- Change unconfined_t to transition to unconfined_mono_t when running mono

- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work
2008-04-29 16:05:11 +00:00 · 2008-04-29 16:05:11 +00:00 · 86881dd93f
parent 2d8ff5157a
commit 86881dd93f
2 changed files with 168 additions and 121 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -793,7 +793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg
 +system_r:xdm_t		xguest_r:xguest_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.3.1/man/man8/ftpd_selinux.8
 --- nsaserefpolicy/man/man8/ftpd_selinux.8	2007-10-12 08:56:10.000000000 -0400
-+++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8	2008-04-28 08:39:05.840182000 -0400
+++ serefpolicy-3.3.1/man/man8/ftpd_selinux.8	2008-04-28 08:39:05.000000000 -0400
@@ -35,10 +35,6 @@
 directorories, you need to set the ftp_home_dir boolean. 
 .TP
@ -3239,7 +3239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if	2008-04-21 11:02:48.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if	2008-04-29 09:37:23.004992000 -0400
@@ -33,9 +33,60 @@
 ## </param>
 #
@ -4522,8 +4522,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
 +userdom_dontaudit_list_sysadm_home_dirs(loadkeys_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/mono.if	2008-04-21 11:02:48.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/mono.if	2008-04-29 11:57:14.653875000 -0400
-@@ -18,3 +18,101 @@
+@@ -18,3 +18,102 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, mono_exec_t, mono_t)
 ')
@ -4624,6 +4624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
 +	domtrans_pattern($2, mono_exec_t, $1_mono_t)
 +
 +	fs_dontaudit_rw_tmpfs_files($1_mono_t)
 +	corecmd_bin_domtrans($1_mono_t, $1_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2007-12-19 05:32:09.000000000 -0500
@ -7480,7 +7481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if	2008-04-28 09:14:07.261479000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if	2008-04-28 09:14:07.000000000 -0400
@@ -1242,18 +1242,34 @@
 ##	</summary>
 ## </param>
@ -7917,7 +7918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-04-28 17:00:20.022613000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-04-28 17:00:20.000000000 -0400
@@ -310,6 +310,25 @@
 ########################################
@ -8616,7 +8617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.3.1/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc	2008-04-28 15:02:52.901366000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc	2008-04-28 15:02:52.000000000 -0400
@@ -13,6 +13,7 @@
 /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@ -8635,7 +8636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
 /dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.3.1/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if	2008-04-28 16:19:58.789387000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if	2008-04-28 16:19:58.000000000 -0400
@@ -81,6 +81,26 @@
 ########################################
@ -8665,7 +8666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
 ##	SELinux protections for filesystem objects, and
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.3.1/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2007-09-12 10:34:17.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/terminal.if	2008-04-28 15:49:59.242976000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/terminal.if	2008-04-28 15:49:59.000000000 -0400
@@ -525,11 +525,13 @@
 interface(`term_use_generic_ptys',`
 	gen_require(`
@ -12506,7 +12507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.te	2008-04-28 15:33:05.015286000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/cups.te	2008-04-28 15:33:05.000000000 -0400
@@ -43,14 +43,13 @@
 type cupsd_var_run_t;
@ -13211,7 +13212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.if	2008-04-21 12:08:05.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/dbus.if	2008-04-29 10:45:04.731105000 -0400
@@ -53,6 +53,7 @@
 	gen_require(`
 		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -13478,7 +13479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-04-28 17:24:06.516754000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-04-28 17:24:06.000000000 -0400
@@ -9,9 +9,10 @@
 #
 # Delcarations
@ -15489,7 +15490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-28 10:32:02.385047000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-28 10:32:02.000000000 -0400
@@ -0,0 +1,55 @@
 +policy_module(gnomeclock,1.0.0)
 +########################################
@ -17421,7 +17422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
 +/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mysql.if	2008-04-28 14:00:53.714473000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/mysql.if	2008-04-28 14:00:53.000000000 -0400
@@ -32,9 +32,11 @@
 interface(`mysql_stream_connect',`
 	gen_require(`
@ -17786,7 +17787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-04-28 17:01:05.578193000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-04-28 17:01:05.000000000 -0400
@@ -1,7 +1,11 @@
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@ -17801,7 +17802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +/etc/NetworkManager/dispatcher.d(/.*)	gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-12 10:15:45.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if	2008-04-28 17:23:33.835317000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if	2008-04-28 17:23:33.000000000 -0400
@@ -97,3 +97,40 @@
 	allow $1 NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t $1:dbus send_msg;
@ -17845,7 +17846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-28 17:20:44.106667000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te	2008-04-28 17:20:44.000000000 -0400
@@ -13,6 +13,13 @@
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
@ -18872,7 +18873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.3.1/policy/modules/services/polkit.fc
 --- nsaserefpolicy/policy/modules/services/polkit.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.fc	2008-04-28 15:14:56.271771000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/polkit.fc	2008-04-28 15:14:56.000000000 -0400
@@ -0,0 +1,9 @@
 +
 +/usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:polkit_auth_exec_t,s0)
@ -18885,7 +18886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.if	2008-04-28 15:56:30.712486000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/polkit.if	2008-04-28 15:56:30.000000000 -0400
@@ -0,0 +1,208 @@
 +
 +## <summary>policy for polkit_auth</summary>
@ -19097,7 +19098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.te	2008-04-28 16:10:18.292199000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/polkit.te	2008-04-28 16:10:18.000000000 -0400
@@ -0,0 +1,190 @@
 +policy_module(polkit_auth,1.0.0)
 +
@ -21410,7 +21411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-04-28 16:23:06.250792000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-04-28 16:23:06.000000000 -0400
@@ -23,7 +23,7 @@
 gen_tunable(allow_nfsd_anon_write,false)
@ -22999,7 +23000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te	2008-04-28 15:21:41.039805000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te	2008-04-28 15:21:41.000000000 -0400
@@ -22,13 +22,16 @@
 type setroubleshoot_var_run_t;
 files_pid_file(setroubleshoot_var_run_t)
@ -25255,7 +25256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-04-25 13:53:23.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-04-29 09:37:38.934561000 -0400
@@ -12,9 +12,15 @@
 ##	</summary>
 ## </param>
@ -26631,7 +26632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-23 10:06:49.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-29 11:09:45.700467000 -0400
@@ -8,6 +8,14 @@
 ## <desc>
@ -26820,7 +26821,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
-@@ -131,15 +239,22 @@
+@@ -124,6 +232,8 @@
 manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
 manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
 files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
 +relabelfrom_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
 +relabelfrom_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
 manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
@@ -131,15 +241,22 @@
 manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -26845,7 +26855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -153,6 +268,7 @@
+@@ -153,6 +270,7 @@
 allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@ -26853,7 +26863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -173,6 +289,8 @@
+@@ -173,6 +291,8 @@
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
@ -26862,7 +26872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 corenet_all_recvfrom_unlabeled(xdm_t)
 corenet_all_recvfrom_netlabel(xdm_t)
-@@ -184,6 +302,7 @@
+@@ -184,6 +304,7 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
@ -26870,7 +26880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
-@@ -196,6 +315,7 @@
+@@ -196,6 +317,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
@ -26878,7 +26888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
-@@ -208,14 +328,15 @@
+@@ -208,14 +330,15 @@
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
@ -26896,7 +26906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -226,9 +347,13 @@
+@@ -226,9 +349,13 @@
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -26910,7 +26920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -237,6 +362,7 @@
+@@ -237,6 +364,7 @@
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -26918,7 +26928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
-@@ -245,6 +371,7 @@
+@@ -245,6 +373,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -26926,7 +26936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
-@@ -256,22 +383,29 @@
+@@ -256,22 +385,29 @@
 libs_exec_lib_files(xdm_t)
 logging_read_generic_logs(xdm_t)
@ -26959,7 +26969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_t)
-@@ -297,14 +431,20 @@
+@@ -297,14 +433,20 @@
 #	xserver_rw_session_template(xdm,unpriv_userdomain)
 #	dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
 #	allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
@ -26981,7 +26991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 optional_policy(`
-@@ -312,6 +452,23 @@
+@@ -312,6 +454,23 @@
 ')
 optional_policy(`
@ -27005,7 +27015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
 	gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +479,10 @@
+@@ -322,6 +481,10 @@
 ')
 optional_policy(`
@ -27016,7 +27026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	loadkeys_exec(xdm_t)
 ')
-@@ -335,6 +496,11 @@
+@@ -335,6 +498,11 @@
 ')
 optional_policy(`
@ -27028,7 +27038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -343,8 +509,8 @@
+@@ -343,8 +511,8 @@
 ')
 optional_policy(`
@ -27038,7 +27048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +546,7 @@
+@@ -380,7 +548,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -27047,7 +27057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +558,15 @@
+@@ -392,6 +560,15 @@
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 files_search_var_lib(xdm_xserver_t)
@ -27063,7 +27073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,9 +579,18 @@
+@@ -404,9 +581,18 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -27082,7 +27092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_xserver_t)
 	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +604,22 @@
+@@ -420,6 +606,22 @@
 ')
 optional_policy(`
@ -27105,7 +27115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
-@@ -429,47 +629,138 @@
+@@ -429,47 +631,138 @@
 ')
 optional_policy(`
@ -27506,7 +27516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-28 09:15:47.070186000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-29 10:58:08.742336000 -0400
@@ -99,7 +99,7 @@
 template(`authlogin_per_role_template',`
@ -27553,7 +27563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	# for SSP/ProPolice
 	dev_read_urand($1)
 	# for fingerprint readers
-@@ -226,8 +243,38 @@
+@@ -226,8 +243,40 @@
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
@ -27589,10 +27599,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 		files_polyinstantiate_all($1)
 +		userdom_manage_user_home_content_dirs(user, $1)
 +		userdom_manage_user_home_content_files(user, $1)
 +		userdom_relabel_all_home_dirs($1)
 +		userdom_relabel_all_home_files($1)
 	')
 ')
-@@ -342,6 +389,8 @@
+@@ -342,6 +391,8 @@
 	optional_policy(`
 		kerberos_use($1)
@ -27601,7 +27613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 	optional_policy(`
-@@ -356,6 +405,28 @@
+@@ -356,6 +407,28 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
@ -27630,7 +27642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 ########################################
-@@ -369,12 +440,12 @@
+@@ -369,12 +442,12 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -27645,7 +27657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	</summary>
 ## </param>
 #
-@@ -386,6 +457,7 @@
+@@ -386,6 +459,7 @@
 	auth_domtrans_chk_passwd($1)
 	role $2 types system_chkpwd_t;
 	allow system_chkpwd_t $3:chr_file rw_file_perms;
@ -27653,7 +27665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 ########################################
-@@ -1457,6 +1529,7 @@
+@@ -1457,6 +1531,7 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 		samba_read_var_files($1)
@ -27661,7 +27673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
-@@ -1491,3 +1564,59 @@
+@@ -1491,3 +1566,59 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -27915,7 +27927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
 -
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-04-28 09:15:35.654776000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-04-28 09:15:35.000000000 -0400
@@ -211,6 +211,13 @@
 			kernel_dontaudit_use_fds($1)
 		')
@ -28593,7 +28605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te	2008-04-28 10:29:25.956857000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te	2008-04-28 10:29:25.000000000 -0400
@@ -29,7 +29,7 @@
 #
@ -28838,7 +28850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if	2008-04-21 11:02:50.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/logging.if	2008-04-29 08:53:40.798973000 -0400
@@ -213,12 +213,7 @@
 ## </param>
 #
@ -29304,7 +29316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
 +/var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-04-23 10:09:00.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-04-29 08:38:10.482745000 -0400
@@ -22,7 +22,7 @@
 role system_r types lvm_t;
@ -29615,7 +29627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/modutils.te	2008-04-21 11:02:50.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/modutils.te	2008-04-29 08:36:55.595920000 -0400
@@ -22,6 +22,8 @@
 type insmod_exec_t;
 application_domain(insmod_t,insmod_exec_t)
@ -30246,7 +30258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te
 --- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.te	2008-04-28 16:14:23.857051000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/qemu.te	2008-04-28 16:14:23.000000000 -0400
@@ -0,0 +1,49 @@
 +policy_module(qemu,1.0.0)
 +
@ -30299,7 +30311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/raid.te	2008-04-21 11:02:50.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/raid.te	2008-04-29 08:35:21.523317000 -0400
@@ -19,7 +19,7 @@
 # Local policy
 #
@ -30623,7 +30635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te	2008-04-28 10:24:53.045591000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te	2008-04-28 10:24:53.000000000 -0400
@@ -75,7 +75,6 @@
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -31165,7 +31177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 	xen_append_log(ifconfig_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.3.1/policy/modules/system/udev.if
 --- nsaserefpolicy/policy/modules/system/udev.if	2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/udev.if	2008-04-28 10:54:03.940707000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/udev.if	2008-04-29 08:34:43.098742000 -0400
@@ -96,6 +96,24 @@
 ########################################
@ -31191,7 +31203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
 ##	Allow process to read list of devices.
 ## </summary>
 ## <param name="domain">
-@@ -106,11 +124,11 @@
+@@ -106,11 +124,13 @@
 #
 interface(`udev_read_db',`
 	gen_require(`
@ -31201,11 +31213,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
 	dev_list_all_dev_nodes($1)
 -	allow $1 udev_tdb_t:file read_file_perms;
 +	allow $1 udev_tbl_t:dir list_dir_perms;
 +	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
 +	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
 ')
 ########################################
-@@ -125,9 +143,9 @@
+@@ -125,9 +145,9 @@
 #
 interface(`udev_rw_db',`
 	gen_require(`
@ -31646,7 +31660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-25 14:52:17.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-29 12:04:03.912060000 -0400
@@ -6,35 +6,74 @@
 # Declarations
 #
@ -31819,26 +31833,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -134,82 +188,97 @@
+@@ -134,14 +188,6 @@
 ')
 optional_policy(`
 -	mono_domtrans(unconfined_t)
-+	oddjob_domtrans_mkhomedir(unconfined_t)
+-')
- ')
+-
- 
+-optional_policy(`
 optional_policy(`
 -	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
-+	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-')
 -
 -optional_policy(`
 	oddjob_domtrans_mkhomedir(unconfined_t)
 ')
@@ -154,38 +200,46 @@
 ')
 optional_policy(`
-	oddjob_domtrans_mkhomedir(unconfined_t)
+-	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	# cjp: this should probably be removed:
- ')
+-	postfix_domtrans_master(unconfined_t)
- 
+-')
- optional_policy(`
+-
-	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-
 -optional_policy(`
 -	pyzor_per_role_template(unconfined)
 +	tunable_policy(`allow_unconfined_qemu_transition', `
 +		qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	', `
@ -31849,7 +31870,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	# cjp: this should probably be removed:
 -	rpc_domtrans_nfsd(unconfined_t)
 +	rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
@ -31857,9 +31879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
 +	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	# this is disallowed usage:
 +	unconfined_domain(unconfined_crond_t)
@ -31868,81 +31888,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +	rpm_transition_script(unconfined_crond_t)
 ')
 -
 optional_policy(`
-	pyzor_per_role_template(unconfined)
+ 	samba_per_role_template(unconfined)
-+	samba_per_role_template(unconfined)
+-	samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ 	samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
-	# cjp: this should probably be removed:
+-	spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
 -	rpc_domtrans_nfsd(unconfined_t)
 +	sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
-	rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ 	sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ 	sysnet_dbus_chat_dhcpc(unconfined_t)
 +	sysnet_dbus_chat_dhcpc(unconfined_t)
 +	sysnet_role_transition_dhcpc(unconfined_r)
 ')
 optional_policy(`
-	samba_per_role_template(unconfined)
+@@ -193,23 +247,33 @@
 -	samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 -	samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 -	sysnet_dbus_chat_dhcpc(unconfined_t)
 +	webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+	wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	unconfined_domain(unconfined_mozilla_t)
 +	allow unconfined_mozilla_t self:process { execstack execmem };
 ')
 optional_policy(`
 -	wine_domtrans(unconfined_t)
-+	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+	java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 optional_policy(`
 -	xserver_domtrans_xdm_xserver(unconfined_t)
 +	mono_per_role_template(unconfined, unconfined_t, unconfined_r)
 +	unconfined_domain(unconfined_mono_t)
 +')
 +
 +optional_policy(`
 +	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
 +')
 +
 +optional_policy(`
 +	xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	xserver_xdm_rw_shm(unconfined_t)
 ')
 ########################################
-@@ -219,14 +288,35 @@
+@@ -219,14 +283,35 @@
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
@ -31998,7 +32003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-28 15:32:37.832254000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-29 10:58:27.618425000 -0400
@@ -29,9 +29,14 @@
 	')
@ -34596,7 +34601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -5704,3 +6135,370 @@
+@@ -5704,3 +6135,408 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -34967,6 +34972,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 +
 +
 +########################################
 +## <summary>
 +##	Relabel to all user home directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_relabel_all_home_dirs',`
 +	gen_require(`
 +		type user_home_type;
 +	')
 +
 +	files_search_home($1)
 +	relabel_dirs_pattern($1, user_home_type,  user_home_type)
 +')
 +
 +########################################
 +## <summary>
 +##	Relabel to all user home files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_relabel_all_home_files',`
 +	gen_require(`
 +		type user_home_type;
 +	')
 +
 +	files_search_home($1)
 +	relabel_files_pattern($1, user_home_type,  user_home_type)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.te	2008-04-21 11:02:50.000000000 -0400
@ -35294,7 +35337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f
 +/etc/libvirt/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.3.1/policy/modules/system/virt.if
 --- nsaserefpolicy/policy/modules/system/virt.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.if	2008-04-28 16:10:44.344207000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/virt.if	2008-04-28 16:10:44.000000000 -0400
@@ -0,0 +1,324 @@
 +
 +## <summary>policy for virt</summary>
@ -35622,7 +35665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-04-28 16:24:22.547363000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-04-28 16:24:22.000000000 -0400
@@ -0,0 +1,197 @@
 +
 +policy_module(virt,1.0.0)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 43%{?dist}
+Release: 44%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -385,6 +385,10 @@ exit 0
 %endif
 %changelog
 * Mon Apr 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-44
 - Change unconfined_t to transition to unconfined_mono_t when running mono
 - Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work
 * Mon Apr 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-43
 - Remove old booleans from targeted-booleans.conf file