- Allow xfs to bind to port 7100

2007-09-11 16:07:47 +00:00 · 2007-09-11 16:07:47 +00:00 · bf7f975f77
parent 25d586808d
commit bf7f975f77
2 changed files with 415 additions and 92 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -370,7 +370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.0.7/policy/modules/admin/amanda.if
 --- nsaserefpolicy/policy/modules/admin/amanda.if	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/amanda.if	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/admin/amanda.if	2007-09-11 08:55:05.000000000 -0400
@@ -71,6 +71,26 @@
 ########################################
@ -403,6 +403,74 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
 	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
 ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.0.7/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te	2007-07-25 10:37:43.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/admin/amanda.te	2007-09-11 08:54:52.000000000 -0400
@@ -74,7 +74,6 @@
 allow amanda_t self:unix_dgram_socket create_socket_perms;
 allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
 -allow amanda_t self:netlink_route_socket r_netlink_socket_perms;
 # access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file { getattr lock read write };
@@ -108,6 +107,8 @@
 manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
 files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
 +auth_use_nsswitch(amanda_t)
 +
 kernel_read_system_state(amanda_t)
 kernel_read_kernel_sysctls(amanda_t)
 kernel_dontaudit_getattr_unlabeled_files(amanda_t)
@@ -154,8 +155,6 @@
 libs_use_ld_so(amanda_t)
 libs_use_shared_libs(amanda_t)
 -sysnet_read_config(amanda_t)
 -
 optional_policy(`
 	auth_read_shadow(amanda_t)
 ')
@@ -164,14 +163,6 @@
 	logging_send_syslog_msg(amanda_t)
 ')
 -optional_policy(`
 -	nis_use_ypbind(amanda_t)
 -')
 -
 -optional_policy(`
 -	nscd_socket_use(amanda_t)
 -')
 -
 ########################################
 #
 # Amanda recover local policy
@@ -201,6 +192,8 @@
 manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
 files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
 +auth_use_nsswitch(amanda_recover_t)
 +
 kernel_read_system_state(amanda_recover_t)
 kernel_read_kernel_sysctls(amanda_recover_t)
@@ -237,14 +230,4 @@
 miscfiles_read_localization(amanda_recover_t)
 -sysnet_read_config(amanda_recover_t)
 -
 userdom_search_sysadm_home_content_dirs(amanda_recover_t)
 -
 -optional_policy(`
 -	nis_use_ypbind(amanda_recover_t)
 -')
 -
 -optional_policy(`
 -	nscd_socket_use(amanda_recover_t)
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.7/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/admin/anaconda.te	2007-09-06 15:43:06.000000000 -0400
@ -2505,7 +2573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in	2007-09-07 15:02:19.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in	2007-09-11 09:22:25.000000000 -0400
@@ -55,6 +55,11 @@
 type reserved_port_t, port_type, reserved_port_type;
@ -2556,7 +2624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
 network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +166,18 @@
+@@ -160,13 +166,19 @@
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
@ -2564,6 +2632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 +network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 -network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
 +network_port(xfs, tcp,7100,s0)
 +network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
 network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)
@ -2745,7 +2814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.7/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/files.if	2007-09-10 16:27:16.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/files.if	2007-09-11 08:45:38.000000000 -0400
@@ -343,8 +343,7 @@
 ########################################
@ -3004,7 +3073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.0.7/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/files.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/files.te	2007-09-11 10:46:12.000000000 -0400
@@ -55,6 +55,8 @@
 # compatibility aliases for removed types:
 typealias etc_t alias automount_etc_t;
@ -3014,9 +3083,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 #
 # etc_runtime_t is the type of various
@@ -188,6 +190,7 @@
 fs_associate(file_type)
 fs_associate_noxattr(file_type)
 fs_associate_tmpfs(file_type)
 +fs_associate_ramfs(file_type)
 ########################################
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.7/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/filesystem.if	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/filesystem.if	2007-09-11 10:45:23.000000000 -0400
@@ -271,45 +271,6 @@
 ########################################
@ -3072,7 +3149,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 ## </summary>
 ## <param name="domain">
 ##      <summary>
-@@ -2276,7 +2237,7 @@
+@@ -2139,6 +2100,7 @@
 	rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t)
 ')
 +
 ########################################
 ## <summary>
 ##	Mount a RAM filesystem.
@@ -2214,6 +2176,24 @@
 ########################################
 ## <summary>
 +##	Allow the type to associate to ramfs filesystems.
 +## </summary>
 +## <param name="type">
 +##	<summary>
 +##	The type of the object to be associated.
 +##	</summary>
 +## </param>
 +#
 +interface(`fs_associate_ramfs',`
 +	gen_require(`
 +		type ramfs_t;
 +	')
 +
 +	allow $1 ramfs_t:filesystem associate;
 +')
 +
 +########################################
 +## <summary>
 ##	Search directories on a ramfs
 ## </summary>
 ## <param name="domain">
@@ -2276,7 +2256,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -3081,7 +3191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 interface(`fs_dontaudit_read_ramfs_files',`
 	gen_require(`
 		type ramfs_t;
-@@ -3533,3 +3494,42 @@
+@@ -3533,3 +3513,42 @@
 	relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
 	relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
 ')
@ -4854,7 +4964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.7/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cron.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/cron.te	2007-09-11 09:00:57.000000000 -0400
@@ -50,6 +50,7 @@
 type crond_tmp_t;
@ -5296,7 +5406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.7/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dbus.if	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/dbus.if	2007-09-11 11:08:24.000000000 -0400
@@ -50,6 +50,12 @@
 ## </param>
 #
@ -6542,7 +6652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.0.7/policy/modules/services/kerberos.fc
 --- nsaserefpolicy/policy/modules/services/kerberos.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.fc	2007-09-10 14:42:55.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/kerberos.fc	2007-09-11 09:03:41.000000000 -0400
@@ -16,3 +16,4 @@
 /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
@ -6550,7 +6660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.7/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.if	2007-09-10 17:37:40.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/kerberos.if	2007-09-11 09:02:54.000000000 -0400
@@ -42,6 +42,10 @@
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
@ -6590,7 +6700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.7/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te	2007-09-10 14:42:59.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te	2007-09-11 09:02:44.000000000 -0400
@@ -54,6 +54,9 @@
 type krb5kdc_var_run_t;
 files_pid_file(krb5kdc_var_run_t)
@ -7400,7 +7510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 corenet_tcp_connect_all_ports(ypxfr_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.0.7/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/nscd.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/nscd.te	2007-09-11 10:21:10.000000000 -0400
@@ -28,14 +28,14 @@
 # Local policy
 #
@ -7526,7 +7636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.7/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ntp.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/ntp.te	2007-09-11 10:21:22.000000000 -0400
@@ -25,6 +25,12 @@
 type ntpdate_exec_t;
 init_system_domain(ntpd_t,ntpdate_exec_t)
@ -7566,16 +7676,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 auth_use_nsswitch(ntpd_t)
-@@ -107,6 +118,8 @@
+@@ -106,6 +117,9 @@
 miscfiles_read_localization(ntpd_t)
 sysnet_read_config(ntpd_t)
- 
+sysnet_dontaudit_dhcpc_use_fds(ntpd_t)
 +term_use_ptmx(ntpd_t)
 +
 +term_use_ptmx(ntpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_sysadm_home_dirs(ntpd_t)
- userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+@@ -122,6 +136,10 @@
@@ -122,6 +135,10 @@
 ')
 optional_policy(`
@ -7586,7 +7697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 	logrotate_exec(ntpd_t)
 ')
-@@ -132,3 +149,4 @@
+@@ -132,3 +150,4 @@
 optional_policy(`
 	udev_read_db(ntpd_t)
 ')
@ -8392,7 +8503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
 # Only permit unprivileged user domains to be entered via rlogin,
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.7/policy/modules/services/rhgb.te
 --- nsaserefpolicy/policy/modules/services/rhgb.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rhgb.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/rhgb.te	2007-09-11 11:38:16.000000000 -0400
@@ -59,6 +59,7 @@
 corenet_sendrecv_all_client_packets(rhgb_t)
@ -8409,6 +8520,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb
 xserver_read_xdm_xserver_tmp_files(rhgb_t)
 xserver_kill_xdm_xserver(rhgb_t)
@@ -117,6 +119,7 @@
 xserver_domtrans_xdm_xserver(rhgb_t)
 xserver_signal_xdm_xserver(rhgb_t)
 xserver_read_xdm_tmp_files(rhgb_t)
 +xserver_stream_connect_xdm_xserver(rhgb_t)
 optional_policy(`
 	consoletype_exec(rhgb_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.0.7/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/services/ricci.te	2007-09-06 15:43:06.000000000 -0400
@ -8441,15 +8560,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.7/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rlogin.te	2007-09-10 17:48:31.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/rlogin.te	2007-09-11 08:27:48.000000000 -0400
-@@ -65,6 +65,7 @@
+@@ -64,9 +64,10 @@
 fs_getattr_xattr_fs(rlogind_t)
 fs_search_auto_mountpoints(rlogind_t)
 +auth_use_nsswitch(rlogind_t)
 auth_domtrans_chk_passwd(rlogind_t)
 +auth_domtrans_upd_passwd(rlogind_t)
 auth_rw_login_records(rlogind_t)
- auth_use_nsswitch(rlogind_t)
+-auth_use_nsswitch(rlogind_t)
 files_read_etc_files(rlogind_t)
 files_read_etc_runtime_files(rlogind_t)
@@ -82,7 +83,7 @@
 miscfiles_read_localization(rlogind_t)
@ -8585,7 +8708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 	userdom_read_unpriv_users_tmp_files(gssd_t) 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.7/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rshd.te	2007-09-10 16:54:18.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/rshd.te	2007-09-11 09:10:14.000000000 -0400
@@ -11,15 +11,17 @@
 domain_subj_id_change_exemption(rshd_t)
 domain_role_change_exemption(rshd_t)
@ -8614,7 +8737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
 corenet_sendrecv_rsh_server_packets(rshd_t)
 dev_read_urand(rshd_t)
-@@ -44,26 +48,31 @@
+@@ -44,28 +48,44 @@
 selinux_compute_relabel_context(rshd_t)
 selinux_compute_user_contexts(rshd_t)
@ -8648,25 +8771,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
 -
 userdom_search_all_users_home_content(rshd_t)
- tunable_policy(`use_nfs_home_dirs',`
+optional_policy(`
-@@ -78,13 +87,12 @@
+	kerberos_use(rshd_t)
 optional_policy(`
 	kerberos_use(rshd_t)
 +	kerberos_read_keytab(rshd_t)
 +	kerberos_manage_host_rcache(rshd_t)
 +')
 +
 +optional_policy(`
 +	unconfined_shell_domtrans(rshd_t)
 +	unconfined_signal(rshd_t)
 +')
 +
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(rshd_t)
 	fs_read_nfs_symlinks(rshd_t)
@@ -76,15 +96,3 @@
 	fs_read_cifs_symlinks(rshd_t)
 ')
- optional_policy(`
+-optional_policy(`
 -	kerberos_use(rshd_t)
 -')
 -
 -optional_policy(`
 -	nscd_socket_use(rshd_t)
 -')
 -
 -optional_policy(`
 -	unconfined_domain(rshd_t)
- 	unconfined_shell_domtrans(rshd_t)
+-	unconfined_shell_domtrans(rshd_t)
-+	unconfined_signal(rshd_t)
+-')
 ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.7/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/services/rsync.te	2007-09-06 15:43:06.000000000 -0400
@ -8768,7 +8902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho
 corenet_all_recvfrom_unlabeled(rwho_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.7/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.fc	2007-09-10 14:04:38.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/samba.fc	2007-09-11 09:23:37.000000000 -0400
@@ -15,6 +15,7 @@
 /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
 /usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
@ -8788,7 +8922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.7/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.if	2007-09-10 14:06:00.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/samba.if	2007-09-11 09:24:00.000000000 -0400
@@ -349,6 +349,7 @@
 	files_search_var($1)
 	files_search_var_lib($1)
@ -8902,7 +9036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.7/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.te	2007-09-10 14:03:09.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/samba.te	2007-09-11 10:50:53.000000000 -0400
@@ -137,6 +137,11 @@
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
@ -8915,16 +9049,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ########################################
 #
 # Samba net local policy
-@@ -190,6 +195,8 @@
+@@ -146,7 +151,6 @@
 allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
 allow samba_net_t self:udp_socket create_socket_perms;
 allow samba_net_t self:tcp_socket create_socket_perms;
 -allow samba_net_t self:netlink_route_socket r_netlink_socket_perms;
 allow samba_net_t samba_etc_t:file read_file_perms;
@@ -161,6 +165,8 @@
 manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)
 manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)
 +auth_use_nsswitch(samba_net_t)
 +
 kernel_read_proc_symlinks(samba_net_t)
 corenet_all_recvfrom_unlabeled(samba_net_t)
@@ -190,8 +196,7 @@
 miscfiles_read_localization(samba_net_t) 
 -sysnet_read_config(samba_net_t)
 -sysnet_use_ldap(samba_net_t)
 +samba_read_var_files(samba_net_t) 
 +
 sysnet_read_config(samba_net_t)
 sysnet_use_ldap(samba_net_t)
-@@ -226,8 +233,8 @@
+ userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
@@ -199,10 +204,6 @@
 	kerberos_use(samba_net_t)
 ')
 -optional_policy(`
 -	nscd_socket_use(samba_net_t)
 -')
 -
 ########################################
 #
 # smbd Local policy
@@ -217,17 +218,16 @@
 allow smbd_t self:msgq create_msgq_perms;
 allow smbd_t self:sem create_sem_perms;
 allow smbd_t self:shm create_shm_perms;
 -allow smbd_t self:sock_file read_file_perms;
 +allow smbd_t self:sock_file read_sock_file_perms;
 allow smbd_t self:tcp_socket create_stream_socket_perms;
 allow smbd_t self:udp_socket create_socket_perms;
 allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 -allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
@ -8935,7 +9108,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow smbd_t samba_log_t:dir setattr;
 dontaudit smbd_t samba_log_t:dir remove_name;
-@@ -298,6 +305,7 @@
+@@ -256,7 +256,7 @@
 manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
 files_pid_filetrans(smbd_t,smbd_var_run_t,file)
 -allow smbd_t winbind_var_run_t:sock_file { read write getattr };
 +allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -298,6 +298,7 @@
 auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
@ -8943,7 +9125,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 domain_use_interactive_fds(smbd_t)
 domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -350,6 +358,14 @@
+@@ -321,8 +322,6 @@
 miscfiles_read_localization(smbd_t)
 miscfiles_read_public_files(smbd_t)
 -sysnet_read_config(smbd_t)
 -
 userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
@@ -350,6 +349,14 @@
 ')
 optional_policy(`
@ -8958,7 +9149,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 	cups_read_rw_config(smbd_t)
 	cups_stream_connect(smbd_t)
 ')
-@@ -533,6 +549,7 @@
+@@ -398,7 +405,7 @@
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
 -allow nmbd_t self:sock_file read_file_perms;
 +allow nmbd_t self:sock_file read_sock_file_perms;
 allow nmbd_t self:tcp_socket create_stream_socket_perms;
 allow nmbd_t self:udp_socket create_socket_perms;
 allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -421,6 +428,8 @@
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
 +auth_use_nsswitch(nmbd_t)
 +
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
 kernel_read_kernel_sysctls(nmbd_t)
@@ -462,17 +471,11 @@
 miscfiles_read_localization(nmbd_t)
 -sysnet_read_config(nmbd_t)
 -
 userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
 userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
 userdom_use_unpriv_users_fds(nmbd_t)
 optional_policy(`
 -	nis_use_ypbind(nmbd_t)
 -')
 -
 -optional_policy(`
 	seutil_sigchld_newrole(nmbd_t)
 ')
@@ -506,6 +509,8 @@
 manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
 files_list_var_lib(smbmount_t)
 +auth_use_nsswitch(smbmount_t)
 +
 kernel_read_system_state(smbmount_t)
 corenet_all_recvfrom_unlabeled(smbmount_t)
@@ -533,6 +538,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 term_list_ptys(smbmount_t)
@ -8966,19 +9202,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 corecmd_list_bin(smbmount_t)
-@@ -556,6 +573,11 @@
+@@ -553,16 +559,11 @@
 sysnet_read_config(smbmount_t)
 logging_search_logs(smbmount_t)
 -sysnet_read_config(smbmount_t)
 -
 userdom_use_all_users_fds(smbmount_t)
 +userdom_use_sysadm_ttys(smbmount_t)
 +
 +optional_policy(`
 +	cups_read_rw_config(smbmount_t)
 +')
 optional_policy(`
- 	nis_use_ypbind(smbmount_t)
+-	nis_use_ypbind(smbmount_t)
-@@ -570,15 +592,18 @@
+-')
 -
 -optional_policy(`
 -	nscd_socket_use(smbmount_t)
 +	cups_read_rw_config(smbmount_t)
 ')
 ########################################
@@ -570,24 +571,28 @@
 # SWAT Local policy
 #
@ -8990,9 +9233,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow swat_t self:tcp_socket create_stream_socket_perms;
 allow swat_t self:udp_socket create_socket_perms;
- allow swat_t self:netlink_route_socket r_netlink_socket_perms;
+-allow swat_t self:netlink_route_socket r_netlink_socket_perms;
 -allow swat_t nmbd_exec_t:file { execute read };
 +allow swat_t self:unix_stream_socket connectto;
 +can_exec(swat_t, smbd_exec_t)
 +allow swat_t smbd_port_t:tcp_socket name_bind;
 +allow swat_t smbd_t:process { signal signull };
 +allow swat_t smbd_var_run_t:file { lock unlink };
 +
 +can_exec(swat_t, nmbd_exec_t)
 +allow swat_t nmbd_port_t:udp_socket name_bind;
 +allow swat_t nmbd_t:process { signal signull };
@ -9000,7 +9249,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
-@@ -597,7 +622,9 @@
+ append_files_pattern(swat_t,samba_log_t,samba_log_t)
 -allow swat_t smbd_exec_t:file execute ;
 -
 -allow swat_t smbd_t:process signull;
 -
 allow swat_t smbd_var_run_t:file read;
 manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
@@ -597,7 +602,11 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
@ -9008,10 +9266,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +can_exec(swat_t, winbind_exec_t)
 +allow swat_t winbind_var_run_t:dir { write add_name remove_name };
 +allow swat_t winbind_var_run_t:sock_file { create unlink };
 +
 +auth_use_nsswitch(swat_t)
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -622,17 +649,20 @@
+@@ -622,23 +631,24 @@
 dev_read_urand(swat_t)
@ -9032,14 +9292,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 logging_search_logs(swat_t)
 miscfiles_read_localization(swat_t)
-@@ -660,6 +690,24 @@
+ 
- 	nscd_socket_use(swat_t)
+-sysnet_read_config(swat_t)
 -
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
@@ -652,13 +662,16 @@
 	kerberos_use(swat_t)
 ')
-+	
+-optional_policy(`
 -	nis_use_ypbind(swat_t)
 -')
 +init_read_utmp(swat_t)
 +init_dontaudit_write_utmp(swat_t)
-+
+ 
 -optional_policy(`
 -	nscd_socket_use(swat_t)
 -')
 +manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
 +create_files_pattern(swat_t,samba_log_t,samba_log_t)
 +
@ -9047,17 +9318,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +
 +manage_files_pattern(swat_t,samba_var_t,samba_var_t)
 +files_list_var_lib(swat_t)
-+
+ 
 +allow swat_t self:unix_stream_socket connectto;
 +allow swat_t smbd_exec_t:file { execute_no_trans read };
 +allow swat_t smbd_port_t:tcp_socket name_bind;
 +allow swat_t smbd_t:process signal;
 +allow swat_t smbd_var_run_t:file { lock unlink };
 +
 ########################################
 #
- # Winbind local policy
+@@ -672,7 +685,6 @@
@@ -672,7 +720,6 @@
 allow winbind_t self:fifo_file { read write };
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@ -9065,7 +9329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow winbind_t self:tcp_socket create_stream_socket_perms;
 allow winbind_t self:udp_socket create_socket_perms;
-@@ -709,6 +756,8 @@
+@@ -709,6 +721,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@ -9074,7 +9338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +782,9 @@
+@@ -733,7 +747,9 @@
 fs_getattr_all_fs(winbind_t)
 fs_search_auto_mountpoints(winbind_t)
@ -9084,7 +9348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 domain_use_interactive_fds(winbind_t)
-@@ -746,9 +797,6 @@
+@@ -746,9 +762,6 @@
 miscfiles_read_localization(winbind_t)
@ -9094,7 +9358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +806,6 @@
+@@ -758,10 +771,6 @@
 ')
 optional_policy(`
@ -9105,7 +9369,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 	seutil_sigchld_newrole(winbind_t)
 ')
-@@ -804,6 +848,7 @@
+@@ -784,6 +793,8 @@
 allow winbind_helper_t samba_var_t:dir search;
 files_list_var_lib(winbind_helper_t)
 +auth_use_nsswitch(winbind_helper_t)
 +
 stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
 term_list_ptys(winbind_helper_t)
@@ -804,6 +815,7 @@
 optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
@ -9113,7 +9386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 ########################################
-@@ -828,3 +873,36 @@
+@@ -828,3 +840,36 @@
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 	')
 ')
@ -9396,7 +9669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te	2007-09-11 11:09:25.000000000 -0400
@@ -33,7 +33,6 @@
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -9432,13 +9705,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 selinux_get_enforce_mode(setroubleshootd_t)
 selinux_validate_context(setroubleshootd_t)
-@@ -108,6 +113,3 @@
+@@ -109,5 +114,7 @@
         rpm_use_script_fds(setroubleshootd_t)
 ')
-optional_policy(`
+ optional_policy(`
 -	nis_use_ypbind(setroubleshootd_t)
-')
+	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
 +	dbus_send_system_bus(setroubleshootd_t)
 ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.0.7/policy/modules/services/snmp.fc
 --- nsaserefpolicy/policy/modules/services/snmp.fc	2007-06-19 16:23:35.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/services/snmp.fc	2007-09-06 15:43:06.000000000 -0400
@ -9770,7 +10045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.7/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ssh.if	2007-09-10 17:53:16.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/ssh.if	2007-09-11 09:12:11.000000000 -0400
@@ -202,6 +202,7 @@
 #
 template(`ssh_per_role_template',`
@ -9904,7 +10179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.7/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/telnet.te	2007-09-10 17:54:44.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/telnet.te	2007-09-11 08:25:22.000000000 -0400
@@ -32,7 +32,6 @@
 allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
@ -10013,6 +10288,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
 +corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
 +
 +miscfiles_read_certs(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-3.0.7/policy/modules/services/xfs.te
 --- nsaserefpolicy/policy/modules/services/xfs.te	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/services/xfs.te	2007-09-11 08:19:36.000000000 -0400
@@ -37,6 +37,15 @@
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 +corenet_all_recvfrom_unlabeled(xfs_t)
 +corenet_all_recvfrom_netlabel(xfs_t)
 +corenet_tcp_sendrecv_generic_if(xfs_t)
 +corenet_tcp_sendrecv_all_nodes(xfs_t)
 +corenet_tcp_sendrecv_all_ports(xfs_t)
 +corenet_tcp_bind_all_nodes(xfs_t)
 +corenet_tcp_bind_xfs_port(xfs_t)
 +corenet_sendrecv_xfs_client_packets(xfs_t)
 +
 corecmd_list_bin(xfs_t)
 dev_read_sysfs(xfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.7/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2007-08-22 07:14:07.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/services/xserver.fc	2007-09-06 15:43:06.000000000 -0400
@ -10041,7 +10335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.7/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/xserver.if	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/xserver.if	2007-09-11 11:45:01.000000000 -0400
@@ -126,6 +126,8 @@
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
@ -10374,7 +10668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.7/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/xserver.te	2007-09-07 16:19:01.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/xserver.te	2007-09-11 09:22:25.000000000 -0400
@@ -16,6 +16,13 @@
 ## <desc>
@ -11863,7 +12157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
 # Sulogin local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.7/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/logging.fc	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/logging.fc	2007-09-11 11:58:06.000000000 -0400
@@ -1,12 +1,15 @@
 -
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
@ -11881,16 +12175,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
-@@ -32,6 +35,8 @@
+@@ -32,7 +35,10 @@
 /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 ')
 +/var/named/chroot/var/log	-d	gen_context(system_u:object_r:var_log_t,s0)
 +
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 +/var/run/audispd_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
-@@ -43,3 +48,8 @@
+ /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
@@ -43,3 +49,8 @@
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
@ -13224,7 +13520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.7/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/sysnetwork.if	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/sysnetwork.if	2007-09-11 10:23:22.000000000 -0400
@@ -522,6 +522,8 @@
 	files_search_etc($1)
@ -13234,6 +13530,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ')
 ########################################
@@ -556,3 +558,23 @@
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
 ')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to use
 +##	the dhcp file descriptors.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	The domain sending the SIGCHLD.
 +##	</summary>
 +## </param>
 +#
 +interface(`sysnet_dontaudit_dhcpc_use_fds',`
 +	gen_require(`
 +		type dhcpc_t;
 +	')
 +
 +	dontaudit $1 dhcpc_t:fd use;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.7/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/system/sysnetwork.te	2007-09-06 15:43:06.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.7
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -362,6 +362,9 @@ exit 0
 %endif
 %changelog
 * Tue Sep 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-9
 - Allow xfs to bind to port 7100
 * Mon Sep 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-8
 - Allow newalias/sendmail dac_override
 - Allow bind to bind to all udp ports