From 7f5d8f30d0f7a6a4da85a728d02d4f2286b28232 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Tue, 27 Jul 2010 17:28:04 +0000
Subject: [PATCH] - Update boinc policy - Fix sysstat policy to allow sys_admin
 - Change failsafe_context to unconfined_r:unconfined_t:s0

---
 config.tgz          | Bin 3007 -> 2987 bytes
 policy-F14.patch    | 113 ++++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec |   7 ++-
 sources             |   1 -
 4 files changed, 98 insertions(+), 23 deletions(-)

diff --git a/config.tgz b/config.tgz
index 32fecce0605ae26257995d2fa5e6e5302fd0469f..261918710c1f7eeb2c19a3dc40b614a9e6193c8c 100644
GIT binary patch
literal 2987
zcmXX{c{tSj7aq&l!<A&skf;!qEKy@^vz3Zu87W(~(4a+MH$u2bMY4@0%O!(k$~M-f
zBIA<1E*k5I!3<``%=hz~=RUvl=li_RdEV!o_q<0nMFbHq=V*rzSn+TRrF_`aAIQ-j
z8((;e-J7BEyUTr_SWvV0?>?(bvI*Y*)cN{+8TOGOEJAvRzBG2H96TVVLRwJr3c7r@
zRD)`2))M1d_T_L>A*NMBf`1CTRPLt~xf7ADJ=CB~u2r6ls*xCCxG#%+)VqIm*Vh)2
zWAQbeiKzb3aMR)S<305?z}Q1*-9Cq+Q`jbPy`zBgnL5>=n^FmpYJX_ovV#tp9ch6f
zC+{<GQRwV9^UY=_UyDE9e6fECV^!w-_w>j=iQaR-_^gHe8Ah~p2^DLp;90hPo}sE-
z+^lkVM1HQhrCsR-#V5z6M>2TG`1<O(ghhfzjs0TfL9sBWjJ|U<*j2S;neb@Lt&I4$
z94diu(lUHP(Dbg$-0or&dR{@+M(*cJWSJ|H6o}e(o+cHyRq1tvd*tH3eEj~m`I4AV
zKx%-qMIE`oUA3R8H0iq}vtZKyg(Y>V?zC(Ujdn9C?lZkOJ6E=2|2O>#anbc-lGO6#
zVoqaI{4!O9t0!vs;m~WCh}%ndl%=Q|m!%&#Nb$Y|zCNBUFnek2pnB&+1;kxmC@aus
zPvW89j{XkiQng1z9r{ND6cP`<*)(6(oBHL`kh~a&QOn%*?bn}XGI@eg>uo33iuj+}
z><elvz3qJH-uD^J3&kzCsI8Jma^1KlJZ-pcz6MSaLAq4goYBryMq%LX<Ii0ZXto=v
zukEO2owBOoxI@GD{3CCl$=|C8RD%ecgza3P(^v!jYAzwT_m0_UT?HV-?45vAq({KN
zZ)KZx3vd!PJE7OIy1o-bGr9)gK=X^4^G)GRghYH#szD0&I{ithK@F>s<<z%oo3~e^
z2-fjU--##1T%e4EE|a~THHS^J20kq{ZpJBB{@4!Qyc8=uDxwB*6?OJLI6Gi{*73Je
z1(OyXX#^AO(mx1J6NSFl9iRF4nC))Mp2;5{+U6_locx4sWxnqj4}X>&S6x*wr|v*2
zDQ%<~k=HbJ*Y50?VWgU=XQ>Udk;T?emny4*oEVLOT*Bo$3{SQZ7KnkYt2;C$xiyS%
zJO^E01zV=aIMS~4tv37;bM6gxOI<yB*zKN2M90&3miwdfN9^*%4Dfa=C|Tb81nj5i
zoDE8?y!gO-^UqKK?ntu0r@YSQREu)aAEa9P^_p7)qO8T;w-Y0ho+RY=D9dlRB)%Mu
zy5n_EmpJYRQH|u+l#?jL=3|A2nazsQK*0`>8M^Y|pExOq#hEO}1148o9qUQtU)&B=
z<(Wc@vC4he_Eldp4EB2#vOp(e&?RIV`q7R+j7|ij@|041pVH0KU}HP#I3vVEc5;%%
znVFd>!?NvP|0I8T=g^4~Uv>#{a6BpdV7J^%Gsag{Qk2*y&CZ}0U-(L*?r_#9T`fLX
z>e=WK=?!RNrjU<|&Q<|oK~hY-K;OZT;UDyX<2PQ7`H_UQV;bGBjQRDE9><Kljdk#f
zq$UC})GTyDJ1xcA<s0IZDgVXwDMoN4hqQTvn<%HO6>}~)k$JYEo5U&%xqd2T==|*j
zw~2t2RST_F#k&FJdF&BB7a15N)fa0VF_{qDj-FzpTO|&FU4;tZ=)>K=AYK3KUpEX}
zcha&OV)_DBjIK_F*tu!GwAs9_F_2kcbf2YKmK$sBO2#4%!%B_4Yf}ch1bDiI!&R;3
zlYh2Tdt)<z{ld!lE=b@6I2FkuM-~A*(hRr_ot#GeYt~ICHsB4%*9tR1&CU81B9b#2
z=Ti5&<oLGEd#Wqx9|z<9^ewk1mG#ykpWf?{=<eR?3Ly8c)~k9ztD`^#H#*r;x?Ype
zMh}kGUJSRUt&YCau}|4*Ab$1@^VgL-Jal>L7!G+9R26x8(4kU1xdt2yFhVf#d>dPZ
z<E<8%k~{S7WgS*+EZI_CKJ`fDJLmW1sW-b(^;8X&2_|1w;^!iKkYVJ-`N?db1y|*F
zvSu0@`coMETG3<EHh&Q=+Gj(msVnNW8fuP7t^=dhpdul@9RwoKA0w(c5sO4bf$$QO
ztVnVjOw8}(t6+t`qZ6|P=;-V1>7YKPr$eB{M}$S}xFKujl8_8an@N4(!(Cg{8b%=N
zMpnp0jBG6iZxi?D)w~cwbI1IR7vPY-r%ihI$ALJN<;&>gl=uu#g-WJ-ow&qA-{B_S
z94`pS^*jNV$7|us;$DHHK2|?~<B)g#IEJ@?I1k{%lm^Qki(F!7k*kJ$=S#<`v<W1K
zv2lCGGIP>5?)l@xV=IF)rvzsoJS)cO4BB6`o^|@A^7oMhG32W4ey#MMdpHd3Q#ZJD
zPP*gYz;{w}7>bY>fQI>Ra05r6<ENa#u$Dc738_Rk!Acd)tw<3T5MxZ?K)Emu2(d#4
zw=lVIZr2hqN0S!-Ld(R;H+kmV6$!Ojq9@m=Yx`jtm!QlGJY9J-yx;Vo+*844#;xjM
zH*F@nSHRLH(e4_kLgD~+TzUgTfU|pQfFM`TBl-|mZ-8-9N`!@X1-;WSoJ&&}0HgdF
zb4@`!%megNMxbjr@CGRprk4Slq!}AL8QEP+P>w#&kQ_K2qS%X8x5@IzZlD)y!qrn{
z;*qUv48sR8mu9qUom1$^)gu{>t)qM6*3r7rd+02FuHJf3v7u;fN*FeC9nB-lRe|$F
zK7ci^27Bmi%rL~MOIvjr4l*at<e}z?&Ro4NI+KMK{{-Goe_Mnq`GxYuy!<pq56lAX
z0Vw?8G*L1Z9`do80Hc+ln+n_#kju~}P6g24eyhYwt_@0W00!GJjc<i0_aE^y^pou<
zX9N~3IC$ZK-x$MgF7%D<c)AK;zVsl#3G+q}m6UObd>a&*oFh#qU^<dI3@wB@1G+j~
zfZdbI!uXOR0rA2z*aW5#{Ou3&+nAho0F`OL0xZp`;lYwM?ggD#4L`s7Bz_v4KrjlA
zD22n0TKsR^fln=knB`{$9L2|&>Dgv7V(85r?BkBpU90h7g+40#L>aGM<#;|rW~<kl
zV0H5(sav3D2P#{xXNM+8vD5FjuNQhi_ZIIrIBnILYn?BZe<PRj?Bib!eeIDDb53pW
z@$70DF`kdLl0PW!PPLd$rtJ#f7uxg-nZI85QQYP0no)<Z!S2Xe(%vKPw)>+K+zHU#
zOB_q@4vzwhY3*$=^fb2e7kcWBJP0*CQVoXq`+18k`D9GzY8Ds#zEuEyR!G%Wy?cT3
zHgRnJW{?|vJ1NE#J0SX3F70TH19!U{dd};>Brid(rNSbdQT_qY6!e*e&KG%=34XBA
z;uDa)muy3giM?*fa7?<*gV=K+JqFuOrj5_C75BXk9N~A5llgC0WqDxzBN0$@aG(T9
zI$zi*H1=qs{JHb?6VvndX9@WuX?CVdD1$9UwFPij9Yx&)?wrsa-f#cY9SAV*i7xU&
z&rZ-<0YogLb$Sz77~KrXPHaNWoIt4eI||}8lNna~EGJk-;sG{%`qRpTbeFD;ROE;E
zlI&lg(%SsR3UN6C0%Resl<qVGopxK5KUfMycC(TKTD$o!txs)!+?uMxaYy-GchLUz
z9?H9GBX%BM(O0KimA30z%~&C8ydIgv4VFnN2ol=y4$^kaUT0KN7Ami4KJdSRBsBqY
z8pur$UM4o+Tma=|OG#|D6$Bu~KQh)SP}!X24jviKl|q37=KVZVnP1@$B(`WEIxT>A
zEnXjBlKgu5A753ceI3M1KsirTBltZ9>LsK`z#^Z)PWE2~Fu0|T5`%NgNSh#r2mA98
zfo&59)3A~<siavruq>gk&N9^K$T|=b;T(0wu^~91{zs3}bIsm@sU(A+5jofLZ*|(5
WZn{Y!{$K8zu#|#+Rv%&wf%qSSvsjb>

literal 3007
zcmXX_c|6nqAD>%9`o>7PN}*ypsAMfy$~TM>xt4MygmR28K3J_oj;LJah*A-vM2@W-
zbCjv3k+g;77=1T3X134!=llJAUw^({kLTn0dOQ!EG<n1|#|wWVq~?6igpVKiqd!En
zv$2(`#jca~*IXE&v`f|>k~*=}e(t5IYFftNRxe+zhyKVFMlLNN|GHtP0;_{>Hqh{R
zi_y*JJL)_{b+=;KoTMavwyAteXKK>h2ER9$5byjatVSYhsOU;S-jn9q>VYx4n&;L<
zfk~+YZXBll^ih)v3*hi_#|q|_ds0+R#ew6La6(Ki`#>GMKdkSZkg>a}Q*BQdNmX0@
z2Y}qp9feE7Cq5owHD?<nA-kFj#{_i8yhqU*eyYsq#&)B5f^PYwSYEAWg9B$r8{--@
zh8RVch7w$acLVWht}VSerhi$l98hp~F1O~fO?KE_a8Z@T=icc(_99?TLLqh{YP6iB
z=*hnq9v(@gz2X-S__#PHi+I?I;(+7$+@QSEES>6<?_NZm`uXZML8YTnn_j@PQ^YYd
zhcWpt&qY<$Mcz72y_-f1xC#|UPREz8n~v;re8Nw(9Mzp~nPUCk1MZxj%1xKXt1Yum
z+WEzMdB2a2B*JeN-ZWk;fJx=*3n<l}ItLzQc2dhi&%h3%QFPo67gY@N>={_N<m`s=
z<1OKmY7|d(PD@pFRKB0y-d~33e5KPZe*9O90$neW6Jq<k)Xg%>J~bBhITb5+$s+4m
zIUM8sHc%_aUMsZSCohoKpLCa+DzCc4Z$02XItZ<IdB=~>AIQ)*=*|V=4%$8D$^*-?
z=h<}`x?PS+ykjoPAD?`EO25_%udF04&!MN&e3%CBZrG$I!Hfpu_Q<di{YB`fhPD9G
z%36Z{pbXcUo8F5{_`y8F0*-X_BDg=@WWIVdOq|@)<g<-y;t@z+uEwvAp%K0}B>AUD
zo7j>lu{>;WqnEvdO~L`w5KTj3UY}vxx>#Ff{)GzR<qJ<lp_)dA>xO3qQ3XrQX+^K=
z=eN2uV6)4EEOI)nb~KwS$7ec6I(^^2T-4c3t;hdqxp!K1jGcC=RO<2D^`4E>Z}*Mz
z63pU#ztO_cCB*M=jo8#dY*rlx7Dli`Q2W_Q=>AWW6ScsC9BeZ6%g(AAcx}E48-_jQ
zG4>1zGTC{^DUxzks{W7D>+c36ZDJ%+DsSfzq{GK`qOzTzATaOMwiErdI#<LeF~hni
zfXcDzcKbcPB?jvroy4T{5xv1QHjGe)-dOwafFxE3jRa0YU*AiK=_yC;{d6PlOx*zc
zPK#-4l089_AoHhY39uMoeS9a~lGx2B-TpqY^=h)4ki;2UCb2x2;PsKsMXhat<FO)6
ziP3STqr}H{L7^IvSXQ)$ut3pF$6q^meVeC?w};V&j%+U`flN=Joz(Sk>mL1?KlD{u
zOgaCUU?|3HoYkQMbbHJZ5M6?XQEeZl-ZG5E;SHgopl<E=$)Neql1FWpM3CxI4GkJ$
ziAbyzK$px1lSr%1Hs38@@$o&&U6p;gX(1KW9wu{^IH7N#Thxp}l5Z9pYE-QEj~31_
zu8cv%xp%^1WG#$odLh)>4%AbsxnPHL#C^1JeFge(fOg4e=t~F>@{2qD5)QY9bCH5L
zmB7y1ccY@}x7!PgFsJ*kWh%Sn3@^Tn@g4ZYeJ^gvJdwywt~3#osF4N1H^H#Ch;dmL
z*stsLb-L8&Y{3l7ke8ivy?Jp8tNh`y>xUCIJ1G5T<*6S-3HJ~i%C33?LbD~>`0r+-
zD^R*53O`c<JUKs6#gLfCFD4~gl{fdfBgBhy<0xq5>W|i9Dt%3tgcIl<6DPpS>>%E<
zm=aDZ%Z$5q_;oBnZ=oxXN)nBau5BIhABJNNLwI~+uo~%R&Pts4^5f1Cvx;j4f#IpU
z@JkD`HdmOF8?AL*H(zTOy%Zb{PfEypQ~o6BYK^8Am(+gbcZXH7!>T2IJccZ&S(BRe
zU|%0D=BP?*B|%<m@VJ~b+9ATPTidQ6tK8FEYs-l5`dK~3;ct~kHpt(*RrDEX!O-m&
zI2l!8xC!zBSlZPMK1n74^$mB_XSsibNrya>61xtXcldAiN+~NrzbU+di_^KZ@2!`{
z*=@c|*Doz?y&1F{y{5P6EfHHsYrl0atM<<M?d>sdE=^CXM@jdniyE3!9M>QVq%(!0
z{jEK7VElrF?x29WyHSuC(k`q)Ml6Dt%8x8#h_MzO8A@^2b<bxV(hoT~qUU<X#y9oQ
zmaP1@>Q4yqB71kpDa57;Zf8LnWKg!|qtN;CUmgn2>ClZaH$|%lApvOdr}yjjR^w$Z
zan8M)2IdZwK*G**mIMKAGX(+fH&$5$cp6IP)FJ~t0qAVNi<Vfak(d?yZEhw#JTqZ<
z$Y9HLeVfCcb_`AFll`UcWXDZ%Ze%BEIW_G<zX0s`IFEz{lrq?`<OA4BKyL?(=(BKz
z%%e9-#0$AnrEsRb*yYG$aKEPm?1V7`AlDv(*Im?*#U^99@Gjl6(c4r1!}o)ragx6+
zVjMEgT7Z%rd?h;;z^A7e1w%e#cas2h8}LhVfYb?c;r0Izw?R`CT&O$&W~}VxGZhbV
zgH`OU$m1;UNVVDQOB=bG-#)ukWji`sWG7Vh-qO6&r9GIvk72XpkfFX&&zU=&SbN52
z-LL=WphL#FETGR=ZE^BA&_!)bl)KOR+YwJXXqqbD&)uwNdI9g4)ek6Fz>Ekr!W3Y9
z)Ok3$2^biL*!-Mg)fw+csb5^VVh%jU`kQ*MD#j^1>q@_JS^fOGt3r%6-(G?xg5JFV
z!`c%dB;^6HVa`^xd61`6W<aKC&*d?tR6Kjb1~4xoDd&Lm1>2`cNRANbw0zX##Tre~
zKm?l+B3Qxv@&oocAV>maA~{^>+p-(=jU1!OmV0`3PpxXrrfdPjgNBo#Ekm;m!1b0I
z1D=Ri-nmNu`rx+eLqlf`7*+vaB#C<}ZxFeZj?%X#2TdLfZTldn+Fb6XXO}WWTgSU+
z^%RV|Kx)_-Odkk{?~qJ}*$58gW8T4r%Kq6;lP2RWfx!g0n1WYwYPeSzSY>FGnDHPw
z#H_UWM@Fd)>0GK?PZG;>=iOF?a)P4i%_Cxm-3IaZFTTi%>DezvErPNzv2h6xXm0@f
z(bTKUBxLs@xHZ(G>iHanD=DR9{~F{wY|Il57fb!C-${u8II~YI#?e<REn_X7l+U&`
zX^jjT{ruqJ6ml}m?oC3UZ<M0;Y%<m<3cJN3Iye266M!uECnZ=yoj%|nFUx^uBsdr!
zbG#Vm*b81oObLqfQe-%o>Ev1vy@1)MXad?-!!Of5jzKTq%t{cN8<H19i%tPSnwp$A
z_@2`cuolxl0{_BL5#_ZWTqaW&v32bi6DezPaS`ZQ)CD$*$zZxpj|Pp3oRycBaK;*d
zEkObVpIGVEggzB2sF;LOMb2mhT+v6w0{%QE-(Qye8<YnkcsQvaYeCM_^x&c5j>?JN
zc!qqbD$~s>6qqeQO&>(mD5WowD>YK*;2Je580=r8-o2Td9G&Kr*q4kf=jx=3aEcUv
z3iMU-7vvd%TyBwsQ7L!L=TXxd)%9KUeE(hle1+QuNYle5Aby|+ME^#inEvv7+##S|
z2m%UZtH1?`8W3#tx6}-@af$|oiE!GvAXpOQA~|e~kxH_Uiar<fLWJ{gr2c|TEQdga
z%ymahm~w6W2=&v;%XVW^*w+~Yhrc@M9JEljJwGX53bTKKc_bN_t@phJ(v%)bxDUly
zKLtT#5I`2-R@GwH>G^^$y{q)za4yTE7Os&YEJ2d5>8EJE-!J;RKda6`*>01?UsK5h
zQ46G|&7e?X5vLfxK;qIe$cQCbT^iWSga{<?T#gK6Md7ZX<|ar#v7`YTP?H6j+Lpy2
b{bt3yru5oK#D7E1{|W8}ho3-j5QzT)0kCRb

diff --git a/policy-F14.patch b/policy-F14.patch
index 65dad377..c703b07b 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7898,7 +7898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.8.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if	2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if	2010-07-27 11:47:12.000000000 -0400
 @@ -1977,7 +1977,7 @@
  	')
  
@@ -11831,14 +11831,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.8.8/policy/modules/services/boinc.fc
 --- nsaserefpolicy/policy/modules/services/boinc.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.fc	2010-07-20 10:46:10.000000000 -0400
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.8.8/policy/modules/services/boinc.fc	2010-07-27 09:18:03.000000000 -0400
+@@ -0,0 +1,8 @@
 +
-+/etc/rc\.d/init\.d/boinc_client		--  gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc_client		-- 	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 +
-+/usr/bin/boinc_client				--	gen_context(system_u:object_r:boinc_exec_t,s0)
++/usr/bin/boinc_client			--	gen_context(system_u:object_r:boinc_exec_t,s0)
 +
-+/var/lib/boinc(/.*)?					gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc(/.*)?				gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc/projects(/.*)?			gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)?          	 	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.8.8/policy/modules/services/boinc.if
 --- nsaserefpolicy/policy/modules/services/boinc.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/boinc.if	2010-07-20 10:46:10.000000000 -0400
@@ -11996,8 +11998,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-07-20 10:46:10.000000000 -0400
-@@ -0,0 +1,96 @@
++++ serefpolicy-3.8.8/policy/modules/services/boinc.te	2010-07-27 09:18:03.000000000 -0400
+@@ -0,0 +1,143 @@
 +policy_module(boinc,1.0.0)
 +
 +########################################
@@ -12021,13 +12023,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +type boinc_var_lib_t;
 +files_type(boinc_var_lib_t)
 +
++type boinc_project_t;
++domain_type(boinc_project_t)
++role system_r types boinc_project_t;
++
++permissive boinc_project_t;
++
++type boinc_project_var_lib_t;
++files_type(boinc_project_var_lib_t)
++
 +########################################
 +#
 +# boinc local policy
 +#
 +
 +allow boinc_t self:capability { kill };
-+allow boinc_t self:process { execmem ptrace setsched signal signull sigstop sigkill };
++allow boinc_t self:process { setsched };
 +
 +allow boinc_t self:fifo_file rw_fifo_file_perms;
 +allow boinc_t self:unix_stream_socket create_stream_socket_perms;
@@ -12047,10 +12058,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +manage_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
 +files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
 +
++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
++manage_files_pattern(boinc_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
++
 +kernel_read_system_state(boinc_t)
-+kernel_read_network_state(boinc_t)
-+kernel_read_kernel_sysctls(boinc_t)
-+kernel_search_vm_sysctl(boinc_t)
++
++files_getattr_all_dirs(boinc_t)
++files_getattr_all_files(boinc_t)
 +
 +corecmd_exec_bin(boinc_t)
 +corecmd_exec_shell(boinc_t)
@@ -12094,6 +12108,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +sysnet_dns_name_resolve(boinc_t)
 +
 +mta_send_mail(boinc_t)
++
++########################################
++#
++# boinc-projects local policy
++#
++
++domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++
++allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { execmem execstack };
++
++allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
++manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
++manage_files_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
++
++allow boinc_project_t boinc_project_var_lib_t:file execmod;
++
++allow boinc_project_t boinc_t:shm rw_shm_perms;
++allow boinc_project_t boinc_tmpfs_t:file { read write };
++
++rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
++
++kernel_read_system_state(boinc_project_t)
++kernel_read_kernel_sysctls(boinc_project_t)
++kernel_search_vm_sysctl(boinc_project_t)
++kernel_read_network_state(boinc_project_t)
++
++corenet_tcp_connect_boinc_port(boinc_project_t)
++
++dev_rw_xserver_misc(boinc_project_t)
++
++miscfiles_read_localization(boinc_project_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.8.8/policy/modules/services/bugzilla.fc
 --- nsaserefpolicy/policy/modules/services/bugzilla.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.8.8/policy/modules/services/bugzilla.fc	2010-07-20 10:46:10.000000000 -0400
@@ -13716,7 +13765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.8/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.if	2010-07-23 08:29:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.if	2010-07-27 11:02:51.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -13768,11 +13817,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	')
  
  	role $1 types { cronjob_t crontab_t };
-@@ -116,6 +128,12 @@
+@@ -116,6 +128,13 @@
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, crontab_exec_t, crontab_t)
  
 +	allow crond_t $2:process transition;
++	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
 +	allow $2 crond_t:process sigchld;
 +
 +	# needs to be authorized SELinux context for cron
@@ -13781,7 +13831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	# crontab shows up in user ps
  	ps_process_pattern($2, crontab_t)
  	allow $2 crontab_t:process signal;
-@@ -154,27 +172,14 @@
+@@ -154,27 +173,14 @@
  #
  interface(`cron_unconfined_role',`
  	gen_require(`
@@ -13811,7 +13861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	optional_policy(`
  		gen_require(`
  			class dbus send_msg;
-@@ -408,7 +413,43 @@
+@@ -408,7 +414,43 @@
  		type crond_t;
  	')
  
@@ -13856,7 +13906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  ########################################
-@@ -554,7 +595,7 @@
+@@ -554,7 +596,7 @@
  		type system_cronjob_t;
  	')
  
@@ -13865,7 +13915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  ########################################
-@@ -587,11 +628,14 @@
+@@ -587,11 +629,14 @@
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -13881,7 +13931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  ########################################
-@@ -627,7 +671,48 @@
+@@ -627,7 +672,48 @@
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -23045,8 +23095,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun
  kernel_read_system_state(stunnel_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.8.8/policy/modules/services/sysstat.te
 --- nsaserefpolicy/policy/modules/services/sysstat.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/sysstat.te	2010-07-20 10:46:11.000000000 -0400
-@@ -68,3 +68,8 @@
++++ serefpolicy-3.8.8/policy/modules/services/sysstat.te	2010-07-27 09:40:49.000000000 -0400
+@@ -18,8 +18,7 @@
+ # Local policy
+ #
+ 
+-allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
+-dontaudit sysstat_t self:capability sys_admin;
++allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
+ allow sysstat_t self:fifo_file rw_fifo_file_perms;
+ 
+ can_exec(sysstat_t, sysstat_exec_t)
+@@ -68,3 +67,8 @@
  optional_policy(`
  	logging_send_syslog_msg(sysstat_t)
  ')
@@ -27720,6 +27780,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
  
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.8.8/policy/modules/system/kdump.te
+--- nsaserefpolicy/policy/modules/system/kdump.te	2010-06-18 13:07:19.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/kdump.te	2010-07-27 11:47:26.000000000 -0400
+@@ -29,6 +29,7 @@
+ 
+ kernel_read_system_state(kdump_t)
+ kernel_read_core_if(kdump_t)
++kernel_read_debugfs(kdump_t)
+ 
+ dev_read_framebuffer(kdump_t)
+ dev_read_sysfs(kdump_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2010-03-23 11:19:40.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/system/libraries.fc	2010-07-22 10:09:46.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8ef795b6..4467fc68 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 
 %changelog
+* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-7
+- Update boinc policy
+- Fix sysstat policy to allow sys_admin
+- Change failsafe_context to unconfined_r:unconfined_t:s0
+
 * Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-6
 - New paths for upstart
 
diff --git a/sources b/sources
index dd0fbd89..581c4ed9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-4c7d323036f1662a06a7a4f2a7da57a5  config.tgz
 1f8151f0184945098f3cc3ca0b53e861  serefpolicy-3.8.8.tgz