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
 +userdom_unlink_unpriv_users_tmp_files(pam_t)
 optional_policy(`
 	locallogin_use_fds(pam_t)
-@@ -287,8 +294,10 @@
+ ')
 -optional_policy(`
 -	nis_use_ypbind(pam_t)
 -')
 -
 -optional_policy(`
 -	nscd_socket_use(pam_t)
 -')
 -
 ########################################
 #
 # PAM console local policy
@@ -287,8 +288,10 @@
 files_manage_etc_files(updpwd_t)
 term_dontaudit_use_console(updpwd_t)
@ -12302,7 +12308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 auth_manage_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)
-@@ -337,11 +346,6 @@
+@@ -337,11 +340,6 @@
 ')
 optional_policy(`
@ -14493,16 +14499,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.1/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.fc	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/system/unconfined.fc	2007-12-03 13:36:12.000000000 -0500
-@@ -10,3 +10,5 @@
+@@ -10,3 +10,6 @@
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/mock			    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.1/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.if	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/system/unconfined.if	2007-12-03 13:19:33.000000000 -0500
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -14537,19 +14544,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	kernel_unconfined($1)
 	corenet_unconfined($1)
-@@ -589,7 +589,101 @@
+@@ -589,7 +589,7 @@
 ########################################
 ## <summary>
 -##	Read files in unconfined users home directories.
 +##	Allow ptrace of unconfined domain
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
-+##	Domain allowed access.
+@@ -597,20 +597,53 @@
-+##	</summary>
+ ##	</summary>
-+## </param>
+ ## </param>
-+#
+ #
 -interface(`unconfined_read_home_content_files',`
 +interface(`unconfined_ptrace',`
 +	gen_require(`
 +		type unconfined_t;
@ -14569,15 +14577,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +## </param>
 +#
 +interface(`unconfined_rw_shm',`
-+	gen_require(`
+ 	gen_require(`
 -		type unconfined_home_dir_t, unconfined_home_t;
 +		type unconfined_t;
-+	')
+ 	')
-+
+ 
 -	files_search_home($1)
 -	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
 -	read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
 -	read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
 +	allow $1 unconfined_t:shm rw_shm_perms;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 -##	Read unconfined users temporary files.
 +##	Read and write to unconfined execmem shared memory.
 +## </summary>
 +## <param name="domain">
@ -14596,10 +14610,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 +########################################
 +## <summary>
 +##	Transition to the unconfined_execmem domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -618,31 +651,132 @@
 ##	</summary>
 ## </param>
 #
 -interface(`unconfined_read_tmp_files',`
 +interface(`unconfined_execmem_domtrans',`
 +
 	gen_require(`
 -		type unconfined_tmp_t;
 +		type unconfined_execmem_t, unconfined_execmem_exec_t;
 	')
 -	files_search_tmp($1)
 -	allow $1 unconfined_tmp_t:dir list_dir_perms;
 -	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
 -	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
 +	domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t)
 ')
 ########################################
 ## <summary>
 -##	Write unconfined users temporary files.
 +##	allow attempts to use unconfined ttys and ptys.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##	<summary>
+ ##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
@ -14637,65 +14677,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +########################################
 +## <summary>
 +##	Allow apps to set rlimits on userdomain
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -597,20 +691,18 @@
+##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`unconfined_read_home_content_files',`
 +interface(`unconfined_set_rlimitnh',`
- 	gen_require(`
+	gen_require(`
 -		type unconfined_home_dir_t, unconfined_home_t;
 +		type unconfined_t;
- 	')
+	')
- 
+
 -	files_search_home($1)
 -	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
 -	read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
 -	read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
 +	allow $1 unconfined_t:process rlimitinh;
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Read unconfined users temporary files.
 +##	Allow the specified domain to read/write to
 +##	unconfined with a unix domain stream sockets.
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -618,31 +710,54 @@
+##	Domain allowed access.
- ##	</summary>
+##	</summary>
- ## </param>
+## </param>
- #
+#
 -interface(`unconfined_read_tmp_files',`
 +interface(`unconfined_rw_stream_sockets',`
- 	gen_require(`
+	gen_require(`
 -		type unconfined_tmp_t;
 +		type unconfined_t;
- 	')
+	')
- 
+
 -	files_search_tmp($1)
 -	allow $1 unconfined_tmp_t:dir list_dir_perms;
 -	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
 -	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
 +	allow $1 unconfined_t:unix_stream_socket { read write };
- ')
+')
- 
+
- ########################################
+########################################
- ## <summary>
+## <summary>
 -##	Write unconfined users temporary files.
 +##	Read/write unconfined tmpfs files.
- ## </summary>
+## </summary>
 +## <desc>
 +##	<p>
 +##	Read/write unconfined tmpfs files.
 +##	</p>
 +## </desc>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -14733,8 +14759,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/system/unconfined.te	2007-12-03 13:35:11.000000000 -0500
-@@ -9,13 +9,15 @@
+@@ -9,32 +9,46 @@
 # usage in this module of types created by these
 # calls is not correct, however we dont currently
 # have another method to add access to these types
@ -14754,7 +14780,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 type unconfined_execmem_t;
 type unconfined_execmem_exec_t;
-@@ -27,14 +29,21 @@
+ init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 +type unconfined_notrans_t;
 +type unconfined_notrans_exec_t;
 +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
 +role unconfined_r types unconfined_notrans_t;
 +
 ########################################
 #
 # Local policy
 #
@ -14776,7 +14811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,7 +51,10 @@
+@@ -42,7 +56,10 @@
 logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@ -14787,7 +14822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -51,13 +63,13 @@
+@@ -51,13 +68,13 @@
 userdom_priveleged_home_dir_manager(unconfined_t)
 optional_policy(`
@ -14803,7 +14838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	unconfined_domain(httpd_unconfined_script_t)
 ')
-@@ -71,8 +83,8 @@
+@@ -71,8 +88,8 @@
 optional_policy(`
 	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
@ -14814,7 +14849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -107,6 +119,10 @@
+@@ -107,6 +124,10 @@
 	optional_policy(`
 		oddjob_dbus_chat(unconfined_t)
 	')
@ -14825,7 +14860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -118,11 +134,11 @@
+@@ -118,11 +139,11 @@
 ')
 optional_policy(`
@ -14839,7 +14874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -134,11 +150,7 @@
+@@ -134,11 +155,7 @@
 ')
 optional_policy(`
@ -14852,7 +14887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -154,33 +166,20 @@
+@@ -154,33 +171,20 @@
 ')
 optional_policy(`
@ -14890,15 +14925,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -205,11 +204,22 @@
+@@ -205,11 +209,22 @@
 ')
 optional_policy(`
 -	wine_domtrans(unconfined_t)
 +	wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+')
+ ')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	xserver_domtrans_xdm_xserver(unconfined_t)
 +	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	unconfined_domain(unconfined_mozilla_t)
 +	allow unconfined_mozilla_t self:process { execstack execmem };
@ -14906,16 +14942,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 +optional_policy(`
 +	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	xserver_domtrans_xdm_xserver(unconfined_t)
 +	xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	xserver_xdm_rw_shm(unconfined_t)
 ')
 ########################################
-@@ -219,14 +229,26 @@
+@@ -219,14 +234,35 @@
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
@ -14942,6 +14977,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 +	')
 ')
 +
 +########################################
 +#
 +# Unconfined Execmem Local policy
 +#
 +
 +allow unconfined_notrans_t self:process { execstack execmem };
 +unconfined_domain_noaudit(unconfined_notrans_t)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.1/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2007-02-19 11:32:53.000000000 -0500
 +++ serefpolicy-3.2.1/policy/modules/system/userdomain.fc	2007-11-30 11:23:56.000000000 -0500
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -379,7 +379,9 @@ exit 0
 %endif
 %changelog
-* Sun Dec 2 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-2
+* Mon Dec 3 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-3
 - Allow rpm_script to transition to unconfined_execmem_t
 * Fri Nov 30 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-1
 - Remove user based home directory separation