- Add setrans contains from upstream

2009-02-09 22:07:20 +00:00 · 2009-02-09 22:07:20 +00:00 · bd0db4f147
commit bd0db4f147
parent 4ed140a4b7
4 changed files with 148 additions and 50 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -159,3 +159,4 @@ serefpolicy-3.6.1.tgz
 serefpolicy-3.6.2.tgz
 serefpolicy-3.6.3.tgz
 serefpolicy-3.6.4.tgz
+serefpolicy-3.6.5.tgz
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -284,8 +284,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
 You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.4/man/man8/nfs_selinux.8
 --- nsaserefpolicy/man/man8/nfs_selinux.8	2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.4/man/man8/nfs_selinux.8	2009-02-03 22:57:28.000000000 -0500
-@@ -26,5 +26,5 @@
+++ serefpolicy-3.6.4/man/man8/nfs_selinux.8	2009-02-09 10:19:24.000000000 -0500
+@@ -1,14 +1,12 @@
+-.TH  "nfs_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
+.TH  "nfs_selinux"  "8"  "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
+ .SH "NAME"
+ nfs_selinux \- Security Enhanced Linux Policy for NFS
+ .SH "DESCRIPTION"
+ 
+-Security-Enhanced Linux secures the nfs server via flexible mandatory access
+Security Enhanced Linux secures the NFS server via flexible mandatory access
+ control.  
+ .SH BOOLEANS
+-SELinux policy is customizable based on least access required.  So by 
+-default SElinux policy does not allow nfs to share files.  If you want to 
+-setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
+SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
+ 
+ .TP
+ setsebool -P nfs_export_all_ro 1
+@@ -18,7 +16,10 @@
+ setsebool -P nfs_export_all_rw 1
+ 
+ .TP
+-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
+These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
+
+.TP
+If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
+ .TP
+ setsebool -P use_nfs_home_dirs 1
+ .TP
+@@ -26,5 +27,5 @@
 .SH AUTHOR	
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 
@ -712,7 +742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc	2009-02-05 13:41:50.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc	2009-02-09 15:39:27.000000000 -0500
@@ -3,6 +3,7 @@
 /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
@ -731,7 +761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 ifdef(`distro_redhat', `
-@@ -21,14 +23,17 @@
+@@ -21,14 +23,18 @@
 /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@ -745,6 +775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 -
 -/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 +/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
 +/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
@ -8884,7 +8915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/apache.te	2009-02-06 16:08:00.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/apache.te	2009-02-09 15:59:54.000000000 -0500
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -9105,7 +9136,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_pam, false)
 +
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+-	auth_domtrans_chk_passwd(httpd_t)
 +	auth_domtrans_chkpwd(httpd_t)
 +')
 +
@ -9116,8 +9148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 +optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
-	auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`allow_httpd_mod_auth_pam',`
 +		samba_domtrans_winbind_helper(httpd_t)
 ')
 ')
@ -9211,7 +9242,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -459,8 +575,13 @@
+@@ -451,6 +567,10 @@
+ ')
+ 
+ optional_policy(`
+	cvs_read_data(httpd_t)
+')
+
+optional_policy(`
+ 	cron_system_entry(httpd_t, httpd_exec_t)
+ ')
+ 
+@@ -459,8 +579,13 @@
 ')
 
 optional_policy(`
@ -9227,7 +9269,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -472,18 +593,13 @@
+@@ -468,22 +593,18 @@
+ 	mailman_domtrans_cgi(httpd_t)
+ 	# should have separate types for public and private archives
+ 	mailman_search_data(httpd_t)
+	mailman_read_data_files(httpd_t)
+ 	mailman_read_archive(httpd_t)
 ')
 
 optional_policy(`
@ -9247,7 +9294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -493,6 +609,12 @@
+@@ -493,6 +614,12 @@
 	openca_kill(httpd_t)
 ')
 
@ -9260,7 +9307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
-@@ -500,6 +622,7 @@
+@@ -500,6 +627,7 @@
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
@ -9268,7 +9315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -508,6 +631,7 @@
+@@ -508,6 +636,7 @@
 ')
 
 optional_policy(`
@ -9276,7 +9323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -535,6 +659,22 @@
+@@ -535,6 +664,22 @@
 
 userdom_use_user_terminals(httpd_helper_t)
 
@ -9299,7 +9346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache PHP script local policy
-@@ -564,20 +704,25 @@
+@@ -564,20 +709,25 @@
 
 fs_search_auto_mountpoints(httpd_php_t)
 
@ -9331,7 +9378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -595,23 +740,24 @@
+@@ -595,23 +745,24 @@
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 
@ -9360,7 +9407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +770,7 @@
+@@ -624,6 +775,7 @@
 logging_send_syslog_msg(httpd_suexec_t)
 
 miscfiles_read_localization(httpd_suexec_t)
@ -9368,7 +9415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -641,12 +788,19 @@
+@@ -641,12 +793,19 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 
@ -9391,7 +9438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +826,14 @@
+@@ -672,15 +831,14 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
@ -9410,7 +9457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +852,24 @@
+@@ -699,12 +857,24 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
@ -9437,7 +9484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +877,35 @@
+@@ -712,6 +882,35 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
@ -9473,7 +9520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +918,10 @@
+@@ -724,6 +923,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -9484,7 +9531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -735,6 +933,8 @@
+@@ -735,6 +938,8 @@
 # httpd_rotatelogs local policy
 #
 
@ -9493,7 +9540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +954,12 @@
+@@ -754,6 +959,12 @@
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -9506,7 +9553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 # allow accessing files/dirs below the users home dir
-@@ -762,3 +968,66 @@
+@@ -762,3 +973,66 @@
 	userdom_search_user_home_dirs(httpd_suexec_t)
 	userdom_search_user_home_dirs(httpd_user_script_t)
 ')
@ -11779,6 +11826,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
 +miscfiles_read_fonts(cups_pdf_t)
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.4/policy/modules/services/cvs.if
+--- nsaserefpolicy/policy/modules/services/cvs.if	2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/cvs.if	2009-02-09 16:00:34.000000000 -0500
+@@ -15,7 +15,9 @@
+ 		type cvs_data_t;
+ 	')
+ 
+-	allow $1 cvs_data_t:file { getattr read };
+	list_dirs_pattern($1, cvs_data_t, cvs_data_t)
+	read_files_pattern($1, cvs_data_t, cvs_data_t)
+	read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.4/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/services/cvs.te	2009-02-03 22:57:29.000000000 -0500
@ -13170,7 +13231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.4/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/ftp.te	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/ftp.te	2009-02-09 09:53:23.000000000 -0500
@@ -26,7 +26,7 @@
 ## <desc>
 ## <p>
@ -13197,17 +13258,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 auth_use_nsswitch(ftpd_t)
 auth_domtrans_chk_passwd(ftpd_t)
-@@ -223,6 +224,10 @@
+@@ -222,8 +223,12 @@
+ 	userdom_manage_user_home_content_dirs(ftpd_t)
 	userdom_manage_user_home_content_files(ftpd_t)
 	userdom_manage_user_home_content_symlinks(ftpd_t)
- 	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
 +
 +	auth_read_all_dirs_except_shadow(ftpd_t)
 +	auth_read_all_files_except_shadow(ftpd_t)
 +	auth_read_all_symlinks_except_shadow(ftpd_t)
 ')
+userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
 
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+ 	fs_manage_nfs_files(ftpd_t)
@@ -258,7 +263,9 @@
 ')
 
@ -14054,7 +14118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.4/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/mailman.if	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/mailman.if	2009-02-09 15:34:52.000000000 -0500
@@ -31,6 +31,12 @@
 	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
 	allow mailman_$1_t self:udp_socket create_socket_perms;
@ -14076,7 +14140,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	corecmd_exec_all_executables(mailman_$1_t)
 
-@@ -209,6 +216,7 @@
+@@ -191,6 +198,7 @@
+ 	')
+ 
+ 	read_files_pattern($1, mailman_data_t, mailman_data_t)
+	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+ ')
+ 
+ #######################################
+@@ -209,6 +217,7 @@
 		type mailman_data_t;
 	')
 
@ -14084,7 +14156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	manage_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
 
-@@ -250,6 +258,25 @@
+@@ -250,6 +259,25 @@
 
 #######################################
 ## <summary>
@ -18916,7 +18988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.4/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/prelude.te	2009-02-04 08:49:43.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/prelude.te	2009-02-09 15:50:22.000000000 -0500
@@ -13,25 +13,57 @@
 type prelude_spool_t;
 files_type(prelude_spool_t)
@ -18986,7 +19058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corecmd_search_bin(prelude_t)
 
 corenet_all_recvfrom_unlabeled(prelude_t)
-@@ -56,15 +91,24 @@
+@@ -56,15 +91,25 @@
 corenet_tcp_sendrecv_generic_if(prelude_t)
 corenet_tcp_sendrecv_generic_node(prelude_t)
 corenet_tcp_bind_generic_node(prelude_t)
@ -18997,6 +19069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_read_rand(prelude_t)
 dev_read_urand(prelude_t)
 
+kernel_read_system_state(prelude_t)
 +kernel_read_sysctl(prelude_t)
 +
 # Init script handling
@ -19011,7 +19084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 auth_use_nsswitch(prelude_t)
 
-@@ -86,7 +130,7 @@
+@@ -86,7 +131,7 @@
 #
 # prelude_audisp local policy
 #
@ -19020,7 +19093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow prelude_audisp_t self:fifo_file rw_file_perms;
 allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
-@@ -107,6 +151,7 @@
+@@ -107,6 +152,7 @@
 corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
 corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
 corenet_tcp_bind_generic_node(prelude_audisp_t)
@ -19028,7 +19101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 dev_read_rand(prelude_audisp_t)
 dev_read_urand(prelude_audisp_t)
-@@ -114,12 +159,134 @@
+@@ -114,12 +160,135 @@
 # Init script handling
 domain_use_interactive_fds(prelude_audisp_t)
 
@ -19127,6 +19200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +dev_read_rand(prelude_lml_t)
 +dev_read_urand(prelude_lml_t)
 +
+kernel_read_system_state(prelude_lml_t)
 +kernel_read_sysctl(prelude_lml_t)
 +
 +files_list_etc(prelude_lml_t)
@ -19163,7 +19237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # prewikka_cgi Declarations
-@@ -128,6 +295,20 @@
+@@ -128,6 +297,20 @@
 optional_policy(`
 	apache_content_template(prewikka)
 	files_read_etc_files(httpd_prewikka_script_t)
@ -20094,7 +20168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/rpc.te	2009-02-09 09:05:45.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/rpc.te	2009-02-09 09:51:37.000000000 -0500
@@ -23,7 +23,7 @@
 gen_tunable(allow_nfsd_anon_write, false)
 
@ -20124,10 +20198,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
-+	userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
 +	dev_getattr_all_blk_files(nfsd_t)
 +	dev_getattr_all_chr_files(nfsd_t)
 ')
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
 
 tunable_policy(`nfs_export_all_ro',`
 	fs_read_noxattr_fs_files(nfsd_t) 
@ -20172,7 +20246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_write_login_records(rshd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.4/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/rsync.te	2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/rsync.te	2009-02-09 15:32:24.000000000 -0500
@@ -119,5 +119,9 @@
 
 tunable_policy(`rsync_export_all_ro',`
@ -20614,7 +20688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/samba.te	2009-02-07 07:19:23.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/samba.te	2009-02-09 10:49:17.000000000 -0500
@@ -66,6 +66,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs, false)
@ -20825,7 +20899,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -381,8 +426,10 @@
+@@ -376,13 +421,15 @@
+ tunable_policy(`samba_create_home_dirs',`
+ 	allow smbd_t self:capability chown;
+ 	userdom_create_user_home_dirs(smbd_t)
+-	userdom_home_filetrans_user_home_dir(smbd_t)
+ ')
+userdom_home_filetrans_user_home_dir(smbd_t)
 
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t) 
@ -20836,6 +20916,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	auth_read_all_files_except_shadow(nmbd_t)
 ')
 
+@@ -391,8 +438,8 @@
+ 	auth_manage_all_files_except_shadow(smbd_t)
+ 	fs_read_noxattr_fs_files(nmbd_t) 
+ 	auth_manage_all_files_except_shadow(nmbd_t)
+-	userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+ ')
+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+ 
+ ########################################
+ #
@@ -454,6 +501,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 
@ -21004,7 +21094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	tunable_policy(`samba_run_unconfined',`
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
-+', `
+',`
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
 	')
 -')
@ -28666,7 +28756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-08 17:11:31.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-09 11:05:11.000000000 -0500
@@ -30,8 +30,9 @@
 	')
 
@ -29664,9 +29754,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# the same domain and outside users) disabling this forces FTP passive mode
 	# and may change other protocols
 	tunable_policy(`user_tcp_server',`
- 		corenet_tcp_bind_generic_node($1_t)
+-		corenet_tcp_bind_generic_node($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
-+		corenet_tcp_bind_all_unreserved_ports($1_t)
+		corenet_tcp_bind_all_nodes($1_usertype)
+		corenet_tcp_bind_all_unreserved_ports($1_usertype)
 	')
 
 	optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,8 +19,8 @@
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.6.4
-Release: 5%{?dist}
+Version: 3.6.5
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -184,7 +184,7 @@ fi;

 %description
 SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision  2907.
+Based off of reference policy: Checked out revision  2908.

 %build

@ -444,6 +444,12 @@ exit 0
 %endif

 %changelog
+* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.5-1
+- Add setrans contains from upstream 
+
+* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-6
+- Do transitions outside of the booleans
+
 * Sun Feb 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-5
 - Allow xdm to create user_tmp_t sockets for switch user to work

--- a/2
+++ b/2
@ -1 +1 @@
-5c9f2ee48dab2742927fb099740e9fbc  serefpolicy-3.6.4.tgz
+5911f8b7b5cd991b6367110b0617ac4c  serefpolicy-3.6.5.tgz