-

2008-02-28 21:51:10 +00:00 · 2008-02-28 21:51:10 +00:00 · 338714fc7f
parent b7229ad8bb
commit 338714fc7f
2 changed files with 141 additions and 92 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -2276,7 +2276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.3.1/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/rpm.te	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/rpm.te	2008-02-28 15:36:54.000000000 -0500
@@ -31,6 +31,9 @@
 files_type(rpm_var_lib_t)
 typealias rpm_var_lib_t alias var_lib_rpm_t;
@ -6744,7 +6744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-02-26 21:27:47.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-02-28 13:12:42.000000000 -0500
@@ -5,6 +5,13 @@
 #
 # Declarations
@ -6784,7 +6784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
-@@ -148,3 +157,27 @@
+@@ -148,3 +157,28 @@
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -6812,6 +6812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +	unconfined_dontaudit_rw_pipes(domain)
 +	unconfined_sigchld(domain)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-02-26 16:54:46.000000000 -0500
@ -8096,7 +8097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-02-27 17:28:38.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-02-28 16:49:32.000000000 -0500
@@ -20,6 +20,8 @@
 # Declarations
 #
@ -8192,12 +8193,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 # httpd_modules_t is the type given to module files (libraries) 
 # that come with Apache /etc/httpd/modules and /usr/lib/apache
 type httpd_modules_t;
-@@ -202,12 +233,15 @@
+@@ -202,12 +233,16 @@
 	prelink_object_file(httpd_modules_t)
 ')
 +apache_content_template(user)
 +userdom_user_home_content(user,httpd_user_content_t)
 +typealias httpd_user_content_t alias httpd_unconfined_content_t;
 +
 ########################################
 #
@ -8209,7 +8211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
-@@ -249,6 +283,7 @@
+@@ -249,6 +284,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
 read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@ -8217,7 +8219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +324,7 @@
+@@ -289,6 +325,7 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@ -8225,7 +8227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -315,9 +351,7 @@
+@@ -315,9 +352,7 @@
 auth_use_nsswitch(httpd_t)
@ -8236,7 +8238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 domain_use_interactive_fds(httpd_t)
-@@ -335,6 +369,10 @@
+@@ -335,6 +370,10 @@
 files_read_var_lib_symlinks(httpd_t)
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -8247,7 +8249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
-@@ -351,25 +389,38 @@
+@@ -351,25 +390,38 @@
 userdom_use_unpriv_users_fds(httpd_t)
@ -8291,7 +8293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_can_network_relay',`
 	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,6 +433,10 @@
+@@ -382,6 +434,10 @@
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
@ -8302,7 +8304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -399,11 +454,21 @@
+@@ -399,11 +455,21 @@
 	fs_read_nfs_symlinks(httpd_t)
 ')
@ -8324,7 +8326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +502,14 @@
+@@ -437,8 +503,14 @@
 ')
 optional_policy(`
@ -8340,7 +8342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -450,19 +521,13 @@
+@@ -450,19 +522,13 @@
 ')
 optional_policy(`
@ -8361,7 +8363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -472,13 +537,14 @@
+@@ -472,13 +538,14 @@
 	openca_kill(httpd_t)
 ')
@ -8380,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -486,6 +552,7 @@
+@@ -486,6 +553,7 @@
 ')
 optional_policy(`
@ -8388,7 +8390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -521,6 +588,19 @@
+@@ -521,6 +589,19 @@
 	userdom_use_sysadm_terms(httpd_helper_t)
 ')
@ -8408,7 +8410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache PHP script local policy
-@@ -550,18 +630,24 @@
+@@ -550,18 +631,24 @@
 fs_search_auto_mountpoints(httpd_php_t)
@ -8436,7 +8438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -585,6 +671,8 @@
+@@ -585,6 +672,8 @@
 manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -8445,7 +8447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +681,7 @@
+@@ -593,9 +682,7 @@
 fs_search_auto_mountpoints(httpd_suexec_t)
@ -8456,7 +8458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +714,7 @@
+@@ -628,6 +715,7 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
@ -8464,7 +8466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 ')
-@@ -638,6 +725,12 @@
+@@ -638,6 +726,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
@ -8477,7 +8479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +748,6 @@
+@@ -655,10 +749,6 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -8488,7 +8490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache system script local policy
-@@ -668,7 +757,8 @@
+@@ -668,7 +758,8 @@
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -8498,7 +8500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +772,44 @@
+@@ -682,15 +773,44 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -8544,7 +8546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +819,15 @@
+@@ -700,9 +820,15 @@
 	clamav_domtrans_clamscan(httpd_sys_script_t)
 ')
@ -8560,7 +8562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -724,3 +849,46 @@
+@@ -724,3 +850,46 @@
 logging_search_logs(httpd_rotatelogs_t)
 miscfiles_read_localization(httpd_rotatelogs_t)
@ -11280,7 +11282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.3.1/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cvs.te	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/cvs.te	2008-02-28 15:30:50.000000000 -0500
@@ -28,6 +28,9 @@
 type cvs_var_run_t;
 files_pid_file(cvs_var_run_t)
@ -13254,7 +13256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te	2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te	2008-02-28 15:39:03.000000000 -0500
@@ -18,6 +18,9 @@
 type fail2ban_var_run_t;
 files_pid_file(fail2ban_var_run_t)
@ -13276,7 +13278,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
 kernel_read_system_state(fail2ban_t)
-@@ -55,6 +59,8 @@
+@@ -47,14 +51,20 @@
 files_read_etc_files(fail2ban_t)
 files_read_usr_files(fail2ban_t)
 +files_list_var(fail2ban_t)
 +files_search_var_lib(fail2ban_t)
 +
 +fs_search_inotifyfs(fail2ban_t)
 libs_use_ld_so(fail2ban_t)
 libs_use_shared_libs(fail2ban_t)
 -logging_read_generic_logs(fail2ban_t)
 +logging_read_all_logs(fail2ban_t)
 miscfiles_read_localization(fail2ban_t)
@ -22702,7 +22717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-02-27 23:02:25.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-02-28 09:30:18.000000000 -0500
@@ -15,6 +15,11 @@
 template(`xserver_common_domain_template',`
 	gen_require(`
@ -23153,7 +23168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-@@ -542,25 +539,360 @@
+@@ -542,25 +539,364 @@
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
@ -23298,6 +23313,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	# everyone can get the input focus of everyone else
 +	# this is a fundamental brokenness in the X protocol
 +	allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab };
 +	tunable_policy(`allow_read_x_device',`
 +		allow $3 { x_domain x_server_domain }:x_device read;
 +	')
 +
 +	# everyone can grab the server
 +	# everyone does it, it is basically a free DOS attack
 +	allow $3 x_server_domain:x_server grab;
@ -23520,7 +23539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	')
 ')
-@@ -593,26 +925,44 @@
+@@ -593,26 +929,44 @@
 #
 template(`xserver_use_user_fonts',`
 	gen_require(`
@ -23572,7 +23591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -638,10 +988,77 @@
+@@ -638,10 +992,77 @@
 #
 template(`xserver_domtrans_user_xauth',`
 	gen_require(`
@ -23652,7 +23671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -671,10 +1088,10 @@
+@@ -671,10 +1092,10 @@
 #
 template(`xserver_user_home_dir_filetrans_user_xauth',`
 	gen_require(`
@ -23665,7 +23684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -760,7 +1177,7 @@
+@@ -760,7 +1181,7 @@
 		type xconsole_device_t;
 	')
@ -23674,7 +23693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -860,6 +1277,25 @@
+@@ -860,6 +1281,25 @@
 ########################################
 ## <summary>
@ -23700,7 +23719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Read xdm-writable configuration files.
 ## </summary>
 ## <param name="domain">
-@@ -914,6 +1350,7 @@
+@@ -914,6 +1354,7 @@
 	files_search_tmp($1)
 	allow $1 xdm_tmp_t:dir list_dir_perms;
 	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -23708,7 +23727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -955,6 +1392,24 @@
+@@ -955,6 +1396,24 @@
 ########################################
 ## <summary>
@ -23733,7 +23752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Execute the X server in the XDM X server domain.
 ## </summary>
 ## <param name="domain">
-@@ -965,15 +1420,47 @@
+@@ -965,15 +1424,47 @@
 #
 interface(`xserver_domtrans_xdm_xserver',`
 	gen_require(`
@ -23782,7 +23801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -1123,7 +1610,7 @@
+@@ -1123,7 +1614,7 @@
 		type xdm_xserver_tmp_t;
 	')
@ -23791,7 +23810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -1312,3 +1799,108 @@
+@@ -1312,3 +1803,108 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
@ -23902,8 +23921,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-02-27 23:17:59.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-02-28 16:46:06.000000000 -0500
-@@ -16,21 +16,79 @@
+@@ -8,6 +8,14 @@
 ## <desc>
 ## <p>
 +## Allows X clients to read the x devices (keyboard/mouse)
 +## </p>
 +## </desc>
 +gen_tunable(allow_read_x_device,true)
 +
 +
 +## <desc>
 +## <p>
 ## Allows clients to write to the X server shared
 ## memory segments.
 ## </p>
@@ -16,21 +24,79 @@
 ## <desc>
 ## <p>
@ -23985,7 +24019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # this is not actually a device, its a pipe
 type xconsole_device_t;
-@@ -56,6 +114,12 @@
+@@ -56,6 +122,12 @@
 type xdm_var_run_t;
 files_pid_file(xdm_var_run_t)
@ -23998,7 +24032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
 typealias xdm_tmp_t alias ice_tmp_t;
-@@ -78,7 +142,31 @@
+@@ -78,7 +150,31 @@
 type xserver_log_t;
 logging_log_file(xserver_log_t)
@ -24030,7 +24064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 init_system_domain(xdm_xserver_t,xserver_exec_t)
 ifdef(`enable_mcs',`
-@@ -95,8 +183,9 @@
+@@ -95,8 +191,9 @@
 # XDM Local policy
 #
@ -24042,7 +24076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
-@@ -109,6 +198,8 @@
+@@ -109,6 +206,8 @@
 allow xdm_t self:key { search link write };
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@ -24051,7 +24085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
-@@ -131,15 +222,22 @@
+@@ -131,15 +230,22 @@
 manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -24075,7 +24109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -153,6 +251,7 @@
+@@ -153,6 +259,7 @@
 allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@ -24083,7 +24117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -173,6 +272,8 @@
+@@ -173,6 +280,8 @@
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
@ -24092,7 +24126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 corenet_all_recvfrom_unlabeled(xdm_t)
 corenet_all_recvfrom_netlabel(xdm_t)
-@@ -184,6 +285,7 @@
+@@ -184,6 +293,7 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
@ -24100,7 +24134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
-@@ -196,6 +298,7 @@
+@@ -196,6 +306,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
@ -24108,7 +24142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
-@@ -208,8 +311,8 @@
+@@ -208,8 +319,8 @@
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
@ -24119,7 +24153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 dev_getattr_power_mgmt_dev(xdm_t)
 dev_setattr_power_mgmt_dev(xdm_t)
-@@ -226,6 +329,7 @@
+@@ -226,6 +337,7 @@
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -24127,7 +24161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 fs_getattr_all_fs(xdm_t)
 fs_search_auto_mountpoints(xdm_t)
-@@ -245,6 +349,7 @@
+@@ -245,6 +357,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -24135,7 +24169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
-@@ -256,12 +361,11 @@
+@@ -256,12 +369,11 @@
 libs_exec_lib_files(xdm_t)
 logging_read_generic_logs(xdm_t)
@ -24149,7 +24183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -270,8 +374,13 @@
+@@ -270,8 +382,13 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -24163,7 +24197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_t)
-@@ -304,7 +413,11 @@
+@@ -304,7 +421,11 @@
 ')
 optional_policy(`
@ -24176,7 +24210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 optional_policy(`
-@@ -312,6 +425,23 @@
+@@ -312,6 +433,23 @@
 ')
 optional_policy(`
@ -24200,7 +24234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
 	gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +452,10 @@
+@@ -322,6 +460,10 @@
 ')
 optional_policy(`
@ -24211,7 +24245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	loadkeys_exec(xdm_t)
 ')
-@@ -335,6 +469,11 @@
+@@ -335,6 +477,11 @@
 ')
 optional_policy(`
@ -24223,18 +24257,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -343,8 +482,9 @@
+@@ -343,8 +490,8 @@
 ')
 optional_policy(`
 -	unconfined_domain(xdm_t)
 +	unconfined_domain(xdm_xserver_t)
 	unconfined_domtrans(xdm_t)
 +	unconfined_signal(xdm_t)
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +520,7 @@
+@@ -380,7 +527,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -24243,7 +24276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +532,15 @@
+@@ -392,6 +539,15 @@
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 files_search_var_lib(xdm_xserver_t)
@ -24259,7 +24292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,9 +553,17 @@
+@@ -404,9 +560,17 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -24277,7 +24310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_xserver_t)
 	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +577,22 @@
+@@ -420,6 +584,22 @@
 ')
 optional_policy(`
@ -24300,7 +24333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
-@@ -429,47 +602,125 @@
+@@ -429,47 +609,138 @@
 ')
 optional_policy(`
@ -24309,30 +24342,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	rpm_dontaudit_rw_shm(xdm_xserver_t)
 +	rpm_rw_tmpfs_files(xdm_xserver_t)
 +')
-+
+ 
 -	ifndef(`distro_redhat',`
 -		allow xdm_xserver_t self:process { execheap execmem };
 -	')
 +optional_policy(`
 +	unconfined_rw_shm(xdm_xserver_t)
 +	unconfined_execmem_rw_shm(xdm_xserver_t)
 +	unconfined_rw_tmpfs_files(xdm_xserver_t)
-	ifndef(`distro_redhat',`
+-	ifdef(`distro_rhel4',`
 -		allow xdm_xserver_t self:process { execheap execmem };
 -	')
 +	# xserver signals unconfined user on startx
 +	unconfined_signal(xdm_xserver_t)
 +	unconfined_getpgid(xdm_xserver_t)
 +')
 -	ifdef(`distro_rhel4',`
 -		allow xdm_xserver_t self:process { execheap execmem };
 -	')
 +
 +tunable_policy(`allow_xserver_execmem', `
 +	allow xdm_xserver_t self:process { execheap execmem execstack };
 +')
 +
 +ifndef(`distro_redhat',`
 +	allow xdm_xserver_t self:process { execheap execmem };
 ')
 -ifdef(`TODO',`
@ -24356,16 +24380,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -allow xdm_t polymember:lnk_file { create unlink };
 -# xdm needs access for copying .Xauthority into new home
 -allow xdm_t polymember:file { create getattr write };
-+ifdef(`distro_rhel4',`
+
-+	allow xdm_xserver_t self:process { execheap execmem };
+tunable_policy(`allow_xserver_execmem', `
 +	allow xdm_xserver_t self:process { execheap execmem execstack };
 ')
 +ifndef(`distro_redhat',`
 +	allow xdm_xserver_t self:process { execheap execmem };
 +')
 +
 +ifdef(`distro_rhel4',`
 +	allow xdm_xserver_t self:process { execheap execmem };
 +')
 +
 +##############################
 #
 -# Wants to delete .xsession-errors file
 +# xauth_t Local policy
- #
+#
 -allow xdm_t user_home_type:file unlink;
 +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
 +
 +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
@ -24412,11 +24444,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 +##############################
 #
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+-allow xdm_t user_home_type:file unlink;
 +# iceauth_t Local policy
 #
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
+-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
 -') dnl end TODO
 +
 +allow iceauth_t user_iceauth_home_t:file manage_file_perms;
 +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
@ -24440,7 +24471,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
 +
 +########################################
-+#
+ #
 -allow pam_t xdm_t:fifo_file { getattr ioctl write };
 -') dnl end TODO
 +# Rules for unconfined access to this module
 +#
 +
@ -24459,6 +24492,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +allow xserver_unconfined_type { x_domain x_server_domain self }:x_resource *;
 +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 +
 +gen_require(`
 +	attribute domain;
 +')
 +
 +allow xserver_unconfined_type domain:x_resource *;
 +allow xserver_unconfined_type domain:{ x_event x_synthetic_event } *;
 +allow xserver_unconfined_type domain:x_drawable *;
 +
 +  
 +tunable_policy(`allow_read_x_device',`
 +	allow xserver_unconfined_type { x_domain x_server_domain self }:x_device read;
 +')
 +
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.3.1/policy/modules/services/zabbix.fc
 --- nsaserefpolicy/policy/modules/services/zabbix.fc	2007-04-11 15:52:54.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -388,6 +388,9 @@ exit 0
 %endif
 %changelog
 * Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-7
 -
 * Wed Feb 27 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-6
 - Prepare policy for beta release
 - Change some of the system domains back to unconfined