rpms/selinux-policy/devel policy-20080710.patch, 1.74, 1.75 selinux-policy.spec, 1.732, 1.733

Daniel J Walsh dwalsh at fedoraproject.org
Fri Oct 24 13:41:09 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22983

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
* Thu Oct 23 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-7
- Dontaudit domains trying to write to .xsession-errors


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -r1.74 -r1.75
--- policy-20080710.patch	24 Oct 2008 12:14:54 -0000	1.74
+++ policy-20080710.patch	24 Oct 2008 13:41:09 -0000	1.75
@@ -6953,7 +6953,7 @@
  ##	all protocols (TCP, UDP, etc)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te	2008-10-21 11:21:45.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te	2008-10-24 08:28:13.000000000 -0400
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -6983,7 +6983,15 @@
  
  # create child processes in the domain
  allow domain self:process { fork sigchld };
-@@ -131,6 +141,9 @@
+@@ -113,6 +123,7 @@
+ optional_policy(`
+ 	xserver_dontaudit_use_xdm_fds(domain)
+ 	xserver_dontaudit_rw_xdm_pipes(domain)
++	xserver_dontaudit_rw_xdm_home_files(domain)
+ ')
+ 
+ ########################################
+@@ -131,6 +142,9 @@
  allow unconfined_domain_type domain:fd use;
  allow unconfined_domain_type domain:fifo_file rw_file_perms;
  
@@ -6993,7 +7001,7 @@
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -140,7 +153,7 @@
+@@ -140,7 +154,7 @@
  
  # For /proc/pid
  allow unconfined_domain_type domain:dir list_dir_perms;
@@ -7002,7 +7010,7 @@
  allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  
  # act on all domains keys
-@@ -148,3 +161,39 @@
+@@ -148,3 +162,39 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7063,7 +7071,7 @@
  /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/files.if	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/files.if	2008-10-24 08:41:49.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -7076,7 +7084,32 @@
  	files_type($1)
  ')
  
-@@ -1303,6 +1308,24 @@
+@@ -1060,6 +1065,24 @@
+ ##	</summary>
+ ## </param>
+ #
++interface(`files_relabel_all_file_type_fs',`
++	gen_require(`
++		attribute file_type;
++	')
++
++	allow $1 file_type:filesystem { relabelfrom relabelto };
++')
++
++########################################
++## <summary>
++##	Relabel a filesystem to the type of a file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
+ interface(`files_relabelto_all_file_type_fs',`
+ 	gen_require(`
+ 		attribute file_type;
+@@ -1303,6 +1326,24 @@
  
  ########################################
  ## <summary>
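Review bot: The new `files_relabel_all_file_type_fs` interface is inserted directly under the doc block that previously introduced `files_relabelto_all_file_type_fs`, so that block, whose summary text sits above this hunk, now documents an interface granting `relabelfrom` as well as `relabelto`, while the freshly added block below re-documents the relabelto variant. The inherited summary should be changed to something like `##	Relabel a filesystem from and to the type of a file.` so the generated interface documentation reflects the wider grant. The interface bodies themselves are consistent with the existing relabelto one.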
@@ -7101,7 +7134,7 @@
  ##	Unmount a rootfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1889,6 +1912,26 @@
+@@ -1889,6 +1930,26 @@
  
  ########################################
  ## <summary>
@@ -7128,7 +7161,7 @@
  ##	Do not audit attempts to write generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2224,6 +2267,49 @@
+@@ -2224,6 +2285,49 @@
  
  ########################################
  ## <summary>
@@ -7178,7 +7211,7 @@
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -2744,6 +2830,24 @@
+@@ -2744,6 +2848,24 @@
  
  ########################################
  ## <summary>
@@ -7203,7 +7236,7 @@
  ##	Create, read, write, and delete symbolic links in /mnt.
  ## </summary>
  ## <param name="domain">
-@@ -3394,6 +3498,8 @@
+@@ -3394,6 +3516,8 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -7212,7 +7245,7 @@
  ')
  
  ########################################
-@@ -3471,6 +3577,47 @@
+@@ -3471,6 +3595,47 @@
  
  ########################################
  ## <summary>
@@ -7260,7 +7293,7 @@
  ##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
-@@ -3547,6 +3694,24 @@
+@@ -3547,6 +3712,24 @@
  
  ########################################
  ## <summary>
@@ -7285,7 +7318,7 @@
  ##	Relabel a file to the type used in /usr.
  ## </summary>
  ## <param name="domain">
-@@ -4433,6 +4598,25 @@
+@@ -4433,6 +4616,25 @@
  
  ########################################
  ## <summary>
@@ -7311,7 +7344,7 @@
  ##	Read and write generic process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -4761,12 +4945,14 @@
+@@ -4761,12 +4963,14 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -7327,7 +7360,7 @@
  	')
  ')
  
-@@ -4787,3 +4973,71 @@
+@@ -4787,3 +4991,71 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -7894,7 +7927,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2008-10-14 11:58:07.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te	2008-10-24 08:34:16.000000000 -0400
 @@ -21,7 +21,6 @@
  
  # Use xattrs for the following filesystem types.
@@ -7915,15 +7948,16 @@
  type eventpollfs_t;
  fs_type(eventpollfs_t)
  # change to task SID 20060628
-@@ -141,6 +145,7 @@
+@@ -141,6 +145,8 @@
  fs_noxattr_type(vmblock_t)
  files_mountpoint(vmblock_t)
  genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
 +genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
++genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)
  
  type vxfs_t;
  fs_noxattr_type(vxfs_t)
-@@ -241,6 +246,7 @@
+@@ -241,6 +247,7 @@
  genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
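Review bot: `vmhgfs` joins `vboxsf` in being labeled `vmblock_t`, so every rule written for vmblock_t now also covers VMware host shared folders, which hold host-controlled data rather than the vmblock helper filesystem. A comment above the two lines, e.g. `# guest-additions shared folders (vboxsf, vmhgfs) are treated like vmblock`, would record that this is deliberate; whether the domains allowed on vmblock_t should reach host shares cannot be judged from this hunk.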
@@ -12391,7 +12425,7 @@
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cron.if	2008-10-23 17:00:09.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/cron.if	2008-10-24 08:57:55.000000000 -0400
 @@ -35,39 +35,24 @@
  #
  template(`cron_per_role_template',`
@@ -12744,7 +12778,7 @@
 +
 +########################################
 +## <summary>
-+##	Manage lib files used by cron
++##	Manage pid files used by cron
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -12752,13 +12786,13 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`cron_manage_lib_files',`
++interface(`cron_manage_pid_files',`
 +	gen_require(`
-+		type crond_var_lib_t;
++		type crond_var_run_t;
 +	')
 +
 +
-+	manage_files_pattern($1, crond_var_lib_t,  crond_var_lib_t)
++	manage_files_pattern($1, crond_var_run_t,  crond_var_run_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2008-08-07 11:15:11.000000000 -0400
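Review bot: `cron_manage_pid_files` grants the file pattern on `crond_var_run_t` but does nothing to let the caller search /var/run to reach it; other `*_manage_pid_files` interfaces in refpolicy pair the pattern with `files_search_pids($1)`, so adding that line before `manage_files_pattern` is probably needed for any caller that does not already search the pid directory. The two consecutive blank lines inside the body and the double space in `crond_var_run_t,  crond_var_run_t` are leftovers from the renamed lib-files version and could be tidied at the same time. The summary change in the preceding hunk matches the rename.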
@@ -13652,7 +13686,7 @@
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dbus.if	2008-10-17 17:55:07.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/dbus.if	2008-10-24 09:08:08.000000000 -0400
 @@ -53,19 +53,19 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -13881,7 +13915,7 @@
  ##	Read dbus configuration.
  ## </summary>
  ## <param name="domain">
-@@ -366,3 +440,99 @@
+@@ -366,3 +440,120 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -13936,6 +13970,9 @@
 +	dbus_system_bus_client_template($1, $1)
 +	dbus_connect_system_bus($1)
 +
++	ifdef(`hide_broken_symptoms', `
++		dbus_dontaudit_rw_system_selinux_socket($1)
++	');
 +')
 +
 +########################################
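Review bot: The `');` closing the new `ifdef(`hide_broken_symptoms'` block carries a trailing semicolon that m4 passes straight through into the generated policy, whereas the rest of this file closes such blocks with a bare `')`; unless checkmodule is known to tolerate a lone `;`, change it to `')`. The enclosing interface begins above this hunk. `dbus_dontaudit_rw_system_selinux_socket` is defined further down in this same patch, so the call resolves.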
@@ -13981,6 +14018,24 @@
 +
 +	dontaudit $2 dbusd_userbus:unix_stream_socket connectto;
 +')
++
++########################################
++## <summary>
++##	dontaudit attempts to use system_dbus_t selinux_socket
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dbus_dontaudit_rw_system_selinux_socket',`
++	gen_require(`
++		type system_dbusd_t;
++	')
++
++	dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.13/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2008-10-16 17:21:16.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/dbus.te	2008-10-17 17:54:43.000000000 -0400
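Review bot: The summary of the new interface names the type as `system_dbus_t`, but both the gen_require and the dontaudit rule use `system_dbusd_t`; the doc line should read `##	Do not audit attempts to read and write the system dbusd netlink selinux socket.` so the generated documentation matches the type actually referenced. The rule itself is narrowly scoped to `{ read write }` on `netlink_selinux_socket`, which is appropriate for a dontaudit.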
@@ -14622,7 +14677,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te	2008-10-23 16:59:49.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te	2008-10-24 08:57:28.000000000 -0400
 @@ -10,6 +10,9 @@
  type dnsmasq_exec_t;
  init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
@@ -14682,7 +14737,7 @@
  
  optional_policy(`
 -	nis_use_ypbind(dnsmasq_t)
-+	cron_manage_lib_files(crond_var_lib_t)
++	cron_manage_pid_files(dnsmasq_t)
  ')
  
  optional_policy(`
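Review bot: `cron_manage_pid_files(dnsmasq_t)` gives the DNS forwarder manage rights over crond's pid files, and nothing in the hunk records which setup makes dnsmasq write into another service's run directory; correcting the previous revision's argument (a type was passed where the domain belongs) is right, but a comment above the call such as `# TODO(review): note which deployment needs dnsmasq to manage crond pid files` would let a later maintainer decide whether a read/write-only interface would suffice. The optional_policy block this sits in starts within the hunk but its original purpose is only visible through the removed `nis_use_ypbind` line.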
@@ -17899,7 +17954,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.13/policy/modules/services/pads.te
 --- nsaserefpolicy/policy/modules/services/pads.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/pads.te	2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/pads.te	2008-10-24 08:49:04.000000000 -0400
 @@ -0,0 +1,68 @@
 +
 +policy_module(pads, 0.0.1) 
@@ -17940,7 +17995,7 @@
 +allow pads_t pads_var_run_t:file manage_file_perms;
 +files_pid_filetrans(pads_t, pads_var_run_t, file)
 +
-+corecmd_search_sbin(pads_t)
++corecmd_search_bin(pads_t)
 +
 +corenet_all_recvfrom_unlabeled(pads_t)
 +corenet_all_recvfrom_netlabel(pads_t)
@@ -19691,7 +19746,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/prelude.te	2008-10-23 14:47:03.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/prelude.te	2008-10-24 09:28:30.000000000 -0400
 @@ -13,25 +13,57 @@
  type prelude_spool_t;
  files_type(prelude_spool_t)
@@ -19785,6 +19840,15 @@
  
  auth_use_nsswitch(prelude_t)
  
+@@ -89,7 +132,7 @@
+ #
+ # prelude_audisp local policy
+ #
+-
++allow prelude_audisp_t self:capability dac_override;
+ allow prelude_audisp_t self:fifo_file rw_file_perms;
+ allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
 @@ -110,6 +153,7 @@
  corenet_tcp_sendrecv_all_if(prelude_audisp_t)
  corenet_tcp_sendrecv_all_nodes(prelude_audisp_t)
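Review bot: `allow prelude_audisp_t self:capability dac_override;` lets the audisp plugin bypass every DAC file permission check, a broad grant for a process that should only need its own spool and sockets; the usual refpolicy approach is to first check whether the denial stems from a file or directory whose ownership or mode packaging can fix, and to comment the reason when dac_override is genuinely required, e.g. `# dac_override: needed because <reason> -- TODO confirm`. The correlator block later in this patch carries the same capability and should get the same justification. The audisp local policy block continues outside this hunk.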
@@ -19793,7 +19857,7 @@
  
  dev_read_rand(prelude_audisp_t)
  dev_read_urand(prelude_audisp_t)
-@@ -117,15 +161,143 @@
+@@ -117,15 +161,139 @@
  # Init script handling
  domain_use_interactive_fds(prelude_audisp_t)
  
@@ -19817,7 +19881,6 @@
 +#
 +
 +allow prelude_correlator_t self:capability dac_override;
-+
 +allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
 +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
 +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
@@ -19827,7 +19890,7 @@
 +
 +prelude_manage_spool(prelude_correlator_t)
 +
-+corecmd_search_sbin(prelude_correlator_t)
++corecmd_search_bin(prelude_correlator_t)
 +
 +corenet_all_recvfrom_unlabeled(prelude_correlator_t)
 +corenet_all_recvfrom_netlabel(prelude_correlator_t)
@@ -19844,8 +19907,6 @@
 +files_read_usr_files(prelude_correlator_t)
 +files_search_spool(prelude_correlator_t)
 +
-+kernel_read_sysctl(prelude_correlator_t)
-+
 +libs_use_ld_so(prelude_correlator_t)
 +libs_use_shared_libs(prelude_correlator_t)
 +
@@ -19910,8 +19971,7 @@
 +
 +fs_list_inotifyfs(prelude_lml_t)
 +fs_read_anon_inodefs_files(prelude_lml_t)
-+
-+kernel_read_sysctl(prelude_lml_t)
++fs_rw_anon_inodefs_files(prelude_lml_t)
 +
 +auth_use_nsswitch(prelude_lml_t)
 +
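Review bot: Once `fs_rw_anon_inodefs_files(prelude_lml_t)` is granted, the `fs_read_anon_inodefs_files(prelude_lml_t)` call on the line above becomes redundant if the rw interface is a superset of the read one, as its name suggests; dropping the read line keeps the lml block from listing the same object twice. The removal of `kernel_read_sysctl(prelude_lml_t)` in the same hunk is not mentioned in the changelog, so if lml still reads sysctls that denial will reappear.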
@@ -19937,12 +19997,15 @@
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -134,6 +306,17 @@
+@@ -134,6 +302,20 @@
  optional_policy(`
  	apache_content_template(prewikka)
  	files_read_etc_files(httpd_prewikka_script_t)
 +	files_search_tmp(httpd_prewikka_script_t)
 +
++	kernel_read_sysctl(httpd_prewikka_script_t)
++	kernel_search_network_sysctl(httpd_prewikka_script_t)
++
 +	can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
 +
 +	corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
@@ -23701,6 +23764,18 @@
  files_read_var_files(tftpd_t)
  files_read_var_symlinks(tftpd_t)
  files_search_var(tftpd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.13/policy/modules/services/tor.te
+--- nsaserefpolicy/policy/modules/services/tor.te	2008-10-16 17:21:16.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/tor.te	2008-10-24 08:19:01.000000000 -0400
+@@ -34,7 +34,7 @@
+ # tor local policy
+ #
+ 
+-allow tor_t self:capability { setgid setuid };
++allow tor_t self:capability { setgid setuid sys_tty_config };
+ allow tor_t self:fifo_file rw_fifo_file_perms;
+ allow tor_t self:unix_stream_socket create_stream_socket_perms;
+ allow tor_t self:netlink_route_socket r_netlink_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/virt.fc	2008-10-17 10:31:27.000000000 -0400
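Review bot: `sys_tty_config` is added as an allowed capability for `tor_t`, but daemons usually trigger this denial only through harmless terminal ioctls at startup, and refpolicy's customary treatment for network services is `dontaudit tor_t self:capability sys_tty_config;` rather than an allow. Unless tor actually needs to configure a terminal, the dontaudit form gives the same clean audit log without extending the daemon's capability set. The tor local policy block continues past the end of this hunk.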
@@ -24039,7 +24114,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2008-10-23 17:14:25.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2008-10-24 08:25:44.000000000 -0400
 @@ -16,6 +16,7 @@
  	gen_require(`
  		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -26652,7 +26727,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/init.te	2008-10-20 14:36:54.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/init.te	2008-10-24 08:50:27.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -26755,7 +26830,15 @@
  
  can_exec(initrc_t,initrc_tmp_t)
  allow initrc_t initrc_tmp_t:file manage_file_perms;
-@@ -276,7 +305,7 @@
+@@ -253,6 +282,7 @@
+ kernel_dontaudit_getattr_message_if(initrc_t)
+ 
+ files_read_kernel_symbol_table(initrc_t)
++files_exec_etc_files(initrc_t)
+ 
+ corenet_all_recvfrom_unlabeled(initrc_t)
+ corenet_all_recvfrom_netlabel(initrc_t)
+@@ -276,7 +306,7 @@
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
@@ -26764,7 +26847,7 @@
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -330,7 +359,7 @@
+@@ -330,7 +360,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -26773,7 +26856,7 @@
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -371,6 +400,7 @@
+@@ -371,6 +401,7 @@
  libs_use_shared_libs(initrc_t)
  libs_exec_lib_files(initrc_t)
  
@@ -26781,7 +26864,7 @@
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -503,6 +533,7 @@
+@@ -503,6 +534,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -26789,7 +26872,7 @@
  	')
  
  	optional_policy(`
-@@ -521,6 +552,31 @@
+@@ -521,6 +553,31 @@
  	')
  ')
  
@@ -26821,18 +26904,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -536,6 +592,10 @@
- ')
- 
- optional_policy(`
-+	automount_exec_config(initrc_t)
-+')
-+
-+optional_policy(`
- 	bind_read_config(initrc_t)
- 
- 	# for chmod in start script
-@@ -575,6 +635,10 @@
+@@ -575,6 +632,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -26843,7 +26915,7 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -660,12 +724,6 @@
+@@ -660,12 +721,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -26856,7 +26928,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -726,6 +784,9 @@
+@@ -726,6 +781,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -26866,7 +26938,7 @@
  ')
  
  optional_policy(`
-@@ -738,10 +799,12 @@
+@@ -738,10 +796,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -26879,7 +26951,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -759,6 +822,11 @@
+@@ -759,6 +819,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -26891,7 +26963,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -773,6 +841,10 @@
+@@ -773,6 +838,10 @@
  ')
  
  optional_policy(`
@@ -26902,7 +26974,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -795,3 +867,11 @@
+@@ -795,3 +864,11 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -27753,7 +27825,7 @@
  		samba_run_smbmount($1, $2, $3)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/mount.te	2008-10-20 11:20:42.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/mount.te	2008-10-24 08:40:39.000000000 -0400
 @@ -18,17 +18,18 @@
  init_system_domain(mount_t,mount_exec_t)
  role system_r types mount_t;
@@ -27835,6 +27907,15 @@
  
  files_search_all(mount_t)
  files_read_etc_files(mount_t)
+@@ -87,7 +98,7 @@
+ files_mounton_all_mountpoints(mount_t)
+ files_unmount_rootfs(mount_t)
+ # These rules need to be generalized.  Only admin, initrc should have it:
+-files_relabelto_all_file_type_fs(mount_t)
++files_relabel_all_file_type_fs(mount_t)
+ files_mount_all_file_type_fs(mount_t)
+ files_unmount_all_file_type_fs(mount_t)
+ # for when /etc/mtab loses its type
 @@ -100,6 +111,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
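Review bot: Switching `mount_t` from `files_relabelto_all_file_type_fs` to `files_relabel_all_file_type_fs` additionally grants `relabelfrom` on filesystems of every file type, widening the very rule that the comment on the previous line already marks as too broad ("Only admin, initrc should have it"). If this is presumably for mounting with a `context=` option over an already-labeled filesystem, stating that in the comment, e.g. `# mount -o context= needs relabelfrom as well as relabelto`, would explain why the grant grew rather than shrank.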
@@ -33169,15 +33250,14 @@
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel
 --- nsaserefpolicy/support/Makefile.devel	2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.5.13/support/Makefile.devel	2008-10-24 08:13:54.000000000 -0400
-@@ -181,8 +181,8 @@
++++ serefpolicy-3.5.13/support/Makefile.devel	2008-10-24 09:40:08.000000000 -0400
+@@ -181,8 +181,7 @@
  tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
  	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
  	@test -d $(@D) || mkdir -p $(@D)
 -	$(call peruser-expansion,$(basename $(@F)),$@.role)
 -	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+#	$(call peruser-expansion,$(basename $(@F)),$@.role)
-+#	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
  	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
  
  tmp/%.mod.fc: $(m4support) %.fc


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.732
retrieving revision 1.733
diff -u -r1.732 -r1.733
--- selinux-policy.spec	24 Oct 2008 12:14:54 -0000	1.732
+++ selinux-policy.spec	24 Oct 2008 13:41:09 -0000	1.733
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -462,6 +462,9 @@
 %endif
 
 %changelog
+* Thu Oct 23 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-7
+- Dontaudit domains trying to write to .xsession-errors
+
 * Thu Oct 23 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-6
 - Allow nsplugin to look at autofs_t directory
 



