rpms/selinux-policy/F-9 booleans-targeted.conf, 1.40, 1.41 policy-20071130.patch, 1.132, 1.133 selinux-policy.spec, 1.658, 1.659

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Apr 25 21:13:57 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2708

Modified Files:
	booleans-targeted.conf policy-20071130.patch 
	selinux-policy.spec 
Log Message:
* Fri Apr 25 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-42
- Add boolean to mmap_zero
- allow tor setgid
- Allow gnomeclock to set clock



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/booleans-targeted.conf,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- booleans-targeted.conf	8 Apr 2008 19:17:28 -0000	1.40
+++ booleans-targeted.conf	25 Apr 2008 21:13:17 -0000	1.41
@@ -274,3 +274,7 @@
 # Allow unconfined domain to transition to confined domain
 # 
 allow_unconfined_nsplugin_transition=false
+
+# Allow unconfined domains mmap low kernel memory
+# 
+allow_unconfined_mmap_low = true
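Review bot: `allow_unconfined_mmap_low` is introduced with a default of `true`, so a stock install leaves low-address mappings open to unconfined domains. The interface text added to domain.if in this same commit says that preventing such mappings helps protect against kernel null-dereference bugs. A default of `false`, turned on only where wine or vbetool-style software needs it, would keep that protection; the rule that consumes the boolean is not visible here, so confirm its effect first. The line also puts spaces around `=`, unlike `allow_unconfined_nsplugin_transition=false` above it, and the comment is missing a word. I would write `# Allow unconfined domains to mmap low kernel memory` and `allow_unconfined_mmap_low=false`.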

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.132
retrieving revision 1.133
diff -u -r1.132 -r1.133
--- policy-20071130.patch	24 Apr 2008 21:03:28 -0000	1.132
+++ policy-20071130.patch	25 Apr 2008 21:13:17 -0000	1.133
@@ -8,106 +8,6 @@
  - Label /proc/kallsyms with system_map_t.
  - 64-bit capabilities from Stephen Smalley.
  - Labeled networking peer object class updates.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
---- nsaserefpolicy/Makefile	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/Makefile	2008-04-21 11:02:47.842805000 -0400
-@@ -235,7 +235,7 @@
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
- 
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -309,20 +309,22 @@
- 
- # parse-rolemap modulename,outputfile
- define parse-rolemap
--	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
--		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+	echo "" >> $2
-+#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
- 
- # perrole-expansion modulename,outputfile
- define perrole-expansion
--	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
--	$(call parse-rolemap,$1,$2)
--	$(verbose) echo "')" >> $2
--
--	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
--	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
--	$(call parse-rolemap-compat,$1,$2)
--	$(verbose) echo "')" >> $2
-+	echo "No longer doing perrole-expansion"
-+#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+#	$(call parse-rolemap,$1,$2)
-+#	$(verbose) echo "')" >> $2
-+
-+#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+#	$(call parse-rolemap-compat,$1,$2)
-+#	$(verbose) echo "')" >> $2
- endef
- 
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -521,6 +523,10 @@
- 	@mkdir -p $(appdir)/users
- 	$(verbose) $(INSTALL) -m 644 $^ $@
- 
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+	@mkdir -p $(appdir)
-+	$(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- 	@mkdir -p $(appdir)
- 	$(verbose) $(INSTALL) -m 644 $< $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
---- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.modular	2008-04-21 11:02:47.848797000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- 	@echo "Compliling $(NAME) $(@F) module"
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
--	$(call perrole-expansion,$(basename $(@F)),$@.role)
--	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+#	$(call perrole-expansion,$(basename $(@F)),$@.role)
-+	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
- 
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- 	$(verbose) $(genperm) $(avs) $(secclass) > $@
--	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
- 
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -147,7 +147,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- 	$(verbose) echo "" > $@
--	$(call parse-rolemap,base,$@)
-+#	$(call parse-rolemap,base,$@)
- 
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.monolithic	2008-04-21 11:02:47.854791000 -0400
-@@ -96,7 +96,7 @@
- #
- # Load the binary policy
- #
--reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- 	@echo "Loading $(NAME) $(loadpath)"
- 	$(verbose) $(LOADPOLICY) -q $(loadpath)
- 	@touch $(tmpdir)/load
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context	2008-04-21 11:02:47.859787000 -0400
@@ -791,6 +691,62 @@
 +system_r:sshd_t		xguest_r:xguest_t
 +system_r:crond_t	xguest_r:xguest_crond_t
 +system_r:xdm_t		xguest_r:xguest_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
+--- nsaserefpolicy/Makefile	2008-02-06 10:33:22.000000000 -0500
++++ serefpolicy-3.3.1/Makefile	2008-04-21 11:02:47.842805000 -0400
+@@ -235,7 +235,7 @@
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+ 
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -309,20 +309,22 @@
+ 
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++	echo "" >> $2
++#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+ 
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+-	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+-	$(call parse-rolemap,$1,$2)
+-	$(verbose) echo "')" >> $2
+-
+-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+-	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+-	$(call parse-rolemap-compat,$1,$2)
+-	$(verbose) echo "')" >> $2
++	echo "No longer doing perrole-expansion"
++#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++#	$(call parse-rolemap,$1,$2)
++#	$(verbose) echo "')" >> $2
++
++#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++#	$(call parse-rolemap-compat,$1,$2)
++#	$(verbose) echo "')" >> $2
+ endef
+ 
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -521,6 +523,10 @@
+ 	@mkdir -p $(appdir)/users
+ 	$(verbose) $(INSTALL) -m 644 $^ $@
+ 
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++	@mkdir -p $(appdir)
++	$(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ 	@mkdir -p $(appdir)
+ 	$(verbose) $(INSTALL) -m 644 $< $@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8
 --- nsaserefpolicy/man/man8/httpd_selinux.8	2008-02-18 14:30:19.000000000 -0500
 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8	2008-04-21 11:02:47.931714000 -0400
@@ -1431,25 +1387,27 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.3.1/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/anaconda.te	2008-04-21 11:02:47.961686000 -0400
-@@ -31,16 +31,13 @@
++++ serefpolicy-3.3.1/policy/modules/admin/anaconda.te	2008-04-25 15:25:33.174422000 -0400
+@@ -31,15 +31,14 @@
  modutils_domtrans_insmod(anaconda_t)
  
  seutil_domtrans_semanage(anaconda_t)
+-
+-unconfined_domain(anaconda_t)
+-
+-userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
 +seutil_domtrans_setsebool(anaconda_t)
  
- unconfined_domain(anaconda_t)
- 
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
- 
  optional_policy(`
 -	dmesg_domtrans(anaconda_t)
--')
--
--optional_policy(`
- 	kudzu_domtrans(anaconda_t)
++	unconfined_domain(anaconda_t)
  ')
  
++userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
++
+ optional_policy(`
+ 	kudzu_domtrans(anaconda_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.3.1/policy/modules/admin/bootloader.te
 --- nsaserefpolicy/policy/modules/admin/bootloader.te	2007-12-19 05:32:18.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/admin/bootloader.te	2008-04-21 11:02:47.966681000 -0400
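Review bot: In anaconda.te, `unconfined_domain(anaconda_t)` now sits inside `optional_policy` with no comment, so nothing tells a reader that the installer domain is either fully unconfined or limited to the few explicit rules above it. Which one applies depends on whether the unconfined module is built. A comment inside the block would document that, for example `# anaconda is unconfined only when the unconfined module is present`. The firstboot.te hunk that follows makes the same move for `unconfined_domain(firstboot_t)` and would benefit from the same comment next to `# The big hammer`. The rest of both .te files is outside these hunks, so whether the remaining explicit rules are enough without the unconfined module cannot be judged from here.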
@@ -1499,8 +1457,27 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.3.1/policy/modules/admin/firstboot.te
 --- nsaserefpolicy/policy/modules/admin/firstboot.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/firstboot.te	2008-04-21 11:02:47.984660000 -0400
-@@ -120,6 +120,10 @@
++++ serefpolicy-3.3.1/policy/modules/admin/firstboot.te	2008-04-25 16:46:46.000277000 -0400
+@@ -35,9 +35,6 @@
+ 
+ allow firstboot_t firstboot_etc_t:file { getattr read };
+ 
+-# The big hammer
+-unconfined_domain(firstboot_t) 
+-
+ kernel_read_system_state(firstboot_t)
+ kernel_read_kernel_sysctls(firstboot_t)
+ 
+@@ -110,6 +107,8 @@
+ 
+ optional_policy(`
+ 	unconfined_domtrans(firstboot_t)
++	# The big hammer
++	unconfined_domain(firstboot_t) 
+ ')
+ 
+ optional_policy(`
+@@ -120,6 +119,10 @@
  	usermanage_domtrans_admin_passwd(firstboot_t)
  ')
  
@@ -1511,7 +1488,7 @@
  ifdef(`TODO',`
  allow firstboot_t proc_t:file write;
  
-@@ -132,7 +136,4 @@
+@@ -132,7 +135,4 @@
  	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
  ')
  
@@ -2577,6 +2554,109 @@
  	usermanage_domtrans_groupadd(rpm_script_t)
  	usermanage_domtrans_useradd(rpm_script_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if	2008-04-21 11:02:48.070575000 -0400
+@@ -55,7 +55,7 @@
+ 	#
+ 
+ 	# Use capabilities.
+-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 	allow $1_sudo_t self:process { setexec setrlimit };
+ 	allow $1_sudo_t self:fd use;
+@@ -68,33 +68,35 @@
+ 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ 	allow $1_sudo_t self:unix_dgram_socket sendto;
+ 	allow $1_sudo_t self:unix_stream_socket connectto;
+-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++	allow $1_sudo_t self:key manage_key_perms;
++	allow $1_sudo_t $1_t:key search;
+ 
+ 	# Enter this derived domain from the user domain
+ 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+ 
+ 	# By default, revert to the calling domain when a shell is executed.
+ 	corecmd_shell_domtrans($1_sudo_t,$2)
++	corecmd_bin_domtrans($1_sudo_t,$2)
+ 	allow $2 $1_sudo_t:fd use;
+ 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ 	allow $2 $1_sudo_t:process sigchld;
+ 
+ 	kernel_read_kernel_sysctls($1_sudo_t)
+ 	kernel_read_system_state($1_sudo_t)
+-	kernel_search_key($1_sudo_t)
++	kernel_link_key($1_sudo_t)
+ 
+ 	dev_read_urand($1_sudo_t)
+ 
+ 	fs_search_auto_mountpoints($1_sudo_t)
+ 	fs_getattr_xattr_fs($1_sudo_t)
+ 
+-	auth_domtrans_chk_passwd($1_sudo_t)
++	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ 	# sudo stores a token in the pam_pid directory
+ 	auth_manage_pam_pid($1_sudo_t)
+ 	auth_use_nsswitch($1_sudo_t)
+ 
+ 	corecmd_read_bin_symlinks($1_sudo_t)
+-	corecmd_getattr_all_executables($1_sudo_t)
++	corecmd_exec_all_executables($1_sudo_t)
+ 
+ 	domain_use_interactive_fds($1_sudo_t)
+ 	domain_sigchld_interactive_fds($1_sudo_t)
+@@ -106,32 +108,42 @@
+ 	files_getattr_usr_files($1_sudo_t)
+ 	# for some PAM modules and for cwd
+ 	files_dontaudit_search_home($1_sudo_t)
++	files_list_tmp($1_sudo_t)
+ 
+ 	init_rw_utmp($1_sudo_t)
+ 
+ 	libs_use_ld_so($1_sudo_t)
+ 	libs_use_shared_libs($1_sudo_t)
+ 
++	logging_send_audit_msgs($1_sudo_t)
+ 	logging_send_syslog_msg($1_sudo_t)
+ 
+ 	miscfiles_read_localization($1_sudo_t)
+ 
++	mta_per_role_template($1, $1_sudo_t, $3)
++
+ 	userdom_manage_user_home_content_files($1,$1_sudo_t)
+ 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
+ 	userdom_manage_user_tmp_files($1,$1_sudo_t)
+ 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
++	userdom_exec_user_home_content_files($1,$1_sudo_t)
+ 	userdom_use_user_terminals($1,$1_sudo_t)
+ 	userdom_use_unpriv_users_fds($1_sudo_t)
+ 	# for some PAM modules and for cwd
++	userdom_search_sysadm_home_content_dirs($1_sudo_t)
+ 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+ 
+-	ifdef(`TODO',`
+-	# for when the network connection is killed
+-	dontaudit unpriv_userdomain $1_sudo_t:process signal;
+-
+-	ifdef(`mta.te', `
+-	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+-	')
++	domain_role_change_exemption($1_sudo_t)
++	userdom_spec_domtrans_all_users($1_sudo_t)
+ 
+-	') dnl end TODO
++	selinux_validate_context($1_sudo_t)
++	selinux_compute_relabel_context($1_sudo_t)
++	selinux_getattr_fs($1_sudo_t)
++	seutil_read_config($1_sudo_t)
++	seutil_search_default_contexts($1_sudo_t)
++
++	term_use_all_user_ttys($1_sudo_t)
++	term_use_all_user_ptys($1_sudo_t)
++	term_relabel_all_user_ttys($1_sudo_t)
++	term_relabel_all_user_ptys($1_sudo_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/su.if	2008-04-21 11:02:48.064582000 -0400
@@ -2707,109 +2787,6 @@
  ')
  
  #######################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if	2008-04-21 11:02:48.070575000 -0400
-@@ -55,7 +55,7 @@
- 	#
- 
- 	# Use capabilities.
--	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- 	allow $1_sudo_t self:process { setexec setrlimit };
- 	allow $1_sudo_t self:fd use;
-@@ -68,33 +68,35 @@
- 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- 	allow $1_sudo_t self:unix_dgram_socket sendto;
- 	allow $1_sudo_t self:unix_stream_socket connectto;
--	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
-+	allow $1_sudo_t self:key manage_key_perms;
-+	allow $1_sudo_t $1_t:key search;
- 
- 	# Enter this derived domain from the user domain
- 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
- 
- 	# By default, revert to the calling domain when a shell is executed.
- 	corecmd_shell_domtrans($1_sudo_t,$2)
-+	corecmd_bin_domtrans($1_sudo_t,$2)
- 	allow $2 $1_sudo_t:fd use;
- 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
- 	allow $2 $1_sudo_t:process sigchld;
- 
- 	kernel_read_kernel_sysctls($1_sudo_t)
- 	kernel_read_system_state($1_sudo_t)
--	kernel_search_key($1_sudo_t)
-+	kernel_link_key($1_sudo_t)
- 
- 	dev_read_urand($1_sudo_t)
- 
- 	fs_search_auto_mountpoints($1_sudo_t)
- 	fs_getattr_xattr_fs($1_sudo_t)
- 
--	auth_domtrans_chk_passwd($1_sudo_t)
-+	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
- 	# sudo stores a token in the pam_pid directory
- 	auth_manage_pam_pid($1_sudo_t)
- 	auth_use_nsswitch($1_sudo_t)
- 
- 	corecmd_read_bin_symlinks($1_sudo_t)
--	corecmd_getattr_all_executables($1_sudo_t)
-+	corecmd_exec_all_executables($1_sudo_t)
- 
- 	domain_use_interactive_fds($1_sudo_t)
- 	domain_sigchld_interactive_fds($1_sudo_t)
-@@ -106,32 +108,42 @@
- 	files_getattr_usr_files($1_sudo_t)
- 	# for some PAM modules and for cwd
- 	files_dontaudit_search_home($1_sudo_t)
-+	files_list_tmp($1_sudo_t)
- 
- 	init_rw_utmp($1_sudo_t)
- 
- 	libs_use_ld_so($1_sudo_t)
- 	libs_use_shared_libs($1_sudo_t)
- 
-+	logging_send_audit_msgs($1_sudo_t)
- 	logging_send_syslog_msg($1_sudo_t)
- 
- 	miscfiles_read_localization($1_sudo_t)
- 
-+	mta_per_role_template($1, $1_sudo_t, $3)
-+
- 	userdom_manage_user_home_content_files($1,$1_sudo_t)
- 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
- 	userdom_manage_user_tmp_files($1,$1_sudo_t)
- 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
-+	userdom_exec_user_home_content_files($1,$1_sudo_t)
- 	userdom_use_user_terminals($1,$1_sudo_t)
- 	userdom_use_unpriv_users_fds($1_sudo_t)
- 	# for some PAM modules and for cwd
-+	userdom_search_sysadm_home_content_dirs($1_sudo_t)
- 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
- 
--	ifdef(`TODO',`
--	# for when the network connection is killed
--	dontaudit unpriv_userdomain $1_sudo_t:process signal;
--
--	ifdef(`mta.te', `
--	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
--	')
-+	domain_role_change_exemption($1_sudo_t)
-+	userdom_spec_domtrans_all_users($1_sudo_t)
- 
--	') dnl end TODO
-+	selinux_validate_context($1_sudo_t)
-+	selinux_compute_relabel_context($1_sudo_t)
-+	selinux_getattr_fs($1_sudo_t)
-+	seutil_read_config($1_sudo_t)
-+	seutil_search_default_contexts($1_sudo_t)
-+
-+	term_use_all_user_ttys($1_sudo_t)
-+	term_use_all_user_ptys($1_sudo_t)
-+	term_relabel_all_user_ttys($1_sudo_t)
-+	term_relabel_all_user_ptys($1_sudo_t)
- ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2007-10-02 09:54:52.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-04-21 11:02:48.075572000 -0400
@@ -2913,11 +2890,12 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.3.1/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/vbetool.te	2008-04-21 11:02:48.089558000 -0400
-@@ -23,6 +23,8 @@
++++ serefpolicy-3.3.1/policy/modules/admin/vbetool.te	2008-04-25 14:02:32.453140000 -0400
+@@ -23,6 +23,9 @@
  dev_rwx_zero(vbetool_t)
  dev_read_sysfs(vbetool_t)
  
++domain_mmap_low_type(vbetool_t)
 +domain_mmap_low(vbetool_t)
 +
  term_use_unallocated_ttys(vbetool_t)
@@ -6666,7 +6644,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.3.1/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/wine.te	2008-04-21 11:02:48.426377000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/wine.te	2008-04-25 14:01:56.903068000 -0400
 @@ -9,6 +9,7 @@
  type wine_t;
  type wine_exec_t;
@@ -6675,10 +6653,11 @@
  
  ########################################
  #
-@@ -17,10 +18,16 @@
+@@ -17,10 +18,17 @@
  
  optional_policy(`
  	allow wine_t self:process { execstack execmem execheap };
++	domain_mmap_low_type(wine_t)
 +	domain_mmap_low(wine_t)
  	unconfined_domain_noaudit(wine_t)
  	files_execmod_all_files(wine_t)
@@ -7441,6 +7420,47 @@
  # Type for /dev/mapper/control
  #
  type lvm_control_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if	2007-11-29 13:29:34.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/domain.if	2008-04-25 13:52:39.743424000 -0400
+@@ -1242,18 +1242,34 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`domain_mmap_low',`
++interface(`domain_mmap_low_type',`
+ 	gen_require(`
+ 		attribute mmap_low_domain_type;
+ 	')
+ 
+-	allow $1 self:memprotect mmap_zero;
+-
+ 	typeattribute $1 mmap_low_domain_type;
+ ')
+ 
+ ########################################
+ ## <summary>
++##	Ability to mmap a low area of the address space,
++##      as configured by /proc/sys/kernel/mmap_min_addr.
++##      Preventing such mappings helps protect against
++##      exploiting null deref bugs in the kernel.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to mmap low memory.
++##	</summary>
++## </param>
++#
++interface(`domain_mmap_low',`
++
++	allow $1 self:memprotect mmap_zero;
++')
++
++########################################
++## <summary>
+ ##	Allow specified type to receive labeled
+ ##	networking packets from all domains, over
+ ##	all protocols (TCP, UDP, etc)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-04-21 11:02:48.491312000 -0400
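Review bot: The summary above `interface(`domain_mmap_low_type'` begins outside this hunk and, if it is the old `domain_mmap_low` text, still describes the ability to mmap low memory. After the split, that interface only adds the `mmap_low_domain_type` attribute and grants nothing itself. Its header should say so, for example `##	Mark the domain as a type that may mmap low memory (assigns mmap_low_domain_type; grants no permission by itself).`. The new `domain_mmap_low` summary mixes a tab on its first line with spaces on the next three, which does not match the tab-indented `##` blocks around it. Callers in this commit (vbetool.te, wine.te) invoke both interfaces, so a sentence in each header saying when one is needed without the other would help policy authors.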
@@ -15395,8 +15415,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-21 11:02:49.165637000 -0400
-@@ -0,0 +1,53 @@
++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te	2008-04-25 09:00:31.943716000 -0400
+@@ -0,0 +1,55 @@
 +policy_module(gnomeclock,1.0.0)
 +########################################
 +#
@@ -15420,6 +15440,8 @@
 +
 +corecmd_exec_bin(gnomeclock_t)
 +
++userdom_ptrace_all_users(gnomeclock_t)
++
 +files_read_etc_files(gnomeclock_t)
 +files_read_usr_files(gnomeclock_t)
 +
@@ -18950,8 +18972,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.te	2008-04-21 11:02:49.565394000 -0400
-@@ -0,0 +1,157 @@
++++ serefpolicy-3.3.1/policy/modules/services/polkit.te	2008-04-25 08:52:28.305342000 -0400
+@@ -0,0 +1,158 @@
 +policy_module(polkit_auth,1.0.0)
 +
 +########################################
@@ -18989,7 +19011,7 @@
 +allow polkit_t self:unix_stream_socket create_stream_socket_perms;
 +
 +can_exec(polkit_t, polkit_exec_t)
-+corecmd_search_bin(polkit_t)
++corecmd_exec_bin(polkit_t)
 +
 +domain_use_interactive_fds(polkit_t)
 +
@@ -19099,6 +19121,7 @@
 +polkit_domtrans_auth(polkit_grant_t)
 +
 +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
++userdom_read_all_users_state(polkit_grant_t)
 +
 +optional_policy(`
 +	dbus_system_bus_client_template(polkit_grant, polkit_grant_t)
@@ -19214,6 +19237,100 @@
  ##	Execute postfix user mail programs
  ##	in their respective domains.
  ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc	2008-04-21 11:02:49.588372000 -0400
+@@ -3,3 +3,5 @@
+ /usr/sbin/policyd		--	gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+ 
+ /var/run/policyd\.pid		--	gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
++
++/etc/rc.d/init.d/postfixpolicyd	--	gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if	2008-04-21 11:02:49.593367000 -0400
+@@ -1 +1,68 @@
+ ## <summary>Postfix policy server</summary>
++
++########################################
++## <summary>
++##	Execute postfixpolicyd server in the postfixpolicyd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`postfixpolicyd_script_domtrans',`
++	gen_require(`
++		type postfix_policyd_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an postfixpolicyd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the postfixpolicyd domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`postfixpolicyd_admin',`
++	gen_require(`
++		type postfix_policyd_t;
++		type postfix_policyd_script_exec_t;
++		type postfix_policyd_conf_t;
++		type postfix_policyd_var_run_t;
++	')
++
++	allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
++	        
++	# Allow postfix_policyd_t to restart the apache service
++	postfixpolicyd_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 postfix_policyd_script_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_etc($1)
++        manage_all_pattern($1,postfix_policyd_conf_t)
++
++	files_list_pids($1)
++        manage_all_pattern($1,postfix_policyd_var_run_t)
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te	2008-04-21 11:02:49.598362000 -0400
+@@ -16,6 +16,9 @@
+ type postfix_policyd_var_run_t;
+ files_pid_file(postfix_policyd_var_run_t)
+ 
++type postfix_policyd_script_exec_t;
++init_script_type(postfix_policyd_script_exec_t)
++
+ ########################################
+ #
+ # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-04-23 15:05:37.257075000 -0400
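Review bot: The postfixpolicyd.fc entry for `/etc/rc.d/init.d/postfixpolicyd` names `postfixpolicyd_script_exec_t`, but postfixpolicyd.te declares `postfix_policyd_script_exec_t`, and both interfaces require that name. The init script would therefore not receive the label that `postfixpolicyd_script_domtrans` transitions on, and the undeclared type may fail file-context validation. The context should read `gen_context(system_u:object_r:postfix_policyd_script_exec_t,s0)`. In `postfixpolicyd_admin`, the comment `# Allow postfix_policyd_t to restart the apache service` looks copied from another module and should name the postfixpolicyd service and the `$1` admin domain. This section is only being relocated within the patch by this commit, but the mismatch travels with it.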
@@ -19406,105 +19523,11 @@
  
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc	2007-11-08 09:29:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc	2008-04-21 11:02:49.588372000 -0400
-@@ -3,3 +3,5 @@
- /usr/sbin/policyd		--	gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
- 
- /var/run/policyd\.pid		--	gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
-+
-+/etc/rc.d/init.d/postfixpolicyd	--	gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.if	2007-11-08 09:29:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if	2008-04-21 11:02:49.593367000 -0400
-@@ -1 +1,68 @@
- ## <summary>Postfix policy server</summary>
-+
-+########################################
-+## <summary>
-+##	Execute postfixpolicyd server in the postfixpolicyd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+#
-+interface(`postfixpolicyd_script_domtrans',`
-+	gen_require(`
-+		type postfix_policyd_script_exec_t;
-+	')
-+
-+	init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an postfixpolicyd environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the postfixpolicyd domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the user terminal.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`postfixpolicyd_admin',`
-+	gen_require(`
-+		type postfix_policyd_t;
-+		type postfix_policyd_script_exec_t;
-+		type postfix_policyd_conf_t;
-+		type postfix_policyd_var_run_t;
-+	')
-+
-+	allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
-+	        
-+	# Allow postfix_policyd_t to restart the apache service
-+	postfixpolicyd_script_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 postfix_policyd_script_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_etc($1)
-+        manage_all_pattern($1,postfix_policyd_conf_t)
-+
-+	files_list_pids($1)
-+        manage_all_pattern($1,postfix_policyd_var_run_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.te	2007-11-08 09:29:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te	2008-04-21 11:02:49.598362000 -0400
-@@ -16,6 +16,9 @@
- type postfix_policyd_var_run_t;
- files_pid_file(postfix_policyd_var_run_t)
- 
-+type postfix_policyd_script_exec_t;
-+init_script_type(postfix_policyd_script_exec_t)
-+
- ########################################
- #
- # Local Policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
---- nsaserefpolicy/policy/modules/services/postgresql.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc	2008-04-21 11:02:49.603357000 -0400
-@@ -31,6 +31,7 @@
- /var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
+--- nsaserefpolicy/policy/modules/services/postgresql.fc	2006-11-16 17:15:21.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc	2008-04-21 11:02:49.603357000 -0400
+@@ -31,6 +31,7 @@
+ /var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)
  
  /var/log/postgres\.log.* 	--	gen_context(system_u:object_r:postgresql_log_t,s0)
 +/var/lib/pgsql/logfile(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
@@ -21187,6 +21210,123 @@
  ########################################
  #
  # Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc	2008-04-21 11:02:49.886076000 -0400
+@@ -5,3 +5,5 @@
+ /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
++
++/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if
+--- nsaserefpolicy/policy/modules/services/rpcbind.if	2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if	2008-04-21 11:02:49.891070000 -0400
+@@ -95,3 +95,70 @@
+ 	manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ 	files_search_var_lib($1)
+ ')
++
++########################################
++## <summary>
++##	Execute rpcbind server in the rpcbind domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`rpcbind_script_domtrans',`
++	gen_require(`
++		type rpcbind_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,rpcbind_script_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an rpcbind environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the rpcbind domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rpcbind_admin',`
++	gen_require(`
++		type rpcbind_t;
++		type rpcbind_script_exec_t;
++		type rpcbind_var_lib_t;
++		type rpcbind_var_run_t;
++	')
++
++	allow $1 rpcbind_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, rpcbind_t, rpcbind_t)
++	        
++	# Allow rpcbind_t to restart the apache service
++	rpcbind_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 rpcbind_script_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_var_lib($1)
++        manage_all_pattern($1,rpcbind_var_lib_t)
++
++	files_list_pids($1)
++        manage_all_pattern($1,rpcbind_var_run_t)
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te	2008-04-21 11:02:49.897064000 -0400
+@@ -16,16 +16,21 @@
+ type rpcbind_var_lib_t;
+ files_type(rpcbind_var_lib_t)
+ 
++type rpcbind_script_exec_t;
++init_script_type(rpcbind_script_exec_t)
++
+ ########################################
+ #
+ # rpcbind local policy
+ #
+ 
+-allow rpcbind_t self:capability setuid;
++allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
+ allow rpcbind_t self:fifo_file rw_file_perms;
+ allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+ allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow rpcbind_t self:udp_socket create_socket_perms;
++# BROKEN ...
++dontaudit rpcbind_t self:udp_socket listen;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+ 
+ manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
+@@ -37,6 +42,7 @@
+ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+ 
++kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ 
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2007-12-04 11:02:50.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/rpc.if	2008-04-21 11:02:49.875087000 -0400
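Review bot: In the rpcbind.te section carried by this hunk, `allow rpcbind_t self:capability { dac_override setuid sys_tty_config };` widens the daemon from `setuid` alone to two more capabilities with no comment on what needed them. `dac_override` in particular lets a network service bypass file permission checks, so it deserves a one-line justification or a narrower file rule. The `# BROKEN ...` marker above `dontaudit rpcbind_t self:udp_socket listen;` should say what is broken, e.g. `# rpcbind calls listen() on its UDP socket; hide the denial rather than allow it`, if that is indeed the reason. In rpcbind_admin the comment `# Allow rpcbind_t to restart the apache service` looks copied from another module and would read better as `# Allow $1 to run the rpcbind init script`. The next hunk removes an identical block, so this commit only relocates the text within the patch.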
@@ -21323,123 +21463,6 @@
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
---- nsaserefpolicy/policy/modules/services/rpcbind.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc	2008-04-21 11:02:49.886076000 -0400
-@@ -5,3 +5,5 @@
- /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
-+
-+/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if
---- nsaserefpolicy/policy/modules/services/rpcbind.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if	2008-04-21 11:02:49.891070000 -0400
-@@ -95,3 +95,70 @@
- 	manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
- 	files_search_var_lib($1)
- ')
-+
-+########################################
-+## <summary>
-+##	Execute rpcbind server in the rpcbind domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+#
-+interface(`rpcbind_script_domtrans',`
-+	gen_require(`
-+		type rpcbind_script_exec_t;
-+	')
-+
-+	init_script_domtrans_spec($1,rpcbind_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an rpcbind environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the rpcbind domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the user terminal.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`rpcbind_admin',`
-+	gen_require(`
-+		type rpcbind_t;
-+		type rpcbind_script_exec_t;
-+		type rpcbind_var_lib_t;
-+		type rpcbind_var_run_t;
-+	')
-+
-+	allow $1 rpcbind_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, rpcbind_t, rpcbind_t)
-+	        
-+	# Allow rpcbind_t to restart the apache service
-+	rpcbind_script_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 rpcbind_script_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_var_lib($1)
-+        manage_all_pattern($1,rpcbind_var_lib_t)
-+
-+	files_list_pids($1)
-+        manage_all_pattern($1,rpcbind_var_run_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te
---- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te	2008-04-21 11:02:49.897064000 -0400
-@@ -16,16 +16,21 @@
- type rpcbind_var_lib_t;
- files_type(rpcbind_var_lib_t)
- 
-+type rpcbind_script_exec_t;
-+init_script_type(rpcbind_script_exec_t)
-+
- ########################################
- #
- # rpcbind local policy
- #
- 
--allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
- allow rpcbind_t self:fifo_file rw_file_perms;
- allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
- allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow rpcbind_t self:udp_socket create_socket_perms;
-+# BROKEN ...
-+dontaudit rpcbind_t self:udp_socket listen;
- allow rpcbind_t self:tcp_socket create_stream_socket_perms;
- 
- manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-@@ -37,6 +42,7 @@
- manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
- 
-+kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
- 
- corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/rshd.te	2008-04-21 11:02:49.902059000 -0400
@@ -24873,8 +24896,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.3.1/policy/modules/services/tor.te
 --- nsaserefpolicy/policy/modules/services/tor.te	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/tor.te	2008-04-21 11:02:50.163796000 -0400
-@@ -26,6 +26,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/tor.te	2008-04-25 15:19:54.047888000 -0400
+@@ -26,11 +26,15 @@
  type tor_var_run_t;
  files_pid_file(tor_var_run_t)
  
@@ -24884,6 +24907,28 @@
  ########################################
  #
  # tor local policy
+ #
+ 
++allow tor_t self:capability { setgid setuid };
+ allow tor_t self:fifo_file { read write };
+ allow tor_t self:unix_stream_socket create_stream_socket_perms;
+ allow tor_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -86,13 +90,13 @@
+ files_read_etc_files(tor_t)
+ files_read_etc_runtime_files(tor_t)
+ 
++auth_use_nsswitch(tor_t)
++
+ libs_use_ld_so(tor_t)
+ libs_use_shared_libs(tor_t)
+ 
+ miscfiles_read_localization(tor_t)
+ 
+-sysnet_dns_name_resolve(tor_t)
+-
+ optional_policy(`
+ 	seutil_sigchld_newrole(tor_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.3.1/policy/modules/services/uucp.if
 --- nsaserefpolicy/policy/modules/services/uucp.if	2008-02-15 09:52:56.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/uucp.if	2008-04-21 11:02:50.168791000 -0400
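Review bot: The added `allow tor_t self:capability { setgid setuid };` grants both capabilities with no comment on why they are needed. A line above it such as `# switch from root to the configured user and group at startup` would record the intent, assuming that is the reason. Further down, replacing `sysnet_dns_name_resolve(tor_t)` with `auth_use_nsswitch(tor_t)` is likely a wider grant than DNS resolution, since nsswitch lookups can reach whatever name services the host configures. The interface body is not visible here, so confirm tor needs more than DNS and local passwd/group lookups. The rest of tor.te lies outside this hunk.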
@@ -25044,7 +25089,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-04-21 11:02:50.208767000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-04-25 13:53:23.721317000 -0400
 @@ -12,9 +12,15 @@
  ##	</summary>
  ## </param>
@@ -25103,7 +25148,7 @@
  	kernel_read_system_state($1_xserver_t)
  	kernel_read_device_sysctls($1_xserver_t)
  	kernel_read_modprobe_sysctls($1_xserver_t)
-@@ -115,18 +129,23 @@
+@@ -115,18 +129,24 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
  	dev_manage_dri_dev($1_xserver_t)
@@ -25123,13 +25168,14 @@
 +	dev_rw_generic_usb_dev($1_xserver_t)
 +	dev_rw_generic_usb_pipes($1_xserver_t)
  
++	domain_mmap_low_type($1_xserver_t)
  	domain_mmap_low($1_xserver_t)
 +	domain_read_all_domains_state($1_xserver_t)
 +	domain_dontaudit_ptrace_all_domains($1_xserver_t)
  
  	files_read_etc_files($1_xserver_t)
  	files_read_etc_runtime_files($1_xserver_t)
-@@ -140,26 +159,37 @@
+@@ -140,26 +160,37 @@
  	fs_getattr_xattr_fs($1_xserver_t)
  	fs_search_nfs($1_xserver_t)
  	fs_search_auto_mountpoints($1_xserver_t)
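Review bot: `domain_mmap_low($1_xserver_t)` stays unconditional here, while the same commit puts low-memory mapping for unconfined domains behind a boolean, and nothing in the template says why the X server is exempt. A comment above the pair would make the exception deliberate and reviewable, for example `# X server maps low memory unconditionally (presumably for video BIOS/vm86 use); not gated by allow_unconfined_mmap_low`. Neither `domain_mmap_low_type` nor `domain_mmap_low` is defined in this hunk, so check against domain.if whether both calls are needed for the same type. The template body starts and ends outside the hunk.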
@@ -25169,7 +25215,7 @@
  
  	ifndef(`distro_redhat',`
  		allow $1_xserver_t self:process { execmem execheap execstack };
-@@ -169,6 +199,46 @@
+@@ -169,6 +200,46 @@
  		allow $1_xserver_t self:process { execmem execheap execstack };
  	')
  
@@ -25216,7 +25262,7 @@
  	optional_policy(`
  		apm_stream_connect($1_xserver_t)
  	')
-@@ -223,8 +293,10 @@
+@@ -223,8 +294,10 @@
  template(`xserver_per_role_template',`
  
  	gen_require(`
@@ -25229,7 +25275,7 @@
  	')
  
  	##############################
-@@ -232,189 +304,119 @@
+@@ -232,189 +305,119 @@
  	# Declarations
  	#
  
@@ -25483,7 +25529,7 @@
  ')
  
  #######################################
-@@ -521,19 +523,18 @@
+@@ -521,19 +524,18 @@
  ## </param>
  #
  template(`xserver_user_client_template',`
@@ -25511,7 +25557,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,26 +543,535 @@
+@@ -542,26 +544,535 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -26053,7 +26099,7 @@
  ')
  
  ########################################
-@@ -593,26 +1103,44 @@
+@@ -593,26 +1104,44 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -26105,7 +26151,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -638,10 +1166,77 @@
+@@ -638,10 +1167,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
@@ -26185,7 +26231,7 @@
  ')
  
  ########################################
-@@ -671,10 +1266,10 @@
+@@ -671,10 +1267,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -26198,7 +26244,7 @@
  ')
  
  ########################################
-@@ -760,7 +1355,7 @@
+@@ -760,7 +1356,7 @@
  		type xconsole_device_t;
  	')
  
@@ -26207,7 +26253,7 @@
  ')
  
  ########################################
-@@ -860,6 +1455,25 @@
+@@ -860,6 +1456,25 @@
  
  ########################################
  ## <summary>
@@ -26233,7 +26279,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1528,7 @@
+@@ -914,6 +1529,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -26241,7 +26287,7 @@
  ')
  
  ########################################
-@@ -932,7 +1547,7 @@
+@@ -932,7 +1548,7 @@
  	')
  
  	files_search_pids($1)
@@ -26250,7 +26296,7 @@
  ')
  
  ########################################
-@@ -955,6 +1570,24 @@
+@@ -955,6 +1571,24 @@
  
  ########################################
  ## <summary>
@@ -26275,7 +26321,7 @@
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -965,15 +1598,47 @@
+@@ -965,15 +1599,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -26324,7 +26370,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1788,7 @@
+@@ -1123,7 +1789,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -26333,7 +26379,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1977,83 @@
+@@ -1312,3 +1978,83 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -31003,7 +31049,7 @@
 +/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-04-21 11:02:50.553564000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-04-25 13:52:57.017888000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -31038,15 +31084,24 @@
  
  	kernel_unconfined($1)
  	corenet_unconfined($1)
-@@ -40,6 +40,7 @@
+@@ -40,10 +40,16 @@
  	domain_unconfined($1)
  	domain_dontaudit_read_all_domains_state($1)
  	domain_dontaudit_ptrace_all_domains($1)
-+	domain_mmap_low($1)
++
  	files_unconfined($1)
  	fs_unconfined($1)
  	selinux_unconfined($1)
-@@ -70,6 +71,7 @@
+ 
++	domain_mmap_low_type($1)
++	tunable_policy(`allow_unconfined_mmap_low',`
++		domain_mmap_low($1)
++	')
++
+ 	tunable_policy(`allow_execheap',`
+ 		# Allow making the stack executable via mprotect.
+ 		allow $1 self:process execheap;
+@@ -70,6 +76,7 @@
  	optional_policy(`
  		# Communicate via dbusd.
  		dbus_system_bus_unconfined($1)
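Review bot: `domain_mmap_low_type($1)` applies to every caller of this interface, while only `domain_mmap_low($1)` sits inside the `allow_unconfined_mmap_low` tunable block, and the split is not explained. A short comment would help, e.g. `# attribute is assigned unconditionally (presumably because type attributes cannot be set inside a conditional); the mmap_zero permission itself follows the boolean`. Because all unconfined domains share this interface body, turning the boolean on re-enables low-address mappings for every one of them at once. That weakens the protection against kernel NULL-pointer dereference bugs, and the boolean's help text should say so. The interface starts above the hunk and continues past it.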
@@ -31054,7 +31109,7 @@
  	')
  
  	optional_policy(`
-@@ -95,6 +97,10 @@
+@@ -95,6 +102,10 @@
  	optional_policy(`
  		storage_unconfined($1)
  	')
@@ -31065,7 +31120,7 @@
  ')
  
  ########################################
-@@ -372,6 +378,24 @@
+@@ -372,6 +383,24 @@
  
  ########################################
  ## <summary>
@@ -31090,7 +31145,7 @@
  ##	Send generic signals to the unconfined domain.
  ## </summary>
  ## <param name="domain">
-@@ -581,7 +605,6 @@
+@@ -581,7 +610,6 @@
  interface(`unconfined_dbus_connect',`
  	gen_require(`
  		type unconfined_t;
@@ -31098,19 +31153,20 @@
  	')
  
  	allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,49 +612,209 @@
+@@ -589,7 +617,7 @@
  
  ########################################
  ## <summary>
 -##	Read files in unconfined users home directories.
 +##	Allow ptrace of unconfined domain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -597,20 +625,53 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`unconfined_read_home_content_files',`
 +interface(`unconfined_ptrace',`
 +	gen_require(`
 +		type unconfined_t;
@@ -31148,34 +31204,47 @@
 +## </param>
 +#
 +interface(`unconfined_execmem_rw_shm',`
-+	gen_require(`
+ 	gen_require(`
+-		type unconfined_home_dir_t, unconfined_home_t;
 +		type unconfined_execmem_t;
-+	')
-+
+ 	')
+ 
+-	files_search_home($1)
+-	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+-	read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+-	read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
 +	allow $1 unconfined_execmem_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read unconfined users temporary files.
 +##	Transition to the unconfined_execmem domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -618,20 +679,58 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`unconfined_read_tmp_files',`
 +interface(`unconfined_execmem_domtrans',`
 +
-+	gen_require(`
+ 	gen_require(`
+-		type unconfined_tmp_t;
 +		type unconfined_execmem_t, unconfined_execmem_exec_t;
-+	')
-+
+ 	')
+ 
+-	files_search_tmp($1)
+-	allow $1 unconfined_tmp_t:dir list_dir_perms;
+-	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+-	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
 +	domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write unconfined users temporary files.
 +##	allow attempts to use unconfined ttys and ptys.
 +## </summary>
 +## <param name="domain">
@@ -31217,15 +31286,17 @@
 +########################################
 +## <summary>
 +##	Allow apps to set rlimits on userdomain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -639,10 +738,99 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`unconfined_write_tmp_files',`
 +interface(`unconfined_set_rlimitnh',`
-+	gen_require(`
+ 	gen_require(`
+-		type unconfined_tmp_t;
 +		type unconfined_t;
 +	')
 +
@@ -31254,83 +31325,67 @@
 +########################################
 +## <summary>
 +##	Read/write unconfined tmpfs files.
- ## </summary>
++## </summary>
 +## <desc>
 +##	<p>
 +##	Read/write unconfined tmpfs files.
 +##	</p>
 +## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`unconfined_read_home_content_files',`
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`unconfined_rw_tmpfs_files',`
- 	gen_require(`
--		type unconfined_home_dir_t, unconfined_home_t;
++	gen_require(`
 +		type unconfined_tmpfs_t;
- 	')
- 
--	files_search_home($1)
--	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
--	read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
--	read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
++	')
++
 +	fs_search_tmpfs($1)
 +	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
 +	rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
 +	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read unconfined users temporary files.
++')
++
++########################################
++## <summary>
 +##	Delete unconfined tmpfs files.
- ## </summary>
++## </summary>
 +## <desc>
 +##	<p>
 +##	Read/write unconfined tmpfs files.
 +##	</p>
 +## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`unconfined_read_tmp_files',`
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`unconfined_delete_tmpfs_files',`
- 	gen_require(`
--		type unconfined_tmp_t;
++	gen_require(`
 +		type unconfined_tmpfs_t;
- 	')
- 
--	files_search_tmp($1)
--	allow $1 unconfined_tmp_t:dir list_dir_perms;
--	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
--	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
++	')
++
 +	fs_search_tmpfs($1)
 +	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
 +	delete_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
 +	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Write unconfined users temporary files.
++')
++
++########################################
++## <summary>
 +##	Get the process group of unconfined.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -639,10 +822,10 @@
- ##	</summary>
- ## </param>
- #
--interface(`unconfined_write_tmp_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`unconfined_getpgid',`
- 	gen_require(`
--		type unconfined_tmp_t;
++	gen_require(`
 +		type unconfined_t;
  	')
  
@@ -31339,8 +31394,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-24 16:57:46.339086000 -0400
-@@ -6,35 +6,67 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-25 14:52:17.887753000 -0400
+@@ -6,35 +6,74 @@
  # Declarations
  #
  
@@ -31353,6 +31408,13 @@
 +
 +## <desc>
 +## <p>
++## Allow unconfined domain to map low memory in the kernel
++## </p>
++## </desc>
++gen_tunable(allow_unconfined_mmap_low,false)
++
++## <desc>
++## <p>
 +## Transition to confined qemu domains from unconfined user
 +## </p>
 +## </desc>
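Review bot: The description `Allow unconfined domain to map low memory in the kernel` is what administrators see when listing booleans, and it reads as if kernel memory were being mapped. What the boolean appears to control is a process mapping the low region of its own address space. Suggested wording: `## Allow unconfined domains to mmap the low region of the address space (mmap_zero); weakens kernel NULL-dereference protection`. The declared default is `false`, but the value on an installed system comes from the booleans file the package ships, so check that file against the intended default.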
@@ -31412,7 +31474,7 @@
  
  libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,37 +74,44 @@
+@@ -42,37 +81,44 @@
  logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -31467,7 +31529,7 @@
  ')
  
  optional_policy(`
-@@ -101,12 +140,24 @@
+@@ -101,12 +147,24 @@
  	')
  
  	optional_policy(`
@@ -31492,7 +31554,7 @@
  ')
  
  optional_policy(`
-@@ -118,11 +169,7 @@
+@@ -118,11 +176,7 @@
  ')
  
  optional_policy(`
@@ -31505,7 +31567,7 @@
  ')
  
  optional_policy(`
-@@ -134,82 +181,97 @@
+@@ -134,82 +188,97 @@
  ')
  
  optional_policy(`
@@ -31628,7 +31690,7 @@
  ')
  
  ########################################
-@@ -219,14 +281,35 @@
+@@ -219,14 +288,35 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -31684,7 +31746,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-24 15:08:40.156331000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-25 08:59:40.282820000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -35308,8 +35370,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-04-23 10:09:03.411358000 -0400
-@@ -0,0 +1,174 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-04-25 08:55:03.831022000 -0400
+@@ -0,0 +1,176 @@
 +
 +policy_module(virt,1.0.0)
 +
@@ -35383,6 +35445,8 @@
 +manage_files_pattern(virtd_t, virt_log_t,  virt_log_t)
 +logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
 +
++read_files_pattern(virtd_t, virt_image_t,  virt_image_t)
++
 +read_files_pattern(virtd_t, virt_etc_t,  virt_etc_t)
 +read_lnk_files_pattern(virtd_t, virt_etc_t,  virt_etc_t)
 +
@@ -36159,3 +36223,47 @@
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
+--- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/Rules.modular	2008-04-21 11:02:47.848797000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ 	@echo "Compliling $(NAME) $(@F) module"
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+-	$(call perrole-expansion,$(basename $(@F)),$@.role)
+-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++#	$(call perrole-expansion,$(basename $(@F)),$@.role)
++	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+ 
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ 	$(verbose) $(genperm) $(avs) $(secclass) > $@
+-	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+ 
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -147,7 +147,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ 	$(verbose) echo "" > $@
+-	$(call parse-rolemap,base,$@)
++#	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
++++ serefpolicy-3.3.1/Rules.monolithic	2008-04-21 11:02:47.854791000 -0400
+@@ -96,7 +96,7 @@
+ #
+ # Load the binary policy
+ #
+-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
+ 	@echo "Loading $(NAME) $(loadpath)"
+ 	$(verbose) $(LOADPOLICY) -q $(loadpath)
+ 	@touch $(tmpdir)/load
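Review bot: The three recipe lines disabled in Rules.modular (`perrole-expansion`, `create-base-per-role-tmpl`, `parse-rolemap`) are left as commented-out code with no stated reason, and the `$(tmpdir)/%.mod` recipe also drops `$@.role` from the m4 input without mention. The result is that `$(tmpdir)/rolemap.conf` is written with only an empty line and no per-role template output reaches the modules, which anyone auditing the built policy needs to know is intentional. Replace each dead line with a short explanatory comment, for example `# per-role template expansion intentionally disabled in this build; rolemap.conf is left empty`, or delete the lines and record the reason in the patch header. Whether these sections are new or only moved from elsewhere in policy-20071130.patch cannot be told from this hunk.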


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.658
retrieving revision 1.659
diff -u -r1.658 -r1.659
--- selinux-policy.spec	24 Apr 2008 21:03:28 -0000	1.658
+++ selinux-policy.spec	25 Apr 2008 21:13:17 -0000	1.659
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 41%{?dist}
+Release: 42%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,11 @@
 %endif
 
 %changelog
+* Fri Apr 25 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-42
+- Add boolean to mmap_zero
+- allow tor setgid
+- Allow gnomeclock to set clock
+
 * Thu Apr 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-41
 - Don't run crontab from unconfined_t
 



