- Remove homedir_template

2007-10-05 19:47:10 +00:00 · 2007-10-05 19:47:10 +00:00 · 8fd9df6414
commit 8fd9df6414
parent 922f646a26
3 changed files with 250 additions and 93 deletions
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -1,6 +1,6 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = True
+allow_execmem = true
 # Allow making a modified private filemapping executable (text relocation).
 # 
@ -8,7 +8,7 @@ allow_execmod = false
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = True
+allow_execstack = true
 # Allow ftpd to read cifs directories.
 # 
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -1268,6 +1268,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.8/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2007-09-12 10:34:51.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te	2007-10-05 09:50:03.000000000 -0400
@@ -33,4 +33,5 @@
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
 	hal_write_log(vbetool_t)
 +	hal_dontaudit_append_lib_files(vbetool_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.0.8/policy/modules/admin/vpn.fc
 --- nsaserefpolicy/policy/modules/admin/vpn.fc	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/vpn.fc	2007-10-03 11:10:24.000000000 -0400
@ -1277,6 +1286,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc
 /sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
 +
 +/var/run/vpnc(/.*)?		gen_context(system_u:object_r:vpnc_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.0.8/policy/modules/admin/vpn.if
 --- nsaserefpolicy/policy/modules/admin/vpn.if	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/vpn.if	2007-10-05 10:12:04.000000000 -0400
@@ -67,3 +67,25 @@
 	allow $1 vpnc_t:process signal;
 ')
 +
 +########################################
 +## <summary>
 +##	Send and receive messages from
 +##	Vpnc over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`vpnc_dbus_chat',`
 +	gen_require(`
 +		type vpnc_t;
 +		class dbus send_msg;
 +	')
 +
 +	allow $1 vpnc_t:dbus send_msg;
 +	allow vpnc_t $1:dbus send_msg;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2007-07-25 10:37:43.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/vpn.te	2007-10-03 11:10:24.000000000 -0400
@ -2716,7 +2754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-10-05 10:05:26.000000000 -0400
@@ -343,8 +343,7 @@
 ########################################
@ -2826,7 +2864,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
-@@ -3323,6 +3377,42 @@
+@@ -3198,6 +3252,44 @@
 ########################################
 ## <summary>
 +##	Allow attempts to get the attributes
 +##	of all tmp files. 
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain not to audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_getattr_all_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
 +	allow $1 tmpfile:file getattr;
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to get the attributes
 +##	of all tmp sock_file. 
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain not to audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`files_dontaudit_getattr_all_tmp_sockets',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
 +	dontaudit $1 tmpfile:sock_file getattr;
 +')
 +
 +########################################
 +## <summary>
 ##	Read all tmp files.
 ## </summary>
 ## <param name="domain">
@@ -3323,6 +3415,42 @@
 ########################################
 ## <summary>
@ -2869,7 +2952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	Get the attributes of files in /usr.
 ## </summary>
 ## <param name="domain">
-@@ -3381,7 +3471,7 @@
+@@ -3381,7 +3509,7 @@
 ########################################
 ## <summary>
@ -2878,7 +2961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3389,17 +3479,17 @@
+@@ -3389,17 +3517,17 @@
 ##	</summary>
 ## </param>
 #
@ -2899,7 +2982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3407,12 +3497,12 @@
+@@ -3407,12 +3535,12 @@
 ##	</summary>
 ## </param>
 #
@ -2914,7 +2997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 ########################################
-@@ -4043,7 +4133,7 @@
+@@ -4043,7 +4171,7 @@
 		type var_t, var_lock_t;
 	')
@ -2923,7 +3006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 ########################################
-@@ -4560,6 +4650,8 @@
+@@ -4560,6 +4688,8 @@
 	# Need to give access to /selinux/member
 	selinux_compute_member($1)
@ -2932,7 +3015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 	# Need sys_admin capability for mounting
 	allow $1 self:capability { chown fsetid sys_admin };
-@@ -4582,6 +4674,11 @@
+@@ -4582,6 +4712,11 @@
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
@ -2944,7 +3027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 ########################################
-@@ -4619,3 +4716,28 @@
+@@ -4619,3 +4754,28 @@
 	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
 ')
@ -3003,7 +3086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-10-04 12:58:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-10-05 10:23:56.000000000 -0400
@@ -271,45 +271,6 @@
 ########################################
@ -3146,7 +3229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2007-10-05 13:59:53.000000000 -0400
@@ -80,6 +80,7 @@
 type fusefs_t;
 fs_noxattr_type(fusefs_t)
@ -3155,6 +3238,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
 genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
@@ -133,6 +134,11 @@
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)
 +type squash_t;
 +fs_type(squash_t)
 +genfscon squash / gen_context(system_u:object_r:squash_t,s0)
 +files_mountpoint(squash_t)
 +
 type vxfs_t;
 fs_noxattr_type(vxfs_t)
 files_mountpoint(vxfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-08-22 07:14:06.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if	2007-10-03 11:10:24.000000000 -0400
@ -5196,7 +5291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-10-05 09:02:24.000000000 -0400
@@ -48,9 +48,8 @@
 type hplip_t;
 type hplip_exec_t;
@ -5293,15 +5388,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
-@@ -202,6 +206,7 @@
+@@ -196,12 +200,9 @@
- files_dontaudit_getattr_all_tmp_files(cupsd_t)
+ files_read_var_symlinks(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
 -# smbspool seems to be iterating through all existing tmp files.
 -# redhat bug #214953
 -# cjp: this might be a broken behavior
 -files_dontaudit_getattr_all_tmp_files(cupsd_t)
 selinux_compute_access_vector(cupsd_t)
 +selinux_validate_context(cupsd_t)
 init_exec_script_files(cupsd_t)
-@@ -221,17 +226,37 @@
+@@ -221,17 +222,37 @@
 sysnet_read_config(cupsd_t)
@ -5339,7 +5440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	apm_domtrans_client(cupsd_t)
 ')
-@@ -263,16 +288,16 @@
+@@ -263,16 +284,16 @@
 ')
 optional_policy(`
@ -5360,7 +5461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	seutil_sigchld_newrole(cupsd_t)
 ')
-@@ -377,6 +402,14 @@
+@@ -377,6 +398,14 @@
 ')
 optional_policy(`
@ -5375,7 +5476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
-@@ -393,6 +426,7 @@
+@@ -393,6 +422,7 @@
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
@ -5383,7 +5484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 ')
 optional_policy(`
-@@ -525,11 +559,9 @@
+@@ -525,11 +555,9 @@
 allow hplip_t cupsd_etc_t:dir search;
 cups_stream_connect(hplip_t)
@ -5398,7 +5499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
 files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -560,7 +592,7 @@
+@@ -560,7 +588,7 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
@ -5407,7 +5508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
-@@ -587,8 +619,6 @@
+@@ -587,8 +615,6 @@
 userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
@ -5416,6 +5517,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 optional_policy(`
 	seutil_sigchld_newrole(hplip_t)
 ')
@@ -668,3 +694,15 @@
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
 +
 +
 +# This whole section needs to be moved to a smbspool policy
 +# smbspool seems to be iterating through all existing tmp files.
 +# Looking for kerberos files
 +files_getattr_all_tmp_files(cupsd_t)
 +userdom_read_unpriv_users_tmp_files(cupsd_t)
 +files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
 +
 +optional_policy(`
 +	unconfined_read_tmp_files(cupsd_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.8/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/cvs.te	2007-10-03 11:10:24.000000000 -0400
@ -6062,8 +6179,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/exim.te	2007-10-05 09:27:09.000000000 -0400
-@@ -0,0 +1,227 @@
+@@ -0,0 +1,229 @@
 +# $Id: exim.te 687 2007-09-09 00:19:41Z aqua $
 +# Draft SELinux refpolicy module for the Exim MTA
 +# 
@ -6173,6 +6290,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +files_search_var(exim_t)
 +files_read_etc_files(exim_t)
 +
 +fs_getattr_xattr_fs(exim_t)
 +
 +kernel_read_kernel_sysctls(exim_t)
 +kernel_dontaudit_read_system_state(exim_t)
 +
@ -6387,7 +6506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.fc	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.fc	2007-10-05 15:23:01.000000000 -0400
@@ -13,9 +13,12 @@
 /var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
@ -6403,8 +6522,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-05 11:48:00.000000000 -0400
-@@ -93,6 +93,7 @@
+@@ -49,6 +49,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
 +typealias hald_log_t alias pmtools_log_t;
 +typealias hald_var_run_t alias pmtools_var_run_t;
 +
 ########################################
 #
 # Local policy
@@ -70,7 +73,7 @@
 manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
 # log files for hald
 -allow hald_t hald_log_t:file manage_file_perms;
 +manage_files_pattern(hald_t, hald_log_t, hald_log_t)
 logging_log_filetrans(hald_t,hald_log_t,file)
 manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
@@ -93,6 +96,7 @@
 kernel_rw_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
@ -6412,7 +6550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 auth_read_pam_console_data(hald_t)
-@@ -155,6 +156,8 @@
+@@ -155,6 +159,8 @@
 selinux_compute_relabel_context(hald_t)
 selinux_compute_user_contexts(hald_t)
@ -6421,7 +6559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 storage_raw_read_removable_device(hald_t)
 storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
-@@ -293,6 +296,7 @@
+@@ -293,6 +299,7 @@
 #
 allow hald_acl_t self:capability { dac_override fowner };
@ -6429,7 +6567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 allow hald_acl_t self:fifo_file read_fifo_file_perms;
 domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -344,6 +348,8 @@
+@@ -344,6 +351,8 @@
 files_read_usr_files(hald_mac_t)
@ -7257,7 +7395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +/var/log/wpa_supplicant.log	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-15 14:54:33.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2007-10-05 10:11:35.000000000 -0400
@@ -97,3 +97,24 @@
 	allow $1 NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t $1:dbus send_msg;
@ -8434,13 +8572,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
 --- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te	2007-10-05 13:58:37.000000000 -0400
@@ -21,11 +21,13 @@
 # rpcbind local policy
 #
 -allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { setuid sys_tty_config };
+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
 allow rpcbind_t self:fifo_file rw_file_perms;
 allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
 allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
@ -13968,7 +14106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-05 14:12:30.000000000 -0400
@@ -5,28 +5,38 @@
 #
 # Declarations
@ -14041,17 +14179,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 optional_policy(`
 -	ada_domtrans(unconfined_t)
-+	ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+-')
- ')
+-
- 
+-optional_policy(`
 optional_policy(`
 -	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 -	apache_per_role_template(unconfined,unconfined_t,unconfined_r)
 -	# this is disallowed usage:
 -	unconfined_domain(httpd_unconfined_script_t)
-')
+	ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-
+ ')
-optional_policy(`
+ 
 optional_policy(`
 -	bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
@ -14069,7 +14207,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -118,11 +122,11 @@
+@@ -107,6 +111,10 @@
 	optional_policy(`
 		oddjob_dbus_chat(unconfined_t)
 	')
 +
 +	optional_policy(`
 +		vpnc_dbus_chat(unconfined_t)
 +	')
 ')
 optional_policy(`
@@ -118,11 +126,11 @@
 ')
 optional_policy(`
@ -14083,7 +14232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -134,11 +138,7 @@
+@@ -134,11 +142,7 @@
 ')
 optional_policy(`
@ -14096,7 +14245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -155,32 +155,23 @@
+@@ -155,32 +159,23 @@
 optional_policy(`
 	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -14133,7 +14282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -205,11 +196,18 @@
+@@ -205,11 +200,18 @@
 ')
 optional_policy(`
@ -14154,7 +14303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 ########################################
-@@ -225,8 +223,20 @@
+@@ -225,8 +227,20 @@
 	init_dbus_chat_script(unconfined_execmem_t)
 	unconfined_dbus_chat(unconfined_execmem_t)
@ -14186,7 +14335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-04 17:33:14.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-05 14:11:08.000000000 -0400
@@ -29,8 +29,9 @@
 	')
@ -14699,7 +14848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		allow $1_t self:dbus send_msg;
 		dbus_system_bus_client_template($1,$1_t)
-@@ -834,21 +780,18 @@
+@@ -834,20 +780,20 @@
 		')
 		optional_policy(`
@ -14719,13 +14868,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +			evolution_alarm_dbus_chat($1,$1_t)
 		')
-		optional_policy(`
+ 		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
-		')
+			vpnc_dbus_chat($1_t)
 		')
 	')
- 	optional_policy(`
+@@ -876,17 +822,17 @@
@@ -876,17 +819,17 @@
 	')
 	optional_policy(`
@ -14751,7 +14900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	optional_policy(`
-@@ -900,16 +843,6 @@
+@@ -900,16 +846,6 @@
 	')
 	optional_policy(`
@ -14768,7 +14917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		resmgr_stream_connect($1_t)
 	')
-@@ -919,11 +852,6 @@
+@@ -919,11 +855,6 @@
 	')
 	optional_policy(`
@ -14780,7 +14929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		samba_stream_connect_winbind($1_t)
 	')
-@@ -954,21 +882,165 @@
+@@ -954,21 +885,165 @@
 ##	</summary>
 ## </param>
 #
@ -14952,7 +15101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	domain_interactive_fd($1_t)
 	typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1049,51 @@
+@@ -977,23 +1052,51 @@
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
@ -15015,24 +15164,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1129,7 @@
+@@ -1029,20 +1132,12 @@
 	# and may change other protocols
 	tunable_policy(`user_tcp_server',`
 		corenet_tcp_bind_all_nodes($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
-	')
+		corenet_tcp_bind_all_unreserved_ports($1_t)
-
+ 	')
-	optional_policy(`
+ 
 	optional_policy(`
 -		kerberos_use($1_t)
 -	')
 -
 -	optional_policy(`
 -		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-+		corenet_tcp_bind_all_unreserved_ports($1_t)
+-	')
 -
 -	optional_policy(`
 -		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 -		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')
- 	optional_policy(`
+ 	# Run pppd in pppd_t by default for user
-@@ -1054,17 +1146,6 @@
+@@ -1054,17 +1149,6 @@
 		setroubleshoot_stream_connect($1_t)
 	')
@ -15050,7 +15206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 #######################################
-@@ -1102,6 +1183,8 @@
+@@ -1102,6 +1186,8 @@
 		class passwd { passwd chfn chsh rootok crontab };
 	')
@ -15059,7 +15215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	##############################
 	#
 	# Declarations
-@@ -1127,7 +1210,7 @@
+@@ -1127,7 +1213,7 @@
 	# $1_t local policy
 	#
@ -15068,7 +15224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow $1_t self:process { setexec setfscreate };
 	# Set password information for other users.
-@@ -1139,7 +1222,11 @@
+@@ -1139,7 +1225,11 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
@ -15081,7 +15237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1642,9 +1729,11 @@
+@@ -1642,9 +1732,11 @@
 template(`userdom_user_home_content',`
 	gen_require(`
 		attribute $1_file_type;
@ -15093,7 +15249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	files_type($2)
 ')
-@@ -1894,10 +1983,46 @@
+@@ -1894,10 +1986,46 @@
 template(`userdom_manage_user_home_content_dirs',`
 	gen_require(`
 		type $1_home_dir_t, $1_home_t;
@ -15141,7 +15297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -3078,7 +3203,7 @@
+@@ -3078,7 +3206,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
@ -15150,7 +15306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4740,24 @@
+@@ -4615,6 +4743,24 @@
 	files_list_home($1)
 	allow $1 home_dir_type:dir search_dir_perms;
 ')
@ -15175,7 +15331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ########################################
 ## <summary>
-@@ -4633,6 +4776,14 @@
+@@ -4633,6 +4779,14 @@
 	files_list_home($1)
 	allow $1 home_dir_type:dir list_dir_perms;
@ -15190,7 +15346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5323,7 +5474,7 @@
+@@ -5323,7 +5477,7 @@
 		attribute user_tmpfile;
 	')
@ -15199,7 +15355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5559,3 +5710,380 @@
+@@ -5559,3 +5713,380 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -15422,24 +15578,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +		cups_dbus_chat($1_usertype)
 +	')
 +
 +')
 +
-+optional_policy(`
+	optional_policy(`
-+	consolekit_dbus_chat($1_usertype)
+		consolekit_dbus_chat($1_usertype)
-+')
+	')
 +
-+optional_policy(`
+	optional_policy(`
-+	java_per_role_template($1, $1_t, $1_r)
+		java_per_role_template($1, $1_t, $1_r)
-+')
+	')
 +
-+optional_policy(`
+	optional_policy(`
-+	mono_per_role_template($1, $1_t, $1_r)
+		networkmanager_dontaudit_dbus_chat($1_t)
-+')
+	')
 +
-+optional_policy(`
+	optional_policy(`
-+	networkmanager_dontaudit_dbus_chat($1_usertype)
+		mono_per_role_template($1, $1_t, $1_r)
-+')
+	')
 +
 +')
 +optional_policy(`
 +	setroubleshoot_dontaudit_stream_connect($1_usertype)
 +')
@ -15582,7 +15738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te	2007-10-05 08:59:51.000000000 -0400
@@ -24,13 +24,6 @@
 ## <desc>
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -150,9 +150,9 @@ fi
 %define loadpolicy() \
 ( cd /usr/share/selinux/%1; \
-semodule %2 -b base.pp %{expand:%%moduleList %1} -s %1; \
+semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
 );\
-rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
+rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew;
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
@ -285,15 +285,14 @@ SELinux Reference policy targeted base module.
 %post targeted
 semodule -s targeted -r moilscanner 2>/dev/null
 %loadpolicy targeted
 if [ $1 = 1 ]; then
 semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 
 semanage user -a -P guest -R guest_r guest_u
 semanage user -a -P xguest -R xguest_r xguest_u 
 # Don't load on initial install
 %loadpolicy targeted
 else
 %loadpolicy targeted
 %relabel targeted
 fi
 exit 0
@ -330,6 +329,7 @@ SELinux Reference policy olpc base module.
 %post olpc 
 %loadpolicy olpc
 if [ $1 != 1 ]; then
 %relabel olpc
 fi
@ -359,6 +359,7 @@ SELinux Reference policy mls base module.
 %post mls 
 %loadpolicy mls
 if [ $1 != 1 ]; then
 %relabel mls
 fi