first part of dans patch Tue, 11 Apr 2006 09:25:24 -0400

2006-04-12 15:04:28 +00:00 · 2006-04-12 15:04:28 +00:00 · 8cfa5a00e1
commit 8cfa5a00e1
parent 03631a52df
29 changed files with 136 additions and 48 deletions
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@ -1,5 +1,5 @@
-policy_module(rpm,1.3.3)
+policy_module(rpm,1.3.4)
 ########################################
 #
@ -117,6 +117,7 @@ fs_search_auto_mountpoints(rpm_t)
 mls_file_read_up(rpm_t)
 mls_file_write_down(rpm_t)
 mls_file_upgrade(rpm_t)
 mls_file_downgrade(rpm_t)
 selinux_get_fs_mount(rpm_t)
 selinux_validate_context(rpm_t)
--- a/refpolicy/policy/modules/apps/java.fc
+++ b/refpolicy/policy/modules/apps/java.fc
@ -1,3 +1,8 @@
 #
 # /opt
 #
 /opt(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
 #
 # /usr
 #
--- a/refpolicy/policy/modules/apps/java.te
+++ b/refpolicy/policy/modules/apps/java.te
@ -1,5 +1,5 @@
-policy_module(java,1.1.0)
+policy_module(java,1.1.1)
 ########################################
 #
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
@ -72,6 +72,8 @@ ifdef(`distro_suse', `
 /dev/dri/.+		-c	gen_context(system_u:object_r:dri_device_t,s0)
 /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@
-policy_module(devices,1.1.8)
+policy_module(devices,1.1.9)
 ########################################
 #
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@ -197,6 +197,27 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t self:lnk_file read;
 	')
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
 		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_raw_sendrecv_all_if(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
 		corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
 		corenet_tcp_bind_all_nodes(httpd_$1_script_t)
 		corenet_udp_bind_all_nodes(httpd_$1_script_t)
 		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
 		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
 		sysnet_read_config(httpd_$1_script_t)
 	')
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@ -1,5 +1,5 @@
-policy_module(apache,1.3.5)
+policy_module(apache,1.3.6)
 #
 # NOTES: 
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@ -1,5 +1,5 @@
-policy_module(automount,1.2.1)
+policy_module(automount,1.2.2)
 ########################################
 #
@ -123,6 +123,7 @@ logging_send_syslog_msg(automount_t)
 logging_search_logs(automount_t)
 miscfiles_read_localization(automount_t)
 miscfiles_read_certs(automount_t)
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@ -1,5 +1,5 @@
-policy_module(bluetooth,1.2.3)
+policy_module(bluetooth,1.2.4)
 ########################################
 #
@ -41,7 +41,7 @@ files_pid_file(bluetooth_var_run_t)
 # Bluetooth services local policy
 #
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_file_perms;
@ -176,9 +176,10 @@ allow bluetooth_helper_t self:tcp_socket create_socket_perms;
 allow bluetooth_helper_t bluetooth_t:socket { read write };
-allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
+allow bluetooth_helper_t bluetooth_helper_tmp_t:dir manage_dir_perms;
-allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
+allow bluetooth_helper_t bluetooth_helper_tmp_t:file manage_file_perms;
-files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
+allow bluetooth_helper_t bluetooth_helper_tmp_t:sock_file manage_file_perms;
 files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
 kernel_read_system_state(bluetooth_helper_t)
 kernel_read_kernel_sysctls(bluetooth_helper_t)
@ -213,6 +214,8 @@ ifdef(`targeted_policy',`
 	fs_rw_tmpfs_files(bluetooth_helper_t)
 	term_dontaudit_use_generic_ptys(bluetooth_helper_t)
 	unconfined_stream_connect(bluetooth_helper_t)
 	userdom_read_all_users_home_content_files(bluetooth_helper_t)
@ -223,6 +226,7 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
 	bluetooth_dbus_chat(bluetooth_helper_t)
 	dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
 	dbus_connect_system_bus(bluetooth_helper_t)
 	dbus_send_system_bus(bluetooth_helper_t)
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@ -1,5 +1,5 @@
-policy_module(cups,1.3.2)
+policy_module(cups,1.3.3)
 ########################################
 #
@ -110,7 +110,7 @@ allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 allow cupsd_t cupsd_var_run_t:file create_file_perms;
-allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
+allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
 allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
 files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@ -1,5 +1,5 @@
-policy_module(dbus,1.2.1)
+policy_module(dbus,1.2.2)
 gen_require(`
 	class dbus { send_msg acquire_svc };
@ -102,6 +102,7 @@ libs_use_shared_libs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 miscfiles_read_localization(system_dbusd_t)
 miscfiles_read_certs(system_dbusd_t)
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@ -1,5 +1,5 @@
-policy_module(ftp,1.2.1)
+policy_module(ftp,1.2.2)
 ########################################
 #
@ -62,6 +62,7 @@ allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
 # Create and modify /var/log/xferlog.
 allow ftpd_t xferlog_t:dir search_dir_perms;
 allow ftpd_t xferlog_t:file create_file_perms;
 logging_log_filetrans(ftpd_t,xferlog_t,file)
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@ -1,5 +1,5 @@
-policy_module(gpm,1.1.1)
+policy_module(gpm,1.1.2)
 ########################################
 #
@ -54,8 +54,7 @@ kernel_read_proc_symlinks(gpm_t)
 dev_read_sysfs(gpm_t)
 # Access the mouse.
-# cjp: why write?
+dev_rw_input_dev(gpm_t)
 dev_rw_input_dev(event_device_t)
 dev_rw_mouse(gpm_t)
 fs_getattr_all_fs(gpm_t)
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@ -1,5 +1,5 @@
-policy_module(hal,1.3.2)
+policy_module(hal,1.3.3)
 ########################################
 #
@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
 #
 # execute openvt which needs setuid
-allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
@ -52,6 +52,9 @@ kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 files_search_boot(hald_t)
 files_getattr_home_dir(hald_t)
 auth_read_pam_console_data(hald_t)
 corecmd_exec_bin(hald_t)
 corecmd_exec_sbin(hald_t)
@ -93,6 +96,7 @@ files_search_var_lib(hald_t)
 files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
 files_getattr_default_dirs(hald_t)
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@ -1,5 +1,5 @@
-policy_module(mysql,1.2.0)
+policy_module(mysql,1.2.1)
 ########################################
 #
@ -104,6 +104,7 @@ logging_send_syslog_msg(mysqld_t)
 miscfiles_read_localization(mysqld_t)
 sysnet_use_ldap(mysqld_t)
 sysnet_read_config(mysqld_t)
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.0)
+policy_module(networkmanager,1.3.1)
 ########################################
 #
@ -155,6 +155,7 @@ optional_policy(`
 optional_policy(`
 	nscd_socket_use(NetworkManager_t)
 	nscd_signal(NetworkManager_t)
 ')
 optional_policy(`
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@ -1,5 +1,23 @@
 ## <summary>Name service cache daemon</summary>
 ########################################
 ## <summary>
 ##	Send generic signals to NSCD.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`nscd_signal',`
 	gen_require(`
 		type nscd_t;
 	')
 	allow $1 nscd_t:process signal;
 ')
 ########################################
 ## <summary>
 ##	Execute NSCD in the nscd domain.
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@ -1,5 +1,5 @@
-policy_module(nscd,1.2.1)
+policy_module(nscd,1.2.2)
 gen_require(`
 	class nscd all_nscd_perms;
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@ -1,5 +1,5 @@
-policy_module(rsync,1.2.0)
+policy_module(rsync,1.2.1)
 ########################################
 #
@ -65,6 +65,7 @@ corenet_udp_sendrecv_all_ports(rsync_t)
 corenet_non_ipsec_sendrecv(rsync_t)
 corenet_tcp_bind_all_nodes(rsync_t)
 corenet_udp_bind_all_nodes(rsync_t)
 corenet_tcp_bind_rsync_port(rsync_t)
 dev_read_urand(rsync_t)
@ -73,10 +74,13 @@ fs_getattr_xattr_fs(rsync_t)
 files_read_etc_files(rsync_t)
 files_search_home(rsync_t)
 init_dontaudit_use_fds(rsync_t)
 libs_use_ld_so(rsync_t)
 libs_use_shared_libs(rsync_t)
 logging_send_syslog_msg(rsync_t)
 logging_dontaudit_search_logs(rsync_t)
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@ -1,5 +1,5 @@
-policy_module(samba,1.2.2)
+policy_module(samba,1.2.3)
 #################################
 #
@ -193,6 +193,8 @@ allow smbd_t samba_log_t:dir ra_dir_perms;
 dontaudit smbd_t samba_log_t:dir remove_name;
 allow smbd_t samba_log_t:file { create ra_file_perms };
 allow smbd_t samba_net_tmp_t:file getattr;
 allow smbd_t samba_secrets_t:dir rw_dir_perms;
 allow smbd_t samba_secrets_t:file create_file_perms;
 type_transition smbd_t samba_etc_t:file samba_secrets_t;
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@ -1,5 +1,5 @@
-policy_module(snmp,1.1.0)
+policy_module(snmp,1.1.1)
 ########################################
 #
@ -49,6 +49,7 @@ allow snmpd_t snmpd_var_run_t:file create_file_perms;
 allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
 kernel_read_device_sysctls(snmpd_t)
 kernel_read_kernel_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
--- a/refpolicy/policy/modules/system/getty.fc
+++ b/refpolicy/policy/modules/system/getty.fc
@ -6,3 +6,5 @@
 /var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 /var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@ -1,5 +1,5 @@
-policy_module(getty,1.1.1)
+policy_module(getty,1.1.2)
 ########################################
 #
@ -109,6 +109,10 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_generic_ptys(getty_t)
 ')
 optional_policy(`
 	mta_send_mail(getty_t)
 ')
 optional_policy(`
 	nscd_socket_use(getty_t)
 ')
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@ -33,6 +33,8 @@ ifdef(`distro_redhat',`
 #
 /opt(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
 /opt/.*/jre.*/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/.*/jre.*/libjvm.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 #
 # /sbin
@ -55,17 +57,24 @@ ifdef(`distro_redhat',`
 /usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/pgsql/test/regress/.*\.so --	gen_context(system_u:object_r:shlib_t,s0)
+/usr/lib(64)?/pgsql/test/regress/.*\.so	--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware(.*/)?/VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -76,6 +85,7 @@ ifdef(`distro_redhat',`
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ifdef(`distro_redhat',`
 /usr/lib(64)?/.*/program/.*\.so.*		gen_context(system_u:object_r:shlib_t,s0)
@ -92,6 +102,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -168,15 +179,16 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textre
 /usr/lib(64)?/libdivxencore.so.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 # vmware 
-/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/.*/jre.*/libdeploy.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/.*/jre.*/libjvm.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
+/usr(/.*)?/intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
 ifdef(`distro_suse',`
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@ -1,5 +1,5 @@
-policy_module(libraries,1.3.3)
+policy_module(libraries,1.3.4)
 ########################################
 #
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@ -1,5 +1,5 @@
-policy_module(mount,1.3.3)
+policy_module(mount,1.3.4)
 ########################################
 #
@ -19,7 +19,8 @@ files_tmp_file(mount_tmp_t)
 # mount local policy
 #
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config };
+# setuid/setgid needed to mount cifs 
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 allow mount_t mount_tmp_t:file create_file_perms;
 allow mount_t mount_tmp_t:dir create_dir_perms;
@ -44,6 +45,7 @@ storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
 fs_getattr_xattr_fs(mount_t)
 fs_getattr_cifs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@ -55,7 +55,7 @@ interface(`unconfined_domain_noaudit',`
 	tunable_policy(`allow_execmem && allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execstack;
-		auditallow $1 self:process execstack;
+#		auditallow $1 self:process execstack;
 	', `
 		# These are fairly common but seem to be harmless
 		# caused by using shared libraries built with old tool chains
@ -109,9 +109,10 @@ interface(`unconfined_domain',`
 		auditallow $1 self:process execheap;
 	')
-	tunable_policy(`allow_execmem',`
+# Turn off this audit for FC5
-		auditallow $1 self:process execmem;
+#	tunable_policy(`allow_execmem',`
-	')
+#		auditallow $1 self:process execmem;
 #	')
 ')
 ########################################
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.3)
+policy_module(unconfined,1.3.4)
 ########################################
 #
@ -41,6 +41,10 @@ ifdef(`targeted_policy',`
 	userdom_unconfined(unconfined_t)
 	userdom_priveleged_home_dir_manager(unconfined_t)
 #	optional_policy(`
 #		ada_domtrans(unconfined_t)
 #	')
 	optional_policy(`
 		amanda_domtrans_recover(unconfined_t)
 	')
@ -105,10 +109,6 @@ ifdef(`targeted_policy',`
 		mono_domtrans(unconfined_t)
 	')
 	optional_policy(`
 		netutils_domtrans_ping(unconfined_t)
 	')
 	optional_policy(`
 		portmap_domtrans_helper(unconfined_t)
 	')
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.10)
+policy_module(userdomain,1.3.11)
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@ -181,8 +181,9 @@ ifdef(`targeted_policy',`
 		logging_read_audit_log(secadm_t)
 		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 		files_relabel_all_files(secadm_t)
 		auth_relabel_shadow(secadm_t)
 	', `
 		logging_domtrans_auditctl(sysadm_t)
 		logging_read_audit_log(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
 	')