- Dontaudit domains trying to write to .xsession-errors

This commit is contained in:
Daniel J Walsh 2008-10-24 13:41:09 +00:00
parent 3281238148
commit 798a73de69
2 changed files with 152 additions and 69 deletions


@ -6953,7 +6953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## all protocols (TCP, UDP, etc)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-21 11:21:45.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-24 08:28:13.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@ -6983,7 +6983,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# create child processes in the domain
allow domain self:process { fork sigchld };
@@ -131,6 +141,9 @@
@@ -113,6 +123,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
+ xserver_dontaudit_rw_xdm_home_files(domain)
')
########################################
@@ -131,6 +142,9 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@ -6993,7 +7001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -140,7 +153,7 @@
@@ -140,7 +154,7 @@
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@ -7002,7 +7010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
@@ -148,3 +161,39 @@
@@ -148,3 +162,39 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -7063,7 +7071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-10-17 10:31:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-10-24 08:41:49.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@ -7076,7 +7084,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_type($1)
')
@@ -1303,6 +1308,24 @@
@@ -1060,6 +1065,24 @@
## </summary>
## </param>
#
+interface(`files_relabel_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:filesystem { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+## Relabel a filesystem to the type of a file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`files_relabelto_all_file_type_fs',`
gen_require(`
attribute file_type;
@@ -1303,6 +1326,24 @@
########################################
## <summary>
@ -7101,7 +7134,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
@@ -1889,6 +1912,26 @@
@@ -1889,6 +1930,26 @@
########################################
## <summary>
@ -7128,7 +7161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write generic files in /etc.
## </summary>
## <param name="domain">
@@ -2224,6 +2267,49 @@
@@ -2224,6 +2285,49 @@
########################################
## <summary>
@ -7178,7 +7211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
@@ -2744,6 +2830,24 @@
@@ -2744,6 +2848,24 @@
########################################
## <summary>
@ -7203,7 +7236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete symbolic links in /mnt.
## </summary>
## <param name="domain">
@@ -3394,6 +3498,8 @@
@@ -3394,6 +3516,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -7212,7 +7245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -3471,6 +3577,47 @@
@@ -3471,6 +3595,47 @@
########################################
## <summary>
@ -7260,7 +7293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
@@ -3547,6 +3694,24 @@
@@ -3547,6 +3712,24 @@
########################################
## <summary>
@ -7285,7 +7318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Relabel a file to the type used in /usr.
## </summary>
## <param name="domain">
@@ -4433,6 +4598,25 @@
@@ -4433,6 +4616,25 @@
########################################
## <summary>
@ -7311,7 +7344,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write generic process ID files.
## </summary>
## <param name="domain">
@@ -4761,12 +4945,14 @@
@@ -4761,12 +4963,14 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@ -7327,7 +7360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -4787,3 +4973,71 @@
@@ -4787,3 +4991,71 @@
typeattribute $1 files_unconfined_type;
')
@ -7894,7 +7927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-14 11:58:07.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-10-17 10:31:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-10-24 08:34:16.000000000 -0400
@@ -21,7 +21,6 @@
# Use xattrs for the following filesystem types.
@ -7915,15 +7948,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
@@ -141,6 +145,7 @@
@@ -141,6 +145,8 @@
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)
type vxfs_t;
fs_noxattr_type(vxfs_t)
@@ -241,6 +246,7 @@
@@ -241,6 +247,7 @@
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
@ -12391,7 +12425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-23 17:00:09.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-24 08:57:55.000000000 -0400
@@ -35,39 +35,24 @@
#
template(`cron_per_role_template',`
@ -12744,7 +12778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
+## Manage lib files used by cron
+## Manage pid files used by cron
+## </summary>
+## <param name="domain">
+## <summary>
@ -12752,13 +12786,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </summary>
+## </param>
+#
+interface(`cron_manage_lib_files',`
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_lib_t;
+ type crond_var_run_t;
+ ')
+
+
+ manage_files_pattern($1, crond_var_lib_t, crond_var_lib_t)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400
@ -13652,7 +13686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-17 17:55:07.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-24 09:08:08.000000000 -0400
@@ -53,19 +53,19 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -13881,7 +13915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read dbus configuration.
## </summary>
## <param name="domain">
@@ -366,3 +440,99 @@
@@ -366,3 +440,120 @@
allow $1 system_dbusd_t:dbus *;
')
@ -13936,6 +13970,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dbus_system_bus_client_template($1, $1)
+ dbus_connect_system_bus($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dbus_dontaudit_rw_system_selinux_socket($1)
+ ');
+')
+
+########################################
@ -13981,6 +14018,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ dontaudit $2 dbusd_userbus:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## dontaudit attempts to use system_dbus_t selinux_socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_dontaudit_rw_system_selinux_socket',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.13/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.te 2008-10-17 17:54:43.000000000 -0400
@ -14622,7 +14677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-23 16:59:49.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-24 08:57:28.000000000 -0400
@@ -10,6 +10,9 @@
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
@ -14682,7 +14737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- nis_use_ypbind(dnsmasq_t)
+ cron_manage_lib_files(crond_var_lib_t)
+ cron_manage_pid_files(dnsmasq_t)
')
optional_policy(`
@ -17899,7 +17954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.13/policy/modules/services/pads.te
--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-10-17 10:31:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-10-24 08:49:04.000000000 -0400
@@ -0,0 +1,68 @@
+
+policy_module(pads, 0.0.1)
@ -17940,7 +17995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+corecmd_search_sbin(pads_t)
+corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
@ -19691,7 +19746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-23 14:47:03.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-24 09:28:30.000000000 -0400
@@ -13,25 +13,57 @@
type prelude_spool_t;
files_type(prelude_spool_t)
@ -19785,6 +19840,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(prelude_t)
@@ -89,7 +132,7 @@
#
# prelude_audisp local policy
#
-
+allow prelude_audisp_t self:capability dac_override;
allow prelude_audisp_t self:fifo_file rw_file_perms;
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
@@ -110,6 +153,7 @@
corenet_tcp_sendrecv_all_if(prelude_audisp_t)
corenet_tcp_sendrecv_all_nodes(prelude_audisp_t)
@ -19793,7 +19857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t)
@@ -117,15 +161,143 @@
@@ -117,15 +161,139 @@
# Init script handling
domain_use_interactive_fds(prelude_audisp_t)
@ -19817,7 +19881,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+allow prelude_correlator_t self:capability dac_override;
+
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
@ -19827,7 +19890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+prelude_manage_spool(prelude_correlator_t)
+
+corecmd_search_sbin(prelude_correlator_t)
+corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
@ -19844,8 +19907,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+libs_use_ld_so(prelude_correlator_t)
+libs_use_shared_libs(prelude_correlator_t)
+
@ -19910,8 +19971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+fs_list_inotifyfs(prelude_lml_t)
+fs_read_anon_inodefs_files(prelude_lml_t)
+
+kernel_read_sysctl(prelude_lml_t)
+fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
@ -19937,12 +19997,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# prewikka_cgi Declarations
@@ -134,6 +306,17 @@
@@ -134,6 +302,20 @@
optional_policy(`
apache_content_template(prewikka)
files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
+ kernel_search_network_sysctl(httpd_prewikka_script_t)
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
@ -23701,6 +23764,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.13/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/tor.te 2008-10-24 08:19:01.000000000 -0400
@@ -34,7 +34,7 @@
# tor local policy
#
-allow tor_t self:capability { setgid setuid };
+allow tor_t self:capability { setgid setuid sys_tty_config };
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-10-17 10:31:27.000000000 -0400
@ -24039,7 +24114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-23 17:14:25.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-24 08:25:44.000000000 -0400
@@ -16,6 +16,7 @@
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -26652,7 +26727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-20 14:36:54.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-24 08:50:27.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@ -26755,7 +26830,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(initrc_t,initrc_tmp_t)
allow initrc_t initrc_tmp_t:file manage_file_perms;
@@ -276,7 +305,7 @@
@@ -253,6 +282,7 @@
kernel_dontaudit_getattr_message_if(initrc_t)
files_read_kernel_symbol_table(initrc_t)
+files_exec_etc_files(initrc_t)
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
@@ -276,7 +306,7 @@
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
@ -26764,7 +26847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -330,7 +359,7 @@
@@ -330,7 +360,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@ -26773,7 +26856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -371,6 +400,7 @@
@@ -371,6 +401,7 @@
libs_use_shared_libs(initrc_t)
libs_exec_lib_files(initrc_t)
@ -26781,7 +26864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
@@ -503,6 +533,7 @@
@@ -503,6 +534,7 @@
optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
@ -26789,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -521,6 +552,31 @@
@@ -521,6 +553,31 @@
')
')
@ -26821,18 +26904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -536,6 +592,10 @@
')
optional_policy(`
+ automount_exec_config(initrc_t)
+')
+
+optional_policy(`
bind_read_config(initrc_t)
# for chmod in start script
@@ -575,6 +635,10 @@
@@ -575,6 +632,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@ -26843,7 +26915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
networkmanager_dbus_chat(initrc_t)
')
')
@@ -660,12 +724,6 @@
@@ -660,12 +721,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@ -26856,7 +26928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
@@ -726,6 +784,9 @@
@@ -726,6 +781,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@ -26866,7 +26938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -738,10 +799,12 @@
@@ -738,10 +796,12 @@
squid_manage_logs(initrc_t)
')
@ -26879,7 +26951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -759,6 +822,11 @@
@@ -759,6 +819,11 @@
uml_setattr_util_sockets(initrc_t)
')
@ -26891,7 +26963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_domain(initrc_t)
@@ -773,6 +841,10 @@
@@ -773,6 +838,10 @@
')
optional_policy(`
@ -26902,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
@@ -795,3 +867,11 @@
@@ -795,3 +864,11 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@ -27753,7 +27825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
samba_run_smbmount($1, $2, $3)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-20 11:20:42.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-24 08:40:39.000000000 -0400
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@ -27835,6 +27907,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_all(mount_t)
files_read_etc_files(mount_t)
@@ -87,7 +98,7 @@
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
-files_relabelto_all_file_type_fs(mount_t)
+files_relabel_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
@@ -100,6 +111,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
@ -33169,15 +33250,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-24 08:13:54.000000000 -0400
@@ -181,8 +181,8 @@
+++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-24 09:40:08.000000000 -0400
@@ -181,8 +181,7 @@
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
@test -d $(@D) || mkdir -p $(@D)
- $(call peruser-expansion,$(basename $(@F)),$@.role)
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+# $(call peruser-expansion,$(basename $(@F)),$@.role)
+# $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(m4support) %.fc
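Review bot: The tor.te hunk widens the domain with `allow tor_t self:capability { setgid setuid sys_tty_config };`, where refpolicy's usual treatment of the sys_tty_config denials daemons trip over tty ioctls is to silence rather than grant them; unless tor genuinely configures terminals, the conventional form is to keep the original allow line and add `dontaudit tor_t self:capability sys_tty_config;` separately. In dbus.if the summary of the new `dbus_dontaudit_rw_system_selinux_socket` names `system_dbus_t` while the interface's gen_require uses `system_dbusd_t`, so the summary should read `dontaudit attempts to read and write the system_dbusd_t netlink selinux socket`. The caller of that interface closes its `ifdef(`hide_broken_symptoms', `` block with `');` — the `;` is outside the m4 quotes and, if passed through, lands in the generated policy as a bare token, whereas the other ifdef blocks in this patch close with a plain `')`; that interface starts outside the visible lines. The Makefile.devel hunk also keeps the two superseded peruser-expansion lines as `#` comments instead of deleting them, which is the sort of commented-out code that tends to outlive its reason. The patch file this section belongs to continues beyond the section on both sides.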


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
Release: 6%{?dist}
Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -462,6 +462,9 @@ exit 0
%endif
%changelog
* Thu Oct 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-7
- Dontaudit domains trying to write to .xsession-errors
* Thu Oct 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-6
- Allow nsplugin to look at autofs_t directory