From ceb150c168c7a377fad7e5302ed7fb61257c18ac Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 16 Sep 2008 13:47:03 +0000 Subject: [PATCH] - Merge upstream changes - Add Xavier Toth patches --- policy-20080710.patch | 194 +++++++++++++++++++++++++++++++----------- 1 file changed, 146 insertions(+), 48 deletions(-) diff --git a/policy-20080710.patch b/policy-20080710.patch index 23598343..bf169e1f 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -284,8 +284,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.8/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/admin/alsa.te 2008-09-12 10:59:28.000000000 -0400 -@@ -51,6 +51,8 @@ ++++ serefpolicy-3.5.8/policy/modules/admin/alsa.te 2008-09-15 14:54:22.000000000 -0400 +@@ -48,9 +48,12 @@ + + files_search_home(alsa_t) + files_read_etc_files(alsa_t) ++files_read_usr_files(alsa_t) auth_use_nsswitch(alsa_t) @@ -1162,7 +1166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.8/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/admin/rpm.te 2008-09-12 10:59:28.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/admin/rpm.te 2008-09-16 09:14:33.000000000 -0400 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; 
@@ -1173,7 +1177,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type rpm_script_t; type rpm_script_exec_t; domain_obj_id_change_exemption(rpm_script_t) -@@ -89,6 +92,9 @@ +@@ -52,7 +55,8 @@ + # rpm Local policy + # + +-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod }; ++allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; ++ + allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow rpm_t self:process { getattr setexec setfscreate setrlimit }; + allow rpm_t self:fd use; +@@ -89,8 +93,12 @@ manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) @@ -1182,8 +1196,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) ++kernel_read_network_state_symlinks(rpm_t) -@@ -179,10 +185,20 @@ + corecmd_exec_all_executables(rpm_t) + +@@ -117,6 +125,7 @@ + fs_manage_nfs_symlinks(rpm_t) + fs_getattr_all_fs(rpm_t) + fs_search_auto_mountpoints(rpm_t) ++fs_list_inotifyfs(rpm_t) + + mls_file_read_all_levels(rpm_t) + mls_file_write_all_levels(rpm_t) +@@ -179,10 +188,20 @@ ') optional_policy(` @@ -1204,7 +1229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol prelink_domtrans(rpm_t) ') -@@ -190,6 +206,7 @@ +@@ -190,6 +209,7 @@ unconfined_domain(rpm_t) # yum-updatesd requires this unconfined_dbus_chat(rpm_t) 
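Review bot: `ipc_lock` and `sys_nice` are added to `allow rpm_t self:capability { ... }` in the inner hunk `@@ -52,7 +55,8 @@` without a comment recording what triggered them, and the rest of rpm.te gives no hint either. A short why-comment above the rule, e.g. `# ipc_lock/sys_nice: needed by <tool/bug id placeholder>`, would let a later cleanup decide whether they are still required. The same applies to `kernel_read_network_state_symlinks(rpm_t)` and `fs_list_inotifyfs(rpm_t)` in the two following inner hunks; they read as denials observed during testing, but that is inferred, not stated.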
@@ -1212,16 +1237,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ifdef(`TODO',` -@@ -216,7 +233,7 @@ +@@ -215,8 +235,8 @@ + # rpm-script Local policy # - allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; +-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_nice mknod kill }; +allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -317,6 +334,7 @@ +@@ -227,12 +247,15 @@ + allow rpm_script_t self:sem create_sem_perms; + allow rpm_script_t self:msgq create_msgq_perms; + allow rpm_script_t self:msg { send receive }; ++allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; + + allow rpm_script_t rpm_tmp_t:file read_file_perms; + + allow rpm_script_t rpm_script_tmp_t:dir mounton; + manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) + manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) ++manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) ++manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) + files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) + + manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -298,6 +321,7 @@ + files_exec_etc_files(rpm_script_t) + files_read_etc_runtime_files(rpm_script_t) + files_exec_usr_files(rpm_script_t) 
++files_relabel_all_files(rpm_script_t) + + init_domtrans_script(rpm_script_t) + +@@ -317,6 +341,7 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1229,7 +1280,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_all_users_fds(rpm_script_t) -@@ -342,6 +360,7 @@ +@@ -335,6 +360,10 @@ + ') + + optional_policy(` ++ lvm_domtrans(rpm_script_t) ++') ++ ++optional_policy(` + tzdata_domtrans(rpm_t) + tzdata_domtrans(rpm_script_t) + ') +@@ -342,6 +371,7 @@ optional_policy(` unconfined_domain(rpm_script_t) unconfined_domtrans(rpm_script_t) @@ -1237,7 +1299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans(rpm_script_t) -@@ -352,6 +371,11 @@ +@@ -352,6 +382,11 @@ ') ') @@ -1933,7 +1995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.8/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/apps/gnome.if 2008-09-12 10:59:28.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/apps/gnome.if 2008-09-15 14:57:34.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` type gconfd_exec_t, gconf_etc_t; @@ -2081,7 +2143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -183,11 +200,95 @@ +@@ -183,11 +200,96 @@ ## ## # @@ -2117,6 +2179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_dirs_pattern($2, gnome_home_t, gnome_home_t) + manage_files_pattern($2, gnome_home_t, gnome_home_t) ++ manage_lnk_files_pattern($2, gnome_home_t, gnome_home_t) +') + +######################################## 
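Review bot: The new `sys_admin` and `sys_ptrace` in `allow rpm_script_t self:capability { ... }` (inner hunk `@@ -215,8 +235,8 @@`, which starts on the previous physical line) carry no comment saying which scriptlet needed them; sys_admin alone covers mounts, namespaces and a long list of other operations, so a line such as `# sys_admin/sys_ptrace: required by <package %post scriptlet — placeholder>` above the rule is worth adding. The same hunk also grants `manage_blk_files_pattern`/`manage_chr_files_pattern` on rpm_script_tmp_t and `files_relabel_all_files(rpm_script_t)`, which respectively let scriptlets create device nodes under their tmp directory and change the type of any file; each deserves a one-line why-comment for the same reason. Since `unconfined_domain(rpm_script_t)` appears further down inside an `optional_policy` block, these rules presumably only matter on builds without that module, which the comment could say explicitly.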
@@ -4464,8 +4527,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-12 10:59:28.000000000 -0400 -@@ -0,0 +1,226 @@ ++++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.te 2008-09-15 13:09:59.000000000 -0400 +@@ -0,0 +1,228 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4547,6 +4610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_read_video_dev(nsplugin_t) +dev_write_video_dev(nsplugin_t) +dev_getattr_dri_dev(nsplugin_t) ++dev_rwx_zero(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) @@ -4605,6 +4669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + mplayer_exec(nsplugin_t) ++ mplayer_read_user_home_files(user, nsplugin_t) +') + +optional_policy(` @@ -4629,7 +4694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# nsplugin_config local policy +# + -+allow nsplugin_config_t self:capability { sys_nice setuid setgid }; ++allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; +#execing pulseaudio +dontaudit nsplugin_t self:process { getcap setcap }; 
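Review bot: `dev_rwx_zero(nsplugin_t)` grants the plugin domain read, write and execute access to /dev/zero, which is one way to obtain memory that is both writable and executable; nsplugin_t appears to be the wrapper for browser plugins, so this loosens the executable-memory separation the module otherwise sets up. A comment naming the plugin that needs it, e.g. `# dev_rwx_zero: <plugin placeholder> maps /dev/zero executable — TODO confirm`, would make the trade-off visible, and if only anonymous executable mappings are needed the `self:process execmem` permission already used elsewhere in this file may be the narrower grant.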
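Review bot: Adding `dac_override` and `dac_read_search` to `allow nsplugin_config_t self:capability { ... }` lets the config helper bypass file-mode checks on every file its type rules already reach, and combined with the existing `setuid setgid` in the same rule that makes it a sensitive helper; the hunk does not say why (a root-run helper traversing a user's home would be the usual cause, but that is a guess). Record the trigger in a comment above the rule, and if only directory traversal is needed, `dac_read_search` alone is the smaller grant and `dac_override` can be dropped.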
@@ -7091,7 +7156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /emul diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/kernel/files.if 2008-09-12 10:59:28.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/kernel/files.if 2008-09-16 09:05:30.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -8453,8 +8518,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.8/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/roles/staff.te 2008-09-12 10:59:28.000000000 -0400 -@@ -8,23 +8,52 @@ ++++ serefpolicy-3.5.8/policy/modules/roles/staff.te 2008-09-15 14:58:31.000000000 -0400 +@@ -8,23 +8,55 @@ role staff_r; @@ -8467,6 +8532,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # +kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) + +auth_domtrans_pam_console(staff_t) + 
@@ -20147,7 +20215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.8/policy/modules/services/pads.te --- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.8/policy/modules/services/pads.te 2008-09-12 10:59:28.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/pads.te 2008-09-15 13:00:58.000000000 -0400 @@ -0,0 +1,66 @@ + +policy_module(pads, 0.0.1) @@ -20163,7 +20231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +role system_r types pads_t; + +type pads_script_exec_t; -+init_script_type(pads_script_exec_t) ++init_script_file(pads_script_exec_t) + +type pads_config_t; +files_config_file(pads_config_t) @@ -20213,7 +20281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +sysnet_dns_name_resolve(pads_t) + +optional_policy(` -+ prelude_rw_spool(pads_t) ++ prelude_manage_spool(pads_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.8/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2008-08-07 11:15:11.000000000 -0400 @@ -20880,7 +20948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/postfix.te 2008-09-12 10:59:28.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/services/postfix.te 2008-09-15 10:53:20.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
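Review bot: `prelude_manage_spool(pads_t)` replaces `prelude_rw_spool(pads_t)` in the last inner hunk, widening pads_t from read/write to create/delete on the prelude spool; if the rename is only because the rw interface is not defined in this tree, a comment saying so would prevent a later reviewer from tightening it back, and if pads only appends alerts the narrower interface is preferable when available. The `init_script_type` → `init_script_file` change earlier in the same file section looks like a plain interface-name correction and needs no comment.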
@@ -21098,17 +21166,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -443,8 +491,7 @@ +@@ -443,8 +491,11 @@ ') optional_policy(` - ppp_use_fds(postfix_postqueue_t) - ppp_sigchld(postfix_postqueue_t) ++ sendmail_rw_unix_stream_sockets(postfix_postdrop_t) ++') ++ ++optional_policy(` + uucp_manage_spool(postfix_postdrop_t) ') ####################################### -@@ -470,6 +517,15 @@ +@@ -470,6 +521,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -21124,18 +21196,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -564,6 +620,10 @@ - sasl_connect(postfix_smtpd_t) - ') +@@ -553,6 +613,10 @@ + mta_read_aliases(postfix_smtpd_t) -+optional_policy(` + optional_policy(` + dovecot_auth_stream_connect(postfix_smtpd_t) +') + - ######################################## - # - # Postfix virtual local policy -@@ -579,7 +639,7 @@ ++optional_policy(` + mailman_read_data_files(postfix_smtpd_t) + ') + +@@ -579,7 +643,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process 
@@ -24891,8 +24963,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.8/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/services/snmp.fc 2008-09-12 10:59:29.000000000 -0400 -@@ -17,3 +17,6 @@ ++++ serefpolicy-3.5.8/policy/modules/services/snmp.fc 2008-09-15 12:30:27.000000000 -0400 +@@ -8,6 +8,7 @@ + # + # /var + # ++/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + +@@ -17,3 +18,6 @@ /var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) @@ -30587,7 +30667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-09-03 10:17:00.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/system/logging.te 2008-09-12 10:59:29.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/system/logging.te 2008-09-15 13:03:25.000000000 -0400 @@ -72,6 +72,12 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) 
@@ -30601,7 +30681,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) -@@ -145,6 +151,7 @@ +@@ -124,6 +130,7 @@ + allow auditd_t self:file { getattr read write }; + allow auditd_t self:unix_dgram_socket create_socket_perms; + allow auditd_t self:fifo_file rw_file_perms; ++allow auditd_t self:tcp_socket create_stream_socket_perms; + + allow auditd_t auditd_etc_t:dir list_dir_perms; + allow auditd_t auditd_etc_t:file read_file_perms; +@@ -145,9 +152,18 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) @@ -30609,7 +30697,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_search_fs(auditctl_t) -@@ -241,6 +248,7 @@ ++corenet_all_recvfrom_unlabeled(auditd_t) ++corenet_all_recvfrom_netlabel(auditd_t) ++corenet_tcp_sendrecv_all_if(auditd_t) ++corenet_tcp_sendrecv_all_nodes(auditd_t) ++corenet_tcp_sendrecv_all_ports(auditd_t) ++corenet_tcp_bind_all_nodes(auditd_t) ++corenet_tcp_bind_audit_port(auditd_t) ++ + # Needs to be able to run dispatcher. see /etc/audit/auditd.conf + # Probably want a transition, and a new auditd_helper app + corecmd_exec_bin(auditd_t) +@@ -241,6 +257,7 @@ corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_all_if(audisp_remote_t) corenet_tcp_sendrecv_all_nodes(audisp_remote_t) 
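Review bot: `corenet_tcp_sendrecv_all_ports(auditd_t)` is broader than the listener the same block sets up with `corenet_tcp_bind_audit_port(auditd_t)`; the per-port sendrecv interface generated for the audit port would cover that listener without allowing traffic on every labelled port. `corenet_all_recvfrom_unlabeled(auditd_t)` and `corenet_all_recvfrom_netlabel(auditd_t)` additionally accept packets regardless of peer label, which is worth a conscious decision for a daemon that receives audit records from remote hosts. A comment above the new block naming the feature it supports (remote audit reception on the audit port, as the bind line suggests) would let a later reviewer judge whether all-ports is still needed; the added `allow auditd_t self:tcp_socket create_stream_socket_perms;` in the earlier inner hunk belongs to the same feature and could carry the same comment.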
@@ -31625,7 +31724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/system/selinuxutil.te 2008-09-12 10:59:29.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/system/selinuxutil.te 2008-09-15 11:59:39.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -31708,17 +31807,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -347,6 +351,9 @@ +@@ -347,6 +351,8 @@ seutil_libselinux_linked(restorecond_t) -+userdom_read_all_users_home_dirs_symlinks(restorecond_t) +userdom_read_all_users_home_content_symlinks(restorecond_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -365,7 +372,7 @@ +@@ -365,7 +371,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -31727,7 +31825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -396,7 +403,6 @@ +@@ -396,7 +402,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -31735,7 +31833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -435,64 +441,22 @@ +@@ -435,64 +440,22 @@ # semodule local policy # 
@@ -31808,7 +31906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -501,12 +465,27 @@ +@@ -501,12 +464,27 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -31836,7 +31934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -514,121 +493,42 @@ +@@ -514,121 +492,42 @@ # Handle pp files created in homedir and /tmp sysadm_read_home_content_files(semanage_t) sysadm_read_tmp_files(semanage_t) @@ -33142,7 +33240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-12 10:59:29.000000000 -0400 ++++ serefpolicy-3.5.8/policy/modules/system/userdomain.if 2008-09-15 11:58:54.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -36115,7 +36213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.5.8/policy/support/file_patterns.spt --- nsaserefpolicy/policy/support/file_patterns.spt 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.8/policy/support/file_patterns.spt 2008-09-12 10:59:29.000000000 -0400 ++++ serefpolicy-3.5.8/policy/support/file_patterns.spt 2008-09-16 09:08:28.000000000 -0400 @@ -537,3 +537,18 @@ allow $1 $2:dir rw_dir_perms; type_transition $1 $2:$4 $3;