Fri Nov 30 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-1

- Remove user based home directory separation
2007-12-03 00:15:23 +00:00 · 2007-12-03 00:15:23 +00:00 · 3b47cb03b7
commit 3b47cb03b7
parent 9186dc57d9
2 changed files with 365 additions and 165 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -2404,6 +2404,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
 +optional_policy(`
 +		xserver_xdm_rw_shm(java_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.1/policy/modules/apps/loadkeys.te
 --- nsaserefpolicy/policy/modules/apps/loadkeys.te	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.2.1/policy/modules/apps/loadkeys.te	2007-12-01 08:16:19.000000000 -0500
@@ -44,3 +44,5 @@
 optional_policy(`
 	nscd_dontaudit_search_pid(loadkeys_t)
 ')
 +
 +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.1/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-01-02 12:57:22.000000000 -0500
 +++ serefpolicy-3.2.1/policy/modules/apps/mono.if	2007-11-30 11:23:56.000000000 -0500
@ -3840,7 +3849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/files.if	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/kernel/files.if	2007-12-01 06:48:16.000000000 -0500
@@ -1266,6 +1266,24 @@
 ########################################
@ -3944,7 +3953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.1/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/filesystem.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/kernel/filesystem.te	2007-12-01 08:42:02.000000000 -0500
@@ -25,6 +25,8 @@
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@ -3954,6 +3963,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -135,6 +137,11 @@
 genfscon squash / gen_context(system_u:object_r:squash_t,s0)
 files_mountpoint(squash_t)
 +type vmblock_t;
 +fs_noxattr_type(vmblock_t)
 +files_mountpoint(vmblock_t)
 +genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
 +
 type vxfs_t;
 fs_noxattr_type(vxfs_t)
 files_mountpoint(vxfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.1/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.2.1/policy/modules/kernel/kernel.if	2007-11-30 11:30:39.000000000 -0500
@ -5131,8 +5152,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.1/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-09-05 15:24:44.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/clamav.fc	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/clamav.fc	2007-12-01 07:49:02.000000000 -0500
-@@ -13,8 +13,7 @@
+@@ -5,16 +5,18 @@
 /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
 /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
 +/usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
 /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
 +/var/run/clamav-milter(/.*)?		gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
@ -5140,11 +5171,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 -/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
 +/var/log/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
 +/var/log/clamav.milter		--	gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.1/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/clamav.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/clamav.te	2007-12-01 08:04:25.000000000 -0500
@@ -87,6 +87,7 @@
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
@ -5153,7 +5185,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
-@@ -127,6 +128,10 @@
+@@ -120,6 +121,8 @@
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
 +mta_read_config(clamd_t)
 +
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
 	amavis_read_spool_files(clamd_t)
@@ -127,6 +130,10 @@
 	amavis_create_pid_files(clamd_t)
 ')
@ -5164,7 +5205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 ########################################
 #
 # Freshclam local policy
-@@ -233,3 +238,7 @@
+@@ -233,3 +240,7 @@
 optional_policy(`
 	apache_read_sys_content(clamscan_t)
 ')
@ -5803,8 +5844,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/cups.te	2007-11-30 11:25:57.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/cups.te	2007-12-02 18:58:51.000000000 -0500
-@@ -48,9 +48,7 @@
+@@ -1,5 +1,5 @@
 -policy_module(cups,1.8.2)
 +policy_module(cups,1.4.1)
 ########################################
 #
@@ -43,14 +43,12 @@
 type cupsd_var_run_t;
 files_pid_file(cupsd_var_run_t)
 -mls_trusted_object(cupsd_var_run_t)
 type hplip_t;
 type hplip_exec_t;
 init_daemon_domain(hplip_t,hplip_exec_t)
@ -5812,27 +5865,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 -type hplip_etc_t;
 -files_config_file(hplip_etc_t)
 +domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t)
 +domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
 type hplip_var_run_t;
 files_pid_file(hplip_var_run_t)
-@@ -81,14 +79,14 @@
+@@ -71,6 +69,8 @@
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
 +
 +	mls_trusted_object(cupsd_var_run_t)
 ')
 ########################################
@@ -81,12 +81,12 @@
 # /usr/lib/cups/backend/serial needs sys_admin(?!)
 allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 -allow cupsd_t self:process { setsched signal_perms };
 -allow cupsd_t self:fifo_file rw_file_perms;
 +allow cupsd_t self:process { setpgid setsched signal_perms };
- allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
 -allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
 +allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:tcp_socket create_stream_socket_perms;
 allow cupsd_t self:udp_socket create_socket_perms;
 +allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:appletalk_socket create_socket_perms;
- # generic socket here until appletalk socket is available in kernels
+@@ -105,7 +105,7 @@
 allow cupsd_t self:socket create_socket_perms;
@@ -105,7 +103,7 @@
 # allow cups to execute its backend scripts
 can_exec(cupsd_t, cupsd_exec_t)
@ -5841,7 +5903,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 allow cupsd_t cupsd_exec_t:lnk_file read;
 manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -122,13 +120,14 @@
+@@ -117,13 +117,19 @@
 manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 +# This whole section needs to be moved to a smbspool policy
 +# smbspool seems to be iterating through all existing tmp files.
 +# Looking for kerberos files
 +files_getattr_all_tmp_files(cupsd_t)
 +userdom_read_unpriv_users_tmp_files(cupsd_t)
 +files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
 +
 allow cupsd_t cupsd_var_run_t:dir setattr;
 manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
 files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
@ -5851,14 +5925,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 allow cupsd_t hplip_var_run_t:file { read getattr };
 stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
- allow cupsd_t ptal_var_run_t : sock_file setattr;
+@@ -133,8 +139,7 @@
 +auth_use_nsswitch(cupsd_t)
 +
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
-@@ -150,21 +149,26 @@
+ 
 -corenet_all_recvfrom_unlabeled(cupsd_t)
 -corenet_all_recvfrom_netlabel(cupsd_t)
 +corenet_non_ipsec_sendrecv(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
 corenet_udp_sendrecv_all_if(cupsd_t)
 corenet_raw_sendrecv_all_if(cupsd_t)
@@ -150,31 +155,39 @@
 corenet_tcp_bind_reserved_port(cupsd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
@ -5884,18 +5961,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
- mls_file_write_all_levels(cupsd_t)
+-mls_file_write_all_levels(cupsd_t)
- mls_file_read_all_levels(cupsd_t)
+-mls_file_read_all_levels(cupsd_t)
-@@ -173,6 +177,8 @@
+mls_file_write_down(cupsd_t)
 +mls_file_read_up(cupsd_t)
 +mls_rangetrans_target(cupsd_t)
 mls_socket_write_all_levels(cupsd_t)
 term_use_unallocated_ttys(cupsd_t)
 term_search_ptys(cupsd_t)
 +auth_use_nsswitch(cupsd_t)
 +
 auth_domtrans_chk_passwd(cupsd_t)
 +auth_domtrans_upd_passwd_chk(cupsd_t)
 auth_dontaudit_read_pam_pid(cupsd_t)
 +auth_rw_faillog(cupsd_t)
-@@ -187,7 +193,7 @@
+ # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
 corecmd_exec_shell(cupsd_t)
@@ -187,7 +200,7 @@
 # read python modules
 files_read_usr_files(cupsd_t)
 # for /var/lib/defoma
@ -5904,7 +5987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
-@@ -196,12 +202,9 @@
+@@ -196,15 +209,14 @@
 files_read_var_symlinks(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
@ -5918,7 +6001,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 init_exec_script_files(cupsd_t)
-@@ -221,17 +224,38 @@
+auth_use_nsswitch(cupsd_t)
 +
 libs_use_ld_so(cupsd_t)
 libs_use_shared_libs(cupsd_t)
 # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
@@ -221,14 +233,37 @@
 sysnet_read_config(cupsd_t)
@ -5932,9 +6020,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ifdef(`enable_mls',`
 	lpd_relabel_spool(cupsd_t)
- ')
+
- 
+	mls_trusted_object(cupsd_var_run_t)
- optional_policy(`
+	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
 +')
 +
 +optional_policy(`
 +	avahi_dbus_chat(cupsd_t)
 +')
 +
@ -5942,7 +6033,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +	init_stream_connect_script(cupsd_t)
 +
 +	unconfined_rw_pipes(cupsd_t)
 +	unconfined_rw_stream_sockets(cupsd_t)
 +
 +	optional_policy(`
 +		init_dbus_chat_script(cupsd_t)
@ -5951,45 +6041,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +
 +		dbus_stub(cupsd_t)
 +	')
 +')
 +
 +optional_policy(`
 	apm_domtrans_client(cupsd_t)
 ')
-@@ -262,16 +286,16 @@
+ optional_policy(`
@@ -241,6 +276,7 @@
 optional_policy(`
 	dbus_system_bus_client_template(cupsd,cupsd_t)
 +	dbus_send_system_bus(cupsd_t)
 	userdom_dbus_send_all_users(cupsd_t)
@@ -262,7 +298,7 @@
 ')
 optional_policy(`
 -	nscd_socket_use(cupsd_t)
-')
+	mta_send_mail(cupsd_t)
 -
 -optional_policy(`
 	# cups execs smbtool which reads samba_etc_t files
 	samba_read_config(cupsd_t)
 	samba_rw_var_files(cupsd_t)
 ')
 optional_policy(`
-+	mta_send_mail(cupsd_t)
+@@ -319,8 +355,7 @@
-+')
+ kernel_read_system_state(cupsd_config_t)
-+
+ kernel_read_kernel_sysctls(cupsd_config_t)
 +optional_policy(`
 	seutil_sigchld_newrole(cupsd_t)
 ')
-@@ -291,7 +315,9 @@
+-corenet_all_recvfrom_unlabeled(cupsd_config_t)
- allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+-corenet_all_recvfrom_netlabel(cupsd_config_t)
- allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+corenet_non_ipsec_sendrecv(cupsd_config_t)
- allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
+ corenet_tcp_sendrecv_all_if(cupsd_config_t)
-allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
+ corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
-+
+ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
-+allow cupsd_config_t hplip_exec_t:file read_file_perms;
+@@ -330,11 +365,13 @@
 +domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
 allow cupsd_config_t cupsd_t:process signal;
 ps_process_pattern(cupsd_config_t,cupsd_t)
@@ -330,6 +356,7 @@
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
 dev_read_rand(cupsd_config_t)
@ -5997,31 +6079,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
@@ -354,6 +381,8 @@
- logging_send_syslog_msg(cupsd_config_t)
+ corecmd_exec_bin(cupsd_config_t)
 +corecmd_exec_sbin(cupsd_config_t)
 corecmd_exec_shell(cupsd_config_t)
-+auth_use_nsswitch(cupsd_config_t)
+ domain_use_interactive_fds(cupsd_config_t)
-+
+@@ -376,12 +413,17 @@
 miscfiles_read_localization(cupsd_config_t)
 seutil_dontaudit_search_config(cupsd_config_t)
@@ -376,6 +405,14 @@
 ')
 optional_policy(`
 +	term_use_generic_ptys(cupsd_config_t)
 +')
 +
 +optional_policy(`
 +	unconfined_rw_pipes(cupsd_config_t)
 +')
 +
 +optional_policy(`
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
-@@ -391,6 +428,7 @@
+ optional_policy(`
 	dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
 	dbus_connect_system_bus(cupsd_config_t)
 +	dbus_send_system_bus(cupsd_config_t)
 	optional_policy(`
 		hal_dbus_chat(cupsd_config_t)
@@ -391,6 +433,7 @@
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
@ -6029,30 +6111,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 optional_policy(`
-@@ -402,14 +440,6 @@
+@@ -461,8 +504,7 @@
- ')
+ kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)
- optional_policy(`
+-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
-	nis_use_ypbind(cupsd_config_t)
+-corenet_all_recvfrom_netlabel(cupsd_lpd_t)
-')
+corenet_non_ipsec_sendrecv(cupsd_lpd_t)
-
+ corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
-optional_policy(`
+ corenet_udp_sendrecv_all_if(cupsd_lpd_t)
-	nscd_socket_use(cupsd_config_t)
+ corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
-')
+@@ -480,6 +522,8 @@
 -
 -optional_policy(`
 	rpm_read_db(cupsd_config_t)
 ')
@@ -430,7 +460,6 @@
 allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
 allow cupsd_lpd_t self:udp_socket create_socket_perms;
 -allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
 # for identd
 # cjp: this should probably only be inetd_child rules?
@@ -480,6 +509,8 @@
 files_read_etc_files(cupsd_lpd_t)
@ -6061,7 +6130,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 libs_use_ld_so(cupsd_lpd_t)
 libs_use_shared_libs(cupsd_lpd_t)
-@@ -495,14 +526,6 @@
+@@ -487,22 +531,12 @@
 miscfiles_read_localization(cupsd_lpd_t)
 -sysnet_read_config(cupsd_lpd_t)
 -
 cups_stream_connect(cupsd_lpd_t)
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
 ')
@ -6076,8 +6153,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ########################################
 #
 # HPLIP local policy
-@@ -523,11 +546,9 @@
+@@ -520,14 +554,12 @@
- allow hplip_t cupsd_etc_t:dir search;
+ allow hplip_t self:udp_socket create_socket_perms;
 allow hplip_t self:rawip_socket create_socket_perms;
 -allow hplip_t cupsd_etc_t:dir search;
 +allow hplip_t cupsd_etc_t:dir search_dir_perms;
 cups_stream_connect(hplip_t)
 -
@ -6091,38 +6172,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
 files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -558,7 +579,9 @@
+@@ -535,8 +567,7 @@
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 -corenet_all_recvfrom_unlabeled(hplip_t)
 -corenet_all_recvfrom_netlabel(hplip_t)
 +corenet_non_ipsec_sendrecv(hplip_t)
 corenet_tcp_sendrecv_all_if(hplip_t)
 corenet_udp_sendrecv_all_if(hplip_t)
 corenet_raw_sendrecv_all_if(hplip_t)
@@ -558,13 +589,15 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
 -dev_read_usbfs(hplip_t)
 +dev_rw_usbfs(hplip_t)
 +
 +lpd_read_spool(hplip_t)
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
-@@ -585,8 +608,6 @@
+ 
- userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
+ # for python
 corecmd_exec_bin(hplip_t)
 +corecmd_search_sbin(hplip_t)
 domain_use_interactive_fds(hplip_t)
@@ -586,6 +619,7 @@
 userdom_dontaudit_search_all_users_home_content(hplip_t)
-lpd_read_config(cupsd_t)
+ lpd_read_config(cupsd_t)
-
+lpd_manage_spool(hplip_t)
 optional_policy(`
 	seutil_sigchld_newrole(hplip_t)
- ')
+@@ -627,8 +661,7 @@
-@@ -666,3 +687,11 @@
+ kernel_list_proc(ptal_t)
- optional_policy(`
+ kernel_read_proc_symlinks(ptal_t)
- 	udev_read_db(ptal_t)
+ 
- ')
+-corenet_all_recvfrom_unlabeled(ptal_t)
-+
+-corenet_all_recvfrom_netlabel(ptal_t)
-+
+corenet_non_ipsec_sendrecv(ptal_t)
-+# This whole section needs to be moved to a smbspool policy
+ corenet_tcp_sendrecv_all_if(ptal_t)
-+# smbspool seems to be iterating through all existing tmp files.
+ corenet_tcp_sendrecv_all_nodes(ptal_t)
-+# Looking for kerberos files
+ corenet_tcp_sendrecv_all_ports(ptal_t)
 +files_getattr_all_tmp_files(cupsd_t)
 +userdom_read_unpriv_users_tmp_files(cupsd_t)
 +files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.1/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-11-15 13:40:14.000000000 -0500
 +++ serefpolicy-3.2.1/policy/modules/services/cvs.te	2007-11-30 11:23:56.000000000 -0500
@ -7527,7 +7621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ## <summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.1/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/mta.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/mta.te	2007-12-01 07:56:06.000000000 -0500
@@ -6,6 +6,8 @@
 # Declarations
 #
@ -7545,7 +7639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 mta_base_mail_template(system)
 role system_r types system_mail_t;
-@@ -40,27 +43,38 @@
+@@ -40,27 +43,40 @@
 allow system_mail_t self:capability { dac_override };
 read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
@ -7559,6 +7653,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 dev_read_urand(system_mail_t)
 +fs_rw_anon_inodefs_files(system_mail_t)
 +
 +selinux_getattr_fs(system_mail_t)
 +
 init_use_script_ptys(system_mail_t)
@ -7584,7 +7680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ')
 optional_policy(`
-@@ -73,6 +87,7 @@
+@@ -73,6 +89,7 @@
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
@ -7592,7 +7688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 	cron_dontaudit_write_pipes(system_mail_t)
 ')
-@@ -81,6 +96,11 @@
+@@ -81,6 +98,11 @@
 ')
 optional_policy(`
@ -7604,6 +7700,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 	logrotate_read_tmp_files(system_mail_t)
 ')
@@ -136,6 +158,14 @@
 ')
 optional_policy(`
 +	clamav_stream_connect(sendmail_t)
 +')
 +
 +optional_policy(`
 +	spamd_stream_connect(system_mail_t)
 +')
 +
 +optional_policy(`
 	smartmon_read_tmp_files(system_mail_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.1/policy/modules/services/mysql.fc
 --- nsaserefpolicy/policy/modules/services/mysql.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.1/policy/modules/services/mysql.fc	2007-11-30 11:23:56.000000000 -0500
@ -9268,9 +9379,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
 	unconfined_shell_domtrans(rshd_t)
 +	unconfined_signal(rshd_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.1/policy/modules/services/rsync.fc
 --- nsaserefpolicy/policy/modules/services/rsync.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.2.1/policy/modules/services/rsync.fc	2007-12-01 08:07:48.000000000 -0500
@@ -1,2 +1,4 @@
 /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
 +
 +/var/log/rsync.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.1/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/rsync.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/rsync.te	2007-12-01 08:08:40.000000000 -0500
@@ -8,7 +8,7 @@
 ## <desc>
@ -9289,7 +9408,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 ## </p>
 ## </desc>
 gen_tunable(allow_rsync_anon_write,false)
-@@ -41,7 +41,7 @@
+@@ -30,6 +30,9 @@
 type rsync_data_t;
 files_type(rsync_data_t)
 +type rsync_log_t;
 +logging_log_file(rsync_log_t)
 +
 type rsync_tmp_t;
 files_tmp_file(rsync_tmp_t)
@@ -41,7 +44,7 @@
 # Local policy
 #
@ -9298,7 +9427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
 allow rsync_t self:tcp_socket create_stream_socket_perms;
-@@ -51,7 +51,6 @@
+@@ -51,7 +54,6 @@
 # cjp: this should probably only be inetd_child_t rules?
 # search home and kerberos also.
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@ -9306,7 +9435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 #end for identd
 allow rsync_t rsync_data_t:dir list_dir_perms;
-@@ -65,8 +64,6 @@
+@@ -65,8 +67,6 @@
 manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
 files_pid_filetrans(rsync_t,rsync_var_run_t,file)
@ -9315,7 +9444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
-@@ -90,6 +87,8 @@
+@@ -90,11 +90,14 @@
 files_read_etc_files(rsync_t)
 files_search_home(rsync_t)
@ -9324,7 +9453,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 libs_use_ld_so(rsync_t)
 libs_use_shared_libs(rsync_t)
-@@ -116,7 +115,6 @@
+ logging_send_syslog_msg(rsync_t)
 -logging_dontaudit_search_logs(rsync_t)
 +manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
 +logging_log_filetrans(rsync_t,rsync_log_t,file)
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
@@ -116,7 +119,6 @@
 ')
 tunable_policy(`rsync_export_all_ro',`
@ -10066,7 +10202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.1/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/sendmail.te	2007-11-30 11:38:03.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/sendmail.te	2007-12-01 07:43:47.000000000 -0500
@@ -20,19 +20,22 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
@ -10101,7 +10237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
 corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -94,30 +99,33 @@
+@@ -94,30 +99,34 @@
 miscfiles_read_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
@ -10133,6 +10269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 optional_policy(`
 -	nis_use_ypbind(sendmail_t)
 +	cyrus_stream_connect(sendmail_t)
 +	clamav_stream_connect(sendmail_t)
 ')
 optional_policy(`
@ -10141,36 +10278,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 ')
 optional_policy(`
-@@ -135,6 +143,10 @@
+@@ -135,24 +144,25 @@
 ')
 optional_policy(`
 +	sasl_connect(sendmail_t)
 +')
 +
 +optional_policy(`
 +	spamd_stream_connect(sendmail_t)
 +')
 +
 +optional_policy(`
 	udev_read_db(sendmail_t)
 ')
-@@ -156,3 +168,15 @@
+-ifdef(`TODO',`
- 
+-allow sendmail_t etc_mail_t:dir rw_dir_perms;
- dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+-allow sendmail_t etc_mail_t:file manage_file_perms;
- ') dnl end TODO
+-# for the start script to run make -C /etc/mail
-+
+-allow initrc_t etc_mail_t:dir rw_dir_perms;
 -allow initrc_t etc_mail_t:file manage_file_perms;
 -allow system_mail_t initrc_t:fd use;
 -allow system_mail_t initrc_t:fifo_file write;
 -
 -# When sendmail runs as user_mail_domain, it needs some extra permissions
 -# to update /etc/mail/statistics.
 -allow user_mail_domain etc_mail_t:file rw_file_perms;
 +########################################
 +#
 +# Unconfined sendmail local policy 
 +# Allow unconfined domain to run newalias and have transitions work
 +#
-+
+ 
 -# Silently deny attempts to access /root.
 -dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
 +optional_policy(`
 +	mta_etc_filetrans_aliases(unconfined_sendmail_t)
 +	unconfined_domain(unconfined_sendmail_t)
 +')
-+
+ 
 -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te	2007-11-30 11:30:59.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te	2007-12-02 19:04:59.000000000 -0500
@@ -27,8 +27,8 @@
 # setroubleshootd local policy
 #
 -allow setroubleshootd_t self:capability { dac_override sys_tty_config };
 -allow setroubleshootd_t self:process { signull signal getattr getsched };
 +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
 +allow setroubleshootd_t self:process { getattr getsched  setsched sigkill signull signal };
 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52,7 +52,9 @@
 kernel_read_kernel_sysctls(setroubleshootd_t)
@ -10181,6 +10344,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
@@ -73,7 +75,7 @@
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
 -files_getattr_all_dirs(setroubleshootd_t)
 +files_list_all(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
 fs_getattr_all_dirs(setroubleshootd_t)
@@ -110,6 +112,7 @@
 optional_policy(`
 	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
@ -10292,7 +10464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.1/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.if	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.if	2007-12-01 07:44:50.000000000 -0500
@@ -38,6 +38,8 @@
 	gen_require(`
 		type spamc_exec_t, spamassassin_exec_t;
@ -10396,9 +10568,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 	kernel_read_kernel_sysctls($1_spamassassin_t)
@@ -528,3 +526,21 @@
 	dontaudit $1 spamd_tmp_t:sock_file getattr;
 ')
 +
 +########################################
 +## <summary>
 +##	Connect to run spamd.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to connect.
 +##	</summary>
 +## </param>
 +#
 +interface(`spamd_stream_connect',`
 +	gen_require(`
 +		type spamd_t, spamd_var_run_t;
 +	')
 +
 +	stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.1/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.te	2007-11-30 11:23:56.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.te	2007-12-01 07:44:33.000000000 -0500
@@ -44,6 +44,15 @@
 type spamassassin_exec_t;
 application_executable_file(spamassassin_exec_t)
@ -10415,7 +10609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 ########################################
 #
 # Spamassassin daemon local policy
-@@ -81,7 +90,7 @@
+@@ -81,10 +90,11 @@
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@ -10424,7 +10618,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-@@ -150,10 +159,12 @@
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 kernel_read_all_sysctls(spamd_t)
@@ -150,10 +160,12 @@
 userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
 tunable_policy(`use_nfs_home_dirs',`
@ -11548,7 +11746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/xserver.te	2007-11-30 13:33:41.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/xserver.te	2007-12-01 06:51:49.000000000 -0500
@@ -16,6 +16,13 @@
 ## <desc>
@ -11626,12 +11824,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
-@@ -132,15 +166,20 @@
+@@ -132,15 +166,21 @@
 manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 +fs_rw_tmpfs_files(xdm_xserver_t)
 +fs_getattr_all_fs(xdm_t)
 +fs_search_inotifyfs(xdm_t)
 manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)	
 manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
@ -11648,7 +11847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -185,6 +224,7 @@
+@@ -185,6 +225,7 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
@ -11656,7 +11855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
-@@ -197,6 +237,7 @@
+@@ -197,6 +238,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
@ -11664,7 +11863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
-@@ -209,8 +250,8 @@
+@@ -209,8 +251,8 @@
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
@ -11675,7 +11874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 dev_getattr_power_mgmt_dev(xdm_t)
 dev_setattr_power_mgmt_dev(xdm_t)
-@@ -246,6 +287,7 @@
+@@ -246,6 +288,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -11683,7 +11882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
-@@ -257,12 +299,11 @@
+@@ -257,12 +300,11 @@
 libs_exec_lib_files(xdm_t)
 logging_read_generic_logs(xdm_t)
@ -11697,7 +11896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -271,6 +312,10 @@
+@@ -271,6 +313,10 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -11708,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -306,6 +351,11 @@
+@@ -306,6 +352,11 @@
 optional_policy(`
 	consolekit_dbus_chat(xdm_t)
@ -11720,7 +11919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 optional_policy(`
-@@ -323,6 +373,10 @@
+@@ -323,6 +374,10 @@
 ')
 optional_policy(`
@ -11731,7 +11930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	loadkeys_exec(xdm_t)
 ')
-@@ -336,10 +390,6 @@
+@@ -336,10 +391,6 @@
 ')
 optional_policy(`
@ -11742,7 +11941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -348,8 +398,8 @@
+@@ -348,8 +399,8 @@
 ')
 optional_policy(`
@ -11752,7 +11951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -385,7 +435,7 @@
+@@ -385,7 +436,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -11761,7 +11960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -397,6 +447,15 @@
+@@ -397,6 +448,15 @@
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 files_search_var_lib(xdm_xserver_t)
@ -11777,7 +11976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -409,6 +468,7 @@
+@@ -409,6 +469,7 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -11785,7 +11984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 xserver_use_all_users_fonts(xdm_xserver_t)
-@@ -425,6 +485,14 @@
+@@ -425,6 +486,14 @@
 ')
 optional_policy(`
@ -11800,7 +11999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
-@@ -434,47 +502,30 @@
+@@ -434,47 +503,30 @@
 ')
 optional_policy(`
@ -14758,7 +14957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/userdomain.if	2007-11-30 15:06:10.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/system/userdomain.if	2007-12-01 08:14:44.000000000 -0500
@@ -29,8 +29,9 @@
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -379,6 +379,7 @@ exit 0
 %endif
 %changelog
 * Sun Dec 2 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-2
 * Fri Nov 30 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-1
 - Remove user based home directory separation