- dontaudit pam_t and dbusd writing to user_home_t

2008-01-11 19:45:47 +00:00 · 2008-01-11 19:45:47 +00:00 · 4be3ba520d
parent 5baf53aabd
commit 4be3ba520d
2 changed files with 143 additions and 53 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -1645,7 +1645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
 #######################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.5/policy/modules/apps/ethereal.te
 --- nsaserefpolicy/policy/modules/apps/ethereal.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te	2008-01-11 13:39:25.000000000 -0500
@@ -16,6 +16,13 @@
 type tethereal_tmp_t;
 files_tmp_file(tethereal_tmp_t)
@ -1783,7 +1783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.5/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/gnome.if	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.if	2008-01-11 13:39:51.000000000 -0500
@@ -33,9 +33,60 @@
 ## </param>
 #
@ -2016,8 +2016,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.5/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/gnome.te	2007-12-19 05:38:08.000000000 -0500
-@@ -8,8 +8,15 @@
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.te	2008-01-11 13:40:13.000000000 -0500
+@@ -8,8 +8,19 @@
 
 attribute gnomedomain;
 
@ -2036,6 +2036,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 +
 +type user_gconf_tmp_t;
 +files_tmp_file(user_gconf_tmp_t)
+
+typealias user_gnome_home_t alias unconfined_gnome_home_t;
+typealias user_gconf_home_t alias unconfined_gconf_home_t;
+typealias user_gconf_tmp_t alias unconfined_gconf_tmp_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.5/policy/modules/apps/gpg.fc
 --- nsaserefpolicy/policy/modules/apps/gpg.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc	2008-01-03 16:26:50.000000000 -0500
@ -2050,7 +2054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
 /usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.5/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/gpg.if	2008-01-03 17:11:22.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.if	2008-01-11 13:40:51.000000000 -0500
@@ -38,6 +38,10 @@
 	gen_require(`
 		type gpg_exec_t, gpg_helper_exec_t;
@ -3069,7 +3073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 # /bin
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if	2008-01-03 17:10:37.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if	2008-01-11 13:41:19.000000000 -0500
@@ -35,7 +35,10 @@
 template(`mozilla_per_role_template',`
 	gen_require(`
@ -3510,7 +3514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.5/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te	2008-01-11 14:37:00.000000000 -0500
@@ -6,15 +6,15 @@
 # Declarations
 #
@ -6014,7 +6018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 +/var/run/autofs.*		gen_context(system_u:object_r:automount_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.5/policy/modules/services/automount.if
 --- nsaserefpolicy/policy/modules/services/automount.if	2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/automount.if	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/automount.if	2008-01-08 15:20:43.000000000 -0500
@@ -74,3 +74,21 @@
 
 	dontaudit $1 automount_tmp_t:dir getattr;
@ -6786,7 +6790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.5/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/cups.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cups.te	2008-01-10 16:16:06.000000000 -0500
@@ -43,14 +43,12 @@
 
 type cupsd_var_run_t;
@ -6931,9 +6935,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 auth_use_nsswitch(cupsd_t)
 
 libs_use_ld_so(cupsd_t)
-@@ -220,16 +230,19 @@
+@@ -219,17 +229,22 @@
+ miscfiles_read_fonts(cupsd_t)
 
 seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
 
 -sysnet_read_config(cupsd_t)
 -
@ -6944,6 +6950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 # Write to /var/spool/cups.
 lpd_manage_spool(cupsd_t)
 +lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
 
 ifdef(`enable_mls',`
 	lpd_relabel_spool(cupsd_t)
@ -6953,7 +6960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 
 optional_policy(`
-@@ -242,12 +255,21 @@
+@@ -242,12 +257,21 @@
 
 optional_policy(`
 	dbus_system_bus_client_template(cupsd,cupsd_t)
@ -6975,7 +6982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 
 optional_policy(`
-@@ -263,6 +285,10 @@
+@@ -263,6 +287,10 @@
 ')
 
 optional_policy(`
@ -6986,7 +6993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	# cups execs smbtool which reads samba_etc_t files
 	samba_read_config(cupsd_t)
 	samba_rw_var_files(cupsd_t)
-@@ -326,6 +352,7 @@
+@@ -326,6 +354,7 @@
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
 dev_read_rand(cupsd_config_t)
@ -6994,7 +7001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
-@@ -372,6 +399,10 @@
+@@ -372,6 +401,10 @@
 ')
 
 optional_policy(`
@ -7005,7 +7012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
-@@ -387,6 +418,7 @@
+@@ -387,6 +420,7 @@
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
@ -7013,7 +7020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 
 optional_policy(`
-@@ -499,14 +531,12 @@
+@@ -499,14 +533,12 @@
 allow hplip_t self:udp_socket create_socket_perms;
 allow hplip_t self:rawip_socket create_socket_perms;
 
@ -7032,7 +7039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 
 manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
 files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -537,14 +567,14 @@
+@@ -537,14 +569,14 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
@ -7049,7 +7056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 domain_use_interactive_fds(hplip_t)
 
 files_read_etc_files(hplip_t)
-@@ -565,6 +595,7 @@
+@@ -565,6 +597,7 @@
 userdom_dontaudit_search_all_users_home_content(hplip_t)
 
 lpd_read_config(cupsd_t)
@ -8500,7 +8507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.if	2008-01-04 10:12:33.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.if	2008-01-11 14:28:39.000000000 -0500
@@ -133,6 +133,12 @@
 		sendmail_create_log($1_mail_t)
 	')
@ -8514,23 +8521,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ')
 
 #######################################
-@@ -217,6 +223,15 @@
- 	tunable_policy(`use_samba_home_dirs',`
- 		fs_manage_cifs_files($1_mail_t)
+@@ -219,6 +225,11 @@
 		fs_manage_cifs_symlinks($1_mail_t)
-+		fs_manage_cifs_files(mailserver_delivery)
-+		fs_manage_cifs_symlinks(mailserver_delivery)
-+	')
-+
+ 	')
+ 
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_manage_nfs_files($1_mail_t)
 +		fs_manage_nfs_symlinks($1_mail_t)
-+		fs_manage_nfs_files(mailserver_delivery)
-+		fs_manage_nfs_symlinks(mailserver_delivery)
- 	')
- 
+	')
+
 	optional_policy(`
-@@ -305,6 +320,42 @@
+ 		allow $1_mail_t self:capability dac_override;
+ 
+@@ -305,6 +316,42 @@
 
 ########################################
 ## <summary>
@ -8573,7 +8576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ##	Modified mailserver interface for
 ##	sendmail daemon use.
 ## </summary>
-@@ -383,11 +434,13 @@
+@@ -383,11 +430,13 @@
 	allow $1 mail_spool_t:dir list_dir_perms;
 	create_files_pattern($1,mail_spool_t,mail_spool_t)
 	read_files_pattern($1,mail_spool_t,mail_spool_t)
@ -8587,7 +8590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 	')
 
 	optional_policy(`
-@@ -422,6 +475,7 @@
+@@ -422,6 +471,7 @@
 		# apache should set close-on-exec
 		apache_dontaudit_rw_stream_sockets($1)
 		apache_dontaudit_rw_sys_script_stream_sockets($1)
@ -8595,7 +8598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 	')
 ')
 
-@@ -438,20 +492,18 @@
+@@ -438,20 +488,18 @@
 interface(`mta_send_mail',`
 	gen_require(`
 		attribute mta_user_agent;
@ -8622,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ')
 
 ########################################
-@@ -586,6 +638,25 @@
+@@ -586,6 +634,25 @@
 	files_search_etc($1)
 	allow $1 etc_aliases_t:file { rw_file_perms setattr };
 ')
@ -8648,7 +8651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 
 #######################################
 ## <summary>
-@@ -837,6 +908,25 @@
+@@ -837,6 +904,25 @@
 
 ########################################
 ## <summary>
@ -8676,7 +8679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.te	2008-01-11 14:28:19.000000000 -0500
@@ -6,6 +6,8 @@
 # Declarations
 #
@ -8755,7 +8758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 	logrotate_read_tmp_files(system_mail_t)
 ')
 
-@@ -136,6 +158,14 @@
+@@ -136,11 +158,30 @@
 ')
 
 optional_policy(`
@ -8770,6 +8773,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 	smartmon_read_tmp_files(system_mail_t)
 ')
 
+-# should break this up among sections:
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(mailserver_delivery)
+	fs_manage_cifs_files(mailserver_delivery)
+	fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(mailserver_delivery)
+	fs_manage_nfs_files(mailserver_delivery)
+	fs_manage_nfs_symlinks(mailserver_delivery)
+')
+ 
+# should break this up among sections:
+ optional_policy(`
+ 	# why is mail delivered to a directory of type arpwatch_data_t?
+ 	arpwatch_search_data(mailserver_delivery)
+@@ -154,3 +195,4 @@
+ 		cron_read_system_job_tmp_files(mta_user_agent)
+ 	')
+ ')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2007-04-30 10:41:38.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/munin.fc	2007-12-31 05:55:51.000000000 -0500
@ -9905,7 +9930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.if	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.if	2008-01-08 16:12:40.000000000 -0500
@@ -416,7 +416,7 @@
 ##	</summary>
 ## </param>
@ -9944,7 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.te	2007-12-31 14:18:01.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te	2008-01-11 14:27:52.000000000 -0500
@@ -6,6 +6,14 @@
 # Declarations
 #
@ -10098,6 +10123,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ########################################
 #
 # Postfix virtual local policy
+@@ -584,3 +618,4 @@
+ # For reading spamassasin
+ mta_read_config(postfix_virtual_t)
+ mta_manage_spool(postfix_virtual_t)
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc	2007-12-19 05:38:09.000000000 -0500
@ -10201,6 +10231,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ########################################
 #
 # postgresql Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.2.5/policy/modules/services/postgrey.te
+--- nsaserefpolicy/policy/modules/services/postgrey.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgrey.te	2008-01-08 16:15:30.000000000 -0500
+@@ -24,7 +24,7 @@
+ # Local policy
+ #
+ 
+-allow postgrey_t self:capability { chown setgid setuid };
+allow postgrey_t self:capability { chown dac_override setgid setuid };
+ dontaudit postgrey_t self:capability sys_tty_config;
+ allow postgrey_t self:process signal_perms;
+ allow postgrey_t self:tcp_socket create_stream_socket_perms;
+@@ -85,6 +85,11 @@
+ ')
+ 
+ optional_policy(`
+	postfix_read_config(postgrey_t)
+	postfix_read_spool_files(postgrey_t)
+')
+
+optional_policy(`
+ 	seutil_sigchld_newrole(postgrey_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc
 --- nsaserefpolicy/policy/modules/services/ppp.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/ppp.fc	2007-12-19 05:38:09.000000000 -0500
@ -11632,13 +11686,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc	2008-01-09 09:00:58.000000000 -0500
@@ -1,4 +1,4 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:user_spamassassin_home_t,s0)
 
 /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
+@@ -9,8 +9,11 @@
+ 
+ /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
+ 
+/var/log/spamd\.log	--	gen_context(system_u:object_r:spamd_log_t,s0)
+
+ /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+ /var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+ 
+ /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
+ /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if	2008-01-03 12:06:11.000000000 -0500
@ -12085,7 +12151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te	2008-01-03 12:54:53.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te	2008-01-09 09:00:24.000000000 -0500
@@ -21,8 +21,9 @@
 gen_tunable(spamd_enable_home_dirs,true)
 
@ -12097,7 +12163,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 
 type spamd_t;
 type spamd_exec_t;
-@@ -42,7 +43,17 @@
+@@ -31,6 +32,9 @@
+ type spamd_spool_t;
+ files_type(spamd_spool_t)
+ 
+type spamd_log_t;
+logging_log_file(spamd_log_t)
+
+ type spamd_tmp_t;
+ files_tmp_file(spamd_tmp_t)
+ 
+@@ -42,7 +46,17 @@
 files_pid_file(spamd_var_run_t)
 
 type spamassassin_exec_t;
@ -12116,7 +12192,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 
 ########################################
 #
-@@ -81,10 +92,11 @@
+@@ -71,6 +85,9 @@
+ allow spamd_t self:udp_socket create_socket_perms;
+ allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
+logging_log_filetrans(spamd_t,spamd_log_t,file)
+
+ manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
+ manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
+ files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
+@@ -81,10 +98,11 @@
 
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@ -12129,7 +12215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 
 kernel_read_all_sysctls(spamd_t)
-@@ -149,11 +161,31 @@
+@@ -149,11 +167,31 @@
 userdom_search_unpriv_users_home_dirs(spamd_t)
 userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
 
@ -12161,7 +12247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 	fs_manage_cifs_files(spamd_t)
 ')
 
-@@ -171,6 +203,7 @@
+@@ -171,6 +209,7 @@
 
 optional_policy(`
 	dcc_domtrans_client(spamd_t)
@ -12169,7 +12255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 	dcc_stream_connect_dccifd(spamd_t)
 ')
 
-@@ -212,3 +245,206 @@
+@@ -212,3 +251,206 @@
 optional_policy(`
 	udev_read_db(spamd_t)
 ')
@ -14139,7 +14225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te	2008-01-11 14:30:57.000000000 -0500
@@ -59,6 +59,9 @@
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
@ -14160,18 +14246,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ########################################
 #
 # PAM local policy
-@@ -121,6 +127,10 @@
+@@ -121,6 +127,11 @@
 logging_send_syslog_msg(pam_t)
 
 userdom_use_unpriv_users_fds(pam_t)
 +userdom_write_unpriv_users_tmp_files(pam_t)
 +userdom_unlink_unpriv_users_tmp_files(pam_t)
-+userdom_read_unpriv_users_home_content_files(pam_t)
+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
+userdom_dontaudit_write_user_home_content_files(user, pam_t)
 +userdom_append_unpriv_users_home_content_files(pam_t)
 
 optional_policy(`
 	locallogin_use_fds(pam_t)
-@@ -279,8 +289,10 @@
+@@ -279,8 +290,10 @@
 files_manage_etc_files(updpwd_t)
 
 term_dontaudit_use_console(updpwd_t)
@ -14183,7 +14270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 
 auth_manage_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)
-@@ -329,11 +341,6 @@
+@@ -329,11 +342,6 @@
 ')
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
 %endif

 %changelog
+* Mon Jan 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-10
+- dontaudit pam_t and dbusd writing to user_home_t
+
 * Mon Jan 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-9
 - Update gpg to allow reading of inotify