- Pass the UNK_PERMS param to makefile

- Fix gdm location
2007-10-13 14:15:08 +00:00 · 2007-10-13 14:15:08 +00:00 · 9185bf2fee
commit 9185bf2fee
parent ce77000b95
2 changed files with 166 additions and 77 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -2763,6 +2763,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 	auth_manage_pam_pid($1_userhelper_t)
 	auth_manage_var_auth($1_userhelper_t)
 	auth_search_pam_console_data($1_userhelper_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.8/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-09-12 10:34:49.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/apps/vmware.fc	2007-10-12 08:22:18.000000000 -0400
@@ -30,10 +30,12 @@
 /usr/lib/vmware/config		--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
 /usr/lib/vmware/bin/vmware-mks	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib/vmware/bin/vmware-ui	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 +/usr/lib/vmware/bin/vmplayer  --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib64/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
 /usr/lib64/vmware/bin/vmware-mks --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib64/vmware/bin/vmware-ui --	gen_context(system_u:object_r:vmware_exec_t,s0)
 +/usr/lib64/vmware/bin/vmplayer  --	gen_context(system_u:object_r:vmware_exec_t,s0)
 ifdef(`distro_gentoo',`
 /opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2007-09-12 10:34:49.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/apps/vmware.te	2007-10-03 11:10:24.000000000 -0400
@ -3609,7 +3625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-10-10 16:06:13.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-10-12 11:58:32.000000000 -0400
@@ -271,45 +271,6 @@
 ########################################
@ -4117,7 +4133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-10-12 09:25:42.000000000 -0400
@@ -18,10 +18,6 @@
 		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
@ -7433,16 +7449,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mailman.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mailman.te	2007-10-12 09:27:35.000000000 -0400
-@@ -55,6 +55,7 @@
+@@ -55,6 +55,8 @@
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
 	apache_search_sys_script_state(mailman_cgi_t)
 +	apache_read_config(mailman_cgi_t)
 +	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
 	optional_policy(`
 		nscd_socket_use(mailman_cgi_t)
-@@ -96,6 +97,7 @@
+@@ -96,6 +98,7 @@
 kernel_read_proc_symlinks(mailman_queue_t)
 auth_domtrans_chk_passwd(mailman_queue_t)
@ -8616,7 +8633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postfix.te	2007-10-12 09:13:21.000000000 -0400
@@ -6,6 +6,14 @@
 # Declarations
 #
@ -8656,7 +8673,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ########################################
 #
 # Postfix master process local policy
-@@ -164,10 +182,9 @@
+@@ -93,6 +111,7 @@
 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
 +allow postfix_master_t self:process setrlimit;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
@@ -164,10 +183,11 @@
 # postfix does a "find" on startup for some reason - keep it quiet
 seutil_dontaudit_search_config(postfix_master_t)
@ -8664,11 +8689,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 -
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 +mta_getattr_spool(postfix_master_t)
 +
 +term_dontaudit_search_ptys(postfix_master_t)
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
-@@ -179,7 +196,11 @@
+@@ -179,7 +199,11 @@
 ')
 optional_policy(`
@ -8681,7 +8708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ')
 ###########################################################
-@@ -263,6 +284,8 @@
+@@ -263,6 +287,8 @@
 files_read_etc_files(postfix_local_t)
@ -8690,7 +8717,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
-@@ -336,8 +359,6 @@
+@@ -275,6 +301,7 @@
 optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_local_t)
 +	mailman_append_log(postfix_local_t)
 ')
 optional_policy(`
@@ -336,8 +363,6 @@
 seutil_read_config(postfix_map_t)
@ -8699,7 +8734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 tunable_policy(`read_default_t',`
 	files_list_default(postfix_map_t)
 	files_read_default_files(postfix_map_t)
-@@ -377,7 +398,7 @@
+@@ -377,7 +402,7 @@
 # Postfix pipe local policy
 #
@ -8708,7 +8743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-@@ -386,6 +407,10 @@
+@@ -386,6 +411,10 @@
 rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
 optional_policy(`
@ -8719,7 +8754,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	procmail_domtrans(postfix_pipe_t)
 ')
-@@ -418,14 +443,17 @@
+@@ -394,6 +423,10 @@
 ')
 optional_policy(`
 +	mta_manage_spool(postfix_pipe_t)
 +')
 +
 +optional_policy(`
 	uucp_domtrans_uux(postfix_pipe_t)
 ')
@@ -418,14 +451,17 @@
 term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
@ -8739,7 +8785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 optional_policy(`
 	ppp_use_fds(postfix_postqueue_t)
 	ppp_sigchld(postfix_postqueue_t)
-@@ -454,8 +482,6 @@
+@@ -454,8 +490,6 @@
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
@ -8748,7 +8794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ########################################
 #
 # Postfix qmgr local policy
-@@ -498,15 +524,11 @@
+@@ -498,15 +532,11 @@
 term_use_all_user_ptys(postfix_showq_t)
 term_use_all_user_ttys(postfix_showq_t)
@ -8764,7 +8810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 # connect to master process
 stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -514,6 +536,8 @@
+@@ -514,6 +544,8 @@
 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@ -8773,7 +8819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
-@@ -538,9 +562,45 @@
+@@ -538,9 +570,45 @@
 mta_read_aliases(postfix_smtpd_t)
 optional_policy(`
@ -10831,7 +10877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.
 dev_read_sysfs(xfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc	2007-10-08 13:25:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc	2007-10-13 10:12:41.000000000 -0400
@@ -32,11 +32,6 @@
 /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
@ -10844,7 +10890,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 #
 # /opt
 #
-@@ -92,13 +87,16 @@
+@@ -59,6 +54,7 @@
 /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/sbin/gdm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth		--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -92,13 +88,16 @@
 /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
@ -15135,7 +15189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-11 16:34:44.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-12 11:59:04.000000000 -0400
@@ -29,8 +29,9 @@
 	')
@ -15730,7 +15784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		samba_stream_connect_winbind($1_t)
 	')
-@@ -954,21 +886,165 @@
+@@ -954,21 +886,167 @@
 ##	</summary>
 ## </param>
 #
@ -15823,6 +15877,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	fs_search_auto_mountpoints($1_usertype)
 +	fs_list_inotifyfs($1_usertype)
 +
 +	fs_rw_anon_inodefs_files($1_usertype)
 +
 +	# Stop warnings about access to /dev/console
 +	init_dontaudit_rw_utmp($1_usertype)
 +	init_dontaudit_use_fds($1_usertype)
@ -15902,7 +15958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	domain_interactive_fd($1_t)
 	typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1053,51 @@
+@@ -977,23 +1055,51 @@
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
@ -15965,31 +16021,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,20 +1133,12 @@
+@@ -1029,15 +1135,7 @@
 	# and may change other protocols
 	tunable_policy(`user_tcp_server',`
 		corenet_tcp_bind_all_nodes($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
-+		corenet_tcp_bind_all_unreserved_ports($1_t)
+-	')
- 	')
+-
- 
+-	optional_policy(`
 	optional_policy(`
 -		kerberos_use($1_t)
 -	')
 -
 -	optional_policy(`
 -		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-	')
+		corenet_tcp_bind_all_unreserved_ports($1_t)
 -
 -	optional_policy(`
 -		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 -		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')
- 	# Run pppd in pppd_t by default for user
+ 	optional_policy(`
-@@ -1054,17 +1150,6 @@
+@@ -1054,17 +1152,6 @@
 		setroubleshoot_stream_connect($1_t)
 	')
@ -16007,7 +16056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 #######################################
-@@ -1102,6 +1187,8 @@
+@@ -1102,6 +1189,8 @@
 		class passwd { passwd chfn chsh rootok crontab };
 	')
@ -16016,7 +16065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	##############################
 	#
 	# Declarations
-@@ -1127,7 +1214,7 @@
+@@ -1127,7 +1216,7 @@
 	# $1_t local policy
 	#
@ -16025,7 +16074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow $1_t self:process { setexec setfscreate };
 	# Set password information for other users.
-@@ -1139,7 +1226,11 @@
+@@ -1139,7 +1228,11 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
@ -16038,7 +16087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1642,9 +1733,13 @@
+@@ -1642,9 +1735,13 @@
 template(`userdom_user_home_content',`
 	gen_require(`
 		attribute $1_file_type;
@ -16052,7 +16101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	files_type($2)
 ')
-@@ -1894,10 +1989,46 @@
+@@ -1894,10 +1991,46 @@
 template(`userdom_manage_user_home_content_dirs',`
 	gen_require(`
 		type $1_home_dir_t, $1_home_t;
@ -16100,7 +16149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -3078,7 +3209,7 @@
+@@ -3078,7 +3211,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
@ -16109,7 +16158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4609,11 +4740,29 @@
+@@ -4609,11 +4742,29 @@
 #
 interface(`userdom_search_all_users_home_dirs',`
 	gen_require(`
@ -16140,7 +16189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -4633,6 +4782,14 @@
+@@ -4633,6 +4784,14 @@
 	files_list_home($1)
 	allow $1 home_dir_type:dir list_dir_perms;
@ -16155,7 +16204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5323,7 +5480,7 @@
+@@ -5323,7 +5482,7 @@
 		attribute user_tmpfile;
 	')
@ -16164,7 +16213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5559,3 +5716,380 @@
+@@ -5559,3 +5718,380 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -16932,8 +16981,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/users/guest.te	2007-10-12 12:03:20.000000000 -0400
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,13 @@
 +policy_module(guest,1.0.0)
 +userdom_unpriv_login_user(guest)
 +userdom_unpriv_login_user(gadmin)
@ -16943,6 +16992,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t
 +optional_policy(`
 +	hal_dbus_chat(xguest_t)
 +')
 +
 +optional_policy(`
 +	bluetooth_dbus_chat(xguest_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.8/policy/modules/users/logadm.fc	2007-10-03 11:10:25.000000000 -0400
@ -17103,21 +17156,53 @@ Binary files nsaserefpolicy/ru/samba_selinux.8.gz and serefpolicy-3.0.8/ru/samba
 Binary files nsaserefpolicy/ru/ypbind_selinux.8.gz and serefpolicy-3.0.8/ru/ypbind_selinux.8.gz differ
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.8/Rules.modular
 --- nsaserefpolicy/Rules.modular	2007-05-25 09:09:10.000000000 -0400
-+++ serefpolicy-3.0.8/Rules.modular	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/Rules.modular	2007-10-12 08:57:13.000000000 -0400
-@@ -219,6 +219,16 @@
+@@ -96,6 +96,9 @@
 	@test -d $(builddir) || mkdir -p $(builddir)
 	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
- ########################################
+ifneq "$(UNK_PERMS)" ""
 +$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
 +endif
 $(base_mod): $(base_conf)
 	@echo "Compiling $(NAME) base module"
 	$(verbose) $(CHECKMODULE) $^ -o $@
@@ -144,6 +147,7 @@
 $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
 $(tmpdir)/rolemap.conf: $(rolemap)
 +	$(verbose) echo "" > $@
 	$(call parse-rolemap,base,$@)
 $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.0.8/Rules.monolithic
 --- nsaserefpolicy/Rules.monolithic	2007-05-25 09:09:10.000000000 -0400
 +++ serefpolicy-3.0.8/Rules.monolithic	2007-10-12 08:57:21.000000000 -0400
@@ -63,6 +63,9 @@
 #
-+# Validate File Contexts
+ # Build a binary policy locally
 +#
 +validatefc: $(base_pkg) $(base_fc) 
 +	@echo "Validating file context."
 +	$(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp
 +	$(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc)
 +	@echo "Success."
 +
 +########################################
 +#
 # Clean the sources
 #
- clean:
+ifneq "$(UNK_PERMS)" ""
 +$(polver): CHECKPOLICY += -U $(UNK_PERMS)
 +endif
 $(polver): $(policy_conf)
 	@echo "Compiling $(NAME) $(polver)"
 ifneq ($(pv),$(kv))
@@ -76,6 +79,9 @@
 #
 # Install a binary policy
 #
 +ifneq "$(UNK_PERMS)" ""
 +$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
 +endif
 $(loadpath): $(policy_conf)
 	@mkdir -p $(policypath)
 	@echo "Compiling and installing $(NAME) $(loadpath)"
@@ -127,6 +133,7 @@
 	@echo "divert" >> $@
 $(tmpdir)/rolemap.conf: $(rolemap)
 +	$(verbose) echo "" > $@
 	$(call parse-rolemap,base,$@)
 $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -77,8 +77,8 @@ SELinux Policy development package
 exit 0
 %define setupCmds() \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024  conf \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024  conf \
 cp -f $RPM_SOURCE_DIR/modules-%1.conf  ./policy/modules.conf \
 cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
@ -86,10 +86,10 @@ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
 awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
 %define installCmds() \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
+make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
 #%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active \
@ -192,24 +192,24 @@ make clean
 %if %{BUILD_TARGETED}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds targeted mcs n y
+%setupCmds targeted mcs n y allow
-%installCmds targeted mcs n y
+%installCmds targeted mcs n y allow
 %endif
 %if %{BUILD_MLS}
 # Build mls policy
-%setupCmds mls mls n y
+%setupCmds mls mls n y deny
-%installCmds mls mls n y 
+%installCmds mls mls n y deny
 %endif
 %if %{BUILD_OLPC}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-%setupCmds olpc mcs n y
+%setupCmds olpc mcs n y allow
-%installCmds olpc mcs n y
+%installCmds olpc mcs n y allow
 %endif
-make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
@ -371,6 +371,10 @@ exit 0
 %endif
 %changelog
 * Fri Oct 12 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-22
 - Pass the UNK_PERMS param to makefile
 - Fix gdm location
 * Wed Oct 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-21
 - Make alsa work