- Allow allow_httpd_mod_auth_pam to work

2008-01-31 19:32:51 +00:00 · 2008-01-31 19:32:51 +00:00 · 7c124f5e42
commit 7c124f5e42
parent f18a882ba5
2 changed files with 323 additions and 86 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -3765,7 +3765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc
 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc	2008-01-24 12:34:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc	2008-01-31 08:37:54.000000000 -0500
@@ -0,0 +1,7 @@
 +
 +/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
@ -4117,8 +4117,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-25 16:48:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-31 08:42:43.000000000 -0500
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,136 @@
 +policy_module(nsplugin,1.0.0)
 +
 +########################################
@ -4188,6 +4188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +miscfiles_read_localization(nsplugin_t)
 +miscfiles_read_fonts(nsplugin_t)
 +miscfiles_manage_home_fonts(nsplugin_t)
 +
 +optional_policy(`
 +	userdom_read_user_home_content_files(user, nsplugin_t)
@ -5909,7 +5910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
 +/etc/rc.d/init.d/amavis	--	gen_context(system_u:object_r:amavis_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.2.5/policy/modules/services/amavis.if
 --- nsaserefpolicy/policy/modules/services/amavis.if	2007-06-27 10:10:38.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/amavis.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/amavis.if	2008-01-31 08:45:42.000000000 -0500
@@ -186,3 +186,88 @@
 	allow $1 amavis_var_run_t:file create_file_perms;
 	files_search_pids($1)
@ -6370,7 +6371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/apache.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/apache.te	2008-01-31 13:44:27.000000000 -0500
@@ -20,6 +20,8 @@
 # Declarations
 #
@ -6505,7 +6506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
-@@ -351,8 +388,6 @@
+@@ -351,25 +388,38 @@
 userdom_use_unpriv_users_fds(httpd_t)
@ -6514,7 +6515,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
 ') 
-@@ -361,6 +396,13 @@
+ 
 -ifdef(`TODO', `
 #
 # We need optionals to be able to be within booleans to make this work
 #
@ -6526,9 +6528,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +gen_tunable(allow_httpd_mod_auth_pam,false)
 +
 tunable_policy(`allow_httpd_mod_auth_pam',`
- 	auth_domtrans_chk_passwd(httpd_t)
+-	auth_domtrans_chk_passwd(httpd_t)
 -')
 +	auth_domtrans_chkpwd(httpd_t)
 ')
-@@ -370,6 +412,16 @@
+ 
 tunable_policy(`httpd_can_network_connect',`
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
@ -6545,7 +6550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_can_network_relay',`
 	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,6 +434,10 @@
+@@ -382,6 +432,10 @@
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
@ -6556,7 +6561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -399,11 +455,21 @@
+@@ -399,11 +453,21 @@
 	fs_read_nfs_symlinks(httpd_t)
 ')
@ -6578,7 +6583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +503,14 @@
+@@ -437,8 +501,14 @@
 ')
 optional_policy(`
@ -6594,7 +6599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -450,19 +522,13 @@
+@@ -450,19 +520,13 @@
 ')
 optional_policy(`
@ -6615,7 +6620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -472,13 +538,14 @@
+@@ -472,13 +536,14 @@
 	openca_kill(httpd_t)
 ')
@ -6634,7 +6639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -486,6 +553,7 @@
+@@ -486,6 +551,7 @@
 ')
 optional_policy(`
@ -6642,7 +6647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -521,6 +589,13 @@
+@@ -521,6 +587,13 @@
 	userdom_use_sysadm_terms(httpd_helper_t)
 ')
@ -6656,7 +6661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache PHP script local policy
-@@ -550,18 +625,24 @@
+@@ -550,18 +623,24 @@
 fs_search_auto_mountpoints(httpd_php_t)
@ -6684,7 +6689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -585,6 +666,8 @@
+@@ -585,6 +664,8 @@
 manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -6693,7 +6698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +676,7 @@
+@@ -593,9 +674,7 @@
 fs_search_auto_mountpoints(httpd_suexec_t)
@ -6704,7 +6709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -638,6 +719,12 @@
+@@ -638,6 +717,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
@ -6717,7 +6722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +742,6 @@
+@@ -655,10 +740,6 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -6728,7 +6733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache system script local policy
-@@ -668,7 +751,8 @@
+@@ -668,7 +749,8 @@
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -6738,7 +6743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +766,44 @@
+@@ -682,15 +764,44 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -6784,7 +6789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +813,15 @@
+@@ -700,9 +811,15 @@
 	clamav_domtrans_clamscan(httpd_sys_script_t)
 ')
@ -6800,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -724,3 +843,46 @@
+@@ -724,3 +841,46 @@
 logging_search_logs(httpd_rotatelogs_t)
 miscfiles_read_localization(httpd_rotatelogs_t)
@ -7581,7 +7586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.5/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/bind.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/bind.te	2008-01-31 09:00:42.000000000 -0500
@@ -53,6 +53,9 @@
 init_system_domain(ndc_t,ndc_exec_t)
 role system_r types ndc_t;
@ -7592,6 +7597,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
 ########################################
 #
 # Named local policy
@@ -222,6 +225,7 @@
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
 +corenet_tcp_bind_all_nodes(ndc_t)
 corenet_sendrecv_rndc_client_packets(ndc_t)
 domain_use_interactive_fds(ndc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.2.5/policy/modules/services/bitlbee.fc
 --- nsaserefpolicy/policy/modules/services/bitlbee.fc	2007-09-17 15:56:47.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/bitlbee.fc	2008-01-18 12:40:46.000000000 -0500
@ -7805,8 +7818,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.5/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te	2008-01-30 11:17:07.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te	2008-01-31 11:15:46.000000000 -0500
-@@ -32,6 +32,9 @@
+@@ -32,19 +32,22 @@
 type bluetooth_var_run_t;
 files_pid_file(bluetooth_var_run_t)
@ -7816,7 +7829,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
 ########################################
 #
 # Bluetooth services local policy
-@@ -44,7 +47,7 @@
+ #
 -allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
 +allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_fifo_file_perms;
 allow bluetooth_t self:shm create_shm_perms;
 allow bluetooth_t self:socket create_stream_socket_perms;
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
@ -12469,7 +12488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.te	2008-01-31 11:45:40.000000000 -0500
@@ -6,6 +6,8 @@
 # Declarations
 #
@ -12487,8 +12506,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 mta_base_mail_template(system)
 role system_r types system_mail_t;
-@@ -40,27 +43,40 @@
+@@ -37,30 +40,43 @@
- allow system_mail_t self:capability { dac_override };
+ #
 # newalias required this, not sure if it is needed in 'if' file
 -allow system_mail_t self:capability { dac_override };
 +allow system_mail_t self:capability { dac_override fowner };
 read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
 +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
@ -15087,8 +15110,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.2.5/policy/modules/services/prelude.if
 --- nsaserefpolicy/policy/modules/services/prelude.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/prelude.if	2008-01-30 15:42:04.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/prelude.if	2008-01-31 08:49:34.000000000 -0500
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,128 @@
 +
 +## <summary>policy for prelude</summary>
 +
@ -15155,11 +15178,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +interface(`prelude_admin',`
 +	gen_require(`
 +		type prelude_t;
 +		type prelude_spool_t;
 +		type prelude_var_run_t;
 +		type prelude_var_lib_t;
 +		type prelude_script_exec_t;
 +		type audisp_prelude_t;
 +		type audisp_prelude_var_run_t;
 +	')
 +
 +	allow $1 prelude_t:process { ptrace signal_perms getattr };
 +	read_files_pattern($1, prelude_t, prelude_t)
 +	        
 +	allow $1 audisp_prelude_t:process { ptrace signal_perms getattr };
 +	read_files_pattern($1, audisp_prelude_t, audisp_prelude_t)
 +	        
 +	# Allow prelude_t to restart the apache service
 +	prelude_script_domtrans($1)
@ -15167,6 +15198,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +	role_transition $2 prelude_script_exec_t system_r;
 +	allow $2 system_r;
 +
 +        manage_all_pattern($1, prelude_spool_t)
 +        manage_all_pattern($1, prelude_var_lib_t)
 +        manage_all_pattern($1, prelude_var_run_t)
 +	manage_all_pattern($1, audisp_prelude_var_run_t)
 +')
 +
 +########################################
@ -15208,7 +15243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 Binary files nsaserefpolicy/policy/modules/services/prelude.pp and serefpolicy-3.2.5/policy/modules/services/prelude.pp differ
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.5/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/prelude.te	2008-01-30 15:55:36.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/prelude.te	2008-01-31 13:09:03.000000000 -0500
@@ -0,0 +1,114 @@
 +policy_module(prelude,1.0.0)
 +
@ -15222,15 +15257,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +domain_type(prelude_t)
 +init_daemon_domain(prelude_t, prelude_exec_t)
 +
 +type prelude_spool_t;
 +files_type(prelude_spool_t)
 +
 +type prelude_var_run_t;
 +files_pid_file(prelude_var_run_t)
 +
 +type prelude_var_lib_t;
 +files_type(prelude_var_lib_t)
 +
 +type prelude_spool_t;
 +files_type(prelude_spool_t)
 +
 +type prelude_script_exec_t;
 +init_script_type(prelude_script_exec_t)
 +
@ -15968,7 +16003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/razor.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/razor.if	2008-01-31 11:58:50.000000000 -0500
@@ -137,6 +137,7 @@
 template(`razor_per_role_template',`
 	gen_require(`
@ -15994,6 +16029,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
 	##############################
 	#
@@ -218,3 +217,42 @@
 	domtrans_pattern($1, razor_exec_t, razor_t)
 ')
 +
 +########################################
 +## <summary>
 +##	Create, read, write, and delete razor files
 +##	in a user home subdirectory.
 +## </summary>
 +## <desc>
 +##	<p>
 +##	Create, read, write, and delete razor files
 +##	in a user home subdirectory.
 +##	</p>
 +##	<p>
 +##	This is a templated interface, and should only
 +##	be called from a per-userdomain template.
 +##	</p>
 +## </desc>
 +## <param name="userdomain_prefix">
 +##	<summary>
 +##	The prefix of the user domain (e.g., user
 +##	is the prefix for user_t).
 +##	</summary>
 +## </param>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +template(`razor_manage_user_home_files',`
 +	gen_require(`
 +		type user_home_dir_t, user_razor_home_t;
 +	')
 +
 +	files_search_home($2)
 +	allow $2 user_home_dir_t:dir search_dir_perms;
 +	manage_files_pattern($2,user_razor_home_t,user_razor_home_t)
 +	read_lnk_files_pattern($2,user_razor_home_t,user_razor_home_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/razor.te	2008-01-18 12:40:46.000000000 -0500
@ -16959,7 +17037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/samba.te	2008-01-28 14:28:32.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/samba.te	2008-01-31 11:27:07.000000000 -0500
@@ -26,28 +26,28 @@
 ## <desc>
@ -17070,7 +17148,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
-@@ -340,6 +347,17 @@
+@@ -320,6 +327,8 @@
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
 +term_use_ptmx(smbd_t)
 +
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -340,6 +349,17 @@
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
@ -17088,7 +17175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 optional_policy(`
-@@ -391,7 +409,7 @@
+@@ -391,7 +411,7 @@
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -17097,7 +17184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow nmbd_t self:tcp_socket create_stream_socket_perms;
 allow nmbd_t self:udp_socket create_socket_perms;
 allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +421,7 @@
+@@ -403,8 +423,7 @@
 read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
 manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@ -17107,7 +17194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
 create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +456,7 @@
+@@ -439,6 +458,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 fs_getattr_all_fs(nmbd_t)
@ -17115,7 +17202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 fs_search_auto_mountpoints(nmbd_t)
 domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +540,7 @@
+@@ -522,6 +542,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 term_list_ptys(smbmount_t)
@ -17123,7 +17210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 corecmd_list_bin(smbmount_t)
-@@ -546,28 +565,37 @@
+@@ -546,28 +567,37 @@
 userdom_use_all_users_fds(smbmount_t)
@ -17168,7 +17255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow swat_t smbd_var_run_t:file read;
 manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +605,9 @@
+@@ -577,7 +607,9 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
@ -17179,7 +17266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -602,6 +632,7 @@
+@@ -602,6 +634,7 @@
 dev_read_urand(swat_t)
@ -17187,7 +17274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 files_read_etc_files(swat_t)
 files_search_home(swat_t)
 files_read_usr_files(swat_t)
-@@ -614,6 +645,7 @@
+@@ -614,6 +647,7 @@
 libs_use_shared_libs(swat_t)
 logging_send_syslog_msg(swat_t)
@ -17195,7 +17282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 logging_search_logs(swat_t)
 miscfiles_read_localization(swat_t)
-@@ -631,6 +663,17 @@
+@@ -631,6 +665,17 @@
 	kerberos_use(swat_t)
 ')
@ -17213,7 +17300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ########################################
 #
 # Winbind local policy
-@@ -679,6 +722,8 @@
+@@ -679,6 +724,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@ -17222,7 +17309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
-@@ -766,6 +811,7 @@
+@@ -766,6 +813,7 @@
 optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
@ -17230,7 +17317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 ########################################
-@@ -790,3 +836,37 @@
+@@ -790,3 +838,37 @@
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 	')
 ')
@ -18171,7 +18258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +/etc/rc.d/init.d/spamd	--	gen_context(system_u:object_r:spamd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if	2008-01-31 12:54:45.000000000 -0500
@@ -37,7 +37,9 @@
 	gen_require(`
@ -18384,9 +18471,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 -	libs_use_shared_libs($1_spamassassin_t)
 -
 -	logging_send_syslog_msg($1_spamassassin_t)
-
+	ifelse(`$1',`user',`',`
 +		typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
 +		typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
 +		typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
 +	')
 +
 +	manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 -	miscfiles_read_localization($1_spamassassin_t)
-
+	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
 +	domtrans_pattern($2, spamc_exec_t, spamc_t)
 -	# cjp: this could probably be removed
 -	seutil_read_config($1_spamassassin_t)
 -
@ -18448,24 +18549,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 -		# Write pid file and socket in ~/.evolution/cache/tmp
 -		evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file })
 -	')
-+	ifelse(`$1',`user',`',`
+-
 +		typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
 +		typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
 +		typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
 +	')
 +
 +	manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 +	relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
 -	optional_policy(`
 -		# cjp: clearly some redundancy here
-+	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+-
 +	domtrans_pattern($2, spamc_exec_t, spamc_t)
 -		nis_use_ypbind($1_spamassassin_t)
 -
 -		tunable_policy(`spamassassin_can_network && allow_ypbind',`
@ -18480,6 +18567,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 ')
 ########################################
@@ -370,7 +122,7 @@
 #
 interface(`spamassassin_exec_spamd',`
 	gen_require(`
 -		type spamd_exec_t;
 +		type spamd_eoxec_t;
 	')
 	can_exec($1,spamd_exec_t)
@@ -398,11 +150,65 @@
 ## </param>
 #
@ -18590,7 +18686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
 ')
-@@ -528,3 +355,101 @@
+@@ -528,3 +355,133 @@
 	dontaudit $1 spamd_tmp_t:sock_file getattr;
 ')
@ -18691,10 +18787,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +        manage_all_pattern($1,spamd_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read spamassassin per user homedir
 +## </summary>
 +## <desc>
 +##	<p>
 +##	Read spamassassin per user homedir
 +##	</p>
 +##	<p>
 +##	This is a templated interface, and should only
 +##	be called from a per-userdomain template.
 +##	</p>
 +## </desc>
 +## <param name="userdomain_prefix">
 +##	<summary>
 +##	The prefix of the user domain (e.g., user
 +##	is the prefix for user_t).
 +##	</summary>
 +## </param>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +template(`spamassassin_manage_user_home_files',`
 +	gen_require(`
 +		type user_spamassassin_home_t;
 +	')
 +
 +	manage_files_pattern($1, user_spamassassin_home_t, user_spamassassin_home_t)
 +	razor_manage_user_home_files(user,$1)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te	2008-01-31 12:52:59.000000000 -0500
@@ -21,8 +21,9 @@
 gen_tunable(spamd_enable_home_dirs,true)
@ -18802,7 +18930,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 	dcc_stream_connect_dccifd(spamd_t)
 ')
-@@ -212,3 +254,206 @@
+@@ -198,6 +240,10 @@
 optional_policy(`
 	razor_domtrans(spamd_t)
 +	tunable_policy(`spamd_enable_home_dirs',`
 +		razor_manage_user_home_files(user,spamd_t)
 +	')
 +
 ')
 optional_policy(`
@@ -212,3 +258,206 @@
 optional_policy(`
 	udev_read_db(spamd_t)
 ')
@ -19847,7 +19986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.if	2008-01-25 16:50:51.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/xserver.if	2008-01-31 11:12:11.000000000 -0500
@@ -15,6 +15,7 @@
 template(`xserver_common_domain_template',`
 	gen_require(`
@ -21211,7 +21350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-23 09:15:22.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-31 13:43:36.000000000 -0500
@@ -99,7 +99,7 @@
 template(`authlogin_per_role_template',`
@ -21303,15 +21442,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 	optional_policy(`
-@@ -356,6 +398,7 @@
+@@ -356,6 +398,28 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
 +	auth_domtrans_upd_passwd($1)
 +')
 +
 +########################################
 +## <summary>
 +##	Run unix_chkpwd to check a password.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`auth_domtrans_chkpwd',`
 +	gen_require(`
 +		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 +	')
 +
 +	corecmd_search_sbin($1)
 +	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
 +	dontaudit $1 shadow_t:file { getattr read };
 +	auth_domtrans_upd_passwd($1)
 ')
 ########################################
-@@ -369,12 +412,12 @@
+@@ -369,12 +433,12 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -21326,7 +21486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	</summary>
 ## </param>
 #
-@@ -386,6 +429,7 @@
+@@ -386,6 +450,7 @@
 	auth_domtrans_chk_passwd($1)
 	role $2 types system_chkpwd_t;
 	allow system_chkpwd_t $3:chr_file rw_file_perms;
@ -21334,7 +21494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 ########################################
-@@ -1457,6 +1501,7 @@
+@@ -1457,6 +1522,7 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 		samba_read_var_files($1)
@ -21342,7 +21502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
-@@ -1491,3 +1536,23 @@
+@@ -1491,3 +1557,23 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -21368,7 +21528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te	2008-01-22 12:59:23.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te	2008-01-31 11:33:23.000000000 -0500
@@ -59,6 +59,9 @@
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
@ -22671,6 +22831,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 +	xen_append_log(lvm_t)
 +	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.2.5/policy/modules/system/miscfiles.fc
 --- nsaserefpolicy/policy/modules/system/miscfiles.fc	2007-08-22 17:33:53.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/system/miscfiles.fc	2008-01-31 08:38:35.000000000 -0500
@@ -80,3 +80,4 @@
 /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 +HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.5/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2007-11-16 13:45:14.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/system/miscfiles.if	2008-01-31 08:40:50.000000000 -0500
@@ -489,3 +489,44 @@
 	manage_lnk_files_pattern($1,locale_t,locale_t)
 ')
 +########################################
 +## <summary>
 +##	Read user homedir fonts.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`miscfiles_read_home_fonts',`
 +	gen_require(`
 +		type user_fonts_home_t;
 +	')
 +
 +	read_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
 +	read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Read user homedir fonts.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`miscfiles_manage_home_fonts',`
 +	gen_require(`
 +		type user_fonts_home_t;
 +	')
 +
 +	manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t)
 +	manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
 +	manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.2.5/policy/modules/system/miscfiles.te
 --- nsaserefpolicy/policy/modules/system/miscfiles.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/system/miscfiles.te	2008-01-31 08:42:09.000000000 -0500
@@ -20,6 +20,14 @@
 files_type(fonts_t)
 #
 +# fonts_t is the type of various font
 +# files in /usr
 +#
 +type user_fonts_home_t;
 +userdom_user_home_type(user_fonts_home_t)
 +files_type(user_fonts_home_t)
 +
 +#
 # type for /usr/share/hwdata
 #
 type hwdata_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.5/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if	2007-03-26 10:39:07.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/system/modutils.if	2008-01-18 12:40:46.000000000 -0500
@ -24389,7 +24623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-25 11:51:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-31 08:42:16.000000000 -0500
@@ -29,9 +29,14 @@
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
 %endif
 %changelog
 * Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-23
 - Allow allow_httpd_mod_auth_pam to work
 * Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-22
 - Add audisp policy and prelude