- Allow unconfined_r unconfined_java_t

Daniel J Walsh 2008-12-11 15:21:57 +00:00
parent b88015a75b
commit dcd0c96f34
4 changed files with 315 additions and 37 deletions


@ -46,6 +46,13 @@ awstats = module
#
amanda = module
# Layer: services
# Module: afs
#
# Andrew Filesystem server
#
afs = module
# Layer: services
# Module: amavis
#


@ -46,6 +46,13 @@ awstats = module
#
amanda = module
# Layer: services
# Module: afs
#
# Andrew Filesystem server
#
afs = module
# Layer: services
# Module: amavis
#


@ -1819,8 +1819,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.1/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/java.if 2008-11-25 09:45:43.000000000 -0500
@@ -68,3 +68,96 @@
+++ serefpolicy-3.6.1/policy/modules/apps/java.if 2008-12-11 09:33:36.000000000 -0500
@@ -68,3 +68,121 @@
domtrans_pattern($1, java_exec_t, unconfined_java_t)
corecmd_search_bin($1)
')
@ -1852,6 +1852,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
+## Execute java in the unconfined java domain, and
+## allow the specified role the unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the java domain.
+## </summary>
+## </param>
+#
+interface(`java_run_unconfined',`
+ gen_require(`
+ type unconfined_java_t;
+ ')
+
+ java_domtrans_unconfined($1)
+ role $2 types unconfined_java_t;
+')
+
+########################################
+## <summary>
+## Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
@ -4786,7 +4811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## all protocols (TCP, UDP, etc)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.1/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-11-11 16:13:41.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-03 15:24:41.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-11 09:54:03.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@ -4810,7 +4835,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
@@ -118,6 +127,7 @@
@@ -106,6 +115,10 @@
')
optional_policy(`
+ afs_rw_cache(domain)
+')
+
+optional_policy(`
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
')
@@ -118,6 +131,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@ -4818,7 +4854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -136,6 +146,9 @@
@@ -136,6 +150,9 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@ -4828,7 +4864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -145,7 +158,7 @@
@@ -145,7 +162,7 @@
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@ -4837,7 +4873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
@@ -153,3 +166,39 @@
@@ -153,3 +170,39 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -4879,8 +4915,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.1/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2008-11-11 16:13:41.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/kernel/files.fc 2008-11-25 09:45:43.000000000 -0500
@@ -32,6 +32,7 @@
+++ serefpolicy-3.6.1/policy/modules/kernel/files.fc 2008-12-11 09:47:36.000000000 -0500
@@ -8,6 +8,8 @@
/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
+/afs -d gen_context(system_u:object_r:mnt_t,s0)
+
ifdef(`distro_redhat',`
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -32,6 +34,7 @@
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
@ -4888,7 +4933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /emul
@@ -49,6 +50,7 @@
@@ -49,6 +52,7 @@
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@ -7475,6 +7520,211 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+')
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.1/policy/modules/services/afs.fc
--- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.1/policy/modules/services/afs.fc 2008-12-11 09:47:41.000000000 -0500
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_script_exec_t,s0)
+/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_script_exec_t,s0)
+
/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
@@ -17,6 +20,13 @@
/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
/vicepa gen_context(system_u:object_r:afs_files_t,s0)
/vicepb gen_context(system_u:object_r:afs_files_t,s0)
/vicepc gen_context(system_u:object_r:afs_files_t,s0)
+
+
+/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
+
+/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.1/policy/modules/services/afs.if
--- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.1/policy/modules/services/afs.if 2008-12-11 09:59:32.000000000 -0500
@@ -1 +1,110 @@
## <summary>Andrew Filesystem server</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run afs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_domtrans',`
+ gen_require(`
+ type afs_t;
+ type afs_exec_t;
+ ')
+
+ domtrans_pattern($1,afs_exec_t,afs_t)
+')
+
+
+########################################
+## <summary>
+## Read and write afs UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`afs_rw_udp_sockets',`
+ gen_require(`
+ type afs_t;
+ ')
+
+ allow $1 afs_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## read/write afs cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`afs_rw_cache',`
+ gen_require(`
+ type afs_cache_t;
+ ')
+
+ allow $1 afs_cache_t:file {read write};
+')
+
+
+########################################
+## <summary>
+## Execute afs server in the afs domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`afs_script_domtrans',`
+ gen_require(`
+ type afs_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,afs_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an afs environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the afs domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`afs_admin',`
+ gen_require(`
+ type afs_t;
+ type afs_script_exec_t;
+ ')
+
+ allow $1 afs_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, afs_t, afs_t)
+
+ # Allow afs_t to restart the apache service
+ afs_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 afs_script_exec_t system_r;
+ allow $2 system_r;
+
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.1/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/afs.te 2008-12-11 09:58:19.000000000 -0500
@@ -6,6 +6,16 @@
# Declarations
#
+type afs_t;
+type afs_exec_t;
+init_daemon_domain(afs_t, afs_exec_t)
+
+type afs_script_exec_t;
+init_script_file(afs_script_exec_t)
+
+type afs_cache_t;
+files_type(afs_cache_t)
+
type afs_bosserver_t;
type afs_bosserver_exec_t;
init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)
@@ -302,3 +312,46 @@
sysnet_read_config(afs_vlserver_t)
userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+
+########################################
+#
+# afs local policy
+#
+
+allow afs_t self:capability { sys_nice sys_tty_config };
+allow afs_t self:process setsched;
+allow afs_t self:udp_socket create_socket_perms;
+allow afs_t self:fifo_file rw_file_perms;
+allow afs_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(afs_t,afs_cache_t,afs_cache_t)
+manage_dirs_pattern(afs_t,afs_cache_t,afs_cache_t)
+files_var_filetrans(afs_t,afs_cache_t,{file dir})
+
+files_mounton_mnt(afs_t)
+files_read_etc_files(afs_t)
+files_rw_etc_runtime_files(afs_t)
+
+fs_getattr_xattr_fs(afs_t)
+fs_mount_nfs(afs_t)
+
+kernel_rw_afs_state(afs_t)
+
+# Init script handling
+domain_use_interactive_fds(afs_t)
+
+corenet_all_recvfrom_unlabeled(afs_t)
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_all_nodes(afs_t)
+corenet_udp_sendrecv_all_nodes(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_all_nodes(afs_t)
+
+miscfiles_read_localization(afs_t)
+
+logging_send_syslog_msg(afs_t)
+
+permissive afs_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.1/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-11-25 09:45:43.000000000 -0500
@ -9639,7 +9889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.1/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/cron.fc 2008-12-09 14:38:32.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/cron.fc 2008-12-10 11:57:27.000000000 -0500
@@ -17,9 +17,9 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@ -9669,7 +9919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.1/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/cron.if 2008-12-09 14:23:55.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/cron.if 2008-12-10 10:08:50.000000000 -0500
@@ -12,6 +12,10 @@
## </param>
#
@ -9694,21 +9944,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_t $1_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_t,$1_tmp_t,file)
@@ -58,6 +66,13 @@
@@ -58,6 +66,12 @@
files_dontaudit_search_pids($1_t)
logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
+
+ auth_domtrans_chk_passwd($1_t)
+ init_dontaudit_write_utmp($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
miscfiles_read_localization($1_t)
@@ -343,6 +358,24 @@
@@ -343,6 +357,24 @@
########################################
## <summary>
@ -9733,7 +9982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
@@ -361,7 +394,7 @@
@@ -361,7 +393,7 @@
########################################
## <summary>
@ -9742,7 +9991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -369,7 +402,7 @@
@@ -369,7 +401,7 @@
## </summary>
## </param>
#
@ -9751,7 +10000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
gen_require(`
type crond_t;
')
@@ -481,11 +514,14 @@
@@ -481,11 +513,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@ -9767,7 +10016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -506,3 +542,83 @@
@@ -506,3 +541,83 @@
dontaudit $1 system_cronjob_tmp_t:file append;
')
@ -9853,7 +10102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.1/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-12-09 14:21:58.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-12-10 10:05:12.000000000 -0500
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@ -10081,7 +10330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -469,17 +529,11 @@
@@ -469,24 +529,17 @@
')
optional_policy(`
@ -10102,6 +10351,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# User cronjobs local policy
#
-allow cronjob_t self:capability dac_override;
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.1/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.1/policy/modules/services/cups.fc 2008-11-25 09:45:43.000000000 -0500
@ -13420,7 +13676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.1/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if 2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if 2008-12-11 09:54:36.000000000 -0500
@@ -118,6 +118,24 @@
########################################
@ -21837,7 +22093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-08 15:05:18.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-11 09:57:10.000000000 -0500
@@ -43,6 +43,7 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@ -21882,7 +22138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_rw_utmp($1)
@@ -100,8 +117,40 @@
@@ -100,8 +117,44 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@ -21892,6 +22148,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ userdom_search_admin_dir($1)
+
+ optional_policy(`
+ afs_rw_udp_sockets($1)
+ ')
+
+ optional_policy(`
+ dbus_system_bus_client($1)
+ optional_policy(`
+ oddjob_dbus_chat($1)
@ -21923,7 +22183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -197,8 +246,11 @@
@@ -197,8 +250,11 @@
interface(`auth_domtrans_chk_passwd',`
gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t;
@ -21935,7 +22195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
@@ -207,19 +259,16 @@
@@ -207,19 +263,16 @@
dev_read_rand($1)
dev_read_urand($1)
@ -21960,7 +22220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -230,6 +279,29 @@
@@ -230,6 +283,29 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@ -21990,7 +22250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -254,6 +326,7 @@
@@ -254,6 +330,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@ -21998,7 +22258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1031,6 +1104,32 @@
@@ -1031,6 +1108,32 @@
########################################
## <summary>
@ -22031,7 +22291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
@@ -1297,6 +1396,10 @@
@@ -1297,6 +1400,10 @@
')
optional_policy(`
@ -22042,7 +22302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nis_use_ypbind($1)
')
@@ -1307,6 +1410,7 @@
@@ -1307,6 +1414,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@ -22050,7 +22310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -1341,3 +1445,80 @@
@@ -1341,3 +1449,80 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@ -25451,7 +25711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-03 14:30:00.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-11 09:33:53.000000000 -0500
@@ -6,35 +6,76 @@
# Declarations
#
@ -25603,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -119,7 +185,7 @@
@@ -119,31 +185,33 @@
')
optional_policy(`
@ -25612,7 +25872,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -127,23 +193,25 @@
- java_domtrans_unconfined(unconfined_t)
+ java_run_unconfined(unconfined_t, unconfined_r)
')
optional_policy(`
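Review bot: The `afs_rw_cache(domain)` call added to domain.te (the new `optional_policy` block in the `@@ -106,6 +115,10 @@` hunk) gives every domain `read write` on `afs_cache_t` files, so any confined domain can read or modify cached AFS file data. If this is needed because cache I/O runs in the context of whichever process touches /afs (an assumption, since the patch does not say), a comment such as `# AFS cache I/O happens in the calling process context` should record that; otherwise the grant should be limited to the domains that actually use AFS. The same change ends afs.te with `permissive afs_t;`, which leaves the new domain's rules logged but not enforced, and it should carry a comment saying when it will be dropped. Two comments in afs.if look like copy-paste leftovers: `afs_rw_cache` documents its parameter as "Domain allowed to transition." and `afs_admin` contains `# Allow afs_t to restart the apache service`.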


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.1
Release: 9%{?dist}
Release: 10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -446,6 +446,9 @@ exit 0
%endif
%changelog
* Thu Dec 11 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-10
- Allow unconfined_r unconfined_java_t
* Tue Dec 9 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-9
- Add cron_role back to user domains