- Dontaudit binds to ports < 1024 for named

- Upgrade to latest upstream

policy-20090105.patch

@@ -5392,7 +5392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.11/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if	2009-04-06 12:59:54.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if	2009-04-07 07:25:16.000000000 -0400
 @@ -1197,6 +1197,26 @@
  	')
  
@@ -10869,7 +10869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.11/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/services/devicekit.te	2009-04-06 12:59:54.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/services/devicekit.te	2009-04-07 07:01:32.000000000 -0400
 @@ -0,0 +1,211 @@
 +policy_module(devicekit,1.0.0)
 +
@@ -11019,7 +11019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# DeviceKit disk local policy
 +#
 +
-+allow devicekit_disk_t self:capability sys_nice;
++allow devicekit_disk_t self:capability { sys_nice sys_ptrace };
 +
 +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 +
@@ -18331,7 +18331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	ccs_read_config(ricci_modstorage_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.11/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.11/policy/modules/services/rpc.te	2009-04-06 15:25:10.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/services/rpc.te	2009-04-07 07:27:16.000000000 -0400
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -18341,7 +18341,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  rpc_domain_template(gssd)
  
-@@ -141,6 +141,7 @@
+@@ -79,16 +79,25 @@
+ fs_read_rpc_symlinks(rpcd_t)
+ fs_rw_rpc_sockets(rpcd_t) 
+ 
++kernel_signal(rpcd_t) 
++
+ selinux_dontaudit_read_fs(rpcd_t)
+ 
+ miscfiles_read_certs(rpcd_t)
+ 
+ seutil_dontaudit_search_config(rpcd_t)
+ 
++userdom_signal_unpriv_users(rpcd_t)
++
+ optional_policy(`
+ 	nis_read_ypserv_config(rpcd_t)
+ ')
+ 
++optional_policy(`
++	unconfined_execmem_signal(rpcd_t)
++	unconfined_signal(rpcd_t)
++')
++
+ ########################################
+ #
+ # NFSD local policy
+@@ -141,6 +150,7 @@
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
  ')
@@ -18349,7 +18375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
-@@ -183,9 +184,12 @@
+@@ -183,9 +193,12 @@
  files_read_usr_symlinks(gssd_t) 
  
  auth_use_nsswitch(gssd_t)
@@ -26803,7 +26829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.11/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/system/unconfined.if	2009-04-06 12:59:54.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/system/unconfined.if	2009-04-07 07:26:40.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -26879,7 +26905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -367,6 +374,24 @@
+@@ -367,6 +374,42 @@
  
  ########################################
  ## <summary>
@@ -26900,11 +26926,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +########################################
++## <summary>
++##	Send a signal to the unconfined execmem domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_execmem_signal',`
++	gen_require(`
++		type unconfined_execmem_t;
++	')
++
++	allow $1 unconfined_execmem_t:process signal;
++')
++
++########################################
 +## <summary>
  ##	Send generic signals to the unconfined domain.
  ## </summary>
  ## <param name="domain">
-@@ -458,6 +483,25 @@
+@@ -458,6 +501,25 @@
  
  ########################################
  ## <summary>
@@ -26930,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Connect to the unconfined domain using
  ##	a unix domain stream socket.
  ## </summary>
-@@ -581,3 +625,150 @@
+@@ -581,3 +643,150 @@
  
  	allow $1 unconfined_t:dbus acquire_svc;
  ')
@@ -27460,7 +27504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.11/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.11/policy/modules/system/userdomain.if	2009-04-06 12:59:54.000000000 -0400
++++ serefpolicy-3.6.11/policy/modules/system/userdomain.if	2009-04-07 07:23:04.000000000 -0400
 @@ -30,8 +30,9 @@
  	')