- Allow users to exec restorecond

2009-09-25 18:47:07 +00:00 · 2009-09-25 18:47:07 +00:00 · 85582d623f
parent f5a104d238
commit 85582d623f
4 changed files with 106 additions and 350 deletions
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -245,7 +245,7 @@ allow_nsplugin_execmem=true

 # Allow unconfined domain to transition to confined domain
 # 
-allow_unconfined_nsplugin_transition=true
+allow_unconfined_nsplugin_transition=false

 # System uses init upstart program
 # 
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -12909,7 +12909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te	2009-09-21 19:37:35.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te	2009-09-24 17:38:43.000000000 -0700
@@ -19,6 +19,9 @@
 type NetworkManager_tmp_t;
 files_tmp_file(NetworkManager_tmp_t)
@ -12951,16 +12951,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -63,6 +70,8 @@
+@@ -63,6 +70,9 @@
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
+kernel_request_load_module(NetworkManager_t)
 +kernel_read_debugfs(NetworkManager_t)
 +kernel_rw_net_sysctls(NetworkManager_t)
 
 corenet_all_recvfrom_unlabeled(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +90,18 @@
+@@ -81,13 +91,18 @@
 corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
 corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
 corenet_sendrecv_all_client_packets(NetworkManager_t)
@ -12979,7 +12980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 mls_file_read_all_levels(NetworkManager_t)
 
-@@ -98,15 +112,20 @@
+@@ -98,15 +113,20 @@
 
 domain_use_interactive_fds(NetworkManager_t)
 domain_read_confined_domains_state(NetworkManager_t)
@ -13001,7 +13002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(NetworkManager_t)
 
 miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +135,40 @@
+@@ -116,25 +136,40 @@
 
 seutil_read_config(NetworkManager_t)
 
@ -13049,7 +13050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -146,8 +180,25 @@
+@@ -146,8 +181,25 @@
 ')
 
 optional_policy(`
@ -13077,7 +13078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -155,23 +206,51 @@
+@@ -155,23 +207,51 @@
 ')
 
 optional_policy(`
@ -13131,7 +13132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -179,12 +258,15 @@
+@@ -179,12 +259,15 @@
 ')
 
 optional_policy(`
@ -15843,7 +15844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/rpc.if	2009-09-16 07:03:09.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/services/rpc.if	2009-09-25 07:42:34.000000000 -0700
@@ -54,7 +54,7 @@
 	allow $1_t self:unix_dgram_socket create_socket_perms;
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
@ -15853,7 +15854,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
 	manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
-@@ -109,6 +109,10 @@
+@@ -99,6 +99,7 @@
+ 	files_read_etc_runtime_files($1_t)
+ 	files_search_var($1_t)
+ 	files_search_var_lib($1_t)
+	files_list_home($1_t)
+ 
+ 	auth_use_nsswitch($1_t)
+ 
+@@ -109,6 +110,10 @@
 	userdom_dontaudit_use_unpriv_user_fds($1_t)
 
 	optional_policy(`
@ -15866,7 +15875,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/rpc.te	2009-09-16 07:03:09.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/services/rpc.te	2009-09-25 07:42:43.000000000 -0700
+@@ -53,7 +53,7 @@
+ # RPC local policy
+ #
+ 
+-allow rpcd_t self:capability { chown dac_override setgid setuid };
+allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+ allow rpcd_t self:fifo_file rw_fifo_file_perms;
+ 
+ allow rpcd_t rpcd_var_run_t:dir setattr;
@@ -91,6 +91,8 @@
 
 seutil_dontaudit_search_config(rpcd_t)
@ -19016,7 +19034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc	2009-09-16 07:03:09.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc	2009-09-25 07:58:35.000000000 -0700
@@ -3,12 +3,17 @@
 #
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -19028,7 +19046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.dmrc		--	gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 
 +/root/\.Xauth.*		--	gen_context(system_u:object_r:xauth_home_t,s0)
 +/root/\.xauth.*		--	gen_context(system_u:object_r:xauth_home_t,s0)
@ -23546,8 +23564,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if	2009-09-16 07:03:09.000000000 -0700
-@@ -535,6 +535,53 @@
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if	2009-09-24 20:11:24.000000000 -0700
+@@ -351,6 +351,27 @@
+ 
+ ########################################
+ ## <summary>
+##	Execute restorecond in the caller domain. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_exec_restorecond',`
+	gen_require(`
+		type restorecond_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1, restorecond_exec_t)
+')
+
+########################################
+## <summary>
+ ##	Execute run_init in the run_init domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -535,6 +556,53 @@
 
 ########################################
 ## <summary>
@ -23601,7 +23647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute setfiles in the caller domain.
 ## </summary>
 ## <param name="domain">
-@@ -680,6 +727,7 @@
+@@ -680,6 +748,7 @@
 	')
 
 	files_search_etc($1)
@ -23609,7 +23655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
-@@ -999,6 +1047,26 @@
+@@ -999,6 +1068,26 @@
 
 ########################################
 ## <summary>
@ -23636,7 +23682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute semanage in the semanage domain, and
 ##	allow the specified role the semanage domain,
 ##	and use the caller's terminal.
-@@ -1010,7 +1078,7 @@
+@@ -1010,7 +1099,7 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -23645,7 +23691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	</summary>
 ## </param>
 ## <rolecap/>
-@@ -1028,6 +1096,33 @@
+@@ -1028,6 +1117,33 @@
 
 ########################################
 ## <summary>
@ -23679,7 +23725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Full management of the semanage
 ##	module store.
 ## </summary>
-@@ -1139,3 +1234,194 @@
+@@ -1139,3 +1255,194 @@
 	selinux_dontaudit_get_fs_mount($1)
 	seutil_dontaudit_read_config($1)
 ')
@ -25608,7 +25654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 10:30:04.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-09-21 05:24:59.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-09-24 20:12:04.000000000 -0700
@@ -30,8 +30,9 @@
 	')
 
@ -26055,7 +26101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	##############################
 	#
-@@ -508,182 +515,208 @@
+@@ -508,182 +515,209 @@
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -26160,6 +26206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_exec_checkpolicy($1_t)
 -	seutil_exec_setfiles($1_t)
 +	seutil_exec_setfiles($1_usertype)
+	seutil_exec_restorecond($1_usertype)
 	# for when the network connection is killed
 	# this is needed when a login role can change
 	# to this one.
@ -26337,7 +26384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 #######################################
-@@ -711,13 +744,26 @@
+@@ -711,13 +745,26 @@
 
 	userdom_base_user_template($1)
 
@ -26369,7 +26416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	userdom_change_password_template($1)
 
-@@ -735,70 +781,71 @@
+@@ -735,70 +782,71 @@
 
 	allow $1_t self:context contains;
 
@ -26474,7 +26521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -835,6 +882,32 @@
+@@ -835,6 +883,32 @@
 	# Local policy
 	#
 
@ -26507,7 +26554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		loadkeys_run($1_t,$1_r)
 	')
-@@ -865,51 +938,81 @@
+@@ -865,51 +939,81 @@
 
 	userdom_restricted_user_template($1)
 
@ -26602,7 +26649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -943,8 +1046,8 @@
+@@ -943,8 +1047,8 @@
 	# Declarations
 	#
 
@ -26612,7 +26659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	userdom_common_user_template($1)
 
 	##############################
-@@ -953,11 +1056,12 @@
+@@ -953,11 +1057,12 @@
 	#
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -26627,7 +26674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
 
-@@ -975,36 +1079,53 @@
+@@ -975,36 +1080,53 @@
 		')
 	')
 
@ -26695,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -1040,7 +1161,7 @@
+@@ -1040,7 +1162,7 @@
 template(`userdom_admin_user_template',`
 	gen_require(`
 		attribute admindomain;
@ -26704,7 +26751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	##############################
-@@ -1049,8 +1170,7 @@
+@@ -1049,8 +1171,7 @@
 	#
 
 	# Inherit rules for ordinary users.
@ -26714,7 +26761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;
-@@ -1075,6 +1195,9 @@
+@@ -1075,6 +1196,9 @@
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
 
@ -26724,7 +26771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1212,7 @@
+@@ -1089,6 +1213,7 @@
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -26732,7 +26779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1096,8 +1220,6 @@
+@@ -1096,8 +1221,6 @@
 
 	dev_getattr_generic_blk_files($1_t)
 	dev_getattr_generic_chr_files($1_t)
@ -26741,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow MAKEDEV to work
 	dev_create_all_blk_files($1_t)
 	dev_create_all_chr_files($1_t)
-@@ -1124,6 +1246,8 @@
+@@ -1124,6 +1247,8 @@
 	files_exec_usr_src_files($1_t)
 
 	fs_getattr_all_fs($1_t)
@ -26750,7 +26797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
-@@ -1152,20 +1276,6 @@
+@@ -1152,20 +1277,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
@ -26771,7 +26818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1211,6 +1321,7 @@
+@@ -1211,6 +1322,7 @@
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -26779,7 +26826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1276,11 +1387,15 @@
+@@ -1276,11 +1388,15 @@
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -26795,7 +26842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1391,12 +1506,13 @@
+@@ -1391,12 +1507,13 @@
 	')
 
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -26810,7 +26857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1429,6 +1545,14 @@
+@@ -1429,6 +1546,14 @@
 
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -26825,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1444,9 +1568,11 @@
+@@ -1444,9 +1569,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -26837,7 +26884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1503,6 +1629,25 @@
+@@ -1503,6 +1630,25 @@
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
@ -26863,7 +26910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1577,6 +1722,8 @@
+@@ -1577,6 +1723,8 @@
 	')
 
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -26872,7 +26919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1670,6 +1817,7 @@
+@@ -1670,6 +1818,7 @@
 		type user_home_dir_t, user_home_t;
 	')
 
@ -26880,7 +26927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')
-@@ -1797,19 +1945,32 @@
+@@ -1797,19 +1946,32 @@
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -26920,7 +26967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1844,6 +2005,7 @@
+@@ -1844,6 +2006,7 @@
 interface(`userdom_manage_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -26928,7 +26975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2553,7 @@
+@@ -2391,27 +2554,7 @@
 
 ########################################
 ## <summary>
@ -26957,7 +27004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2765,11 +2907,32 @@
+@@ -2765,11 +2908,32 @@
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -26992,7 +27039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -2897,7 +3060,25 @@
+@@ -2897,7 +3061,25 @@
 		type user_tmp_t;
 	')
 
@ -27019,7 +27066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -2934,6 +3115,7 @@
+@@ -2934,6 +3116,7 @@
 	')
 
 	read_files_pattern($1, userdomain, userdomain)
@ -27027,7 +27074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
 
-@@ -3064,3 +3246,559 @@
+@@ -3064,3 +3247,559 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/300
+++ b/300
@ -1,297 +1,3 @@
-#! /usr/bin/env python
-# Copyright (C) 2006 Red Hat 
-# see file 'COPYING' for use and warranty information
-#
-# policygentool is a tool for the initial generation of SELinux policy
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of the GNU General Public License as
-#    published by the Free Software Foundation; either version 2 of
-#    the License, or (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program; if not, write to the Free Software
-#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA     
-#                                        02111-1307  USA
-#
-#  
-import os, sys, getopt
-import re
-
-########################### Interface File #############################
-interface="""\
-## <summary>policy for TEMPLATETYPE</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run TEMPLATETYPE.
-## </summary>
-## <param name=\"domain\">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`TEMPLATETYPE_domtrans',`
-	gen_require(`
-		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
-	')
-
-	domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
-
-	allow TEMPLATETYPE_t $1:fd use;
-	allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
-	allow TEMPLATETYPE_t $1:process sigchld;
-')
-"""
-
-########################### Type Enforcement File #############################
-te="""\
-policy_module(TEMPLATETYPE,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type TEMPLATETYPE_t;
-type TEMPLATETYPE_exec_t;
-domain_type(TEMPLATETYPE_t)
-init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
-"""
-te_logfile="""
-# log files
-type TEMPLATETYPE_var_log_t;
-logging_log_file(TEMPLATETYPE_var_log_t)
-"""
-te_pidfile="""
-# pid files
-type TEMPLATETYPE_var_run_t;
-files_pid_file(TEMPLATETYPE_var_run_t)
-"""
-te_libfile="""
-# var/lib files
-type TEMPLATETYPE_var_lib_t;
-files_type(TEMPLATETYPE_var_lib_t)
-"""
-te_sep="""
-########################################
-#
-# TEMPLATETYPE local policy
-#
-# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
-
-# Some common macros (you might be able to remove some)
-files_read_etc_files(TEMPLATETYPE_t)
-libs_use_ld_so(TEMPLATETYPE_t)
-libs_use_shared_libs(TEMPLATETYPE_t)
-miscfiles_read_localization(TEMPLATETYPE_t)
-## internal communication is often done using fifo and unix sockets.
-allow TEMPLATETYPE_t self:fifo_file { read write };
-allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
-"""
-te_pidfile2="""
-# pid file
-allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
-"""
-te_logfile2="""
-# log files
-allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
-"""
-te_libfile2="""
-# var/lib files for TEMPLATETYPE
-allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
-files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
-"""
-te_network2="""
-## Networking basics (adjust to your needs!)
-sysnet_dns_name_resolve(TEMPLATETYPE_t)
-corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
-corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
-corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
-corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
-corenet_tcp_connect_http_port(TEMPLATETYPE_t)
-#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
-## if it is a network daemon, consider these:
-#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
-#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
-allow TEMPLATETYPE_t self:tcp_socket { listen accept };
-"""
-te_initsc2="""
-# Init script handling
-init_use_fds(TEMPLATETYPE_t)
-init_use_script_ptys(TEMPLATETYPE_t)
-domain_use_interactive_fds(TEMPLATETYPE_t)
-"""
-
-########################### File Context ##################################
-fc="""\
-# TEMPLATETYPE executable will have:
-# label: system_u:object_r:TEMPLATETYPE_exec_t
-# MLS sensitivity: s0
-# MCS categories: <none>
-
-EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
-"""
-fc_pidfile="""\
-FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
-"""
-fc_logfile="""\
-FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
-"""
-fc_libfile="""\
-FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
-"""
-def errorExit(error):
-	sys.stderr.write("%s: " % sys.argv[0])
-	sys.stderr.write("%s\n" % error)
-	sys.stderr.flush()
-	sys.exit(1)
-
-
-def write_te_file(module, pidfile, logfile, libfile, network, initsc):
-	file="%s.te" % module
-	newte=re.sub("TEMPLATETYPE", module, te)
-	if libfile:
-		newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
-	if logfile:
-		newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
-	if pidfile:
-		newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
-	newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
-	if libfile:
-		newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
-	if logfile:
-		newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
-	if pidfile:
-		newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
-	if network:
-		newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
-	if initsc:
-		newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
-	if os.path.exists(file):
-		errorExit("%s already exists" % file)
-	fd = open(file, 'w')
-	fd.write(newte)
-	fd.close()
-
-def write_if_file(module):
-	file="%s.if" % module
-	newif=re.sub("TEMPLATETYPE", module, interface)
-	if os.path.exists(file):
-		errorExit("%s already exists" % file)
-	fd = open(file, 'w')
-	fd.write(newif)
-	fd.close()
-
-def write_fc_file(module, executable, pidfile, logfile, libfile):
-	file="%s.fc" % module
-	temp=re.sub("TEMPLATETYPE", module, fc)
-	newfc=re.sub("EXECUTABLE", executable, temp)
-	if pidfile:
-		temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
-		newfc=newfc + re.sub("FILENAME", pidfile, temp)
-	if logfile:
-		temp=re.sub("TEMPLATETYPE", module, fc_logfile)
-		newfc=newfc + re.sub("FILENAME", logfile, temp)
-	if libfile:
-		temp=re.sub("TEMPLATETYPE", module, fc_libfile)
-		newfc=newfc + re.sub("FILENAME", libfile, temp)
-	if os.path.exists(file):
-		errorExit("%s already exists" % file)
-	fd = open(file, 'w')
-	fd.write(newfc)
-	fd.close()
-
-def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
-	write_te_file(module, pidfile, logfile, libfile, initsc, network)
-	write_if_file(module)
-	write_fc_file(module, executable, pidfile, logfile, libfile)
-	
-if __name__ == '__main__':
-	def usage(message = ""):
-		print '%s ModuleName Executable' % sys.argv[0]
-		sys.exit(1)
-		
-	if len(sys.argv) != 3:
-		usage()
-
-	print """\n
-This tool generate three files for policy development, A Type Enforcement (te)
-file, a File Context (fc), and a Interface File(if).  Most of the policy rules
-will be written in the te file.  Use the File Context file to associate file
-paths with security context.  Use the interface rules to allow other protected
-domains to interact with the newly defined domains.
-
-After generating these files use the /usr/share/selinux/devel/Makefile to
-compile your policy package.  Then use the semodule tool to load it.
-
-# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
-# make -f /usr/share/selinux/devel/Makefile
-# semodule -i myapp.pp
-# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
-
-Now you can turn on permissive mode, start your application and avc messages
-will be generated.  You can use audit2allow to help translate the avc messages
-into policy.
-
-# setenforce 0
-# service myapp start
-# audit2allow -R -i /var/log/audit/audit.log
-
-Return to continue:"""
-        sys.stdin.readline().rstrip()
-
-	print 'If the module uses pidfiles, what is the pidfile called?'
-	pidfile = sys.stdin.readline().rstrip()
-	if pidfile == "":
-		pidfile = None
-	print 'If the module uses logfiles, where are they stored?'
-	logfile = sys.stdin.readline().rstrip()
-	if logfile == "":
-		logfile = None
-	print 'If the module has var/lib files, where are they stored?'
-	libfile = sys.stdin.readline().rstrip()
-	if libfile == "":
-		libfile = None
-	print 'Does the module have a init script? [yN]'
-	initsc = sys.stdin.readline().rstrip()
-	if initsc == "" or initsc == "n" or initsc == "N":
-		initsc = False
-	elif initsc == "y" or initsc == "Y":
-		initsc = True
-	else:
-		raise "Please answer with 'y' or 'n'!"
-	print 'Does the module use the network? [yN]'
-	network = sys.stdin.readline().rstrip()
-	if network == "" or network == "n" or network == "N":
-		network = False
-	elif network == "y" or network == "Y":
-		network = True
-	else:
-		raise "Please answer with 'y' or 'n'!"
-
-	gen_policy(
-		module=sys.argv[1],
-		executable=sys.argv[2],
-		pidfile=pidfile,
-		logfile=logfile,
-		libfile=libfile,
-		initsc=initsc,
-		network=network
-	)
-
-	
+#!/bin/sh
+echo "$0 is no longer supported, better tools exist for creating policy"
+echo "Please use /usr/bin/sepolgen, slide or polgengui to generate policy"
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -448,6 +448,9 @@ exit 0
 %endif

 %changelog
+* Thu Sep 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-11
+- Allow users to exec restorecond
+
 * Tue Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10
 - Allow sendmail to request kernel modules load