- Allow xdm to talk to input device (fingerprint reader)

- Allow octave to run as java
2007-09-26 22:01:27 +00:00 · 2007-09-26 22:01:27 +00:00 · 7c1c1729f9
commit 7c1c1729f9
parent d770c53fe9
2 changed files with 156 additions and 82 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -314,7 +314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 +/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if
 --- nsaserefpolicy/policy/modules/admin/alsa.if	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if	2007-09-22 06:43:02.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if	2007-09-25 15:03:17.000000000 -0400
@@ -74,3 +74,39 @@
 	read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
 	read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
@ -1508,7 +1508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 application_executable_file(gconfd_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2007-09-20 18:08:22.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2007-09-25 17:13:09.000000000 -0400
@@ -11,6 +11,7 @@
 #
 /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
@ -1528,7 +1528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
 +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
 +
 +/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
-+
+/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-08-02 08:17:26.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/apps/java.if	2007-09-20 18:26:14.000000000 -0400
@ -2565,7 +2565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2007-09-25 12:10:32.000000000 -0400
@@ -45,6 +45,11 @@
 	# start with basic domain
 	domain_base_type($1)
@ -5117,7 +5117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-09-24 14:34:13.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-09-25 15:01:58.000000000 -0400
@@ -48,9 +48,7 @@
 type hplip_t;
 type hplip_exec_t;
@ -5280,15 +5280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	seutil_sigchld_newrole(cupsd_t)
 ')
-@@ -331,6 +355,7 @@
+@@ -377,6 +401,14 @@
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
 dev_read_rand(cupsd_config_t)
 +dev_rw_generic_usb_dev(cupsd_config_t)
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
@@ -377,6 +402,14 @@
 ')
 optional_policy(`
@ -5303,19 +5295,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
-@@ -526,11 +559,6 @@
+@@ -525,11 +557,9 @@
 allow hplip_t cupsd_etc_t:dir search;
 cups_stream_connect(hplip_t)
- 
+-
 -allow hplip_t hplip_etc_t:dir list_dir_perms;
 -read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
 -read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
 -files_search_etc(hplip_t)
-
+# For CUPS to run as a backend
 +allow cupsd_t hplip_t:process signal;
 +allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms;
 manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
 files_pid_filetrans(hplip_t,hplip_var_run_t,file)
- 
+@@ -560,7 +590,7 @@
@@ -560,7 +588,7 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
@ -5324,7 +5319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +615,6 @@
+@@ -587,8 +617,6 @@
 userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
@ -6465,7 +6460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if	2007-09-25 11:00:13.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if	2007-09-25 13:08:41.000000000 -0400
@@ -42,6 +42,10 @@
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
@ -6477,7 +6472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
-@@ -172,3 +176,47 @@
+@@ -172,3 +176,51 @@
 	allow $1 krb5kdc_conf_t:file read_file_perms;
 ')
@ -6498,11 +6493,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +		type krb5_host_rcache_t;
 +	')
 +
 +	tunable_policy(`allow_kerberos',`
 +		files_search_tmp($1)
 +		allow $1 self:process setfscreate;
 +		selinux_validate_context($1)
 +		seutil_read_file_contexts($1)
 +		allow $1 krb5_host_rcache_t:file manage_file_perms;
 +	')
 +	# creates files as system_u no matter what the selinux user
 +	domain_obj_id_change_exemption($1)
 +')
 +
 +########################################
@ -7649,7 +7648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 /usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.if	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postfix.if	2007-09-26 10:26:56.000000000 -0400
@@ -41,6 +41,8 @@
 	allow postfix_$1_t self:unix_stream_socket connectto;
@ -7659,7 +7658,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
 	read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
-@@ -66,6 +68,7 @@
+@@ -56,6 +58,8 @@
 	allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
 	files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
 +	auth_use_nsswitch(postfix_$1_t)
 +
 	kernel_read_system_state(postfix_$1_t)
 	kernel_read_network_state(postfix_$1_t)
 	kernel_read_all_sysctls(postfix_$1_t)
@@ -66,6 +70,7 @@
 	fs_search_auto_mountpoints(postfix_$1_t)
 	fs_getattr_xattr_fs(postfix_$1_t)
@ -7667,19 +7675,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	term_dontaudit_use_console(postfix_$1_t)
-@@ -132,10 +135,8 @@
+@@ -132,11 +137,6 @@
 	corenet_tcp_connect_all_ports(postfix_$1_t)
 	corenet_sendrecv_all_client_packets(postfix_$1_t)
 -	sysnet_read_config(postfix_$1_t)
 -
- 	optional_policy(`
+-	optional_policy(`
 -		nis_use_ypbind(postfix_$1_t)
-+		auth_use_nsswitch(postfix_$1_t)
+-	')
 	')
 ')
-@@ -269,6 +270,42 @@
+ ########################################
@@ -269,6 +269,42 @@
 ########################################
 ## <summary>
@ -7722,7 +7730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ##	Do not audit attempts to use
 ##	postfix master process file
 ##	file descriptors.
-@@ -434,6 +471,25 @@
+@@ -434,6 +470,25 @@
 ########################################
 ## <summary>
@ -7748,7 +7756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ##	Execute postfix user mail programs
 ##	in their respective domains.
 ## </summary>
-@@ -450,3 +506,22 @@
+@@ -450,3 +505,22 @@
 	typeattribute $1 postfix_user_domtrans;
 ')
@ -7773,7 +7781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.te	2007-09-25 10:06:53.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postfix.te	2007-09-26 10:27:53.000000000 -0400
@@ -6,6 +6,14 @@
 # Declarations
 #
@ -7813,37 +7821,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ########################################
 #
 # Postfix master process local policy
-@@ -168,6 +186,11 @@
+@@ -164,10 +182,9 @@
 # postfix does a "find" on startup for some reason - keep it quiet
 seutil_dontaudit_search_config(postfix_master_t)
 -sysnet_read_config(postfix_master_t)
 -
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 +term_dontaudit_search_ptys(postfix_master_t)
 +
 +optional_policy(`
 +	auth_use_nsswitch(postfix_master_t)
 +')
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
-@@ -179,9 +202,17 @@
+@@ -179,7 +196,11 @@
 ')
 optional_policy(`
 -	nis_use_ypbind(postfix_master_t)
 +	mysql_stream_connect(postfix_master_t)
 +')
 +
 +optional_policy(`
- 	nis_use_ypbind(postfix_master_t)
+	sendmail_signal(postfix_master_t)
 ')
 +optional_policy(`
 +	sendmail_signal(postfix_master_t)
 +')
 +
 ###########################################################
- #
+@@ -263,6 +284,8 @@
 # Partially converted rules.  THESE ARE ONLY TEMPORARY
@@ -263,6 +294,8 @@
 files_read_etc_files(postfix_local_t)
@ -7852,7 +7855,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
-@@ -377,7 +410,7 @@
+@@ -336,8 +359,6 @@
 seutil_read_config(postfix_map_t)
 -sysnet_read_config(postfix_map_t)
 -
 tunable_policy(`read_default_t',`
 	files_list_default(postfix_map_t)
 	files_read_default_files(postfix_map_t)
@@ -377,7 +398,7 @@
 # Postfix pipe local policy
 #
@ -7861,7 +7873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-@@ -386,6 +419,10 @@
+@@ -386,6 +407,10 @@
 rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
 optional_policy(`
@ -7872,7 +7884,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	procmail_domtrans(postfix_pipe_t)
 ')
-@@ -426,6 +463,11 @@
+@@ -418,14 +443,17 @@
 term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
 -sysnet_dns_name_resolve(postfix_postdrop_t)
 -
 mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
 optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')
@ -7884,7 +7904,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 optional_policy(`
 	ppp_use_fds(postfix_postqueue_t)
 	ppp_sigchld(postfix_postqueue_t)
-@@ -505,8 +547,6 @@
+@@ -454,8 +482,6 @@
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
 -sysnet_dontaudit_read_config(postfix_postqueue_t)
 -
 ########################################
 #
 # Postfix qmgr local policy
@@ -498,15 +524,11 @@
 term_use_all_user_ptys(postfix_showq_t)
 term_use_all_user_ttys(postfix_showq_t)
 -sysnet_dns_name_resolve(postfix_showq_t)
 -
 ########################################
 #
 # Postfix smtp delivery local policy
 #
@ -7893,7 +7929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 # connect to master process
 stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -514,6 +554,8 @@
+@@ -514,6 +536,8 @@
 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@ -7902,7 +7938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
-@@ -538,9 +580,45 @@
+@@ -538,9 +562,45 @@
 mta_read_aliases(postfix_smtpd_t)
 optional_policy(`
@ -8265,8 +8301,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2007-09-22 07:43:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2007-09-25 11:50:50.000000000 -0400
-@@ -64,9 +64,10 @@
+@@ -36,6 +36,8 @@
 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(rlogind_t,rlogind_devpts_t)
 +domain_interactive_fd(rlogind_t)
 +
 # for /usr/lib/telnetlogin
 can_exec(rlogind_t, rlogind_exec_t)
@@ -64,9 +66,10 @@
 fs_getattr_xattr_fs(rlogind_t)
 fs_search_auto_mountpoints(rlogind_t)
@ -8278,7 +8323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
 files_read_etc_files(rlogind_t)
 files_read_etc_runtime_files(rlogind_t)
-@@ -82,21 +83,17 @@
+@@ -82,21 +85,17 @@
 miscfiles_read_localization(rlogind_t)
@ -8702,7 +8747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/samba.te	2007-09-25 17:09:36.000000000 -0400
@@ -137,6 +137,11 @@
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
@ -9302,7 +9347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2007-09-26 11:12:03.000000000 -0400
@@ -67,6 +67,7 @@
 corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
@ -9618,7 +9663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.8/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ssh.if	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ssh.if	2007-09-25 12:18:11.000000000 -0400
@@ -202,6 +202,7 @@
 #
 template(`ssh_per_role_template',`
@ -9743,8 +9788,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/telnet.te	2007-09-22 07:45:00.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/telnet.te	2007-09-25 11:50:42.000000000 -0400
-@@ -32,7 +32,6 @@
+@@ -32,12 +32,13 @@
 allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@ -9752,7 +9797,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
 allow telnetd_t self:capability { setuid setgid };
 allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
-@@ -62,10 +61,12 @@
+ term_create_pty(telnetd_t,telnetd_devpts_t)
 +domain_interactive_fd(telnetd_t)
 +
 manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
 manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
 files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
@@ -62,10 +63,12 @@
 fs_getattr_xattr_fs(telnetd_t)
@ -9765,7 +9817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
 files_read_etc_files(telnetd_t)
 files_read_etc_runtime_files(telnetd_t)
 # for identd; cjp: this should probably only be inetd_child rules?
-@@ -80,27 +81,26 @@
+@@ -80,27 +83,26 @@
 miscfiles_read_localization(telnetd_t)
@ -10272,7 +10324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-21 19:21:31.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-26 09:40:50.000000000 -0400
@@ -16,6 +16,13 @@
 ## <desc>
@ -10317,7 +10369,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
-@@ -246,6 +259,7 @@
+@@ -197,6 +210,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
 +dev_rw_input_dev(xdm_t)
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
@@ -246,6 +260,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -10325,7 +10385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
-@@ -257,6 +271,7 @@
+@@ -257,6 +272,7 @@
 libs_exec_lib_files(xdm_t)
 logging_read_generic_logs(xdm_t)
@ -10333,7 +10393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
-@@ -268,9 +283,14 @@
+@@ -268,9 +284,14 @@
 userdom_create_all_users_keys(xdm_t)
 # for .dmrc
 userdom_read_unpriv_users_home_content_files(xdm_t)
@ -10348,7 +10408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -306,6 +326,11 @@
+@@ -306,6 +327,11 @@
 optional_policy(`
 	consolekit_dbus_chat(xdm_t)
@ -10360,7 +10420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 optional_policy(`
-@@ -348,12 +373,8 @@
+@@ -348,12 +374,8 @@
 ')
 optional_policy(`
@ -10374,7 +10434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
-@@ -385,7 +406,7 @@
+@@ -385,7 +407,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -10383,7 +10443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +446,10 @@
+@@ -425,6 +447,10 @@
 ')
 optional_policy(`
@ -10394,7 +10454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
-@@ -434,47 +459,20 @@
+@@ -434,47 +460,20 @@
 ')
 optional_policy(`
@ -13472,12 +13532,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-09-22 06:43:22.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-09-25 15:03:25.000000000 -0400
-@@ -184,6 +184,10 @@
+@@ -184,6 +184,11 @@
 ')
 optional_policy(`
 +	alsa_search_lib(udev_t)
 +	alsa_read_lib(udev_t)
 +')
 +
 +optional_policy(`
@ -15559,7 +15620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.8/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/xen.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/xen.te	2007-09-25 15:21:46.000000000 -0400
@@ -45,9 +45,7 @@
 type xenstored_t;
@ -15679,15 +15740,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 corenet_tcp_sendrecv_generic_if(xm_t)
 corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -353,6 +355,7 @@
+@@ -351,8 +353,11 @@
 storage_raw_read_fixed_disk(xm_t)
 +fs_getattr_all_fs(xm_t)
 +
 term_use_all_terms(xm_t)
 +init_stream_connect_script(xm_t)
 init_rw_script_stream_sockets(xm_t)
 init_use_fds(xm_t)
-@@ -366,3 +369,14 @@
+@@ -363,6 +368,19 @@
 sysnet_read_config(xm_t)
 +userdom_dontaudit_search_sysadm_home_dirs(xm_t)
 +
 xen_append_log(xm_t)
 xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -365,6 +365,10 @@ exit 0
 %endif
 %changelog
 * Tue Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-14
 - Allow xdm to talk to input device (fingerprint reader)
 - Allow octave to run as java
 * Tue Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-13
 - Allow login programs to set ioctl on /proc