- Add boolean to disallow unconfined_t login

2009-02-03 20:23:12 +00:00 · 2009-02-03 20:23:12 +00:00 · bc2add3885
commit bc2add3885
parent 574cab47f1
1 changed files with 96 additions and 58 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -2875,7 +2875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te	2009-02-02 09:39:29.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te	2009-02-03 10:55:18.000000000 -0500
@@ -0,0 +1,288 @@
 +
 +policy_module(nsplugin, 1.0.0)
@ -2897,7 +2897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## Allow nsplugin code to connect to unreserved ports
 +## </p>
 +## </desc>
-+gen_tunable(nsplugin_can_network, True)
+gen_tunable(nsplugin_can_network, true)
 +
 +type nsplugin_exec_t;
 +application_executable_file(nsplugin_exec_t)
@ -12453,7 +12453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.3/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te	2009-02-03 14:14:11.000000000 -0500
@@ -69,21 +69,22 @@
 
 # allow access to dnsmasq.conf
@ -12480,6 +12480,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
+@@ -96,4 +97,5 @@
+ 
+ optional_policy(`
+ 	virt_manage_lib_files(dnsmasq_t)
+	virt_read_pid_files(dnsmasq_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.3/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2008-11-11 16:13:47.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/dovecot.fc	2009-01-19 13:10:02.000000000 -0500
@ -13022,7 +13028,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.3/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/ftp.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/ftp.te	2009-02-03 11:10:55.000000000 -0500
+@@ -26,7 +26,7 @@
+ ## <desc>
+ ## <p>
+ ## Allow ftp servers to use cifs
+-## used for public file transfer services.
+## for public file transfer services.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_ftpd_use_cifs, false)
+@@ -34,7 +34,7 @@
+ ## <desc>
+ ## <p>
+ ## Allow ftp servers to use nfs
+-## used for public file transfer services.
+## for public file transfer services.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_ftpd_use_nfs, false)
@@ -160,6 +160,7 @@
 
 fs_search_auto_mountpoints(ftpd_t)
@ -22512,7 +22536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/VirtualMachines/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/virt.if	2009-01-30 09:30:42.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/virt.if	2009-02-03 14:14:04.000000000 -0500
@@ -293,6 +293,41 @@
 
 ########################################
@ -23335,7 +23359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-02-02 14:36:35.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-02-03 10:52:31.000000000 -0500
@@ -34,6 +34,13 @@
 
 ## <desc>
@ -23735,7 +23759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(xdm_t)
 ')
 
-@@ -550,9 +651,11 @@
+@@ -550,8 +651,9 @@
 ')
 
 optional_policy(`
@ -23745,11 +23769,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	unconfined_signal(xdm_t)
 +')
 
-+optional_policy(`
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
+@@ -560,7 +662,6 @@
+ 	ifdef(`distro_rhel4',`
+ 		allow xdm_t self:process { execheap execmem };
 	')
-@@ -571,6 +674,10 @@
+-')
+ 
+ optional_policy(`
+ 	userhelper_dontaudit_search_config(xdm_t)
+@@ -571,6 +672,10 @@
 ')
 
 optional_policy(`
@ -23760,7 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -587,7 +694,7 @@
+@@ -587,7 +692,7 @@
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
@ -23769,7 +23799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +709,11 @@
+@@ -602,9 +707,11 @@
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -23781,7 +23811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
 
-@@ -622,7 +731,7 @@
+@@ -622,7 +729,7 @@
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
@ -23790,7 +23820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,6 +744,15 @@
+@@ -635,6 +742,15 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -23806,7 +23836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Create files in /var/log with the xserver_log_t type.
 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
 logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -680,9 +798,14 @@
+@@ -680,9 +796,14 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -23821,7 +23851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +820,13 @@
+@@ -697,8 +818,13 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -23835,7 +23865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +848,7 @@
+@@ -720,6 +846,7 @@
 
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -23843,7 +23873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 modutils_domtrans_insmod(xserver_t)
 
-@@ -742,7 +871,7 @@
+@@ -742,7 +869,7 @@
 ')
 
 ifdef(`enable_mls',`
@ -23852,7 +23882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
 
-@@ -774,6 +903,10 @@
+@@ -774,6 +901,10 @@
 ')
 
 optional_policy(`
@ -23863,7 +23893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rhgb_getpgid(xserver_t)
 	rhgb_signal(xserver_t)
 ')
-@@ -806,7 +939,7 @@
+@@ -806,7 +937,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
 
@ -23872,7 +23902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +960,14 @@
+@@ -827,9 +958,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -23887,7 +23917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +982,14 @@
+@@ -844,11 +980,14 @@
 
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -23903,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -856,6 +997,11 @@
+@@ -856,6 +995,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
 
@ -23915,7 +23945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -881,6 +1027,8 @@
+@@ -881,6 +1025,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -23924,7 +23954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
 
-@@ -905,6 +1053,8 @@
+@@ -905,6 +1051,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
 
@ -23933,7 +23963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,6 +1122,37 @@
+@@ -972,6 +1120,37 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 
@ -23971,7 +24001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`TODO',`
 tunable_policy(`allow_polyinstantiation',`
 # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1167,12 @@
+@@ -986,3 +1165,12 @@
 #
 allow xdm_t user_home_type:file unlink;
 ') dnl end TODO
@ -24810,7 +24840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-28 09:55:56.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-02-03 14:13:10.000000000 -0500
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart,false)
@ -24988,7 +25018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 +domain_dontaudit_use_interactive_fds(daemon)
 +
-+userdom_dontaudit_search_admin_dir(daemon)
+userdom_dontaudit_list_admin_dir(daemon)
 +
 +tunable_policy(`allow_daemons_use_tty',`
 +	term_use_unallocated_ttys(daemon)
@ -25292,7 +25322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.3/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc	2009-01-26 13:53:03.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc	2009-02-03 14:11:21.000000000 -0500
@@ -60,12 +60,15 @@
 #
 # /opt
@ -25322,7 +25352,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/ibm/java.*/jre/.+\.jar		--	gen_context(system_u:object_r:lib_t,s0)
 /opt/ibm/java.*/jre/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -115,9 +119,17 @@
+@@ -103,6 +107,7 @@
+ #
+ /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/(.*/)?java/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
+@@ -115,9 +120,17 @@
 
 /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@ -25340,7 +25378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -127,12 +139,14 @@
+@@ -127,12 +140,14 @@
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25355,7 +25393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-@@ -168,7 +182,8 @@
+@@ -168,7 +183,8 @@
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25365,7 +25403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -187,6 +202,7 @@
+@@ -187,6 +203,7 @@
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25373,7 +25411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,12 +262,13 @@
+@@ -246,12 +263,13 @@
 
 # Flash plugin, Macromedia
 HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25389,7 +25427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +284,9 @@
+@@ -267,6 +285,9 @@
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@ -25399,7 +25437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +311,8 @@
+@@ -291,6 +312,8 @@
 /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25408,7 +25446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ') dnl end distro_redhat
 
 #
-@@ -303,6 +325,8 @@
+@@ -303,6 +326,8 @@
 
 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
 
@ -25417,7 +25455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
 ')
-@@ -310,3 +334,20 @@
+@@ -310,3 +335,20 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@ -27721,7 +27759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if	2009-02-02 14:49:54.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if	2009-02-03 10:47:05.000000000 -0500
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -27784,14 +27822,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 interface(`unconfined_shell_domtrans',`
 	gen_require(`
 -		type unconfined_t;
-+		type unconfined_login_domain;
+		attribute unconfined_login_domain;
 	')
 -
 -	corecmd_shell_domtrans($1,unconfined_t)
 -	allow unconfined_t $1:fd use;
 -	allow unconfined_t $1:fifo_file rw_file_perms;
 -	allow unconfined_t $1:process sigchld;
-+	typeattribute $1 unconfined_login_domain
+	typeattribute $1 unconfined_login_domain;
 ')
 
 ########################################
@ -27973,7 +28011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te	2009-02-02 14:52:21.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te	2009-02-03 15:14:47.000000000 -0500
@@ -5,36 +5,86 @@
 #
 # Declarations
@ -28068,7 +28106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 libs_run_ldconfig(unconfined_t, unconfined_r)
 
-@@ -42,26 +92,39 @@
+@@ -42,26 +92,46 @@
 logging_run_auditctl(unconfined_t, unconfined_r)
 
 mount_run_unconfined(unconfined_t, unconfined_r)
@ -28084,6 +28122,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
+tunable_policy(`unconfined_login',`
+	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+	allow unconfined_t unconfined_login_domain:fd use;
+	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+	allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
 +optional_policy(`
 +	nsplugin_role_notrans(unconfined_r, unconfined_t)
 +	tunable_policy(`allow_unconfined_nsplugin_transition',`
@ -28110,7 +28155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -102,12 +165,24 @@
+@@ -102,12 +172,24 @@
 	')
 
 	optional_policy(`
@ -28135,7 +28180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -119,31 +194,33 @@
+@@ -119,31 +201,33 @@
 ')
 
 optional_policy(`
@ -28176,7 +28221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -155,36 +232,38 @@
+@@ -155,36 +239,38 @@
 ')
 
 optional_policy(`
@ -28227,7 +28272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -192,7 +271,7 @@
+@@ -192,7 +278,7 @@
 ')
 
 optional_policy(`
@ -28236,7 +28281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -204,11 +283,12 @@
+@@ -204,11 +290,12 @@
 ')
 
 optional_policy(`
@ -28251,7 +28296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -218,14 +298,68 @@
+@@ -218,14 +305,61 @@
 
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
@ -28276,7 +28321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	xserver_rw_shm(unconfined_execmem_t)
-+')
+ ')
 +
 +########################################
 +#
@ -28295,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		type mplayer_exec_t;
 +	')
 +	domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
- ')
+')
 +
 +optional_policy(`
 +tunable_policy(`allow_unconfined_nsplugin_transition',`', `
@ -28314,13 +28359,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
-+tunable_policy(`unconfined_login',`
-+	corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
-+	allow unconfined_t unconfined_login_domain:fd use;
-+	allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
-+	allow unconfined_t unconfined_login_domain:process sigchld;
-+')
 +	
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2008-11-11 16:13:48.000000000 -0500