rpms/selinux-policy/devel booleans-targeted.conf, 1.35, 1.36 policy-20071130.patch, 1.41, 1.42 selinux-policy.spec, 1.591, 1.592

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jan 28 16:49:27 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13055

Modified Files:
	booleans-targeted.conf policy-20071130.patch 
	selinux-policy.spec 
Log Message:
* Fri Jan 25 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-20
- Allow usertypes to read/write noxattr file systems



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- booleans-targeted.conf	10 Nov 2007 13:20:34 -0000	1.35
+++ booleans-targeted.conf	28 Jan 2008 16:48:49 -0000	1.36
@@ -258,3 +258,7 @@
 # Allow postfix locat to write to mail spool
 # 
 allow_postfix_local_write_mail_spool=true
+
+# Allow common users to read/write noexattrfile systems
+# 
+user_rw_noexattrfile=true
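Review bot: `user_rw_noexattrfile=true` ships the new boolean enabled, so every unprivileged user domain gains read/write on file systems that cannot carry security xattr labels by default; a widening of that kind is normally a deliberate opt-in, and a default of `false` with the admin turning it on would be the conservative choice. The `gen_tunable` declaration and the `.te` rules gated by this boolean are not in this diff, so the exact access it grants cannot be confirmed here and should be checked in the policy sources. The comment text `noexattrfile systems` also reads as a slip for the wording used in the log message; I would write it as `# Allow unprivileged user domains to read/write file systems without xattr label support`.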

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- policy-20071130.patch	24 Jan 2008 18:12:25 -0000	1.41
+++ policy-20071130.patch	28 Jan 2008 16:48:49 -0000	1.42
@@ -1347,7 +1347,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/su.if	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/su.if	2008-01-28 11:21:49.000000000 -0500
 @@ -41,15 +41,13 @@
  
  	allow $2 $1_su_t:process signal;
@@ -1373,7 +1373,18 @@
  	logging_send_syslog_msg($1_su_t)
  
  	miscfiles_read_localization($1_su_t)
-@@ -119,11 +118,6 @@
+@@ -112,6 +111,10 @@
+ 		userdom_spec_domtrans_unpriv_users($1_su_t)
+ 	')
+ 
++	# Deal with unconfined_terminals.
++	term_use_all_user_ttys($1_su_t)
++	term_use_all_user_ptys($1_su_t)
++
+ 	optional_policy(`
+ 		cron_read_pipes($1_su_t)
+ 	')
+@@ -119,11 +122,6 @@
  	optional_policy(`
  		kerberos_use($1_su_t)
  	')
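Review bot: The added `term_use_all_user_ttys($1_su_t)` and `term_use_all_user_ptys($1_su_t)` are unconditional, so every per-role su domain gains access to all users' tty and pty types rather than only the terminal of the session it was started from, which is a terminal-hijack surface between confined users. The one-line comment `# Deal with unconfined_terminals.` does not explain why the wide form is needed; if the case being fixed is su invoked from a terminal whose type is not one of the per-role user terminal types, a narrower interface covering just those types, or placing these two lines in the same guard that brings in the unconfined role, would be preferable. At minimum expand the comment to state the intent and the trade-off, e.g. `# su started from an unconfined session: the caller's tty/pty is not a $1_* terminal type, so allow all user terminals (broad; revisit)`. The enclosing su template begins and ends outside this hunk.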
@@ -1385,7 +1396,7 @@
  ')
  
  #######################################
-@@ -172,13 +166,12 @@
+@@ -172,13 +170,12 @@
  	domain_interactive_fd($1_su_t)
  	role $3 types $1_su_t;
  
@@ -1402,7 +1413,7 @@
  	allow $1_su_t self:key { search write };
  
  	# Transition from the user domain to this domain.
-@@ -188,7 +181,7 @@
+@@ -188,7 +185,7 @@
  	corecmd_shell_domtrans($1_su_t,$2)
  	allow $2 $1_su_t:fd use;
  	allow $2 $1_su_t:fifo_file rw_file_perms;
@@ -1411,7 +1422,7 @@
  
  	kernel_read_system_state($1_su_t)
  	kernel_read_kernel_sysctls($1_su_t)
-@@ -203,15 +196,15 @@
+@@ -203,15 +200,15 @@
  	# needed for pam_rootok
  	selinux_compute_access_vector($1_su_t)
  
@@ -1430,7 +1441,7 @@
  	files_read_etc_files($1_su_t)
  	files_read_etc_runtime_files($1_su_t)
  	files_search_var_lib($1_su_t)
-@@ -226,12 +219,14 @@
+@@ -226,12 +223,14 @@
  	libs_use_ld_so($1_su_t)
  	libs_use_shared_libs($1_su_t)
  
@@ -1446,7 +1457,7 @@
  
  	ifdef(`distro_rhel4',`
  		domain_role_change_exemption($1_su_t)
-@@ -295,13 +290,7 @@
+@@ -295,13 +294,7 @@
  		xserver_domtrans_user_xauth($1, $1_su_t)
  	')
  
@@ -2730,7 +2741,7 @@
 +/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/java.if	2008-01-22 12:52:42.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/java.if	2008-01-28 11:17:25.000000000 -0500
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
@@ -3167,7 +3178,7 @@
  # /bin
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if	2008-01-21 18:10:10.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if	2008-01-25 16:49:06.000000000 -0500
 @@ -35,7 +35,10 @@
  template(`mozilla_per_role_template',`
  	gen_require(`
@@ -3563,7 +3574,7 @@
  ')
  
  ########################################
-@@ -464,11 +385,11 @@
+@@ -464,11 +385,10 @@
  #
  template(`mozilla_write_user_home_files',`
  	gen_require(`
@@ -3573,12 +3584,11 @@
  
 -	allow $2 $1_mozilla_home_t:dir list_dir_perms;
 -	allow $2 $1_mozilla_home_t:file write;
-+	allow $2 user_mozilla_home_t:dir list_dir_perms;
-+	allow $2 user_mozilla_home_t:file write;
++	write_files_pattern($2, user_mozilla_home_t, user_mozilla_home_t)
  ')
  
  ########################################
-@@ -573,3 +494,27 @@
+@@ -573,3 +493,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -3745,8 +3755,8 @@
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-24 13:03:01.000000000 -0500
-@@ -0,0 +1,336 @@
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-25 12:10:23.000000000 -0500
+@@ -0,0 +1,337 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -3916,6 +3926,7 @@
 +	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
 +	allow $2 nsplugin_t:unix_stream_socket connectto;
 +	userdom_use_user_terminals($1, nsplugin_t)
++	userdom_use_user_terminals($1, nsplugin_config_t)
 +')
 +
 +#######################################
@@ -4085,8 +4096,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-24 13:03:48.000000000 -0500
-@@ -0,0 +1,129 @@
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-25 16:48:50.000000000 -0500
+@@ -0,0 +1,135 @@
 +policy_module(nsplugin,1.0.0)
 +
 +########################################
@@ -4107,6 +4118,9 @@
 +type nsplugin_rw_t;
 +files_type(nsplugin_rw_t)
 +
++type nsplugin_tmp_t;
++files_tmp_file(nsplugin_tmp_t)
++
 +type user_nsplugin_home_t;
 +files_poly_member(user_nsplugin_home_t)
 +userdom_user_home_content(user,user_nsplugin_home_t)
@@ -4184,6 +4198,10 @@
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir })
++
 +can_exec(nsplugin_config_t, nsplugin_rw_t)
 +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
 +manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@@ -4214,7 +4232,6 @@
 +
 +nsplugin_domtrans(nsplugin_config_t)
 +
-+dev_read_sound(nsplugin_t)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
@@ -5066,22 +5083,44 @@
 +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc	2008-01-18 12:40:46.000000000 -0500
-@@ -22,6 +22,7 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc	2008-01-24 14:06:12.000000000 -0500
+@@ -1,7 +1,7 @@
+ 
+ /dev			-d	gen_context(system_u:object_r:device_t,s0)
+ /dev/.*				gen_context(system_u:object_r:device_t,s0)
+-
++/dev/3dfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/admmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+@@ -16,28 +16,40 @@
+ /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/gfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/graphics		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/gtrsc.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
++/dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
  /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
 +/dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
++/dev/hfmodem		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hidraw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
-@@ -29,10 +30,13 @@
+ /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
  /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
  /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
  /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
 +/dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 +/dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
  /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
++/dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/jbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -5089,6 +5128,56 @@
  /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+ /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+@@ -48,6 +60,7 @@
+ /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+ /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
+@@ -69,9 +82,8 @@
+ /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
+-/dev/usbmon[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
+-/dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+-/dev/usb[0-9]+		-c	gen_context(system_u:object_r:usb_device_t,s0)
++/dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
++/dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+ ifdef(`distro_suse', `
+ /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -98,13 +110,23 @@
+ 
+ /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ 
++/dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/input/keyboard.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+ /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+ /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/uinput	-c	gen_context(system_u:object_r:event_device_t,s0)
++/dev/pc110pad		-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/vrtpanel		-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/touchscreen/ucb1x00	-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
++/dev/bometric/sensor.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+ 
+ /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
++/dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ 
+ /dev/pts(/.*)?			<<none>>
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.5/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/kernel/devices.if	2008-01-18 12:40:46.000000000 -0500
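Review bot: `/dev/bometric/sensor.*` among the new input-device entries looks like a misspelling of `/dev/biometric/sensor.*`; as written the pattern would never match the node it appears to target, leaving it with the generic `device_t` label from the `/dev/.*` catch-all rather than `event_device_t`. Please confirm the intended path against the device naming and correct the spelling. Separately, replacing `/dev/usb[0-9]+`, `/dev/usbdev.*` and `/dev/usbmon[0-9]+` with the much wider `/dev/usb.+` means the `usb_device_t` entry now overlaps the `/dev/usblp.*` printer entry that follows it, so it is worth checking with matchpathcon that `/dev/usblp0` still resolves to `printer_device_t` after this change.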
@@ -5327,7 +5416,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/files.if	2008-01-21 17:43:20.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/files.if	2008-01-28 10:12:03.000000000 -0500
 @@ -1266,6 +1266,24 @@
  
  ########################################
@@ -5430,8 +5519,34 @@
  # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.5/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if	2008-01-24 12:36:13.000000000 -0500
-@@ -1171,6 +1171,25 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if	2008-01-24 15:48:29.000000000 -0500
+@@ -310,6 +310,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Read and write files on hugetlbfs files
++##	file systems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_rw_hugetlbfs_files',`
++	gen_require(`
++		type hugetlbfs_t;
++
++	')
++
++	rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t)
++')
++########################################
++## <summary>
+ ##	Mount an automount pseudo filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1171,6 +1190,25 @@
  
  ########################################
  ## <summary>
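Review bot: The new `fs_rw_hugetlbfs_files` interface has a stray empty line inside its `gen_require` block and no blank line between its closing `')` and the `########` banner of the next interface, which departs from the layout every other interface in this file follows (see the hunk's context lines). Drop the empty line after `type hugetlbfs_t;` and add one after `')`. The summary `Read and write files on hugetlbfs files file systems` also doubles the word "files"; I would write it as `## Read and write files on hugetlbfs file systems.`.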
@@ -5459,7 +5574,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.5/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.te	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.te	2008-01-24 15:45:23.000000000 -0500
 @@ -25,6 +25,8 @@
  fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -6825,7 +6940,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.5/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/apcupsd.te	2008-01-18 14:00:42.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/apcupsd.te	2008-01-25 14:08:48.000000000 -0500
 @@ -22,6 +22,9 @@
  type apcupsd_var_run_t;
  files_pid_file(apcupsd_var_run_t)
@@ -7950,10 +8065,39 @@
 +optional_policy(`
 +	mailscanner_manage_spool(clamscan_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.5/policy/modules/services/consolekit.fc
+--- nsaserefpolicy/policy/modules/services/consolekit.fc	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/services/consolekit.fc	2008-01-28 11:43:14.000000000 -0500
+@@ -1,3 +1,5 @@
+ /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
+ 
+ /var/run/consolekit\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
++
++/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.5/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te	2008-01-18 12:56:56.000000000 -0500
-@@ -36,6 +36,7 @@
++++ serefpolicy-3.2.5/policy/modules/services/consolekit.te	2008-01-28 11:46:35.000000000 -0500
+@@ -13,6 +13,9 @@
+ type consolekit_var_run_t;
+ files_pid_file(consolekit_var_run_t)
+ 
++type consolekit_log_t;
++files_pid_file(consolekit_log_t)
++
+ ########################################
+ #
+ # consolekit local policy
+@@ -24,6 +27,9 @@
+ allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+ allow consolekit_t self:unix_dgram_socket create_socket_perms;
+ 
++manage_files_pattern(consolekit_t,consolekit_log_t,consolekit_log_t)
++logging_log_filetrans(consolekit_t,consolekit_log_t, file)
++
+ manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
+ files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
+ 
+@@ -36,6 +42,7 @@
  
  domain_read_all_domains_state(consolekit_t)
  domain_use_interactive_fds(consolekit_t)
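Review bot: The new `consolekit_log_t` is declared with `files_pid_file(consolekit_log_t)` while files of that type are created under `/var/log` via `logging_log_filetrans`, and the accompanying `consolekit.fc` entry labels `/var/log/ConsoleKit(/.*)?` as `consolekit_var_run_t` rather than the new type, so a relabel and the runtime transition will disagree on what that tree should be. Declare it as a log type, `logging_log_file(consolekit_log_t)`, and point the fc entry at it: `/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)`. Because the fc pattern covers a directory, consolekit_t will presumably also need `manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` and a `dir` class in the filetrans if the daemon creates that directory itself; that is not visible from this hunk and should be confirmed.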
@@ -7961,7 +8105,7 @@
  
  files_read_etc_files(consolekit_t)
  # needs to read /var/lib/dbus/machine-id
-@@ -50,8 +51,16 @@
+@@ -50,12 +57,24 @@
  libs_use_ld_so(consolekit_t)
  libs_use_shared_libs(consolekit_t)
  
@@ -7975,10 +8119,19 @@
 +hal_ptrace(consolekit_t)
 +mcs_ptrace_all(consolekit_t)
 +
++optional_policy(`
++	cron_read_system_job_lib_files(consolekit_t)
++')
++
  optional_policy(`
  	dbus_system_bus_client_template(consolekit, consolekit_t)
  	dbus_connect_system_bus(consolekit_t)
-@@ -67,3 +76,13 @@
+-
++	dbus_system_domain(consolekit_t, consolekit_exec_t)
+ 	hal_dbus_chat(consolekit_t)
+ 
+ 	optional_policy(`
+@@ -67,3 +86,14 @@
  	xserver_read_all_users_xauth(consolekit_t)
  	xserver_stream_connect_xdm_xserver(consolekit_t)
  ')
@@ -7992,6 +8145,7 @@
 +optional_policy(`
 +	userdom_read_user_tmp_files(user, consolekit_t)
 +')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.5/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/cron.fc	2008-01-18 12:40:46.000000000 -0500
@@ -8011,7 +8165,7 @@
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/cron.if	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cron.if	2008-01-28 11:45:43.000000000 -0500
 @@ -35,38 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -9289,7 +9443,7 @@
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-22 12:53:47.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-25 14:07:09.000000000 -0500
 @@ -53,6 +53,7 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -9298,7 +9452,7 @@
  	')
  
  	##############################
-@@ -84,6 +85,9 @@
+@@ -84,14 +85,20 @@
  	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
  	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
  
@@ -9306,9 +9460,11 @@
 +	allow $1_dbusd_t dbusd_unconfined:dbus send_msg;
 +
  	# For connecting to the bus
- 	allow $2 $1_dbusd_t:unix_stream_socket connectto;
+-	allow $2 $1_dbusd_t:unix_stream_socket connectto;
++	allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
++	allow $2 $1_dbusd_t:unix_dgram_socket getattr;
  	type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
-@@ -91,7 +95,9 @@
+ 
  	# SE-DBus specific permissions
  	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
  	allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
@@ -9319,7 +9475,7 @@
  
  	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
  	read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
-@@ -102,10 +108,9 @@
+@@ -102,10 +109,9 @@
  	files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
  
  	domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
@@ -9332,7 +9488,7 @@
  	allow $1_dbusd_t $2:process sigkill;
  	allow $2 $1_dbusd_t:fd use;
  	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -139,6 +144,7 @@
+@@ -139,6 +145,7 @@
  
  	fs_getattr_romfs($1_dbusd_t)
  	fs_getattr_xattr_fs($1_dbusd_t)
@@ -9340,7 +9496,7 @@
  
  	selinux_get_fs_mount($1_dbusd_t)
  	selinux_validate_context($1_dbusd_t)
-@@ -161,7 +167,9 @@
+@@ -161,7 +168,9 @@
  	seutil_read_config($1_dbusd_t)
  	seutil_read_default_contexts($1_dbusd_t)
  
@@ -9351,7 +9507,7 @@
  
  	ifdef(`hide_broken_symptoms', `
  		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
-@@ -182,6 +190,7 @@
+@@ -182,6 +191,7 @@
  	optional_policy(`
  		xserver_use_xdm_fds($1_dbusd_t)
  		xserver_rw_xdm_pipes($1_dbusd_t)
@@ -9359,7 +9515,7 @@
  	')
  ')
  
-@@ -214,7 +223,7 @@
+@@ -214,7 +224,7 @@
  
  	# SE-DBus specific permissions
  #	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@@ -9368,7 +9524,7 @@
  
  	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($2)
-@@ -223,6 +232,10 @@
+@@ -223,6 +233,10 @@
  	files_search_pids($2)
  	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
  	dbus_read_config($2)
@@ -9379,7 +9535,7 @@
  ')
  
  #######################################
-@@ -251,6 +264,7 @@
+@@ -251,6 +265,7 @@
  template(`dbus_user_bus_client_template',`
  	gen_require(`
  		type $1_dbusd_t;
@@ -9387,7 +9543,7 @@
  		class dbus send_msg;
  	')
  
-@@ -263,6 +277,7 @@
+@@ -263,6 +278,7 @@
  
  	# For connecting to the bus
  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
@@ -9395,7 +9551,7 @@
  ')
  
  ########################################
-@@ -292,6 +307,59 @@
+@@ -292,6 +308,59 @@
  
  ########################################
  ## <summary>
@@ -9455,7 +9611,7 @@
  ##	Read dbus configuration.
  ## </summary>
  ## <param name="domain">
-@@ -366,3 +434,52 @@
+@@ -366,3 +435,52 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -11935,7 +12091,7 @@
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.if	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mta.if	2008-01-24 14:27:32.000000000 -0500
 @@ -133,6 +133,12 @@
  		sendmail_create_log($1_mail_t)
  	')
@@ -12537,7 +12693,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mysql.te	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mysql.te	2008-01-24 15:46:30.000000000 -0500
 @@ -1,4 +1,3 @@
 -
  policy_module(mysql,1.6.0)
@@ -12563,6 +12719,14 @@
  allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
  allow mysqld_t self:tcp_socket create_stream_socket_perms;
  allow mysqld_t self:udp_socket create_socket_perms;
+@@ -79,6 +82,7 @@
+ 
+ fs_getattr_all_fs(mysqld_t)
+ fs_search_auto_mountpoints(mysqld_t)
++fs_rw_hugetlbfs_files(mysqld_t)
+ 
+ domain_use_interactive_fds(mysqld_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/nagios.fc	2008-01-18 12:40:46.000000000 -0500
@@ -12847,7 +13011,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te	2008-01-22 09:23:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te	2008-01-24 13:26:30.000000000 -0500
 @@ -13,6 +13,9 @@
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
@@ -12923,7 +13087,7 @@
  ')
  
  optional_policy(`
-@@ -155,6 +168,7 @@
+@@ -155,19 +168,20 @@
  	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
@@ -12931,18 +13095,23 @@
  ')
  
  optional_policy(`
-@@ -166,11 +180,6 @@
+-	seutil_sigchld_newrole(NetworkManager_t)
++	# Dispatcher starting and stoping ntp
++	ntp_script_domtrans(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+-	udev_read_db(NetworkManager_t)
++	seutil_sigchld_newrole(NetworkManager_t)
  ')
  
  optional_policy(`
 -	# Read gnome-keyring
 -	unconfined_read_home_content_files(NetworkManager_t)
--')
--
--optional_policy(`
- 	vpn_domtrans(NetworkManager_t)
- 	vpn_signal(NetworkManager_t)
++	udev_read_db(NetworkManager_t)
  ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2007-02-19 11:32:53.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/nis.fc	2008-01-18 12:40:46.000000000 -0500
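Review bot: The new `ntp_script_domtrans(NetworkManager_t)` lets NetworkManager (and, per the comment, its dispatcher scripts) execute the ntpd init script with a domain transition, i.e. start and stop a system service; that is a privilege step-up that deserves a mention in the spec changelog, which currently lists only the noxattr change. The inline comment also misspells "stopping" (`# Dispatcher starting and stoping ntp`); I would replace it with `# Dispatcher scripts start/stop ntpd through its init script (domain transition)`. The removal of `unconfined_read_home_content_files(NetworkManager_t)` in the same hunk is a tightening and is fine, but it too should be called out if reading gnome-keyring from NetworkManager is no longer required. Moving `seutil_sigchld_newrole` and `udev_read_db` into their own optional_policy blocks looks behaviour-neutral.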
@@ -13344,7 +13513,7 @@
 +/etc/rc\.d/init\.d/ntpd	--	gen_context(system_u:object_r:ntpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if
 --- nsaserefpolicy/policy/modules/services/ntp.if	2007-03-26 10:39:05.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/ntp.if	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/ntp.if	2008-01-24 13:25:46.000000000 -0500
 @@ -53,3 +53,76 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
@@ -13770,10 +13939,11 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc
 --- nsaserefpolicy/policy/modules/services/polkit.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/polkit.fc	2008-01-18 12:40:46.000000000 -0500
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.2.5/policy/modules/services/polkit.fc	2008-01-28 10:53:34.000000000 -0500
+@@ -0,0 +1,7 @@
 +
 +/usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:polkit_auth_exec_t,s0)
++/usr/libexec/polkitd			--	gen_context(system_u:object_r:polkit_exec_t,s0)
 +
 +/var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 +/var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_run_t,s0)
@@ -13843,8 +14013,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/polkit.te	2008-01-18 12:40:46.000000000 -0500
-@@ -0,0 +1,63 @@
++++ serefpolicy-3.2.5/policy/modules/services/polkit.te	2008-01-28 11:29:32.000000000 -0500
+@@ -0,0 +1,110 @@
 +policy_module(polkit_auth,1.0.0)
 +
 +########################################
@@ -13852,6 +14022,11 @@
 +# Declarations
 +#
 +
++type polkit_t;
++type polkit_exec_t;
++domain_type(polkit_t)
++init_daemon_domain(polkit_t, polkit_exec_t)
++
 +type polkit_auth_t;
 +type polkit_auth_exec_t;
 +domain_type(polkit_auth_t)
@@ -13865,6 +14040,47 @@
 +
 +########################################
 +#
++# polkit local policy
++#
++
++allow polkit_t self:process getattr;
++
++allow polkit_t self:unix_dgram_socket create_socket_perms;
++allow polkit_t self:fifo_file rw_file_perms;
++allow polkit_t self:unix_stream_socket create_stream_socket_perms;
++
++can_exec(polkit_t, polkit_exec_t)
++corecmd_search_bin(polkit_t)
++
++domain_use_interactive_fds(polkit_t)
++
++files_read_etc_files(polkit_t)
++files_read_usr_files(polkit_t)
++
++auth_use_nsswitch(polkit_t)
++
++libs_use_ld_so(polkit_t)
++libs_use_shared_libs(polkit_t)
++
++miscfiles_read_localization(polkit_t)
++
++logging_send_syslog_msg(polkit_t)
++
++manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t)
++
++# pid file
++manage_dirs_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t)
++manage_files_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t)
++files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir })
++
++optional_policy(`
++	dbus_system_bus_client_template(polkit, polkit_t)
++	consolekit_dbus_chat(polkit_t)
++	dbus_system_domain(polkit_t, polkit_exec_t)
++')
++
++########################################
++#
 +# polkit_auth local policy
 +#
 +
@@ -13901,6 +14117,7 @@
 +optional_policy(`
 +	dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
 +	consolekit_dbus_chat(polkit_auth_t)
++	dbus_system_domain(polkit_exec_t, polkit_t)
 +')
 +
 +optional_policy(`
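Review bot: `dbus_system_domain(polkit_exec_t, polkit_t)` in the polkit_auth optional block has its arguments in the opposite order from the two other calls in this diff, `dbus_system_domain(polkit_t, polkit_exec_t)` in the polkit_t block above and `dbus_system_domain(consolekit_t, consolekit_exec_t)` in consolekit.te, which pass the domain first and its entrypoint type second. As written the domain/entrypoint pair is swapped, and the line is also redundant because polkit_t's own block already makes the same registration. Drop this line, or if it is meant to stay correct it to `dbus_system_domain(polkit_t, polkit_exec_t)`.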
@@ -13926,8 +14143,20 @@
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.if	2008-01-21 09:39:32.000000000 -0500
-@@ -416,7 +416,7 @@
++++ serefpolicy-3.2.5/policy/modules/services/postfix.if	2008-01-24 13:33:34.000000000 -0500
+@@ -206,9 +206,8 @@
+ 		type postfix_etc_t;
+ 	')
+ 
+-	allow $1 postfix_etc_t:dir { getattr read search };
+-	allow $1 postfix_etc_t:file { read getattr };
+-	allow $1 postfix_etc_t:lnk_file { getattr read };
++	read_files_pattern($1, postfix_etc_t, postfix_etc_t)
++	read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
+ 	files_search_etc($1)
+ ')
+ 
+@@ -416,7 +415,7 @@
  ##	</summary>
  ## </param>
  #
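Review bot: Replacing the three explicit allow rules on postfix_etc_t with `read_files_pattern($1, postfix_etc_t, postfix_etc_t)` and `read_lnk_files_pattern(...)` appears to drop the `read` permission on the directory that the old `allow $1 postfix_etc_t:dir { getattr read search };` granted, assuming the pattern macros follow their usual definition of search-only on the directory type. Any caller that lists /etc/postfix (rather than opening a known file in it) would start getting AVC denials after this change. If that is not intended, keep the listing access explicitly, e.g. `list_dirs_pattern($1, postfix_etc_t, postfix_etc_t)` next to the two pattern calls; if it is intended, a one-line comment saying so would stop the next reviewer from re-adding it. The interface declaration this body belongs to starts before the hunk.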
@@ -13936,7 +14165,7 @@
  	gen_require(`
  		type postfix_private_t;
  	')
-@@ -427,6 +427,26 @@
+@@ -427,6 +426,26 @@
  
  ########################################
  ## <summary>
@@ -13963,7 +14192,7 @@
  ##	Execute the master postfix program in the
  ##	postfix_master domain.
  ## </summary>
-@@ -503,6 +523,25 @@
+@@ -503,6 +522,25 @@
  
  ########################################
  ## <summary>
@@ -14331,7 +14560,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postgresql.te	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postgresql.te	2008-01-24 15:46:50.000000000 -0500
 @@ -27,6 +27,9 @@
  type postgresql_var_run_t;
  files_pid_file(postgresql_var_run_t)
@@ -14342,6 +14571,14 @@
  ########################################
  #
  # postgresql Local policy
+@@ -100,6 +103,7 @@
+ 
+ fs_getattr_all_fs(postgresql_t)
+ fs_search_auto_mountpoints(postgresql_t)
++fs_rw_hugetlbfs_files(postgresql_t)
+ 
+ term_use_controlling_term(postgresql_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.2.5/policy/modules/services/postgrey.fc
 --- nsaserefpolicy/policy/modules/services/postgrey.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/postgrey.fc	2008-01-18 12:40:46.000000000 -0500
@@ -18382,7 +18619,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.5/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/squid.te	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/squid.te	2008-01-25 09:45:17.000000000 -0500
 @@ -31,12 +31,15 @@
  type squid_var_run_t;
  files_pid_file(squid_var_run_t)
@@ -18400,7 +18637,15 @@
  dontaudit squid_t self:capability sys_tty_config;
  allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
  allow squid_t self:fifo_file rw_fifo_file_perms;
-@@ -92,6 +95,7 @@
+@@ -85,6 +88,7 @@
+ corenet_udp_sendrecv_all_ports(squid_t)
+ corenet_tcp_bind_all_nodes(squid_t)
+ corenet_udp_bind_all_nodes(squid_t)
++corenet_tcp_bind_http_port(squid_t)
+ corenet_tcp_bind_http_cache_port(squid_t)
+ corenet_udp_bind_http_cache_port(squid_t)
+ corenet_tcp_bind_ftp_port(squid_t)
+@@ -92,6 +96,7 @@
  corenet_udp_bind_gopher_port(squid_t)
  corenet_tcp_bind_squid_port(squid_t)
  corenet_udp_bind_squid_port(squid_t)
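Review bot: `corenet_tcp_bind_http_port(squid_t)` lets squid bind the HTTP port unconditionally, although the ordinary forward-proxy deployment only needs the http_cache and squid ports bound a few lines below it. Binding port 80 is only required for an accelerator (reverse) or transparent-proxy configuration, so wrapping the rule in a `tunable_policy` boolean would keep the default domain tighter; at minimum a comment should record the use case, e.g. `# accelerator/transparent proxy setups listen on the http port`. The squid_t local policy section starts and ends outside this hunk.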
@@ -18408,7 +18653,7 @@
  corenet_tcp_connect_ftp_port(squid_t)
  corenet_tcp_connect_gopher_port(squid_t)
  corenet_tcp_connect_http_port(squid_t)
-@@ -109,6 +113,8 @@
+@@ -109,6 +114,8 @@
  
  fs_getattr_all_fs(squid_t)
  fs_search_auto_mountpoints(squid_t)
@@ -18417,7 +18662,7 @@
  
  selinux_dontaudit_getattr_dir(squid_t)
  
-@@ -148,11 +154,7 @@
+@@ -148,11 +155,7 @@
  ')
  
  optional_policy(`
@@ -18430,7 +18675,7 @@
  ')
  
  optional_policy(`
-@@ -167,7 +169,12 @@
+@@ -167,7 +170,12 @@
  	udev_read_db(squid_t)
  ')
  
@@ -19099,7 +19344,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.if	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/xserver.if	2008-01-25 16:50:51.000000000 -0500
 @@ -15,6 +15,7 @@
  template(`xserver_common_domain_template',`
  	gen_require(`
@@ -19803,7 +20048,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.5/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.te	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/xserver.te	2008-01-24 13:41:40.000000000 -0500
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -19878,11 +20123,13 @@
  xserver_common_domain_template(xdm)
  init_system_domain(xdm_xserver_t,xserver_exec_t)
  
-@@ -96,7 +135,7 @@
+@@ -95,8 +134,8 @@
+ # XDM Local policy
  #
  
- allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
++allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 +allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms };
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
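Review bot: Adding `sys_ptrace` to the `allow xdm_t self:capability { ... }` line, alongside the `ptrace` already present in xdm_t's self:process permissions, is a notable widening for the display manager and carries no comment saying which component needs it. CAP_SYS_PTRACE is the capability that lets a process attach to and read the memory of processes it does not own, so if this was added only to silence an AVC denial from some helper, a `dontaudit xdm_t self:capability sys_ptrace;` is the safer answer. If it is genuinely required, a one-line comment above the rule naming the consumer and the bug it fixes would let future reviewers keep it scoped; the XDM local policy section continues outside this hunk.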
@@ -21249,10 +21496,17 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.2.5/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/ipsec.te	2008-01-18 12:40:46.000000000 -0500
-@@ -302,6 +302,7 @@
++++ serefpolicy-3.2.5/policy/modules/system/ipsec.te	2008-01-25 11:41:57.000000000 -0500
+@@ -297,11 +297,14 @@
+ read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
+ read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
+ 
++kernel_read_system_state(racoon_t)
+ kernel_read_network_state(racoon_t)
+ 
  corenet_all_recvfrom_unlabeled(racoon_t)
  corenet_tcp_bind_all_nodes(racoon_t)
++corenet_udp_bind_all_nodes(racoon_t)
  corenet_udp_bind_isakmp_port(racoon_t)
 +corenet_udp_bind_ipsecnat_port(racoon_t)
  
@@ -23147,7 +23401,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2008-01-23 13:13:29.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2008-01-28 10:11:41.000000000 -0500
 @@ -6,35 +6,59 @@
  # Declarations
  #
@@ -23440,7 +23694,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-24 13:04:29.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-25 11:51:09.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -23450,7 +23704,7 @@
 -	type $1_t, userdomain;
 +	type $1_t, userdomain, $1_usertype;
  	domain_type($1_t)
-+	ifdef(`targeted_policy',`
++	ifndef(`enable_mls',`
 +		# ignore user componant labeling on homedir entry
 +		domain_obj_id_change_exemption($1_t)
 +	')
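Review bot: Changing the guard around `domain_obj_id_change_exemption($1_t)` from `ifdef(`targeted_policy', ...)` to `ifndef(`enable_mls', ...)` extends the exemption from the targeted policy to every build without MLS, including strict configurations where the SELinux user component of home-directory labels was previously enforced for these domains. The exemption allows $1_t to create objects whose user identity differs from its own, so on those policy types this is a weakening of user separation rather than a no-op. If that is intended, the comment should state the rationale rather than only the effect, e.g. `# non-MLS builds do not separate users by identity, so ignore the user component when labeling homedir entries`, and the typo `componant` can be fixed at the same time. The template this sits in starts before the hunk.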
@@ -23557,6 +23811,9 @@
 -	libs_use_ld_so($1_t)
 -	libs_use_shared_libs($1_t)
 -	libs_exec_ld_so($1_t)
+-
+-	miscfiles_read_localization($1_t)
+-	miscfiles_read_certs($1_t)
 +	files_dontaudit_getattr_all_dirs($1_usertype)
 +	files_dontaudit_list_non_security($1_usertype)
 +	files_dontaudit_getattr_non_security_files($1_usertype)
@@ -23573,9 +23830,6 @@
 +	libs_use_shared_libs($1_usertype)
 +	libs_exec_ld_so($1_usertype)
  
--	miscfiles_read_localization($1_t)
--	miscfiles_read_certs($1_t)
--
 -	sysnet_read_config($1_t)
 +	miscfiles_read_localization($1_usertype)
 +	miscfiles_read_certs($1_usertype)
@@ -23928,71 +24182,218 @@
  ')
  
  #######################################
-@@ -717,6 +695,12 @@
- 	# Stat lost+found.
- 	files_getattr_lost_found_dirs($1_t)
+@@ -686,183 +664,192 @@
+ 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+ 
+-	allow $1_t unpriv_userdomain:fd use;
++	allow $1_usertype unpriv_userdomain:fd use;
+ 
+-	kernel_read_system_state($1_t)
+-	kernel_read_network_state($1_t)
+-	kernel_read_net_sysctls($1_t)
++	kernel_read_system_state($1_usertype)
++	kernel_read_network_state($1_usertype)
++	kernel_read_net_sysctls($1_usertype)
+ 	# Very permissive allowing every domain to see every type:
+-	kernel_get_sysvipc_info($1_t)
++	kernel_get_sysvipc_info($1_usertype)
+ 	# Find CDROM devices:
+-	kernel_read_device_sysctls($1_t)
++	kernel_read_device_sysctls($1_usertype)
+ 
+-	corenet_udp_bind_all_nodes($1_t)
+-	corenet_udp_bind_generic_port($1_t)
++	corenet_udp_bind_all_nodes($1_usertype)
++	corenet_udp_bind_generic_port($1_usertype)
  
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
++	dev_read_rand($1_usertype)
++	dev_write_sound($1_usertype)
++	dev_read_sound($1_usertype)
++	dev_read_sound_mixer($1_usertype)
++	dev_write_sound_mixer($1_usertype)
+ 
+-	files_exec_etc_files($1_t)
+-	files_search_locks($1_t)
++	files_exec_etc_files($1_usertype)
++	files_search_locks($1_usertype)
+ 	# Check to see if cdrom is mounted
+-	files_search_mnt($1_t)
++	files_search_mnt($1_usertype)
+ 	# cjp: perhaps should cut back on file reads:
+-	files_read_var_files($1_t)
+-	files_read_var_symlinks($1_t)
+-	files_read_generic_spool($1_t)
+-	files_read_var_lib_files($1_t)
++	files_read_var_files($1_usertype)
++	files_read_var_symlinks($1_usertype)
++	files_read_generic_spool($1_usertype)
++	files_read_var_lib_files($1_usertype)
+ 	# Stat lost+found.
+-	files_getattr_lost_found_dirs($1_t)
++	files_getattr_lost_found_dirs($1_usertype)
++
++	tunable_policy(`user_rw_noexattrfile',`
++		fs_manage_noxattr_fs_files($1_usertype)
++		fs_manage_noxattr_fs_dirs($1_usertype)
++	',`
++		fs_read_noxattr_fs_files($1_usertype)
++	')
++
 +	logging_send_syslog_msg($1_usertype)
-+	logging_dontaudit_send_audit_msgs($1_t)
++	logging_dontaudit_send_audit_msgs($1_usertype)
 +	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-+	logging_send_audit_msgs($1_t)
-+	selinux_get_enforce_mode($1_t)
-+
++	logging_send_audit_msgs($1_usertype)
++	selinux_get_enforce_mode($1_usertype)
+ 
  	# cjp: some of this probably can be removed
- 	selinux_get_fs_mount($1_t)
- 	selinux_validate_context($1_t)
-@@ -728,11 +712,11 @@
+-	selinux_get_fs_mount($1_t)
+-	selinux_validate_context($1_t)
+-	selinux_compute_access_vector($1_t)
+-	selinux_compute_create_context($1_t)
+-	selinux_compute_relabel_context($1_t)
+-	selinux_compute_user_contexts($1_t)
++	selinux_get_fs_mount($1_usertype)
++	selinux_validate_context($1_usertype)
++	selinux_compute_access_vector($1_usertype)
++	selinux_compute_create_context($1_usertype)
++	selinux_compute_relabel_context($1_usertype)
++	selinux_compute_user_contexts($1_usertype)
+ 
  	# for eject
- 	storage_getattr_fixed_disk_dev($1_t)
+-	storage_getattr_fixed_disk_dev($1_t)
++	storage_getattr_fixed_disk_dev($1_usertype)
  
 -	auth_use_nsswitch($1_t)
- 	auth_read_login_records($1_t)
- 	auth_search_pam_console_data($1_t)
+-	auth_read_login_records($1_t)
+-	auth_search_pam_console_data($1_t)
++	auth_read_login_records($1_usertype)
++	auth_search_pam_console_data($1_usertype)
  	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +	authlogin_per_role_template($1, $1_t, $1_r)
  
- 	init_read_utmp($1_t)
+-	init_read_utmp($1_t)
++	init_read_utmp($1_usertype)
  
-@@ -758,10 +742,6 @@
- 		dev_read_mouse($1_t)
+-	seutil_read_file_contexts($1_t)
+-	seutil_read_default_contexts($1_t)
++	seutil_read_file_contexts($1_usertype)
++	seutil_read_default_contexts($1_usertype)
+ 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ 	seutil_exec_checkpolicy($1_t)
+-	seutil_exec_setfiles($1_t)
++	seutil_exec_setfiles($1_usertype)
+ 	# for when the network connection is killed
+ 	# this is needed when a login role can change
+ 	# to this one.
+ 	seutil_dontaudit_signal_newrole($1_t)
+ 
+ 	tunable_policy(`read_default_t',`
+-		files_list_default($1_t)
+-		files_read_default_files($1_t)
+-		files_read_default_symlinks($1_t)
+-		files_read_default_sockets($1_t)
+-		files_read_default_pipes($1_t)
++		files_list_default($1_usertype)
++		files_read_default_files($1_usertype)
++		files_read_default_symlinks($1_usertype)
++		files_read_default_sockets($1_usertype)
++		files_read_default_pipes($1_usertype)
  	')
  
--	tunable_policy(`user_ttyfile_stat',`
--		term_getattr_all_user_ttys($1_t)
+ 	tunable_policy(`user_direct_mouse',`
+-		dev_read_mouse($1_t)
 -	')
 -
+-	tunable_policy(`user_ttyfile_stat',`
+-		term_getattr_all_user_ttys($1_t)
++		dev_read_mouse($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		alsa_read_rw_config($1_t)
++		alsa_read_rw_config($1_usertype)
+ 	')
+ 
  	optional_policy(`
- 		alsa_read_rw_config($1_t)
+ 		# Allow graphical boot to check battery lifespan
+-		apm_stream_connect($1_t)
++		apm_stream_connect($1_usertype)
  	')
-@@ -783,20 +763,20 @@
+ 
+ 	optional_policy(`
+-		canna_stream_connect($1_t)
++		canna_stream_connect($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		dbus_system_bus_client_template($1,$1_t)
++		dbus_system_bus_client_template($1,$1_usertype)
+ 
+ 		optional_policy(`
+-			bluetooth_dbus_chat($1_t)
++			bluetooth_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1,$1_t)
 -			evolution_alarm_dbus_chat($1,$1_t)
-+			consolekit_dbus_chat($1_t)
++			consolekit_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			evolution_dbus_chat($1,$1_t)
-+			evolution_alarm_dbus_chat($1,$1_t)
++			evolution_dbus_chat($1,$1_usertype)
++			evolution_alarm_dbus_chat($1,$1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			networkmanager_dbus_chat($1_t)
++			networkmanager_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
-+			vpnc_dbus_chat($1_t)
++			vpnc_dbus_chat($1_usertype)
  		')
  	')
  
-@@ -824,11 +804,18 @@
- 		mta_rw_spool($1_t)
+ 	optional_policy(`
+-		inetd_use_fds($1_t)
+-		inetd_rw_tcp_sockets($1_t)
++		inetd_use_fds($1_usertype)
++		inetd_rw_tcp_sockets($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		inn_read_config($1_t)
+-		inn_read_news_lib($1_t)
+-		inn_read_news_spool($1_t)
++		inn_read_config($1_usertype)
++		inn_read_news_lib($1_usertype)
++		inn_read_news_spool($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		locate_read_lib_files($1_t)
++		locate_read_lib_files($1_usertype)
+ 	')
+ 
+ 	# for running depmod as part of the kernel packaging process
+ 	optional_policy(`
+-		modutils_read_module_config($1_t)
++		modutils_read_module_config($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		mta_rw_spool($1_t)
++		mta_rw_spool($1_usertype)
  	')
  
 -
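Review bot: The new `tunable_policy(`user_rw_noexattrfile', ...)` block after `files_getattr_lost_found_dirs($1_usertype)` grants `fs_manage_noxattr_fs_files` and `fs_manage_noxattr_fs_dirs` to every domain carrying the `$1_usertype` attribute, and with the matching removal from the admin template later in this patch it becomes the single source of this access for all user types, including the restricted ones built on this template. The noxattrfs attribute covers every filesystem type that cannot carry labels, which may include network filesystems as well as vfat/iso9660 media depending on how the filesystem module declares them, so with the boolean enabled this is broader than "write to removable media" — worth confirming that scope is intended before the default is set. A short comment above the block would make the scope explicit for the next reader, e.g. `# Read/write unlabeled (noxattr) filesystems; every fs declared noxattrfs is covered, not only removable media`. The template continues outside this hunk.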
@@ -24000,21 +24401,27 @@
 -		tunable_policy(`allow_user_mysql_connect',`
 -			mysql_stream_connect($1_t)
 -		')
-+		alsa_read_rw_config($1_t)
-+	')
-+
++		alsa_read_rw_config($1_usertype)
+ 	')
+ 
+-	optional_policy(`
+-		# to allow monitoring of pcmcia status
+-		pcmcia_read_pid($1_t)
 +	 optional_policy(`
 +	          tunable_policy(`allow_user_postgresql_connect',`
-+			postgresql_stream_connect($1_t)
++			postgresql_stream_connect($1_usertype)
 +		  ')
 +        ')
 +
 +	tunable_policy(`user_ttyfile_stat',`
-+		term_getattr_all_user_ttys($1_t)
++		term_getattr_all_user_ttys($1_usertype)
  	')
  
  	optional_policy(`
-@@ -842,13 +829,6 @@
+-		pcscd_read_pub_files($1_t)
+-		pcscd_stream_connect($1_t)
++		# to allow monitoring of pcmcia status
++		pcmcia_read_pid($1_usertype)
  	')
  
  	optional_policy(`
@@ -24022,13 +24429,34 @@
 -			postgresql_stream_connect($1_t)
 -			postgresql_tcp_connect($1_t)
 -		')
--	')
--
--	optional_policy(`
- 		resmgr_stream_connect($1_t)
++		pcscd_read_pub_files($1_usertype)
++		pcscd_stream_connect($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		resmgr_stream_connect($1_t)
++		resmgr_stream_connect($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		rpc_dontaudit_getattr_exports($1_t)
+-		rpc_manage_nfs_rw_content($1_t)
++		rpc_dontaudit_getattr_exports($1_usertype)
++		rpc_manage_nfs_rw_content($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		samba_stream_connect_winbind($1_t)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
-@@ -889,6 +869,8 @@
+ 	optional_policy(`
+-		slrnpull_search_spool($1_t)
++		slrnpull_search_spool($1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+@@ -889,6 +876,8 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -24037,7 +24465,7 @@
  	userdom_base_user_template($1)
  
  	userdom_manage_home_template($1)
-@@ -917,26 +899,26 @@
+@@ -917,26 +906,26 @@
  
  	allow $1_t self:context contains;
  
@@ -24078,7 +24506,7 @@
  
  	auth_dontaudit_write_login_records($1_t)
  
-@@ -944,43 +926,43 @@
+@@ -944,43 +933,43 @@
  
  	# The library functions always try to open read-write first,
  	# then fall back to read-only if it fails. 
@@ -24140,7 +24568,7 @@
  	')
  ')
  
-@@ -1014,9 +996,6 @@
+@@ -1014,9 +1003,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -24150,7 +24578,7 @@
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1025,16 +1004,29 @@
+@@ -1025,16 +1011,29 @@
  	#
  
  	# privileged home directory writers
@@ -24186,7 +24614,7 @@
  ')
  
  #######################################
-@@ -1062,6 +1054,13 @@
+@@ -1062,6 +1061,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -24200,7 +24628,7 @@
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1070,14 +1069,14 @@
+@@ -1070,14 +1076,14 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -24220,7 +24648,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,32 +1084,17 @@
+@@ -1085,32 +1091,17 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -24260,7 +24688,7 @@
  	')
  ')
  
-@@ -1121,10 +1105,10 @@
+@@ -1121,10 +1112,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -24275,7 +24703,7 @@
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1187,12 +1171,11 @@
+@@ -1187,12 +1178,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -24290,7 +24718,7 @@
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1201,7 +1184,7 @@
+@@ -1201,7 +1191,7 @@
  	')
  
  	optional_policy(`
@@ -24299,7 +24727,7 @@
  	')
  ')
  
-@@ -1278,8 +1261,6 @@
+@@ -1278,8 +1268,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -24308,6 +24736,20 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
+@@ -1357,13 +1345,6 @@
+ 	# But presently necessary for installing the file_contexts file.
+ 	seutil_manage_bin_policy($1_t)
+ 
+-	tunable_policy(`user_rw_noexattrfile',`
+-		fs_manage_noxattr_fs_files($1_t)
+-		fs_manage_noxattr_fs_dirs($1_t)
+-	',`
+-		fs_read_noxattr_fs_files($1_t)
+-	')
+-
+ 	optional_policy(`
+ 		userhelper_exec($1_t)
+ 	')
 @@ -1416,6 +1397,7 @@
  	dev_relabel_all_dev_nodes($1)
  
@@ -25033,7 +25475,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4301,17 +4397,32 @@
+@@ -4301,12 +4397,27 @@
  ##	</summary>
  ## </param>
  #
@@ -25046,11 +25488,10 @@
  
 -	dontaudit $1 staff_home_t:file append;
 +	dontaudit $1 user_home_t:file append_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read files in the staff users home directory.
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to append to the staff
 +##	users home directory.
 +## </summary>
@@ -25062,14 +25503,9 @@
 +#
 +interface(`userdom_dontaudit_append_staff_home_content_files',`
 +	userdom_dontaudit_append_unpriv_home_content_files($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Read files in the staff users home directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
+ ')
+ 
+ ########################################
 @@ -4321,13 +4432,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
@@ -26472,8 +26908,8 @@
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-18 14:02:43.000000000 -0500
-@@ -0,0 +1,42 @@
++++ serefpolicy-3.2.5/policy/modules/users/staff.te	2008-01-24 16:05:12.000000000 -0500
+@@ -0,0 +1,47 @@
 +policy_module(staff,1.0.1)
 +userdom_unpriv_user_template(staff)
 +
@@ -26484,9 +26920,10 @@
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +
-+optional_policy(`
-+	xserver_per_role_template(staff, staff_t, staff_r)
-+')
++files_read_kernel_modules(staff_t)
++
++modutils_read_module_config(staff_t)
++modutils_read_module_deps(staff_t)
 +
 +sudo_per_role_template(staff, staff_t, staff_r)
 +seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
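Review bot: The three new lines `files_read_kernel_modules(staff_t)`, `modutils_read_module_config(staff_t)` and `modutils_read_module_deps(staff_t)` give staff_t read access to the module tree and its metadata with no comment explaining the use case, unlike the equivalent rule in userdomain.if in this same patch, which is annotated `# for running depmod as part of the kernel packaging process`. Reading module files is harmless on its own but it is the kind of rule that silently accumulates, so please carry the same justification here, e.g. `# read kernel modules and module config for depmod during kernel packaging`. The staff.te file continues outside this hunk.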
@@ -26516,6 +26953,10 @@
 +	netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
 +')
 +
++optional_policy(`
++	xserver_per_role_template(staff, staff_t, staff_r)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.5/policy/modules/users/user.fc
 --- nsaserefpolicy/policy/modules/users/user.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/users/user.fc	2008-01-18 12:40:46.000000000 -0500


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.591
retrieving revision 1.592
diff -u -r1.591 -r1.592
--- selinux-policy.spec	24 Jan 2008 18:12:25 -0000	1.591
+++ selinux-policy.spec	28 Jan 2008 16:48:49 -0000	1.592
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
 %endif
 
 %changelog
+* Fri Jan 25 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-20
+- Allow usertypes to read/write noxattr file systems
+
 * Thu Jan 24 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-19
 - Fix nsplugin to allow flashplugin to work in enforcing mode
 



