- Fix staff_t domain

2009-02-06 17:48:29 +00:00 · 2009-02-06 17:48:29 +00:00 · bc861e624e
parent 73fe81bbab
commit bc861e624e
2 changed files with 284 additions and 163 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -712,8 +712,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc	2009-02-03 22:57:29.000000000 -0500
-@@ -11,7 +11,8 @@
+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc	2009-02-05 13:41:50.000000000 -0500
+@@ -3,6 +3,7 @@
+ /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ 
+ /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
+ 
+ /usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
+@@ -11,7 +12,8 @@
 
 /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@ -723,7 +731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 ifdef(`distro_redhat', `
-@@ -21,14 +22,17 @@
+@@ -21,14 +23,17 @@
 /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@ -1706,7 +1714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#/usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.4/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/apps/gnome.if	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/apps/gnome.if	2009-02-05 15:12:13.000000000 -0500
@@ -89,5 +89,154 @@
 
 	allow $1 gnome_home_t:dir manage_dir_perms;
@ -6204,7 +6212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.4/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/kernel.if	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/kernel/kernel.if	2009-02-06 11:11:26.000000000 -0500
@@ -1197,6 +1197,26 @@
 	')
 
@ -6331,6 +6339,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.4/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-02-03 22:50:50.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/kernel/kernel.te	2009-02-03 22:57:29.000000000 -0500
+@@ -1,5 +1,5 @@
+ 
+-policy_module(kernel, 1.10.3)
+policy_module(kernel, 1.10.2)
+ 
+ ########################################
+ #
@@ -63,6 +63,15 @@
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
 
@ -6375,6 +6390,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow kernel_t proc_t:dir list_dir_perms;
 allow kernel_t proc_t:file read_file_perms;
 allow kernel_t proc_t:lnk_file read_lnk_file_perms;
+@@ -221,10 +237,8 @@
+ # connections with invalidated labels:
+ allow kernel_t unlabeled_t:packet send;
+ 
+-# Allow unlabeled network traffic
+# Forwarded network traffic
+ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+-corenet_in_generic_if(unlabeled_t)
+-corenet_in_generic_node(unlabeled_t)
+ 
+ corenet_all_recvfrom_unlabeled(kernel_t)
+ corenet_all_recvfrom_netlabel(kernel_t)
@@ -248,7 +262,8 @@
 
 selinux_load_policy(kernel_t)
@ -7047,16 +7074,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.4/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/roles/staff.te	2009-02-03 22:57:29.000000000 -0500
-@@ -8,112 +8,32 @@
- 
- role staff_r;
- 
-userdom_unpriv_user_template(staff)
-+userdom_admin_login_user_template(staff)
- 
- ########################################
- #
+++ serefpolicy-3.6.4/policy/modules/roles/staff.te	2009-02-05 13:52:52.000000000 -0500
+@@ -15,156 +15,87 @@
 # Local policy
 #
 
@ -7119,112 +7138,131 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	java_role(staff_r, staff_t)
 -')
-
-optional_policy(`
-	lockdev_role(staff_r, staff_t)
-')
-
-optional_policy(`
-	lpd_role(staff_r, staff_t)
-')
-
-optional_policy(`
-	mozilla_role(staff_r, staff_t)
-')
 +kernel_read_ring_buffer(staff_t)
 +kernel_getattr_core_if(staff_t)
 +kernel_getattr_message_if(staff_t)
 +kernel_read_software_raid_state(staff_t)
 
 -optional_policy(`
-	mplayer_role(staff_r, staff_t)
+-	lockdev_role(staff_r, staff_t)
 -')
 +auth_domtrans_pam_console(staff_t)
 
 -optional_policy(`
-	mta_role(staff_r, staff_t)
+-	lpd_role(staff_r, staff_t)
 -')
 +libs_manage_shared_libs(staff_t)
 
+-optional_policy(`
+-	mozilla_role(staff_r, staff_t)
+-')
+seutil_run_newrole(staff_t, staff_r)
+ 
 optional_policy(`
-	oident_manage_user_content(staff_t)
-	oident_relabel_user_content(staff_t)
-')
-
-optional_policy(`
-	pyzor_role(staff_r, staff_t)
-')
-
-optional_policy(`
-	razor_role(staff_r, staff_t)
+-	mplayer_role(staff_r, staff_t)
+	sudo_role_template(staff, staff_r, staff_t)
+ ')
+ 
+ optional_policy(`
+-	mta_role(staff_r, staff_t)
 +	auditadm_role_change(staff_r)
 ')
 
 optional_policy(`
-	rssh_role(staff_r, staff_t)
+-	oident_manage_user_content(staff_t)
+-	oident_relabel_user_content(staff_t)
 +	kerneloops_manage_tmp_files(staff_t)
 ')
 
 optional_policy(`
-	screen_role_template(staff, staff_r, staff_t)
+-	pyzor_role(staff_r, staff_t)
 +	logadm_role_change(staff_r)
 ')
 
 optional_policy(`
-@@ -121,50 +41,21 @@
+-	razor_role(staff_r, staff_t)
+	secadm_role_change(staff_r)
 ')
 
 optional_policy(`
-	spamassassin_role(staff_r, staff_t)
-')
-
-optional_policy(`
- 	ssh_role_template(staff, staff_r, staff_t)
+-	rssh_role(staff_r, staff_t)
+	ssh_role_template(staff, staff_r, staff_t)
 ')
 
 optional_policy(`
-	su_role_template(staff, staff_r, staff_t)
-')
-
-optional_policy(`
-	sudo_role_template(staff, staff_r, staff_t)
-')
-
-optional_policy(`
- 	sysadm_role_change(staff_r)
-	userdom_dontaudit_use_user_terminals(staff_t)
-')
-
-optional_policy(`
-	thunderbird_role(staff_r, staff_t)
-')
-
-optional_policy(`
-	tvtime_role(staff_r, staff_t)
-')
-
-optional_policy(`
-	uml_role(staff_r, staff_t)
-')
-
-optional_policy(`
-	userhelper_role_template(staff, staff_r, staff_t)
+-	screen_role_template(staff, staff_r, staff_t)
+	sysadm_role_change(staff_r)
 ')
 
 optional_policy(`
-	vmware_role(staff_r, staff_t)
+-	secadm_role_change(staff_r)
 +	usernetctl_run(staff_t, staff_r)
 ')
 
 optional_policy(`
-	wireshark_role(staff_r, staff_t)
+-	spamassassin_role(staff_r, staff_t)
 +	unconfined_role_change(staff_r)
 ')
 
 optional_policy(`
-	xserver_role(staff_r, staff_t)
+-	ssh_role_template(staff, staff_r, staff_t)
 +	webadm_role_change(staff_r)
 ')
+ 
+-optional_policy(`
+-	su_role_template(staff, staff_r, staff_t)
+-')
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t)
+ 
+-optional_policy(`
+-	sudo_role_template(staff, staff_r, staff_t)
+-')
+files_read_kernel_modules(staff_t)
+ 
+-optional_policy(`
+-	sysadm_role_change(staff_r)
+-	userdom_dontaudit_use_user_terminals(staff_t)
+-')
+kernel_read_fs_sysctls(staff_t)
+ 
+-optional_policy(`
+-	thunderbird_role(staff_r, staff_t)
+-')
+modutils_read_module_config(staff_t)
+modutils_read_module_deps(staff_t)
+ 
+-optional_policy(`
+-	tvtime_role(staff_r, staff_t)
+-')
+miscfiles_read_hwdata(staff_t)
+ 
+ optional_policy(`
+-	uml_role(staff_r, staff_t)
+	gnomeclock_dbus_chat(staff_t)
+ ')
+ 
+ optional_policy(`
+-	userhelper_role_template(staff, staff_r, staff_t)
+	kerneloops_dbus_chat(staff_t)
+ ')
+ 
+ optional_policy(`
+-	vmware_role(staff_r, staff_t)
+	rpm_dbus_chat(staff_usertype)
+ ')
+ 
+ optional_policy(`
+-	wireshark_role(staff_r, staff_t)
+	setroubleshoot_stream_connect(staff_t)
+	setroubleshoot_dbus_chat(staff_t)
+ ')
+ 
+ optional_policy(`
+-	xserver_role(staff_r, staff_t)
+	virt_stream_connect(staff_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.4/policy/modules/roles/sysadm.if
 --- nsaserefpolicy/policy/modules/roles/sysadm.if	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/roles/sysadm.if	2009-02-03 22:57:29.000000000 -0500
@ -7561,7 +7599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.4/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/roles/unprivuser.te	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/roles/unprivuser.te	2009-02-05 10:45:18.000000000 -0500
@@ -14,142 +14,13 @@
 userdom_unpriv_user_template(user)
 
@ -12263,8 +12301,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.4/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/devicekit.te	2009-02-04 08:40:38.000000000 -0500
-@@ -0,0 +1,125 @@
+++ serefpolicy-3.6.4/policy/modules/services/devicekit.te	2009-02-06 11:17:45.000000000 -0500
+@@ -0,0 +1,131 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@ -12309,6 +12347,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	dbus_system_bus_client(devicekit_t)
 +')
 +
+optional_policy(`
+	udev_read_db(devicekit_t)
+')
+
 +#
 +# DeviceKit-Power local policy
 +#
@ -12324,7 +12366,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +domain_read_all_domains_state(devicekit_power_t)
 +
 +kernel_read_system_state(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
 +kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
 +
 +dev_rw_generic_usb_dev(devicekit_power_t)
 +dev_rw_netcontrol(devicekit_power_t)
@ -12419,6 +12463,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	All of the rules required to administrate 
 ##	an dhcp environment
 ## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.4/policy/modules/services/dnsmasq.fc
+--- nsaserefpolicy/policy/modules/services/dnsmasq.fc	2008-11-18 18:57:20.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.fc	2009-02-06 11:38:55.000000000 -0500
+@@ -5,3 +5,4 @@
+ /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+ /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.4/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2008-11-18 18:57:21.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.if	2009-02-03 22:57:29.000000000 -0500
@ -12522,7 +12574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.4/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.te	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.te	2009-02-06 11:39:09.000000000 -0500
@@ -69,21 +69,22 @@
 
 # allow access to dnsmasq.conf
@ -12705,7 +12757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.4/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/dovecot.te	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/dovecot.te	2009-02-06 11:32:01.000000000 -0500
@@ -15,12 +15,21 @@
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
@ -12795,12 +12847,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 +allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
- allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
- 
+-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+
 +manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 +manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 +files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-+
+ 
 # Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
 files_search_var_lib(dovecot_t)
@ -22173,8 +22226,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.4/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/ssh.te	2009-02-03 22:57:29.000000000 -0500
-@@ -75,7 +75,7 @@
+++ serefpolicy-3.6.4/policy/modules/services/ssh.te	2009-02-06 12:43:43.000000000 -0500
+@@ -41,6 +41,9 @@
+ files_tmp_file(sshd_tmp_t)
+ files_poly_parent(sshd_tmp_t)
+ 
+type sshd_tmpfs_t;
+files_tmpfs_file(sshd_tmpfs_t)
+
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
+ ')
+@@ -75,7 +78,7 @@
 ubac_constrained(ssh_tmpfs_t)
 
 type home_ssh_t;
@ -22183,7 +22246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 files_type(home_ssh_t)
 userdom_user_home_content(home_ssh_t)
-@@ -95,7 +95,7 @@
+@@ -95,7 +98,7 @@
 allow ssh_t self:sem create_sem_perms;
 allow ssh_t self:msgq create_msgq_perms;
 allow ssh_t self:msg { send receive };
@ -22192,7 +22255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
 
 # Read the ssh key file.
-@@ -115,6 +115,7 @@
+@@ -115,6 +118,7 @@
 manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
 manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
 userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
@ -22200,7 +22263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Allow the ssh program to communicate with ssh-agent.
 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -139,6 +140,8 @@
+@@ -139,6 +143,8 @@
 corenet_tcp_sendrecv_all_ports(ssh_t)
 corenet_tcp_connect_ssh_port(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)
@ -22209,7 +22272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 dev_read_urand(ssh_t)
 
-@@ -173,6 +176,7 @@
+@@ -173,6 +179,7 @@
 userdom_use_user_terminals(ssh_t)
 # needs to read krb tgt
 userdom_read_user_tmp_files(ssh_t)
@ -22217,7 +22280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 tunable_policy(`allow_ssh_keysign',`
 	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -202,6 +206,7 @@
+@@ -202,6 +209,7 @@
 # for port forwarding
 tunable_policy(`user_tcp_server',`
 	corenet_tcp_bind_ssh_port(ssh_t)
@ -22225,7 +22288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -310,6 +315,8 @@
+@@ -310,6 +318,8 @@
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
 
@ -22234,18 +22297,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_use_all_user_ptys(sshd_t)
 term_setattr_all_user_ptys(sshd_t)
 term_relabelto_all_user_ptys(sshd_t)
-@@ -318,6 +325,10 @@
+@@ -318,6 +328,13 @@
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
 +userdom_read_user_home_content_files(sshd_t)
 +userdom_read_user_home_content_symlinks(sshd_t)
 +userdom_search_admin_dir(sshd_t)
+
+manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t)
+fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file)
 +
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -331,6 +342,14 @@
+@@ -331,6 +348,14 @@
 ')
 
 optional_policy(`
@ -22260,7 +22326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
-@@ -349,7 +368,11 @@
+@@ -349,7 +374,11 @@
 ')
 
 optional_policy(`
@ -22273,7 +22339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_shell_domtrans(sshd_t)
 ')
 
-@@ -408,6 +431,8 @@
+@@ -408,6 +437,8 @@
 init_use_fds(ssh_keygen_t)
 init_use_script_ptys(ssh_keygen_t)
 
@ -22606,8 +22672,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/VirtualMachines/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.4/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/virt.if	2009-02-03 22:57:29.000000000 -0500
-@@ -293,6 +293,41 @@
+++ serefpolicy-3.6.4/policy/modules/services/virt.if	2009-02-06 11:23:27.000000000 -0500
+@@ -117,12 +117,12 @@
+ 	')
+ 
+ 	files_search_pids($1)
+-	allow $1 virt_var_run_t:file read_file_perms;
+	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage virt pid files.
+##	Manage virt PID files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -135,6 +135,7 @@
+ 		type virt_var_run_t;
+ 	')
+ 
+	files_search_pids($1)
+          manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ ')
+ 
+@@ -293,6 +294,41 @@
 
 ########################################
 ## <summary>
@ -23458,7 +23547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/xserver.te	2009-02-04 11:20:11.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/xserver.te	2009-02-05 18:20:04.000000000 -0500
@@ -34,6 +34,13 @@
 
 ## <desc>
@ -23810,7 +23899,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -504,10 +569,12 @@
+@@ -472,6 +537,7 @@
+ # Search /proc for any user domain processes.
+ userdom_read_all_users_state(xdm_t)
+ userdom_signal_all_users(xdm_t)
+userdom_write_user_tmp_files(xdm_t)
+ 
+ xserver_rw_session(xdm_t,xdm_tmpfs_t)
+ xserver_unconfined(xdm_t)
+@@ -504,10 +570,12 @@
 
 optional_policy(`
 	alsa_domtrans(xdm_t)
@ -23823,7 +23920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -515,12 +582,41 @@
+@@ -515,12 +583,41 @@
 ')
 
 optional_policy(`
@ -23865,7 +23962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	hostname_exec(xdm_t)
 ')
 
-@@ -542,6 +638,19 @@
+@@ -542,6 +639,19 @@
 ')
 
 optional_policy(`
@ -23885,7 +23982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(xdm_t)
 ')
 
-@@ -550,8 +659,9 @@
+@@ -550,8 +660,9 @@
 ')
 
 optional_policy(`
@ -23897,7 +23994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +670,6 @@
+@@ -560,7 +671,6 @@
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
 	')
@ -23905,7 +24002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +680,10 @@
+@@ -571,6 +681,10 @@
 ')
 
 optional_policy(`
@ -23916,7 +24013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -587,7 +700,7 @@
+@@ -587,7 +701,7 @@
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
@ -23925,7 +24022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +715,11 @@
+@@ -602,9 +716,11 @@
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -23937,7 +24034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
 
-@@ -622,7 +737,7 @@
+@@ -622,7 +738,7 @@
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
@ -23946,7 +24043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +750,19 @@
+@@ -635,9 +751,19 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -23966,7 +24063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +805,14 @@
+@@ -680,9 +806,14 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -23981,7 +24078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +827,13 @@
+@@ -697,8 +828,13 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -23995,7 +24092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +855,7 @@
+@@ -720,6 +856,7 @@
 
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -24003,7 +24100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 modutils_domtrans_insmod(xserver_t)
 
-@@ -742,7 +878,7 @@
+@@ -742,7 +879,7 @@
 ')
 
 ifdef(`enable_mls',`
@ -24012,7 +24109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
 
-@@ -774,6 +910,10 @@
+@@ -774,6 +911,10 @@
 ')
 
 optional_policy(`
@ -24023,7 +24120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rhgb_getpgid(xserver_t)
 	rhgb_signal(xserver_t)
 ')
-@@ -806,7 +946,7 @@
+@@ -806,7 +947,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
 
@ -24032,7 +24129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +967,14 @@
+@@ -827,9 +968,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -24047,7 +24144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +989,14 @@
+@@ -844,11 +990,14 @@
 
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -24063,7 +24160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -856,6 +1004,11 @@
+@@ -856,6 +1005,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
 
@ -24075,7 +24172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -881,6 +1034,8 @@
+@@ -881,6 +1035,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -24084,7 +24181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
 
-@@ -905,6 +1060,8 @@
+@@ -905,6 +1061,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
 
@ -24093,7 +24190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1129,51 @@
+@@ -972,17 +1130,51 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 
@ -28524,7 +28621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-04 10:39:52.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-05 18:26:44.000000000 -0500
@@ -30,8 +30,9 @@
 	')
 
@ -29435,7 +29532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	logging_dontaudit_send_audit_msgs($1_t)
 
 	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +953,28 @@
+@@ -899,28 +953,29 @@
 	selinux_get_enforce_mode($1_t)
 
 	optional_policy(`
@ -29447,12 +29544,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
 +		apache_role($1_r, $1_usertype)
-+		')
+	')
 
 		optional_policy(`
 -			consolekit_dbus_chat($1_t)
 +		gnome_manage_config($1_usertype)
 +		gnome_manage_gconf_home_files($1_usertype)
+		gnome_read_gconf_config($1_usertype)
 		')
 
 		optional_policy(`
@ -29472,7 +29570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -931,8 +985,7 @@
+@@ -931,8 +986,7 @@
 ## </summary>
 ## <desc>
 ##	<p>
@ -29482,7 +29580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	</p>
 ##	<p>
 ##	This template creates a user domain, types, and
-@@ -954,8 +1007,8 @@
+@@ -954,8 +1008,8 @@
 	# Declarations
 	#
 
@ -29492,7 +29590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	userdom_common_user_template($1)
 
 	##############################
-@@ -964,11 +1017,12 @@
+@@ -964,11 +1018,12 @@
 	#
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -29507,7 +29605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
 
-@@ -986,37 +1040,47 @@
+@@ -986,37 +1041,47 @@
 		')
 	')
 
@ -29568,7 +29666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 #######################################
-@@ -1050,7 +1114,7 @@
+@@ -1050,7 +1115,7 @@
 #
 template(`userdom_admin_user_template',`
 	gen_require(`
@ -29577,7 +29675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	##############################
-@@ -1059,8 +1123,7 @@
+@@ -1059,8 +1124,7 @@
 	#
 
 	# Inherit rules for ordinary users.
@ -29587,7 +29685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;
-@@ -1083,7 +1146,8 @@
+@@ -1083,7 +1147,8 @@
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
 
@ -29597,7 +29695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1163,7 @@
+@@ -1099,6 +1164,7 @@
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -29605,7 +29703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1106,8 +1171,6 @@
+@@ -1106,8 +1172,6 @@
 
 	dev_getattr_generic_blk_files($1_t)
 	dev_getattr_generic_chr_files($1_t)
@ -29614,7 +29712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow MAKEDEV to work
 	dev_create_all_blk_files($1_t)
 	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1225,6 @@
+@@ -1162,20 +1226,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
@ -29635,7 +29733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1221,6 +1270,7 @@
+@@ -1221,6 +1271,7 @@
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -29643,7 +29741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1286,11 +1336,15 @@
+@@ -1286,11 +1337,15 @@
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -29659,7 +29757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1387,7 +1441,7 @@
+@@ -1387,7 +1442,7 @@
 
 ########################################
 ## <summary>
@ -29668,7 +29766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1420,6 +1474,14 @@
+@@ -1420,6 +1475,14 @@
 
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -29683,7 +29781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1435,9 +1497,11 @@
+@@ -1435,9 +1498,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -29695,7 +29793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1494,6 +1558,25 @@
+@@ -1494,6 +1559,25 @@
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
@ -29721,7 +29819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1547,9 +1630,9 @@
+@@ -1547,9 +1631,9 @@
 		type user_home_dir_t, user_home_t;
 	')
 
@ -29733,7 +29831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1568,6 +1651,8 @@
+@@ -1568,6 +1652,8 @@
 	')
 
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -29742,7 +29840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1643,6 +1728,7 @@
+@@ -1643,6 +1729,7 @@
 		type user_home_dir_t, user_home_t;
 	')
 
@ -29750,7 +29848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')
-@@ -1741,6 +1827,62 @@
+@@ -1741,6 +1828,62 @@
 
 ########################################
 ## <summary>
@ -29813,7 +29911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute user home files.
 ## </summary>
 ## <param name="domain">
-@@ -1757,14 +1899,6 @@
+@@ -1757,14 +1900,6 @@
 
 	files_search_home($1)
 	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@ -29828,7 +29926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1787,6 +1921,46 @@
+@@ -1787,6 +1922,46 @@
 
 ########################################
 ## <summary>
@ -29875,7 +29973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create, read, write, and delete files
 ##	in a user home subdirectory.
 ## </summary>
-@@ -1799,6 +1973,7 @@
+@@ -1799,6 +1974,7 @@
 interface(`userdom_manage_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -29883,7 +29981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -1921,7 +2096,7 @@
+@@ -1921,7 +2097,7 @@
 
 ########################################
 ## <summary>
@ -29892,7 +29990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	with an automatic type transition to
 ##	a specified private type.
 ## </summary>
-@@ -1941,28 +2116,58 @@
+@@ -1941,28 +2117,58 @@
 ##	</summary>
 ## </param>
 #
@ -29958,10 +30056,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	<summary>
 ##	The class of the object to be created.
 ##	</summary>
-@@ -2819,6 +3024,24 @@
+@@ -2814,7 +3020,43 @@
+ 		type user_tmp_t;
+ 	')
 
- ########################################
- ## <summary>
+-	allow $1 user_tmp_t:file write_file_perms;
+	write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Write all users files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_user_tmp_dirs',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
 +##	Delete all users files in /tmp
 +## </summary>
 +## <param name="domain">
@ -29976,14 +30098,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +
 +	allow $1 user_tmp_t:file delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to use user ttys.
- ## </summary>
- ## <param name="domain">
-@@ -2851,6 +3074,7 @@
+ ')
+ 
+ ########################################
+@@ -2851,6 +3093,7 @@
 	')
 
 	read_files_pattern($1,userdomain,userdomain)
@ -29991,7 +30109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
 
-@@ -2965,6 +3189,24 @@
+@@ -2965,6 +3208,24 @@
 
 ########################################
 ## <summary>
@ -30016,7 +30134,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -2981,3 +3223,313 @@
+@@ -2981,3 +3242,313 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -444,6 +444,9 @@ exit 0
 %endif

 %changelog
+* Thu Feb 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-4
+- Fix staff_t domain
+
 * Thu Feb 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-3
 - Grab remainder of network_peer_controls patch