rpms/selinux-policy/F-8 policy-20070703.patch, 1.149, 1.150 selinux-policy.spec, 1.589, 1.590

[Daniel J Walsh (dwalsh)]

Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12202

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Tue Dec 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-65
- Allow httpd_sys_script_t to search users homedirs


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -r1.149 -r1.150
--- policy-20070703.patch	3 Dec 2007 03:29:59 -0000	1.149
+++ policy-20070703.patch	5 Dec 2007 03:19:26 -0000	1.150
@@ -4505,7 +4505,7 @@
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2007-12-04 22:17:10.000000000 -0500
 @@ -343,8 +343,7 @@
  
  ########################################
@@ -5623,7 +5623,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-12-04 08:45:26.000000000 -0500
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -5717,9 +5717,10 @@
  	gen_require(`
  		attribute httpdcontent, httpd_script_domains;
 -		attribute httpd_exec_scripts;
+-		type httpd_t, httpd_suexec_t, httpd_log_t;
 +		attribute httpd_exec_scripts, httpd_user_content_type;
 +		attribute httpd_user_script_exec_type;
- 		type httpd_t, httpd_suexec_t, httpd_log_t;
++		type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t;
  	')
  
  	apache_content_template($1)
@@ -5733,7 +5734,15 @@
  	typeattribute httpd_$1_script_t httpd_script_domains;
  	userdom_user_home_content($1,httpd_$1_content_t)
  
-@@ -345,12 +301,11 @@
+@@ -324,6 +280,7 @@
+ 		userdom_search_user_home_dirs($1,httpd_t)
+ 		userdom_search_user_home_dirs($1,httpd_suexec_t)
+ 		userdom_search_user_home_dirs($1,httpd_$1_script_t)
++		userdom_search_user_home_dirs($1,httpd_sys_script_t)
+ 	')
+ ')
+ 
+@@ -345,12 +302,11 @@
  #
  template(`apache_read_user_scripts',`
  	gen_require(`
@@ -5750,7 +5759,7 @@
  ')
  
  ########################################
-@@ -371,12 +326,12 @@
+@@ -371,12 +327,12 @@
  #
  template(`apache_read_user_content',`
  	gen_require(`
@@ -5767,7 +5776,7 @@
  ')
  
  ########################################
-@@ -754,6 +709,7 @@
+@@ -754,6 +710,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -5775,7 +5784,7 @@
  ')
  
  ########################################
-@@ -838,6 +794,10 @@
+@@ -838,6 +795,10 @@
  		type httpd_sys_script_t;
  	')
  
@@ -5786,7 +5795,7 @@
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
  		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
  	')
-@@ -925,7 +885,7 @@
+@@ -925,7 +886,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -5795,7 +5804,7 @@
  ')
  
  ########################################
-@@ -1005,6 +965,31 @@
+@@ -1005,6 +966,31 @@
  
  ########################################
  ## <summary>
@@ -5827,7 +5836,7 @@
  ##	Search system script state directory.
  ## </summary>
  ## <param name="domain">
-@@ -1056,3 +1041,138 @@
+@@ -1056,3 +1042,138 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -10652,6 +10661,16 @@
  files_pid_filetrans(openct_t,openct_var_run_t,file)
  
  kernel_read_kernel_sysctls(openct_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.0.8/policy/modules/services/openvpn.fc
+--- nsaserefpolicy/policy/modules/services/openvpn.fc	2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/openvpn.fc	2007-12-04 11:28:30.000000000 -0500
+@@ -11,5 +11,5 @@
+ #
+ # /var
+ #
+-/var/log/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_log_t,s0)
++/var/log/openvpn.*		gen_context(system_u:object_r:openvpn_var_log_t,s0)
+ /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.8/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2007-10-22 13:21:36.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/openvpn.te	2007-12-02 21:15:34.000000000 -0500
@@ -13935,7 +13954,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-12-04 15:52:53.000000000 -0500
 @@ -116,8 +116,7 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
@@ -14059,13 +14078,14 @@
  		nis_use_ypbind($1_xauth_t)
  	')
  
-@@ -536,17 +533,15 @@
+@@ -536,17 +533,16 @@
  template(`xserver_user_client_template',`
  
  	gen_require(`
 -		type xdm_t, xdm_tmp_t;
 -		type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
 +		type xdm_t, xdm_tmp_t, xdm_xserver_t;
++		type xdm_var_run_t;
  	')
  
 -	allow $2 self:shm create_shm_perms;
@@ -14083,10 +14103,14 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -555,25 +550,51 @@
+@@ -555,25 +551,55 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
++	# consolekit needs this for fast user switching
++	allow $2 xdm_var_run_t:dir search_dir_perms;
++	allow $2 xdm_var_run_t:sock_file getattr;
++
 +	corenet_tcp_connect_xserver_port($2)
 +
  	# Allow connections to X server.
@@ -14143,7 +14167,7 @@
  	')
  ')
  
-@@ -626,6 +647,24 @@
+@@ -626,6 +652,24 @@
  
  ########################################
  ## <summary>
@@ -14168,7 +14192,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -659,6 +698,73 @@
+@@ -659,6 +703,73 @@
  
  ########################################
  ## <summary>
@@ -14242,7 +14266,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -927,6 +1033,7 @@
+@@ -927,6 +1038,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -14250,7 +14274,7 @@
  ')
  
  ########################################
-@@ -987,6 +1094,37 @@
+@@ -987,6 +1099,37 @@
  
  ########################################
  ## <summary>
@@ -14288,7 +14312,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1136,7 +1274,7 @@
+@@ -1136,7 +1279,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -14297,7 +14321,7 @@
  ')
  
  ########################################
-@@ -1325,3 +1463,82 @@
+@@ -1325,3 +1468,82 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -15120,7 +15144,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2007-12-03 18:47:24.000000000 -0500
 @@ -9,6 +9,13 @@
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
@@ -15171,7 +15195,7 @@
  term_use_all_user_ttys(pam_t)
  term_use_all_user_ptys(pam_t)
  
-@@ -111,6 +129,7 @@
+@@ -111,19 +129,12 @@
  logging_send_syslog_msg(pam_t)
  
  userdom_use_unpriv_users_fds(pam_t)
@@ -15179,7 +15203,20 @@
  
  optional_policy(`
  	locallogin_use_fds(pam_t)
-@@ -149,6 +168,8 @@
+ ')
+ 
+-optional_policy(`
+-	nis_use_ypbind(pam_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(pam_t)
+-')
+-
+ ########################################
+ #
+ # PAM console local policy
+@@ -149,6 +160,8 @@
  dev_setattr_apm_bios_dev(pam_console_t)
  dev_getattr_dri_dev(pam_console_t)
  dev_setattr_dri_dev(pam_console_t)
@@ -15188,7 +15225,7 @@
  dev_getattr_framebuffer_dev(pam_console_t)
  dev_setattr_framebuffer_dev(pam_console_t)
  dev_getattr_generic_usb_dev(pam_console_t)
-@@ -159,6 +180,8 @@
+@@ -159,6 +172,8 @@
  dev_setattr_mouse_dev(pam_console_t)
  dev_getattr_power_mgmt_dev(pam_console_t)
  dev_setattr_power_mgmt_dev(pam_console_t)
@@ -15197,7 +15234,7 @@
  dev_getattr_scanner_dev(pam_console_t)
  dev_setattr_scanner_dev(pam_console_t)
  dev_getattr_sound_dev(pam_console_t)
-@@ -200,6 +223,7 @@
+@@ -200,6 +215,7 @@
  
  fs_list_auto_mountpoints(pam_console_t)
  fs_list_noxattr_fs(pam_console_t)
@@ -15205,7 +15242,7 @@
  
  init_use_fds(pam_console_t)
  init_use_script_ptys(pam_console_t)
-@@ -236,7 +260,7 @@
+@@ -236,7 +252,7 @@
  
  optional_policy(`
  	xserver_read_xdm_pid(pam_console_t)
@@ -15214,7 +15251,15 @@
  ')
  
  ########################################
-@@ -302,3 +326,28 @@
+@@ -256,6 +272,7 @@
+ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+ userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
+ userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
++userdom_unlink_unpriv_users_tmp_files(pam_t)
+ 
+ ########################################
+ #
+@@ -302,3 +319,28 @@
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
@@ -18709,7 +18754,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-12-04 22:17:40.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -18721,7 +18766,7 @@
  	domain_type($1_t)
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
-@@ -45,65 +46,72 @@
+@@ -45,65 +46,73 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
  
@@ -18795,6 +18840,7 @@
 +	domain_dontaudit_getattr_all_domains($1_usertype)
 +	domain_dontaudit_getsession_all_domains($1_usertype)
 +
++	files_list_mnt($1_usertype)
 +	files_read_etc_files($1_usertype)
 +	files_read_etc_runtime_files($1_usertype)
 +	files_read_usr_files($1_usertype)
@@ -18845,7 +18891,7 @@
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -114,6 +122,10 @@
+@@ -114,6 +123,10 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -18856,7 +18902,7 @@
  ')
  
  #######################################
-@@ -184,7 +196,7 @@
+@@ -184,7 +197,7 @@
  	files_list_home($1_t)
  
  	tunable_policy(`use_nfs_home_dirs',`
@@ -18865,7 +18911,7 @@
  		fs_read_nfs_files($1_t)
  		fs_read_nfs_symlinks($1_t)
  		fs_read_nfs_named_sockets($1_t)
-@@ -195,7 +207,7 @@
+@@ -195,7 +208,7 @@
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
@@ -18874,7 +18920,7 @@
  		fs_read_cifs_files($1_t)
  		fs_read_cifs_symlinks($1_t)
  		fs_read_cifs_named_sockets($1_t)
-@@ -262,42 +274,42 @@
+@@ -262,42 +275,42 @@
  
  	# full control of the home directory
  	allow $1_t $1_home_t:file entrypoint;
@@ -18944,7 +18990,7 @@
  	')
  ')
  
-@@ -315,14 +327,20 @@
+@@ -315,14 +328,20 @@
  ## <rolebase/>
  #
  template(`userdom_exec_home_template',`
@@ -18970,7 +19016,7 @@
  	')
  ')
  
-@@ -374,12 +392,12 @@
+@@ -374,12 +393,12 @@
  	type $1_tmp_t, $1_file_type;
  	files_tmp_file($1_tmp_t)
  
@@ -18989,7 +19035,7 @@
  ')
  
  #######################################
-@@ -395,7 +413,9 @@
+@@ -395,7 +414,9 @@
  ## <rolebase/>
  #
  template(`userdom_exec_tmp_template',`
@@ -19000,7 +19046,7 @@
  ')
  
  #######################################
-@@ -509,10 +529,6 @@
+@@ -509,10 +530,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -19011,7 +19057,7 @@
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -530,9 +546,6 @@
+@@ -530,9 +547,6 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
@@ -19021,7 +19067,7 @@
  
  	allow $1_t self:tcp_socket create_stream_socket_perms;
  	allow $1_t self:udp_socket create_socket_perms;
-@@ -563,32 +576,29 @@
+@@ -563,32 +577,29 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -19075,7 +19121,7 @@
  ')
  
  #######################################
-@@ -664,67 +674,39 @@
+@@ -664,67 +675,39 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -19146,7 +19192,7 @@
  	files_exec_etc_files($1_t)
  	files_search_locks($1_t)
  	# Check to see if cdrom is mounted
-@@ -737,12 +719,6 @@
+@@ -737,12 +720,6 @@
  	# Stat lost+found.
  	files_getattr_lost_found_dirs($1_t)
  
@@ -19159,7 +19205,7 @@
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
  	selinux_validate_context($1_t)
-@@ -755,31 +731,14 @@
+@@ -755,31 +732,14 @@
  	storage_getattr_fixed_disk_dev($1_t)
  
  	auth_read_login_records($1_t)
@@ -19191,7 +19237,7 @@
  	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
  	seutil_exec_checkpolicy($1_t)
  	seutil_exec_setfiles($1_t)
-@@ -794,19 +753,12 @@
+@@ -794,19 +754,12 @@
  		files_read_default_symlinks($1_t)
  		files_read_default_sockets($1_t)
  		files_read_default_pipes($1_t)
@@ -19211,7 +19257,7 @@
  	optional_policy(`
  		alsa_read_rw_config($1_t)
  	')
-@@ -821,11 +773,6 @@
+@@ -821,11 +774,6 @@
  	')
  
  	optional_policy(`
@@ -19223,7 +19269,7 @@
  		allow $1_t self:dbus send_msg;
  		dbus_system_bus_client_template($1,$1_t)
  
-@@ -834,20 +781,20 @@
+@@ -834,20 +782,20 @@
  		')
  
  		optional_policy(`
@@ -19249,7 +19295,7 @@
  		')
  	')
  
-@@ -876,17 +823,17 @@
+@@ -876,17 +824,17 @@
  	')
  
  	optional_policy(`
@@ -19275,7 +19321,7 @@
  	')
  
  	optional_policy(`
-@@ -900,16 +847,6 @@
+@@ -900,16 +848,6 @@
  	')
  
  	optional_policy(`
@@ -19292,7 +19338,7 @@
  		resmgr_stream_connect($1_t)
  	')
  
-@@ -919,11 +856,6 @@
+@@ -919,11 +857,6 @@
  	')
  
  	optional_policy(`
@@ -19304,7 +19350,7 @@
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -954,21 +886,164 @@
+@@ -954,21 +887,164 @@
  ##	</summary>
  ## </param>
  #
@@ -19475,7 +19521,7 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1052,51 @@
+@@ -977,23 +1053,51 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -19538,7 +19584,7 @@
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,42 +1132,22 @@
+@@ -1029,42 +1133,22 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -19586,7 +19632,7 @@
  ')
  
  #######################################
-@@ -1102,6 +1185,8 @@
+@@ -1102,6 +1186,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -19595,7 +19641,7 @@
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1212,7 @@
+@@ -1127,7 +1213,7 @@
  	# $1_t local policy
  	#
  
@@ -19604,7 +19650,7 @@
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,7 +1224,11 @@
+@@ -1139,7 +1225,11 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -19617,7 +19663,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1277,6 +1366,7 @@
+@@ -1277,6 +1367,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -19625,7 +19671,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1642,9 +1732,13 @@
+@@ -1642,9 +1733,13 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -19639,7 +19685,7 @@
  	files_type($2)
  ')
  
-@@ -1894,10 +1988,46 @@
+@@ -1894,10 +1989,46 @@
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
  		type $1_home_dir_t, $1_home_t;
@@ -19687,7 +19733,7 @@
  ')
  
  ########################################
-@@ -2994,6 +3124,25 @@
+@@ -2994,6 +3125,25 @@
  
  ########################################
  ## <summary>
@@ -19713,7 +19759,7 @@
  ##	Create objects in a user temporary directory
  ##	with an automatic type transition to
  ##	a specified private type.
-@@ -3078,7 +3227,7 @@
+@@ -3078,7 +3228,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -19722,7 +19768,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4410,6 +4559,7 @@
+@@ -4410,6 +4560,7 @@
  	')
  
  	dontaudit $1 sysadm_home_dir_t:dir getattr;
@@ -19730,7 +19776,7 @@
  ')
  
  ########################################
-@@ -4574,6 +4724,7 @@
+@@ -4574,6 +4725,7 @@
  	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
  	read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
  	read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
@@ -19738,7 +19784,7 @@
  ')
  
  ########################################
-@@ -4609,11 +4760,29 @@
+@@ -4609,11 +4761,29 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -19769,7 +19815,7 @@
  ')
  
  ########################################
-@@ -4633,6 +4802,14 @@
+@@ -4633,6 +4803,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -19784,7 +19830,7 @@
  ')
  
  ########################################
-@@ -5323,7 +5500,7 @@
+@@ -5323,7 +5501,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -19793,7 +19839,7 @@
  ')
  
  ########################################
-@@ -5346,6 +5523,25 @@
+@@ -5346,6 +5524,25 @@
  
  ########################################
  ## <summary>
@@ -19819,7 +19865,7 @@
  ##	Write all unprivileged users files in /tmp
  ## </summary>
  ## <param name="domain">
-@@ -5529,6 +5725,24 @@
+@@ -5529,6 +5726,24 @@
  
  ########################################
  ## <summary>
@@ -19844,7 +19890,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5559,3 +5773,403 @@
+@@ -5559,3 +5774,396 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -20031,13 +20077,6 @@
 +template(`userdom_restricted_xwindows_user_template', `
 +
 +userdom_restricted_user_template($1)
-+# Should be optional but policy will not build because of compiler problems
-+# Must be before xwindows calls
-+#optional_policy(`
-+	gnome_per_role_template(xguest, xguest_t, xguest_r)
-+	gnome_exec_gconf(xguest_t)
-+#')
-+
 +userdom_xwindows_client_template($1)
 +
 +logging_send_syslog_msg($1_usertype)
@@ -20696,12 +20735,11 @@
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te	2007-12-02 21:15:34.000000000 -0500
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.0.8/policy/modules/users/guest.te	2007-12-04 14:31:41.000000000 -0500
+@@ -0,0 +1,3 @@
 +policy_module(guest,1.0.1)
 +userdom_restricted_user_template(guest)
 +userdom_restricted_user_template(gadmin)
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.8/policy/modules/users/logadm.fc	2007-12-02 21:15:34.000000000 -0500


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.589
retrieving revision 1.590
diff -u -r1.589 -r1.590
--- selinux-policy.spec	3 Dec 2007 03:29:59 -0000	1.589
+++ selinux-policy.spec	5 Dec 2007 03:19:26 -0000	1.590
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 64%{?dist}
+Release: 65%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
 %endif
 
 %changelog
+* Tue Dec 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-65
+- Allow httpd_sys_script_t to search users homedirs
+
 * Sun Dec 2 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-64
 - Allow xdm to list all filesystem directories