- Prepare policy for beta release

- Change some of the system domains back to unconfined
- Turn on some of the booleans

booleans-targeted.conf

@@ -1,14 +1,14 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = false
+allow_execmem = true
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
-allow_execmod = false
+allow_execmod = true
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = false
+allow_execstack = true
 
 # Allow ftpd to read cifs directories.
 # 
@@ -266,3 +266,11 @@ user_rw_noexattrfile=true
 # Allow qemu to connect fully to the network
 # 
 allow_qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+# 
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+# 
+allow_unconfined_nsplugin_transition=true

policy-20071130.patch

@@ -4127,7 +4127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.3.1/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/java.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/java.te	2008-02-27 23:56:52.000000000 -0500
 @@ -6,16 +6,10 @@
  # Declarations
  #
@@ -4146,7 +4146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
  
  ########################################
  #
-@@ -23,11 +17,23 @@
+@@ -23,11 +17,28 @@
  #
  
  # execheap is needed for itanium/BEA jrocket
@@ -4163,16 +4163,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
 +	optional_policy(`
 +		unconfined_dbus_chat(java_t)
 +	')
++')
++
++optional_policy(`
++	rpm_domtrans(java_t)
 +')
  
  optional_policy(`
  	unconfined_domain_noaudit(java_t)
 -	unconfined_dbus_chat(java_t)
-+')
+ ')
 +
 +optional_policy(`
 +	xserver_xdm_rw_shm(java_t)
- ')
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.3.1/policy/modules/apps/loadkeys.te
 --- nsaserefpolicy/policy/modules/apps/loadkeys.te	2007-12-19 05:32:09.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/apps/loadkeys.te	2008-02-26 08:29:22.000000000 -0500
@@ -26657,8 +26662,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
 +/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
 --- nsaserefpolicy/policy/modules/system/qemu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if	2008-02-27 23:40:38.000000000 -0500
-@@ -0,0 +1,290 @@
+@@ -0,0 +1,291 @@
 +
 +## <summary>policy for qemu</summary>
 +
@@ -26896,6 +26901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
 +
 +	domain_use_interactive_fds($1_t)
 +
++	allow $1_t self:capability { dac_read_search dac_override };
 +	allow $1_t self:process { execstack execmem signal getsched };
 +	allow $1_t self:tcp_socket create_stream_socket_perms;
 +

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz