diff --git a/modules-minimum.conf b/modules-minimum.conf
index f017e022..51b4aa3e 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -46,6 +46,13 @@ awstats = module
#
amanda = module
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
# Layer: services
# Module: amavis
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f017e022..51b4aa3e 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -46,6 +46,13 @@ awstats = module
#
amanda = module
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
# Layer: services
# Module: amavis
#
diff --git a/policy-20081111.patch b/policy-20081111.patch
index d522cbaa..c16f2303 100644
--- a/policy-20081111.patch
+++ b/policy-20081111.patch
@@ -1819,8 +1819,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.1/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/apps/java.if 2008-11-25 09:45:43.000000000 -0500
-@@ -68,3 +68,96 @@
++++ serefpolicy-3.6.1/policy/modules/apps/java.if 2008-12-11 09:33:36.000000000 -0500
+@@ -68,3 +68,121 @@
domtrans_pattern($1, java_exec_t, unconfined_java_t)
corecmd_search_bin($1)
')
@@ -1852,6 +1852,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
++## Execute java in the unconfined java domain, and
++## allow the specified role the unconfined java domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to be allowed the java domain.
++##
++##
++#
++interface(`java_run_unconfined',`
++ gen_require(`
++ type unconfined_java_t;
++ ')
++
++ java_domtrans_unconfined($1)
++ role $2 types unconfined_java_t;
++')
++
++########################################
++##
+## Execute the java program in the java domain.
+##
+##
@@ -4786,7 +4811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## all protocols (TCP, UDP, etc)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.1/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-03 15:24:41.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/kernel/domain.te 2008-12-11 09:54:03.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@@ -4810,7 +4835,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
-@@ -118,6 +127,7 @@
+@@ -106,6 +115,10 @@
+ ')
+
+ optional_policy(`
++ afs_rw_cache(domain)
++')
++
++optional_policy(`
+ libs_use_ld_so(domain)
+ libs_use_shared_libs(domain)
+ ')
+@@ -118,6 +131,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -4818,7 +4854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -136,6 +146,9 @@
+@@ -136,6 +150,9 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -4828,7 +4864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -145,7 +158,7 @@
+@@ -145,7 +162,7 @@
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -4837,7 +4873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
-@@ -153,3 +166,39 @@
+@@ -153,3 +170,39 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -4879,8 +4915,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.1/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/kernel/files.fc 2008-11-25 09:45:43.000000000 -0500
-@@ -32,6 +32,7 @@
++++ serefpolicy-3.6.1/policy/modules/kernel/files.fc 2008-12-11 09:47:36.000000000 -0500
+@@ -8,6 +8,8 @@
+ /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
+ /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
+
++/afs -d gen_context(system_u:object_r:mnt_t,s0)
++
+ ifdef(`distro_redhat',`
+ /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -32,6 +34,7 @@
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/boot/lost\+found/.* <>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
@@ -4888,7 +4933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /emul
-@@ -49,6 +50,7 @@
+@@ -49,6 +52,7 @@
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -7475,6 +7520,211 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+')
+gen_user(xguest_u, user, xguest_r, s0, s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.1/policy/modules/services/afs.fc
+--- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.1/policy/modules/services/afs.fc 2008-12-11 09:47:41.000000000 -0500
+@@ -1,3 +1,6 @@
++/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_script_exec_t,s0)
++/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_script_exec_t,s0)
++
+ /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+ /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+ /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
+@@ -17,6 +20,13 @@
+
+ /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
+
++/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
++
+ /vicepa gen_context(system_u:object_r:afs_files_t,s0)
+ /vicepb gen_context(system_u:object_r:afs_files_t,s0)
+ /vicepc gen_context(system_u:object_r:afs_files_t,s0)
++
++
++/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
++
++/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.1/policy/modules/services/afs.if
+--- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.1/policy/modules/services/afs.if 2008-12-11 09:59:32.000000000 -0500
+@@ -1 +1,110 @@
+ ## Andrew Filesystem server
++
++########################################
++##
++## Execute a domain transition to run afs.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`afs_domtrans',`
++ gen_require(`
++ type afs_t;
++ type afs_exec_t;
++ ')
++
++ domtrans_pattern($1,afs_exec_t,afs_t)
++')
++
++
++########################################
++##
++## Read and write afs UDP sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`afs_rw_udp_sockets',`
++ gen_require(`
++ type afs_t;
++ ')
++
++ allow $1 afs_t:udp_socket { read write };
++')
++
++########################################
++##
++## read/write afs cache files
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`afs_rw_cache',`
++ gen_require(`
++ type afs_cache_t;
++ ')
++
++ allow $1 afs_cache_t:file {read write};
++')
++
++
++########################################
++##
++## Execute afs server in the afs domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`afs_script_domtrans',`
++ gen_require(`
++ type afs_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,afs_script_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an afs environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the afs domain.
++##
++##
++##
++#
++interface(`afs_admin',`
++ gen_require(`
++ type afs_t;
++ type afs_script_exec_t;
++ ')
++
++ allow $1 afs_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, afs_t, afs_t)
++
++ # Allow afs_t to restart the apache service
++ afs_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 afs_script_exec_t system_r;
++ allow $2 system_r;
++
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.1/policy/modules/services/afs.te
+--- nsaserefpolicy/policy/modules/services/afs.te 2008-11-11 16:13:46.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/afs.te 2008-12-11 09:58:19.000000000 -0500
+@@ -6,6 +6,16 @@
+ # Declarations
+ #
+
++type afs_t;
++type afs_exec_t;
++init_daemon_domain(afs_t, afs_exec_t)
++
++type afs_script_exec_t;
++init_script_file(afs_script_exec_t)
++
++type afs_cache_t;
++files_type(afs_cache_t)
++
+ type afs_bosserver_t;
+ type afs_bosserver_exec_t;
+ init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)
+@@ -302,3 +312,46 @@
+ sysnet_read_config(afs_vlserver_t)
+
+ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
++
++########################################
++#
++# afs local policy
++#
++
++allow afs_t self:capability { sys_nice sys_tty_config };
++allow afs_t self:process setsched;
++allow afs_t self:udp_socket create_socket_perms;
++allow afs_t self:fifo_file rw_file_perms;
++allow afs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(afs_t,afs_cache_t,afs_cache_t)
++manage_dirs_pattern(afs_t,afs_cache_t,afs_cache_t)
++files_var_filetrans(afs_t,afs_cache_t,{file dir})
++
++files_mounton_mnt(afs_t)
++files_read_etc_files(afs_t)
++files_rw_etc_runtime_files(afs_t)
++
++fs_getattr_xattr_fs(afs_t)
++fs_mount_nfs(afs_t)
++
++kernel_rw_afs_state(afs_t)
++
++# Init script handling
++domain_use_interactive_fds(afs_t)
++
++corenet_all_recvfrom_unlabeled(afs_t)
++corenet_all_recvfrom_netlabel(afs_t)
++corenet_tcp_sendrecv_generic_if(afs_t)
++corenet_udp_sendrecv_generic_if(afs_t)
++corenet_tcp_sendrecv_all_nodes(afs_t)
++corenet_udp_sendrecv_all_nodes(afs_t)
++corenet_tcp_sendrecv_all_ports(afs_t)
++corenet_udp_sendrecv_all_ports(afs_t)
++corenet_udp_bind_all_nodes(afs_t)
++
++miscfiles_read_localization(afs_t)
++
++logging_send_syslog_msg(afs_t)
++
++permissive afs_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.1/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-11-25 09:45:43.000000000 -0500
@@ -9639,7 +9889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.1/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/cron.fc 2008-12-09 14:38:32.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/cron.fc 2008-12-10 11:57:27.000000000 -0500
@@ -17,9 +17,9 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -9669,7 +9919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.1/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/cron.if 2008-12-09 14:23:55.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/cron.if 2008-12-10 10:08:50.000000000 -0500
@@ -12,6 +12,10 @@
##
#
@@ -9694,21 +9944,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_t $1_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_t,$1_tmp_t,file)
-@@ -58,6 +66,13 @@
+@@ -58,6 +66,12 @@
files_dontaudit_search_pids($1_t)
logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
+ logging_set_loginuid($1_t)
-+
+ auth_domtrans_chk_passwd($1_t)
-+ init_dontaudit_write_utmp($1_t)
+
++ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
miscfiles_read_localization($1_t)
-@@ -343,6 +358,24 @@
+@@ -343,6 +357,24 @@
########################################
##
@@ -9733,7 +9982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write a cron daemon unnamed pipe.
##
##
-@@ -361,7 +394,7 @@
+@@ -361,7 +393,7 @@
########################################
##
@@ -9742,7 +9991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -369,7 +402,7 @@
+@@ -369,7 +401,7 @@
##
##
#
@@ -9751,7 +10000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
gen_require(`
type crond_t;
')
-@@ -481,11 +514,14 @@
+@@ -481,11 +513,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -9767,7 +10016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -506,3 +542,83 @@
+@@ -506,3 +541,83 @@
dontaudit $1 system_cronjob_tmp_t:file append;
')
@@ -9853,7 +10102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.1/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-12-09 14:21:58.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/cron.te 2008-12-10 10:05:12.000000000 -0500
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10081,7 +10330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -469,17 +529,11 @@
+@@ -469,24 +529,17 @@
')
optional_policy(`
@@ -10102,6 +10351,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
+ # User cronjobs local policy
+ #
+
+-allow cronjob_t self:capability dac_override;
+ allow cronjob_t self:process { signal_perms setsched };
+ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+ allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.1/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.1/policy/modules/services/cups.fc 2008-11-25 09:45:43.000000000 -0500
@@ -13420,7 +13676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.1/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if 2008-11-25 09:45:43.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/services/networkmanager.if 2008-12-11 09:54:36.000000000 -0500
@@ -118,6 +118,24 @@
########################################
@@ -21837,7 +22093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-08 15:05:18.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-11 09:57:10.000000000 -0500
@@ -43,6 +43,7 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -21882,7 +22138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_rw_utmp($1)
-@@ -100,8 +117,40 @@
+@@ -100,8 +117,44 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -21892,6 +22148,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ userdom_search_admin_dir($1)
+
+ optional_policy(`
++ afs_rw_udp_sockets($1)
++ ')
++
++ optional_policy(`
+ dbus_system_bus_client($1)
+ optional_policy(`
+ oddjob_dbus_chat($1)
@@ -21923,7 +22183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -197,8 +246,11 @@
+@@ -197,8 +250,11 @@
interface(`auth_domtrans_chk_passwd',`
gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t;
@@ -21935,7 +22195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
-@@ -207,19 +259,16 @@
+@@ -207,19 +263,16 @@
dev_read_rand($1)
dev_read_urand($1)
@@ -21960,7 +22220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -230,6 +279,29 @@
+@@ -230,6 +283,29 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -21990,7 +22250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -254,6 +326,7 @@
+@@ -254,6 +330,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -21998,7 +22258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1031,6 +1104,32 @@
+@@ -1031,6 +1108,32 @@
########################################
##
@@ -22031,7 +22291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
-@@ -1297,6 +1396,10 @@
+@@ -1297,6 +1400,10 @@
')
optional_policy(`
@@ -22042,7 +22302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nis_use_ypbind($1)
')
-@@ -1307,6 +1410,7 @@
+@@ -1307,6 +1414,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@@ -22050,7 +22310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -1341,3 +1445,80 @@
+@@ -1341,3 +1449,80 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -25451,7 +25711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-03 14:30:00.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-11 09:33:53.000000000 -0500
@@ -6,35 +6,76 @@
# Declarations
#
@@ -25603,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -119,7 +185,7 @@
+@@ -119,31 +185,33 @@
')
optional_policy(`
@@ -25612,7 +25872,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -127,23 +193,25 @@
+- java_domtrans_unconfined(unconfined_t)
++ java_run_unconfined(unconfined_t, unconfined_r)
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d2ba853d..76d3058d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.1
-Release: 9%{?dist}
+Release: 10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@ exit 0
%endif
%changelog
+* Thu Dec 11 2008 Dan Walsh 3.6.1-10
+- Allow unconfined_r unconfined_java_t
+
* Tue Dec 9 2008 Dan Walsh 3.6.1-9
- Add cron_role back to user domains