rpms/selinux-policy/devel policy-20071130.patch, 1.6, 1.7 selinux-policy.spec, 1.565, 1.566

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Dec 12 14:53:13 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4049

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Dec 11 2007 Dan Walsh <dwalsh at redhat.com> 3.2.3-2
- Fixes for polkit
- Allow xserver to ptrace


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20071130.patch	11 Dec 2007 06:03:18 -0000	1.6
+++ policy-20071130.patch	12 Dec 2007 14:53:07 -0000	1.7
@@ -6145,7 +6145,7 @@
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.3/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dbus.if	2007-12-06 16:37:24.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dbus.if	2007-12-11 17:07:29.000000000 -0500
 @@ -91,7 +91,7 @@
  	# SE-DBus specific permissions
  	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@@ -6165,7 +6165,17 @@
  	allow $1_dbusd_t $2:process sigkill;
  	allow $2 $1_dbusd_t:fd use;
  	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -214,7 +213,7 @@
+@@ -161,7 +160,8 @@
+ 	seutil_read_config($1_dbusd_t)
+ 	seutil_read_default_contexts($1_dbusd_t)
+ 
+-	userdom_read_user_home_content_files($1, $1_dbusd_t)
++	userdom_read_unpriv_users_home_content_files($1_dbusd_t)
++	userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)
+ 
+ 	ifdef(`hide_broken_symptoms', `
+ 		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
+@@ -214,7 +214,7 @@
  
  	# SE-DBus specific permissions
  #	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
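Review bot: The swap of `userdom_read_user_home_content_files($1, $1_dbusd_t)` for `userdom_read_unpriv_users_home_content_files($1_dbusd_t)` widens the per-user session bus daemon's read access from the owning user's home content to the home content of every unprivileged user, and nothing in the hunk records why the narrower, per-user grant was not enough. A one-line comment above the call would keep the next maintainer from tightening it back by mistake, e.g. `# $1_dbusd_t reads all unpriv users home content: [reason - fill in]`. The added `userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)` presumably silences an append the daemon attempts on home files; if that append is a real write path rather than noise, a dontaudit hides the denial instead of resolving it, so the reason belongs in a comment as well. The enclosing template body starts and ends outside the hunk.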
@@ -6174,7 +6184,7 @@
  
  	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($2)
-@@ -366,3 +365,35 @@
+@@ -366,3 +366,35 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -6868,7 +6878,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/hal.te	2007-12-11 00:56:25.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/hal.te	2007-12-11 16:49:43.000000000 -0500
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -6905,18 +6915,19 @@
  storage_raw_read_removable_device(hald_t)
  storage_raw_write_removable_device(hald_t)
  storage_raw_read_fixed_disk(hald_t)
-@@ -265,6 +271,10 @@
+@@ -265,6 +271,11 @@
  ')
  
  optional_policy(`
 +	polkit_domtrans_auth(hald_t)
++	polkit_read_lib(hald_t)
 +')
 +
 +optional_policy(`
  	rpc_search_nfs_state_data(hald_t)
  ')
  
-@@ -291,6 +301,7 @@
+@@ -291,6 +302,7 @@
  #
  
  allow hald_acl_t self:capability { dac_override fowner };
@@ -6924,19 +6935,19 @@
  allow hald_acl_t self:fifo_file read_fifo_file_perms;
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -325,6 +336,11 @@
+@@ -325,6 +337,11 @@
  
  miscfiles_read_localization(hald_acl_t)
  
 +optional_policy(`
 +	polkit_domtrans_auth(hald_acl_t)
-+	polkit_search_lib(hald_acl_t)
++	polkit_read_lib(hald_acl_t)
 +')
 +
  ########################################
  #
  # Local hald mac policy
-@@ -338,10 +354,14 @@
+@@ -338,10 +355,14 @@
  manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
  files_search_var_lib(hald_mac_t)
  
@@ -6951,7 +6962,7 @@
  libs_use_ld_so(hald_mac_t)
  libs_use_shared_libs(hald_mac_t)
  
-@@ -391,3 +411,4 @@
+@@ -391,3 +412,4 @@
  libs_use_shared_libs(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
@@ -8351,8 +8362,8 @@
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.3/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/polkit.if	2007-12-11 00:56:05.000000000 -0500
-@@ -0,0 +1,41 @@
++++ serefpolicy-3.2.3/policy/modules/services/polkit.if	2007-12-11 16:49:17.000000000 -0500
+@@ -0,0 +1,60 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@@ -8394,6 +8405,25 @@
 +	files_search_var_lib($1)
 +')
 +
++########################################
++## <summary>
++##	read polkit lib files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`polkit_read_lib',`
++	gen_require(`
++		type polkit_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, polkit_var_lib_t,  polkit_var_lib_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.3/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.3/policy/modules/services/polkit.te	2007-12-11 00:18:16.000000000 -0500
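Review bot: Two style nits in the new `polkit_read_lib` interface: the pattern call has a doubled space, `read_files_pattern($1, polkit_var_lib_t,  polkit_var_lib_t)` should be `read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)`, and the `<summary>` text `read polkit lib files` does not follow the sentence-case, period-terminated form the other interfaces in this patch use (`Read all users home directories symlinks.`), so `##	Read polkit lib files.` would match. Note that the hal.te hunks in this commit replace `polkit_search_lib(hald_acl_t)` with this read interface, so its summary is what a reader of hal.te will look up.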
@@ -10792,7 +10822,16 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/xserver.if	2007-12-06 16:37:24.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/xserver.if	2007-12-11 17:02:56.000000000 -0500
+@@ -45,7 +45,7 @@
+ 	# execheap needed until the X module loader is fixed.
+ 	# NVIDIA Needs execstack
+ 
+-	allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++	allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_ptrace sys_tty_config mknod net_bind_service };
+ 	dontaudit $1_xserver_t self:capability chown;
+ 	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 	allow $1_xserver_t self:memprotect mmap_zero;
 @@ -115,8 +115,7 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
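Review bot: The added `sys_ptrace` in the `$1_xserver_t self:capability` set grants a broad kernel capability, yet the next context line still excludes `ptrace` from the allowed `self:process` permissions and the hunk at `@@ -10813,10 +10852,11 @@` only adds `domain_dontaudit_ptrace_all_domains($1_xserver_t)`, not an allow. As far as these hunks show, the X server will hold the capability while every `process:ptrace` attempt is denied and silenced, so the audit log will no longer reveal which domain it is actually trying to inspect, making it hard to later replace the capability with a narrower interface. The two comment lines above the capability list already explain `execheap` and `execstack`; the same is needed here, e.g. `# sys_ptrace needed for [driver/use-case - fill in]`, and if the changelog's "Allow xserver to ptrace" is meant literally, the dontaudit is the wrong interface. The enclosing template body starts and ends outside the hunk.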
@@ -10803,7 +10842,7 @@
  	# raw memory access is needed if not using the frame buffer
  	dev_read_raw_memory($1_xserver_t)
  	dev_wx_raw_memory($1_xserver_t)
-@@ -125,8 +124,12 @@
+@@ -125,8 +124,13 @@
  	# read events - the synaptics touchpad driver reads raw events
  	dev_rw_input_dev($1_xserver_t)
  	dev_rwx_zero($1_xserver_t)
@@ -10813,10 +10852,11 @@
  
  	domain_mmap_low($1_xserver_t)
 +	domain_read_all_domains_state($1_xserver_t)
++	domain_dontaudit_ptrace_all_domains($1_xserver_t)
  
  	files_read_etc_files($1_xserver_t)
  	files_read_etc_runtime_files($1_xserver_t)
-@@ -140,12 +143,16 @@
+@@ -140,12 +144,16 @@
  	fs_getattr_xattr_fs($1_xserver_t)
  	fs_search_nfs($1_xserver_t)
  	fs_search_auto_mountpoints($1_xserver_t)
@@ -10834,7 +10874,7 @@
  	term_setattr_unallocated_ttys($1_xserver_t)
  	term_use_unallocated_ttys($1_xserver_t)
  
-@@ -232,39 +239,26 @@
+@@ -232,39 +240,26 @@
  	# Declarations
  	#
  
@@ -10881,7 +10921,7 @@
  	##############################
  	#
  	# $1_xserver_t Local policy
-@@ -272,12 +266,15 @@
+@@ -272,12 +267,15 @@
  
  	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
  
@@ -10898,7 +10938,7 @@
  
  	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
  	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -307,6 +304,7 @@
+@@ -307,6 +305,7 @@
  	userdom_use_user_ttys($1,$1_xserver_t)
  	userdom_setattr_user_ttys($1,$1_xserver_t)
  	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -10906,7 +10946,7 @@
  
  	xserver_use_user_fonts($1,$1_xserver_t)
  	xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -330,12 +328,12 @@
+@@ -330,12 +329,12 @@
  	allow $1_xauth_t self:process signal;
  	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -10924,7 +10964,7 @@
  
  	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
  
-@@ -344,12 +342,6 @@
+@@ -344,12 +343,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
  
@@ -10937,7 +10977,7 @@
  	domain_use_interactive_fds($1_xauth_t)
  
  	files_read_etc_files($1_xauth_t)
-@@ -378,6 +370,14 @@
+@@ -378,6 +371,14 @@
  	')
  
  	optional_policy(`
@@ -10952,7 +10992,7 @@
  		ssh_sigchld($1_xauth_t)
  		ssh_read_pipes($1_xauth_t)
  		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
-@@ -390,16 +390,16 @@
+@@ -390,16 +391,16 @@
  
  	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
  
@@ -10974,7 +11014,7 @@
  
  	fs_search_auto_mountpoints($1_iceauth_t)
  
-@@ -523,17 +523,16 @@
+@@ -523,17 +524,16 @@
  template(`xserver_user_client_template',`
  
  	gen_require(`
@@ -10999,7 +11039,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,25 +541,55 @@
+@@ -542,25 +542,55 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -11063,7 +11103,7 @@
  	')
  ')
  
-@@ -613,6 +642,24 @@
+@@ -613,6 +643,24 @@
  
  ########################################
  ## <summary>
@@ -11088,7 +11128,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -646,6 +693,73 @@
+@@ -646,6 +694,73 @@
  
  ########################################
  ## <summary>
@@ -11162,7 +11202,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -671,10 +785,10 @@
+@@ -671,10 +786,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -11175,7 +11215,7 @@
  ')
  
  ########################################
-@@ -760,7 +874,7 @@
+@@ -760,7 +875,7 @@
  		type xconsole_device_t;
  	')
  
@@ -11184,7 +11224,7 @@
  ')
  
  ########################################
-@@ -860,6 +974,25 @@
+@@ -860,6 +975,25 @@
  
  ########################################
  ## <summary>
@@ -11210,7 +11250,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1047,7 @@
+@@ -914,6 +1048,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -11218,7 +11258,7 @@
  ')
  
  ########################################
-@@ -974,6 +1108,37 @@
+@@ -974,6 +1109,37 @@
  
  ########################################
  ## <summary>
@@ -11256,7 +11296,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1288,7 @@
+@@ -1123,7 +1289,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -11265,7 +11305,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1477,45 @@
+@@ -1312,3 +1478,45 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -14503,7 +14543,7 @@
 +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.3/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc	2007-12-06 16:37:24.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc	2007-12-11 16:44:50.000000000 -0500
 @@ -1,4 +1,5 @@
 -HOME_DIR	-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
 -HOME_DIR/.+		gen_context(system_u:object_r:ROLE_home_t,s0)
@@ -14513,10 +14553,10 @@
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 +/tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
-+/root(/.*)	 	gen_context(system_u:object_r:admin_home_t,s0)
++/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/userdomain.if	2007-12-10 23:50:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/userdomain.if	2007-12-11 17:06:47.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -16020,7 +16060,7 @@
  ')
  
  ########################################
-@@ -4283,11 +4334,11 @@
+@@ -4283,16 +4334,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -16034,20 +16074,44 @@
  ')
  
  ########################################
-@@ -4303,10 +4354,10 @@
+ ## <summary>
+-##	Do not audit attempts to append to the staff
++##	Do not audit attempts to append to the 
+ ##	users home directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -4301,12 +4352,27 @@
+ ##	</summary>
+ ## </param>
  #
- interface(`userdom_dontaudit_append_staff_home_content_files',`
+-interface(`userdom_dontaudit_append_staff_home_content_files',`
++interface(`userdom_dontaudit_append_unpriv_home_content_files',`
  	gen_require(`
 -		type staff_home_t;
 +		type user_home_t;
  	')
  
 -	dontaudit $1 staff_home_t:file append;
-+	dontaudit $1 user_home_t:file append;
++	dontaudit $1 user_home_t:file append_file_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to append to the staff
++##	users home directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_append_staff_home_content_files',`
++	userdom_dontaudit_append_unpriv_home_content_files($1)
  ')
  
  ########################################
-@@ -4321,13 +4372,13 @@
+@@ -4321,13 +4387,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -16065,7 +16129,7 @@
  ')
  
  ########################################
-@@ -4525,10 +4576,10 @@
+@@ -4525,10 +4591,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -16078,7 +16142,7 @@
  ')
  
  ########################################
-@@ -4545,10 +4596,10 @@
+@@ -4545,10 +4611,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -16091,7 +16155,7 @@
  ')
  
  ########################################
-@@ -4563,10 +4614,10 @@
+@@ -4563,10 +4629,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -16104,7 +16168,7 @@
  ')
  
  ########################################
-@@ -4582,10 +4633,10 @@
+@@ -4582,10 +4648,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -16117,7 +16181,7 @@
  ')
  
  ########################################
-@@ -4600,10 +4651,10 @@
+@@ -4600,10 +4666,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -16130,7 +16194,7 @@
  ')
  
  ########################################
-@@ -4619,10 +4670,10 @@
+@@ -4619,10 +4685,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -16143,7 +16207,7 @@
  ')
  
  ########################################
-@@ -4638,12 +4689,11 @@
+@@ -4638,12 +4704,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -16159,7 +16223,7 @@
  ')
  
  ########################################
-@@ -4670,10 +4720,10 @@
+@@ -4670,10 +4735,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -16172,7 +16236,7 @@
  ')
  
  ########################################
-@@ -4688,10 +4738,10 @@
+@@ -4688,10 +4753,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -16185,7 +16249,7 @@
  ')
  
  ########################################
-@@ -4706,13 +4756,13 @@
+@@ -4706,13 +4771,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -16203,41 +16267,61 @@
  ')
  
  ########################################
-@@ -4748,11 +4798,29 @@
+@@ -4748,16 +4813,15 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
+-		attribute home_dir_type;
 +		attribute user_home_dir_type;
-+	')
-+
-+	files_list_home($1)
+ 	')
+ 
+ 	files_list_home($1)
+-	allow $1 home_dir_type:dir search_dir_perms;
 +	allow $1 user_home_dir_type:dir search_dir_perms;
-+')
-+########################################
-+## <summary>
+ ')
+-
+ ########################################
+ ## <summary>
+-##	List all users home directories.
 +##	Read all users home directories symlinks.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4765,18 +4829,18 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_list_all_users_home_dirs',`
 +interface(`userdom_read_all_users_home_dirs_symlinks',`
-+	gen_require(`
+ 	gen_require(`
  		attribute home_dir_type;
  	')
  
  	files_list_home($1)
--	allow $1 home_dir_type:dir search_dir_perms;
+-	allow $1 home_dir_type:dir list_dir_perms;
 +	allow $1 home_dir_type:lnk_file read_lnk_file_perms;
  ')
  
  ########################################
-@@ -4772,6 +4840,14 @@
- 
- 	files_list_home($1)
- 	allow $1 home_dir_type:dir list_dir_perms;
+ ## <summary>
+-##	Search all users home directories.
++##	List all users home directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4784,9 +4848,36 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_search_all_users_home_content',`
++interface(`userdom_list_all_users_home_dirs',`
+ 	gen_require(`
+-		attribute home_dir_type, home_type;
++		attribute home_dir_type;
++	')
++
++	files_list_home($1)
++	allow $1 home_dir_type:dir list_dir_perms;
 +
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_list_nfs(crond_t)
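Review bot: `fs_list_nfs(crond_t)` inside `userdom_list_all_users_home_dirs` (and `fs_list_cifs(crond_t)` two lines further on, in the next hunk) hard-codes the cron domain into a generic interface whose other rules are keyed on `$1`, so every other caller gets nothing under the two tunables while cron is granted the access whoever calls the interface. These lines are carried over unchanged from the previous body, but the rename makes the interface look general, and the caller argument should be used: `fs_list_nfs($1)` and `fs_list_cifs($1)`. Referencing `crond_t` here also ties the userdomain module to cron without a `gen_require`, which may fail to build where cron policy is absent; the declaration is not visible in this hunk, so that part is inferred.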
@@ -16246,10 +16330,25 @@
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_list_cifs(crond_t)
 +	')
- ')
++')
++
++########################################
++## <summary>
++##	Search all users home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_search_all_users_home_content',`
++	gen_require(`
++		attribute home_dir_type, home_type;
+ 	')
  
- ########################################
-@@ -5109,7 +5185,7 @@
+ 	files_list_home($1)
+@@ -5109,7 +5200,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -16258,29 +16357,25 @@
  	')
  
  	files_search_home($1)
-@@ -5298,8 +5374,8 @@
+@@ -5298,6 +5389,49 @@
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete directories in
--##	unprivileged users home directories.
 +##	append all unprivileged users home directory
 +##	files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5307,13 +5383,56 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_manage_unpriv_users_home_content_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`userdom_append_unpriv_users_home_content_files',`
- 	gen_require(`
- 		attribute user_home_dir_type, user_home_type;
- 	')
- 
- 	files_search_home($1)
--	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
++	gen_require(`
++		attribute user_home_dir_type, user_home_type;
++	')
++
++	files_search_home($1)
 +	allow $1 user_home_type:dir list_dir_perms;
 +	append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
 +')
@@ -16309,26 +16404,10 @@
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete directories in
-+##	unprivileged users home directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_manage_unpriv_users_home_content_dirs',`
-+	gen_require(`
-+		attribute user_home_dir_type, user_home_type;
-+	')
-+
-+	files_search_home($1)
-+	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
- ')
- 
- ########################################
-@@ -5503,6 +5622,24 @@
+ ##	Create, read, write, and delete directories in
+ ##	unprivileged users home directories.
+ ## </summary>
+@@ -5503,6 +5637,24 @@
  
  ########################################
  ## <summary>
@@ -16353,7 +16432,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5805,24 @@
+@@ -5668,6 +5820,24 @@
  
  ########################################
  ## <summary>
@@ -16378,7 +16457,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +5853,277 @@
+@@ -5698,3 +5868,277 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.565
retrieving revision 1.566
diff -u -r1.565 -r1.566
--- selinux-policy.spec	11 Dec 2007 06:04:49 -0000	1.565
+++ selinux-policy.spec	12 Dec 2007 14:53:07 -0000	1.566
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -379,6 +379,10 @@
 %endif
 
 %changelog
+* Tue Dec 11 2007 Dan Walsh <dwalsh at redhat.com> 3.2.3-2
+- Fixes for polkit
+- Allow xserver to ptrace
+
 * Tue Dec 11 2007 Dan Walsh <dwalsh at redhat.com> 3.2.3-1
 - Add polkit policy
 - Symplify userdom context, remove automatic per_role changes



