- Fixes for IBM java location

2008-12-17 21:15:08 +00:00 · 2008-12-17 21:15:08 +00:00 · 33c7eab541
parent dcd0c96f34
commit 33c7eab541
2 changed files with 149 additions and 70 deletions
--- a/policy-20081111.patch
+++ b/policy-20081111.patch
@ -357,14 +357,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow consoletype_t self:fifo_file rw_fifo_file_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.1/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/admin/kismet.te	2008-12-02 11:02:15.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/admin/kismet.te	2008-12-12 09:38:02.000000000 -0500
-@@ -25,11 +25,13 @@
+@@ -25,11 +25,14 @@
 # kismet local policy
 #
 -allow kismet_t self:capability { net_admin net_raw setuid setgid };
 +allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
 +allow kismet_t self:capability { kill net_admin net_raw setuid setgid };
-+allow kismet_t self:process signal;
+allow kismet_t self:process signal_perms;
 allow kismet_t self:fifo_file rw_file_perms;
 allow kismet_t self:packet_socket create_socket_perms;
 -allow kismet_t self:unix_dgram_socket create_socket_perms;
@ -374,7 +375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
-@@ -47,6 +49,14 @@
+@@ -47,6 +50,15 @@
 corecmd_exec_bin(kismet_t)
@ -385,6 +386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +corenet_tcp_sendrecv_all_ports(kismet_t)
 +corenet_tcp_bind_all_nodes(kismet_t)
 +corenet_tcp_bind_kismet_port(kismet_t)
 +corenet_tcp_connect_kismet_port(kismet_t)
 +
 auth_use_nsswitch(kismet_t)
@ -1784,13 +1786,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # GPG agent local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.1/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2008-08-07 11:15:03.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/apps/java.fc	2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/java.fc	2008-12-17 09:13:47.000000000 -0500
-@@ -3,14 +3,15 @@
+@@ -2,15 +2,16 @@
 # /opt
 #
 /opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:java_exec_t,s0)
- /opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+-/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 -/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
 -/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
 +/opt/ibm/java.*/(bin|javaws)(/.*)?	-- gen_context(system_u:object_r:java_exec_t,s0)
 +/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 +/opt/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
@ -2546,7 +2550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te	2008-12-05 08:34:32.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.te	2008-12-15 12:10:00.000000000 -0500
@@ -0,0 +1,275 @@
 +
 +policy_module(nsplugin, 1.0.0)
@ -2742,7 +2746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +
 +allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
 +#execing pulseaudio
 +dontaudit nsplugin_t self:process { getcap setcap };
 +
@ -4770,7 +4774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type power_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.1/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2008-10-16 17:21:13.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/kernel/domain.if	2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/kernel/domain.if	2008-12-11 15:07:55.000000000 -0500
@@ -1247,18 +1247,34 @@
 ##	</summary>
 ## </param>
@ -5812,7 +5816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.1/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2008-10-14 11:58:07.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.te	2008-11-25 09:48:01.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.te	2008-12-12 10:10:06.000000000 -0500
@@ -21,7 +21,7 @@
 # Use xattrs for the following filesystem types.
@ -5843,11 +5847,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type vxfs_t;
 fs_noxattr_type(vxfs_t)
-@@ -241,6 +248,7 @@
+@@ -241,6 +248,8 @@
 genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
 +genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 +genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
 ########################################
 #
@ -6628,7 +6633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.1/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/roles/staff.te	2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/roles/staff.te	2008-12-11 15:08:24.000000000 -0500
@@ -8,112 +8,32 @@
 role staff_r;
@ -10558,7 +10563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/cups.te	2008-12-05 08:56:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/cups.te	2008-12-15 11:14:17.000000000 -0500
@@ -20,9 +20,18 @@
 type cupsd_etc_t;
 files_config_file(cupsd_etc_t)
@ -10615,7 +10620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 -allow cupsd_t self:process { setsched signal_perms };
 -allow cupsd_t self:fifo_file rw_file_perms;
-+allow cupsd_t self:process { setpgid setsched signal_perms };
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
 +allow cupsd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
@ -10869,17 +10874,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -491,7 +555,8 @@
+@@ -491,7 +555,10 @@
 allow hplip_t self:udp_socket create_socket_perms;
 allow hplip_t self:rawip_socket create_socket_perms;
 -allow hplip_t cupsd_etc_t:dir search;
 +allow hplip_t cupsd_etc_t:dir search_dir_perms;
-+allow hplip_t cupsd_tmp_t:file rw_file_perms;
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
 +manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
 +files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
 cups_stream_connect(hplip_t)
-@@ -500,6 +565,10 @@
+@@ -500,6 +567,10 @@
 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
 files_search_etc(hplip_t)
@ -10890,7 +10897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
 files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -529,7 +598,8 @@
+@@ -529,7 +600,8 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
@ -10900,7 +10907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +623,9 @@
+@@ -553,7 +625,9 @@
 userdom_dontaudit_search_user_home_dirs(hplip_t)
 userdom_dontaudit_search_user_home_content(hplip_t)
@ -10911,7 +10918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	dbus_system_bus_client(hplip_t)
-@@ -635,3 +707,39 @@
+@@ -635,3 +709,39 @@
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
@ -12187,7 +12194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/hal.te	2008-12-10 09:03:53.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/hal.te	2008-12-12 09:32:41.000000000 -0500
@@ -49,6 +49,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -12206,7 +12213,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
-@@ -277,6 +281,12 @@
+@@ -195,6 +199,7 @@
 seutil_read_file_contexts(hald_t)
 sysnet_read_config(hald_t)
 +sysnet_domtrans_dhcpc(hald_t)
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -277,6 +282,12 @@
 ')
 optional_policy(`
@ -12219,7 +12234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rpc_search_nfs_state_data(hald_t)
 ')
-@@ -301,12 +311,16 @@
+@@ -301,12 +312,16 @@
 	virt_manage_images(hald_t)
 ')
@ -12237,7 +12252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow hald_acl_t self:process { getattr signal };
 allow hald_acl_t self:fifo_file rw_fifo_file_perms;
-@@ -346,12 +360,17 @@
+@@ -346,12 +361,17 @@
 miscfiles_read_localization(hald_acl_t)
@ -12256,7 +12271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
 allow hald_t hald_mac_t:process signal;
-@@ -418,3 +437,7 @@
+@@ -418,3 +438,7 @@
 files_read_usr_files(hald_keymap_t)
 miscfiles_read_localization(hald_keymap_t)
@ -12919,14 +12934,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_type(mailscanner_spool_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.1/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/services/mta.fc	2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/mta.fc	2008-12-15 09:22:51.000000000 -0500
@@ -1,4 +1,4 @@
 -/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 +/bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
-@@ -22,7 +22,3 @@
+@@ -11,9 +11,11 @@
 /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 +/usr/bin/esmtp    		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
 +/usr/sbin/ssmtp 		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
 /var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
@@ -22,7 +24,3 @@
 /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
@ -18579,7 +18606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.1/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/samba.te	2008-12-08 15:15:10.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/samba.te	2008-12-15 12:23:46.000000000 -0500
@@ -66,6 +66,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs, false)
@ -18632,7 +18659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Samba net local policy
 #
 -
-+allow samba_net_t self:capability { dac_read_search dac_override };
+allow samba_net_t self:capability { sys_nice dac_read_search dac_override };
 +allow samba_net_t self:process { getsched setsched };
 allow samba_net_t self:unix_dgram_socket create_socket_perms;
 allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
@ -18651,15 +18678,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_all_recvfrom_unlabeled(samba_net_t)
 corenet_all_recvfrom_netlabel(samba_net_t)
-@@ -190,6 +205,7 @@
+@@ -190,15 +205,23 @@
 domain_use_interactive_fds(samba_net_t)
 files_read_etc_files(samba_net_t)
 +files_read_usr_symlinks(samba_net_t)
 auth_use_nsswitch(samba_net_t)
 +auth_read_cache(samba_net_t)
-@@ -197,8 +213,14 @@
+ logging_send_syslog_msg(samba_net_t)
 miscfiles_read_localization(samba_net_t) 
@ -18675,7 +18703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	kerberos_use(samba_net_t)
-@@ -208,7 +230,7 @@
+@@ -208,7 +231,7 @@
 #
 # smbd Local policy
 #
@ -18684,7 +18712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit smbd_t self:capability sys_tty_config;
 allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow smbd_t self:process setrlimit;
-@@ -226,10 +248,8 @@
+@@ -226,10 +249,8 @@
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
@ -18696,7 +18724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow smbd_t samba_net_tmp_t:file getattr;
-@@ -239,6 +259,7 @@
+@@ -239,6 +260,7 @@
 manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@ -18704,7 +18732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -256,7 +277,7 @@
+@@ -256,7 +278,7 @@
 manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 files_pid_filetrans(smbd_t, smbd_var_run_t, file)
@ -18713,7 +18741,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
-@@ -321,6 +342,10 @@
+@@ -298,6 +320,7 @@
 auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
 +auth_domtrans_upd_passwd(smbd_t)
 domain_use_interactive_fds(smbd_t)
 domain_dontaudit_list_all_domains_state(smbd_t)
@@ -321,6 +344,10 @@
 userdom_use_unpriv_users_fds(smbd_t)
 userdom_dontaudit_search_user_home_dirs(smbd_t)
@ -18724,7 +18760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -350,8 +375,20 @@
+@@ -350,8 +377,20 @@
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
@ -18745,7 +18781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	cups_read_rw_config(smbd_t)
 	cups_stream_connect(smbd_t)
-@@ -359,6 +396,16 @@
+@@ -359,6 +398,16 @@
 optional_policy(`
 	kerberos_use(smbd_t)
@ -18762,7 +18798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -381,8 +428,10 @@
+@@ -381,8 +430,10 @@
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t) 
@ -18773,7 +18809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	auth_read_all_files_except_shadow(nmbd_t)
 ')
-@@ -454,6 +503,7 @@
+@@ -454,6 +505,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 fs_getattr_all_fs(nmbd_t)
@ -18781,7 +18817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_search_auto_mountpoints(nmbd_t)
 domain_use_interactive_fds(nmbd_t)
-@@ -553,19 +603,33 @@
+@@ -553,19 +605,33 @@
 userdom_use_user_terminals(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
@ -18818,7 +18854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -585,6 +649,9 @@
+@@ -585,6 +651,9 @@
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 allow swat_t winbind_exec_t:file mmap_file_perms;
@ -18828,7 +18864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -609,15 +676,18 @@
+@@ -609,15 +678,18 @@
 dev_read_urand(swat_t)
@ -18847,7 +18883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_search_logs(swat_t)
 miscfiles_read_localization(swat_t)
-@@ -635,6 +705,17 @@
+@@ -635,6 +707,17 @@
 	kerberos_use(swat_t)
 ')
@ -18865,16 +18901,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Winbind local policy
-@@ -642,7 +723,7 @@
+@@ -642,7 +725,7 @@
 allow winbind_t self:capability { dac_override ipc_lock setuid };
 dontaudit winbind_t self:capability sys_tty_config;
 -allow winbind_t self:process signal_perms;
-+allow winbind_t self:process { signal_perms getsched };
+allow winbind_t self:process { signal_perms getsched setsched };
 allow winbind_t self:fifo_file rw_fifo_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +764,10 @@
+@@ -683,9 +766,10 @@
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@ -18887,7 +18923,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_all_recvfrom_unlabeled(winbind_t)
 corenet_all_recvfrom_netlabel(winbind_t)
-@@ -713,6 +795,7 @@
+@@ -709,10 +793,12 @@
 auth_domtrans_chk_passwd(winbind_t)
 auth_use_nsswitch(winbind_t)
 +auth_rw_cache(winbind_t)
 domain_use_interactive_fds(winbind_t)
 files_read_etc_files(winbind_t)
@ -18895,7 +18936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(winbind_t)
-@@ -768,8 +851,13 @@
+@@ -768,8 +854,13 @@
 userdom_use_user_terminals(winbind_helper_t)
 optional_policy(`
@ -18909,7 +18950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -778,6 +866,16 @@
+@@ -778,6 +869,16 @@
 #
 optional_policy(`
@ -18926,7 +18967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
-@@ -788,9 +886,43 @@
+@@ -788,9 +889,43 @@
 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@ -21059,7 +21100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.if	2008-12-04 13:08:52.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/xserver.if	2008-12-11 14:52:07.000000000 -0500
@@ -397,11 +397,12 @@
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
@ -21432,7 +21473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	display.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-11-18 18:57:20.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/xserver.te	2008-12-08 10:28:07.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/xserver.te	2008-12-11 14:53:37.000000000 -0500
@@ -34,6 +34,13 @@
 ## <desc>
@ -21917,10 +21958,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -972,6 +1091,21 @@
+@@ -972,6 +1091,37 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 +allow xserver_unconfined_type self:x_drawable all_x_drawable_perms;
 +allow xserver_unconfined_type self:x_screen all_x_screen_perms;
 +allow xserver_unconfined_type self:x_gc all_x_gc_perms;
 +allow xserver_unconfined_type self:x_font all_x_font_perms;
 +allow xserver_unconfined_type self:x_colormap all_x_colormap_perms;
 +allow xserver_unconfined_type self:x_property all_x_property_perms;
 +allow xserver_unconfined_type self:x_selection all_x_selection_perms;
 +allow xserver_unconfined_type self:x_cursor all_x_cursor_perms;
 +allow xserver_unconfined_type self:x_client all_x_client_perms;
 +allow xserver_unconfined_type self:x_device all_x_device_perms;
 +allow xserver_unconfined_type self:x_server all_x_server_perms;
 +allow xserver_unconfined_type self:x_extension all_x_extension_perms;
 +allow xserver_unconfined_type self:x_resource all_x_resource_perms;
 +allow xserver_unconfined_type self:x_event all_x_event_perms;
 +allow xserver_unconfined_type self:x_synthetic_event all_x_synthetic_event_perms;
 +
 +optional_policy(`
 +	unconfined_rw_shm(xserver_t)
 +	unconfined_execmem_rw_shm(xserver_t)
@ -21939,7 +21996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`TODO',`
 tunable_policy(`allow_polyinstantiation',`
 # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1120,13 @@
+@@ -986,3 +1136,13 @@
 #
 allow xdm_t user_home_type:file unlink;
 ') dnl end TODO
@ -22093,7 +22150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if	2008-12-11 09:57:10.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if	2008-12-17 09:20:00.000000000 -0500
@@ -43,6 +43,7 @@
 interface(`auth_login_pgm_domain',`
 	gen_require(`
@ -22310,7 +22367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -1341,3 +1449,80 @@
+@@ -1341,3 +1449,99 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -22336,6 +22393,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
 +##	Read authentication cache
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`auth_read_cache',`
 +	gen_require(`
 +		type auth_cache_t;
 +	')
 +
 +	read_files_pattern($1, auth_cache_t,  auth_cache_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read/Write authentication cache
 +## </summary>
 +## <param name="domain">
@ -23212,7 +23288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.1/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-08-13 15:24:56.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/system/libraries.fc	2008-12-09 10:20:24.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/libraries.fc	2008-12-15 11:27:38.000000000 -0500
@@ -60,12 +60,15 @@
 #
 # /opt
@ -23321,7 +23397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ') dnl end distro_redhat
 #
-@@ -310,3 +331,20 @@
+@@ -310,3 +331,19 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@ -23338,9 +23414,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/usr/lib(64)?/libmpeg2\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/sse2/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/i686/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.1/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2008-11-11 16:13:48.000000000 -0500
@ -25020,7 +25095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.1/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/sysnetwork.if	2008-12-03 10:18:59.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/sysnetwork.if	2008-12-12 10:01:10.000000000 -0500
@@ -192,7 +192,25 @@
 		type dhcpc_state_t;
 	')
@ -26056,7 +26131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-09 14:27:56.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-11 15:08:45.000000000 -0500
@@ -30,8 +30,9 @@
 	')
@ -26187,7 +26262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	sysnet_read_config($1_t)
 +	files_dontaudit_getattr_all_dirs($1_usertype)
 +	files_dontaudit_list_non_security($1_usertype)
-+	files_dontaudit_getattr_non_security_files($1_usertype)
+	files_dontaudit_getattr_all_files($1_usertype)
 +	files_dontaudit_getattr_non_security_symlinks($1_usertype)
 +	files_dontaudit_getattr_non_security_pipes($1_usertype)
 +	files_dontaudit_getattr_non_security_sockets($1_usertype)
@ -26686,7 +26761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 -		pcscd_read_pub_files($1_t)
 -		pcscd_stream_connect($1_t)
-+		nsplugin_role($1_r, $1_t)
+		nsplugin_role($1_r, $1_usertype)
 	')
 	optional_policy(`
@ -27046,7 +27121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	optional_policy(`
 +		mono_role_template($1, $1_r, $1_t)
- 	')
+	')
 +
 +	optional_policy(`
 +		mount_run($1_t, $1_r)
@ -27055,7 +27130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	# Run pppd in pppd_t by default for user
 +	optional_policy(`
 +		ppp_run_cond($1_t, $1_r)
-+	')
+ 	')
 +
 ')
@ -27409,7 +27484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -2981,3 +3184,263 @@
+@@ -2981,3 +3184,264 @@
 	allow $1 userdomain:dbus send_msg;
 ')
@ -27495,6 +27570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +  domain_read_all_domains_state($1_t)
 +  domain_getattr_all_domains($1_t)
 +  domain_obj_id_change_exemption($1_t)
 +
 +  files_read_kernel_modules($1_t)
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -446,6 +446,9 @@ exit 0
 %endif
 %changelog
 * Wed Dec 17 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-11
 - Fixes for IBM java location
 * Thu Dec 11 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-10
 - Allow unconfined_r unconfined_java_t