From af0084d92b45998357880e1ac653ac483801056f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 10 Mar 2008 20:16:22 +0000 Subject: [PATCH] - Additional changes for MLS policy --- policy-20071130.patch | 982 +++++++++++++++++++++++++++--------------- 1 file changed, 623 insertions(+), 359 deletions(-) diff --git a/policy-20071130.patch b/policy-20071130.patch index 29972b4c..fde4db6c 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2050,7 +2050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.3.1/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/rpm.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/rpm.if 2008-03-09 08:33:16.000000000 -0400 @@ -152,6 +152,24 @@ ######################################## @@ -2076,10 +2076,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Send and receive messages from ## rpm over dbus. ## -@@ -173,6 +191,27 @@ +@@ -173,6 +191,48 @@ ######################################## ## ++## dontaudit attempts to Send and receive messages from ++## rpm over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_dontaudit_dbus_chat',` ++ gen_require(` ++ type rpm_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 rpm_t:dbus send_msg; ++ dontaudit rpm_t $1:dbus send_msg; ++') ++ ++######################################## ++## +## Send and receive messages from +## rpm_script over dbus. +## @@ -2104,7 +2125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Create, read, write, and delete the RPM log. ## ## -@@ -210,6 +249,24 @@ +@@ -210,6 +270,24 @@ ######################################## ## 
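Review bot: The second rule in the new `rpm_dontaudit_dbus_chat`, `dontaudit rpm_t $1:dbus send_msg;`, alters the audit behaviour of rpm_t itself, not only of the calling domain, so a failed attempt by an rpm scriptlet to message $1 will also disappear from the audit log; the interface summary only speaks of attempts "from rpm". Suggest making the description explicit, e.g. `## Do not audit attempts by the domain to send dbus messages to rpm, or by rpm to send dbus messages to the domain.`, so policy authors know they are also quieting a privileged domain. Remember that dontaudit rules are masked until `semodule -DB` is run, which matters when an installer-triggered dbus failure has to be debugged later.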
@@ -2129,7 +2150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Create, read, write, and delete RPM ## script temporary files. ## -@@ -225,7 +282,29 @@ +@@ -225,7 +303,29 @@ ') files_search_tmp($1) @@ -2159,7 +2180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -289,3 +368,157 @@ +@@ -289,3 +389,157 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -5055,7 +5076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-04 14:46:08.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-10 14:36:14.000000000 -0400 @@ -0,0 +1,344 @@ + +## policy for nsplugin @@ -5272,7 +5293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + nsplugin_use($1, $2) + + optional_policy(` -+ xserver_common_app_template($2, nsplugin_t) ++ xserver_common_app_to_user($2, nsplugin_t) + ') + + role $3 types nsplugin_t; 
@@ -5403,8 +5424,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-04 10:03:36.000000000 -0500 -@@ -0,0 +1,154 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-10 14:35:49.000000000 -0400 +@@ -0,0 +1,166 @@ + +policy_module(nsplugin,1.0.0) + @@ -5471,6 +5492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +dev_read_rand(nsplugin_t) +dev_read_sound(nsplugin_t) ++dev_write_sound(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) @@ -5495,6 +5517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +miscfiles_manage_home_fonts(nsplugin_t) + +userdom_read_user_home_content_files(user, nsplugin_t) ++userdom_read_user_tmp_files(user, nsplugin_t) +userdom_write_user_tmp_sockets(user, nsplugin_t) +userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t) + @@ -5503,6 +5526,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + +optional_policy(` ++ gnome_exec_gconf(nsplugin_t) ++') ++ ++optional_policy(` + mozilla_read_user_home_files(user, nsplugin_t) + mozilla_write_user_home_files(user, nsplugin_t) +') @@ -5511,6 +5538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + xserver_stream_connect_xdm_xserver(nsplugin_t) + xserver_xdm_rw_shm(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) ++ xserver_read_user_xauth(user, nsplugin_t) +') + +######################################## 
@@ -5519,16 +5547,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +# + +allow nsplugin_config_t self:capability { sys_nice setuid setgid }; -+allow nsplugin_config_t self:process { setsched getsched execmem }; ++allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; +allow nsplugin_t self:sem create_sem_perms; +allow nsplugin_t self:shm create_shm_perms; ++allow nsplugin_t self:msgq create_msgq_perms; + +allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t) +manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t) -+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir }) ++manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t) ++files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file }) + +can_exec(nsplugin_config_t, nsplugin_rw_t) +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) @@ -5559,6 +5589,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +userdom_search_all_users_home_content(nsplugin_config_t) + +nsplugin_domtrans(nsplugin_config_t) ++ ++allow nsplugin_t user_home_t:dir { write read }; ++allow nsplugin_t user_home_t:file write; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.3.1/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/apps/screen.fc 2008-02-26 08:29:22.000000000 -0500 
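Review bot: The two rules appended at the end of nsplugin.te, `allow nsplugin_t user_home_t:dir { write read };` and `allow nsplugin_t user_home_t:file write;`, give the browser plugin domain raw write access to every generic user_home_t file, bypassing the nsplugin_home_t/nsplugin_rw_t types this module defines for exactly that purpose. If shell rc files and similar dotfiles carry user_home_t under this policy (not visible here), a compromised plugin could modify them and run code as the user at next login, which largely defeats confining nsplugin_t at all. The rules also look audit2allow-derived: `dir write` without `add_name`/`remove_name` cannot actually create or unlink entries, and they sit under the nsplugin_config_t section with no comment. Suggest labelling the paths the plugin really needs as nsplugin_home_t, or at minimum wrapping these in a `tunable_policy` boolean and a `userdom_*` interface instead of a raw cross-module type, with a comment naming the application that required it.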
@@ -10430,7 +10463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-02-26 10:37:39.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-03-10 13:34:57.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -10470,7 +10503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) -@@ -47,16 +57,33 @@ +@@ -47,16 +57,37 @@ auth_use_nsswitch(consolekit_t) @@ -10491,23 +10524,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + +hal_ptrace(consolekit_t) +mcs_ptrace_all(consolekit_t) ++ ++optional_policy(` ++ cron_read_system_job_lib_files(consolekit_t) ++') + optional_policy(` - dbus_system_bus_client_template(consolekit, consolekit_t) - dbus_connect_system_bus(consolekit_t) -+ cron_read_system_job_lib_files(consolekit_t) -+') - -- hal_dbus_chat(consolekit_t) -+optional_policy(` + dbus_system_domain(consolekit_t, consolekit_exec_t) + optional_policy(` + hal_dbus_chat(consolekit_t) ++ ') + +- hal_dbus_chat(consolekit_t) ++ optional_policy(` ++ rpm_dbus_chat(consolekit_t) + ') optional_policy(` unconfined_dbus_chat(consolekit_t) -@@ -64,6 +91,33 @@ +@@ -64,6 +95,33 @@ ') optional_policy(` @@ -10519,7 +10556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons xserver_read_all_users_xauth(consolekit_t) xserver_stream_connect_xdm_xserver(consolekit_t) + xserver_ptrace_xdm(consolekit_t) -+') + ') + +optional_policy(` + #reading .Xauthity 
@@ -10534,7 +10571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_list_nfs(consolekit_t) + fs_dontaudit_rw_nfs_files(consolekit_t) - ') ++') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_list_cifs(consolekit_t) 
@@ -11199,8 +11236,65 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.3.1/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cups.if 2008-02-26 08:29:22.000000000 -0500 -@@ -247,3 +247,102 @@ ++++ serefpolicy-3.3.1/policy/modules/services/cups.if 2008-03-10 12:18:38.000000000 -0400 +@@ -20,6 +20,30 @@ + + ######################################## + ## ++## Setup cups to transtion to the cups backend domain ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`cups_backend',` ++ gen_require(` ++ type cupsd_t; ++ ') ++ ++ domtrans_pattern(cupsd_t,$2, $1) ++ ++ allow cupsd_t $1:process signal; ++ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; ++ ++ cups_read_config($1) ++ cups_append_log($1) ++') ++ ++######################################## ++## + ## Connect to cupsd over an unix domain stream socket. + ## + ## +@@ -212,6 +236,25 @@ + + ######################################## + ## ++## Append cups log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cups_append_log',` ++ gen_require(` ++ type cupsd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, cupsd_log_t, cupsd_log_t) ++') ++ ++######################################## ++## + ## Write cups log files. + ## + ## +@@ -247,3 +290,102 @@ files_search_pids($1) stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t) ') 
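Review bot: `cups_backend` takes two arguments, the backend domain `$1` and its entrypoint type `$2` (used as `domtrans_pattern(cupsd_t,$2, $1)`), but the XML header documents a single `domain` parameter described as "The type of the process performing this action", which matches neither. Suggest two `<param>` blocks, `Domain to transition to when cupsd executes the backend.` for `$1` and `The type of the backend executable.` for `$2`, and fixing the summary typo `transtion`. It is also worth stating in the summary that the interface additionally grants the backend read on cups configuration, append on cupsd_log_t and rw on the inherited cupsd_t unix stream socket, since a caller choosing this over a plain domtrans should know what else it receives.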
@@ -11305,8 +11399,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-03-04 10:00:21.000000000 -0500 -@@ -43,14 +43,12 @@ ++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-03-10 12:08:24.000000000 -0400 +@@ -43,14 +43,13 @@ type cupsd_var_run_t; files_pid_file(cupsd_var_run_t) @@ -11318,12 +11412,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups - -type hplip_etc_t; -files_config_file(hplip_etc_t) -+domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t) ++# For CUPS to run as a backend ++cups_backend(hplip_t, hplip_exec_t) +domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t) type hplip_var_run_t; files_pid_file(hplip_var_run_t) -@@ -65,12 +63,17 @@ +@@ -65,12 +64,17 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) @@ -11341,7 +11436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') ######################################## -@@ -79,13 +82,14 @@ +@@ -79,13 +83,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) @@ -11359,7 +11454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -104,7 +108,7 @@ +@@ -104,7 +109,7 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) 
@@ -11368,7 +11463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) -@@ -116,13 +120,19 @@ +@@ -116,13 +121,19 @@ manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -11390,7 +11485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) -@@ -149,32 +159,35 @@ +@@ -149,32 +160,35 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -11430,7 +11525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) -@@ -186,7 +199,7 @@ +@@ -186,7 +200,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -11439,7 +11534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +208,15 @@ +@@ -195,15 +209,15 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -11459,7 +11554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +232,22 @@ +@@ -219,17 +233,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -11484,7 +11579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -242,12 +260,21 @@ +@@ -242,12 +261,21 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) 
@@ -11506,7 +11601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -263,6 +290,10 @@ +@@ -263,6 +291,10 @@ ') optional_policy(` @@ -11517,7 +11612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -326,6 +357,7 @@ +@@ -326,6 +358,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -11525,7 +11620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -353,6 +385,7 @@ +@@ -353,6 +386,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -11533,7 +11628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_dontaudit_search_config(cupsd_config_t) -@@ -372,6 +405,10 @@ +@@ -372,6 +406,10 @@ ') optional_policy(` @@ -11544,7 +11639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -387,6 +424,7 @@ +@@ -387,6 +425,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -11552,7 +11647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -499,14 +537,12 @@ +@@ -499,15 +538,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; 
@@ -11560,18 +11655,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +allow hplip_t cupsd_etc_t:dir search_dir_perms; cups_stream_connect(hplip_t) -- + -allow hplip_t hplip_etc_t:dir list_dir_perms; -read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) -read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) -files_search_etc(hplip_t) -+# For CUPS to run as a backend -+allow cupsd_t hplip_t:process signal; -+allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms; - +- manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -537,14 +573,14 @@ + +@@ -537,14 +571,14 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -11588,10 +11681,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) -@@ -565,6 +601,7 @@ +@@ -564,7 +598,8 @@ + userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) - lpd_read_config(cupsd_t) +-lpd_read_config(cupsd_t) ++lpd_read_config(hplip_t) +lpd_manage_spool(hplip_t) optional_policy(` @@ -14156,7 +14251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-03-10 09:28:37.000000000 -0400 @@ -0,0 +1,51 @@ +policy_module(gnomeclock,1.0.0) +######################################## 
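Review bot: In the hplip hunk, changing `lpd_read_config(cupsd_t)` to `lpd_read_config(hplip_t)` corrects the misplaced rule but also silently removes the lpd configuration read from cupsd_t; nothing else in view grants it, so if cupsd_t relied on it, printing through an lpd-style backend would start producing denials on lpd's configuration type. Suggest either keeping an explicit `lpd_read_config(cupsd_t)` in the cupsd_t section or saying in the commit message that the cupsd_t grant was unintended. Separately, now that `cups_backend(hplip_t, hplip_exec_t)` pulls in `cups_read_config(hplip_t)`, the retained `allow hplip_t cupsd_etc_t:dir search_dir_perms;` in the preceding hunk is redundant and can be dropped, removing a raw type reference from the hplip rules.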
@@ -14173,7 +14268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom +# +# gnomeclock local policy +# -+allow gnomeclock_t self:capability sys_time; ++allow gnomeclock_t self:capability { sys_nice sys_time }; +allow gnomeclock_t self:process getsched; + +# internal communication is often done using fifo and unix sockets. @@ -14951,8 +15046,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern +/etc/rc.d/init.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.3.1/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/kerneloops.if 2008-02-26 08:29:22.000000000 -0500 -@@ -0,0 +1,104 @@ ++++ serefpolicy-3.3.1/policy/modules/services/kerneloops.if 2008-03-09 08:34:14.000000000 -0400 +@@ -0,0 +1,125 @@ + +## policy for kerneloops + @@ -15017,6 +15112,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern + +######################################## +## ++## dontaudit attempts to Send and receive messages from ++## kerneloops over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kerneloops_dontaudit_dbus_chat',` ++ gen_require(` ++ type kerneloops_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 kerneloops_t:dbus send_msg; ++ dontaudit kerneloops_t $1:dbus send_msg; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an kerneloops environment +## 
@@ -21013,8 +21129,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +/etc/rc.d/init.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.3.1/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-09-04 15:22:23.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.if 2008-02-26 08:29:22.000000000 -0500 -@@ -16,8 +16,8 @@ ++++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.if 2008-03-10 11:51:45.000000000 -0400 +@@ -16,14 +16,13 @@ ') files_search_pids($1) @@ -21025,9 +21141,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr ') ######################################## -@@ -39,3 +39,74 @@ - dontaudit $1 setroubleshoot_var_run_t:sock_file write; + ## +-## Dontaudit attempts to connect to setroubleshootd +-## over an unix stream socket. ++## dontaudit attempts to connect to setroubleshootd over an unix stream socket. + ## + ## + ## +@@ -36,6 +35,77 @@ + type setroubleshootd_t, setroubleshoot_var_run_t; + ') + +- dontaudit $1 setroubleshoot_var_run_t:sock_file write; dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; ++ dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; ') + +######################################## 
@@ -23256,7 +23383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-06 17:09:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-10 14:41:25.000000000 -0400 @@ -12,9 +12,15 @@ ## ## @@ -23577,15 +23704,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - allow $1_xauth_t self:process signal; - allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; -- ++ domtrans_pattern($2, xauth_exec_t, xauth_t) + - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file) - - manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) -+ domtrans_pattern($2, xauth_exec_t, xauth_t) - +- - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) - - allow $2 $1_xauth_t:process signal; @@ -23599,10 +23726,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) +- +- domain_use_interactive_fds($1_xauth_t) + ps_process_pattern($2,xauth_t) -- domain_use_interactive_fds($1_xauth_t) -- - files_read_etc_files($1_xauth_t) - files_search_pids($1_xauth_t) - 
@@ -23652,42 +23779,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # allow ps to show iceauth - ps_process_pattern($2,$1_iceauth_t) + ps_process_pattern($2,iceauth_t) - -- allow $2 $1_iceauth_home_t:file manage_file_perms; -- allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; ++ + allow $2 user_iceauth_home_t:file manage_file_perms; + allow $2 user_iceauth_home_t:file { relabelfrom relabelto }; -- allow xdm_t $1_iceauth_home_t:file read_file_perms; +- allow $2 $1_iceauth_home_t:file manage_file_perms; +- allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; + userdom_use_user_terminals($1,iceauth_t) -- fs_search_auto_mountpoints($1_iceauth_t) +- allow xdm_t $1_iceauth_home_t:file read_file_perms; + optional_policy(` + xserver_read_user_iceauth($1, $2) + ') -- libs_use_ld_so($1_iceauth_t) -- libs_use_shared_libs($1_iceauth_t) +- fs_search_auto_mountpoints($1_iceauth_t) + ############################## + # + # User X object manager local policy + # -- userdom_use_user_terminals($1,$1_iceauth_t) +- libs_use_ld_so($1_iceauth_t) +- libs_use_shared_libs($1_iceauth_t) + # Device rules + allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell }; +- userdom_use_user_terminals($1,$1_iceauth_t) ++ allow $2 { input_xevent_t }:x_event send; ++ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; + - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_iceauth_t) - ') -+ allow $2 { input_xevent_t }:x_event send; -+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; ++ mls_xwin_read_to_clearance($2) - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_iceauth_t) - ') -+ mls_xwin_read_to_clearance($2) -+ + xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t) ') 
@@ -23720,7 +23847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +540,474 @@ +@@ -542,25 +540,540 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; 
@@ -23870,13 +23997,189 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + attribute xdm_x_domain; + ') + ++ allow $1 self:x_cursor { create use setattr }; ++ allow $1 self:x_drawable { write getattr read destroy create add_child }; ++ allow $1 self:x_gc { destroy create use setattr }; ++ allow $1 self:x_resource { write read }; ++ ++ allow $1 xevent_type:x_event receive; ++ ++ allow $1 std_xext_t:x_extension query; ++ allow $1 x_rootwindow_t:x_drawable { get_property getattr }; ++ ++ ++ # Hacks ++ # everyone can get the input focus of everyone else ++ # this is a fundamental brokenness in the X protocol ++ allow $1 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab force_cursor }; ++ ++ allow $1 { x_domain xserver_unconfined_type }:x_drawable { receive get_property set_property setattr send }; ++ allow $1 { x_domain xserver_unconfined_type }:x_event receive; ++ ++ tunable_policy(`allow_read_x_device',` ++ allow $1 { x_domain x_server_domain }:x_device read; ++ ') ++ ++ # everyone can grab the server ++ # everyone does it, it is basically a free DOS attack ++ allow $1 x_server_domain:x_server grab; ++ # everyone can get the font path, etc. ++ # this could leak out sensitive information ++ allow $1 x_server_domain:x_server { getattr manage }; ++ # everyone can do override-redirect windows. 
++ # this could be used to spoof labels ++ allow $1 $1:x_drawable override; ++ # everyone can receive management events on the root window ++ # allows to know when new windows appear, among other things ++ allow $1 manage_xevent_t:x_event receive; ++ ++ allow $1 accelgraphics_xext_t:x_extension use; ++ ++ # X Server ++ # can read server-owned resources ++ allow $1 x_server_domain:x_resource read; ++ # can mess with own clients ++ allow $1 $1:x_client { manage destroy }; ++ ++ # X Protocol Extensions ++ allow $1 std_xext_t:x_extension { use }; ++ allow $1 shmem_xext_t:x_extension { use }; ++ allow $1 xextension_type:x_extension query; ++ ++ # X Properties ++ # can read and write client properties ++ allow $1 $1:x_property { create destroy read write }; ++ allow $1 default_xproperty_t:x_property { read write destroy create }; ++ allow $1 output_xext_t:x_extension { use }; ++ allow $1 output_xext_t:x_property read; ++ allow $1 xserver_unconfined_type:x_property read; ++ ++# type_transition $2_t default_xproperty_t:x_property $2_t; ++ # can read and write cut buffers ++ allow $1 clipboard_xproperty_t:x_property { create read write }; ++ # can read/write info properties ++ allow $1 info_xproperty_t:x_property { read write }; ++ ++ # can change properties of root window ++ allow $1 x_rootwindow_t:x_drawable { list_property get_property set_property }; ++ # can change properties of own windows ++ allow $1 $1:x_drawable { list_property get_property set_property }; ++ ++ # X Windows ++ # operations allowed on root windows ++ allow $1 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive read write manage setattr show override destroy create hide }; ++ ++ # operations allowed on my windows ++ allow $1 $1:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; ++ ++ # X Colormaps ++ # can use the default colormap ++ allow $1 x_rootcolormap_t:x_colormap { read use add_color install 
uninstall }; ++ ++ allow $1 $1:x_client destroy; ++ allow $1 $1:x_drawable { receive get_property getattr list_child }; ++ ++ # X Input ++ # can receive own events ++ allow $1 input_xevent_t:{ x_event x_synthetic_event } receive; ++ allow $1 $1:{ x_event x_synthetic_event } { send receive }; ++ allow $1 default_xevent_t:x_event receive; ++ ++ # can receive certain root window events ++ allow $1 focus_xevent_t:x_event receive; ++ allow $1 property_xevent_t:x_event receive; ++ allow $1 client_xevent_t:x_synthetic_event receive; ++ allow $1 manage_xevent_t:x_synthetic_event receive; ++ # can send ICCCM events to myself ++ allow $1 $1:x_synthetic_event send; ++ # can send ICCCM events to the root window ++ allow $1 manage_xevent_t:x_synthetic_event send; ++ allow $1 client_xevent_t:x_synthetic_event send; ++ ++ # X Selections ++ # can use the clipboard ++ allow $1 clipboard_xselection_t:x_selection { getattr setattr read }; ++ # can query all other selections ++ allow $1 default_xselection_t:x_selection { getattr setattr read }; ++ ++ # Other X Objects ++ # can create and use cursors ++ allow $1 $1:x_cursor *; ++ # can create and use graphics contexts ++ allow $1 $1:x_gc *; ++ # can create and use colormaps ++ allow $1 $1:x_colormap *; ++ # can read and write own objects ++ allow $1 $1:x_resource { read write }; ++ ++ allow $1 screensaver_xext_t:x_extension { use }; ++ allow $1 unknown_xext_t:x_extension { use }; ++ ++ allow $1 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr }; ++ ++ allow $1 disallowed_xext_t:x_extension { use }; ++ ++ allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr }; ++ allow $1 xdm_xserver_t:x_resource read; ++ allow $1 xdm_xserver_t:x_server grab; ++ ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on an X Application ++## Provides the minimal set required by a basic X client application. ++## ++## ++## ++## The X user domain (e.g., user_t). 
++## ++## ++## ++## ++## Client domain allowed access. ++## ++## ++# ++template(`xserver_common_app_to_user',` ++ gen_require(` ++ type x_rootwindow_t, x_rootcolormap_t, std_xext_t, shmem_xext_t; ++ type default_xproperty_t, info_xproperty_t, clipboard_xproperty_t; ++ type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; ++ type default_xevent_t, client_xevent_t; ++ type clipboard_xselection_t, default_xselection_t; ++ type screensaver_xext_t, unknown_xext_t, x_rootscreen_t; ++ type disallowed_xext_t; ++ type output_xext_t; ++ ++ attribute x_server_domain, x_domain; ++ attribute xproperty_type; ++ attribute xevent_type, xextension_type; ++ class x_drawable all_x_drawable_perms; ++ class x_screen all_x_screen_perms; ++ class x_gc all_x_gc_perms; ++ class x_font all_x_font_perms; ++ class x_colormap all_x_colormap_perms; ++ class x_property all_x_property_perms; ++ class x_selection all_x_selection_perms; ++ class x_cursor all_x_cursor_perms; ++ class x_client all_x_client_perms; ++ class x_device all_x_device_perms; ++ class x_server all_x_server_perms; ++ class x_extension all_x_extension_perms; ++ class x_resource all_x_resource_perms; ++ class x_event all_x_event_perms; ++ class x_synthetic_event all_x_synthetic_event_perms; ++ ++ attribute xdm_x_domain; ++ ') ++ ++ xserver_common_app_template($2) ++ + allow $2 $1:x_drawable { hide setattr show receive create manage add_child write read getattr remove_child list_child destroy set_property }; + allow $2 $1:x_event receive; + allow $2 $1:x_synthetic_event receive; + allow $1 $2:x_property read; -+ -+ allow $2 std_xext_t:x_extension query; -+ allow $2 x_rootwindow_t:x_drawable { get_property getattr }; +') + +####################################### 
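Review bot: `xserver_common_app_template` is documented as "the minimal set required by a basic X client application", but its body grants well beyond that: `allow $1 disallowed_xext_t:x_extension { use };` lets every common client use the extension type whose name says it must not be used, `allow $1 { x_domain xserver_unconfined_type }:x_drawable { receive get_property set_property setattr send }` broadens the former `receive` to sending events to and setting properties on every other client's windows, and `allow $1 x_server_domain:x_server { getattr manage }` is flagged in its own comment as a possible information leak. For a change whose stated purpose is MLS, these rules appear to collapse the inter-client separation the XACE labelling is meant to provide, so each should carry a justification comment, and the disallowed-extension line looks like an audit2allow leftover that should be removed or turned into a dontaudit. The `xserver_common_app_to_user` gen_require also lists many types and classes its body no longer touches now that it delegates to `xserver_common_app_template($2)` (e.g. `class x_font all_x_font_perms;`, `x_rootcolormap_t`); trimming it to `x_drawable`, `x_event`, `x_synthetic_event` and `x_property` keeps the interface honest about its dependencies.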
@@ -23963,125 +24266,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # Local Policy + # + -+ # Hacks -+ # everyone can get the input focus of everyone else -+ # this is a fundamental brokenness in the X protocol -+ allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab force_cursor }; -+ -+ allow $3 { x_domain xserver_unconfined_type }:x_drawable receive; -+ allow $3 { x_domain xserver_unconfined_type }:x_event receive; -+ -+ tunable_policy(`allow_read_x_device',` -+ allow $3 { x_domain x_server_domain }:x_device read; -+ ') -+ -+ # everyone can grab the server -+ # everyone does it, it is basically a free DOS attack -+ allow $3 x_server_domain:x_server grab; -+ # everyone can get the font path, etc. -+ # this could leak out sensitive information -+ allow $3 x_server_domain:x_server { getattr manage }; -+ # everyone can do override-redirect windows. -+ # this could be used to spoof labels -+ allow $3 $3:x_drawable override; -+ # everyone can receive management events on the root window -+ # allows to know when new windows appear, among other things -+ allow $3 manage_xevent_t:x_event receive; -+ -+ allow $3 accelgraphics_xext_t:x_extension use; -+ -+ # X Server -+ # can read server-owned resources -+ allow $3 x_server_domain:x_resource read; -+ # can mess with own clients -+ allow $3 $3:x_client { manage destroy }; -+ -+ # X Protocol Extensions -+ allow $3 std_xext_t:x_extension { use }; -+ allow $3 shmem_xext_t:x_extension { use }; -+ allow $3 xextension_type:x_extension query; -+ -+ # X Properties -+ # can read and write client properties -+ allow $3 $3:x_property { create destroy read write }; -+ allow $3 default_xproperty_t:x_property { read write destroy create }; -+ allow $3 output_xext_t:x_extension { use }; -+ allow $3 output_xext_t:x_property read; -+ -+ type_transition $2_t default_xproperty_t:x_property $2_t; -+ # can read and write cut buffers -+ allow $3 
clipboard_xproperty_t:x_property { create read write }; -+ # can read/write info properties -+ allow $3 info_xproperty_t:x_property { read write }; -+ -+ # can change properties of root window -+ allow $3 x_rootwindow_t:x_drawable { list_property get_property set_property }; -+ # can change properties of own windows -+ allow $3 $3:x_drawable { list_property get_property set_property }; -+ -+ # X Windows -+ # operations allowed on root windows -+ allow $3 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive read write manage setattr show override destroy create hide }; -+ -+ # operations allowed on my windows -+ allow $3 $3:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; -+ type_transition $2_t x_rootwindow_t:x_drawable $2_t; -+ -+ # X Colormaps -+ # can use the default colormap -+ allow $3 x_rootcolormap_t:x_colormap { read use add_color install uninstall }; -+ -+ allow $3 $3:x_client destroy; -+ allow $3 $3:x_drawable { receive get_property getattr list_child }; -+ -+ # X Input -+ # can receive own events -+ allow $3 input_xevent_t:{ x_event x_synthetic_event } receive; -+ allow $3 $3:{ x_event x_synthetic_event } { send receive }; -+ + type_transition $2_t input_xevent_t:x_event $2_t; + type_transition $2_t property_xevent_t:x_event $2_t; + type_transition $2_t focus_xevent_t:x_event $2_t; + type_transition $2_t manage_xevent_t:x_event $2_t; + type_transition $2_t default_xevent_t:x_event $2_t; + -+ allow $3 default_xevent_t:x_event receive; -+ + type_transition $2_t client_xevent_t:x_event $2_t; + -+ # can receive certain root window events -+ allow $3 focus_xevent_t:x_event receive; -+ allow $3 property_xevent_t:x_event receive; -+ allow $3 client_xevent_t:x_synthetic_event receive; -+ allow $3 manage_xevent_t:x_synthetic_event receive; -+ # can send ICCCM events to myself -+ allow $3 $3:x_synthetic_event send; -+ # can send ICCCM events to the root window -+ 
allow $3 manage_xevent_t:x_synthetic_event send; -+ allow $3 client_xevent_t:x_synthetic_event send; -+ -+ # X Selections -+ # can use the clipboard -+ allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -+ # can query all other selections -+ allow $3 default_xselection_t:x_selection { getattr setattr read }; -+ -+ # Other X Objects -+ # can create and use cursors -+ allow $3 $3:x_cursor *; -+ # can create and use graphics contexts -+ allow $3 $3:x_gc *; -+ # can create and use colormaps -+ allow $3 $3:x_colormap *; -+ # can read and write own objects -+ allow $3 $3:x_resource { read write }; -+ -+ allow $3 screensaver_xext_t:x_extension { use }; -+ allow $3 unknown_xext_t:x_extension { use }; -+ -+ allow $3 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr }; -+ -+ allow $3 disallowed_xext_t:x_extension { use }; ++ xserver_common_app_template($3) + + tunable_policy(`! xserver_object_manager',` + # should be xserver_unconfined($3), @@ -24201,7 +24394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -593,26 +1040,44 @@ +@@ -593,26 +1106,44 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -24253,14 +24446,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +1103,77 @@ +@@ -638,10 +1169,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` - type $1_xauth_t, xauth_exec_t; + type xauth_exec_t, xauth_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + domtrans_pattern($2, xauth_exec_t, xauth_t) +') + @@ -24292,9 +24486,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_xauth',` + gen_require(` + type user_xauth_home_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ ') ++ + allow $2 user_xauth_home_t:file { getattr read }; +') + 
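Review bot: Replacing the inline rules with `xserver_common_app_template($3)` drops several grants that the visible tail of that template does not reproduce, and the hunk does not say whether that narrowing is intended: the removed block gave `$3` `x_device { getfocus setfocus ... }` on `{ x_domain x_server_domain }`, `x_server grab` and `x_server { getattr manage }` on `x_server_domain`, `x_drawable override` and `x_client manage` on itself, `accelgraphics_xext_t:x_extension use`, `xextension_type:x_extension query` and the `allow_read_x_device` tunable, whereas the template lines shown earlier in this chunk limit device, resource and server-grab access to `xdm_xserver_t` and grant only `x_client destroy`. The `type_transition $2_t x_rootwindow_t:x_drawable $2_t;` and `type_transition $2_t default_xproperty_t:x_property $2_t;` rules are removed while the event type_transitions stay, so windows and properties created by `$2_t` may no longer be labelled `$2_t` unless the template's head, which is outside this chunk, carries equivalent rules. If the reduction is the intended MLS hardening, a comment at the call site such as `# device/server access is limited to xdm_xserver_t by xserver_common_app_template` would record it, and if `allow_read_x_device` has no remaining user its declaration should be retired wherever it lives. The enclosing template starts before this hunk.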
@@ -24333,7 +24526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -671,10 +1203,10 @@ +@@ -671,10 +1269,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -24346,7 +24539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1292,7 @@ +@@ -760,7 +1358,7 @@ type xconsole_device_t; ') @@ -24355,7 +24548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1392,25 @@ +@@ -860,6 +1458,25 @@ ######################################## ## @@ -24381,7 +24574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1465,7 @@ +@@ -914,6 +1531,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -24389,7 +24582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1507,24 @@ +@@ -955,6 +1573,24 @@ ######################################## ## @@ -24414,7 +24607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1535,47 @@ +@@ -965,15 +1601,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -24463,7 +24656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1725,7 @@ +@@ -1123,7 +1791,7 @@ type xdm_xserver_tmp_t; ') 
@@ -24472,7 +24665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1914,82 @@ +@@ -1312,3 +1980,83 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -24555,9 +24748,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + typeattribute $1 xserver_unconfined_type; +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-06 15:35:49.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-10 14:23:28.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -24621,6 +24815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +type debug_xext_t, xextension_type; +type default_xevent_t, xevent_type; +type default_xproperty_t, xproperty_type; ++type info_xproperty_t, xproperty_type; +type default_xselection_t, xselection_type; +type disallowed_xext_t, xextension_type; +type focus_xevent_t, xevent_type; @@ -24630,7 +24825,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -application_executable_file(iceauth_exec_t) +application_domain(iceauth_t,iceauth_exec_t) -+type info_xproperty_t, xproperty_type; +type input_xevent_t, xevent_type; +type manage_xevent_t, xevent_type; +type output_xext_t, xextension_type; @@ -24977,7 +25171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +610,138 @@ +@@ -429,47 +610,139 @@ ') optional_policy(` 
@@ -25135,6 +25329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +allow xserver_unconfined_type xextension_type:x_extension *; +allow xserver_unconfined_type { x_domain x_server_domain self }:x_resource *; +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; ++allow xserver_unconfined_type xserver_unconfined_type:x_property *; + +gen_require(` + attribute domain; @@ -25718,7 +25913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f - diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-02-26 14:08:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-03-10 12:24:38.000000000 -0400 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') @@ -25747,7 +25942,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -540,18 +547,19 @@ +@@ -463,11 +470,12 @@ + interface(`init_telinit',` + gen_require(` + type initctl_t; ++ type init_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file rw_fifo_file_perms; +- ++ allow $1 init_t:unix_dgram_socket sendto; + init_exec($1) + ') + +@@ -540,18 +548,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -25771,7 +25980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -567,23 +575,70 @@ +@@ -567,19 +576,66 @@ # interface(`init_domtrans_script',` gen_require(` 
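Review bot: The object side of the new `allow xserver_unconfined_type xserver_unconfined_type:x_property *;` differs from the neighbouring unconfined rules, which name the whole object attribute (`xextension_type`, `xevent_type`) or `{ x_domain x_server_domain self }`, so as written it only covers properties labelled with an unconfined type and, as far as the rules visible here go, leaves unconfined clients unable to act on properties owned by confined `x_domain` members or labelled `default_xproperty_t`. If the narrower scope is deliberate, one comment would stop it being "fixed" later, e.g. `# properties: unconfined types are only unconfined towards each other`; if it is not, the object side should be reconsidered against the pattern of the two lines above it. The surrounding unconfined block starts before this hunk.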
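Review bot: The new `allow $1 init_t:unix_dgram_socket sendto;` in `init_telinit` carries no comment saying which init implementation expects telinit to message init over a datagram socket; the interface previously touched only `initctl_t:fifo_file`, so the line widens what every caller of the interface may do to `init_t`. A one-line comment such as `# newer init accepts telinit commands over a unix datagram socket (TODO: name the implementation)` would keep the rule from being mistaken for a stray grant and removed. Two smaller points: the new `type init_t;` could join the existing `type initctl_t;` on one line, as the other gen_require blocks in this patch list several types together, and the blank line that separated the allow rules from `init_exec($1)` was dropped, which makes this interface's layout differ from its neighbours.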
@@ -25819,11 +26028,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 $2:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -25836,17 +26045,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -609,11 +664,11 @@ + ') + + ######################################## +@@ -609,11 +665,11 @@ # cjp: added for gentoo integrated run_init interface(`init_script_file_domtrans',` gen_require(` @@ -25860,7 +26065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -684,11 +739,11 @@ +@@ -684,11 +740,11 @@ # interface(`init_getattr_script_files',` gen_require(` @@ -25874,7 +26079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -703,11 +758,11 @@ +@@ -703,11 +759,11 @@ # interface(`init_exec_script_files',` gen_require(` @@ -25888,7 +26093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -931,6 +986,7 @@ +@@ -931,6 +987,7 @@ dontaudit $1 initrc_t:unix_stream_socket connectto; ') 
@@ -25896,7 +26101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ######################################## ## ## Send messages to init scripts over dbus. -@@ -1030,11 +1086,11 @@ +@@ -1030,11 +1087,11 @@ # interface(`init_read_script_files',` gen_require(` @@ -25910,7 +26115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1097,6 +1153,25 @@ +@@ -1097,6 +1154,25 @@ ######################################## ## @@ -25936,7 +26141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## Create files in a init script ## temporary data directory. ## -@@ -1252,7 +1327,7 @@ +@@ -1252,7 +1328,7 @@ type initrc_var_run_t; ') @@ -25945,7 +26150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1273,3 +1348,114 @@ +@@ -1273,3 +1349,114 @@ files_search_pids($1) allow $1 initrc_var_run_t:file manage_file_perms; ') @@ -26062,7 +26267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-02-26 10:49:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-07 16:07:39.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -26125,7 +26330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -102,6 +128,8 @@ +@@ -102,8 +128,11 @@ kernel_read_system_state(init_t) kernel_share_state(init_t) 
@@ -26133,8 +26338,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) ++corecmd_exec_shell(init_t) -@@ -154,6 +182,8 @@ + dev_read_sysfs(init_t) + +@@ -154,6 +183,8 @@ miscfiles_read_localization(init_t) @@ -26143,7 +26351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -163,22 +193,31 @@ +@@ -163,22 +194,31 @@ fs_tmpfs_filetrans(init_t,initctl_t,fifo_file) ') @@ -26182,7 +26390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') ######################################## -@@ -187,7 +226,7 @@ +@@ -187,7 +227,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -26191,7 +26399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; -@@ -201,10 +240,9 @@ +@@ -201,10 +241,9 @@ allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) @@ -26204,7 +26412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -@@ -283,7 +321,6 @@ +@@ -283,7 +322,6 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) @@ -26212,7 +26420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -496,6 +533,31 @@ +@@ -496,6 +534,31 @@ ') ') @@ -26244,7 +26452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -559,14 +621,6 @@ +@@ -559,14 +622,6 @@ ') optional_policy(` 
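Review bot: `corecmd_exec_shell(init_t)` lets init execute a shell that stays in init_t rather than transitioning, which widens what the most privileged user-space domain runs, and the hunk gives no reason for it; the neighbouring `corecmd_exec_bin(init_t)` and `corecmd_exec_chroot(init_t)` already allow a lot, but a shell makes the code running as init_t effectively open-ended. If a particular init implementation runs shell fragments in-process (the patch does not say which), the line should say so, e.g. `# <init implementation> runs shell snippets itself; they stay in init_t`, and if what is being run is a script, the existing init-script transition into initrc_t would be the safer route. The init_t policy block continues outside this hunk.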
@@ -26259,7 +26467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ftp_read_config(initrc_t) ') -@@ -639,12 +693,6 @@ +@@ -639,12 +694,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -26272,7 +26480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -705,6 +753,9 @@ +@@ -705,6 +754,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -26282,7 +26490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -717,9 +768,11 @@ +@@ -717,9 +769,11 @@ squid_manage_logs(initrc_t) ') @@ -26297,7 +26505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -738,6 +791,11 @@ +@@ -738,6 +792,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -26309,7 +26517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` unconfined_domain(initrc_t) -@@ -752,6 +810,10 @@ +@@ -752,6 +811,10 @@ ') optional_policy(` @@ -26320,7 +26528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -774,3 +836,4 @@ +@@ -774,3 +837,4 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -26716,8 +26924,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-02-26 08:29:22.000000000 -0500 -@@ -61,10 +61,23 @@ ++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-10 12:22:41.000000000 -0400 +@@ -61,10 +61,24 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) 
@@ -26729,6 +26937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) ++ init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh) ') +type audisp_t; @@ -26741,7 +26950,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ######################################## # # Auditctl local policy -@@ -171,6 +184,10 @@ +@@ -158,6 +172,7 @@ + + mls_file_read_all_levels(auditd_t) + mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory ++mls_fd_use_all_levels(auditd_t) + + seutil_dontaudit_read_config(auditd_t) + +@@ -171,6 +186,10 @@ ') optional_policy(` @@ -26752,7 +26969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin seutil_sigchld_newrole(auditd_t) ') -@@ -208,6 +225,7 @@ +@@ -208,6 +227,7 @@ fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t) @@ -26760,7 +26977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(klogd_t) -@@ -252,7 +270,6 @@ +@@ -252,7 +272,6 @@ dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog allow syslogd_t self:process { signal_perms setpgid }; 
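Review bot: `mls_fd_use_all_levels(auditd_t)` is added without the justifying comment that the adjacent `mls_file_write_all_levels(auditd_t)` line carries, and the same applies to the MLS overrides added for syslogd_t in the hunk at `@@ -26768,7 +26985,26 @@`, audisp_t at `@@ -26841,17 +27077,14 @@`, insmod_t (`mls_process_write_to_clearance`) at `@@ -27109,8 +27342,17 @@` and setrans_t at `@@ -28330,6 +28572,14 @@`. Each of these makes the domain a trusted MLS subject (it may use descriptors, write files or write to processes across levels), which is exactly the kind of exemption an MLS evaluation has to account for, so each line should name the operation that fails without it, e.g. `mls_fd_use_all_levels(auditd_t) # inherits descriptors from callers at other levels (TODO: confirm which caller)`. For syslogd_t, the combination of `init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh)` in this hunk with `mls_file_write_all_levels(syslogd_t)` means a system-high process writes down into logs at every level; that is the usual design for a log daemon, but the comment only mentions creating directories, so stating the write-down explicitly would help the next reviewer.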
@@ -26768,7 +26985,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -327,6 +344,7 @@ +@@ -262,7 +281,7 @@ + allow syslogd_t self:tcp_socket create_stream_socket_perms; + + allow syslogd_t syslog_conf_t:file read_file_perms; +- ++ + # Create and bind to /dev/log or /var/run/log. + allow syslogd_t devlog_t:sock_file manage_sock_file_perms; + files_pid_filetrans(syslogd_t,devlog_t,sock_file) +@@ -274,6 +293,9 @@ + # Allow access for syslog-ng + allow syslogd_t var_log_t:dir { create setattr }; + ++mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories ++mls_fd_use_all_levels(syslogd_t) ++ + # manage temporary files + manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) + manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) +@@ -327,6 +349,7 @@ # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) @@ -26776,7 +27012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) -@@ -344,14 +362,14 @@ +@@ -344,14 +367,14 @@ # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) @@ -26793,7 +27029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -@@ -380,15 +398,11 @@ +@@ -380,15 +403,11 @@ ') optional_policy(` @@ -26811,7 +27047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') optional_policy(` -@@ -399,3 +413,40 @@ +@@ -399,3 +418,37 @@ # log to the xconsole xserver_rw_console(syslogd_t) ') 
@@ -26841,17 +27077,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + +miscfiles_read_localization(audisp_t) + ++mls_file_write_all_levels(audisp_t) ++ +corecmd_search_bin(audisp_t) +allow audisp_t self:unix_dgram_socket create_socket_perms; + +logging_domtrans_audisp(auditd_t) +logging_audisp_signal(auditd_t) + -+#gen_require(` -+# type zos_remote_exec_t, zos_remote_t; -+#') -+ -+#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-02-27 23:23:39.000000000 -0500 @@ -27109,8 +27342,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-02-26 08:29:22.000000000 -0500 -@@ -42,7 +42,7 @@ ++++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-03-10 12:26:24.000000000 -0400 +@@ -22,6 +22,8 @@ + type insmod_exec_t; + application_domain(insmod_t,insmod_exec_t) + mls_file_write_all_levels(insmod_t) ++mls_process_write_to_clearance(insmod_t) ++ + role system_r types insmod_t; + + type depmod_t; +@@ -42,7 +44,7 @@ # insmod local policy # @@ -27119,7 +27361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -63,6 +63,7 @@ +@@ -63,6 +65,7 @@ kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) 
@@ -27127,7 +27369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti files_read_kernel_modules(insmod_t) # for locking: (cjp: ????) -@@ -76,9 +77,7 @@ +@@ -76,9 +79,7 @@ dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -27138,7 +27380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti fs_getattr_xattr_fs(insmod_t) -@@ -101,6 +100,7 @@ +@@ -101,6 +102,7 @@ init_use_fds(insmod_t) init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) @@ -27146,7 +27388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti libs_use_ld_so(insmod_t) libs_use_shared_libs(insmod_t) -@@ -118,11 +118,28 @@ +@@ -118,11 +120,28 @@ ') ') @@ -27175,7 +27417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti hotplug_search_config(insmod_t) ') -@@ -155,10 +172,12 @@ +@@ -155,10 +174,12 @@ optional_policy(` rpm_rw_pipes(insmod_t) @@ -27188,7 +27430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -@@ -185,6 +204,7 @@ +@@ -185,6 +206,7 @@ files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) @@ -27196,7 +27438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti fs_getattr_xattr_fs(depmod_t) -@@ -208,9 +228,11 @@ +@@ -208,9 +230,11 @@ # Read System.map from home directories. files_list_home(depmod_t) @@ -27209,7 +27451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(depmod_t) -@@ -219,11 +241,12 @@ +@@ -219,11 +243,12 @@ optional_policy(` # Read System.map from home directories. 
@@ -27389,7 +27631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-06 09:35:23.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-03-10 10:10:04.000000000 -0400 @@ -0,0 +1,294 @@ + +## policy for qemu @@ -27605,7 +27847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + type qemu_unconfined_t; + ') + -+ qemu_domtrans($1) ++ qemu_domtrans_unconfined($1) + allow qemu_unconfined_t $3:chr_file rw_file_perms; +') + @@ -28320,7 +28562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.3.1/policy/modules/system/setrans.te --- nsaserefpolicy/policy/modules/system/setrans.te 2007-10-02 09:54:52.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/setrans.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/setrans.te 2008-03-10 11:01:35.000000000 -0400 @@ -28,7 +28,7 @@ # 
@@ -28330,6 +28572,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran allow setrans_t self:unix_stream_socket create_stream_socket_perms; allow setrans_t self:unix_dgram_socket create_socket_perms; allow setrans_t self:netlink_selinux_socket create_socket_perms; +@@ -58,6 +58,7 @@ + mls_socket_write_all_levels(setrans_t) + mls_process_read_up(setrans_t) + mls_socket_read_all_levels(setrans_t) ++mls_fd_use_all_levels(setrans_t) + + selinux_compute_access_vector(setrans_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-03-06 11:55:26.000000000 -0500 @@ -29265,7 +29515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-06 09:14:52.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-09 08:38:37.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -29750,7 +30000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +553,31 @@ +@@ -568,30 +553,32 @@ # template(`userdom_xwindows_client_template',` gen_require(` 
@@ -29795,10 +30045,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($1_t) + xserver_manage_xdm_tmp_files($1_usertype) ++ xserver_stream_connect_xdm_xserver($1_usertype) ') ####################################### -@@ -622,13 +608,7 @@ +@@ -622,13 +609,7 @@ ## ## The template for allowing the user to change roles. ## @@ -29813,7 +30064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,183 +672,194 @@ +@@ -692,183 +673,194 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -30089,7 +30340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -895,6 +886,8 @@ +@@ -895,6 +887,8 @@ ## # template(`userdom_login_user_template', ` @@ -30098,7 +30349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -923,26 +916,26 @@ +@@ -923,26 +917,26 @@ allow $1_t self:context contains; @@ -30139,7 +30390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_dontaudit_write_login_records($1_t) -@@ -950,43 +943,43 @@ +@@ -950,43 +944,43 @@ # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -30201,7 +30452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1020,9 +1013,6 @@ +@@ -1020,9 +1014,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; 
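Review bot: `xserver_stream_connect_xdm_xserver($1_usertype)` is appended directly under the comment `# Needed for escd, remove if we get escd policy`, so a reader will take it for part of the escd workaround and may delete it together with that line, although a user domain connecting to the xdm-started X server's socket is a general need of the template. Placing it above that comment, or giving it its own line such as `# user X clients connect to the xdm-started server's socket`, avoids that. The template body continues outside the hunk.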
@@ -30211,7 +30462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1031,16 +1021,29 @@ +@@ -1031,16 +1022,29 @@ # # privileged home directory writers @@ -30247,7 +30498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1068,6 +1071,13 @@ +@@ -1068,6 +1072,13 @@ userdom_restricted_user_template($1) @@ -30261,7 +30512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1086,16 @@ +@@ -1076,14 +1087,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -30283,7 +30534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1103,25 @@ +@@ -1091,32 +1104,25 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -30325,7 +30576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1132,10 @@ +@@ -1127,10 +1133,10 @@ ## ## ##

@@ -30340,7 +30591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1193,12 +1198,11 @@ +@@ -1193,12 +1199,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -30355,7 +30606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1211,27 @@ +@@ -1207,7 +1212,27 @@ ') optional_policy(` @@ -30384,7 +30635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1308,6 @@ +@@ -1284,8 +1309,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -30393,7 +30644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1363,13 +1385,6 @@ +@@ -1363,13 +1386,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -30407,7 +30658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1437,7 @@ +@@ -1422,6 +1438,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -30415,7 +30666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1803,14 @@ +@@ -1787,10 +1804,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -30431,7 +30682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1906,11 @@ +@@ -1886,11 +1907,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` 
@@ -30445,7 +30696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1940,11 @@ +@@ -1920,11 +1941,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -30459,7 +30710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1988,12 @@ +@@ -1968,12 +1989,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -30475,7 +30726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2023,10 @@ +@@ -2003,10 +2024,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -30488,7 +30739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2058,47 @@ +@@ -2038,11 +2059,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -30538,7 +30789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2130,10 @@ +@@ -2074,10 +2131,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -30551,7 +30802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2163,11 @@ +@@ -2107,11 +2164,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -30565,7 +30816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2197,11 @@ +@@ -2141,11 +2198,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -30580,7 +30831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2231,14 @@ +@@ -2175,10 +2232,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -30597,7 +30848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2268,11 @@ +@@ -2208,11 +2269,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -30611,7 +30862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2302,11 @@ +@@ -2242,11 +2303,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -30625,7 +30876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2336,10 @@ +@@ -2276,10 +2337,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -30638,7 +30889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2371,12 @@ +@@ -2311,12 +2372,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -30654,7 +30905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2408,10 @@ +@@ -2348,10 +2409,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -30667,7 +30918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2443,12 @@ +@@ -2383,12 +2444,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` 
@@ -30683,7 +30934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2480,12 @@ +@@ -2420,12 +2481,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -30699,7 +30950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2517,12 @@ +@@ -2457,12 +2518,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -30715,7 +30966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2567,11 @@ +@@ -2507,11 +2568,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -30729,7 +30980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2616,11 @@ +@@ -2556,11 +2617,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -30743,7 +30994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2660,11 @@ +@@ -2600,11 +2661,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -30757,7 +31008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2694,11 @@ +@@ -2634,11 +2695,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -30771,7 +31022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2728,11 @@ +@@ -2668,11 +2729,11 @@ # template(`userdom_list_user_tmp',` gen_require(` 
@@ -30785,7 +31036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2764,10 @@ +@@ -2704,10 +2765,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -30798,7 +31049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2799,10 @@ +@@ -2739,10 +2800,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -30811,7 +31062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2832,12 @@ +@@ -2772,12 +2833,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -30827,7 +31078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2869,10 @@ +@@ -2809,10 +2870,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -30840,7 +31091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2904,48 @@ +@@ -2844,10 +2905,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -30891,7 +31142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2975,12 @@ +@@ -2877,12 +2976,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -30907,7 +31158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3012,10 @@ +@@ -2914,10 +3013,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` 
@@ -30920,7 +31171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3047,12 @@ +@@ -2949,12 +3048,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -30936,7 +31187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3084,11 @@ +@@ -2986,11 +3085,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -30950,7 +31201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3120,11 @@ +@@ -3022,11 +3121,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -30964,7 +31215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3156,11 @@ +@@ -3058,11 +3157,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -30978,7 +31229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3192,11 @@ +@@ -3094,11 +3193,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -30992,7 +31243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3228,11 @@ +@@ -3130,11 +3229,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -31006,7 +31257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3277,10 @@ +@@ -3179,10 +3278,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` 
@@ -31019,7 +31270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3321,10 @@ +@@ -3223,10 +3322,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -31032,7 +31283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3352,42 @@ +@@ -3254,6 +3353,42 @@ ##

## # @@ -31075,7 +31326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4231,11 +4365,11 @@ +@@ -4231,11 +4366,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -31089,7 +31340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4385,10 @@ +@@ -4251,10 +4386,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -31102,7 +31353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4404,11 @@ +@@ -4270,11 +4405,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -31116,7 +31367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4423,16 @@ +@@ -4289,16 +4424,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -31136,7 +31387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ##
## -@@ -4307,12 +4441,27 @@ +@@ -4307,12 +4442,27 @@ ## ## # @@ -31167,7 +31418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4476,13 @@ +@@ -4327,13 +4477,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -31185,7 +31436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4680,10 @@ +@@ -4531,10 +4681,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -31198,7 +31449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4700,10 @@ +@@ -4551,10 +4701,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -31211,7 +31462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4718,10 @@ +@@ -4569,10 +4719,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -31224,7 +31475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4737,10 @@ +@@ -4588,10 +4738,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -31237,7 +31488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4755,10 @@ +@@ -4606,10 +4756,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -31250,7 +31501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4774,10 @@ +@@ -4625,10 +4775,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` 
@@ -31263,7 +31514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4793,11 @@ +@@ -4644,12 +4794,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -31279,7 +31530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4824,10 @@ +@@ -4676,10 +4825,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -31292,7 +31543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4842,10 @@ +@@ -4694,10 +4843,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -31305,7 +31556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4860,13 @@ +@@ -4712,13 +4861,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -31323,7 +31574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4902,49 @@ +@@ -4754,11 +4903,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -31374,7 +31625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +4964,14 @@ +@@ -4778,6 +4965,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -31389,7 +31640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5033,26 @@ +@@ -4839,6 +5034,26 @@ ######################################## ## 
@@ -31416,7 +31667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5073,25 @@ +@@ -4859,6 +5074,25 @@ ######################################## ## @@ -31442,7 +31693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5112,26 @@ +@@ -4879,6 +5113,26 @@ ######################################## ## @@ -31469,7 +31720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5368,7 @@ +@@ -5115,7 +5369,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -31478,7 +31729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5557,50 @@ +@@ -5304,6 +5558,50 @@ ######################################## ## @@ -31529,7 +31780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5806,42 @@ +@@ -5509,6 +5807,42 @@ ######################################## ## @@ -31572,7 +31823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5674,6 +6007,42 @@ +@@ -5674,6 +6008,42 @@ ######################################## ## @@ -31615,7 +31866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6073,368 @@ +@@ -5704,3 +6074,368 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -33213,11 +33464,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if +## Policy for user user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.3.1/policy/modules/users/user.te --- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/user.te 2008-02-26 08:29:22.000000000 -0500 -@@ -0,0 +1,4 @@ ++++ serefpolicy-3.3.1/policy/modules/users/user.te 2008-03-10 11:57:48.000000000 -0400 +@@ -0,0 +1,17 @@ +policy_module(user,1.0.1) +userdom_unpriv_user_template(user) + ++optional_policy(` ++ kerneloops_dontaudit_dbus_chat(user_t) ++') ++ ++optional_policy(` ++ rpm_dontaudit_dbus_chat(user_t) ++') ++ ++optional_policy(` ++ setroubleshoot_dontaudit_stream_connect(user_t) ++') ++ ++ + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.3.1/policy/modules/users/webadm.fc --- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
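Review bot: The three new `optional_policy` blocks add rules to user.te, but `policy_module(user,1.0.1)` keeps its old version, which refpolicy convention bumps whenever a module's rules change so a rebuilt package is recognised as newer. Each `dontaudit` also silences a denial permanently for every user_t process, so a one-line comment per block naming the noise it suppresses keeps the suppression reviewable later, e.g. `# unprivileged desktop sessions poke rpm, kerneloops and setroubleshoot; deny silently` — which client actually triggers these is inferred, not visible here. The two trailing empty lines at the end of the file can be dropped.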