- Eliminate mount_ntfs_t policy, merge into mount_t

2007-07-31 20:51:43 +00:00 · 2007-07-31 20:51:43 +00:00 · 6d2e7d5ebb
commit 6d2e7d5ebb
parent 47a35fa722
2 changed files with 198 additions and 51 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -710,7 +710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.4/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/admin/rpm.if	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/admin/rpm.if	2007-07-31 14:04:42.000000000 -0400
@@ -210,6 +210,24 @@
 ########################################
@ -767,7 +767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ')
 ########################################
-@@ -289,3 +328,65 @@
+@@ -289,3 +328,84 @@
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
@ -833,6 +833,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +
 +	dontaudit $1 rpm_tmp_t:file rw_file_perms;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to read, 
 +##	write RPM shm
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`rpm_dontaudit_rw_shm',`
 +	gen_require(`
 +		type rpm_t;
 +	')
 +
 +	dontaudit $1 rpm_t:shm rw_shm_perms;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.4/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-07-25 10:37:43.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/admin/rpm.te	2007-07-25 13:27:51.000000000 -0400
@ -2697,7 +2716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if	2007-07-30 10:20:15.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if	2007-07-31 16:40:44.000000000 -0400
@@ -1192,6 +1192,24 @@
 ########################################
@ -2723,9 +2742,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 ##	Search inotifyfs filesystem. 
 ## </summary>
 ## <param name="domain">
@@ -2219,7 +2237,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 -#
 +
 interface(`fs_dontaudit_read_ramfs_files',`
 	gen_require(`
 		type ramfs_t;
@@ -3476,3 +3494,42 @@
 	relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
 	relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
 ')
 +
 +########################################
 +## <summary>
 +##	Read files of anon_inodefs file system files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fs_read_anon_inodefs_files',`
 +	gen_require(`
 +		type anon_inodefs_t;
 +
 +	')
 +
 +	read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read/wrie files of anon_inodefs file system files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fs_rw_anon_inodefs_files',`
 +	gen_require(`
 +		type anon_inodefs_t;
 +
 +	')
 +
 +	rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.4/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te	2007-07-31 16:40:53.000000000 -0400
@@ -43,6 +43,12 @@
 #
 # Non-persistent/pseudo filesystems
@ -2749,7 +2820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 # filesystem SID to label inodes in the following filesystem types,
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.4/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/kernel/kernel.if	2007-07-25 14:26:57.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/kernel/kernel.if	2007-07-31 16:22:36.000000000 -0400
@@ -108,6 +108,24 @@
 ########################################
@ -3354,7 +3425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apache.te	2007-07-26 13:46:18.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/apache.te	2007-07-31 16:48:18.000000000 -0400
@@ -30,6 +30,13 @@
 ## <desc>
@ -3470,22 +3541,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
-@@ -348,7 +396,13 @@
+@@ -348,7 +396,9 @@
 userdom_use_unpriv_users_fds(httpd_t)
 -mta_send_mail(httpd_t)
 +optional_policy(`
 +	nscd_socket_use(httpd_t)
 +')
 +
 +tunable_policy(`httpd_enable_homedirs',`
 +	userdom_search_generic_user_home_dirs(httpd_t)
 +')
 tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
-@@ -360,6 +414,7 @@
+@@ -360,6 +410,7 @@
 #
 tunable_policy(`allow_httpd_mod_auth_pam',`
 	auth_domtrans_chk_passwd(httpd_t)
@ -3493,7 +3560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ')
-@@ -367,6 +422,16 @@
+@@ -367,6 +418,16 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
@ -3510,7 +3577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_can_network_connect_db',`
 	# allow httpd to connect to mysql/posgresql
 	corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +452,17 @@
+@@ -387,6 +448,17 @@
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
@ -3528,7 +3595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -404,11 +480,21 @@
+@@ -404,11 +476,21 @@
 	fs_read_nfs_symlinks(httpd_t)
 ')
@ -3550,7 +3617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +516,12 @@
+@@ -430,6 +512,12 @@
 ')
 optional_policy(`
@ -3563,7 +3630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	calamaris_read_www_files(httpd_t)
 ')
-@@ -512,10 +604,16 @@
+@@ -512,10 +600,16 @@
 tunable_policy(`httpd_tty_comm',`
 	# cjp: this is redundant:
 	term_use_controlling_term(httpd_helper_t)
@ -3581,7 +3648,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache PHP script local policy
-@@ -606,6 +704,10 @@
+@@ -567,7 +661,6 @@
 allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
 -allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
@@ -581,6 +674,8 @@
 manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 +auth_use_nsswitch(httpd_suexec_t)
 +
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
@@ -606,6 +701,10 @@
 miscfiles_read_localization(httpd_suexec_t)
@ -3592,7 +3676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +722,13 @@
+@@ -620,10 +719,13 @@
 	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
 	corenet_tcp_connect_all_ports(httpd_suexec_t)
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
@ -3607,7 +3691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 ')
-@@ -634,6 +739,12 @@
+@@ -634,6 +736,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
@ -3620,7 +3704,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -672,7 +783,8 @@
+@@ -655,14 +763,6 @@
 	nagios_domtrans_cgi(httpd_suexec_t)
 ')
 -optional_policy(`
 -	nis_use_ypbind(httpd_suexec_t)
 -')
 -
 -optional_policy(`
 -	nscd_socket_use(httpd_suexec_t)
 -')
 -
 ########################################
 #
 # Apache system script local policy
@@ -672,7 +772,8 @@
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -3630,7 +3729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +798,66 @@
+@@ -686,15 +787,66 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -3646,15 +3745,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 +
 +tunable_policy(`httpd_use_nfs', `
 +	fs_read_nfs_files(httpd_sys_script_t)
 +	fs_read_nfs_symlinks(httpd_sys_script_t)
 +')
 +
 +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
 	fs_read_nfs_files(httpd_sys_script_t)
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
 +	fs_read_nfs_files(httpd_sys_script_t)
 +	fs_read_nfs_symlinks(httpd_sys_script_t)
 +')
 +
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
 +	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_sys_script_t self:udp_socket create_socket_perms;
@ -3698,7 +3797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -711,6 +874,19 @@
+@@ -711,6 +863,19 @@
 ########################################
 #
@ -3718,7 +3817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 # httpd_rotatelogs local policy
 #
-@@ -728,3 +904,26 @@
+@@ -728,3 +893,26 @@
 logging_search_logs(httpd_rotatelogs_t)
 miscfiles_read_localization(httpd_rotatelogs_t)
@ -3795,7 +3894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.4/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te	2007-07-30 11:42:36.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te	2007-07-31 14:08:18.000000000 -0400
@@ -16,6 +16,9 @@
 type apcupsd_log_t;
 logging_log_file(apcupsd_log_t)
@ -3844,7 +3943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
 files_search_locks(apcupsd_t)
 +# Creates /etc/nologin
 +files_manage_etc_runtime_files(apcupsd_t)
-+files_etc_filetrans_etc_runtime(apcuspd_t,file)
+files_etc_filetrans_etc_runtime(apcupsd_t,file)
 +
 +#apcupsd runs shutdown, probably need a shutdown domain
 +init_rw_utmp(apcupsd_t)
@ -4572,7 +4671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.4/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/cups.te	2007-07-31 12:58:26.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/cups.te	2007-07-31 16:41:22.000000000 -0400
@@ -81,12 +81,11 @@
 # /usr/lib/cups/backend/serial needs sys_admin(?!)
 allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@ -4596,7 +4695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 allow cupsd_t cupsd_exec_t:lnk_file read;
 manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -150,14 +149,17 @@
+@@ -150,20 +149,24 @@
 corenet_tcp_bind_reserved_port(cupsd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
@ -4615,7 +4714,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 dev_getattr_printer_dev(cupsd_t)
 domain_read_all_domains_state(cupsd_t)
-@@ -176,6 +178,7 @@
+ 
 fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
 +fs_read_anon_inodefs_files(cupsd_t)
 mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
@@ -176,6 +179,7 @@
 term_search_ptys(cupsd_t)
 auth_domtrans_chk_passwd(cupsd_t)
@ -4623,7 +4729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 auth_dontaudit_read_pam_pid(cupsd_t)
 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-@@ -189,7 +192,7 @@
+@@ -189,7 +193,7 @@
 # read python modules
 files_read_usr_files(cupsd_t)
 # for /var/lib/defoma
@ -4632,7 +4738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
-@@ -223,21 +226,45 @@
+@@ -223,21 +227,45 @@
 sysnet_read_config(cupsd_t)
@ -4678,7 +4784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_t, cupsd_exec_t)
 ')
-@@ -250,6 +277,10 @@
+@@ -250,6 +278,10 @@
 	optional_policy(`
 		hal_dbus_chat(cupsd_t)
 	')
@ -4689,7 +4795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 optional_policy(`
-@@ -265,16 +296,16 @@
+@@ -265,16 +297,16 @@
 ')
 optional_policy(`
@ -4710,7 +4816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	seutil_sigchld_newrole(cupsd_t)
 ')
-@@ -379,6 +410,14 @@
+@@ -379,6 +411,14 @@
 ')
 optional_policy(`
@ -4725,7 +4831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
-@@ -562,7 +601,7 @@
+@@ -562,7 +602,7 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
@ -4734,7 +4840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
-@@ -589,8 +628,6 @@
+@@ -589,8 +629,6 @@
 userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
@ -6225,7 +6331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 /usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.4/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/postfix.if	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/postfix.if	2007-07-31 15:40:47.000000000 -0400
@@ -41,6 +41,8 @@
 	allow postfix_$1_t self:unix_stream_socket connectto;
@ -6235,7 +6341,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
 	read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
-@@ -132,10 +134,8 @@
+@@ -66,6 +68,7 @@
 	fs_search_auto_mountpoints(postfix_$1_t)
 	fs_getattr_xattr_fs(postfix_$1_t)
 +	fs_rw_anon_inodefs_files(postfix_$1_t)
 	term_dontaudit_use_console(postfix_$1_t)
@@ -132,10 +135,8 @@
 	corenet_tcp_connect_all_ports(postfix_$1_t)
 	corenet_sendrecv_all_client_packets(postfix_$1_t)
@ -6247,7 +6361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	')
 ')
-@@ -269,6 +269,42 @@
+@@ -269,6 +270,42 @@
 ########################################
 ## <summary>
@ -6290,7 +6404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ##	Do not audit attempts to use
 ##	postfix master process file
 ##	file descriptors.
-@@ -434,6 +470,25 @@
+@@ -434,6 +471,25 @@
 ########################################
 ## <summary>
@ -6316,7 +6430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ##	Execute postfix user mail programs
 ##	in their respective domains.
 ## </summary>
-@@ -450,3 +505,22 @@
+@@ -450,3 +506,22 @@
 	typeattribute $1 postfix_user_domtrans;
 ')
@ -6677,7 +6791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/rpc.te	2007-07-30 09:46:58.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/rpc.te	2007-07-31 14:16:40.000000000 -0400
@@ -59,10 +59,13 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -7135,8 +7249,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te	2007-07-31 16:16:14.000000000 -0400
-@@ -76,6 +76,9 @@
+@@ -33,7 +33,6 @@
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
 -allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
 # database files
 allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
@@ -51,6 +50,8 @@
 manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t)
 files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
 +auth_use_nsswitch(setroubleshootd_t)
 +
 kernel_read_kernel_sysctls(setroubleshootd_t)
 kernel_read_system_state(setroubleshootd_t)
 kernel_read_network_state(setroubleshootd_t)
@@ -76,6 +77,9 @@
 files_getattr_all_dirs(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
@ -7146,6 +7277,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 selinux_get_enforce_mode(setroubleshootd_t)
 selinux_validate_context(setroubleshootd_t)
@@ -108,6 +112,3 @@
         rpm_use_script_fds(setroubleshootd_t)
 ')
 -optional_policy(`
 -	nis_use_ypbind(setroubleshootd_t)
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.4/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/services/smartmon.te	2007-07-25 13:27:51.000000000 -0400
@ -10115,7 +10253,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.4/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/sysnetwork.te	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/sysnetwork.te	2007-07-31 16:04:09.000000000 -0400
@@ -45,7 +45,7 @@
 dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 -allow dhcpc_t self:process signal_perms;
 +allow dhcpc_t self:process { ptrace signal_perms };
 allow dhcpc_t self:fifo_file rw_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
@@ -159,6 +159,10 @@
 	dbus_connect_system_bus(dhcpc_t)
 	dbus_send_system_bus(dhcpc_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,7 +12,7 @@
 %endif
 %define POLICYVER 21
 %define libsepolver 2.0.3-2
-%define POLICYCOREUTILSVER 2.0.21-1
+%define POLICYCOREUTILSVER 2.0.22-11
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy