- Allow xdm to create user_tmp_t sockets for switch user to work

2009-02-09 14:20:38 +00:00 · 2009-02-09 14:20:38 +00:00 · 598de2dbc3
commit 598de2dbc3
parent bc861e624e
1 changed files with 99 additions and 62 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -1483,8 +1483,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.4/policy/modules/admin/usermanage.if
 --- nsaserefpolicy/policy/modules/admin/usermanage.if	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/admin/usermanage.if	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/admin/usermanage.if	2009-02-07 07:19:49.000000000 -0500
-@@ -138,6 +138,7 @@
+@@ -117,6 +117,24 @@
 ########################################
 ## <summary>
 +##	Send sigkills to passwd.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`usermanage_passwd_sigkill',`
 +	gen_require(`
 +		type passwd_t;
 +	')
 +
 +	allow $1 passwd_t:process sigkill;
 +')
 +
 +########################################
 +## <summary>
 ##	Execute passwd in the passwd domain, and
 ##	allow the specified role the passwd domain.
 ## </summary>
@@ -138,6 +156,7 @@
 	usermanage_domtrans_passwd($1)
 	role $2 types passwd_t;
@ -4634,7 +4659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.4/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/devices.if	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/kernel/devices.if	2009-02-09 09:03:10.000000000 -0500
@@ -65,7 +65,7 @@
 	relabelfrom_dirs_pattern($1, device_t, device_node)
@ -5410,7 +5435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.4/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/files.if	2009-02-04 10:53:13.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/kernel/files.if	2009-02-09 09:04:21.000000000 -0500
@@ -110,6 +110,11 @@
 ## </param>
 #
@ -8851,7 +8876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/apache.te	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/apache.te	2009-02-06 16:08:00.000000000 -0500
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -9072,8 +9097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_pam, false)
 +
- tunable_policy(`allow_httpd_mod_auth_pam',`
+tunable_policy(`allow_httpd_mod_auth_pam',`
 -	auth_domtrans_chk_passwd(httpd_t)
 +	auth_domtrans_chkpwd(httpd_t)
 +')
 +
@ -9084,7 +9108,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 +optional_policy(`
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
 -	auth_domtrans_chk_passwd(httpd_t)
 +		samba_domtrans_winbind_helper(httpd_t)
 ')
 ')
@ -9358,20 +9383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -655,6 +809,12 @@
+@@ -672,15 +826,14 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 +tunable_policy(`httpd_use_cifs',`
 +	fs_manage_cifs_files(httpd_suexec_t)
 +	fs_manage_cifs_symlinks(httpd_suexec_t)
 +	fs_exec_cifs_files(httpd_suexec_t)
 +')
 +
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
@@ -672,15 +832,14 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -9390,7 +9402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +858,24 @@
+@@ -699,12 +852,24 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -9408,16 +9420,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_manage_nfs_dirs(httpd_sys_script_t)
 +	fs_manage_nfs_files(httpd_sys_script_t)
 +	fs_manage_nfs_symlinks(httpd_sys_script_t)
-+')
+	fs_exec_nfs_files(httpd_sys_script_t)
 +
 +tunable_policy(`httpd_use_nfs',`
 +	fs_manage_nfs_dirs(httpd_suexec_t)
 +	fs_manage_nfs_files(httpd_suexec_t)
 +	fs_manage_nfs_symlinks(httpd_suexec_t)
 +	fs_exec_nfs_files(httpd_suexec_t)
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +883,35 @@
+@@ -712,6 +877,35 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
@ -9447,13 +9459,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_manage_cifs_dirs(httpd_suexec_t)
 +	fs_manage_cifs_files(httpd_suexec_t)
 +	fs_manage_cifs_symlinks(httpd_suexec_t)
 +	fs_exec_cifs_files(httpd_suexec_t)
 +')
 +
 +
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +924,10 @@
+@@ -724,6 +918,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -9464,7 +9476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -735,6 +939,8 @@
+@@ -735,6 +933,8 @@
 # httpd_rotatelogs local policy
 #
@ -9473,7 +9485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +960,12 @@
+@@ -754,6 +954,12 @@
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -9486,7 +9498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 # allow accessing files/dirs below the users home dir
-@@ -762,3 +974,66 @@
+@@ -762,3 +968,66 @@
 	userdom_search_user_home_dirs(httpd_suexec_t)
 	userdom_search_user_home_dirs(httpd_user_script_t)
 ')
@ -20074,7 +20086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/rpc.te	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/rpc.te	2009-02-09 09:05:45.000000000 -0500
@@ -23,7 +23,7 @@
 gen_tunable(allow_nfsd_anon_write, false)
@ -20100,15 +20112,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -135,6 +137,7 @@
+@@ -135,11 +137,19 @@
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
 +	userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
 +	dev_getattr_all_blk_files(nfsd_t)
 +	dev_getattr_all_chr_files(nfsd_t)
 ')
 tunable_policy(`nfs_export_all_ro',`
-@@ -170,6 +173,7 @@
+ 	fs_read_noxattr_fs_files(nfsd_t) 
 +	auth_read_all_dirs_except_shadow(nfsd_t)
 	auth_read_all_files_except_shadow(nfsd_t)
 +	files_getattr_all_pipes(nfsd_t)
 +	files_getattr_all_sockets(nfsd_t)
 +	dev_getattr_all_blk_files(nfsd_t)
 +	dev_getattr_all_chr_files(nfsd_t)
 ')
 ########################################
@@ -170,6 +180,7 @@
 files_read_usr_symlinks(gssd_t) 
 auth_use_nsswitch(gssd_t)
@ -20116,7 +20140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_certs(gssd_t)
-@@ -180,8 +184,7 @@
+@@ -180,8 +191,7 @@
 ')
 optional_policy(`
@ -20582,7 +20606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/samba.te	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/samba.te	2009-02-07 07:19:23.000000000 -0500
@@ -66,6 +66,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs, false)
@ -20736,7 +20760,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -338,20 +365,27 @@
+@@ -333,25 +360,33 @@
 tunable_policy(`samba_domain_controller',`
 	usermanage_domtrans_passwd(smbd_t)
 +	usermanage_passwd_sigkill(smbd_t)
 	usermanage_domtrans_useradd(smbd_t)
 	usermanage_domtrans_groupadd(smbd_t)
 ')
 tunable_policy(`samba_enable_home_dirs',`
@ -20770,7 +20800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	cups_read_rw_config(smbd_t)
 	cups_stream_connect(smbd_t)
-@@ -359,6 +393,16 @@
+@@ -359,6 +394,16 @@
 optional_policy(`
 	kerberos_use(smbd_t)
@ -20787,7 +20817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -381,8 +425,10 @@
+@@ -381,8 +426,10 @@
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t) 
@ -20798,7 +20828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	auth_read_all_files_except_shadow(nmbd_t)
 ')
-@@ -454,6 +500,7 @@
+@@ -454,6 +501,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 fs_getattr_all_fs(nmbd_t)
@ -20806,7 +20836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_search_auto_mountpoints(nmbd_t)
 domain_use_interactive_fds(nmbd_t)
-@@ -553,19 +600,33 @@
+@@ -553,19 +601,33 @@
 userdom_use_user_terminals(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
@ -20843,7 +20873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -585,6 +646,9 @@
+@@ -585,6 +647,9 @@
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 allow swat_t winbind_exec_t:file mmap_file_perms;
@ -20853,7 +20883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -609,15 +673,18 @@
+@@ -609,15 +674,18 @@
 dev_read_urand(swat_t)
@ -20872,7 +20902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_search_logs(swat_t)
 miscfiles_read_localization(swat_t)
-@@ -635,6 +702,17 @@
+@@ -635,6 +703,17 @@
 	kerberos_use(swat_t)
 ')
@ -20890,7 +20920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Winbind local policy
-@@ -642,7 +720,7 @@
+@@ -642,7 +721,7 @@
 allow winbind_t self:capability { dac_override ipc_lock setuid };
 dontaudit winbind_t self:capability sys_tty_config;
@ -20899,7 +20929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow winbind_t self:fifo_file rw_fifo_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +761,10 @@
+@@ -683,9 +762,10 @@
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@ -20912,7 +20942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_all_recvfrom_unlabeled(winbind_t)
 corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +788,12 @@
+@@ -709,10 +789,12 @@
 auth_domtrans_chk_passwd(winbind_t)
 auth_use_nsswitch(winbind_t)
@ -20925,7 +20955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(winbind_t)
-@@ -768,8 +849,13 @@
+@@ -768,8 +850,13 @@
 userdom_use_user_terminals(winbind_helper_t)
 optional_policy(`
@ -20939,7 +20969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -778,6 +864,16 @@
+@@ -778,6 +865,16 @@
 #
 optional_policy(`
@ -20956,7 +20986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
-@@ -788,9 +884,43 @@
+@@ -788,9 +885,43 @@
 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@ -23547,7 +23577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/xserver.te	2009-02-05 18:20:04.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/xserver.te	2009-02-08 17:11:40.000000000 -0500
@@ -34,6 +34,13 @@
 ## <desc>
@ -23903,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
-+userdom_write_user_tmp_files(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
 xserver_rw_session(xdm_t,xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
@ -24394,7 +24424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.4/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/authlogin.if	2009-02-04 10:32:13.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/system/authlogin.if	2009-02-07 07:22:59.000000000 -0500
@@ -43,20 +43,38 @@
 interface(`auth_login_pgm_domain',`
 	gen_require(`
@ -24509,11 +24539,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	sysnet_dns_name_resolve($1)
 -	sysnet_use_ldap($1)
 -
- 	optional_policy(`
+-	optional_policy(`
 -		kerberos_use($1)
 -	')
 -
-	optional_policy(`
+ 	optional_policy(`
 -		nis_use_ypbind($1)
 +		kerberos_read_keytab($1)
 +		kerberos_connect_524($1)
@ -24600,10 +24630,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Manage all files on the filesystem, except
 ##	the shadow passwords and listed exceptions.
 ## </summary>
-@@ -1297,6 +1395,10 @@
+@@ -1297,6 +1395,14 @@
 	')
 	optional_policy(`
 +		ldap_stream_connect($1)
 +	')
 +
 +	optional_policy(`
 +		kerberos_use($1)
 +	')
 +
@ -24611,7 +24645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		nis_use_ypbind($1)
 	')
-@@ -1307,6 +1409,7 @@
+@@ -1307,6 +1413,7 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 		samba_read_var_files($1)
@ -24619,7 +24653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -1341,3 +1444,99 @@
+@@ -1341,3 +1448,99 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -25561,7 +25595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.4/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/libraries.fc	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/system/libraries.fc	2009-02-09 08:38:58.000000000 -0500
@@ -60,12 +60,15 @@
 #
 # /opt
@ -25599,7 +25633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/(.*/)?java/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
-@@ -115,9 +120,17 @@
+@@ -115,24 +120,34 @@
 /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25617,7 +25651,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -127,12 +140,14 @@
+ /usr/lib(64)?/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -28621,7 +28658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-05 18:26:44.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-08 17:11:31.000000000 -0500
@@ -30,8 +30,9 @@
 	')