- Allow hal_acl_t to getattr/setattr fixed_disk

2009-01-04 19:45:03 +00:00 · 2009-01-04 19:45:03 +00:00 · 5df2628335
commit 5df2628335
parent 32363900ec
2 changed files with 128 additions and 68 deletions
--- a/policy-20081111.patch
+++ b/policy-20081111.patch
@ -2004,7 +2004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.1/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/java.te	2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/java.te	2009-01-04 13:53:30.000000000 -0500
@@ -40,7 +40,7 @@
 # Local policy
 #
@ -2014,7 +2014,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow java_t self:fifo_file rw_fifo_file_perms;
 allow java_t self:tcp_socket create_socket_perms;
 allow java_t self:udp_socket create_socket_perms;
-@@ -147,4 +147,11 @@
+@@ -116,12 +116,13 @@
 	allow java_t java_tmp_t:file execute;
 -	libs_legacy_use_shared_libs(java_t)
 	libs_legacy_use_ld_so(java_t)
 	miscfiles_legacy_read_localization(java_t)
 ')
 +libs_legacy_use_shared_libs(java_t)
 +
 optional_policy(`
 	nis_use_ypbind(java_t)
 ')
@@ -147,4 +148,11 @@
 	unconfined_domain_noaudit(unconfined_java_t)
 	unconfined_dbus_chat(unconfined_java_t)
@ -5496,7 +5511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.1/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.if	2008-12-01 16:27:54.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.if	2009-01-04 12:00:43.000000000 -0500
@@ -534,6 +534,24 @@
 ########################################
@ -7814,7 +7829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +permissive afs_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.1/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/apache.fc	2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.fc	2008-12-29 10:16:33.000000000 -0500
@@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -7874,10 +7889,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -64,11 +71,21 @@
+@@ -64,11 +71,22 @@
 /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
@ -8432,7 +8448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/apache.te	2008-12-08 16:47:30.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.te	2009-01-04 12:50:52.000000000 -0500
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -12351,7 +12367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/hal.te	2008-12-19 17:16:25.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/hal.te	2009-01-04 12:01:07.000000000 -0500
@@ -49,6 +49,15 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -12368,7 +12384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Local policy
-@@ -143,6 +152,7 @@
+@@ -143,11 +152,16 @@
 files_getattr_all_dirs(hald_t)
 files_read_kernel_img(hald_t)
 files_rw_lock_dirs(hald_t)
@ -12376,7 +12392,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
-@@ -195,6 +205,7 @@
+ fs_list_inotifyfs(hald_t)
 fs_list_auto_mountpoints(hald_t)
 +fs_mount_dos_fs(hald_t)
 +fs_unmount_dos_fs(hald_t)
 +fs_manage_dos_files(hald_t)
 +
 files_getattr_all_mountpoints(hald_t)
 mls_file_read_all_levels(hald_t)
@@ -195,6 +209,7 @@
 seutil_read_file_contexts(hald_t)
 sysnet_read_config(hald_t)
@ -12384,7 +12409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -277,6 +288,12 @@
+@@ -277,6 +292,12 @@
 ')
 optional_policy(`
@ -12397,7 +12422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rpc_search_nfs_state_data(hald_t)
 ')
-@@ -301,12 +318,16 @@
+@@ -301,12 +322,16 @@
 	virt_manage_images(hald_t)
 ')
@ -12415,7 +12440,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow hald_acl_t self:process { getattr signal };
 allow hald_acl_t self:fifo_file rw_fifo_file_perms;
-@@ -346,12 +367,17 @@
+@@ -321,6 +346,7 @@
 manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
 manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
 files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
 +allow hald_t hald_var_run_t:dir mounton;
 corecmd_exec_bin(hald_acl_t)
@@ -339,6 +365,8 @@
 storage_getattr_removable_dev(hald_acl_t)
 storage_setattr_removable_dev(hald_acl_t)
 +storage_getattr_fixed_disk_dev(hald_acl_t)
 +storage_setattr_fixed_disk_dev(hald_acl_t)
 auth_use_nsswitch(hald_acl_t)
@@ -346,12 +374,17 @@
 miscfiles_read_localization(hald_acl_t)
@ -12434,7 +12476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
 allow hald_t hald_mac_t:process signal;
-@@ -418,3 +444,49 @@
+@@ -418,3 +451,49 @@
 files_read_usr_files(hald_keymap_t)
 miscfiles_read_localization(hald_keymap_t)
@ -18108,6 +18150,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_dontaudit_search_user_home_dirs(pyzor_t)
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.1/policy/modules/services/radvd.te
 --- nsaserefpolicy/policy/modules/services/radvd.te	2008-11-11 16:13:46.000000000 -0500
 +++ serefpolicy-3.6.1/policy/modules/services/radvd.te	2009-01-04 12:30:51.000000000 -0500
@@ -22,7 +22,7 @@
 #
 # Local policy
 #
 -allow radvd_t self:capability { setgid setuid net_raw };
 +allow radvd_t self:capability { setgid setuid net_raw net_admin };
 dontaudit radvd_t self:capability sys_tty_config;
 allow radvd_t self:process signal_perms;
 allow radvd_t self:unix_dgram_socket create_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.1/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2008-11-11 16:13:46.000000000 -0500
 +++ serefpolicy-3.6.1/policy/modules/services/razor.if	2008-11-25 09:45:43.000000000 -0500
@ -19423,7 +19477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.1/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/sendmail.te	2008-11-25 10:40:18.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/sendmail.te	2009-01-04 12:51:01.000000000 -0500
@@ -1,5 +1,5 @@
 -policy_module(sendmail, 1.8.2)
@ -19459,11 +19513,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -64,24 +69,29 @@
+@@ -64,24 +69,30 @@
 fs_getattr_all_fs(sendmail_t)
 fs_search_auto_mountpoints(sendmail_t)
 +fs_rw_anon_inodefs_files(sendmail_t)
 +fs_list_inotifyfs(sendmail_t)
 term_dontaudit_use_console(sendmail_t)
@ -19489,7 +19544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_use_nsswitch(sendmail_t)
-@@ -89,23 +99,38 @@
+@@ -89,23 +100,38 @@
 libs_read_lib_files(sendmail_t)
 logging_send_syslog_msg(sendmail_t)
@ -19530,7 +19585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -113,13 +138,19 @@
+@@ -113,13 +139,19 @@
 ')
 optional_policy(`
@ -19551,7 +19606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -127,24 +158,29 @@
+@@ -127,24 +159,29 @@
 ')
 optional_policy(`
@ -26456,7 +26511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-27 06:28:18.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2009-01-04 13:57:22.000000000 -0500
@@ -30,8 +30,9 @@
 	')
@ -27133,7 +27188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 #######################################
-@@ -722,15 +740,27 @@
+@@ -722,15 +740,29 @@
 	userdom_base_user_template($1)
@ -27148,26 +27203,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	userdom_exec_user_home_content_files($1_t)
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
 +
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
 +		')
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
 +
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
 +	')
 -	userdom_change_password_template($1)
 +	gen_tunable(allow_$1_exec_content, true)
 +
 +	tunable_policy(`allow_$1_exec_content',`
 +		userdom_exec_user_tmp_files($1_usertype)
 +		userdom_exec_user_home_content_files($1_usertype)
 +	')
 +
 +	tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +		fs_exec_nfs_files($1_usertype)
 +	')
 +
 +	tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +		fs_exec_cifs_files($1_usertype)
 +	')
 	##############################
 	#
-@@ -746,70 +776,72 @@
+@@ -746,70 +778,72 @@
 	allow $1_t self:context contains;
@ -27273,7 +27330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -846,6 +878,28 @@
+@@ -846,6 +880,28 @@
 	# Local policy
 	#
@ -27302,7 +27359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		loadkeys_run($1_t,$1_r)
 	')
-@@ -876,7 +930,7 @@
+@@ -876,7 +932,7 @@
 	userdom_restricted_user_template($1)
@ -27311,17 +27368,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	##############################
 	#
-@@ -884,14 +938,18 @@
+@@ -884,14 +940,18 @@
 	#
 	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
 +	auth_search_pam_console_data($1_usertype)
 +
 +	xserver_role($1_r, $1_t)
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
 +	xserver_role($1_r, $1_t)
 +
 +	dev_read_sound($1_usertype)
 +	dev_write_sound($1_usertype)
 	# gnome keyring wants to read this.
@ -27335,7 +27392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	logging_dontaudit_send_audit_msgs($1_t)
 	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +957,24 @@
+@@ -899,28 +959,24 @@
 	selinux_get_enforce_mode($1_t)
 	optional_policy(`
@ -27370,7 +27427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -931,8 +985,7 @@
+@@ -931,8 +987,7 @@
 ## </summary>
 ## <desc>
 ##	<p>
@ -27380,7 +27437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	</p>
 ##	<p>
 ##	This template creates a user domain, types, and
-@@ -954,8 +1007,8 @@
+@@ -954,8 +1009,8 @@
 	# Declarations
 	#
@ -27390,7 +27447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	userdom_common_user_template($1)
 	##############################
-@@ -964,11 +1017,10 @@
+@@ -964,11 +1019,10 @@
 	#
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -27403,7 +27460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1038,43 @@
+@@ -986,37 +1040,43 @@
 		')
 	')
@ -27460,7 +27517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 #######################################
-@@ -1050,7 +1108,7 @@
+@@ -1050,7 +1110,7 @@
 #
 template(`userdom_admin_user_template',`
 	gen_require(`
@ -27469,7 +27526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	##############################
-@@ -1059,8 +1117,7 @@
+@@ -1059,8 +1119,7 @@
 	#
 	# Inherit rules for ordinary users.
@ -27479,7 +27536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;
-@@ -1083,7 +1140,8 @@
+@@ -1083,7 +1142,8 @@
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
@ -27489,7 +27546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1106,8 +1164,6 @@
+@@ -1106,8 +1166,6 @@
 	dev_getattr_generic_blk_files($1_t)
 	dev_getattr_generic_chr_files($1_t)
@ -27498,7 +27555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow MAKEDEV to work
 	dev_create_all_blk_files($1_t)
 	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1218,6 @@
+@@ -1162,20 +1220,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
@ -27519,7 +27576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1221,6 +1263,7 @@
+@@ -1221,6 +1265,7 @@
 	dev_relabel_all_dev_nodes($1)
 	files_create_boot_flag($1)
@ -27527,7 +27584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1286,11 +1329,15 @@
+@@ -1286,11 +1331,15 @@
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -27543,7 +27600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1387,7 +1434,7 @@
+@@ -1387,7 +1436,7 @@
 ########################################
 ## <summary>
@ -27552,7 +27609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1420,6 +1467,14 @@
+@@ -1420,6 +1469,14 @@
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -27567,7 +27624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1435,9 +1490,11 @@
+@@ -1435,9 +1492,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -27579,7 +27636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1494,6 +1551,25 @@
+@@ -1494,6 +1553,25 @@
 	allow $1 user_home_dir_t:dir relabelto;
 ')
@ -27605,7 +27662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1547,9 +1623,9 @@
+@@ -1547,9 +1625,9 @@
 		type user_home_dir_t, user_home_t;
 	')
@ -27617,7 +27674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1568,6 +1644,8 @@
+@@ -1568,6 +1646,8 @@
 	')
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -27626,7 +27683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1643,6 +1721,7 @@
+@@ -1643,6 +1723,7 @@
 		type user_home_dir_t, user_home_t;
 	')
@ -27634,7 +27691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')
-@@ -1741,6 +1820,62 @@
+@@ -1741,6 +1822,62 @@
 ########################################
 ## <summary>
@ -27697,7 +27754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1757,14 +1892,6 @@
+@@ -1757,14 +1894,6 @@
 	files_search_home($1)
 	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@ -27712,7 +27769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1787,6 +1914,46 @@
+@@ -1787,6 +1916,46 @@
 ########################################
 ## <summary>
@ -27759,7 +27816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create, read, write, and delete files
 ##	in a user home subdirectory.
 ## </summary>
-@@ -2819,6 +2986,24 @@
+@@ -2819,6 +2988,24 @@
 ########################################
 ## <summary>
@ -27784,7 +27841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
-@@ -2851,6 +3036,7 @@
+@@ -2851,6 +3038,7 @@
 	')
 	read_files_pattern($1,userdomain,userdomain)
@ -27792,7 +27849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
-@@ -2965,6 +3151,24 @@
+@@ -2965,6 +3153,24 @@
 ########################################
 ## <summary>
@ -27817,7 +27874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -2981,3 +3185,264 @@
+@@ -2981,3 +3187,264 @@
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -1,4 +1,4 @@
-%define distro redhat
+ %define distro redhat
 %define polyinstatiate n
 %define monolithic n
 %if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -446,6 +446,9 @@ exit 0
 %endif
 %changelog
 * Sun Jan 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.1-15
 - Allow hal_acl_t to getattr/setattr fixed_disk
 * Sat Dec 27 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-14
 - Change userdom_read_all_users_state to include reading symbolic links in /proc