trunk: su fixes from clip.

Changelog

@@ -1,3 +1,4 @@
+- Several fixes from the CLIP project.
 - Add support for labeled Booleans.
 - Remove node definitions and change node usage to generic nodes.
 - Add kernel_service access vectors, from Stephen Smalley.

policy/modules/admin/su.if

@@ -90,6 +90,15 @@ template(`su_restricted_domain_template', `
 
 	miscfiles_read_localization($1_su_t)
 
+	ifdef(`distro_redhat',`
+		# RHEL5 and possibly newer releases incl. Fedora
+		auth_domtrans_upd_passwd($1_su_t)
+
+		optional_policy(`
+			locallogin_search_keys($1_su_t)
+		')
+	')
+
 	ifdef(`distro_rhel4',`
 		domain_role_change_exemption($1_su_t)
 		domain_subj_id_change_exemption($1_su_t)
@@ -218,6 +227,15 @@ template(`su_role_template',`
 	userdom_use_user_terminals($1_su_t)
 	userdom_search_user_home_dirs($1_su_t)
 
+	ifdef(`distro_redhat',`
+		# RHEL5 and possibly newer releases incl. Fedora
+		auth_domtrans_upd_passwd($1_su_t)
+
+		optional_policy(`
+			locallogin_search_keys($1_su_t)
+		')
+	')
+
 	ifdef(`distro_rhel4',`
 		domain_role_change_exemption($1_su_t)
 		domain_subj_id_change_exemption($1_su_t)

policy/modules/admin/su.te

@@ -1,5 +1,5 @@
 
-policy_module(su, 1.9.0)
+policy_module(su, 1.9.1)
 
 ########################################
 #