- Update an readd modules

2007-08-27 21:43:05 +00:00 · 2007-08-27 21:43:05 +00:00 · e8b5993e52
parent 7f9951d4d3
commit e8b5993e52
5 changed files with 296 additions and 114 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -124,3 +124,4 @@ serefpolicy-3.0.3.tgz
 serefpolicy-3.0.4.tgz
 serefpolicy-3.0.5.tgz
 serefpolicy-3.0.6.tgz
+serefpolicy-3.0.7.tgz
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1298,10 +1298,17 @@ usernetctl = module
 # Layer: system
 # Module: xen
 #
-# TCP/IP encryption
+# virtualization software
 # 
 xen = base

+# Layer: system
+# Module: virt
+#
+# Virtualization libraries
+# 
+virt = base
+
 # Layer: system
 # Module: brctl
 #
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -313,7 +313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 +/sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.6/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/admin/alsa.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/alsa.te	2007-08-24 16:06:03.000000000 -0400
@@ -19,20 +19,24 @@
 # Local policy
 #
@ -342,7 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
-@@ -43,7 +47,14 @@
+@@ -43,7 +47,13 @@
 
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
@ -356,7 +356,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 +	hal_use_fds(alsa_t)
 +	hal_write_log(alsa_t)
 +')
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.6/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/admin/anaconda.te	2007-08-22 08:03:53.000000000 -0400
@ -389,6 +388,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
 ')
 
 optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.0.6/policy/modules/admin/certwatch.if
+--- nsaserefpolicy/policy/modules/admin/certwatch.if	2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/certwatch.if	2007-08-25 06:42:08.000000000 -0400
+@@ -44,7 +44,7 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`certwatach_run',`
+interface(`certwatch_run',`
+ 	gen_require(`
+ 		type certwatch_t;
+ 	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.6/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2007-08-22 07:14:14.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/admin/consoletype.te	2007-08-22 08:03:53.000000000 -0400
@ -1213,7 +1224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.6/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te	2007-08-24 16:33:17.000000000 -0400
@@ -32,4 +32,5 @@
 
 optional_policy(`
@ -1500,6 +1511,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 -
 type gconfd_exec_t;
 application_executable_file(gconfd_exec_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.6/policy/modules/apps/java.fc
+--- nsaserefpolicy/policy/modules/apps/java.fc	2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/apps/java.fc	2007-08-27 09:51:03.000000000 -0400
+@@ -11,6 +11,7 @@
+ #
+ /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.6/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-08-02 08:17:26.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/apps/java.if	2007-08-22 08:03:53.000000000 -0400
@ -2567,7 +2589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.6/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/kernel/files.if	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/files.if	2007-08-27 09:57:19.000000000 -0400
@@ -343,8 +343,7 @@
 
 ########################################
@ -2652,10 +2674,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	List the contents of the root directory.
 ## </summary>
 ## <param name="domain">
-@@ -3323,6 +3359,24 @@
+@@ -3323,6 +3359,42 @@
 
 ########################################
 ## <summary>
+##	dontaudit Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	dontaudit $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
 +##	Create, read, write, and delete files in the /usr directory.
 +## </summary>
 +## <param name="domain">
@ -2677,7 +2717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ##	Get the attributes of files in /usr.
 ## </summary>
 ## <param name="domain">
-@@ -3381,7 +3435,7 @@
+@@ -3381,7 +3453,7 @@
 
 ########################################
 ## <summary>
@ -2686,7 +2726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3389,17 +3443,17 @@
+@@ -3389,17 +3461,17 @@
 ##	</summary>
 ## </param>
 #
@ -2707,7 +2747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3407,12 +3461,12 @@
+@@ -3407,12 +3479,12 @@
 ##	</summary>
 ## </param>
 #
@ -2722,7 +2762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 
 ########################################
-@@ -4043,7 +4097,7 @@
+@@ -4043,7 +4115,7 @@
 		type var_t, var_lock_t;
 	')
 
@ -2731,7 +2771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 
 ########################################
-@@ -4560,6 +4614,8 @@
+@@ -4560,6 +4632,8 @@
 	# Need to give access to /selinux/member
 	selinux_compute_member($1)
 
@ -2740,7 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 	# Need sys_admin capability for mounting
 	allow $1 self:capability { chown fsetid sys_admin };
 
-@@ -4582,6 +4638,11 @@
+@@ -4582,6 +4656,11 @@
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
@ -2752,7 +2792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 ')
 
 ########################################
-@@ -4619,3 +4680,28 @@
+@@ -4619,3 +4698,28 @@
 
 	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
 ')
@ -2903,6 +2943,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +	rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.6/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/filesystem.te	2007-08-27 09:16:03.000000000 -0400
+@@ -80,6 +80,7 @@
+ type fusefs_t;
+ fs_noxattr_type(fusefs_t)
+ allow fusefs_t self:filesystem associate;
+allow fusefs_t fs_t:filesystem associate;
+ genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+ genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.6/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-08-22 07:14:06.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/kernel/kernel.if	2007-08-22 08:03:53.000000000 -0400
@ -3385,7 +3436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.6/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/apache.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/apache.te	2007-08-27 17:32:31.000000000 -0400
@@ -30,6 +30,13 @@
 
 ## <desc>
@ -3466,7 +3517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 # for apache2 memory mapped files
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
-@@ -202,7 +245,7 @@
+@@ -202,9 +245,11 @@
 # Apache server local policy
 #
 
@ -3474,8 +3525,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+dontaudit httpd_t self:process setfscreate;
+
 allow httpd_t self:fd use;
-@@ -244,6 +287,7 @@
+ allow httpd_t self:sock_file read_sock_file_perms;
+ allow httpd_t self:fifo_file rw_fifo_file_perms;
+@@ -244,6 +289,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
 read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@ -3483,7 +3538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -284,6 +328,7 @@
+@@ -284,6 +330,7 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@ -3491,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -330,6 +375,9 @@
+@@ -330,6 +377,9 @@
 files_read_var_lib_symlinks(httpd_t)
 
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -3501,7 +3556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
-@@ -348,7 +396,9 @@
+@@ -348,7 +398,9 @@
 
 userdom_use_unpriv_users_fds(httpd_t)
 
@ -3512,7 +3567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 
 tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
-@@ -360,6 +410,7 @@
+@@ -360,6 +412,7 @@
 #
 tunable_policy(`allow_httpd_mod_auth_pam',`
 	auth_domtrans_chk_passwd(httpd_t)
@ -3520,7 +3575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ')
 
-@@ -367,6 +418,16 @@
+@@ -367,6 +420,16 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
@ -3537,7 +3592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_can_network_connect_db',`
 	# allow httpd to connect to mysql/posgresql
 	corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +448,17 @@
+@@ -387,6 +450,17 @@
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
 
@ -3555,7 +3610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 
-@@ -404,11 +476,21 @@
+@@ -404,11 +478,21 @@
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
@ -3577,7 +3632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +512,12 @@
+@@ -430,6 +514,12 @@
 ')
 
 optional_policy(`
@ -3590,7 +3645,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	calamaris_read_www_files(httpd_t)
 ')
 
-@@ -461,7 +549,6 @@
+@@ -442,6 +532,13 @@
+ ')
+ 
+ optional_policy(`
+	dbus_system_bus_client_template(httpd,httpd_t)
+	dbus_send_system_bus(httpd_t)
+	tunable_policy(`allow_httpd_dbus_avahi',`
+		avahi_dbus_chat(httpd_t)
+	')
+')
+optional_policy(`
+ 	kerberos_use(httpd_t)
+ 	kerberos_read_kdc_config(httpd_t)
+ ')
+@@ -461,7 +558,6 @@
 
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -3598,7 +3667,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 
 optional_policy(`
-@@ -512,10 +599,16 @@
+@@ -481,6 +577,7 @@
+ ')
+ 
+ optional_policy(`
+	files_dontaudit_rw_usr_dirs(httpd_t)
+ 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ ')
+@@ -512,10 +609,16 @@
 tunable_policy(`httpd_tty_comm',`
 	# cjp: this is redundant:
 	term_use_controlling_term(httpd_helper_t)
@ -3616,7 +3693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache PHP script local policy
-@@ -567,7 +660,6 @@
+@@ -567,7 +670,6 @@
 allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@ -3624,7 +3701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
-@@ -581,6 +673,10 @@
+@@ -581,6 +683,10 @@
 manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
@ -3635,7 +3712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -606,6 +702,10 @@
+@@ -606,6 +712,10 @@
 
 miscfiles_read_localization(httpd_suexec_t)
 
@ -3646,7 +3723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +720,13 @@
+@@ -620,10 +730,13 @@
 	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
 	corenet_tcp_connect_all_ports(httpd_suexec_t)
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
@ -3661,7 +3738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 ')
-@@ -634,6 +737,12 @@
+@@ -634,6 +747,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
@ -3674,7 +3751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +760,6 @@
+@@ -651,18 +770,6 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
@ -3693,7 +3770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache system script local policy
-@@ -672,7 +769,8 @@
+@@ -672,7 +779,8 @@
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
@ -3703,7 +3780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +784,66 @@
+@@ -686,15 +794,66 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
@ -3719,15 +3796,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 +
 +tunable_policy(`httpd_use_nfs', `
- 	fs_read_nfs_files(httpd_sys_script_t)
- 	fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
- 
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
 +	fs_read_nfs_files(httpd_sys_script_t)
 +	fs_read_nfs_symlinks(httpd_sys_script_t)
 +')
 +
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ 	fs_read_nfs_files(httpd_sys_script_t)
+ 	fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+ 
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
 +	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_sys_script_t self:udp_socket create_socket_perms;
@ -3771,7 +3848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -711,6 +860,19 @@
+@@ -711,6 +870,19 @@
 
 ########################################
 #
@ -3791,7 +3868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 # httpd_rotatelogs local policy
 #
 
-@@ -728,3 +890,27 @@
+@@ -728,3 +900,20 @@
 logging_search_logs(httpd_rotatelogs_t)
 
 miscfiles_read_localization(httpd_rotatelogs_t)
@ -3802,6 +3879,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 +files_search_var_lib(httpd_bugzilla_script_t)
 +
+mta_send_mail(httpd_bugzilla_script_t)
+
 +optional_policy(`
 +	mysql_search_db(httpd_bugzilla_script_t)
 +	mysql_stream_connect(httpd_bugzilla_script_t)
@ -3810,15 +3889,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +optional_policy(`
 +	postgresql_stream_connect(httpd_bugzilla_script_t)
 +')
-+
-+
-+optional_policy(`
-+	dbus_system_bus_client_template(httpd,httpd_t)
-+	dbus_send_system_bus(httpd_t)
-+	tunable_policy(`allow_httpd_dbus_avahi',`
-+		avahi_dbus_chat(httpd_t)
-+	')
-+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.6/policy/modules/services/apcupsd.fc
 --- nsaserefpolicy/policy/modules/services/apcupsd.fc	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/services/apcupsd.fc	2007-08-22 08:03:53.000000000 -0400
@ -5028,6 +5098,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 ')
 
 optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.6/policy/modules/services/dnsmasq.te
+--- nsaserefpolicy/policy/modules/services/dnsmasq.te	2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/dnsmasq.te	2007-08-27 10:56:52.000000000 -0400
+@@ -94,3 +94,8 @@
+ optional_policy(`
+ 	udev_read_db(dnsmasq_t)
+ ')
+
+optional_policy(`
+	virt_read_lib_files(dnsmasq_t)
+	virt_append_lib_files(dnsmasq_t)
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.6/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/services/dovecot.fc	2007-08-22 08:03:53.000000000 -0400
@ -6255,7 +6337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.6/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/ntp.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/ntp.te	2007-08-24 16:30:03.000000000 -0400
@@ -25,6 +25,12 @@
 type ntpdate_exec_t;
 init_system_domain(ntpd_t,ntpdate_exec_t)
@ -6304,7 +6386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_sysadm_home_dirs(ntpd_t)
 userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-@@ -126,9 +139,14 @@
+@@ -122,6 +135,10 @@
 ')
 
 optional_policy(`
@ -6312,9 +6394,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 +')
 +
 +optional_policy(`
- 	seutil_sigchld_newrole(ntpd_t)
+ 	logrotate_exec(ntpd_t)
 ')
 
+@@ -132,3 +149,4 @@
 optional_policy(`
 	udev_read_db(ntpd_t)
 ')
@ -7822,7 +7905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.6/policy/modules/services/soundserver.te
 --- nsaserefpolicy/policy/modules/services/soundserver.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/soundserver.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/soundserver.te	2007-08-24 16:10:39.000000000 -0400
@@ -10,9 +10,6 @@
 type soundd_exec_t;
 init_daemon_domain(soundd_t,soundd_exec_t)
@ -7833,7 +7916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 type soundd_state_t;
 files_type(soundd_state_t)
 
-@@ -28,20 +25,28 @@
+@@ -28,20 +25,24 @@
 
 ########################################
 #
@ -7852,10 +7935,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 +allow soundd_t self:capability { dac_override };
 +
 +fs_getattr_all_fs(soundd_t)
-+
-+optional_policy(`
-+	alsa_domtrans(soundd_t)
-+')
 +
 # for yiff
 allow soundd_t self:shm create_shm_perms;
@ -7867,7 +7946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
 manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
 
-@@ -55,8 +60,10 @@
+@@ -55,8 +56,10 @@
 manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
 fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
@ -7879,6 +7958,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 
 kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
+@@ -99,6 +102,10 @@
+ userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
+ 
+ optional_policy(`
+	alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
+ 	seutil_sigchld_newrole(soundd_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.6/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2007-06-11 16:05:30.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/services/spamassassin.fc	2007-08-22 08:03:53.000000000 -0400
@ -9189,8 +9279,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.6/policy/modules/system/brctl.te
 --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.6/policy/modules/system/brctl.te	2007-08-22 08:03:53.000000000 -0400
-@@ -0,0 +1,50 @@
+++ serefpolicy-3.0.6/policy/modules/system/brctl.te	2007-08-27 10:44:36.000000000 -0400
+@@ -0,0 +1,51 @@
 +policy_module(brctl,1.0.0)
 +
 +########################################
@ -9213,6 +9303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
 +allow brctl_t self:tcp_socket create_socket_perms;
 +allow brctl_t self:unix_dgram_socket create_socket_perms;
 +
+dev_write_sysfs_dirs(brctl_t)
 +dev_rw_sysfs(brctl_t)
 +
 +# Init script handling
@ -9409,7 +9500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.6/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/getty.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/getty.te	2007-08-27 10:45:03.000000000 -0400
@@ -33,7 +33,8 @@
 #
 
@ -9803,7 +9894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.6/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/iptables.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/iptables.te	2007-08-27 10:45:25.000000000 -0400
@@ -44,6 +44,8 @@
 
 corenet_relabelto_all_packets(iptables_t)
@ -9821,20 +9912,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
 
 libs_use_ld_so(iptables_t)
 libs_use_shared_libs(iptables_t)
-@@ -96,10 +99,6 @@
+@@ -96,11 +99,11 @@
 ')
 
 optional_policy(`
 -	nscd_socket_use(iptables_t)
-')
-
-optional_policy(`
- 	ppp_dontaudit_use_fds(iptables_t)
+	ppp_dontaudit_use_fds(iptables_t)
 ')
 
+ optional_policy(`
+-	ppp_dontaudit_use_fds(iptables_t)
+	rhgb_dontaudit_use_ptys(iptables_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.6/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/libraries.fc	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/libraries.fc	2007-08-27 10:58:43.000000000 -0400
@@ -65,11 +65,12 @@
 /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -9867,7 +9961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # vmware 
-@@ -284,3 +289,7 @@
+@@ -284,3 +289,8 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@ -9875,6 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/usr/lib64/mozilla/plugins/libvlcplugin.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/var/cache/ldconfig(/.*)?		    	gen_context(system_u:object_r:ldconfig_cache_t,s0)
+/usr/lib/libtheora\.so.*  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.6/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-08-02 08:17:28.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/system/libraries.te	2007-08-22 08:03:53.000000000 -0400
@ -10437,7 +10532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 /var/spool/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.6/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/modutils.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/modutils.te	2007-08-24 16:32:27.000000000 -0400
@@ -42,7 +42,7 @@
 # insmod local policy
 #
@ -10544,7 +10639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.6/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/mount.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/mount.te	2007-08-24 16:33:07.000000000 -0400
@@ -8,6 +8,13 @@
 
 ## <desc>
@ -11695,7 +11790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-22 07:14:12.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/system/userdomain.if	2007-08-22 08:03:53.000000000 -0400
@@ -62,6 +62,10 @@
 
@ -11719,22 +11814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -183,14 +191,6 @@
- 	read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- 	files_list_home($1_t)
- 
-	# privileged home directory writers
-	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-
- 	tunable_policy(`use_nfs_home_dirs',`
- 		fs_list_nfs_dirs($1_t)
- 		fs_read_nfs_files($1_t)
-@@ -323,13 +323,19 @@
+@@ -315,13 +323,19 @@
 ## <rolebase/>
 #
 template(`userdom_exec_home_template',`
@ -11757,7 +11837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		fs_exec_cifs_files($1_t)
 	')
 ')
-@@ -403,7 +409,9 @@
+@@ -395,7 +409,9 @@
 ## <rolebase/>
 #
 template(`userdom_exec_tmp_template',`
@ -11768,7 +11848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -517,10 +525,6 @@
+@@ -509,10 +525,6 @@
 ## <rolebase/>
 #
 template(`userdom_exec_generic_pgms_template',`
@ -11779,7 +11859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	corecmd_exec_bin($1_t)
 ')
 
-@@ -538,9 +542,6 @@
+@@ -530,9 +542,6 @@
 ## <rolebase/>
 #
 template(`userdom_basic_networking_template',`
@ -11789,7 +11869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
-@@ -571,32 +572,29 @@
+@@ -563,32 +572,29 @@
 #
 template(`userdom_xwindows_client_template',`
 	gen_require(`
@ -11843,7 +11923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -672,67 +670,39 @@
+@@ -664,67 +670,39 @@
 		attribute unpriv_userdomain;
 	')
 
@ -11914,7 +11994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	files_exec_etc_files($1_t)
 	files_search_locks($1_t)
 	# Check to see if cdrom is mounted
-@@ -745,12 +715,6 @@
+@@ -737,12 +715,6 @@
 	# Stat lost+found.
 	files_getattr_lost_found_dirs($1_t)
 
@ -11927,7 +12007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
 	selinux_validate_context($1_t)
-@@ -763,31 +727,16 @@
+@@ -755,31 +727,16 @@
 	storage_getattr_fixed_disk_dev($1_t)
 
 	auth_read_login_records($1_t)
@ -11961,7 +12041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	seutil_exec_checkpolicy($1_t)
 	seutil_exec_setfiles($1_t)
-@@ -802,19 +751,12 @@
+@@ -794,19 +751,12 @@
 		files_read_default_symlinks($1_t)
 		files_read_default_sockets($1_t)
 		files_read_default_pipes($1_t)
@ -11981,7 +12061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	optional_policy(`
 		alsa_read_rw_config($1_t)
 	')
-@@ -829,11 +771,6 @@
+@@ -821,11 +771,6 @@
 	')
 
 	optional_policy(`
@ -11993,7 +12073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		allow $1_t self:dbus send_msg;
 		dbus_system_bus_client_template($1,$1_t)
 
-@@ -842,21 +779,18 @@
+@@ -834,21 +779,18 @@
 		')
 
 		optional_policy(`
@ -12019,7 +12099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	optional_policy(`
-@@ -884,17 +818,17 @@
+@@ -876,17 +818,17 @@
 	')
 
 	optional_policy(`
@ -12045,7 +12125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	optional_policy(`
-@@ -908,16 +842,6 @@
+@@ -900,16 +842,6 @@
 	')
 
 	optional_policy(`
@ -12062,7 +12142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		resmgr_stream_connect($1_t)
 	')
 
-@@ -927,11 +851,6 @@
+@@ -919,11 +851,6 @@
 	')
 
 	optional_policy(`
@ -12074,7 +12154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		samba_stream_connect_winbind($1_t)
 	')
 
-@@ -962,21 +881,162 @@
+@@ -954,21 +881,162 @@
 ##	</summary>
 ## </param>
 #
@ -12243,7 +12323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	domain_interactive_fd($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
-@@ -985,15 +1045,51 @@
+@@ -977,23 +1045,51 @@
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
 
@ -12288,10 +12368,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	# Declarations
 	#
 
-	corecmd_exec_all_executables($1_t)
+-	# privileged home directory writers
+-	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
 +	# Inherit rules for ordinary users.
 +	userdom_common_user_template($1)
-+
+ 
+-	corecmd_exec_all_executables($1_t)
 +	##############################
 +	#
 +	# Local policy
@ -12718,7 +12805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.6/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/userdomain.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.te	2007-08-27 17:33:50.000000000 -0400
@@ -74,6 +74,9 @@
 # users home directory contents
 attribute home_type;
@ -12766,6 +12853,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
 	#apache_run_all_scripts(sysadm_t,sysadm_r)
 	#apache_domtrans_sys_script(sysadm_t)
+@@ -278,7 +283,7 @@
+ ')
+ 
+ optional_policy(`
+-	certwatach_run(sysadm_t,sysadm_r,admin_terminal)
+	certwatch_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+ 
+ optional_policy(`
@@ -286,14 +291,6 @@
 ')
 
@ -12816,6 +12912,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +tunable_policy(`allow_console_login', `
 +	term_use_console(userdomain)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.6/policy/modules/system/virt.fc
+--- nsaserefpolicy/policy/modules/system/virt.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.fc	2007-08-27 10:52:37.000000000 -0400
+@@ -0,0 +1 @@
+/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.6/policy/modules/system/virt.if
+--- nsaserefpolicy/policy/modules/system/virt.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.if	2007-08-27 10:53:48.000000000 -0400
+@@ -0,0 +1,58 @@
+## <summary>Virtualization </summary>
+
+########################################
+## <summary>
+##	Read virt library files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	read_files_pattern($1, virt_var_lib_t,virt_var_lib_t)
+')
+
+########################################
+## <summary>
+##	append virt library files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`virt_append_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	allow $1 virt_var_lib_t:file append;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	virt library files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`virt_rw_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.6/policy/modules/system/virt.te
+--- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.te	2007-08-27 10:52:32.000000000 -0400
+@@ -0,0 +1,3 @@
+# var/lib files
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.6/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2007-07-03 07:06:32.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/system/xen.if	2007-08-22 08:03:53.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -16,8 +16,8 @@
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.0.6
-Release: 3%{?dist}
+Version: 3.0.7
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -82,8 +82,8 @@ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic}
 cp -f $RPM_SOURCE_DIR/modules-%1.conf  ./policy/modules.conf \
 cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \

-%define moduleList() %([ -f $RPM_SOURCE_DIR/modules-%{1}.conf ] && \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' $RPM_SOURCE_DIR/modules-%{1}.conf )
+%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )

 %define installCmds() \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
@ -289,6 +289,7 @@ semodule -s targeted -r moilscanner 2>/dev/null
 %loadpolicy targeted
 %relabel targeted
 if [ $1 = 0 ]; then
+semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 
 semanage user -a -P guest -R guest_r guest_u
 semanage user -a -P xguest -R xguest_r xguest_u 
@ -361,6 +362,9 @@ exit 0
 %endif

 %changelog
+* Mon Aug 27 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-1
+- Update an readd modules
+
 * Fri Aug 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-3
 - Cleanup  spec file

--- a/2
+++ b/2
@ -1 +1 @@
-a5d797f1b43fd89f8f815f5cd2664999  serefpolicy-3.0.6.tgz
+cf3ad58b7f285398e7b19a9f2d097f8e  serefpolicy-3.0.7.tgz