- Fix service start stop terminal avc's

2007-09-22 12:15:13 +00:00 · 2007-09-22 12:15:13 +00:00 · 6c319e4011
parent ec4fb1ce99
commit 6c319e4011
2 changed files with 211 additions and 38 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -312,6 +312,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 /usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 +/sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 +/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if
+--- nsaserefpolicy/policy/modules/admin/alsa.if	2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if	2007-09-22 06:43:02.000000000 -0400
+@@ -74,3 +74,39 @@
+ 	read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
+ 	read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
+ ')
+
+########################################
+## <summary>
+##	search alsa lib config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_search_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	allow $1 alsa_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read alsa lib config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_read_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t)
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-07-25 10:37:43.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-21 19:08:24.000000000 -0400
@ -2429,7 +2472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-09-21 14:29:01.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-09-22 08:10:42.000000000 -0400
@@ -20,6 +20,7 @@
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@ -2442,10 +2485,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/input/uimput	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/input/uinput	-c	gen_context(system_u:object_r:event_device_t,s0)
 
 /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if	2007-06-15 14:54:30.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if	2007-09-22 08:11:28.000000000 -0400
+@@ -1306,6 +1306,44 @@
+ 
+ ########################################
+ ## <summary>
+##	Get the attributes of the event devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_event_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the event devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_event_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+ ##	Read input event devices (/dev/input).
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-06-19 16:23:34.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2007-09-17 16:20:18.000000000 -0400
@ -3730,7 +3821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.te	2007-09-22 07:26:32.000000000 -0400
@@ -20,6 +20,8 @@
 # Declarations
 #
@ -6290,7 +6381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if	2007-09-22 07:42:39.000000000 -0400
@@ -42,6 +42,10 @@
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
@ -6302,7 +6393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
-@@ -172,3 +176,25 @@
+@@ -172,3 +176,26 @@
 	allow $1 krb5kdc_conf_t:file read_file_perms;
 
 ')
@ -6325,6 +6416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +
 +	files_search_tmp($1)
 +	allow $1 self:process setfscreate;
+	selinux_validate_context($1)
 +	seutil_read_file_contexts($1)
 +	allow $1 krb5_host_rcache_t:file manage_file_perms;
 +')
@ -6977,6 +7069,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 
 ########################################
 #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc
+--- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:50.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc	2007-09-22 07:16:25.000000000 -0400
+@@ -5,3 +5,4 @@
+ /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/log/wpa_supplicant.log	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-15 14:54:33.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2007-09-20 08:50:57.000000000 -0400
@ -7007,8 +7107,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2007-09-20 08:50:29.000000000 -0400
-@@ -20,7 +20,7 @@
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2007-09-22 07:14:54.000000000 -0400
+@@ -13,6 +13,9 @@
+ type NetworkManager_var_run_t;
+ files_pid_file(NetworkManager_var_run_t)
+ 
+type NetworkManager_log_t;
+files_pid_file(NetworkManager_log_t)
+
+ ########################################
+ #
+ # Local policy
+@@ -20,7 +23,7 @@
 
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161) 
@ -7017,7 +7127,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-@@ -138,6 +138,9 @@
+@@ -38,6 +41,9 @@
+ manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
+ files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
+ 
+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file)
+
+ kernel_read_system_state(NetworkManager_t)
+ kernel_read_network_state(NetworkManager_t)
+ kernel_read_kernel_sysctls(NetworkManager_t)
+@@ -138,6 +144,9 @@
 	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
 	dbus_connect_system_bus(NetworkManager_t)
 	dbus_send_system_bus(NetworkManager_t)
@ -7027,7 +7147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 ')
 
 optional_policy(`
-@@ -173,8 +176,10 @@
+@@ -173,8 +182,10 @@
 ')
 
 optional_policy(`
@ -8015,7 +8135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2007-09-22 07:43:42.000000000 -0400
@@ -64,9 +64,10 @@
 fs_getattr_xattr_fs(rlogind_t)
 fs_search_auto_mountpoints(rlogind_t)
@ -8028,25 +8148,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
 
 files_read_etc_files(rlogind_t)
 files_read_etc_runtime_files(rlogind_t)
-@@ -82,7 +83,7 @@
+@@ -82,21 +83,17 @@
 
 miscfiles_read_localization(rlogind_t)
 
 -seutil_dontaudit_search_config(rlogind_t)
+-
+-sysnet_read_config(rlogind_t)
 +seutil_read_config(rlogind_t)
 
- sysnet_read_config(rlogind_t)
+ userdom_setattr_unpriv_users_ptys(rlogind_t)
+ # cjp: this is egregious
+ userdom_read_all_users_home_content_files(rlogind_t)
 
-@@ -93,7 +94,9 @@
 remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
 
 optional_policy(`
 +	kerberos_use(rlogind_t)
 	kerberos_read_keytab(rlogind_t)
+-')
+-
+-ifdef(`TODO',`
+-# Allow krb5 rlogind to use fork and open /dev/tty for use
+-allow rlogind_t userpty_type:chr_file setattr;
 +	kerberos_manage_host_rcache(rlogind_t)
 ')
- 
- ifdef(`TODO',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
 --- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-07-03 07:06:27.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te	2007-09-17 16:20:18.000000000 -0400
@ -8920,7 +9047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te	2007-09-22 07:08:31.000000000 -0400
@@ -20,19 +20,22 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
@ -9460,7 +9587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/telnet.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/telnet.te	2007-09-22 07:45:00.000000000 -0400
@@ -32,7 +32,6 @@
 allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
@ -9482,7 +9609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
 files_read_etc_files(telnetd_t)
 files_read_etc_runtime_files(telnetd_t)
 # for identd; cjp: this should probably only be inetd_child rules?
-@@ -80,9 +81,7 @@
+@@ -80,27 +81,26 @@
 
 miscfiles_read_localization(telnetd_t)
 
@ -9493,7 +9620,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
 
 remotelogin_domtrans(telnetd_t)
 
-@@ -90,17 +89,16 @@
+userdom_search_unpriv_users_home_dirs(telnetd_t)
+
+ # for identd; cjp: this should probably only be inetd_child rules?
 optional_policy(`
 	kerberos_use(telnetd_t)
 	kerberos_read_keytab(telnetd_t)
@ -10565,7 +10694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2007-09-21 16:37:58.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2007-09-22 08:12:19.000000000 -0400
@@ -9,6 +9,13 @@
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
@ -10601,7 +10730,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ########################################
 #
 # PAM local policy
-@@ -159,6 +173,8 @@
+@@ -149,6 +163,8 @@
+ dev_setattr_apm_bios_dev(pam_console_t)
+ dev_getattr_dri_dev(pam_console_t)
+ dev_setattr_dri_dev(pam_console_t)
+dev_getattr_event_dev(pam_console_t)
+dev_setattr_event_dev(pam_console_t)
+ dev_getattr_framebuffer_dev(pam_console_t)
+ dev_setattr_framebuffer_dev(pam_console_t)
+ dev_getattr_generic_usb_dev(pam_console_t)
+@@ -159,6 +175,8 @@
 dev_setattr_mouse_dev(pam_console_t)
 dev_getattr_power_mgmt_dev(pam_console_t)
 dev_setattr_power_mgmt_dev(pam_console_t)
@ -10610,7 +10748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 dev_getattr_scanner_dev(pam_console_t)
 dev_setattr_scanner_dev(pam_console_t)
 dev_getattr_sound_dev(pam_console_t)
-@@ -236,7 +252,7 @@
+@@ -236,7 +254,7 @@
 
 optional_policy(`
 	xserver_read_xdm_pid(pam_console_t)
@ -10619,7 +10757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 
 ########################################
-@@ -302,3 +318,28 @@
+@@ -302,3 +320,28 @@
 	xserver_use_xdm_fds(utempter_t)
 	xserver_rw_xdm_pipes(utempter_t)
 ')
@ -10829,8 +10967,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-09-17 16:20:18.000000000 -0400
-@@ -540,18 +540,19 @@
+++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-09-22 07:07:39.000000000 -0400
+@@ -211,6 +211,13 @@
+ 			kernel_dontaudit_use_fds($1)
+ 		')
+ 	')
+	tunable_policy(`allow_daemons_use_tty',`
+	   term_use_all_user_ttys($1)
+	   term_use_all_user_ptys($1)
+	', `
+	   term_dontaudit_use_all_user_ttys($1)
+	   term_dontaudit_use_all_user_ptys($1)
+	 ')
+ ')
+ 
+ ########################################
+@@ -540,18 +547,19 @@
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
@ -10854,7 +11006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 	')
 ')
 
-@@ -567,18 +568,46 @@
+@@ -567,18 +575,46 @@
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -10905,7 +11057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 	')
 ')
 
-@@ -609,11 +638,11 @@
+@@ -609,11 +645,11 @@
 # cjp: added for gentoo integrated run_init
 interface(`init_script_file_domtrans',`
 	gen_require(`
@ -10919,7 +11071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -684,11 +713,11 @@
+@@ -684,11 +720,11 @@
 #
 interface(`init_getattr_script_files',`
 	gen_require(`
@ -10933,7 +11085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -703,11 +732,11 @@
+@@ -703,11 +739,11 @@
 #
 interface(`init_exec_script_files',`
 	gen_require(`
@ -10947,7 +11099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -931,6 +960,7 @@
+@@ -931,6 +967,7 @@
 
 	dontaudit $1 initrc_t:unix_stream_socket connectto;
 ')
@ -10955,7 +11107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ########################################
 ## <summary>
 ##	Send messages to init scripts over dbus.
-@@ -1030,11 +1060,11 @@
+@@ -1030,11 +1067,11 @@
 #
 interface(`init_read_script_files',`
 	gen_require(`
@ -10969,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -1252,7 +1282,7 @@
+@@ -1252,7 +1289,7 @@
 		type initrc_var_run_t;
 	')
 
@ -10978,7 +11130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -1273,3 +1303,64 @@
+@@ -1273,3 +1310,64 @@
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file manage_file_perms;
 ')
@ -11045,7 +11197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-09-18 11:07:20.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-09-22 07:06:37.000000000 -0400
@@ -10,6 +10,20 @@
 # Declarations
 #
@ -11140,7 +11292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -497,6 +515,39 @@
+@@ -497,6 +515,43 @@
 ')
 
 optional_policy(`
@ -11152,9 +11304,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +tunable_policy(`allow_daemons_use_tty',`
 +	term_use_unallocated_ttys(daemon)
 +	term_use_generic_ptys(daemon)
+	term_use_all_user_ttys(daemon)
+	term_use_all_user_ptys(daemon)
 +', `
 +	term_dontaudit_use_unallocated_ttys(daemon)
 +	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_user_ttys(daemon)
+	term_dontaudit_use_all_user_ptys(daemon)
 + ')
 + 
 +# system-config-services causes avc messages that should be dontaudited
@ -11180,7 +11336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
 ')
-@@ -632,12 +683,6 @@
+@@ -632,12 +687,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
@ -11193,7 +11349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -703,6 +748,9 @@
+@@ -703,6 +752,9 @@
 
 	# why is this needed:
 	rpm_manage_db(initrc_t)
@ -12991,6 +13147,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 term_dontaudit_use_all_user_ttys(ifconfig_t)
 term_dontaudit_use_all_user_ptys(ifconfig_t)
 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te	2007-09-12 10:34:51.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-09-22 06:43:22.000000000 -0400
+@@ -184,6 +184,10 @@
+ ')
+ 
+ optional_policy(`
+	alsa_search_lib(udev_t)
+')
+
+optional_policy(`
+ 	brctl_domtrans(udev_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-05-29 14:10:58.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2007-09-21 06:46:14.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -362,6 +362,9 @@ exit 0
 %endif

 %changelog
+* Sat Sep 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-9
+- Fix service start stop terminal avc's
+
 * Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-8
 - Allow also to search var_lib
 - New context for dbus launcher