- Merge upstream changes

- Add Xavier Toth patches
2008-09-16 13:47:03 +00:00 · 2008-09-16 13:47:03 +00:00 · ceb150c168
commit ceb150c168
parent 8a482d67b3
1 changed files with 146 additions and 48 deletions
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -284,8 +284,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/admin/alsa.te	2008-09-12 10:59:28.000000000 -0400
-@@ -51,6 +51,8 @@
+++ serefpolicy-3.5.8/policy/modules/admin/alsa.te	2008-09-15 14:54:22.000000000 -0400
+@@ -48,9 +48,12 @@
+ 
+ files_search_home(alsa_t)
+ files_read_etc_files(alsa_t)
+files_read_usr_files(alsa_t)
 
 auth_use_nsswitch(alsa_t)
 
@ -1162,7 +1166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.8/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/admin/rpm.te	2008-09-12 10:59:28.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/admin/rpm.te	2008-09-16 09:14:33.000000000 -0400
@@ -31,6 +31,9 @@
 files_type(rpm_var_lib_t)
 typealias rpm_var_lib_t alias var_lib_rpm_t;
@ -1173,7 +1177,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
-@@ -89,6 +92,9 @@
+@@ -52,7 +55,8 @@
+ # rpm Local policy
+ #
+ 
+-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+
+ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow rpm_t self:process { getattr setexec setfscreate setrlimit };
+ allow rpm_t self:fd use;
+@@ -89,8 +93,12 @@
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
 
@ -1182,8 +1196,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
+kernel_read_network_state_symlinks(rpm_t)
 
-@@ -179,10 +185,20 @@
+ corecmd_exec_all_executables(rpm_t)
+ 
+@@ -117,6 +125,7 @@
+ fs_manage_nfs_symlinks(rpm_t)
+ fs_getattr_all_fs(rpm_t)
+ fs_search_auto_mountpoints(rpm_t)
+fs_list_inotifyfs(rpm_t)
+ 
+ mls_file_read_all_levels(rpm_t)
+ mls_file_write_all_levels(rpm_t)
+@@ -179,10 +188,20 @@
 ')
 
 optional_policy(`
@ -1204,7 +1229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	prelink_domtrans(rpm_t)
 ')
 
-@@ -190,6 +206,7 @@
+@@ -190,6 +209,7 @@
 	unconfined_domain(rpm_t)
 	# yum-updatesd requires this
 	unconfined_dbus_chat(rpm_t)
@ -1212,16 +1237,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ifdef(`TODO',`
-@@ -216,7 +233,7 @@
+@@ -215,8 +235,8 @@
+ # rpm-script Local policy
 #
 
- allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
 -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_nice mknod kill };
 +allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_fifo_file_perms;
 allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -317,6 +334,7 @@
+@@ -227,12 +247,15 @@
+ allow rpm_script_t self:sem create_sem_perms;
+ allow rpm_script_t self:msgq create_msgq_perms;
+ allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ allow rpm_script_t rpm_tmp_t:file read_file_perms;
+ 
+ allow rpm_script_t rpm_script_tmp_t:dir mounton;
+ manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+ manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+ files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+ 
+ manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -298,6 +321,7 @@
+ files_exec_etc_files(rpm_script_t)
+ files_read_etc_runtime_files(rpm_script_t)
+ files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
+ 
+ init_domtrans_script(rpm_script_t)
+ 
+@@ -317,6 +341,7 @@
 seutil_domtrans_loadpolicy(rpm_script_t)
 seutil_domtrans_setfiles(rpm_script_t)
 seutil_domtrans_semanage(rpm_script_t)
@ -1229,7 +1280,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 userdom_use_all_users_fds(rpm_script_t)
 
-@@ -342,6 +360,7 @@
+@@ -335,6 +360,10 @@
+ ')
+ 
+ optional_policy(`
+	lvm_domtrans(rpm_script_t)
+')
+
+optional_policy(`
+ 	tzdata_domtrans(rpm_t)
+ 	tzdata_domtrans(rpm_script_t)
+ ')
+@@ -342,6 +371,7 @@
 optional_policy(`
 	unconfined_domain(rpm_script_t)
 	unconfined_domtrans(rpm_script_t)
@ -1237,7 +1299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	optional_policy(`
 		java_domtrans(rpm_script_t)
-@@ -352,6 +371,11 @@
+@@ -352,6 +382,11 @@
 	')
 ')
 
@ -1933,7 +1995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/.pulse(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.8/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/apps/gnome.if	2008-09-12 10:59:28.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/apps/gnome.if	2008-09-15 14:57:34.000000000 -0400
@@ -36,6 +36,7 @@
 	gen_require(`
 		type gconfd_exec_t, gconf_etc_t;
@ -2081,7 +2143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="userdomain_prefix">
 ##	<summary>
-@@ -183,11 +200,95 @@
+@@ -183,11 +200,96 @@
 ##	</summary>
 ## </param>
 #
@ -2117,6 +2179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	manage_dirs_pattern($2, gnome_home_t, gnome_home_t)
 +	manage_files_pattern($2, gnome_home_t, gnome_home_t)
+	manage_lnk_files_pattern($2, gnome_home_t, gnome_home_t)
 +')
 +
 +########################################
@ -4464,8 +4527,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.8/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te	2008-09-12 10:59:28.000000000 -0400
-@@ -0,0 +1,226 @@
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te	2008-09-15 13:09:59.000000000 -0400
+@@ -0,0 +1,228 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@ -4547,6 +4610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +dev_read_video_dev(nsplugin_t)
 +dev_write_video_dev(nsplugin_t)
 +dev_getattr_dri_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
 +
 +kernel_read_kernel_sysctls(nsplugin_t)
 +kernel_read_system_state(nsplugin_t)
@ -4605,6 +4669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	mplayer_exec(nsplugin_t)
+	mplayer_read_user_home_files(user, nsplugin_t)
 +')
 +
 +optional_policy(`
@ -4629,7 +4694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# nsplugin_config local policy
 +#
 +
-+allow nsplugin_config_t self:capability { sys_nice setuid setgid };
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
 +allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
 +#execing pulseaudio
 +dontaudit nsplugin_t self:process { getcap setcap };
@ -7091,7 +7156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # /emul
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/kernel/files.if	2008-09-12 10:59:28.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/kernel/files.if	2008-09-16 09:05:30.000000000 -0400
@@ -110,6 +110,11 @@
 ## </param>
 #
@ -8453,8 +8518,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.8/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/roles/staff.te	2008-09-12 10:59:28.000000000 -0400
-@@ -8,23 +8,52 @@
+++ serefpolicy-3.5.8/policy/modules/roles/staff.te	2008-09-15 14:58:31.000000000 -0400
+@@ -8,23 +8,55 @@
 
 role staff_r;
 
@ -8467,6 +8532,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 
 +kernel_read_ring_buffer(staff_t)
+kernel_getattr_core_if(staff_t)
+kernel_getattr_message_if(staff_t)
+kernel_read_software_raid_state(staff_t)
 +
 +auth_domtrans_pam_console(staff_t)
 +
@ -20147,7 +20215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.8/policy/modules/services/pads.te
 --- nsaserefpolicy/policy/modules/services/pads.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.8/policy/modules/services/pads.te	2008-09-12 10:59:28.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/pads.te	2008-09-15 13:00:58.000000000 -0400
@@ -0,0 +1,66 @@
 +
 +policy_module(pads, 0.0.1) 
@ -20163,7 +20231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +role system_r types pads_t;
 +
 +type pads_script_exec_t;
-+init_script_type(pads_script_exec_t)
+init_script_file(pads_script_exec_t)
 +
 +type pads_config_t;
 +files_config_file(pads_config_t)
@ -20213,7 +20281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +sysnet_dns_name_resolve(pads_t)
 +
 +optional_policy(`
-+        prelude_rw_spool(pads_t)
+        prelude_manage_spool(pads_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.8/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2008-08-07 11:15:11.000000000 -0400
@ -20880,7 +20948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/postfix.te	2008-09-12 10:59:28.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/postfix.te	2008-09-15 10:53:20.000000000 -0400
@@ -6,6 +6,14 @@
 # Declarations
 #
@ -21098,17 +21166,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	uucp_domtrans_uux(postfix_pipe_t)
 ')
 
-@@ -443,8 +491,7 @@
+@@ -443,8 +491,11 @@
 ')
 
 optional_policy(`
 -	ppp_use_fds(postfix_postqueue_t)
 -	ppp_sigchld(postfix_postqueue_t)
+	sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+')
+
+optional_policy(`
 +	uucp_manage_spool(postfix_postdrop_t)
 ')
 
 #######################################
-@@ -470,6 +517,15 @@
+@@ -470,6 +521,15 @@
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
 
@ -21124,18 +21196,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Postfix qmgr local policy
-@@ -564,6 +620,10 @@
- 	sasl_connect(postfix_smtpd_t)
- ')
+@@ -553,6 +613,10 @@
+ mta_read_aliases(postfix_smtpd_t)
 
-+optional_policy(`
+ optional_policy(`
 +	dovecot_auth_stream_connect(postfix_smtpd_t)
 +')
 +
- ########################################
- #
- # Postfix virtual local policy
-@@ -579,7 +639,7 @@
+optional_policy(`
+ 	mailman_read_data_files(postfix_smtpd_t)
+ ')
+ 
+@@ -579,7 +643,7 @@
 files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
 
 # connect to master process
@ -24891,8 +24963,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.8/policy/modules/services/snmp.fc
 --- nsaserefpolicy/policy/modules/services/snmp.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/snmp.fc	2008-09-12 10:59:29.000000000 -0400
-@@ -17,3 +17,6 @@
+++ serefpolicy-3.5.8/policy/modules/services/snmp.fc	2008-09-15 12:30:27.000000000 -0400
+@@ -8,6 +8,7 @@
+ #
+ # /var
+ #
+/var/agentx(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ /var/lib/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ /var/lib/snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ 
+@@ -17,3 +18,6 @@
 
 /var/run/snmpd		-d	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
@ -30587,7 +30667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2008-09-03 10:17:00.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/logging.te	2008-09-12 10:59:29.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/logging.te	2008-09-15 13:03:25.000000000 -0400
@@ -72,6 +72,12 @@
 logging_log_file(var_log_t)
 files_mountpoint(var_log_t)
@ -30601,7 +30681,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
-@@ -145,6 +151,7 @@
+@@ -124,6 +130,7 @@
+ allow auditd_t self:file { getattr read write };
+ allow auditd_t self:unix_dgram_socket create_socket_perms;
+ allow auditd_t self:fifo_file rw_file_perms;
+allow auditd_t self:tcp_socket create_stream_socket_perms;
+ 
+ allow auditd_t auditd_etc_t:dir list_dir_perms;
+ allow auditd_t auditd_etc_t:file read_file_perms;
+@@ -145,9 +152,18 @@
 
 fs_getattr_all_fs(auditd_t)
 fs_search_auto_mountpoints(auditd_t)
@ -30609,7 +30697,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 selinux_search_fs(auditctl_t)
 
-@@ -241,6 +248,7 @@
+corenet_all_recvfrom_unlabeled(auditd_t)
+corenet_all_recvfrom_netlabel(auditd_t)
+corenet_tcp_sendrecv_all_if(auditd_t)
+corenet_tcp_sendrecv_all_nodes(auditd_t)
+corenet_tcp_sendrecv_all_ports(auditd_t)
+corenet_tcp_bind_all_nodes(auditd_t)
+corenet_tcp_bind_audit_port(auditd_t)
+
+ # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
+ # Probably want a transition, and a new auditd_helper app
+ corecmd_exec_bin(auditd_t)
+@@ -241,6 +257,7 @@
 corenet_all_recvfrom_netlabel(audisp_remote_t)
 corenet_tcp_sendrecv_all_if(audisp_remote_t)
 corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
@ -31625,7 +31724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.8/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/selinuxutil.te	2008-09-12 10:59:29.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/selinuxutil.te	2008-09-15 11:59:39.000000000 -0400
@@ -23,6 +23,9 @@
 type selinux_config_t;
 files_type(selinux_config_t)
@ -31708,17 +31807,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(newrole_t)
 
 miscfiles_read_localization(newrole_t)
-@@ -347,6 +351,9 @@
+@@ -347,6 +351,8 @@
 
 seutil_libselinux_linked(restorecond_t)
 
-+userdom_read_all_users_home_dirs_symlinks(restorecond_t)
 +userdom_read_all_users_home_content_symlinks(restorecond_t)
 +
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(restorecond_t)
-@@ -365,7 +372,7 @@
+@@ -365,7 +371,7 @@
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 allow run_init_t self:fifo_file rw_file_perms;
@ -31727,7 +31825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # often the administrator runs such programs from a directory that is owned
 # by a different user or has restrictive SE permissions, do not want to audit
-@@ -396,7 +403,6 @@
+@@ -396,7 +402,6 @@
 
 auth_use_nsswitch(run_init_t)
 auth_domtrans_chk_passwd(run_init_t)
@ -31735,7 +31833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_dontaudit_read_shadow(run_init_t)
 
 init_spec_domtrans_script(run_init_t)
-@@ -435,64 +441,22 @@
+@@ -435,64 +440,22 @@
 # semodule local policy
 #
 
@ -31808,7 +31906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
 
-@@ -501,12 +465,27 @@
+@@ -501,12 +464,27 @@
 	files_read_var_lib_symlinks(semanage_t)
 ')
 
@ -31836,7 +31934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # cjp: need a more general way to handle this:
 ifdef(`enable_mls',`
 	# read secadm tmp files
-@@ -514,121 +493,42 @@
+@@ -514,121 +492,42 @@
 	# Handle pp files created in homedir and /tmp
 	sysadm_read_home_content_files(semanage_t)
 	sysadm_read_tmp_files(semanage_t)
@ -33142,7 +33240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if	2008-09-12 10:59:29.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if	2008-09-15 11:58:54.000000000 -0400
@@ -28,10 +28,14 @@
 		class context contains;
 	')
@ -36115,7 +36213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.5.8/policy/support/file_patterns.spt
 --- nsaserefpolicy/policy/support/file_patterns.spt	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.8/policy/support/file_patterns.spt	2008-09-12 10:59:29.000000000 -0400
+++ serefpolicy-3.5.8/policy/support/file_patterns.spt	2008-09-16 09:08:28.000000000 -0400
@@ -537,3 +537,18 @@
 	allow $1 $2:dir rw_dir_perms;
 	type_transition $1 $2:$4 $3;