rpms/selinux-policy/devel policy-20090105.patch, 1.31, 1.32 selinux-policy.spec, 1.782, 1.783

Daniel J Walsh dwalsh at fedoraproject.org
Wed Feb 4 16:14:08 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4300

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Wed Feb 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-2
- More fixes for devicekit


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- policy-20090105.patch	4 Feb 2009 04:02:16 -0000	1.31
+++ policy-20090105.patch	4 Feb 2009 16:14:05 -0000	1.32
@@ -4253,7 +4253,7 @@
 +corecmd_executable_file(wm_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.4/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/corecommands.fc	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/kernel/corecommands.fc	2009-02-04 08:37:02.000000000 -0500
 @@ -58,6 +58,8 @@
  
  /etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
@@ -4308,7 +4308,7 @@
 +
 +/usr/lib/oracle/xe/apps(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 +
-+/usr/lib(64)?/pm-utils/sleep.d(/.*)?  gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/pm-utils(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib/wicd/monitor.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.4/policy/modules/kernel/corecommands.if
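Review bot: The replacement pattern `/usr/lib(64)?/pm-utils(/.*)?` labels the whole pm-utils tree `bin_t`, where the old entry covered only `sleep.d`. Any data or configuration files under that path become generic executables for every domain allowed to run `bin_t`. If only some subdirectories hold scripts, listing them explicitly keeps the label narrower. If the whole tree is intended, a comment above the entry such as `# everything under pm-utils is a hook or helper script` would record that. The directory layout is not visible on this page, so this needs checking against the package.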
@@ -5191,7 +5191,7 @@
  type power_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.4/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/domain.if	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/kernel/domain.if	2009-02-04 10:42:48.000000000 -0500
 @@ -1247,18 +1247,34 @@
  ##	</summary>
  ## </param>
@@ -5230,9 +5230,34 @@
  ##	Allow specified type to receive labeled
  ##	networking packets from all domains, over
  ##	all protocols (TCP, UDP, etc)
+@@ -1279,6 +1295,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Polyinstatiated access to domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`domain_poly',`
++	gen_require(`
++		attribute polydomain;
++	')
++
++	typeattribute $1 polydomain;
++')
++
++########################################
++## <summary>
+ ##	Unconfined access to domains.
+ ## </summary>
+ ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.4/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/domain.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/kernel/domain.te	2009-02-04 10:30:24.000000000 -0500
 @@ -5,6 +5,13 @@
  #
  # Declarations
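Review bot: The summary on the new `domain_poly` interface, "Polyinstatiated access to domains.", is misspelled and does not describe what the interface does; the body only adds the `polydomain` attribute to `$1`. Something like `##	Mark the specified domain as one that polyinstantiates directories.` would match the body, and the parameter text could read `Domain to be given the polydomain attribute.` rather than the copied "Domain allowed access." The matching `attribute polydomain;` declaration in the following domain.te hunk is the only attribute in that group without a comment line above it; `# Domains that set up polyinstantiated directories` would fit the neighbouring style.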
@@ -5247,7 +5272,16 @@
  
  # Mark process types as domains
  attribute domain;
-@@ -80,6 +87,8 @@
+@@ -15,6 +22,8 @@
+ # Domains that are unconfined
+ attribute unconfined_domain_type;
+ 
++attribute polydomain;
++
+ # Domains that can mmap low memory.
+ attribute mmap_low_domain_type;
+ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+@@ -80,6 +89,8 @@
  allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
  allow domain self:file rw_file_perms;
  kernel_read_proc_symlinks(domain)
@@ -5256,7 +5290,7 @@
  # Every domain gets the key ring, so we should default
  # to no one allowed to look at it; afs kernel support creates
  # a keyring
-@@ -106,6 +115,10 @@
+@@ -106,6 +117,10 @@
  ')
  
  optional_policy(`
@@ -5267,7 +5301,7 @@
  	libs_use_ld_so(domain)
  	libs_use_shared_libs(domain)
  ')
-@@ -118,6 +131,7 @@
+@@ -118,6 +133,7 @@
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -5275,7 +5309,7 @@
  ')
  
  ########################################
-@@ -136,6 +150,9 @@
+@@ -136,6 +152,9 @@
  allow unconfined_domain_type domain:fd use;
  allow unconfined_domain_type domain:fifo_file rw_file_perms;
  
@@ -5285,7 +5319,7 @@
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -145,7 +162,7 @@
+@@ -145,7 +164,7 @@
  
  # For /proc/pid
  allow unconfined_domain_type domain:dir list_dir_perms;
@@ -5294,7 +5328,7 @@
  allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  
  # act on all domains keys
-@@ -153,3 +170,34 @@
+@@ -153,3 +172,42 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5329,6 +5363,14 @@
 +
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
++
++tunable_policy(`allow_polyinstantiation',`
++	files_polyinstantiate_all(polydomain)
++	userdom_manage_user_home_content_dirs(polydomain)
++	userdom_manage_user_home_content_files(polydomain)
++	userdom_relabelto_user_home_dirs(polydomain)
++	userdom_relabelto_user_home_files(polydomain)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.4/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/kernel/files.fc	2009-02-03 22:57:29.000000000 -0500
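Review bot: The added `allow_polyinstantiation` block gives every `polydomain` member manage and relabelto rights on user home content on top of `files_polyinstantiate_all`, and nothing in the block says why the home-directory rules are needed. The authlogin.if hunk at the end of this patch adds `domain_poly($1)` to `auth_login_pgm_domain`, so every login program domain receives these rights when the boolean is on. A comment such as `# login programs create and relabel the per-user instance directories` would record the intent, if that is the intent. It is also worth confirming that `userdom_relabelto_user_home_files` is actually exercised, since relabelling directories may be all that is required.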
@@ -5360,7 +5402,7 @@
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.4/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/kernel/files.if	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/kernel/files.if	2009-02-04 10:53:13.000000000 -0500
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5554,7 +5596,16 @@
  ')
  
  ########################################
-@@ -4895,12 +5008,14 @@
+@@ -4873,7 +4986,7 @@
+ 	selinux_compute_member($1)
+ 
+ 	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin };
++	allow $1 self:capability { chown fsetid sys_admin fowner };
+ 
+ 	# Need to give access to the directories to be polyinstantiated
+ 	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+@@ -4895,12 +5008,15 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -5563,6 +5614,7 @@
 +
  	ifdef(`distro_redhat',`
  		# namespace.init
++		files_search_tmp($1)
  		files_search_home($1)
  		corecmd_exec_bin($1)
  		seutil_domtrans_setfiles($1)
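Review bot: `files_search_tmp($1)` here and the `fowner` capability added in the preceding hunk have moved out of the `crond_t`-only block in cron.te into the shared interface, so every caller now receives both. The existing comment above the capability line still reads "Need sys_admin capability for mounting" and does not account for `fowner`. A short addition such as `# fowner: set ownership and mode on instance directories the caller does not own` would explain the wider grant, assuming that is the reason. The interface body starts outside both hunks.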
@@ -5570,7 +5622,7 @@
  	')
  ')
  
-@@ -4921,3 +5036,95 @@
+@@ -4921,3 +5037,95 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -9495,7 +9547,7 @@
  /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.4/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/apm.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/apm.te	2009-02-04 08:40:10.000000000 -0500
 @@ -181,7 +181,7 @@
  ')
  
@@ -10772,7 +10824,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.4/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/cron.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/cron.te	2009-02-04 10:53:15.000000000 -0500
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -10897,13 +10949,11 @@
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -227,21 +251,45 @@
+@@ -227,21 +251,43 @@
  	')
  ')
  
 +tunable_policy(`allow_polyinstantiation',`
-+	allow crond_t self:capability fowner;
-+	files_search_tmp(crond_t)
 +	files_polyinstantiate_all(crond_t)
 +')
 +
@@ -10944,7 +10994,7 @@
  ')
  
  optional_policy(`
-@@ -283,7 +331,14 @@
+@@ -283,7 +329,14 @@
  allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
  files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
  
@@ -10959,7 +11009,7 @@
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -314,9 +369,13 @@
+@@ -314,9 +367,13 @@
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -10974,7 +11024,7 @@
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +429,8 @@
+@@ -370,7 +427,8 @@
  init_read_utmp(system_cronjob_t)
  init_dontaudit_rw_utmp(system_cronjob_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10984,7 +11034,7 @@
  
  auth_use_nsswitch(system_cronjob_t)
  
-@@ -378,6 +438,7 @@
+@@ -378,6 +436,7 @@
  libs_exec_ld_so(system_cronjob_t)
  
  logging_read_generic_logs(system_cronjob_t)
@@ -10992,7 +11042,7 @@
  logging_send_syslog_msg(system_cronjob_t)
  
  miscfiles_read_localization(system_cronjob_t)
-@@ -418,6 +479,10 @@
+@@ -418,6 +477,10 @@
  ')
  
  optional_policy(`
@@ -11003,7 +11053,7 @@
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -428,11 +493,20 @@
+@@ -428,11 +491,20 @@
  ')
  
  optional_policy(`
@@ -11024,7 +11074,7 @@
  ')
  
  optional_policy(`
-@@ -447,6 +521,7 @@
+@@ -447,6 +519,7 @@
  	prelink_read_cache(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_delete_cache(system_cronjob_t)
@@ -11032,7 +11082,7 @@
  ')
  
  optional_policy(`
-@@ -460,8 +535,7 @@
+@@ -460,8 +533,7 @@
  ')
  
  optional_policy(`
@@ -11042,7 +11092,7 @@
  ')
  
  optional_policy(`
-@@ -469,24 +543,17 @@
+@@ -469,24 +541,17 @@
  ')
  
  optional_policy(`
@@ -11070,7 +11120,7 @@
  allow cronjob_t self:process { signal_perms setsched };
  allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +637,9 @@
+@@ -570,6 +635,9 @@
  userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
@@ -12232,8 +12282,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.4/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/devicekit.te	2009-02-03 22:57:29.000000000 -0500
-@@ -0,0 +1,114 @@
++++ serefpolicy-3.6.4/policy/modules/services/devicekit.te	2009-02-04 08:40:38.000000000 -0500
+@@ -0,0 +1,125 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@@ -12290,15 +12340,22 @@
 +
 +consoletype_exec(devicekit_power_t)
 +
++domain_read_all_domains_state(devicekit_power_t)
++
++kernel_read_system_state(devicekit_power_t)
++kernel_rw_hotplug_sysctls(devicekit_power_t)
++
 +dev_rw_generic_usb_dev(devicekit_power_t)
 +dev_rw_netcontrol(devicekit_power_t)
 +dev_rw_sysfs(devicekit_power_t)
 +
 +files_read_etc_files(devicekit_power_t)
-+files_read_usr_files(devicekit_t)
++files_read_usr_files(devicekit_power_t)
 +
 +fs_list_inotifyfs(devicekit_power_t)
 +
++term_use_all_terms(devicekit_power_t)
++
 +auth_use_nsswitch(devicekit_power_t)
 +
 +miscfiles_read_localization(devicekit_power_t)
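Review bot: `term_use_all_terms(devicekit_power_t)` and `domain_read_all_domains_state(devicekit_power_t)` are broad grants for a power-management daemon, covering every terminal and the process state of every domain, and neither line carries a comment saying which denial it answers. The same applies to `fstools_domtrans(devicekit_power_t)` in the next hunk, which lets the daemon run filesystem tools in their own domain. Each should be preceded by a one-line reason, and if the terminal access only silences inherited-descriptor noise, a dontaudit rule would be the tighter choice. Separately, correcting `files_read_usr_files(devicekit_t)` to `devicekit_power_t` removes that access from `devicekit_t` unless it is granted elsewhere in devicekit.te, which is not visible in this hunk.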
@@ -12346,6 +12403,10 @@
 +')
 +
 +optional_policy(`
++	fstools_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
 +	vbetool_domtrans(devicekit_power_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.4/policy/modules/services/dhcp.if
@@ -17371,7 +17432,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.4/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/polkit.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/polkit.te	2009-02-04 09:00:48.000000000 -0500
 @@ -0,0 +1,237 @@
 +policy_module(polkit_auth, 1.0.0)
 +
@@ -17513,7 +17574,7 @@
 +')
 +
 +optional_policy(`
-+	xserver_dontaudit_write_log(polkit_auth_t)
++	xserver_xdm_append_log(polkit_auth_t)
 +')
 +
 +########################################
@@ -18801,7 +18862,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.4/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/prelude.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/prelude.te	2009-02-04 08:49:43.000000000 -0500
 @@ -13,25 +13,57 @@
  type prelude_spool_t;
  files_type(prelude_spool_t)
@@ -18871,7 +18932,7 @@
  corecmd_search_bin(prelude_t)
  
  corenet_all_recvfrom_unlabeled(prelude_t)
-@@ -56,15 +91,23 @@
+@@ -56,15 +91,24 @@
  corenet_tcp_sendrecv_generic_if(prelude_t)
  corenet_tcp_sendrecv_generic_node(prelude_t)
  corenet_tcp_bind_generic_node(prelude_t)
@@ -18888,6 +18949,7 @@
  domain_use_interactive_fds(prelude_t)
  
  files_read_etc_files(prelude_t)
++files_read_etc_runtime_files(prelude_t)
  files_read_usr_files(prelude_t)
 +files_search_tmp(prelude_t)
 +
@@ -18895,7 +18957,7 @@
  
  auth_use_nsswitch(prelude_t)
  
-@@ -86,7 +129,7 @@
+@@ -86,7 +130,7 @@
  #
  # prelude_audisp local policy
  #
@@ -18904,7 +18966,7 @@
  allow prelude_audisp_t self:fifo_file rw_file_perms;
  allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
  allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
-@@ -107,6 +150,7 @@
+@@ -107,6 +151,7 @@
  corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
  corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
  corenet_tcp_bind_generic_node(prelude_audisp_t)
@@ -18912,7 +18974,7 @@
  
  dev_read_rand(prelude_audisp_t)
  dev_read_urand(prelude_audisp_t)
-@@ -114,12 +158,134 @@
+@@ -114,12 +159,134 @@
  # Init script handling
  domain_use_interactive_fds(prelude_audisp_t)
  
@@ -19047,7 +19109,7 @@
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -128,6 +294,20 @@
+@@ -128,6 +295,20 @@
  optional_policy(`
  	apache_content_template(prewikka)
  	files_read_etc_files(httpd_prewikka_script_t)
@@ -22720,7 +22782,7 @@
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.4/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/xserver.fc	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/xserver.fc	2009-02-04 08:58:37.000000000 -0500
 @@ -3,12 +3,16 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -22768,8 +22830,9 @@
 +/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
  
 -/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/gdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
- /var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
@@ -22789,7 +22852,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.4/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/xserver.if	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/xserver.if	2009-02-04 10:10:19.000000000 -0500
 @@ -90,7 +90,7 @@
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -22995,7 +23058,35 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1018,10 +1063,11 @@
+@@ -872,6 +917,27 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow append the xdm
++##	log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit
++##	</summary>
++## </param>
++#
++interface(`xserver_xdm_append_log',`
++	gen_require(`
++		type xdm_log_t;
++		attribute xdmhomewriter;
++	')
++
++	typeattribute $1 xdmhomewriter;
++	append_files_pattern($1, xdm_log_t, xdm_log_t)
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to write the X server
+ ##	log files.
+ ## </summary>
+@@ -1018,10 +1084,11 @@
  #
  interface(`xserver_domtrans',`
  	gen_require(`
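Review bot: The documentation block on the new `xserver_xdm_append_log` interface was copied from a dontaudit interface and no longer matches the body: the parameter summary says "Domain to not audit" although the interface now allows access, and the summary "Allow append the xdm log files." is ungrammatical. Suggested text is `##	Allow the specified domain to append to xdm log files.` and `##	Domain allowed access.` The body also adds `$1` to the `xdmhomewriter` attribute, a side effect the summary does not mention. Callers such as `polkit_auth_t` will pick up whatever is granted to that attribute, so the description should say so.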
@@ -23008,7 +23099,7 @@
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
  ')
  
-@@ -1159,6 +1205,275 @@
+@@ -1159,6 +1226,275 @@
  
  ########################################
  ## <summary>
@@ -23284,7 +23375,7 @@
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1172,7 +1487,99 @@
+@@ -1172,7 +1508,99 @@
  interface(`xserver_unconfined',`
  	gen_require(`
  		attribute xserver_unconfined_type;
@@ -23386,7 +23477,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/xserver.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/xserver.te	2009-02-04 10:49:48.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -23401,7 +23492,15 @@
  ## Allow xdm logins as sysadm
  ## </p>
  ## </desc>
-@@ -65,14 +72,14 @@
+@@ -46,6 +53,7 @@
+ ## </desc>
+ gen_tunable(xserver_object_manager, false)
+ 
++attribute xdmhomewriter;
+ attribute input_xevent_type;
+ attribute xserver_unconfined_type;
+ attribute x_domain;
+@@ -65,14 +73,14 @@
  
  type iceauth_t;
  type iceauth_exec_t;
@@ -23418,7 +23517,7 @@
  files_poly_member(iceauth_home_t)
  userdom_user_home_content(iceauth_home_t)
  
-@@ -112,17 +119,17 @@
+@@ -112,17 +120,17 @@
  typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };
  
  type user_fonts_t;
@@ -23440,7 +23539,7 @@
  typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
  userdom_user_home_content(user_fonts_config_t)
  
-@@ -134,18 +141,18 @@
+@@ -134,18 +142,18 @@
  type xauth_t;
  type xauth_exec_t;
  typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
@@ -23462,7 +23561,7 @@
  typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
  files_tmp_file(xauth_tmp_t)
  ubac_constrained(xauth_tmp_t)
-@@ -166,7 +173,10 @@
+@@ -166,7 +174,10 @@
  files_lock_file(xdm_lock_t)
  
  type xdm_rw_etc_t;
@@ -23474,7 +23573,7 @@
  
  type xdm_var_lib_t;
  files_type(xdm_var_lib_t)
-@@ -174,6 +184,12 @@
+@@ -174,6 +185,12 @@
  type xdm_var_run_t;
  files_pid_file(xdm_var_run_t)
  
@@ -23487,17 +23586,20 @@
  type xdm_tmp_t;
  files_tmp_file(xdm_tmp_t)
  typealias xdm_tmp_t alias ice_tmp_t;
-@@ -181,6 +197,9 @@
+@@ -181,6 +198,12 @@
  type xdm_tmpfs_t;
  files_tmpfs_file(xdm_tmpfs_t)
  
 +type xdm_home_t;
 +userdom_user_home_content(xdm_home_t)
 +
++type xdm_log_t;
++logging_log_file(xdm_log_t)
++
  # type for /var/lib/xkb
  type xkb_var_lib_t;
  files_type(xkb_var_lib_t)
-@@ -189,7 +208,7 @@
+@@ -189,7 +212,7 @@
  type xserver_t;
  type xserver_exec_t;
  typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t };
@@ -23506,7 +23608,7 @@
  xserver_object_types_template(xdm)
  xserver_common_x_domain_template(xdm,xdm_t)
  init_system_domain(xserver_t, xserver_exec_t)
-@@ -197,12 +216,12 @@
+@@ -197,12 +220,12 @@
  
  type xserver_tmp_t;
  typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
@@ -23521,7 +23623,7 @@
  typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
  files_tmpfs_file(xserver_tmpfs_t)
  ubac_constrained(xserver_tmpfs_t)
-@@ -250,19 +269,21 @@
+@@ -250,19 +273,21 @@
  # Xauth local policy
  #
  
@@ -23546,7 +23648,7 @@
  domain_use_interactive_fds(xauth_t)
  
  files_read_etc_files(xauth_t)
-@@ -300,13 +321,14 @@
+@@ -300,13 +325,14 @@
  # XDM Local policy
  #
  
@@ -23564,7 +23666,7 @@
  allow xdm_t self:tcp_socket create_stream_socket_perms;
  allow xdm_t self:udp_socket create_socket_perms;
  allow xdm_t self:socket create_socket_perms;
-@@ -314,6 +336,11 @@
+@@ -314,6 +340,11 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -23576,7 +23678,7 @@
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -329,6 +356,8 @@
+@@ -329,6 +360,8 @@
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -23585,7 +23687,7 @@
  
  manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-@@ -336,15 +365,30 @@
+@@ -336,15 +369,30 @@
  manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -23618,7 +23720,7 @@
  
  allow xdm_t xserver_t:process signal;
  allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +402,7 @@
+@@ -358,6 +406,7 @@
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -23626,7 +23728,23 @@
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
-@@ -389,11 +434,13 @@
+@@ -366,10 +415,14 @@
+ delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
+ delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
+ 
++manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++logging_log_filetrans(xdm_t, xdm_log_t, file)
++
+ manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
+ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+ manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
+-logging_log_filetrans(xdm_t, xserver_log_t, file)
+ 
+ kernel_read_system_state(xdm_t)
+ kernel_read_kernel_sysctls(xdm_t)
+@@ -389,11 +442,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
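Review bot: Moving `logging_log_filetrans` for `xdm_t` from `xserver_log_t` to `xdm_log_t` means every file `xdm_t` creates directly in the log directory now gets `xdm_log_t`. The xserver.fc hunk in this same patch, however, only relabels `/var/log/gdm(/.*)?` and keeps `/var/log/[kw]dm\.log.*` as `xserver_log_t`. If kdm or wdm also run as `xdm_t`, their logs will be created with one type and reset to another on the next relabel. Either the `[kw]dm` entry should move to `xdm_log_t` as well, or a comment should state that the mismatch is deliberate.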
@@ -23640,7 +23758,7 @@
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +448,7 @@
+@@ -401,6 +456,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -23648,7 +23766,7 @@
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -413,14 +461,17 @@
+@@ -413,14 +469,17 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -23668,7 +23786,7 @@
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +482,13 @@
+@@ -431,9 +490,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -23682,7 +23800,7 @@
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +497,7 @@
+@@ -442,6 +505,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23690,7 +23808,7 @@
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +506,7 @@
+@@ -450,6 +514,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -23698,7 +23816,7 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -460,10 +517,10 @@
+@@ -460,10 +525,10 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -23711,7 +23829,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -504,10 +561,12 @@
+@@ -504,10 +569,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -23724,7 +23842,7 @@
  ')
  
  optional_policy(`
-@@ -515,12 +574,41 @@
+@@ -515,12 +582,41 @@
  ')
  
  optional_policy(`
@@ -23766,7 +23884,7 @@
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +630,19 @@
+@@ -542,6 +638,19 @@
  ')
  
  optional_policy(`
@@ -23786,7 +23904,7 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +651,9 @@
+@@ -550,8 +659,9 @@
  ')
  
  optional_policy(`
@@ -23798,7 +23916,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +662,6 @@
+@@ -560,7 +670,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -23806,7 +23924,7 @@
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +672,10 @@
+@@ -571,6 +680,10 @@
  ')
  
  optional_policy(`
@@ -23817,7 +23935,7 @@
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,7 +692,7 @@
+@@ -587,7 +700,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -23826,7 +23944,7 @@
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +707,11 @@
+@@ -602,9 +715,11 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -23838,7 +23956,7 @@
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -622,7 +729,7 @@
+@@ -622,7 +737,7 @@
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
@@ -23847,7 +23965,7 @@
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,6 +742,15 @@
+@@ -635,9 +750,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -23863,7 +23981,11 @@
  # Create files in /var/log with the xserver_log_t type.
  manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
  logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -680,9 +796,14 @@
++manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
+ 
+ kernel_read_system_state(xserver_t)
+ kernel_read_device_sysctls(xserver_t)
+@@ -680,9 +805,14 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -23878,7 +24000,7 @@
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +818,13 @@
+@@ -697,8 +827,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23892,7 +24014,7 @@
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -720,6 +846,7 @@
+@@ -720,6 +855,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -23900,7 +24022,7 @@
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -742,7 +869,7 @@
+@@ -742,7 +878,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -23909,7 +24031,7 @@
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -774,6 +901,10 @@
+@@ -774,6 +910,10 @@
  ')
  
  optional_policy(`
@@ -23920,7 +24042,7 @@
  	rhgb_getpgid(xserver_t)
  	rhgb_signal(xserver_t)
  ')
-@@ -806,7 +937,7 @@
+@@ -806,7 +946,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -23929,7 +24051,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +958,14 @@
+@@ -827,9 +967,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -23944,7 +24066,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +980,14 @@
+@@ -844,11 +989,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -23960,7 +24082,7 @@
  ')
  
  optional_policy(`
-@@ -856,6 +995,11 @@
+@@ -856,6 +1004,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -23972,7 +24094,7 @@
  ########################################
  #
  # Rules common to all X window domains
-@@ -881,6 +1025,8 @@
+@@ -881,6 +1034,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -23981,7 +24103,7 @@
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -905,6 +1051,8 @@
+@@ -905,6 +1060,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -23990,10 +24112,17 @@
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,6 +1120,37 @@
+@@ -972,13 +1129,35 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
+-ifdef(`TODO',`
+-tunable_policy(`allow_polyinstantiation',`
+-# xdm needs access for linking .X11-unix to poly /tmp
+-allow xdm_t polymember:dir { add_name remove_name write };
+-allow xdm_t polymember:lnk_file { create unlink };
+-# xdm needs access for copying .Xauthority into new home
+-allow xdm_t polymember:file { create getattr write };
 +allow xserver_unconfined_type self:x_drawable all_x_drawable_perms;
 +allow xserver_unconfined_type self:x_screen all_x_screen_perms;
 +allow xserver_unconfined_type self:x_gc all_x_gc_perms;
@@ -24023,12 +24152,10 @@
 +
 +tunable_policy(`allow_xserver_execmem',`
 +	allow xserver_t self:process { execheap execmem execstack };
-+')
-+
- ifdef(`TODO',`
- tunable_policy(`allow_polyinstantiation',`
- # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1165,12 @@
+ ')
+ 
+ #
+@@ -986,3 +1165,21 @@
  #
  allow xdm_t user_home_type:file unlink;
  ') dnl end TODO
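Review bot: The rewritten inner hunk `@@ -972,13 +1129,35 @@` deletes the opening line of the TODO ifdef and the whole allow_polyinstantiation block for xdm_t, and the `')` that used to close that tunable now closes `allow_xserver_execmem`. The trailer `') dnl end TODO` is still carried as context in the next inner hunk, so it has no visible opener left. The added lines between these two outer hunks are not shown here; unless they re-open the ifdef, the m4 quoting is unbalanced and `allow xdm_t user_home_type:file unlink;` is no longer inside the disabled TODO section. If activating that rule is intended, the patch should also remove the trailer with `-') dnl end TODO` and the changelog should mention it. The xserver.te section starts outside this hunk.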
@@ -24041,6 +24168,15 @@
 +tunable_policy(`allow_execstack',`
 +	allow xdm_t self:process { execstack execmem };
 +')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_append_nfs_files(xdmhomewriter)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_append_cifs_files(xdmhomewriter)
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.4/policy/modules/services/zosremote.fc
 --- nsaserefpolicy/policy/modules/services/zosremote.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/services/zosremote.fc	2009-02-03 22:57:29.000000000 -0500
@@ -24181,8 +24317,8 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.4/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/authlogin.if	2009-02-03 22:57:29.000000000 -0500
-@@ -43,6 +43,7 @@
++++ serefpolicy-3.6.4/policy/modules/system/authlogin.if	2009-02-04 10:32:13.000000000 -0500
+@@ -43,20 +43,38 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t;
@@ -24190,7 +24326,10 @@
  	')
  
  	domain_type($1)
-@@ -51,12 +52,27 @@
++	domain_poly($1)
++
+ 	domain_subj_id_change_exemption($1)
+ 	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
  	role system_r types $1;
  
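Review bot: `domain_poly($1)` is added to `auth_login_pgm_domain` unconditionally, while the later hunks `@@ -24226,10 +24365,12 @@` and `@@ -24255,23 +24396,17 @@` delete the allow_polyinstantiation tunable block that gated `files_polyinstantiate_all($1)` for the same callers. The definition of `domain_poly` is not in this diff, so it cannot be confirmed here that the polyinstantiation permissions are still conditional on the boolean. The four `userdom_manage_*` / `userdom_relabelto_*` calls that the previous revision placed inside that block are dropped too, with no visible replacement. I would put a comment above the call, e.g. `# polyinstantiation access is granted via domain_poly, gated by allow_polyinstantiation`, after checking that this is what the domain module does. The interface body continues outside the hunk.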
@@ -24218,7 +24357,7 @@
  	# for SSP/ProPolice
  	dev_read_urand($1)
  	# for fingerprint readers
-@@ -90,6 +106,7 @@
+@@ -90,6 +108,7 @@
  	auth_rw_faillog($1)
  	auth_exec_pam($1)
  	auth_use_nsswitch($1)
@@ -24226,10 +24365,12 @@
  
  	init_rw_utmp($1)
  
-@@ -100,8 +117,44 @@
+@@ -100,9 +119,38 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
+-	tunable_policy(`allow_polyinstantiation',`
+-		files_polyinstantiate_all($1)
 +	userdom_set_rlimitnh($1)
 +	userdom_read_user_home_content_symlinks($1)
 +	userdom_delete_user_tmp_files($1)
@@ -24255,23 +24396,17 @@
 +
 +	optional_policy(`
 +		nis_authenticate($1)
-+	')
+ 	')
 +
 +	optional_policy(`
 +		ssh_agent_exec($1)
 +		userdom_read_user_home_content_files($1)
 +	')
 +
- 	tunable_policy(`allow_polyinstantiation',`
- 		files_polyinstantiate_all($1)
-+		userdom_manage_user_home_content_dirs($1)
-+		userdom_manage_user_home_content_files($1)
-+		userdom_relabelto_user_home_dirs($1)
-+		userdom_relabelto_user_home_files($1)
- 	')
  ')
  
-@@ -197,8 +250,11 @@
+ ########################################
+@@ -197,8 +245,11 @@
  interface(`auth_domtrans_chk_passwd',`
  	gen_require(`
  		type chkpwd_t, chkpwd_exec_t, shadow_t;
@@ -24283,7 +24418,7 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
  
-@@ -207,19 +263,16 @@
+@@ -207,19 +258,16 @@
  	dev_read_rand($1)
  	dev_read_urand($1)
  
@@ -24308,7 +24443,7 @@
  	')
  
  	optional_policy(`
-@@ -230,6 +283,29 @@
+@@ -230,6 +278,29 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -24338,7 +24473,7 @@
  ')
  
  ########################################
-@@ -254,6 +330,7 @@
+@@ -254,6 +325,7 @@
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -24346,7 +24481,7 @@
  ')
  
  ########################################
-@@ -650,7 +727,7 @@
+@@ -650,7 +722,7 @@
  
  ########################################
  ## <summary>
@@ -24355,7 +24490,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1031,6 +1108,32 @@
+@@ -1031,6 +1103,32 @@
  
  ########################################
  ## <summary>
@@ -24388,7 +24523,7 @@
  ##	Manage all files on the filesystem, except
  ##	the shadow passwords and listed exceptions.
  ## </summary>
-@@ -1297,6 +1400,10 @@
+@@ -1297,6 +1395,10 @@
  	')
  
  	optional_policy(`
@@ -24399,7 +24534,7 @@
  		nis_use_ypbind($1)
  	')
  
-@@ -1307,6 +1414,7 @@
+@@ -1307,6 +1409,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -24407,7 +24542,7 @@
  	')
  ')
  
-@@ -1341,3 +1449,99 @@
+@@ -1341,3 +1444,99 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -24509,7 +24644,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.4/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/authlogin.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/system/authlogin.te	2009-02-04 10:29:49.000000000 -0500
 @@ -12,7 +12,7 @@
  
  type chkpwd_t, can_read_shadow_passwords;
@@ -26461,16 +26596,24 @@
  fs_dontaudit_list_tmpfs(mdadm_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.4/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.6.4/policy/modules/system/selinuxutil.fc	2009-02-03 22:57:29.000000000 -0500
-@@ -6,7 +6,7 @@
++++ serefpolicy-3.6.4/policy/modules/system/selinuxutil.fc	2009-02-04 11:12:45.000000000 -0500
+@@ -6,13 +6,13 @@
  /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
  /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 -/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
 +/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
  /etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
- /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+-/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+-/etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,s0)
+ 
+ #
+ # /root
 @@ -38,7 +38,7 @@
  /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
  /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
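Review bot: The `seusers` and `users` entries drop from `mls_systemhigh` to `s0` in the added inner lines, while `setrans\.conf` in the same list stays at `mls_systemhigh`. Neither the patch nor the changelog entry ("More fixes for devicekit") gives a reason. On an MLS policy the level of these login-mapping files determines which subjects may read and rewrite them, so the reason belongs next to the entries, for example `# seusers/users labeled s0: <reason / domain that needs access>`. If the difference from `setrans\.conf` is deliberate, the same comment should say so.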
@@ -28401,7 +28544,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-04 10:39:52.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -28562,27 +28705,51 @@
  ')
  
  #######################################
-@@ -174,9 +194,6 @@
- 		fs_read_nfs_symlinks($2)
- 		fs_read_nfs_named_sockets($2)
- 		fs_read_nfs_named_pipes($2)
+@@ -147,6 +167,7 @@
+ interface(`userdom_ro_home_role',`
+ 	gen_require(`
+ 		type user_home_t, user_home_dir_t;
++		attribute userhomereader;
+ 	')
+ 
+ 	role $1 types { user_home_t user_home_dir_t };
+@@ -157,6 +178,7 @@
+ 	#
+ 
+ 	type_member $2 user_home_dir_t:dir user_home_dir_t;
++	typeattribute $2 userhomereader;
+ 
+ 	# read-only home directory
+ 	allow $2 user_home_dir_t:dir list_dir_perms;
+@@ -168,27 +190,6 @@
+ 	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ 	files_list_home($2)
+ 
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_list_nfs($2)
+-		fs_read_nfs_files($2)
+-		fs_read_nfs_symlinks($2)
+-		fs_read_nfs_named_sockets($2)
+-		fs_read_nfs_named_pipes($2)
 -	',`
 -		fs_dontaudit_list_nfs($2)
 -		fs_dontaudit_read_nfs_files($2)
- 	')
- 
- 	tunable_policy(`use_samba_home_dirs',`
-@@ -185,9 +202,6 @@
- 		fs_read_cifs_symlinks($2)
- 		fs_read_cifs_named_sockets($2)
- 		fs_read_cifs_named_pipes($2)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_list_cifs($2)
+-		fs_read_cifs_files($2)
+-		fs_read_cifs_symlinks($2)
+-		fs_read_cifs_named_sockets($2)
+-		fs_read_cifs_named_pipes($2)
 -	',`
 -		fs_dontaudit_list_cifs($2)
 -		fs_dontaudit_read_cifs_files($2)
- 	')
+-	')
  ')
  
-@@ -220,9 +234,10 @@
+ #######################################
+@@ -220,9 +221,10 @@
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -28594,7 +28761,7 @@
  
  	##############################
  	#
-@@ -232,17 +247,20 @@
+@@ -232,17 +234,20 @@
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -28625,12 +28792,12 @@
  	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
  	files_list_home($2)
  
-@@ -250,25 +268,23 @@
+@@ -250,25 +255,23 @@
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
-+		fs_mount_nfs($2)
-+		fs_mounton_nfs($2)
++	fs_mount_nfs($2)
++	fs_mounton_nfs($2)
  		fs_manage_nfs_dirs($2)
  		fs_manage_nfs_files($2)
  		fs_manage_nfs_symlinks($2)
@@ -28642,8 +28809,8 @@
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
-+		fs_mount_cifs($2)
-+		fs_mounton_cifs($2)
++	fs_mount_cifs($2)
++	fs_mounton_cifs($2)
  		fs_manage_cifs_dirs($2)
  		fs_manage_cifs_files($2)
  		fs_manage_cifs_symlinks($2)
@@ -28655,7 +28822,7 @@
  	')
  ')
  
-@@ -303,6 +319,7 @@
+@@ -303,6 +306,7 @@
  	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
  	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
  	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -28663,7 +28830,7 @@
  ')
  
  #######################################
-@@ -368,46 +385,41 @@
+@@ -368,46 +372,41 @@
  
  #######################################
  ## <summary>
@@ -28685,12 +28852,10 @@
 -	gen_require(`
 -		type $1_t;
 -	')
-+interface(`userdom_basic_networking',`
- 
+-
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
-+	allow $1 self:tcp_socket create_stream_socket_perms;
-+	allow $1 self:udp_socket create_socket_perms;
++interface(`userdom_basic_networking',`
  
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
@@ -28702,7 +28867,9 @@
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
--
++	allow $1 self:tcp_socket create_stream_socket_perms;
++	allow $1 self:udp_socket create_socket_perms;
+ 
 -	corenet_all_recvfrom_labeled($1_t, $1_t)
 +	corenet_all_recvfrom_unlabeled($1)
 +	corenet_all_recvfrom_netlabel($1)
@@ -28730,7 +28897,7 @@
  ')
  
  #######################################
-@@ -420,34 +432,41 @@
+@@ -420,34 +419,41 @@
  ##	is the prefix for user_t).
  ##	</summary>
  ## </param>
@@ -28790,7 +28957,7 @@
  ')
  
  #######################################
-@@ -497,11 +516,7 @@
+@@ -497,11 +503,7 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -28803,7 +28970,7 @@
  
  	##############################
  	#
-@@ -512,189 +527,198 @@
+@@ -512,189 +514,198 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -28821,26 +28988,26 @@
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
+-
+-	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
  
--	corecmd_exec_bin($1_t)
+-	corenet_udp_bind_generic_node($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	corenet_udp_bind_generic_node($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	corenet_udp_bind_generic_node($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
--
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -29044,16 +29211,16 @@
 -			postgresql_stream_connect($1_t)
 -			postgresql_tcp_connect($1_t)
 +			postgresql_stream_connect($1_usertype)
++		')
  		')
++
++	optional_policy(`
++		# to allow monitoring of pcmcia status
++		pcmcia_read_pid($1_usertype)
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
-+		# to allow monitoring of pcmcia status
-+		pcmcia_read_pid($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		pcscd_read_pub_files($1_usertype)
 +		pcscd_stream_connect($1_usertype)
  	')
@@ -29083,22 +29250,22 @@
  ')
  
  #######################################
-@@ -722,15 +746,29 @@
+@@ -722,15 +733,29 @@
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_change_password_template($1)
-+
-+	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
++	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_exec_user_tmp_files($1_t)
 -	userdom_exec_user_home_content_files($1_t)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
++
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
@@ -29119,7 +29286,7 @@
  
  	##############################
  	#
-@@ -746,70 +784,72 @@
+@@ -746,70 +771,72 @@
  
  	allow $1_t self:context contains;
  
@@ -29225,7 +29392,7 @@
  	')
  ')
  
-@@ -846,6 +886,28 @@
+@@ -846,6 +873,28 @@
  	# Local policy
  	#
  
@@ -29254,7 +29421,7 @@
  	optional_policy(`
  		loadkeys_run($1_t,$1_r)
  	')
-@@ -876,7 +938,7 @@
+@@ -876,7 +925,7 @@
  
  	userdom_restricted_user_template($1)
  
@@ -29263,18 +29430,18 @@
  
  	##############################
  	#
-@@ -884,14 +946,19 @@
+@@ -884,14 +933,19 @@
  	#
  
  	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
 +	auth_search_pam_console_data($1_usertype)
-+
-+	xserver_role($1_r, $1_t)
-+	xserver_communicate($1_usertype, $1_usertype)
  
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
++	xserver_role($1_r, $1_t)
++	xserver_communicate($1_usertype, $1_usertype)
++
 +	dev_read_sound($1_usertype)
 +	dev_write_sound($1_usertype)
  	# gnome keyring wants to read this.
@@ -29288,7 +29455,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +966,28 @@
+@@ -899,28 +953,28 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -29325,7 +29492,7 @@
  	')
  ')
  
-@@ -931,8 +998,7 @@
+@@ -931,8 +985,7 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -29335,7 +29502,7 @@
  ##	</p>
  ##	<p>
  ##	This template creates a user domain, types, and
-@@ -954,8 +1020,8 @@
+@@ -954,8 +1007,8 @@
  	# Declarations
  	#
  
@@ -29345,7 +29512,7 @@
  	userdom_common_user_template($1)
  
  	##############################
-@@ -964,11 +1030,12 @@
+@@ -964,11 +1017,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -29360,7 +29527,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,37 +1053,47 @@
+@@ -986,37 +1040,47 @@
  		')
  	')
  
@@ -29411,17 +29578,17 @@
 +
 +	optional_policy(`
 +		mount_run($1_t, $1_r)
-+	')
+ 	')
 +
 +	# Run pppd in pppd_t by default for user
 +	optional_policy(`
 +		ppp_run_cond($1_t, $1_r)
- 	')
++	')
 +
  ')
  
  #######################################
-@@ -1050,7 +1127,7 @@
+@@ -1050,7 +1114,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -29430,7 +29597,7 @@
  	')
  
  	##############################
-@@ -1059,8 +1136,7 @@
+@@ -1059,8 +1123,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -29440,7 +29607,7 @@
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1159,8 @@
+@@ -1083,7 +1146,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -29450,7 +29617,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1176,7 @@
+@@ -1099,6 +1163,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -29458,7 +29625,7 @@
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,8 +1184,6 @@
+@@ -1106,8 +1171,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -29467,7 +29634,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1238,6 @@
+@@ -1162,20 +1225,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -29488,7 +29655,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1283,7 @@
+@@ -1221,6 +1270,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -29496,7 +29663,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1349,15 @@
+@@ -1286,11 +1336,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -29512,7 +29679,7 @@
  ')
  
  ########################################
-@@ -1387,7 +1454,7 @@
+@@ -1387,7 +1441,7 @@
  
  ########################################
  ## <summary>
@@ -29521,7 +29688,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1487,14 @@
+@@ -1420,6 +1474,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -29536,7 +29703,7 @@
  ')
  
  ########################################
-@@ -1435,9 +1510,11 @@
+@@ -1435,9 +1497,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -29548,7 +29715,7 @@
  ')
  
  ########################################
-@@ -1494,6 +1571,25 @@
+@@ -1494,6 +1558,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -29574,7 +29741,7 @@
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1547,9 +1643,9 @@
+@@ -1547,9 +1630,9 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -29586,7 +29753,7 @@
  ')
  
  ########################################
-@@ -1568,6 +1664,8 @@
+@@ -1568,6 +1651,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -29595,7 +29762,7 @@
  ')
  
  ########################################
-@@ -1643,6 +1741,7 @@
+@@ -1643,6 +1728,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -29603,7 +29770,7 @@
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,6 +1840,62 @@
+@@ -1741,6 +1827,62 @@
  
  ########################################
  ## <summary>
@@ -29666,7 +29833,7 @@
  ##	Execute user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1757,14 +1912,6 @@
+@@ -1757,14 +1899,6 @@
  
  	files_search_home($1)
  	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -29681,7 +29848,7 @@
  ')
  
  ########################################
-@@ -1787,6 +1934,46 @@
+@@ -1787,6 +1921,46 @@
  
  ########################################
  ## <summary>
@@ -29728,7 +29895,15 @@
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -1921,7 +2108,7 @@
+@@ -1799,6 +1973,7 @@
+ interface(`userdom_manage_user_home_content_files',`
+ 	gen_require(`
+ 		type user_home_dir_t, user_home_t;
++		attribute userhomewriter;
+ 	')
+ 
+ 	manage_files_pattern($1, user_home_t, user_home_t)
+@@ -1921,7 +2096,7 @@
  
  ########################################
  ## <summary>
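Review bot: `attribute userhomewriter;` is added to the `gen_require` of `userdom_manage_user_home_content_files`, but the interface never assigns it: this inner hunk adds no `typeattribute $1 userhomewriter;`, and the next inner hunk starts at line 1921. The userdomain.te hunk further down declares `userhomewriter` beside `userhomereader`, yet only `userhomereader` receives `use_nfs_home_dirs` / `use_samba_home_dirs` rules there. The xserver.te hunk grants its NFS/CIFS append rules to `xdmhomewriter` instead. Either complete the wiring with `typeattribute $1 userhomewriter;` after the `gen_require` plus matching tunable blocks, or drop the unused require. Parts of the patch that this revision left unchanged are not visible and may already cover this.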
@@ -29737,7 +29912,7 @@
  ##	with an automatic type transition to
  ##	a specified private type.
  ## </summary>
-@@ -1941,34 +2128,64 @@
+@@ -1941,28 +2116,58 @@
  ##	</summary>
  ## </param>
  #
@@ -29766,18 +29941,18 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <param name="object_class">
 +## <param name="private_type">
 +##	<summary>
 +##	The type of the object to create.
 +##	</summary>
 +## </param>
- ## <param name="object_class">
- ##	<summary>
- ##	The class of the object to be created.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_user_home_dir_filetrans_user_home_content',`
++## <param name="object_class">
++##	<summary>
++##	The class of the object to be created.
++##	</summary>
++## </param>
++#
 +interface(`userdom_user_home_content_filetrans',`
 +	gen_require(`
 +		type user_home_dir_t, user_home_t;
@@ -29800,16 +29975,10 @@
 +##	</summary>
 +## </param>
 +## <param name="object_class">
-+##	<summary>
-+##	The class of the object to be created.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_user_home_dir_filetrans_user_home_content',`
- 	gen_require(`
- 		type user_home_dir_t, user_home_t;
- 	')
-@@ -2819,6 +3036,24 @@
+ ##	<summary>
+ ##	The class of the object to be created.
+ ##	</summary>
+@@ -2819,6 +3024,24 @@
  
  ########################################
  ## <summary>
@@ -29834,7 +30003,7 @@
  ##	Do not audit attempts to use user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -2851,6 +3086,7 @@
+@@ -2851,6 +3074,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -29842,7 +30011,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2965,6 +3201,24 @@
+@@ -2965,6 +3189,24 @@
  
  ########################################
  ## <summary>
@@ -29867,7 +30036,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3235,313 @@
+@@ -2981,3 +3223,313 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -30183,7 +30352,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.4/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/userdomain.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/system/userdomain.te	2009-02-04 10:39:31.000000000 -0500
 @@ -8,13 +8,6 @@
  
  ## <desc>
@@ -30212,7 +30381,13 @@
  ## Allow user to r/w files on filesystems
  ## that do not have extended attributes (FAT, CDROM, FLOPPY)
  ## </p>
-@@ -55,8 +41,14 @@
+@@ -52,11 +38,20 @@
+ # all user domains
+ attribute userdomain;
+ 
++attribute userhomereader;
++attribute userhomewriter;
++
  # unprivileged user domains
  attribute unpriv_userdomain;
  
@@ -30229,7 +30404,7 @@
  
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
-@@ -70,6 +62,7 @@
+@@ -70,6 +65,7 @@
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -30237,7 +30412,7 @@
  userdom_user_home_content(user_home_t)
  fs_associate_tmpfs(user_home_t)
  files_associate_tmp(user_home_t)
-@@ -95,3 +88,7 @@
+@@ -95,3 +91,23 @@
  type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
  dev_node(user_tty_device_t)
  ubac_constrained(user_tty_device_t)
@@ -30245,6 +30420,22 @@
 +tunable_policy(`allow_console_login',`
 +	term_use_console(userdomain)
 +')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_list_nfs(userhomereader)
++	fs_read_nfs_files(userhomereader)
++	fs_read_nfs_symlinks(userhomereader)
++	fs_read_nfs_named_sockets(userhomereader)
++	fs_read_nfs_named_pipes(userhomereader)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_list_cifs(userhomereader)
++	fs_read_cifs_files(userhomereader)
++	fs_read_cifs_symlinks(userhomereader)
++	fs_read_cifs_named_sockets(userhomereader)
++	fs_read_cifs_named_pipes(userhomereader)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.4/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/system/xen.fc	2009-02-03 22:57:29.000000000 -0500


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.782
retrieving revision 1.783
diff -u -r1.782 -r1.783
--- selinux-policy.spec	4 Feb 2009 04:02:17 -0000	1.782
+++ selinux-policy.spec	4 Feb 2009 16:14:06 -0000	1.783
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@
 %endif
 
 %changelog
+* Wed Feb 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-2
+- More fixes for devicekit
+
 * Tue Feb 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-1
 - Upgrade to latest upstream 
 



