[selinux-policy/f16] - Policy update should not modify local contexts

Miroslav Grepl mgrepl at fedoraproject.org
Fri Oct 21 13:38:12 UTC 2011


commit 84fb84f8b1c5594a20c8a6d7b0e618e0c440be45
Author: Miroslav <mgrepl at redhat.com>
Date:   Fri Oct 21 15:38:03 2011 +0200

    - Policy update should not modify local contexts

 policy-F16.patch    |  399 ++++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec |    3 +
 2 files changed, 301 insertions(+), 101 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 01d3a37..1d7ce0d 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -322,10 +322,18 @@ index 63ef90e..a535b31 100644
  ')
  
 diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 1392679..c94911d 100644
+index 1392679..e75873a 100644
 --- a/policy/modules/admin/alsa.if
 +++ b/policy/modules/admin/alsa.if
-@@ -206,3 +206,21 @@ interface(`alsa_read_lib',`
+@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
+ 
+ 	userdom_search_user_home_dirs($1)
+ 	allow $1 alsa_home_t:file manage_file_perms;
++	alsa_filetrans_home_content(unpriv_userdomain)
+ ')
+ 
+ ########################################
+@@ -206,3 +207,47 @@ interface(`alsa_read_lib',`
  	files_search_var_lib($1)
  	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
  ')
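Review bot: The line added to `alsa_manage_home_files` passes the literal attribute `unpriv_userdomain` instead of the interface argument, while the other rules in the body use `$1`. Any caller other than `unpriv_userdomain` would therefore emit the `.asoundrc` transition for the whole attribute and get none for itself; `alsa_filetrans_home_content($1)` keeps the grant scoped to the caller. The only caller visible on this page is `alsa_manage_home_files(unpriv_userdomain)` in userdomain.te, so the result is the same today. The interface's `gen_require` block is outside the hunk, so whether the attribute is declared there cannot be checked.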
@@ -340,12 +348,38 @@ index 1392679..c94911d 100644
 +##	</summary>
 +## </param>
 +#
++interface(`alsa_filetrans_home_content',`
++	gen_require(`
++		type alsa_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
++')
++
++########################################
++## <summary>
++##	Transition to alsa named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`alsa_filetrans_named_content',`
 +	gen_require(`
 +		type alsa_home_t;
++		type alsa_etc_rw_t;
++		type alsa_var_lib_t;
 +	')
 +
 +	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
++	files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
++	files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
++	files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
++	files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
++	files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
++	files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
 +')
 diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
 index e3e0701..3fd0282 100644
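Review bot: `alsa_filetrans_named_content` keeps its own `userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")`, which now duplicates the whole body of the new `alsa_filetrans_home_content`; calling `alsa_filetrans_home_content($1)` there would keep the rule in one place. The two `dir` transitions on the short name `"pcm"` match any directory of that name the caller creates wherever `files_etc_filetrans` and `files_usr_filetrans` apply, so a comment naming the ALSA paths they are meant for would help a later reader judge the scope. The summary block of `alsa_filetrans_home_content` starts above the hunk and could not be checked.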
@@ -3658,7 +3692,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..2aa37b4 100644
+index 975af1a..634c47a 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
 @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -3669,23 +3703,38 @@ index 975af1a..2aa37b4 100644
  		attribute sudodomain;
  	')
  
-@@ -47,6 +48,15 @@ template(`sudo_role_template',`
+@@ -47,26 +48,11 @@ template(`sudo_role_template',`
  	ubac_constrained($1_sudo_t)
  	role $2 types $1_sudo_t;
  
+-	##############################
+-	#
+-	# Local Policy
+-	#
 +	type $1_sudo_tmp_t;
 +	files_tmp_file($1_sudo_tmp_t)
-+
+ 
+-	# Use capabilities.
+-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+-	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-	allow $1_sudo_t self:process { setexec setrlimit };
+-	allow $1_sudo_t self:fd use;
+-	allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
+-	allow $1_sudo_t self:shm create_shm_perms;
+-	allow $1_sudo_t self:sem create_sem_perms;
+-	allow $1_sudo_t self:msgq create_msgq_perms;
+-	allow $1_sudo_t self:msg { send receive };
+-	allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+-	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+-	allow $1_sudo_t self:unix_dgram_socket sendto;
+-	allow $1_sudo_t self:unix_stream_socket connectto;
+-	allow $1_sudo_t self:key manage_key_perms;
 +	allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
 +	files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
-+
-+	manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
-+	manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
-+
- 	##############################
- 	#
- 	# Local Policy
-@@ -76,6 +86,11 @@ template(`sudo_role_template',`
+ 
+ 	allow $1_sudo_t $3:key search;
+ 
+@@ -76,88 +62,19 @@ template(`sudo_role_template',`
  	# By default, revert to the calling domain when a shell is executed.
  	corecmd_shell_domtrans($1_sudo_t, $3)
  	corecmd_bin_domtrans($1_sudo_t, $3)
@@ -3697,50 +3746,90 @@ index 975af1a..2aa37b4 100644
  	allow $3 $1_sudo_t:fd use;
  	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
  	allow $3 $1_sudo_t:process signal_perms;
-@@ -113,12 +128,15 @@ template(`sudo_role_template',`
- 	term_getattr_pty_fs($1_sudo_t)
- 	term_relabel_all_ttys($1_sudo_t)
- 	term_relabel_all_ptys($1_sudo_t)
-+	term_getattr_pty_fs($1_sudo_t)
  
+-	kernel_read_kernel_sysctls($1_sudo_t)
+-	kernel_read_system_state($1_sudo_t)
+-	kernel_link_key($1_sudo_t)
+-
+-	corecmd_read_bin_symlinks($1_sudo_t)
+-	corecmd_exec_all_executables($1_sudo_t)
+-
+-	dev_getattr_fs($1_sudo_t)
+-	dev_read_urand($1_sudo_t)
+-	dev_rw_generic_usb_dev($1_sudo_t)
+-	dev_read_sysfs($1_sudo_t)
+-
+-	domain_use_interactive_fds($1_sudo_t)
+-	domain_sigchld_interactive_fds($1_sudo_t)
+-	domain_getattr_all_entry_files($1_sudo_t)
+-
+-	files_read_etc_files($1_sudo_t)
+-	files_read_var_files($1_sudo_t)
+-	files_read_usr_symlinks($1_sudo_t)
+-	files_getattr_usr_files($1_sudo_t)
+-	# for some PAM modules and for cwd
+-	files_dontaudit_search_home($1_sudo_t)
+-	files_list_tmp($1_sudo_t)
+-
+-	fs_search_auto_mountpoints($1_sudo_t)
+-	fs_getattr_xattr_fs($1_sudo_t)
+-
+-	selinux_validate_context($1_sudo_t)
+-	selinux_compute_relabel_context($1_sudo_t)
+-
+-	term_getattr_pty_fs($1_sudo_t)
+-	term_relabel_all_ttys($1_sudo_t)
+-	term_relabel_all_ptys($1_sudo_t)
+-
  	auth_run_chk_passwd($1_sudo_t, $2)
- 	# sudo stores a token in the pam_pid directory
- 	auth_manage_pam_pid($1_sudo_t)
+-	# sudo stores a token in the pam_pid directory
+-	auth_manage_pam_pid($1_sudo_t)
  	auth_use_nsswitch($1_sudo_t)
  
-+	application_signal($1_sudo_t)
-+
- 	init_rw_utmp($1_sudo_t)
- 
- 	logging_send_audit_msgs($1_sudo_t)
-@@ -126,7 +144,7 @@ template(`sudo_role_template',`
- 
- 	miscfiles_read_localization($1_sudo_t)
- 
+-	init_rw_utmp($1_sudo_t)
+-
+-	logging_send_audit_msgs($1_sudo_t)
+-	logging_send_syslog_msg($1_sudo_t)
+-
+-	miscfiles_read_localization($1_sudo_t)
+-
 -	seutil_search_default_contexts($1_sudo_t)
-+	seutil_read_default_contexts($1_sudo_t)
- 	seutil_libselinux_linked($1_sudo_t)
- 
- 	userdom_spec_domtrans_all_users($1_sudo_t)
-@@ -135,12 +153,13 @@ template(`sudo_role_template',`
- 	userdom_manage_user_tmp_files($1_sudo_t)
- 	userdom_manage_user_tmp_symlinks($1_sudo_t)
- 	userdom_use_user_terminals($1_sudo_t)
-+	userdom_signal_all_users($1_sudo_t)
- 	# for some PAM modules and for cwd
+-	seutil_libselinux_linked($1_sudo_t)
+-
+-	userdom_spec_domtrans_all_users($1_sudo_t)
+-	userdom_manage_user_home_content_files($1_sudo_t)
+-	userdom_manage_user_home_content_symlinks($1_sudo_t)
+-	userdom_manage_user_tmp_files($1_sudo_t)
+-	userdom_manage_user_tmp_symlinks($1_sudo_t)
+-	userdom_use_user_terminals($1_sudo_t)
+-	# for some PAM modules and for cwd
 -	userdom_dontaudit_search_user_home_content($1_sudo_t)
-+	userdom_search_user_home_content($1_sudo_t)
-+	userdom_search_admin_dir($1_sudo_t)
-+	userdom_manage_all_users_keys($1_sudo_t)
- 
+-
 -	ifdef(`hide_broken_symptoms', `
 -		dontaudit $1_sudo_t $3:socket_class_set { read write };
 -	')
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_manage_nfs_files($1_sudo_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_manage_cifs_files($1_sudo_t)
+-	')
+-
+-	optional_policy(`
+-		dbus_system_bus_client($1_sudo_t)
+-	')
+-
+-	optional_policy(`
+-		fprintd_dbus_chat($1_sudo_t)
+-	')
+-
 +	mta_role($2, $1_sudo_t)
+ ')
  
- 	tunable_policy(`use_nfs_home_dirs',`
- 		fs_manage_nfs_files($1_sudo_t)
-@@ -177,3 +196,22 @@ interface(`sudo_sigchld',`
+ ########################################
+@@ -177,3 +94,22 @@ interface(`sudo_sigchld',`
  
  	allow $1 sudodomain:process sigchld;
  ')
@@ -3764,10 +3853,10 @@ index 975af1a..2aa37b4 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..3443ba2 100644
+index 2731fa1..22beabf 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,7 @@ attribute sudodomain;
+@@ -7,3 +7,110 @@ attribute sudodomain;
  
  type sudo_exec_t;
  application_executable_file(sudo_exec_t)
@@ -3775,6 +3864,109 @@ index 2731fa1..3443ba2 100644
 +type sudo_db_t;
 +files_type(sudo_db_t)
 +
++manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
++manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
++
++##############################
++#
++# Local Policy
++#
++
++# Use capabilities.
++allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
++allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow sudodomain self:process { setexec setrlimit };
++allow sudodomain self:fd use;
++allow sudodomain self:fifo_file rw_fifo_file_perms;
++allow sudodomain self:shm create_shm_perms;
++allow sudodomain self:sem create_sem_perms;
++allow sudodomain self:msgq create_msgq_perms;
++allow sudodomain self:msg { send receive };
++allow sudodomain self:unix_dgram_socket create_socket_perms;
++allow sudodomain self:unix_stream_socket create_stream_socket_perms;
++allow sudodomain self:unix_dgram_socket sendto;
++allow sudodomain self:unix_stream_socket connectto;
++allow sudodomain self:key manage_key_perms;
++
++kernel_read_kernel_sysctls(sudodomain)
++kernel_read_system_state(sudodomain)
++kernel_link_key(sudodomain)
++
++corecmd_read_bin_symlinks(sudodomain)
++corecmd_exec_all_executables(sudodomain)
++
++dev_getattr_fs(sudodomain)
++dev_read_urand(sudodomain)
++dev_rw_generic_usb_dev(sudodomain)
++dev_read_sysfs(sudodomain)
++
++domain_use_interactive_fds(sudodomain)
++domain_sigchld_interactive_fds(sudodomain)
++domain_getattr_all_entry_files(sudodomain)
++
++files_read_etc_files(sudodomain)
++files_read_var_files(sudodomain)
++files_read_usr_symlinks(sudodomain)
++files_getattr_usr_files(sudodomain)
++# for some PAM modules and for cwd
++files_dontaudit_search_home(sudodomain)
++files_list_tmp(sudodomain)
++
++fs_search_auto_mountpoints(sudodomain)
++fs_getattr_xattr_fs(sudodomain)
++
++selinux_validate_context(sudodomain)
++selinux_compute_relabel_context(sudodomain)
++
++term_getattr_pty_fs(sudodomain)
++term_relabel_all_ttys(sudodomain)
++term_relabel_all_ptys(sudodomain)
++term_getattr_pty_fs(sudodomain)
++
++#auth_run_chk_passwd(sudodomain)
++# sudo stores a token in the pam_pid directory
++auth_manage_pam_pid(sudodomain)
++#auth_use_nsswitch(sudodomain)
++
++application_signal(sudodomain)
++
++init_rw_utmp(sudodomain)
++
++logging_send_audit_msgs(sudodomain)
++logging_send_syslog_msg(sudodomain)
++
++miscfiles_read_localization(sudodomain)
++
++seutil_read_default_contexts(sudodomain)
++seutil_libselinux_linked(sudodomain)
++
++userdom_spec_domtrans_all_users(sudodomain)
++userdom_manage_user_home_content_files(sudodomain)
++userdom_manage_user_home_content_symlinks(sudodomain)
++userdom_manage_user_tmp_files(sudodomain)
++userdom_manage_user_tmp_symlinks(sudodomain)
++userdom_use_user_terminals(sudodomain)
++userdom_signal_all_users(sudodomain)
++# for some PAM modules and for cwd
++userdom_search_user_home_content(sudodomain)
++userdom_search_admin_dir(sudodomain)
++userdom_manage_all_users_keys(sudodomain)
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_files(sudodomain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_files(sudodomain)
++')
++
++optional_policy(`
++	dbus_system_bus_client(sudodomain)
++')
++
++optional_policy(`
++	fprintd_dbus_chat(sudodomain)
++')
 diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
 index d5aaf0e..6b16aef 100644
 --- a/policy/modules/admin/sxid.te
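Review bot: The capability set in `allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };` gains `chown`, which the template line it replaces (`allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };`) did not have. Moving the rules onto the attribute therefore also widens every sudo domain, and neither the commit description nor the changelog mentions it. If it is intended, add a comment such as `# chown: <reason>`; otherwise drop it. `term_getattr_pty_fs(sudodomain)` appears twice in the terminal group. The commented-out `#auth_run_chk_passwd(sudodomain)` and `#auth_use_nsswitch(sudodomain)` can go, since the template in sudo.if still makes both calls per role.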
@@ -4136,7 +4328,7 @@ index 81fb26f..66cf96c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..772a68e 100644
+index 441cf22..cd9d876 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4147,7 +4339,7 @@ index 441cf22..772a68e 100644
  
  selinux_get_fs_mount(chfn_t)
  selinux_validate_context(chfn_t)
-@@ -79,18 +80,17 @@ selinux_compute_create_context(chfn_t)
+@@ -79,18 +80,18 @@ selinux_compute_create_context(chfn_t)
  selinux_compute_relabel_context(chfn_t)
  selinux_compute_user_contexts(chfn_t)
  
@@ -4155,6 +4347,7 @@ index 441cf22..772a68e 100644
 -term_use_all_ptys(chfn_t)
 +term_use_all_inherited_ttys(chfn_t)
 +term_use_all_inherited_ptys(chfn_t)
++term_getattr_all_ptys(chfn_t)
  
  fs_getattr_xattr_fs(chfn_t)
  fs_search_auto_mountpoints(chfn_t)
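Review bot: `term_getattr_all_ptys(chfn_t)` has no comment explaining why the domain needs getattr on ptys it did not inherit, directly after the preceding lines narrow terminal use to inherited descriptors. The same line is added without explanation for groupadd_t, passwd_t, sysadm_passwd_t and useradd_t in the later hunks of usermanage.te. A short comment at each site, e.g. `# getattr only; use stays limited to inherited terminals`, would keep a later cleanup from dropping it or widening it back to `term_use_all_ptys`. If the access is only probed and not actually needed, a dontaudit rule would be the narrower choice, which is worth confirming against the denial that prompted the change.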
@@ -4170,7 +4363,7 @@ index 441cf22..772a68e 100644
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(chfn_t)
-@@ -105,6 +105,7 @@ files_dontaudit_search_home(chfn_t)
+@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t)
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(chfn_t)
@@ -4178,7 +4371,7 @@ index 441cf22..772a68e 100644
  
  miscfiles_read_localization(chfn_t)
  
-@@ -118,6 +119,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t)
  # on user home dir
  userdom_dontaudit_search_user_home_content(chfn_t)
  
@@ -4189,17 +4382,18 @@ index 441cf22..772a68e 100644
  ########################################
  #
  # Crack local policy
-@@ -194,8 +199,7 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t)
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
  
 -term_use_all_ttys(groupadd_t)
 -term_use_all_ptys(groupadd_t)
 +term_use_all_inherited_terms(groupadd_t)
++term_getattr_all_ptys(groupadd_t)
  
  init_use_fds(groupadd_t)
  init_read_utmp(groupadd_t)
-@@ -277,6 +281,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +283,7 @@ kernel_read_kernel_sysctls(passwd_t)
  
  # for SSP
  dev_read_urand(passwd_t)
@@ -4207,13 +4401,14 @@ index 441cf22..772a68e 100644
  
  fs_getattr_xattr_fs(passwd_t)
  fs_search_auto_mountpoints(passwd_t)
-@@ -291,17 +296,18 @@ selinux_compute_create_context(passwd_t)
+@@ -291,17 +298,19 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
 -term_use_all_ttys(passwd_t)
 -term_use_all_ptys(passwd_t)
 +term_use_all_inherited_terms(passwd_t)
++term_getattr_all_ptys(passwd_t)
  
 -auth_domtrans_chk_passwd(passwd_t)
  auth_manage_shadow(passwd_t)
@@ -4230,7 +4425,7 @@ index 441cf22..772a68e 100644
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -311,6 +317,8 @@ files_search_var(passwd_t)
+@@ -311,6 +320,8 @@ files_search_var(passwd_t)
  files_dontaudit_search_pids(passwd_t)
  files_relabel_etc_files(passwd_t)
  
@@ -4239,7 +4434,7 @@ index 441cf22..772a68e 100644
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +331,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +334,7 @@ miscfiles_read_localization(passwd_t)
  
  seutil_dontaudit_search_config(passwd_t)
  
@@ -4248,7 +4443,7 @@ index 441cf22..772a68e 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -332,6 +340,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +343,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -4256,17 +4451,18 @@ index 441cf22..772a68e 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -381,8 +390,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +393,8 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
 -term_use_all_ttys(sysadm_passwd_t)
 -term_use_all_ptys(sysadm_passwd_t)
 +term_use_all_inherited_terms(sysadm_passwd_t)
++term_getattr_all_ptys(sysadm_passwd_t)
  
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +434,7 @@ optional_policy(`
+@@ -426,7 +438,7 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -4275,7 +4471,7 @@ index 441cf22..772a68e 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -448,8 +456,12 @@ corecmd_exec_shell(useradd_t)
+@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -4288,7 +4484,7 @@ index 441cf22..772a68e 100644
  
  files_manage_etc_files(useradd_t)
  files_search_var_lib(useradd_t)
-@@ -460,6 +472,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t)
  fs_getattr_xattr_fs(useradd_t)
  
  mls_file_upgrade(useradd_t)
@@ -4296,17 +4492,18 @@ index 441cf22..772a68e 100644
  
  # Allow access to context for shadow file
  selinux_get_fs_mount(useradd_t)
-@@ -469,8 +482,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t)
  selinux_compute_relabel_context(useradd_t)
  selinux_compute_user_contexts(useradd_t)
  
 -term_use_all_ttys(useradd_t)
 -term_use_all_ptys(useradd_t)
 +term_use_all_inherited_terms(useradd_t)
++term_getattr_all_ptys(useradd_t)
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -498,21 +510,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -20755,10 +20952,10 @@ index 2be17d2..2c588ca 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..f3980e0 100644
+index e14b961..f2aac71 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,48 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
  #
  # Local policy
  #
@@ -20802,12 +20999,16 @@ index e14b961..f3980e0 100644
 +userdom_manage_tmp_role(sysadm_r, sysadm_t)
 +
 +optional_policy(`
++	alsa_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
 +	ssh_filetrans_admin_home_content(sysadm_t)
 +')
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,6 +83,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +87,7 @@ ifndef(`enable_mls',`
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r)
@@ -20815,7 +21016,7 @@ index e14b961..f3980e0 100644
  ')
  
  tunable_policy(`allow_ptrace',`
-@@ -67,9 +96,9 @@ optional_policy(`
+@@ -67,9 +100,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -20826,7 +21027,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -98,6 +127,10 @@ optional_policy(`
+@@ -98,6 +131,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20837,7 +21038,7 @@ index e14b961..f3980e0 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -110,11 +143,19 @@ optional_policy(`
+@@ -110,11 +147,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20858,7 +21059,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -128,6 +169,10 @@ optional_policy(`
+@@ -128,6 +173,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20869,7 +21070,7 @@ index e14b961..f3980e0 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -163,6 +208,13 @@ optional_policy(`
+@@ -163,6 +212,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -20883,7 +21084,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -170,15 +222,20 @@ optional_policy(`
+@@ -170,15 +226,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20907,7 +21108,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -198,22 +255,19 @@ optional_policy(`
+@@ -198,22 +259,19 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -20935,7 +21136,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -225,25 +279,47 @@ optional_policy(`
+@@ -225,25 +283,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20983,7 +21184,7 @@ index e14b961..f3980e0 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
  ')
-@@ -253,19 +329,19 @@ optional_policy(`
+@@ -253,19 +333,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21007,7 +21208,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -274,10 +350,7 @@ optional_policy(`
+@@ -274,10 +354,7 @@ optional_policy(`
  
  optional_policy(`
  	rpm_run(sysadm_t, sysadm_r)
@@ -21019,7 +21220,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -302,12 +375,18 @@ optional_policy(`
+@@ -302,12 +379,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21039,7 +21240,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -332,7 +411,10 @@ optional_policy(`
+@@ -332,7 +415,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21051,7 +21252,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -343,19 +425,15 @@ optional_policy(`
+@@ -343,19 +429,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21073,7 +21274,7 @@ index e14b961..f3980e0 100644
  ')
  
  optional_policy(`
-@@ -367,45 +445,45 @@ optional_policy(`
+@@ -367,45 +449,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21130,7 +21331,7 @@ index e14b961..f3980e0 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +496,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +500,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21141,7 +21342,7 @@ index e14b961..f3980e0 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +513,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +517,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -21149,7 +21350,7 @@ index e14b961..f3980e0 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +521,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +525,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21172,8 +21373,9 @@ index e14b961..f3980e0 100644
 +
 +	optional_policy(`
 +		mplayer_role(sysadm_r, sysadm_t)
-+	')
-+
+ 	')
+-')
+ 
 +	optional_policy(`
 +		pyzor_role(sysadm_r, sysadm_t)
 +	')
@@ -21212,9 +21414,8 @@ index e14b961..f3980e0 100644
 +
 +	optional_policy(`
 +		wireshark_role(sysadm_r, sysadm_t)
- 	')
--')
- 
++	')
++
 +	optional_policy(`
 +		xserver_role(sysadm_r, sysadm_t)
 +	')
@@ -21928,10 +22129,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..8d7dde1
+index 0000000..50c38f9
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,498 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -22159,11 +22360,7 @@ index 0000000..8d7dde1
 +')
 +
 +optional_policy(`
-+	ada_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+	alsa_run(unconfined_t, unconfined_r)
++	alsa_filetrans_named_content(unconfined_t)
 +')
 +
 +optional_policy(`
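Review bot: Dropping `ada_run(unconfined_t, unconfined_r)` and `alsa_run(unconfined_t, unconfined_r)` is not mentioned in the commit description or the changelog entry, and only the alsa block has a visible replacement (`alsa_filetrans_named_content(unconfined_t)`). If both removals are deliberate, a changelog line such as `- Remove ada_run and alsa_run from unconfined_t` would record it. If the `ada_run` block was removed by accident while editing the neighbouring one, it should be restored. The rest of unconfineduser.te is outside the hunk, so whether these transitions are provided elsewhere cannot be seen here.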
@@ -73110,10 +73307,10 @@ index 0000000..79c358c
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..1449552
+index 0000000..a84b8e7
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,370 @@
+@@ -0,0 +1,371 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -73267,6 +73464,7 @@ index 0000000..1449552
 +
 +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
 +manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
 +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
 +init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
 +
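Review bot: The class list on the following `init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })` was not extended with `sock_file`. A socket the agent creates directly in the pid directory would then presumably not be labelled `systemd_passwd_var_run_t`, and the new `manage_sock_files_pattern` rule would not cover it. If sockets are only ever created inside an already-labelled subdirectory this is fine; otherwise use `{ dir fifo_file file sock_file }`. The rest of systemd.te is outside the hunk.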
@@ -78167,7 +78365,7 @@ index 4b2878a..34d01ef 100644
 +   allow $1 unpriv_userdomain:sem rw_sem_perms;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..04d748b 100644
+index 9b4a930..d6c3860 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -78220,7 +78418,7 @@ index 9b4a930..04d748b 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -78283,7 +78481,6 @@ index 9b4a930..04d748b 100644
 +	alsa_read_rw_config(unpriv_userdomain)
 +	alsa_manage_home_files(unpriv_userdomain)
 +	alsa_relabel_home_files(unpriv_userdomain)
-+	alsa_filetrans_named_content(unpriv_userdomain)
 +')
 +
 +optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1b7761b..e930d1d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Oct 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-46
+- Policy update should not modify local contexts
+
 * Thu Oct 20 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-45.1
 - Allow systemd_passwd to talk to sock_files in systemd_passwd_var_run_t directories
 

