- Fix initial install

2008-04-08 03:17:46 +00:00 · 2008-04-08 03:17:46 +00:00 · 7f851af8d9
parent c3c4a525c2
commit 7f851af8d9
3 changed files with 193 additions and 58 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -1932,8 +1932,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.3.1/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/netutils.te	2008-04-04 12:06:55.000000000 -0400
-@@ -94,6 +94,10 @@
+++ serefpolicy-3.3.1/policy/modules/admin/netutils.te	2008-04-07 21:56:32.000000000 -0400
+@@ -50,6 +50,7 @@
+ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+ 
+ kernel_search_proc(netutils_t)
+kernel_read_sysctl(netutils_t)
+ 
+ corenet_all_recvfrom_unlabeled(netutils_t)
+ corenet_all_recvfrom_netlabel(netutils_t)
+@@ -78,6 +79,8 @@
+ init_use_fds(netutils_t)
+ init_use_script_ptys(netutils_t)
+ 
+auth_use_nsswitch(netutils_t)
+
+ libs_use_ld_so(netutils_t)
+ libs_use_shared_libs(netutils_t)
+ 
+@@ -85,8 +88,6 @@
+ 
+ miscfiles_read_localization(netutils_t)
+ 
+-sysnet_read_config(netutils_t)
+-
+ userdom_use_all_users_fds(netutils_t)
+ 
+ optional_policy(`
+@@ -94,6 +95,10 @@
 ')
 
 optional_policy(`
@ -1944,7 +1970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 	xen_append_log(netutils_t)
 ')
 
-@@ -107,12 +111,14 @@
+@@ -107,12 +112,14 @@
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
@ -1959,6 +1985,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 corenet_tcp_sendrecv_all_nodes(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
 
+@@ -123,6 +130,8 @@
+ files_read_etc_files(ping_t)
+ files_dontaudit_search_var(ping_t)
+ 
+auth_use_nsswitch(ping_t)
+
+ libs_use_ld_so(ping_t)
+ libs_use_shared_libs(ping_t)
+ 
+@@ -130,9 +139,6 @@
+ 
+ miscfiles_read_localization(ping_t)
+ 
+-sysnet_read_config(ping_t)
+-sysnet_dns_name_resolve(ping_t)
+-
+ ifdef(`hide_broken_symptoms',`
+ 	init_dontaudit_use_fds(ping_t)
+ ')
+@@ -143,14 +149,6 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(ping_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(ping_t)
+-')
+-
+-optional_policy(`
+ 	pcmcia_use_cardmgr_fds(ping_t)
+ ')
+ 
+@@ -166,7 +164,6 @@
+ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+ allow traceroute_t self:rawip_socket create_socket_perms;
+ allow traceroute_t self:packet_socket create_socket_perms;
+-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+ allow traceroute_t self:udp_socket create_socket_perms;
+ 
+ kernel_read_system_state(traceroute_t)
+@@ -200,6 +197,8 @@
+ 
+ init_use_fds(traceroute_t)
+ 
+auth_use_nsswitch(traceroute_t)
+
+ libs_use_ld_so(traceroute_t)
+ libs_use_shared_libs(traceroute_t)
+ 
+@@ -212,17 +211,7 @@
+ dev_read_urand(traceroute_t)
+ files_read_usr_files(traceroute_t)
+ 
+-sysnet_read_config(traceroute_t)
+-
+ tunable_policy(`user_ping',`
+ 	term_use_all_user_ttys(traceroute_t)
+ 	term_use_all_user_ptys(traceroute_t)
+ ')
+-
+-optional_policy(`
+-	nis_use_ypbind(traceroute_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(traceroute_t)
+-')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.3.1/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-12-19 05:32:18.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/admin/prelink.te	2008-04-04 12:06:55.000000000 -0400
@ -6480,7 +6575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-04-04 12:06:55.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-04-07 14:56:13.000000000 -0400
@@ -7,11 +7,11 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -6494,16 +6589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /dev
 #
-@@ -58,6 +58,8 @@
- 
- /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
- 
-+/etc/NetworkManager/dispatcher.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-+
- /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
- /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
- /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -67,6 +69,12 @@
+@@ -67,6 +67,12 @@
 
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
 
@ -6516,7 +6602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -99,11 +107,6 @@
+@@ -99,11 +105,6 @@
 /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
@ -6528,7 +6614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /sbin
 #
-@@ -127,6 +130,8 @@
+@@ -127,6 +128,8 @@
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
@ -6537,7 +6623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 #
 # /usr
 #
-@@ -144,10 +149,7 @@
+@@ -144,10 +147,7 @@
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -6549,7 +6635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -178,6 +180,8 @@
+@@ -178,6 +178,8 @@
 /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -6558,7 +6644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-@@ -185,8 +189,12 @@
+@@ -185,8 +187,12 @@
 /usr/local/Brother(/.*)?/lpd(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
@ -6571,7 +6657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -213,9 +221,10 @@
+@@ -213,9 +219,10 @@
 /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -6583,7 +6669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +293,10 @@
+@@ -284,3 +291,10 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -7294,6 +7380,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.3.1/policy/modules/kernel/files.fc
+--- nsaserefpolicy/policy/modules/kernel/files.fc	2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/files.fc	2008-04-07 21:39:29.000000000 -0400
+@@ -31,7 +31,7 @@
+ /boot/\.journal			<<none>>
+ /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /boot/lost\+found/.*		<<none>>
+-/boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
+/boot(/.*)?/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
+ 
+ #
+ # /emul
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-04-06 06:52:30.000000000 -0400
@ -8848,7 +8946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-04-04 16:08:27.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-04-07 14:54:08.000000000 -0400
@@ -20,6 +20,8 @@
 # Declarations
 #
@ -10895,7 +10993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-04-05 11:51:54.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te	2008-04-07 22:36:44.000000000 -0400
@@ -13,6 +13,9 @@
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
@ -14637,8 +14735,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te
 --- nsaserefpolicy/policy/modules/services/gamin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-04-04 12:06:55.000000000 -0400
-@@ -0,0 +1,39 @@
+++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-04-07 22:37:02.000000000 -0400
+@@ -0,0 +1,40 @@
 +policy_module(gamin,1.0.0)
 +
 +########################################
@ -14657,6 +14755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
 +
 +# Init script handling
 +domain_use_interactive_fds(gamin_t)
+allow gamin_t self:capability sys_ptrace;
 +
 +# internal communication is often done using fifo and unix sockets.
 +allow gamin_t self:fifo_file rw_file_perms;
@ -14766,7 +14865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-04 12:06:55.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-07 22:47:29.000000000 -0400
@@ -0,0 +1,53 @@
 +policy_module(gnomeclock,1.0.0)
 +########################################
@ -14789,7 +14888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +allow gnomeclock_t self:fifo_file rw_file_perms;
 +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
 +
-+corecmd_search_bin(gnomeclock_t)
+corecmd_exec_bin(gnomeclock_t)
 +
 +files_read_etc_files(gnomeclock_t)
 +files_read_usr_files(gnomeclock_t)
@ -15344,7 +15443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +/etc/rc.d/init.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.3.1/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.if	2008-04-04 12:06:55.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/kerberos.if	2008-04-07 20:46:54.000000000 -0400
@@ -43,7 +43,13 @@
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@ -15371,11 +15470,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 	optional_policy(`
 		tunable_policy(`allow_kerberos',`
 			pcscd_stream_connect($1)
-@@ -172,3 +174,156 @@
- 	allow $1 krb5kdc_conf_t:file read_file_perms;
+@@ -169,6 +171,158 @@
+ 	')
+ 
+ 	files_search_etc($1)
+-	allow $1 krb5kdc_conf_t:file read_file_perms;
+	read_files_pattern($1, krb5kdc_conf_t,  krb5kdc_conf_t)
+')
 
- ')
-+
 +########################################
 +## <summary>
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
@ -15422,7 +15524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +		corenet_udp_sendrecv_kerberos_master_port($1)
 +		corenet_udp_bind_all_nodes($1)
 +	')
-+')
+ ')
 +
 +########################################
 +## <summary>
@ -17019,8 +17121,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-04-04 12:06:55.000000000 -0400
-@@ -1,7 +1,10 @@
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-04-07 14:55:55.000000000 -0400
+@@ -1,7 +1,11 @@
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@ -17031,6 +17133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/log/wpa_supplicant\.log.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/etc/NetworkManager/dispatcher.d(/.*)	gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-12 10:15:45.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if	2008-04-04 12:06:55.000000000 -0400
@ -17058,18 +17161,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-05 15:04:32.000000000 -0400
-@@ -13,6 +13,9 @@
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-07 14:54:21.000000000 -0400
+@@ -13,6 +13,13 @@
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
 
 +type NetworkManager_log_t;
 +logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_script_exec_t;
+init_script_type(NetworkManager_script_exec_t)
+init_script_domtrans_spec(NetworkManager_t,httpd_script_exec_t)
 +
 ########################################
 #
 # Local policy
-@@ -20,9 +23,9 @@
+@@ -20,9 +27,9 @@
 
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161) 
@ -17081,7 +17188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-@@ -38,10 +41,14 @@
+@@ -38,10 +45,14 @@
 manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
 
@ -17096,7 +17203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 
 corenet_all_recvfrom_unlabeled(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -67,6 +74,7 @@
+@@ -67,6 +78,7 @@
 
 fs_getattr_all_fs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
@ -17104,7 +17211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 
 mls_file_read_all_levels(NetworkManager_t)
 
-@@ -84,8 +92,11 @@
+@@ -84,8 +96,11 @@
 files_read_usr_files(NetworkManager_t)
 
 init_read_utmp(NetworkManager_t)
@ -17116,7 +17223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 libs_use_ld_so(NetworkManager_t)
 libs_use_shared_libs(NetworkManager_t)
 
-@@ -129,21 +140,21 @@
+@@ -129,21 +144,21 @@
 ')
 
 optional_policy(`
@ -17143,7 +17250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 ')
 
 optional_policy(`
-@@ -155,19 +166,20 @@
+@@ -155,19 +170,20 @@
 	ppp_domtrans(NetworkManager_t)
 	ppp_read_pid_files(NetworkManager_t)
 	ppp_signal(NetworkManager_t)
@ -20497,7 +20604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-04-04 12:06:56.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-04-07 22:12:28.000000000 -0400
@@ -60,10 +60,14 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -20566,11 +20673,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
-@@ -157,8 +177,13 @@
+@@ -157,8 +177,14 @@
 files_list_tmp(gssd_t) 
 files_read_usr_symlinks(gssd_t) 
 
-+auth_read_cache(gssd_t) 
+auth_use_nsswitch(gssd_t)
+auth_rw_cache(gssd_t) 
 +
 miscfiles_read_certs(gssd_t)
 
@ -25506,7 +25614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-06 06:54:26.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-07 22:44:31.000000000 -0400
@@ -8,6 +8,14 @@
 
 ## <desc>
@ -25757,7 +25865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 domain_use_interactive_fds(xdm_t)
 # Do not audit denied probes of /proc.
 domain_dontaudit_read_all_domains_state(xdm_t)
-+domain_dontaudit_ptrace_all_domains_state(xdm_t)
+domain_dontaudit_ptrace_all_domains(xdm_t)
 
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
@ -26363,7 +26471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-05 07:50:51.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-07 22:13:19.000000000 -0400
@@ -99,7 +99,7 @@
 template(`authlogin_per_role_template',`
 
@ -26517,7 +26625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
 
-@@ -1491,3 +1563,23 @@
+@@ -1491,3 +1563,41 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -26541,6 +26649,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +	read_files_pattern($1, auth_cache_t,  auth_cache_t)
 +')
 +
+########################################
+## <summary>
+##	Read/Write authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_rw_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-19 17:24:26.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-04-04 12:06:56.000000000 -0400
@ -30630,7 +30756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-06 07:10:40.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-07 22:54:48.000000000 -0400
@@ -29,9 +29,14 @@
 	')
 
@ -33100,6 +33226,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Read and write unprivileged user ttys.
 ## </summary>
 ## <param name="domain">
+@@ -5559,7 +5933,7 @@
+ 		attribute userdomain;
+ 	')
+ 
+-	read_files_pattern($1,userdomain,userdomain)
+	ps_process_pattern($1,userdomain)
+ 	kernel_search_proc($1)
+ ')
+ 
@@ -5674,7 +6048,7 @@
 
 ########################################
--- a/2
+++ b/2
@ -241,7 +241,7 @@ compile your policy package.  Then use the semodule tool to load it.

 # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
 # make -f /usr/share/selinux/devel/Makefile
-# semodule -l myapp.pp
+# semodule -i myapp.pp
 # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

 Now you can turn on permissive mode, start your application and avc messages
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -292,11 +292,11 @@ SELinux Reference policy targeted base module.
 %post targeted
 if [ $1 -eq 1 ]; then
 %loadpolicy targeted
-semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
-semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
-semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
-semanage user -a -P guest -R guest_r guest_u
-semanage user -a -P xguest -R xguest_r xguest_u 
+semanage user -a -S targeted -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
+semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
+semanage user -a -S targeted -R guest_r guest_u
+semanage user -a -S targeted -R xguest_r xguest_u 
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -s targeted -r moilscanner 2>/dev/null
@ -388,7 +388,7 @@ exit 0

 %changelog
 * Sat Apr 5 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-29
- 
+- Fix initial install

 * Fri Apr 4 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-28
 - Allow radvd to use fifo_file