- Add setransd for mls policy

2007-08-21 20:08:22 +00:00 · 2007-08-21 20:08:22 +00:00 · c77aca56ae
parent 4f23c46830
commit c77aca56ae
2 changed files with 175 additions and 48 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -280,8 +280,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
 class key
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.5/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.5/policy/global_tunables	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/global_tunables	2007-08-21 14:01:26.000000000 -0400
-@@ -133,3 +133,10 @@
+@@ -133,3 +133,18 @@
 ## </desc>
 gen_tunable(write_untrusted_content,false)
@ -292,6 +292,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +## </desc>
 +gen_tunable(allow_console_login,false)
 +
 +
 +## <desc>
 +## <p>
 +## Allow xen to manage nfs files
 +## </p>
 +## </desc>
 +gen_tunable(xen_use_nfs,false)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.5/policy/mls
 --- nsaserefpolicy/policy/mls	2007-07-03 07:06:36.000000000 -0400
 +++ serefpolicy-3.0.5/policy/mls	2007-08-07 09:39:49.000000000 -0400
@ -2903,7 +2911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.5/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/kernel/filesystem.if	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/kernel/filesystem.if	2007-08-21 13:48:48.000000000 -0400
@@ -1192,6 +1192,24 @@
 ########################################
@ -3560,7 +3568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.5/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/apache.te	2007-08-20 15:04:52.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/apache.te	2007-08-21 14:00:56.000000000 -0400
@@ -30,6 +30,13 @@
 ## <desc>
@ -4164,7 +4172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
 fs_getattr_all_fs(entropyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.5/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/automount.te	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/automount.te	2007-08-21 13:37:55.000000000 -0400
@@ -69,6 +69,7 @@
 files_mounton_all_mountpoints(automount_t)
 files_mount_all_file_type_fs(automount_t)
@ -4192,6 +4200,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 	bind_search_cache(automount_t)
 ')
@@ -173,6 +171,11 @@
 ')
 optional_policy(`
 +	samba_read_config(automount_t)
 +	samba_read_var_files(automount_t)
 +')
 +
 +optional_policy(`
 	seutil_sigchld_newrole(automount_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.5/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/avahi.te	2007-08-07 09:39:49.000000000 -0400
@ -5807,6 +5827,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
 	unconfined_domain(inetd_child_t)
 +	inetd_service_domain(inetd_child_t,bin_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.5/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-03 07:06:27.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/kerberos.if	2007-08-21 10:33:38.000000000 -0400
@@ -42,6 +42,10 @@
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
 +	
 +	#kerberos libraries are attempting to set the correct file context
 +	dontaudit $1 self:process setfscreate;
 +	seutil_dontaudit_read_file_contexts($1)
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.5/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/kerberos.te	2007-08-07 09:39:49.000000000 -0400
@ -5969,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.5/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/mta.if	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/mta.if	2007-08-21 15:32:16.000000000 -0400
@@ -392,6 +392,7 @@
 	allow $1 mail_spool_t:dir list_dir_perms;
 	create_files_pattern($1,mail_spool_t,mail_spool_t)
@ -7457,7 +7491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.5/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/samba.if	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/samba.if	2007-08-21 13:36:36.000000000 -0400
@@ -349,6 +349,7 @@
 	files_search_var($1)
 	files_search_var_lib($1)
@ -7754,8 +7788,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.5/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/sendmail.te	2007-08-10 13:14:09.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/sendmail.te	2007-08-21 15:36:07.000000000 -0400
-@@ -130,6 +130,10 @@
+@@ -32,7 +32,6 @@
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
 allow sendmail_t self:tcp_socket create_stream_socket_perms;
 allow sendmail_t self:udp_socket create_socket_perms;
 -allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
 allow sendmail_t sendmail_log_t:dir setattr;
 manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t)
@@ -49,6 +48,8 @@
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
 +auth_use_nsswitch(sendmail_t)
 +
 corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
 corenet_tcp_sendrecv_all_if(sendmail_t)
@@ -93,9 +94,6 @@
 miscfiles_read_localization(sendmail_t)
 -sysnet_dns_name_resolve(sendmail_t)
 -sysnet_read_config(sendmail_t)
 -
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
 userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
@@ -106,17 +104,14 @@
 # Write to /var/spool/mail and /var/spool/mqueue.
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
 +mta_sendmail_exec(sendmail_t)
 optional_policy(`
 -	clamav_search_lib(sendmail_t)
 -')
 -
 -optional_policy(`
 -	nis_use_ypbind(sendmail_t)
 +	cron_read_pipes(sendmail_t)
 ')
 optional_policy(`
 -	nscd_socket_use(sendmail_t)
 +	clamav_search_lib(sendmail_t)
 ')
 optional_policy(`
@@ -130,6 +125,10 @@
 ')
 optional_policy(`
@ -7884,7 +7966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 +/usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.0.5/policy/modules/services/soundserver.if
 --- nsaserefpolicy/policy/modules/services/soundserver.if	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/soundserver.if	2007-08-20 18:36:50.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/soundserver.if	2007-08-21 13:15:20.000000000 -0400
@@ -13,3 +13,64 @@
 interface(`soundserver_tcp_connect',`
 	refpolicywarn(`$0($*) has been deprecated.')
@ -7926,10 +8008,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 +#
 +interface(`soundserver_dontaudit_read_socket_files',`
 +	gen_require(`
-+		type soundd_socket_t;
+		type soundd_var_run_t;
 +	')
 +
-+	dontaudit $1 soundd_socket_t:sock_file r_file_perms;
+	dontaudit $1 soundd_var_run_t:sock_file r_file_perms;
 +')
 +
 +########################################
@ -7944,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 +#
 +interface(`soundserver_read_socket_files',`
 +	gen_require(`
-+		type soundd_socket_t;
+		type soundd_var_run_t;
 +	')
 +
 +	allow $1 soundd_var_run_t:sock_file r_file_perms;
@ -7952,7 +8034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.5/policy/modules/services/soundserver.te
 --- nsaserefpolicy/policy/modules/services/soundserver.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/soundserver.te	2007-08-20 16:59:45.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/soundserver.te	2007-08-21 13:15:59.000000000 -0400
@@ -1,5 +1,5 @@
 -policy_module(soundserver,1.3.0)
@ -8012,7 +8094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
 -files_pid_filetrans(soundd_t,soundd_var_run_t,file)
 +manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
-+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir sock_file })
+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
 kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
@ -8212,7 +8294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.5/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/ssh.te	2007-08-20 15:13:39.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ssh.te	2007-08-21 10:15:49.000000000 -0400
@@ -24,7 +24,7 @@
 # Type for the ssh-agent executable.
@ -8222,7 +8304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 # ssh client executable.
 type ssh_exec_t;
-@@ -73,8 +73,12 @@
+@@ -73,6 +73,8 @@
 manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
 files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
@ -8230,12 +8312,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
 +# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
 +kernel_write_proc_files(sshd_t)
- # for X forwarding
+@@ -100,6 +102,11 @@
 corenet_tcp_bind_xserver_port(sshd_t)
@@ -100,6 +104,11 @@
 	userdom_use_unpriv_users_ptys(sshd_t)
 ')
@ -8247,7 +8325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
-@@ -119,7 +128,12 @@
+@@ -119,7 +126,12 @@
 ')
 optional_policy(`
@ -8819,7 +8897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.5/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/authlogin.if	2007-08-20 15:21:45.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/authlogin.if	2007-08-21 10:18:43.000000000 -0400
@@ -26,7 +26,8 @@
 	type $1_chkpwd_t, can_read_shadow_passwords;
 	application_domain($1_chkpwd_t,chkpwd_exec_t)
@ -8849,10 +8927,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	domain_type($1)
 	domain_subj_id_change_exemption($1)
-@@ -176,6 +180,12 @@
+@@ -176,6 +180,16 @@
 	domain_obj_id_change_exemption($1)
 	role system_r types $1;
 +	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
 +	kernel_write_proc_files(sshd_t)
 +
 +
 +	auth_keyring_domain($1)
 +	allow $1 keyring_type:key { search link };
 +
@ -8862,7 +8944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	# for SSP/ProPolice
 	dev_read_urand($1)
-@@ -196,22 +206,27 @@
+@@ -196,22 +210,27 @@
 	mls_fd_share_all_levels($1)
 	auth_domtrans_chk_passwd($1)
@ -8891,7 +8973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
-@@ -309,9 +324,6 @@
+@@ -309,9 +328,6 @@
 		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 	')
@ -8901,7 +8983,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	corecmd_search_bin($1)
 	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -347,6 +359,37 @@
+@@ -329,6 +345,7 @@
 	optional_policy(`
 		kerberos_use($1)
 +		kerberos_read_keytab($1)
 	')
 	optional_policy(`
@@ -347,6 +364,37 @@
 ########################################
 ## <summary>
@ -8939,7 +9029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	Get the attributes of the shadow passwords file.
 ## </summary>
 ## <param name="domain">
-@@ -695,6 +738,24 @@
+@@ -695,6 +743,24 @@
 ########################################
 ## <summary>
@ -8964,7 +9054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	Execute pam programs in the PAM domain.
 ## </summary>
 ## <param name="domain">
-@@ -1318,14 +1379,9 @@
+@@ -1318,14 +1384,9 @@
 ## </param>
 #
 interface(`auth_use_nsswitch',`
@ -8979,7 +9069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	files_list_var_lib($1)
 	miscfiles_read_certs($1)
-@@ -1381,3 +1437,163 @@
+@@ -1381,3 +1442,163 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -9348,7 +9438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.5/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/fstools.te	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/fstools.te	2007-08-21 14:01:43.000000000 -0400
@@ -69,6 +69,7 @@
 dev_getattr_all_chr_files(fsadm_t)
@ -9357,7 +9447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
 dev_read_urand(fsadm_t)
-@@ -179,3 +180,8 @@
+@@ -179,3 +180,12 @@
 	fs_dontaudit_write_ramfs_pipes(fsadm_t)
 	rhgb_stub(fsadm_t)
 ')
@ -9366,6 +9456,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 +	xen_append_log(fsadm_t)
 +	xen_rw_image_files(fsadm_t)
 +')
 +
 +tunable_policy(`xen_use_nfs',`
 +	fs_manage_nfs_files(fsadm_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.5/policy/modules/system/fusermount.fc
 --- nsaserefpolicy/policy/modules/system/fusermount.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.5/policy/modules/system/fusermount.fc	2007-08-07 09:39:49.000000000 -0400
@ -10540,7 +10634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 /var/spool/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.5/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/modutils.te	2007-08-10 14:08:13.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/modutils.te	2007-08-21 09:07:48.000000000 -0400
@@ -42,7 +42,7 @@
 # insmod local policy
 #
@ -10839,7 +10933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.5/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.if	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.if	2007-08-21 10:32:03.000000000 -0400
@@ -432,6 +432,7 @@
 	role $2 types run_init_t;
 	allow run_init_t $3:chr_file rw_term_perms;
@ -10848,7 +10942,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 ')
 ########################################
-@@ -968,6 +969,26 @@
+@@ -778,6 +779,28 @@
 ########################################
 ## <summary>
 +##	dontaudit Read the file_contexts files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`seutil_dontaudit_read_file_contexts',`
 +	gen_require(`
 +		type selinux_config_t, default_context_t, file_context_t;
 +	')
 +
 +	files_search_etc($1)
 +	dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms;
 +	dontaudit $1 file_context_t:dir search_dir_perms;
 +	dontaudit $1 file_context_t:file r_file_perms;
 +')
 +
 +########################################
 +## <summary>
 ##	Read and write the file_contexts files.
 ## </summary>
 ## <param name="domain">
@@ -968,6 +991,26 @@
 ########################################
 ## <summary>
@ -10875,7 +10998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 ##	Execute semanage in the semanage domain, and
 ##	allow the specified role the semanage domain,
 ##	and use the caller's terminal.
-@@ -979,7 +1000,7 @@
+@@ -979,7 +1022,7 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -10884,7 +11007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 ##	</summary>
 ## </param>
 ## <param name="terminal">
-@@ -1001,6 +1022,39 @@
+@@ -1001,6 +1044,39 @@
 ########################################
 ## <summary>
@ -10924,7 +11047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 ##	Full management of the semanage
 ##	module store.
 ## </summary>
-@@ -1058,3 +1112,120 @@
+@@ -1058,3 +1134,120 @@
 	files_search_etc($1)
 	rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
 ')
@ -12919,7 +13042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.5/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/xen.te	2007-08-09 14:54:50.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/xen.te	2007-08-21 14:01:46.000000000 -0400
@@ -176,6 +176,7 @@
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t,file)
@ -12962,7 +13085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 corenet_tcp_sendrecv_generic_if(xm_t)
 corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -366,3 +369,13 @@
+@@ -366,3 +369,14 @@
 xen_append_log(xm_t)
 xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
@ -12973,9 +13096,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 +fs_getattr_all_fs(xend_t)
 +fs_read_dos_files(xend_t)
 +
-+fs_write_nfs_files(xend_t)
+tunable_policy(`xen_use_nfs',`
-+fs_read_nfs_files(xend_t)
+	fs_manage_nfs_files(xend_t)
-+fs_read_nfs_symlinks(xend_t)
+	fs_read_nfs_symlinks(xend_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.5/policy/modules/users/guest.fc
 --- nsaserefpolicy/policy/modules/users/guest.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.5/policy/modules/users/guest.fc	2007-08-07 09:39:49.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,12 +12,12 @@
 %endif
 %define POLICYVER 21
 %define libsepolver 2.0.3-2
-%define POLICYCOREUTILSVER 2.0.22-10
+%define POLICYCOREUTILSVER 2.0.23-1
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.5
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -74,7 +74,7 @@ SELinux Policy development package
 %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
 %post devel
-[ -x /usr/sbin/sepolgen-ifgen ] && /usr/sbin/sepolgen-ifgen  > /dev/null
+[ -x /usr/bin/sepolgen-ifgen ] && /usr/bin/sepolgen-ifgen  > /dev/null
 exit 0
 %define setupCmds() \
@ -338,7 +338,7 @@ Summary: SELinux mls base policy
 Group: System Environment/Base
 Provides: selinux-policy-base
 Obsoletes: selinux-policy-mls-sources
-Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER}
+Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
 Prereq: policycoreutils >= %{POLICYCOREUTILSVER}
 Prereq: coreutils
 Prereq: selinux-policy = %{version}-%{release}
@ -360,6 +360,9 @@ exit 0
 %endif
 %changelog
 * Tue Aug 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-11
 - Add setransd for mls policy
 * Mon Aug 20 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-10
 - Add ldconfig_cache_t