- Fix to add xguest account when inititial install

policy-20070703.patch

@@ -1239,7 +1239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
  /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.8/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/gnome.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/gnome.if	2007-09-20 10:51:59.000000000 -0400
 @@ -33,6 +33,51 @@
  ## </param>
  #
@@ -7945,7 +7945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
  manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.if	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpc.if	2007-09-20 10:47:23.000000000 -0400
 @@ -89,8 +89,11 @@
  	# bind to arbitary unused ports
  	corenet_tcp_bind_generic_port($1_t)
@@ -7959,6 +7959,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  	fs_rw_rpc_named_pipes($1_t) 
  	fs_search_auto_mountpoints($1_t)
+@@ -214,6 +217,24 @@
+ 
+ ########################################
+ ## <summary>
++##      Execute domain in nfsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##      The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rpc_domtrans_rpcd',`
++	gen_require(`
++		type rpcd_t, rpcd_exec_t;
++	')
++
++	domtrans_pattern($1,rpcd_exec_t,rpcd_t)
++')
++
++########################################
++## <summary>
+ ##      Read NFS exported content.
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/rpc.te	2007-09-17 16:20:18.000000000 -0400
@@ -9464,7 +9489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-09-20 09:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-09-20 10:52:36.000000000 -0400
 @@ -126,6 +126,8 @@
  	# read events - the synaptics touchpad driver reads raw events
  	dev_rw_input_dev($1_xserver_t)
@@ -9534,7 +9559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -555,25 +558,49 @@
+@@ -555,25 +558,52 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -9553,6 +9578,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
 +	userdom_manage_user_tmp_dirs($1, xdm_t)
 +	userdom_manage_user_tmp_files($1, xdm_t)
++
++	# Handling of pam_keyring
++	gnome_manage_user_gnome_config($1, xdm_t)
  
  	xserver_ro_session_template(xdm,$2,$3)
 -	xserver_rw_session_template($1,$2,$3)
@@ -9592,7 +9620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	')
  ')
  
-@@ -626,6 +653,24 @@
+@@ -626,6 +656,24 @@
  
  ########################################
  ## <summary>
@@ -9617,7 +9645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -659,6 +704,73 @@
+@@ -659,6 +707,73 @@
  
  ########################################
  ## <summary>
@@ -9691,7 +9719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -927,6 +1039,7 @@
+@@ -927,6 +1042,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -9699,7 +9727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -987,6 +1100,37 @@
+@@ -987,6 +1103,37 @@
  
  ########################################
  ## <summary>
@@ -9737,7 +9765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1136,7 +1280,7 @@
+@@ -1136,7 +1283,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -9746,7 +9774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1325,3 +1469,62 @@
+@@ -1325,3 +1472,62 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -9811,7 +9839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-19 11:59:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-20 10:44:00.000000000 -0400
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -9882,16 +9910,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
  
-@@ -306,6 +324,8 @@
+@@ -306,6 +324,11 @@
  
  optional_policy(`
  	consolekit_dbus_chat(xdm_t)
 +	dbus_system_bus_client_template(xdm, xdm_t)
 +	dbus_send_system_bus(xdm_t)
++	optional_policy(`
++		hal_dbus_chat(xdm_t)
++	')
  ')
  
  optional_policy(`
-@@ -348,12 +368,8 @@
+@@ -348,12 +371,8 @@
  ')
  
  optional_policy(`
@@ -9905,7 +9936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
-@@ -385,7 +401,7 @@
+@@ -385,7 +404,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -9914,7 +9945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +441,10 @@
+@@ -425,6 +444,10 @@
  ')
  
  optional_policy(`
@@ -9925,7 +9956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -434,47 +454,19 @@
+@@ -434,47 +457,19 @@
  ')
  
  optional_policy(`
@@ -11922,7 +11953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/mount.te	2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/mount.te	2007-09-20 10:47:39.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -12020,7 +12051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -159,13 +176,8 @@
+@@ -159,13 +176,9 @@
  
  	fs_search_rpc(mount_t)
  
@@ -12031,10 +12062,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 -	optional_policy(`
 -		nis_use_ypbind(mount_t)
 -	')
++	rpc_domtrans_rpcd(mount_t)
  ')
  
  optional_policy(`
-@@ -189,10 +201,6 @@
+@@ -189,10 +202,6 @@
  	samba_domtrans_smbmount(mount_t)
  ')
  
@@ -12045,7 +12077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ########################################
  #
  # Unconfined mount local policy
-@@ -201,4 +209,29 @@
+@@ -201,4 +210,29 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -13131,7 +13163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-20 09:09:10.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-20 10:55:37.000000000 -0400
 @@ -29,8 +29,9 @@
  	')
  
@@ -14124,7 +14156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5559,3 +5705,372 @@
+@@ -5559,3 +5705,375 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -14493,8 +14525,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +template(`userdom_unpriv_usertype',`
 +	gen_require(`
 +		attribute unpriv_userdomain, userdomain;
++		attribute $1_usertype;
 +	')
-+	typeattribute $2  $1_usertype, unpriv_userdomain, userdomain;
++	typeattribute $2  $1_usertype;
++	typeattribute $2  unpriv_userdomain;
++	typeattribute $2  userdomain;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-4
+- Fix to add xguest account when inititial install
+
 * Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-3
 - Allow xserver to search devpts_t
 - Dontaudit ldconfig output to homedir