- Fixes for nsplugin

This commit is contained in:
Daniel J Walsh 2008-02-04 17:17:30 +00:00
parent 60c693e546
commit 380f3cb7b1
1 changed files with 167 additions and 69 deletions


@ -4528,7 +4528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.6/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc 2008-02-04 10:23:03.000000000 -0500
@@ -1,9 +1,9 @@
#
# HOME_DIR/
@ -4568,11 +4568,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f
ifdef(`distro_gentoo',`
/opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -49,3 +55,4 @@
@@ -49,3 +55,6 @@
/opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
')
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.6/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/apps/vmware.if 2008-02-01 16:01:42.000000000 -0500
@ -4747,7 +4749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-04 11:10:30.000000000 -0500
@@ -7,11 +7,11 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@ -4799,13 +4801,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -284,3 +291,6 @@
@@ -284,3 +291,7 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.6/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.if 2008-02-01 16:01:42.000000000 -0500
@ -5457,7 +5460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.6/policy/modules/kernel/files.if 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/kernel/files.if 2008-02-04 12:03:13.000000000 -0500
@@ -1266,6 +1266,24 @@
########################################
@ -6109,7 +6112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.6/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
+++ serefpolicy-3.2.6/policy/modules/services/apache.if 2008-02-01 16:48:52.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/apache.if 2008-02-04 10:16:22.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@ -8205,16 +8208,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.6/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc 2008-02-04 11:46:55.000000000 -0500
@@ -1,3 +1,5 @@
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-01 22:35:15.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-04 11:52:57.000000000 -0500
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@ -8225,7 +8229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
########################################
#
# consolekit local policy
@@ -24,6 +27,9 @@
@@ -24,20 +27,26 @@
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
allow consolekit_t self:unix_dgram_socket create_socket_perms;
@ -8235,7 +8239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
@@ -36,8 +42,10 @@
kernel_read_system_state(consolekit_t)
corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
dev_read_urand(consolekit_t)
dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
@ -8246,7 +8256,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
@@ -50,12 +58,25 @@
@@ -47,15 +56,31 @@
auth_use_nsswitch(consolekit_t)
+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+
libs_use_ld_so(consolekit_t)
libs_use_shared_libs(consolekit_t)
@ -8273,17 +8289,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
hal_dbus_chat(consolekit_t)
optional_policy(`
@@ -64,6 +85,32 @@
@@ -64,6 +89,33 @@
')
optional_policy(`
+ polkit_domtrans_auth(consolekit_t)
+ polkit_search_lib(consolekit_t)
+')
+
+optional_policy(`
xserver_read_all_users_xauth(consolekit_t)
xserver_stream_connect_xdm_xserver(consolekit_t)
')
+ xserver_ptrace_xdm(consolekit_t)
+')
+
+optional_policy(`
+ #reading .Xauthity
@ -8298,14 +8316,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_list_nfs(consolekit_t)
+ fs_dontaudit_rw_nfs_files(consolekit_t)
+')
')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_list_cifs(consolekit_t)
+ fs_dontaudit_rw_cifs_files(consolekit_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.6/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/cron.fc 2008-02-01 16:01:42.000000000 -0500
@ -12652,7 +12669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.6/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/mta.te 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/mta.te 2008-02-04 12:04:01.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@ -12670,7 +12687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
mta_base_mail_template(system)
role system_r types system_mail_t;
@@ -37,30 +40,43 @@
@@ -37,30 +40,45 @@
#
# newalias required this, not sure if it is needed in 'if' file
@ -12679,6 +12696,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
+
+files_read_all_tmp_files(system_mail_t)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
@ -12715,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
@@ -73,6 +89,7 @@
@@ -73,6 +91,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@ -12723,7 +12742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
cron_dontaudit_write_pipes(system_mail_t)
')
@@ -81,6 +98,11 @@
@@ -81,6 +100,11 @@
')
optional_policy(`
@ -12735,7 +12754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
logrotate_read_tmp_files(system_mail_t)
')
@@ -136,11 +158,33 @@
@@ -136,11 +160,33 @@
')
optional_policy(`
@ -12753,7 +12772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
-# should break this up among sections:
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
@ -12765,12 +12784,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
+
+# should break this up among sections:
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
@@ -154,3 +198,4 @@
@@ -154,3 +200,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
@ -14377,8 +14396,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-01 16:01:42.000000000 -0500
@@ -0,0 +1,59 @@
+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-04 11:48:36.000000000 -0500
@@ -0,0 +1,62 @@
+
+## <summary>policy for polkit_auth</summary>
+
@ -14437,6 +14456,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+
+ files_search_var_lib($1)
+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
+
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
@ -17750,7 +17772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.6/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/sendmail.te 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/sendmail.te 2008-02-04 12:03:27.000000000 -0500
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@ -17779,7 +17801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
@@ -69,10 +74,12 @@
@@ -69,13 +74,16 @@
# for piping mail to a command
corecmd_exec_shell(sendmail_t)
@ -17792,7 +17814,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
@@ -97,20 +104,35 @@
+files_read_all_tmp_files(sendmail_t)
init_use_fds(sendmail_t)
init_use_script_ptys(sendmail_t)
@@ -97,20 +105,35 @@
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
@ -17829,7 +17855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
@@ -118,6 +140,7 @@
@@ -118,6 +141,7 @@
optional_policy(`
procmail_domtrans(sendmail_t)
@ -17837,7 +17863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
@@ -125,24 +148,25 @@
@@ -125,24 +149,25 @@
')
optional_policy(`
@ -20191,7 +20217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.6/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/xserver.if 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/xserver.if 2008-02-04 11:52:35.000000000 -0500
@@ -15,6 +15,7 @@
template(`xserver_common_domain_template',`
gen_require(`
@ -20393,16 +20419,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
-
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
-
- allow $2 $1_xauth_t:process signal;
+ allow $2 xauth_t:process signal;
# allow ps to show xauth
- ps_process_pattern($2,$1_xauth_t)
-
+ ps_process_pattern($2,xauth_t)
- allow $2 $1_xauth_home_t:file manage_file_perms;
- allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
@ -20416,8 +20443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-
- fs_getattr_xattr_fs($1_xauth_t)
- fs_search_auto_mountpoints($1_xauth_t)
+ ps_process_pattern($2,xauth_t)
-
- # cjp: why?
- term_use_ptmx($1_xauth_t)
-
@ -20847,7 +20873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -1312,3 +1411,45 @@
@@ -1312,3 +1411,63 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@ -20893,9 +20919,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+')
+
+########################################
+## <summary>
+## Ptrace XDM
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`xserver_ptrace_xdm',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:process ptrace;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.6/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/xserver.te 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/xserver.te 2008-02-04 11:50:03.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@ -20970,18 +21014,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t)
@@ -95,8 +134,8 @@
@@ -95,8 +134,9 @@
# XDM Local policy
#
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms };
+allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };
+
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -109,6 +148,8 @@
@@ -109,6 +149,8 @@
allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@ -20990,7 +21035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
@@ -131,15 +172,22 @@
@@ -131,15 +173,22 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -21014,7 +21059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -153,6 +201,7 @@
@@ -153,6 +202,7 @@
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@ -21022,7 +21067,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
@@ -184,6 +233,7 @@
@@ -173,6 +223,8 @@
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
+# Uses DBUS
+corecmd_bin_entry_type(xdm_t)
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
@@ -184,6 +236,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@ -21030,7 +21084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
@@ -196,6 +246,7 @@
@@ -196,6 +249,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@ -21038,7 +21092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -208,8 +259,8 @@
@@ -208,8 +262,8 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@ -21049,7 +21103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
@@ -226,6 +277,7 @@
@@ -226,6 +280,7 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -21057,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
@@ -245,6 +297,7 @@
@@ -245,6 +300,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -21065,7 +21119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -256,12 +309,11 @@
@@ -256,12 +312,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -21079,7 +21133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -270,6 +322,10 @@
@@ -270,6 +325,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -21090,7 +21144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
@@ -304,7 +360,16 @@
@@ -304,7 +363,16 @@
')
optional_policy(`
@ -21107,7 +21161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -322,6 +387,10 @@
@@ -322,6 +390,10 @@
')
optional_policy(`
@ -21118,7 +21172,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t)
')
@@ -343,8 +412,8 @@
@@ -335,6 +407,11 @@
')
optional_policy(`
+ polkit_domtrans_auth(xdm_t)
+ polkit_read_lib(xdm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
@@ -343,8 +420,8 @@
')
optional_policy(`
@ -21128,7 +21194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -380,7 +449,7 @@
@@ -380,7 +457,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -21137,7 +21203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -392,6 +461,15 @@
@@ -392,6 +469,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@ -21153,7 +21219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -404,6 +482,7 @@
@@ -404,6 +490,7 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -21161,7 +21227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_all_users_fonts(xdm_xserver_t)
@@ -420,6 +499,14 @@
@@ -420,6 +507,14 @@
')
optional_policy(`
@ -21176,7 +21242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -429,47 +516,103 @@
@@ -429,47 +524,103 @@
')
optional_policy(`
@ -21909,7 +21975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.6/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.6/policy/modules/system/init.if 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/init.if 2008-02-04 12:02:32.000000000 -0500
@@ -211,6 +211,13 @@
kernel_dontaudit_use_fds($1)
')
@ -22077,7 +22143,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
@@ -1252,7 +1289,7 @@
@@ -1097,6 +1134,25 @@
########################################
## <summary>
+## Read init script temporary data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
+')
+
+########################################
+## <summary>
## Create files in a init script
## temporary data directory.
## </summary>
@@ -1252,7 +1308,7 @@
type initrc_var_run_t;
')
@ -22086,7 +22178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
@@ -1273,3 +1310,92 @@
@@ -1273,3 +1329,92 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
@ -22181,7 +22273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/init.te 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/init.te 2008-02-04 11:10:57.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@ -23045,7 +23137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.6/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if 2008-02-01 16:01:42.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if 2008-02-04 08:26:35.000000000 -0500
@@ -489,3 +489,44 @@
manage_lnk_files_pattern($1,locale_t,locale_t)
')
@ -25015,7 +25107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/userdomain.if 2008-02-01 22:19:29.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/userdomain.if 2008-02-04 08:23:21.000000000 -0500
@@ -29,9 +29,14 @@
')
@ -28179,8 +28271,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 17:10:42.000000000 -0500
@@ -0,0 +1,135 @@
+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-04 11:23:06.000000000 -0500
@@ -0,0 +1,137 @@
+
+policy_module(virt,1.0.0)
+
@ -28256,10 +28348,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
+
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+files_trans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+corenet_all_recvfrom_unlabeled(virtd_t)
+corenet_all_recvfrom_netlabel(virtd_t)
@ -28699,8 +28793,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
+## <summary>Policy for staff user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-01 16:01:42.000000000 -0500
@@ -0,0 +1,47 @@
+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-04 08:26:47.000000000 -0500
@@ -0,0 +1,51 @@
+policy_module(staff,1.0.1)
+userdom_unpriv_user_template(staff)
+
@ -28708,6 +28802,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+userdom_role_change_template(staff, sysadm)
+userdom_dontaudit_use_sysadm_terms(staff_t)
+
+allow $staff_t self:capability sys_nice;
+
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+
@ -28716,6 +28812,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+modutils_read_module_config(staff_t)
+modutils_read_module_deps(staff_t)
+
+miscfiles_read_hwdata(staff_t)
+
+sudo_per_role_template(staff, staff_t, staff_r)
+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
+
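Review bot: `allow $staff_t self:capability sys_nice;` in the staff.te hunk carries a stray `$` that m4 passes through untouched, so checkpolicy will reject the rule as a syntax error; it should read `allow staff_t self:capability sys_nice;`. The new `xserver_ptrace_xdm` interface in the xserver.if hunk documents its parameter as `Domain to not audit` although the body emits an `allow $1 xdm_t:process ptrace;` rule; `## Domain allowed access.` describes what it grants, and the summary should make clear that the caller (consolekit_t here) gains ptrace over the display-manager domain, which is a strong privilege to hand out. The `files_read_all_tmp_files(system_mail_t)` and `files_read_all_tmp_files(sendmail_t)` additions in the mta.te and sendmail.te hunks let the mail domains read every domain's temporary files; if the need is one specific caller's tmp type, a per-type read interface would keep the grant narrow, and the broad rule at least deserves a comment naming what it is for. The consolekit.fc hunk labels `/var/log/ConsoleKit(/.*)?` with `consolekit_var_run_t`, a pid-file type, so these log files fall outside the log-file types that logging and logrotate policy operate on; a dedicated log type would be the conventional fix, though it is not certain from this page which revision of the patch introduced that line.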