From 478aeeca6b319a390c0b02960eef6524ca071541 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 28 Mar 2008 21:09:45 +0000 Subject: [PATCH] - Additional access for nsplugin - Allow xdm setcap/getcap until pulseaudio is fixed --- policy-20071130.patch | 131 +++++++++++++++++++++++------------------- 1 file changed, 71 insertions(+), 60 deletions(-) diff --git a/policy-20071130.patch b/policy-20071130.patch index 43a34a22..1b3202ca 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1885,7 +1885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.3.1/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-02-19 23:24:26.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/admin/logrotate.te 2008-02-26 14:29:22.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/admin/logrotate.te 2008-03-28 10:55:06.000000000 +0100 @@ -96,9 +96,11 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) @@ -3042,7 +3042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 16:20:12.000000000 +0200 -+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-02-26 14:29:22.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-03-27 23:42:35.000000000 +0100 @@ -33,9 +33,60 @@ ## # 
@@ -4302,13 +4302,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.3.1/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-12-19 11:32:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te 2008-02-26 14:29:22.000000000 +0100 -@@ -44,3 +44,5 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te 2008-03-28 21:10:09.000000000 +0100 +@@ -44,3 +44,6 @@ optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) ') + +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) ++userdom_dontaudit_list_user_home_dirs(user, loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 18:57:22.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-03-03 14:24:51.000000000 +0100 @@ -5085,8 +5086,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc 2008-03-25 22:48:09.000000000 +0100 -@@ -0,0 +1,8 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.fc 2008-03-27 23:41:57.000000000 +0100 +@@ -0,0 +1,9 @@ + +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) 
@@ -5095,10 +5096,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:user_nsplugin_home_t,s0) ++HOME_DIR/\.local.* gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-25 06:36:27.000000000 +0100 -@@ -0,0 +1,352 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-28 08:16:42.000000000 +0100 +@@ -0,0 +1,351 @@ + +## policy for nsplugin + @@ -5273,7 +5275,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + dontaudit nsplugin_t $2:process ptrace; + + allow nsplugin_t $1_tmpfs_t:file { read getattr }; -+ + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; + @@ -5453,8 +5454,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-14 16:50:19.000000000 +0100 -@@ -0,0 +1,176 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-28 09:20:56.000000000 +0100 +@@ -0,0 +1,179 @@ + +policy_module(nsplugin,1.0.0) + 
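Review bot: The new `HOME_DIR/\.local.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)` entry labels the user's whole `~/.local` tree as user_nsplugin_home_t, and because it is written `\.local.*` rather than `\.local(/.*)?` like the `\.adobe` and `\.macromedia` entries above it, it also catches any other `~/.local*` name. Since nsplugin_t is given manage rights on that type in nsplugin.te (visible later in this commit), the plugin domain ends up able to create, rewrite and delete everything under `~/.local`, far more than the plugin's own cache. Narrow the pattern to the subdirectory the denials actually came from and anchor it in the neighbours' style, at minimum `HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)`; a one-line comment naming which plugin needs it would also help the next person who has to widen or shrink it.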
@@ -5508,9 +5509,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + +manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) ++exec_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) +manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t) +userdom_user_home_dir_filetrans(user, nsplugin_t, user_nsplugin_home_t, {file dir}) ++userdom_dontaudit_write_user_home_content_files(user, nsplugin_t) + +corecmd_exec_bin(nsplugin_t) +corecmd_exec_shell(nsplugin_t) @@ -5575,6 +5578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +optional_policy(` + gnome_exec_gconf(nsplugin_t) ++ gnome_manage_user_gnome_config(user, nsplugin_t) +') + +optional_policy(` @@ -12462,7 +12466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 17:02:50.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-03-04 16:11:49.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-03-27 23:55:52.000000000 +0100 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -12615,7 +12619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ######################################## -@@ -292,6 +307,59 @@ +@@ -292,6 +307,55 @@ ######################################## ## 
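Review bot: Adding `exec_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)` directly beneath `manage_files_pattern` on the same type lets nsplugin_t write a file into its home content and then execute it, which hands a compromised plugin an easy path to run and persist arbitrary native code out of the home directory, the thing this confinement domain exists to stop. The hunk gives no reason for the execute permission; if a specific plugin genuinely self-updates this way, gate it behind an off-by-default boolean and say so in a comment, otherwise drop the line and leave the denial audited. The `gnome_manage_user_gnome_config(user, nsplugin_t)` call in the following hunk likewise grants write access to the user's GNOME configuration and deserves at least a comment naming the plugin that needs it. The gen_tunable declaration below belongs in the declarations section of nsplugin.te, which is outside this hunk.

```selinux
## <desc>
## <p>Allow nsplugin to execute files it manages in the user home directory.</p>
## </desc>
gen_tunable(allow_nsplugin_exec_home, false)

# … unchanged: manage_dirs_pattern / manage_files_pattern / manage_lnk_files_pattern on user_nsplugin_home_t …

# Executing files the plugin wrote itself defeats the sandbox; only allow it
# when an administrator opts in.
tunable_policy(`allow_nsplugin_exec_home',`
	exec_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
')
```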
@@ -12634,10 +12638,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +## +# +template(`dbus_connectto_user_bus',` -+ gen_require(` -+ type $1_dbusd_t; -+ ') -+ + allow $2 $1_dbusd_t:unix_stream_socket connectto; +') + @@ -12675,7 +12675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +434,55 @@ +@@ -366,3 +430,55 @@ allow $1 system_dbusd_t:dbus *; ') @@ -14741,7 +14741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 14:17:58.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-03-21 23:49:34.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-03-28 10:45:08.000000000 +0100 @@ -8,6 +8,7 @@ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) @@ -14813,7 +14813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 11:32:17.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-21 23:50:19.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-28 08:16:08.000000000 +0100 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
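Review bot: Dropping the `gen_require(\` type $1_dbusd_t; ')` block from `dbus_connectto_user_bus` leaves the template's only rule, `allow $2 $1_dbusd_t:unix_stream_socket connectto;`, referencing a type the template no longer declares a requirement for, so any module outside dbus that calls it (nsplugin, for instance) will only build if some other interface happens to have required `$1_dbusd_t` first. If the removal was made because the template is now invoked from inside the dbus module itself, where the type is declared, a comment saying so would prevent the next person from restoring the block; if not, it should come back as `gen_require(\` type $1_dbusd_t; ')` at the top of the template. The hunk does not show the caller, so I can only infer the motivation.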
@@ -14852,7 +14852,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. auth_read_pam_console_data(hald_t) -@@ -155,6 +160,8 @@ +@@ -121,6 +126,7 @@ + dev_rw_power_management(hald_t) + # hal is now execing pm-suspend + dev_rw_sysfs(hald_t) ++dev_read_video_dev(hald_t) + + domain_use_interactive_fds(hald_t) + domain_read_all_domains_state(hald_t) +@@ -155,6 +161,8 @@ selinux_compute_relabel_context(hald_t) selinux_compute_user_contexts(hald_t) @@ -14861,7 +14869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. storage_raw_read_removable_device(hald_t) storage_raw_write_removable_device(hald_t) storage_raw_read_fixed_disk(hald_t) -@@ -172,6 +179,8 @@ +@@ -172,6 +180,8 @@ init_rw_utmp(hald_t) init_telinit(hald_t) @@ -14870,7 +14878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_t) libs_use_shared_libs(hald_t) libs_exec_ld_so(hald_t) -@@ -244,6 +253,10 @@ +@@ -244,6 +254,10 @@ ') optional_policy(` @@ -14881,7 +14889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. hotplug_read_config(hald_t) ') -@@ -265,6 +278,11 @@ +@@ -265,6 +279,11 @@ ') optional_policy(` @@ -14893,7 +14901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. rpc_search_nfs_state_data(hald_t) ') -@@ -291,7 +309,8 @@ +@@ -291,7 +310,8 @@ # allow hald_acl_t self:capability { dac_override fowner }; @@ -14903,7 +14911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) allow hald_t hald_acl_t:process signal; -@@ -301,9 +320,14 @@ +@@ -301,9 +321,14 @@ manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_acl_t) 
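Review bot: The new `dev_read_video_dev(hald_t)` line carries no explanation, while the neighbouring `dev_rw_sysfs(hald_t)` in the same hunk is justified by `# hal is now execing pm-suspend`; read access to video device nodes is a broader grant than the getattr/setattr the hald_acl_t helper already has further down, and a future reviewer cannot tell which probe needs it. Please add a one-line comment above it naming the helper or probe that triggered the denial, e.g. `# hald reads video device nodes when probing (confirm which helper needs this)`, hedged until the exact caller is known.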
@@ -14918,7 +14926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_getattr_generic_usb_dev(hald_acl_t) dev_getattr_video_dev(hald_acl_t) dev_setattr_video_dev(hald_acl_t) -@@ -325,6 +349,11 @@ +@@ -325,6 +350,11 @@ miscfiles_read_localization(hald_acl_t) @@ -14930,7 +14938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald mac policy -@@ -338,10 +367,14 @@ +@@ -338,10 +368,14 @@ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) @@ -14945,7 +14953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -@@ -391,3 +424,7 @@ +@@ -391,3 +425,7 @@ libs_use_shared_libs(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) @@ -16432,7 +16440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 11:32:17.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-03-17 16:21:36.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-03-28 11:44:38.000000000 +0100 @@ -25,26 +25,33 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -16521,7 +16529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_sysadm_home_dirs(munin_t) -@@ -108,7 +126,20 @@ +@@ -108,7 +126,21 @@ ') optional_policy(` @@ -16531,6 +16539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + +optional_policy(` + mta_read_config(munin_t) ++ mta_send_mail(munin_t) +') + +optional_policy(` 
@@ -16543,7 +16552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -118,3 +149,9 @@ +@@ -118,3 +150,9 @@ optional_policy(` udev_read_db(munin_t) ') @@ -25374,7 +25383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 11:32:17.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-25 08:25:28.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-28 22:07:37.000000000 +0100 @@ -8,6 +8,14 @@ ## @@ -25447,7 +25456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type iceauth_exec_t; -application_executable_file(iceauth_exec_t) +application_domain(iceauth_t,iceauth_exec_t) - ++ +type input_xevent_t, xevent_type; +type manage_xevent_t, xevent_type; +type output_xext_t, xextension_type; @@ -25463,7 +25472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +type x_rootcolormap_t; +type x_rootscreen_t; +type x_rootwindow_t; -+ + +type xauth_t; type xauth_exec_t; -application_executable_file(xauth_exec_t) 
@@ -25529,13 +25538,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` prelink_object_file(xkb_var_lib_t) ') -@@ -95,8 +196,11 @@ +@@ -95,8 +196,13 @@ # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; ++allow xdm_t self:capability { getcap setcap }; ++ +dontaudit xdm_t self:capability sys_admin; + +allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms }; @@ -25543,7 +25554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -109,6 +213,8 @@ +@@ -109,6 +215,8 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -25552,7 +25563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -131,15 +237,22 @@ +@@ -131,15 +239,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) 
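Review bot: `allow xdm_t self:capability { getcap setcap };` names the wrong object class: as far as I can tell from the reference policy access vectors, `getcap` and `setcap` (the capget/capset permissions) belong to the `process` class, and the `capability` class has no such permissions, so this line should fail policy compilation rather than grant anything. The rule the commit message describes is `allow xdm_t self:process { getcap setcap };`, which can simply be folded into the existing `allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };` line that follows. Since the message calls it a stopgap, mark it as such so it gets removed: `# temporary: pulseaudio needs capget/capset until it is fixed upstream`.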
@@ -25576,7 +25587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -153,6 +266,7 @@ +@@ -153,6 +268,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -25584,7 +25595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) -@@ -173,6 +287,8 @@ +@@ -173,6 +289,8 @@ corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -25593,7 +25604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -184,6 +300,7 @@ +@@ -184,6 +302,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -25601,7 +25612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -196,6 +313,7 @@ +@@ -196,6 +315,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -25609,7 +25620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -208,8 +326,8 @@ +@@ -208,8 +328,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) 
@@ -25620,7 +25631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -226,9 +344,12 @@ +@@ -226,9 +346,12 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -25633,7 +25644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -237,6 +358,7 @@ +@@ -237,6 +360,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -25641,7 +25652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -245,6 +367,7 @@ +@@ -245,6 +369,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -25649,7 +25660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,12 +379,11 @@ +@@ -256,12 +381,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -25663,7 +25674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -270,8 +392,13 @@ +@@ -270,8 +394,13 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -25677,7 +25688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -301,10 +428,15 @@ +@@ -301,10 +430,15 @@ optional_policy(` alsa_domtrans(xdm_t) 
@@ -25694,7 +25705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +444,23 @@ +@@ -312,6 +446,23 @@ ') optional_policy(` @@ -25718,7 +25729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +471,10 @@ +@@ -322,6 +473,10 @@ ') optional_policy(` @@ -25729,7 +25740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +488,11 @@ +@@ -335,6 +490,11 @@ ') optional_policy(` @@ -25741,7 +25752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +501,8 @@ +@@ -343,8 +503,8 @@ ') optional_policy(` @@ -25751,7 +25762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +538,7 @@ +@@ -380,7 +540,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -25760,7 +25771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +550,15 @@ +@@ -392,6 +552,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -25776,7 +25787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +571,17 @@ +@@ -404,9 +573,17 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) 
@@ -25794,7 +25805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +595,22 @@ +@@ -420,6 +597,22 @@ ') optional_policy(` @@ -25817,7 +25828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +620,139 @@ +@@ -429,47 +622,139 @@ ') optional_policy(` @@ -29507,7 +29518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 16:33:22.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-03-25 06:46:13.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-03-28 13:41:55.000000000 +0100 @@ -45,7 +45,7 @@ dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat @@ -30353,7 +30364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 15:52:56.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-25 08:52:58.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-27 23:47:44.000000000 +0100 @@ -29,9 +29,14 @@ ')