- Add pulseaudio context

2009-03-09 21:17:23 +00:00 · 2009-03-09 21:17:23 +00:00 · 46b5649f90
commit 46b5649f90
parent 0c34c69a38
4 changed files with 403 additions and 41 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -1273,6 +1273,13 @@ squid = module
 # 
 ssh = base
 # Layer: services
 # Module: sssd
 #
 # System Security Services Daemon
 # 
 sssd = module
 # Layer: kernel
 # Module: storage
 #
--- a/modules-mls.conf
+++ b/modules-mls.conf
@ -1266,6 +1266,13 @@ squid = module
 # 
 ssh = base
 # Layer: services
 # Module: sssd
 #
 # System Security Services Daemon
 # 
 sssd = module
 # Layer: kernel
 # Module: storage
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1273,6 +1273,13 @@ squid = module
 # 
 ssh = base
 # Layer: services
 # Module: sssd
 #
 # System Security Services Daemon
 # 
 sssd = module
 # Layer: kernel
 # Module: storage
 #
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -3553,8 +3553,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if	2009-03-08 08:48:02.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if	2009-03-09 16:50:20.000000000 -0400
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,86 @@
 +
 +## <summary>policy for pulseaudio</summary>
 +
@ -3631,19 +3631,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	ps_process_pattern($2, pulseaudio_t)
 +
 +	allow pulseaudio_t $2:process { signal signull };
 +	allow $2 pulseaudio_t:process { signal signull };
 +	ps_process_pattern(pulseaudio_t, $2)
 +
 +	allow pulseaudio_t $2:unix_stream_socket connectto;
 +	allow $2 pulseaudio_t:unix_stream_socket connectto;
 +
-+	userdom_manage_home_role($1, $2)
+	userdom_manage_home_role($1, pulseaudio_t)
-+	userdom_manage_tmp_role($1, $2)
+	userdom_manage_tmp_role($1, pulseaudio_t)
-+	userdom_manage_tmpfs_role($1, $2)
+	userdom_manage_tmpfs_role($1, pulseaudio_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te	2009-03-08 08:48:02.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te	2009-03-09 16:49:50.000000000 -0400
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,88 @@
 +policy_module(pulseaudio,1.0.0)
 +
 +########################################
@ -3687,10 +3688,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_read_usr_files(pulseaudio_t)
 +
 +fs_rw_anon_inodefs_files(pulseaudio_t)
 +fs_getattr_tmpfs(pulseaudio_t)
 +
 +term_use_all_user_ttys(pulseaudio_t)
 +term_use_all_user_ptys(pulseaudio_t)
 +
 +auth_use_nsswitch(pulseaudio_t)
 +
 +miscfiles_read_localization(pulseaudio_t)
 +
 +logging_send_syslog_msg(pulseaudio_t)
@ -3718,6 +3722,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	xserver_common_app(pulseaudio_t)
 +	xserver_read_xdm_pid(pulseaudio_t)
 +	xserver_stream_connect(pulseaudio_t)
 +')
 +
 +tunable_policy(`pulseaudio_network',`
@ -3726,6 +3732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#FALSE
 +')
 +
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.8/policy/modules/apps/qemu.fc
 --- nsaserefpolicy/policy/modules/apps/qemu.fc	2008-08-07 11:15:02.000000000 -0400
 +++ serefpolicy-3.6.8/policy/modules/apps/qemu.fc	2009-03-07 12:11:40.000000000 -0500
@ -12684,7 +12691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.8/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/hal.if	2009-03-09 12:17:13.000000000 -0400
+++ serefpolicy-3.6.8/policy/modules/services/hal.if	2009-03-09 16:17:22.000000000 -0400
@@ -20,6 +20,24 @@
 ########################################
@ -12777,7 +12784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +interface(`hal_create_log',`
 +	gen_require(`
-+		type hald_logd_t;
+		type hald_log_t;
 +	')
 +
 +	# log files for hald
@ -21256,6 +21263,328 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.8/policy/modules/services/sssd.fc
 --- nsaserefpolicy/policy/modules/services/sssd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/services/sssd.fc	2009-03-09 15:47:38.000000000 -0400
@@ -0,0 +1,6 @@
 +
 +/usr/sbin/sssd	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 +
 +/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 +/var/run/sssd.pid		--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/lib/sss(/.*)?			gen_context(system_u:object_r:sssd_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.8/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/services/sssd.if	2009-03-09 15:49:56.000000000 -0400
@@ -0,0 +1,249 @@
 +
 +## <summary>policy for sssd</summary>
 +
 +########################################
 +## <summary>
 +##	Execute a domain transition to run sssd.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`sssd_domtrans',`
 +	gen_require(`
 +		type sssd_t;
 +                type sssd_exec_t;
 +	')
 +
 +	domtrans_pattern($1,sssd_exec_t,sssd_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Execute sssd server in the sssd domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	The type of the process performing this action.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_initrc_domtrans',`
 +	gen_require(`
 +		type sssd_initrc_exec_t;
 +	')
 +
 +	init_labeled_script_domtrans($1,sssd_initrc_exec_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read sssd PID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_read_pid_files',`
 +	gen_require(`
 +		type sssd_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	allow $1 sssd_var_run_t:file read_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Manage sssd var_run files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_manage_var_run',`
 +	gen_require(`
 +		type sssd_var_run_t;
 +	')
 +
 +         manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t)
 +         manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
 +         manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Search sssd lib directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_search_lib',`
 +	gen_require(`
 +		type sssd_var_lib_t;
 +	')
 +
 +	allow $1 sssd_var_lib_t:dir search_dir_perms;
 +	files_search_var_lib($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Read sssd lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_read_lib_files',`
 +	gen_require(`
 +		type sssd_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +        read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Create, read, write, and delete
 +##	sssd lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_manage_lib_files',`
 +	gen_require(`
 +		type sssd_var_lib_t;
 +	')
 +
 +	files_search_var_lib($1)
 +        manage_files_pattern($1, sssd_var_lib_t,  sssd_var_lib_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Manage sssd var_lib files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_manage_var_lib',`
 +	gen_require(`
 +		type sssd_var_lib_t;
 +	')
 +
 +         manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
 +         manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
 +         manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Send and receive messages from
 +##	sssd over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_dbus_chat',`
 +	gen_require(`
 +		type sssd_t;
 +		class dbus send_msg;
 +	')
 +
 +	allow $1 sssd_t:dbus send_msg;
 +	allow sssd_t $1:dbus send_msg;
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Connect to sssd over an unix stream socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`sssd_stream_connect',`
 +	gen_require(`
 +		type sssd_t, sssd_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	allow $1 sssd_var_run_t:sock_file write;
 +	allow $1 sssd_t:unix_stream_socket connectto;
 +')
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate 
 +##	an sssd environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	The role to be allowed to manage the sssd domain.
 +##	</summary>
 +## </param>
 +## <param name="terminal">
 +##	<summary>
 +##	The type of the user terminal.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`sssd_admin',`
 +	gen_require(`
 +		type sssd_t;
 +	')
 +
 +	allow $1 sssd_t:process { ptrace signal_perms getattr };
 +	read_files_pattern($1, sssd_t, sssd_t)
 +	        
 +
 +	gen_require(`
 +		type sssd_initrc_exec_t;
 +	')
 +
 +	# Allow sssd_t to restart the apache service
 +	sssd_initrc_domtrans($1)
 +	domain_system_change_exemption($1)
 +	role_transition $2 sssd_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
 +	sssd_manage_var_run($1)
 +
 +	sssd_manage_var_lib($1)
 +
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.8/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.8/policy/modules/services/sssd.te	2009-03-09 15:47:36.000000000 -0400
@@ -0,0 +1,55 @@
 +policy_module(sssd,1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type sssd_t;
 +type sssd_exec_t;
 +init_daemon_domain(sssd_t, sssd_exec_t)
 +
 +permissive sssd_t;
 +
 +type sssd_initrc_exec_t;
 +init_script_file(sssd_initrc_exec_t)
 +
 +type sssd_var_run_t;
 +files_pid_file(sssd_var_run_t)
 +
 +type sssd_var_lib_t;
 +files_type(sssd_var_lib_t)
 +
 +########################################
 +#
 +# sssd local policy
 +#
 +
 +# Init script handling
 +domain_use_interactive_fds(sssd_t)
 +
 +# internal communication is often done using fifo and unix sockets.
 +allow sssd_t self:fifo_file rw_file_perms;
 +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +manage_dirs_pattern(sssd_t, sssd_var_run_t,  sssd_var_run_t)
 +manage_files_pattern(sssd_t, sssd_var_run_t,  sssd_var_run_t)
 +files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })
 +
 +manage_dirs_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 +manage_files_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 +manage_sock_files_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 +files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
 +
 +corecmd_exec_bin(sssd_t)
 +
 +dev_read_urand(sssd_t)
 +
 +files_read_etc_files(sssd_t)
 +
 +miscfiles_read_localization(sssd_t)
 +
 +optional_policy(`
 +	dbus_system_bus_client(sssd_t)
 +	dbus_connect_system_bus(sssd_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.8/policy/modules/services/stunnel.fc
 --- nsaserefpolicy/policy/modules/services/stunnel.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.8/policy/modules/services/stunnel.fc	2009-03-07 12:11:40.000000000 -0500
@ -22706,7 +23035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/services/xserver.te	2009-03-07 12:11:40.000000000 -0500
+++ serefpolicy-3.6.8/policy/modules/services/xserver.te	2009-03-09 16:07:15.000000000 -0400
@@ -34,6 +34,13 @@
 ## <desc>
@ -23121,7 +23450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	hostname_exec(xdm_t)
 ')
-@@ -542,6 +639,19 @@
+@@ -542,6 +639,23 @@
 ')
 optional_policy(`
@ -23130,6 +23459,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	polkit_read_reload(xdm_t)
 +')
 +
 +optional_policy(`
 +	pulseaudio_role(system_r, xdm_t)
 +')
 +
 +# On crash gdm execs gdb to dump stack
 +optional_policy(`
 +	rpm_exec(xdm_t)
@ -23141,7 +23474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -550,8 +660,9 @@
+@@ -550,8 +664,9 @@
 ')
 optional_policy(`
@ -23153,7 +23486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +671,6 @@
+@@ -560,7 +675,6 @@
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
 	')
@ -23161,7 +23494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +681,10 @@
+@@ -571,6 +685,10 @@
 ')
 optional_policy(`
@ -23172,7 +23505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
-@@ -587,7 +701,7 @@
+@@ -587,7 +705,7 @@
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -23181,7 +23514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +716,11 @@
+@@ -602,9 +720,11 @@
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -23193,7 +23526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -622,7 +738,7 @@
+@@ -622,7 +742,7 @@
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@ -23202,7 +23535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +751,19 @@
+@@ -635,9 +755,19 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -23222,7 +23555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +806,14 @@
+@@ -680,9 +810,14 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -23237,7 +23570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +828,13 @@
+@@ -697,8 +832,13 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -23251,7 +23584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +856,7 @@
+@@ -720,6 +860,7 @@
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -23259,7 +23592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 modutils_domtrans_insmod(xserver_t)
-@@ -742,7 +879,7 @@
+@@ -742,7 +883,7 @@
 ')
 ifdef(`enable_mls',`
@ -23268,7 +23601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
-@@ -774,6 +911,10 @@
+@@ -774,6 +915,10 @@
 ')
 optional_policy(`
@ -23279,7 +23612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rhgb_getpgid(xserver_t)
 	rhgb_signal(xserver_t)
 ')
-@@ -806,7 +947,7 @@
+@@ -806,7 +951,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
@ -23288,7 +23621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +968,14 @@
+@@ -827,9 +972,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -23303,7 +23636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +990,14 @@
+@@ -844,11 +994,14 @@
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -23319,7 +23652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -856,6 +1005,11 @@
+@@ -856,6 +1009,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
@ -23331,7 +23664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -881,6 +1035,8 @@
+@@ -881,6 +1039,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -23340,7 +23673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1061,8 @@
+@@ -905,6 +1065,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -23349,7 +23682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1130,51 @@
+@@ -972,17 +1134,51 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -23559,7 +23892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/authlogin.if	2009-03-07 12:11:40.000000000 -0500
+++ serefpolicy-3.6.8/policy/modules/system/authlogin.if	2009-03-09 15:51:16.000000000 -0400
@@ -43,20 +43,38 @@
 interface(`auth_login_pgm_domain',`
 	gen_require(`
@ -23607,7 +23940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	init_rw_utmp($1)
-@@ -100,9 +119,38 @@
+@@ -100,11 +119,40 @@
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
@ -23627,9 +23960,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		optional_policy(`
 +			oddjob_dbus_chat($1)
 +			oddjob_domtrans_mkhomedir($1)
-+		')
+ 	')
-+	')
+ ')
-+
+ 
 +	optional_policy(`
 +		corecmd_exec_bin($1)
 +		storage_getattr_fixed_disk_dev($1)
@ -23638,16 +23971,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	optional_policy(`
 +		nis_authenticate($1)
- 	')
+	')
 +
 +	optional_policy(`
 +		ssh_agent_exec($1)
 +		userdom_read_user_home_content_files($1)
 +	')
 +
- ')
+')
- 
+
 ########################################
 ## <summary>
 ##	Use the login program as an entry point program.
@@ -197,8 +245,11 @@
 interface(`auth_domtrans_chk_passwd',`
 	gen_require(`
@ -23780,15 +24115,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		nis_use_ypbind($1)
 	')
-@@ -1307,6 +1413,7 @@
+@@ -1305,8 +1411,13 @@
 	')
 	optional_policy(`
 +		sssd_stream_connect($1)
 +	')
 +
 +	optional_policy(`
 		samba_stream_connect_winbind($1)
 		samba_read_var_files($1)
 +		samba_dontaudit_write_var_files($1)
 	')
 ')
-@@ -1341,3 +1448,99 @@
+@@ -1341,3 +1452,99 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -27942,7 +28283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/system/userdomain.if	2009-03-07 12:36:20.000000000 -0500
+++ serefpolicy-3.6.8/policy/modules/system/userdomain.if	2009-03-09 16:06:34.000000000 -0400
@@ -30,8 +30,9 @@
 	')