2008-02-20 18:30:31 +00:00 · 2008-02-20 18:30:31 +00:00 · e5acebe58c
commit e5acebe58c
parent 306393505f
2 changed files with 122 additions and 86 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -1,3 +1,13 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.2.8/Changelog
+--- nsaserefpolicy/Changelog	2008-02-19 17:24:26.000000000 -0500
+++ serefpolicy-3.2.8/Changelog	2008-02-18 14:31:09.000000000 -0500
+@@ -1,6 +1,3 @@
+-- Pam and samba updates from Stefan Schulze Frielinghaus.
+-- Backup update on Debian from Vaclav Ovsik.
+-- Cracklib update on Debian from Vaclav Ovsik.
+ - Label /proc/kallsyms with system_map_t.
+ - 64-bit capabilities from Stephen Smalley.
+ - Labeled networking peer object class updates.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.8/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.2.8/config/appconfig-mcs/failsafe_context	2008-02-18 14:57:04.000000000 -0500
@ -670,7 +680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
 -allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.8/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te	2007-12-19 05:32:18.000000000 -0500
+--- nsaserefpolicy/policy/modules/admin/logrotate.te	2008-02-19 17:24:26.000000000 -0500
 +++ serefpolicy-3.2.8/policy/modules/admin/logrotate.te	2008-02-18 14:57:04.000000000 -0500
@@ -96,9 +96,11 @@
 files_read_etc_files(logrotate_t)
@ -807,7 +817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.8/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-3.2.8/policy/modules/admin/rpm.fc	2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/admin/rpm.fc	2008-02-20 12:09:50.000000000 -0500
@@ -11,6 +11,7 @@
 
 /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
@ -826,9 +836,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
 ')
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+@@ -29,6 +33,7 @@
+ 
+ /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+ /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
+ 
+ # SuSE
+ ifdef(`distro_suse', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.8/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.8/policy/modules/admin/rpm.if	2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/admin/rpm.if	2008-02-20 12:09:57.000000000 -0500
@@ -152,6 +152,24 @@
 
 ########################################
@ -937,7 +955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ')
 
 ########################################
-@@ -289,3 +368,137 @@
+@@ -289,3 +368,157 @@
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
@ -1075,10 +1093,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +
 +	role_transition $1 rpm_exec_t system_r;
 +')
+
+########################################
+## <summary>
+##	Do not audit attempts to write, and delete the 
+##	RPM var run files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_write_pid_files',`
+	gen_require(`
+		type rpm_var_run_t;
+	')
+
+	dontaudit $1 rpm_var_run_t:file write_file_perms;
+')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.8/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.2.8/policy/modules/admin/rpm.te	2008-02-18 14:57:04.000000000 -0500
-@@ -179,7 +179,17 @@
+++ serefpolicy-3.2.8/policy/modules/admin/rpm.te	2008-02-20 12:10:32.000000000 -0500
+@@ -31,6 +31,9 @@
+ files_type(rpm_var_lib_t)
+ typealias rpm_var_lib_t alias var_lib_rpm_t;
+ 
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+
+ type rpm_script_t;
+ type rpm_script_exec_t;
+ domain_obj_id_change_exemption(rpm_script_t)
+@@ -89,6 +92,9 @@
+ manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t)
+ files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
+ 
+manage_files_pattern(rpm_t,rpm_var_run_t,rpm_var_run_t)
+files_pid_filetrans(rpm_t,rpm_var_run_t, file)
+
+ kernel_read_system_state(rpm_t)
+ kernel_read_kernel_sysctls(rpm_t)
+ 
+@@ -179,7 +185,17 @@
 ')
 
 optional_policy(`
@ -1097,7 +1155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 ')
 
 optional_policy(`
-@@ -190,6 +200,7 @@
+@@ -190,6 +206,7 @@
 	unconfined_domain(rpm_t)
 	# yum-updatesd requires this
 	unconfined_dbus_chat(rpm_t)
@ -1105,7 +1163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 ')
 
 ifdef(`TODO',`
-@@ -216,7 +227,7 @@
+@@ -216,7 +233,7 @@
 #
 
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
@ -1114,7 +1172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_fifo_file_perms;
 allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -317,6 +328,7 @@
+@@ -317,6 +334,7 @@
 seutil_domtrans_loadpolicy(rpm_script_t)
 seutil_domtrans_setfiles(rpm_script_t)
 seutil_domtrans_semanage(rpm_script_t)
@ -1122,7 +1180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 
 userdom_use_all_users_fds(rpm_script_t)
 
-@@ -342,6 +354,7 @@
+@@ -342,6 +360,7 @@
 optional_policy(`
 	unconfined_domain(rpm_script_t)
 	unconfined_domtrans(rpm_script_t)
@ -1384,7 +1442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
 ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.8/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2007-12-19 05:32:18.000000000 -0500
+--- nsaserefpolicy/policy/modules/admin/usermanage.te	2008-02-19 17:24:26.000000000 -0500
 +++ serefpolicy-3.2.8/policy/modules/admin/usermanage.te	2008-02-18 14:57:04.000000000 -0500
@@ -97,6 +97,7 @@
 
@ -1394,7 +1452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
 
 domain_use_interactive_fds(chfn_t)
 
-@@ -290,6 +291,7 @@
+@@ -297,6 +291,7 @@
 term_use_all_user_ttys(passwd_t)
 term_use_all_user_ptys(passwd_t)
 
@ -1402,7 +1460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
-@@ -309,6 +311,7 @@
+@@ -316,6 +311,7 @@
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
@ -1410,7 +1468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
 
 libs_use_ld_so(passwd_t)
 libs_use_shared_libs(passwd_t)
-@@ -518,6 +521,12 @@
+@@ -525,6 +521,12 @@
 ')
 
 optional_policy(`
@ -4657,7 +4715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.8/policy/modules/kernel/corecommands.fc	2008-02-19 09:58:42.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/corecommands.fc	2008-02-20 12:49:07.000000000 -0500
@@ -7,11 +7,11 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -4714,7 +4772,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -185,8 +192,12 @@
+@@ -178,6 +185,8 @@
+ /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/libsexec/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
+
+ /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
+@@ -185,8 +194,12 @@
 /usr/local/Brother(/.*)?/lpd(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
@ -4727,7 +4794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +295,10 @@
+@@ -284,3 +297,10 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -4945,7 +5012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.8/policy/modules/kernel/devices.if	2008-02-19 10:51:36.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/devices.if	2008-02-20 08:53:01.000000000 -0500
@@ -65,7 +65,7 @@
 
 	relabelfrom_dirs_pattern($1,device_t,device_node)
@ -5194,7 +5261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.8/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.8/policy/modules/kernel/devices.te	2008-02-19 10:49:19.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/devices.te	2008-02-20 08:52:43.000000000 -0500
@@ -32,6 +32,12 @@
 type apm_bios_t;
 dev_node(apm_bios_t)
@ -5236,7 +5303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.8/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.8/policy/modules/kernel/domain.te	2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/kernel/domain.te	2008-02-20 12:07:20.000000000 -0500
@@ -5,6 +5,13 @@
 #
 # Declarations
@ -5268,7 +5335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 
 # act on all domains keys
-@@ -148,3 +156,26 @@
+@@ -148,3 +156,27 @@
 
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -5285,6 +5352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +optional_policy(`
 +	rpm_rw_pipes(domain)
 +	rpm_dontaudit_use_script_fds(domain)
+	rpm_dontaudit_write_pid_files(domain)
 +')
 +
 +optional_policy(`
@ -7292,7 +7360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.8/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.8/policy/modules/services/automount.te	2008-02-19 10:52:07.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/automount.te	2008-02-20 08:53:39.000000000 -0500
@@ -20,6 +20,9 @@
 files_tmp_file(automount_tmp_t)
 files_mountpoint(automount_tmp_t)
@ -7330,14 +7398,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 
 fs_mount_all_fs(automount_t)
 fs_unmount_all_fs(automount_t)
-@@ -101,6 +104,7 @@
+@@ -98,6 +101,7 @@
+ corenet_udp_bind_all_rpc_ports(automount_t)
+ 
+ dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
 # for SSP
 dev_read_rand(automount_t)
 dev_read_urand(automount_t)
-+dev_rw_autofs(automount_t)
- 
- domain_use_interactive_fds(automount_t)
- domain_dontaudit_read_all_domains_state(automount_t)
@@ -126,8 +130,12 @@
 fs_mount_autofs(automount_t)
 fs_manage_autofs_symlinks(automount_t)
@ -12800,6 +12868,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
 ')
 
 ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.2.8/policy/modules/services/mailman.fc
+--- nsaserefpolicy/policy/modules/services/mailman.fc	2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/mailman.fc	2008-02-20 08:16:48.000000000 -0500
+@@ -31,3 +31,4 @@
+ /var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
+ /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
+ ')
+/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.8/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2007-12-04 11:02:50.000000000 -0500
 +++ serefpolicy-3.2.8/policy/modules/services/mailman.if	2008-02-18 14:57:04.000000000 -0500
@ -12839,7 +12915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.8/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.8/policy/modules/services/mailman.te	2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/mailman.te	2008-02-20 08:52:15.000000000 -0500
@@ -53,10 +53,9 @@
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
@ -12853,7 +12929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 ')
 
 ########################################
-@@ -65,6 +64,11 @@
+@@ -65,8 +64,14 @@
 #
 
 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@ -12864,7 +12940,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 +files_search_spool(mailman_mail_t)
 
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
 
+ ifdef(`TODO',`
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.8/policy/modules/services/mailscanner.fc
 --- nsaserefpolicy/policy/modules/services/mailscanner.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.8/policy/modules/services/mailscanner.fc	2008-02-18 14:57:04.000000000 -0500
@ -12945,7 +13024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.8/policy/modules/services/mta.if	2008-02-18 14:57:04.000000000 -0500
+++ serefpolicy-3.2.8/policy/modules/services/mta.if	2008-02-20 08:15:06.000000000 -0500
@@ -133,6 +133,12 @@
 		sendmail_create_log($1_mail_t)
 	')
@ -17802,41 +17881,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2007-12-19 05:32:17.000000000 -0500
+--- nsaserefpolicy/policy/modules/services/samba.te	2008-02-19 17:24:26.000000000 -0500
 +++ serefpolicy-3.2.8/policy/modules/services/samba.te	2008-02-18 14:57:04.000000000 -0500
-@@ -26,28 +26,28 @@
- 
- ## <desc>
- ## <p>
-## Allow samba to share users home directories.
-+## Allow Samba to share users home directories
- ## </p>
- ## </desc>
- gen_tunable(samba_enable_home_dirs,false)
- 
- ## <desc>
- ## <p>
-## Allow samba to share any file/directory read only.
-+## Allow Samba to share any file/directory read only
- ## </p>
- ## </desc>
- gen_tunable(samba_export_all_ro,false)
- 
- ## <desc>
- ## <p>
-## Allow samba to share any file/directory read/write.
-+## Allow Samba to share any file/directory read/write
- ## </p>
- ## </desc>
- gen_tunable(samba_export_all_rw,false)
- 
- ## <desc>
- ## <p>
-## Allow samba to run unconfined scripts
-+## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory
- ## </p>
- ## </desc>
- gen_tunable(samba_run_unconfined,false)
@@ -59,6 +59,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs,false)
@ -17905,11 +17951,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
 
 -create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-create_files_pattern(smbd_t,samba_log_t,samba_log_t)
+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
+ manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
 -allow smbd_t samba_log_t:dir setattr;
 -dontaudit smbd_t samba_log_t:dir remove_name;
-+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-+manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
 
 allow smbd_t samba_net_tmp_t:file getattr;
 
@ -22073,15 +22118,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
 #
 # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc	2007-12-12 11:35:28.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/authlogin.fc	2008-02-19 17:24:26.000000000 -0500
 +++ serefpolicy-3.2.8/policy/modules/system/authlogin.fc	2008-02-18 14:57:04.000000000 -0500
-@@ -40,5 +40,10 @@
+@@ -40,6 +40,10 @@
 /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
 
 /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
-+/var/run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
+-
+ /var/run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 +/var/run/sepermit(/.*)?	 	gen_context(system_u:object_r:pam_var_run_t,s0)
- 
+
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 +/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 +
@ -22260,7 +22306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-06 10:33:22.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-19 17:24:26.000000000 -0500
 +++ serefpolicy-3.2.8/policy/modules/system/authlogin.te	2008-02-18 14:57:04.000000000 -0500
@@ -59,6 +59,9 @@
 type utempter_exec_t;
@ -22307,18 +22353,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 
 auth_manage_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)
-@@ -359,11 +373,6 @@
- ')
- 
- optional_policy(`
-	# Allow utemper to write to /tmp/.xses-*
-	unconfined_write_tmp_files(utempter_t)
-')
-
-optional_policy(`
- 	xserver_use_xdm_fds(utempter_t)
- 	xserver_rw_xdm_pipes(utempter_t)
- ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.8/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2007-09-26 12:15:01.000000000 -0400
 +++ serefpolicy-3.2.8/policy/modules/system/fstools.fc	2008-02-18 14:57:04.000000000 -0500
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -16,8 +16,8 @@
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.2.8
-Release: 2%{?dist}
+Version: 3.2.9
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,8 @@ exit 0
 %endif

 %changelog
+* Wed Feb 20 2008 Dan Walsh <dwalsh@redhat.com> 3.2.9-1
+
 * Tue Feb 19 2008 Dan Walsh <dwalsh@redhat.com> 3.2.8-2
 - Fix userdom_list_user_files