- Update gpg to allow reading of inotify

2008-01-08 19:58:56 +00:00 · 2008-01-08 19:58:56 +00:00 · 5baf53aabd
parent 3648b64bcb
commit 5baf53aabd
2 changed files with 406 additions and 73 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -957,7 +957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2008-01-03 11:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2008-01-08 08:11:14.000000000 -0500
@@ -152,6 +152,24 @@
 ########################################
@ -983,7 +983,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ##	Send and receive messages from
 ##	rpm over dbus.
 ## </summary>
-@@ -210,6 +228,24 @@
+@@ -173,6 +191,27 @@
 ########################################
 ## <summary>
 +##	Send and receive messages from
 +##	rpm_script over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`rpm_script_dbus_chat',`
 +	gen_require(`
 +		type rpm_script_t;
 +		class dbus send_msg;
 +	')
 +
 +	allow $1 rpm_script_t:dbus send_msg;
 +	allow rpm_script_t $1:dbus send_msg;
 +')
 +
 +########################################
 +## <summary>
 ##	Create, read, write, and delete the RPM log.
 ## </summary>
 ## <param name="domain">
@@ -210,6 +249,24 @@
 ########################################
 ## <summary>
@ -1008,7 +1036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ##	Create, read, write, and delete RPM
 ##	script temporary files.
 ## </summary>
-@@ -225,7 +261,29 @@
+@@ -225,7 +282,29 @@
 	')
 	files_search_tmp($1)
@ -1038,7 +1066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ')
 ########################################
-@@ -289,3 +347,137 @@
+@@ -289,3 +368,137 @@
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
@ -1304,7 +1332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/su.if	2008-01-03 13:47:22.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/su.if	2008-01-08 05:34:26.000000000 -0500
@@ -41,15 +41,13 @@
 	allow $2 $1_su_t:process signal;
@ -1330,7 +1358,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
 	logging_send_syslog_msg($1_su_t)
 	miscfiles_read_localization($1_su_t)
-@@ -172,13 +171,12 @@
+@@ -119,11 +118,6 @@
 	optional_policy(`
 		kerberos_use($1_su_t)
 	')
 -
 -	ifdef(`TODO',`
 -	# Caused by su - init scripts
 -	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
 -	') dnl end TODO
 ')
 #######################################
@@ -172,13 +166,12 @@
 	domain_interactive_fd($1_su_t)
 	role $3 types $1_su_t;
@ -1347,7 +1387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
 	allow $1_su_t self:key { search write };
 	# Transition from the user domain to this domain.
-@@ -188,7 +186,7 @@
+@@ -188,7 +181,7 @@
 	corecmd_shell_domtrans($1_su_t,$2)
 	allow $2 $1_su_t:fd use;
 	allow $2 $1_su_t:fifo_file rw_file_perms;
@ -1356,7 +1396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
-@@ -203,15 +201,15 @@
+@@ -203,15 +196,15 @@
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
@ -1375,7 +1415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
 	files_read_etc_files($1_su_t)
 	files_read_etc_runtime_files($1_su_t)
 	files_search_var_lib($1_su_t)
-@@ -226,12 +224,14 @@
+@@ -226,12 +219,14 @@
 	libs_use_ld_so($1_su_t)
 	libs_use_shared_libs($1_su_t)
@ -1391,7 +1431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
 	ifdef(`distro_rhel4',`
 		domain_role_change_exemption($1_su_t)
-@@ -295,13 +295,7 @@
+@@ -295,13 +290,7 @@
 		xserver_domtrans_user_xauth($1, $1_su_t)
 	')
@ -2327,8 +2367,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.5/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/gpg.te	2008-01-03 17:11:59.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.te	2008-01-08 05:15:21.000000000 -0500
-@@ -7,15 +7,223 @@
+@@ -7,15 +7,225 @@
 #
 # Type for gpg or pgp executables.
@ -2378,6 +2418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
 +allow gpg_t user_gpg_secret_t:dir create_dir_perms;
 +userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir)
 +userdom_manage_user_home_content_files(user,gpg_t)
 +userdom_manage_user_tmp_files(user,gpg_t)
 +
 +# transition from the gpg domain to the helper domain
 +domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t)
@ -2397,6 +2438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
 +dev_read_urand(gpg_t)
 +
 +fs_getattr_xattr_fs(gpg_t)
 +fs_list_inotifyfs(gpg_t)
 +
 +domain_use_interactive_fds(gpg_t)
 +
@ -4364,8 +4406,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc	2008-01-03 14:26:07.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc	2008-01-07 11:08:14.000000000 -0500
-@@ -7,6 +7,7 @@
+@@ -7,11 +7,11 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -4373,7 +4415,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -58,6 +59,8 @@
+ /bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 -
 #
 # /dev
 #
@@ -58,6 +58,8 @@
 /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
@ -4382,7 +4429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -127,6 +130,8 @@
+@@ -127,6 +129,8 @@
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
@ -4391,7 +4438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /usr
 #
-@@ -147,7 +152,7 @@
+@@ -147,7 +151,7 @@
 /usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
@ -4400,15 +4447,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -186,6 +191,8 @@
+@@ -186,7 +190,10 @@
 /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
@@ -284,3 +291,6 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
@ -5003,6 +5052,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
 /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.2.5/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/kernel/storage.if	2008-01-08 06:26:10.000000000 -0500
@@ -81,6 +81,26 @@
 ########################################
 ## <summary>
 +##	dontaudit the caller attempts to read from a fixed disk.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	The type of the process performing this action.
 +##	</summary>
 +## </param>
 +#
 +interface(`storage_dontaudit_raw_read_fixed_disk',`
 +	gen_require(`
 +		attribute fixed_disk_raw_read;
 +		type fixed_disk_device_t;
 +	')
 +
 +	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
 +	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
 +')
 +
 +########################################
 +## <summary>
 ##	Allow the caller to directly read from a fixed disk.
 ##	This is extremly dangerous as it can bypass the
 ##	SELinux protections for filesystem objects, and
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.5/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2007-09-12 10:34:17.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/kernel/terminal.if	2007-12-19 05:38:09.000000000 -0500
@ -7012,7 +7091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2007-12-30 09:53:47.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-08 10:52:45.000000000 -0500
@@ -53,6 +53,7 @@
 	gen_require(`
 		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -7063,7 +7142,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 	ifdef(`hide_broken_symptoms', `
 		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
-@@ -214,7 +221,7 @@
+@@ -182,6 +189,7 @@
 	optional_policy(`
 		xserver_use_xdm_fds($1_dbusd_t)
 		xserver_rw_xdm_pipes($1_dbusd_t)
 +		xserver_dontaudit_xdm_lib_search($1_dbusd_t)
 	')
 ')
@@ -214,7 +222,7 @@
 	# SE-DBus specific permissions
 #	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@ -7072,7 +7159,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 	files_search_var_lib($2)
-@@ -251,6 +258,7 @@
+@@ -223,6 +231,10 @@
 	files_search_pids($2)
 	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
 	dbus_read_config($2)
 +
 +	optional_policy(`
 +		rpm_script_dbus_chat($2)
 +	')
 ')
 #######################################
@@ -251,6 +263,7 @@
 template(`dbus_user_bus_client_template',`
 	gen_require(`
 		type $1_dbusd_t;
@ -7080,7 +7178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 		class dbus send_msg;
 	')
-@@ -263,6 +271,7 @@
+@@ -263,6 +276,7 @@
 	# For connecting to the bus
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
@ -7088,7 +7186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 ')
 ########################################
-@@ -292,6 +301,59 @@
+@@ -292,6 +306,59 @@
 ########################################
 ## <summary>
@ -7148,7 +7246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 ##	Read dbus configuration.
 ## </summary>
 ## <param name="domain">
-@@ -366,3 +428,53 @@
+@@ -366,3 +433,53 @@
 	allow $1 system_dbusd_t:dbus *;
 ')
@ -7243,7 +7341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.5/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dcc.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dcc.te	2008-01-04 09:52:10.000000000 -0500
@@ -124,7 +124,7 @@
 # dcc procmail interface local policy
 #
@ -7253,15 +7351,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
 allow dcc_client_t self:unix_dgram_socket create_socket_perms;
 allow dcc_client_t self:udp_socket create_socket_perms;
-@@ -148,6 +148,8 @@
+@@ -148,6 +148,10 @@
 files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
 +kernel_read_system_state(dcc_client_t)
 +
 +auth_use_nsswitch(dcc_client_t)
 +
 libs_use_ld_so(dcc_client_t)
 libs_use_shared_libs(dcc_client_t)
@@ -155,11 +159,8 @@
 miscfiles_read_localization(dcc_client_t)
 -sysnet_read_config(dcc_client_t)
 -sysnet_dns_name_resolve(dcc_client_t)
 -
 optional_policy(`
 -	nscd_socket_use(dcc_client_t)
 +	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 ########################################
@@ -275,9 +276,7 @@
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
 -optional_policy(`
 -	nscd_socket_use(dccd_t)
 -')
 +auth_use_nsswitch(dccd_t)
 optional_policy(`
 	seutil_sigchld_newrole(dccd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.5/policy/modules/services/dictd.fc
 --- nsaserefpolicy/policy/modules/services/dictd.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/dictd.fc	2007-12-19 05:38:09.000000000 -0500
@ -7730,7 +7854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc
 --- nsaserefpolicy/policy/modules/services/fail2ban.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc	2008-01-08 13:32:00.000000000 -0500
@@ -1,3 +1,4 @@
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 +/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
@ -7887,7 +8011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.5/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/hal.te	2007-12-20 14:02:58.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/hal.te	2008-01-08 09:48:17.000000000 -0500
@@ -49,6 +49,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -7940,7 +8064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 #
 allow hald_acl_t self:capability { dac_override fowner };
-+allow hald_acl_t self:process signal;
+allow hald_acl_t self:process { getattr signal };
 allow hald_acl_t self:fifo_file read_fifo_file_perms;
 domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
@ -8376,7 +8500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.if	2007-12-27 11:44:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.if	2008-01-04 10:12:33.000000000 -0500
@@ -133,6 +133,12 @@
 		sendmail_create_log($1_mail_t)
 	')
@ -9437,6 +9561,60 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 	logrotate_exec(ntpd_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/oddjob.te	2008-01-04 12:24:30.000000000 -0500
@@ -15,6 +15,7 @@
 type oddjob_mkhomedir_t;
 type oddjob_mkhomedir_exec_t;
 domain_type(oddjob_mkhomedir_t)
 +domain_obj_id_change_exemption(oddjob_mkhomedir_t)
 init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
@@ -68,20 +69,38 @@
 # oddjob_mkhomedir local policy
 #
 +allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
 +allow oddjob_mkhomedir_t self:process setfscreate;
 allow oddjob_mkhomedir_t self:fifo_file { read write };
 allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
 files_read_etc_files(oddjob_mkhomedir_t)
 +kernel_read_system_state(oddjob_mkhomedir_t)
 +
 +auth_use_nsswitch(oddjob_mkhomedir_t)
 +
 libs_use_ld_so(oddjob_mkhomedir_t)
 libs_use_shared_libs(oddjob_mkhomedir_t)
 +logging_send_syslog_msg(oddjob_mkhomedir_t)
 +
 miscfiles_read_localization(oddjob_mkhomedir_t)
 +selinux_get_fs_mount(oddjob_mkhomedir_t)
 +selinux_validate_context(oddjob_mkhomedir_t)
 +selinux_compute_access_vector(oddjob_mkhomedir_t)
 +selinux_compute_create_context(oddjob_mkhomedir_t)
 +selinux_compute_relabel_context(oddjob_mkhomedir_t)
 +selinux_compute_user_contexts(oddjob_mkhomedir_t)
 +
 +seutil_read_config(oddjob_mkhomedir_t)
 +seutil_read_file_contexts(oddjob_mkhomedir_t)
 +seutil_read_default_contexts(oddjob_mkhomedir_t)
 +
 # Add/remove user home directories
 +userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)
 userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
 -userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
 -userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
 -userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
 -userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
 +userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)
 +userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te
 --- nsaserefpolicy/policy/modules/services/openct.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/openct.te	2007-12-19 05:38:09.000000000 -0500
@ -9460,7 +9638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
 /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/openvpn.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/openvpn.te	2008-01-08 13:31:47.000000000 -0500
@@ -8,7 +8,7 @@
 ## <desc>
@ -9479,7 +9657,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
 allow openvpn_t self:process { signal getsched };
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -110,3 +110,12 @@
+@@ -47,6 +47,7 @@
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
 read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
 +can_exec(openvpn_t,openvpn_etc_t)
 allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
@@ -77,6 +78,7 @@
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
 +corenet_tcp_connect_http_port(openvpn_t)
 dev_search_sysfs(openvpn_t)
 dev_read_rand(openvpn_t)
@@ -110,3 +112,12 @@
 	networkmanager_dbus_chat(openvpn_t)
 ')
@ -10077,8 +10271,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/procmail.te	2008-01-03 10:56:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te	2008-01-08 11:05:41.000000000 -0500
-@@ -129,7 +129,9 @@
+@@ -102,6 +102,10 @@
 ')
 optional_policy(`
 +	cron_read_pipes(procmail_t)
 +')
 +
 +optional_policy(`
 	munin_dontaudit_search_lib(procmail_t)
 ')
@@ -129,7 +133,9 @@
 	corenet_udp_bind_generic_port(procmail_t)
 	corenet_dontaudit_udp_bind_all_ports(procmail_t)
@ -10167,6 +10372,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
 ')
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te
 --- nsaserefpolicy/policy/modules/services/qmail.te	2007-10-02 09:54:52.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/qmail.te	2008-01-07 16:36:33.000000000 -0500
@@ -85,6 +85,8 @@
 libs_use_ld_so(qmail_inject_t)
 libs_use_shared_libs(qmail_inject_t)
 +miscfiles_read_localization(qmail_inject_t)
 +
 qmail_read_config(qmail_inject_t)
 ########################################
@@ -106,15 +108,25 @@
 kernel_read_system_state(qmail_local_t)
 +corecmd_exec_bin(qmail_local_t)
 corecmd_exec_shell(qmail_local_t)
 +can_exec(qmail_local_t, qmail_local_exec_t)
 files_read_etc_files(qmail_local_t)
 files_read_etc_runtime_files(qmail_local_t)
 +auth_use_nsswitch(qmail_local_t)
 +
 +logging_send_syslog(qmail_local_t)
 +
 mta_append_spool(qmail_local_t)
 qmail_domtrans_queue(qmail_local_t)
 +optional_policy(`
 +	spamassassin_domtrans_spamc(qmail_local_t)
 +')
 +
 ########################################
 #
 # qmail-lspawn local policy
@@ -155,6 +167,10 @@
 manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
 rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
 +corecmd_exec_bin(qmail_queue_t)
 +
 +logging_send_syslog(qmail_queue_t)
 +
 optional_policy(`
 	daemontools_ipc_domain(qmail_queue_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/razor.fc	2007-12-19 05:38:09.000000000 -0500
@ -10364,7 +10618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rpc.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpc.te	2008-01-08 06:24:04.000000000 -0500
@@ -60,10 +60,14 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -10399,12 +10653,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ########################################
 #
 # NFSD local policy
-@@ -92,9 +102,13 @@
+@@ -92,9 +102,16 @@
 allow nfsd_t exports_t:file { getattr read };
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 +dev_dontaudit_getattr_all_blk_files(nfsd_t) 
 +dev_dontaudit_getattr_all_chr_files(nfsd_t) 
 +
 +dev_read_lvm_control(nfsd_t)
 +storage_dontaudit_raw_read_fixed_disk(nfsd_t)
 +
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
@ -10413,7 +10670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -124,6 +138,7 @@
+@@ -124,6 +141,7 @@
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
@ -10421,7 +10678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ')
 tunable_policy(`nfs_export_all_ro',`
-@@ -144,6 +159,7 @@
+@@ -144,6 +162,7 @@
 manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -10429,7 +10686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
-@@ -157,8 +173,13 @@
+@@ -157,8 +176,13 @@
 files_list_tmp(gssd_t) 
 files_read_usr_symlinks(gssd_t) 
@ -10584,7 +10841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/samba.if	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/samba.if	2008-01-08 13:39:02.000000000 -0500
@@ -331,6 +331,25 @@
 ########################################
@ -10619,7 +10876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 ########################################
-@@ -492,3 +512,102 @@
+@@ -492,3 +512,103 @@
 	allow $1 samba_var_t:dir search_dir_perms;
 	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
 ')
@ -10669,6 +10926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +		type samba_share_t;
 +	')
 +
 +	allow $1 samba_share_t:filesystem getattr;
 +	read_files_pattern($1, samba_share_t, samba_share_t)
 +')
 +
@ -10724,7 +10982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/samba.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/samba.te	2008-01-08 13:40:20.000000000 -0500
@@ -26,28 +26,28 @@
 ## <desc>
@ -10801,7 +11059,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow smbd_t samba_net_tmp_t:file getattr;
-@@ -251,7 +256,7 @@
+@@ -234,6 +239,7 @@
 manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
 manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
 manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
 +allow smbd_t samba_share_t:filesystem getattr;
 manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
 manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
@@ -251,7 +257,7 @@
 manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
 files_pid_filetrans(smbd_t,smbd_var_run_t,file)
@ -10810,7 +11076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
-@@ -340,6 +345,17 @@
+@@ -340,6 +346,17 @@
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
@ -10828,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 optional_policy(`
-@@ -391,7 +407,7 @@
+@@ -391,7 +408,7 @@
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -10837,7 +11103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow nmbd_t self:tcp_socket create_stream_socket_perms;
 allow nmbd_t self:udp_socket create_socket_perms;
 allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +419,7 @@
+@@ -403,8 +420,7 @@
 read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
 manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@ -10847,7 +11113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
 create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +454,7 @@
+@@ -439,6 +455,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 fs_getattr_all_fs(nmbd_t)
@ -10855,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 fs_search_auto_mountpoints(nmbd_t)
 domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +538,7 @@
+@@ -522,6 +539,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 term_list_ptys(smbmount_t)
@ -10863,7 +11129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 corecmd_list_bin(smbmount_t)
-@@ -546,28 +563,37 @@
+@@ -546,28 +564,37 @@
 userdom_use_all_users_fds(smbmount_t)
@ -10908,7 +11174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow swat_t smbd_var_run_t:file read;
 manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +603,9 @@
+@@ -577,7 +604,9 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
@ -10919,7 +11185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -602,6 +630,7 @@
+@@ -602,6 +631,7 @@
 dev_read_urand(swat_t)
@ -10927,7 +11193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 files_read_etc_files(swat_t)
 files_search_home(swat_t)
 files_read_usr_files(swat_t)
-@@ -614,6 +643,7 @@
+@@ -614,6 +644,7 @@
 libs_use_shared_libs(swat_t)
 logging_send_syslog_msg(swat_t)
@ -10935,7 +11201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 logging_search_logs(swat_t)
 miscfiles_read_localization(swat_t)
-@@ -631,6 +661,17 @@
+@@ -631,6 +662,17 @@
 	kerberos_use(swat_t)
 ')
@ -10953,7 +11219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ########################################
 #
 # Winbind local policy
-@@ -679,6 +720,8 @@
+@@ -679,6 +721,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@ -10962,7 +11228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
-@@ -766,6 +809,7 @@
+@@ -766,6 +810,7 @@
 optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
@ -10970,7 +11236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 ########################################
-@@ -790,3 +834,37 @@
+@@ -790,3 +835,37 @@
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 	')
 ')
@ -11223,7 +11489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te	2008-01-08 06:17:24.000000000 -0500
@@ -27,8 +27,8 @@
 # setroubleshootd local policy
 #
@ -11245,16 +11511,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
-@@ -73,7 +75,7 @@
+@@ -68,13 +70,17 @@
 dev_read_urand(setroubleshootd_t)
 dev_read_sysfs(setroubleshootd_t)
 +dev_getattr_all_blk_files(setroubleshootd_t)
 +dev_getattr_all_chr_files(setroubleshootd_t)
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
 -files_getattr_all_dirs(setroubleshootd_t)
 +files_list_all(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
 +files_getattr_all_pipes(setroubleshootd_t)
 +files_getattr_all_sockets(setroubleshootd_t)
 fs_getattr_all_dirs(setroubleshootd_t)
-@@ -110,6 +112,7 @@
+ fs_getattr_all_files(setroubleshootd_t)
@@ -110,6 +116,7 @@
 optional_policy(`
 	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
 	dbus_connect_system_bus(setroubleshootd_t)
@ -12584,7 +12860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.if	2008-01-03 16:24:11.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/xserver.if	2008-01-08 11:18:17.000000000 -0500
@@ -15,6 +15,7 @@
 template(`xserver_common_domain_template',`
 	gen_require(`
@ -13158,7 +13434,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -974,6 +1041,37 @@
+@@ -937,7 +1004,7 @@
 ########################################
 ## <summary>
 -##      Read XDM var lib files.
 +##      dontaudit search of XDM var lib directories.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
@@ -945,12 +1012,12 @@
 ##      </summary>
 ## </param>
 #
 -interface(`xserver_read_xdm_lib_files',`
 +interface(`xserver_dontaudit_xdm_lib_search',`
 	gen_require(`
 		type xdm_var_lib_t;
 	')
 -	allow $1 xdm_var_lib_t:file { getattr read };
 +	dontaudit $1 xdm_var_lib_t:dir search_dir_perms;
 ')
 ########################################
@@ -965,15 +1032,47 @@
 #
 interface(`xserver_domtrans_xdm_xserver',`
 	gen_require(`
 -		type xdm_xserver_t, xserver_exec_t;
 +		type xdm_xserver_t, xserver_exec_t, xdm_t;
 	')
  	allow $1 xdm_xserver_t:process siginh;
 + 	allow xdm_t $1:process sigchld;
 	domtrans_pattern($1,xserver_exec_t,xdm_xserver_t)
 ')
 ########################################
 ## <summary>
@ -13196,7 +13507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -1123,7 +1221,7 @@
+@@ -1123,7 +1222,7 @@
 		type xdm_xserver_tmp_t;
 	')
@ -13205,7 +13516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -1312,3 +1410,45 @@
+@@ -1312,3 +1411,45 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
@ -14276,7 +14587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/init.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/init.te	2008-01-08 13:52:56.000000000 -0500
@@ -10,6 +10,20 @@
 # Declarations
 #
@ -14430,7 +14741,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -729,6 +765,11 @@
+@@ -708,9 +744,11 @@
 	squid_manage_logs(initrc_t)
 ')
 -optional_policy(`
 -	# allow init scripts to su
 -	su_restricted_domain_template(initrc,initrc_t,system_r)
 +ifndef(`targeted_policy',`
 +	optional_policy(`
 +		# allow init scripts to su
 +		su_restricted_domain_template(initrc,initrc_t,system_r)
 +	')
 ')
 optional_policy(`
@@ -729,6 +767,11 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
@ -14442,7 +14768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	unconfined_domain(initrc_t)
-@@ -743,6 +784,10 @@
+@@ -743,6 +786,10 @@
 ')
 optional_policy(`
@ -16552,7 +16878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-03 16:34:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-08 05:05:58.000000000 -0500
@@ -29,8 +29,9 @@
 	')
@ -19565,8 +19891,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-03 17:06:13.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-08 05:06:18.000000000 -0500
-@@ -0,0 +1,31 @@
+@@ -0,0 +1,34 @@
 +policy_module(staff,1.0.1)
 +userdom_unpriv_user_template(staff)
 +
@ -19574,6 +19900,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
 +userdom_role_change_template(staff, sysadm)
 +userdom_dontaudit_use_sysadm_terms(staff_t)
 +
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +
 +optional_policy(`
 +	xserver_per_role_template(staff, staff_t, staff_r)
 +')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -306,19 +306,20 @@ fi
 exit 0
-%triggerpostun targeted -- selinux-policy-targeted < 3.2.4-3.fc9
+%triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
 setsebool -P use_nfs_home_dirs=1
 semanage user -l | grep -s unconfined_u 
 if [ $? == 0 ]; then
-   semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
+   semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
 else
-   semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
+   semanage user -a -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
 fi
 seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
 [ $seuser == "system_u" ]   && semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 __default__
 seuser=`semanage login -l | grep root | awk '{ print $2 }'`
 [ $seuser == "system_u" ]   && semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 root
 restorecon -R /root /etc/selinux/targeted 2> /dev/null
 semodule -r qmail 2> /dev/null
 exit 0
 %files targeted
@ -386,6 +387,9 @@ exit 0
 %endif
 %changelog
 * Mon Jan 7 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-9
 - Update gpg to allow reading of inotify
 * Wed Jan 2 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-8
 - Change user and staff roles to work correctly with varied perms