- Allow cupsd_config_t to read/write usb_device_t

- Support for finger print reader, - Many fixes for clvmd - dbus starting networkmanager
2007-09-21 20:21:36 +00:00 · 2007-09-21 20:21:36 +00:00 · 347ff1a0c3
parent 07e28d136d
commit 347ff1a0c3
2 changed files with 185 additions and 39 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -1462,7 +1462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-08-02 08:17:26.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 17:57:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 18:26:14.000000000 -0400
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
@ -1482,7 +1482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
 	allow $1_javaplugin_t $2:fd use;
 	# Unrestricted inheritance from the caller.
 	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-@@ -166,6 +165,60 @@
+@@ -166,6 +165,62 @@
 	optional_policy(`
 		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
 	')
@ -1537,13 +1537,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
 +	dev_read_urand($1_java_t)
 +	dev_read_rand($1_java_t)
 +
+	fs_dontaudit_rw_tmpfs_files($1_java_t)
+
 +	optional_policy(`
 +		xserver_xdm_rw_shm($1_java_t)
 +	')
 ')
 
 ########################################
-@@ -219,3 +272,66 @@
+@@ -219,3 +274,66 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, java_exec_t, java_t)
 ')
@ -1612,7 +1614,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.0.8/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.te	2007-09-20 18:14:17.000000000 -0400
+@@ -23,7 +23,7 @@
+ #
+ 
+ # execheap is needed for itanium/BEA jrocket
+-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { getsched sigkill execheap execmem execstack };
+ 
+ init_dbus_chat_script(java_t)
+ 
@@ -31,3 +31,7 @@
 	unconfined_domain_noaudit(java_t)
 	unconfined_dbus_chat(java_t)
@ -1623,8 +1634,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mono.if	2007-09-20 11:42:05.000000000 -0400
-@@ -18,3 +18,102 @@
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if	2007-09-20 18:25:48.000000000 -0400
+@@ -18,3 +18,103 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, mono_exec_t, mono_t)
 ')
@ -1720,6 +1731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
 +	userdom_unpriv_usertype($1, $1_mono_t)
 +
 +	allow $1_mono_t self:process { signal getsched execheap execmem };
+	allow $2 $1_mono_t:process noatsecure;
 +
 +	domtrans_pattern($2, mono_exec_t, $1_mono_t)
 +
@ -2250,7 +2262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-09-21 14:41:45.000000000 -0400
@@ -36,6 +36,11 @@
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@ -2284,7 +2296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
-@@ -259,3 +265,7 @@
+@@ -259,3 +265,8 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -2292,6 +2304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
 +/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 +/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
+/lib(64)?/dbus-1/dbus-daemon-launch-helper --    gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in	2007-09-17 16:20:18.000000000 -0400
@ -2415,7 +2428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-09-21 14:29:01.000000000 -0400
@@ -20,6 +20,7 @@
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@ -2424,6 +2437,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
+@@ -98,6 +99,7 @@
+ /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+ /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/uimput	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ 
+ /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-06-19 16:23:34.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2007-09-17 16:20:18.000000000 -0400
@ -4904,7 +4925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ifdef(`TODO',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2007-09-18 12:31:53.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2007-09-21 15:23:17.000000000 -0400
@@ -8,17 +8,14 @@
 /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -4924,24 +4945,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
 
 /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -26,6 +23,9 @@
+@@ -26,6 +23,11 @@
 /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
 +/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/lib(64)?/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
 +
 /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -52,3 +52,4 @@
+@@ -52,3 +54,4 @@
 /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 
 /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-09-18 12:15:12.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-09-21 09:12:45.000000000 -0400
@@ -49,9 +49,6 @@
 type hplip_exec_t;
 init_daemon_domain(hplip_t,hplip_exec_t)
@ -5103,7 +5126,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	seutil_sigchld_newrole(cupsd_t)
 ')
 
-@@ -377,6 +400,14 @@
+@@ -331,6 +354,7 @@
+ dev_read_sysfs(cupsd_config_t)
+ dev_read_urand(cupsd_config_t)
+ dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
+ 
+ fs_getattr_all_fs(cupsd_config_t)
+ fs_search_auto_mountpoints(cupsd_config_t)
+@@ -377,6 +401,14 @@
 ')
 
 optional_policy(`
@ -5118,7 +5149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
-@@ -526,11 +557,6 @@
+@@ -526,11 +558,6 @@
 
 cups_stream_connect(hplip_t)
 
@ -5130,7 +5161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
 files_pid_filetrans(hplip_t,hplip_var_run_t,file)
 
-@@ -560,7 +586,7 @@
+@@ -560,7 +587,7 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
@ -5139,7 +5170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +613,6 @@
+@@ -587,8 +614,6 @@
 userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
 
@ -5189,7 +5220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2007-09-20 15:31:09.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2007-09-21 06:44:48.000000000 -0400
@@ -50,6 +50,12 @@
 ## </param>
 #
@ -5330,7 +5361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.te	2007-09-20 12:01:29.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.te	2007-09-21 14:44:08.000000000 -0400
@@ -23,6 +23,9 @@
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
@ -5350,13 +5381,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
-@@ -116,9 +121,18 @@
+@@ -116,9 +121,22 @@
 ')
 
 optional_policy(`
 +	rhgb_use_ptys(system_dbusd_t)
 +')
 +
+optional_policy(`
+	networkmanager_domtrans(system_dbusd_t)
+')
+
 +optional_policy(`
 	sysnet_domtrans_dhcpc(system_dbusd_t)
 ')
@ -6134,7 +6169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-09-19 13:28:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-09-21 14:55:44.000000000 -0400
@@ -155,6 +155,8 @@
 selinux_compute_relabel_context(hald_t)
 selinux_compute_user_contexts(hald_t)
@ -6152,6 +6187,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 allow hald_acl_t self:fifo_file read_fifo_file_perms;
 
 domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
+@@ -344,6 +347,8 @@
+ 
+ files_read_usr_files(hald_mac_t)
+ 
+kernel_read_system_state(hald_mac_t)
+
+ libs_use_ld_so(hald_mac_t)
+ libs_use_shared_libs(hald_mac_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-09-12 10:34:50.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2007-09-17 16:20:18.000000000 -0400
@ -7921,7 +7965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb
 	consoletype_exec(rhgb_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.0.8/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ricci.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ricci.te	2007-09-21 10:21:12.000000000 -0400
@@ -138,6 +138,7 @@
 files_create_boot_flag(ricci_t)
 
@ -7930,6 +7974,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
 auth_append_login_records(ricci_t)
 
 init_dontaudit_stream_connect_script(ricci_t)
+@@ -260,7 +261,7 @@
+ # ricci_modclusterd local policy
+ #
+ 
+-allow ricci_modclusterd_t self:capability sys_nice;
+allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
+ allow ricci_modclusterd_t self:process { signal sigkill setsched };
+ allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
+ allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
@@ -321,6 +322,10 @@
 ')
 
@ -7941,6 +7994,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
 	unconfined_use_fds(ricci_modclusterd_t)
 ')
 
+@@ -468,9 +473,6 @@
+ 
+ logging_send_syslog_msg(ricci_modstorage_t)
+ 
+-lvm_domtrans(ricci_modstorage_t)
+-lvm_manage_config(ricci_modstorage_t)
+-
+ miscfiles_read_localization(ricci_modstorage_t)
+ 
+ modutils_read_module_deps(ricci_modstorage_t)
+@@ -482,6 +484,7 @@
+ 
+ optional_policy(`
+ 	lvm_domtrans(ricci_modstorage_t)
+	lvm_manage_config(ricci_modstorage_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2007-09-17 16:20:18.000000000 -0400
@ -11141,6 +11212,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
 	seutil_sigchld_newrole(iptables_t)
 ')
 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.0.8/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/iscsi.te	2007-09-21 14:55:01.000000000 -0400
+@@ -68,6 +68,8 @@
+ 
+ files_read_etc_files(iscsid_t)
+ 
+kernel_read_system_state(iscsid_t)
+
+ libs_use_ld_so(iscsid_t)
+ libs_use_shared_libs(iscsid_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-08-02 08:17:28.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2007-09-18 10:51:20.000000000 -0400
@ -11862,7 +11945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 files_dontaudit_search_isid_type_dirs(syslogd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.8/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.fc	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/lvm.fc	2007-09-21 09:54:46.000000000 -0400
@@ -15,6 +15,7 @@
 #
 /etc/lvm(/.*)?			gen_context(system_u:object_r:lvm_etc_t,s0)
@ -11873,19 +11956,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
 /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2007-09-17 16:20:18.000000000 -0400
-@@ -150,7 +150,9 @@
+++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2007-09-21 15:33:57.000000000 -0400
+@@ -44,9 +44,9 @@
+ # Cluster LVM daemon local policy
+ #
+ 
+-allow clvmd_t self:capability { sys_admin mknod };
+allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
+ dontaudit clvmd_t self:capability sys_tty_config;
+-allow clvmd_t self:process signal_perms;
+allow clvmd_t self:process { signal_perms  setsched };
+ dontaudit clvmd_t self:process ptrace;
+ allow clvmd_t self:socket create_socket_perms;
+ allow clvmd_t self:fifo_file rw_fifo_file_perms;
+@@ -85,6 +85,9 @@
+ corenet_sendrecv_generic_server_packets(clvmd_t)
+ 
+ dev_read_sysfs(clvmd_t)
+dev_manage_generic_symlinks(clvmd_t)
+dev_relabel_generic_dev_dirs(clvmd_t)
+dev_manage_generic_blk_files(clvmd_t)
+ dev_manage_generic_chr_files(clvmd_t)
+ dev_rw_lvm_control(clvmd_t)
+ dev_dontaudit_getattr_all_blk_files(clvmd_t)
+@@ -102,6 +105,7 @@
+ 
+ domain_use_interactive_fds(clvmd_t)
+ 
+storage_relabel_fixed_disk(clvmd_t)
+ storage_raw_read_fixed_disk(clvmd_t)
+ 
+ libs_use_ld_so(clvmd_t)
+@@ -113,6 +117,9 @@
+ 
+ seutil_dontaudit_search_config(clvmd_t)
+ seutil_sigchld_newrole(clvmd_t)
+seutil_read_config(clvmd_t)
+seutil_read_file_contexts(clvmd_t)
+seutil_search_default_contexts(clvmd_t)
+ 
+ sysnet_read_config(clvmd_t)
+ 
+@@ -150,7 +157,8 @@
 
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
 # rawio needed for dmraid
 -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
 +allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
 +# lvm needs net_admin for multipath
-+
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
-@@ -228,6 +230,8 @@
+@@ -208,7 +216,6 @@
+ selinux_compute_user_contexts(lvm_t)
+ 
+ dev_create_generic_chr_files(lvm_t)
+-dev_delete_generic_dirs(lvm_t)
+ dev_read_rand(lvm_t)
+ dev_read_urand(lvm_t)
+ dev_rw_lvm_control(lvm_t)
+@@ -228,6 +235,8 @@
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
@ -11894,7 +12024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
-@@ -246,6 +250,7 @@
+@@ -246,6 +255,7 @@
 storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
@ -11902,7 +12032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 
 term_getattr_all_user_ttys(lvm_t)
 term_list_ptys(lvm_t)
-@@ -275,6 +280,8 @@
+@@ -275,6 +285,8 @@
 seutil_search_default_contexts(lvm_t)
 seutil_sigchld_newrole(lvm_t)
 
@ -11911,7 +12041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 ifdef(`distro_redhat',`
 	# this is from the initrd:
 	files_rw_isid_type_dirs(lvm_t)
-@@ -293,5 +300,15 @@
+@@ -293,5 +305,14 @@
 ')
 
 optional_policy(`
@ -11926,7 +12056,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 +	xen_append_log(lvm_t)
 +	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 +')
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-08-22 07:14:12.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2007-09-17 16:20:18.000000000 -0400
@ -12838,6 +12967,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 term_dontaudit_use_all_user_ttys(ifconfig_t)
 term_dontaudit_use_all_user_ptys(ifconfig_t)
 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
+--- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-05-29 14:10:58.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2007-09-21 06:46:14.000000000 -0400
+@@ -10,3 +10,4 @@
+ /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+ 
+ /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-09-17 16:20:18.000000000 -0400
@ -13047,7 +13184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-09-21 06:44:58.000000000 -0400
@@ -5,28 +5,36 @@
 #
 # Declarations
@ -13231,14 +13368,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -227,6 +223,17 @@
- 	unconfined_dbus_chat(unconfined_execmem_t)
+@@ -225,8 +221,20 @@
 
- 	optional_policy(`
-+		avahi_dbus_chat(unconfined_t)
-+	')
+ 	init_dbus_chat_script(unconfined_execmem_t)
+ 	unconfined_dbus_chat(unconfined_execmem_t)
+	dbus_connect_system_bus(unconfined_execmem_t)
 +
 +	optional_policy(`
+		avahi_dbus_chat(unconfined_execmem_t)
+	')
+ 
+ 	optional_policy(`
 		hal_dbus_chat(unconfined_execmem_t)
 	')
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -362,6 +362,12 @@ exit 0
 %endif

 %changelog
+* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-7
+- Allow cupsd_config_t to read/write usb_device_t
+- Support for finger print reader,
+- Many fixes for clvmd
+- dbus starting networkmanager
+
 * Thu Sep 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-5
 - Fix java and mono to run in xguest account