From 0829d933ad0631d7cda1f0a2c89f70240652d6e3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jul 25 2008 01:35:47 +0000
Subject: - Allow system_crond_t to restart init scripts - Allow dnsmasq to bind to any udp port - Change dhclient to be able to red networkmanager_var_run
---
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 082e367..c7836c2 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -2006,7 +2006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-07-15 14:02:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-07-24 13:59:46.000000000 -0400
 @@ -0,0 +1,56 @@
 +
 +policy_module(kismet,1.0.0)
@@ -2035,7 +2035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +# kismet local policy
 +#
 +
-+allow kismet_t self:capability { net_admin setuid setgid };
++allow kismet_t self:capability { net_admin net_raw setuid setgid };
 +
 +corecmd_exec_bin(kismet_t)
 +
@@ -2142,8 +2142,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota init_domtrans_script(logrotate_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.3.1/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-07-15 14:02:51.000000000 -0400 -@@ -59,10 +59,9 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-07-24 07:12:06.000000000 -0400 +@@ -54,15 +54,15 @@ + domain_read_all_domains_state(logwatch_t) + + files_list_var(logwatch_t) ++files_read_var_symlinks(logwatch_t) + files_read_etc_files(logwatch_t) + files_read_etc_runtime_files(logwatch_t) files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) @@ -2156,7 +2162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) -@@ -88,9 +87,6 @@ +@@ -88,9 +88,6 @@ sysnet_dns_name_resolve(logwatch_t) @@ -2166,7 +2172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc mta_send_mail(logwatch_t) optional_policy(` -@@ -132,4 +128,5 @@ +@@ -132,4 +129,5 @@ optional_policy(` samba_read_log(logwatch_t) @@ -9175,7 +9181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.3.1/policy/modules/kernel/selinux.te --- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/selinux.te 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/selinux.te 2008-07-24 13:57:00.000000000 -0400 @@ -10,6 +10,7 @@ attribute can_setenforce; attribute can_setsecparam; 
@@ -9184,18 +9190,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu # # security_t is the target type when checking -@@ -22,6 +23,11 @@ +@@ -21,6 +22,12 @@ + mls_trusted_object(security_t) sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) - ++genfscon securityfs / gen_context(system_u:object_r:security_t,s0) ++ +type boolean_t, booleans_type; +fs_type(boolean_t) +mls_trusted_object(boolean_t) +#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0) -+ + neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; - neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.3.1/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-07-15 14:02:51.000000000 -0400 @@ -12812,7 +12819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.3.1/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cron.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cron.te 2008-07-24 07:27:14.000000000 -0400 @@ -12,14 +12,6 @@ ## 
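Review bot: The added `genfscon securityfs / gen_context(system_u:object_r:security_t,s0)` in selinux.te labels every securityfs entry with the same type as selinuxfs, so any domain allowed file access to security_t gets the same access to whatever else is exported through securityfs. The neverallow rules that follow constrain only the `security` class permissions, not file reads or writes on the type. A dedicated type would keep the two apart: `type securityfs_t;`, `fs_type(securityfs_t)`, `genfscon securityfs / gen_context(system_u:object_r:securityfs_t,s0)`. The same hunk declares boolean_t while its genfscon stays commented out, so the type looks unused as shown; a one-line comment saying why it is staged would help.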
@@ -12996,16 +13003,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -323,7 +358,7 @@ +@@ -323,7 +358,8 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit -init_write_initctl(system_crond_t) +init_telinit(system_crond_t) ++init_spec_domtrans_script(system_crond_t) auth_use_nsswitch(system_crond_t) -@@ -333,6 +368,7 @@ +@@ -333,6 +369,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -13013,7 +13021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -348,18 +384,6 @@ +@@ -348,18 +385,6 @@ ') ') @@ -13032,7 +13040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` # Needed for certwatch apache_exec_modules(system_crond_t) -@@ -383,6 +407,14 @@ +@@ -383,6 +408,14 @@ ') optional_policy(` @@ -13047,7 +13055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron mrtg_append_create_logs(system_crond_t) ') -@@ -415,8 +447,7 @@ +@@ -415,8 +448,7 @@ ') optional_policy(` @@ -13057,7 +13065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -424,15 +455,12 @@ +@@ -424,15 +456,12 @@ ') optional_policy(` 
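Review bot: `init_spec_domtrans_script(system_crond_t)` sits under a comment that explains only the prelink/telinit case, and nothing in the hunk says which cron job needs to run init scripts. system_crond_t is the domain shared by system cron jobs, so the rule lets any of them transition into the init script domain, which is much broader than the `init_telinit` line above it. I would add a why-comment such as `# <job name> restarts services through their init scripts` once the triggering job is confirmed, and consider granting the transition only in that job's own domain. The system_crond_t section starts and ends outside this hunk.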
@@ -15132,7 +15140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.3.1/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.te 2008-07-24 06:51:59.000000000 -0400 @@ -16,6 +16,9 @@ type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) @@ -15161,6 +15169,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file) manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t) +@@ -55,7 +58,7 @@ + corenet_tcp_bind_all_nodes(dnsmasq_t) + corenet_udp_bind_all_nodes(dnsmasq_t) + corenet_tcp_bind_dns_port(dnsmasq_t) +-corenet_udp_bind_dns_port(dnsmasq_t) ++corenet_udp_bind_all_ports(dnsmasq_t) + corenet_udp_bind_dhcpd_port(dnsmasq_t) + corenet_sendrecv_dns_server_packets(dnsmasq_t) + corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) @@ -94,3 +97,7 @@ optional_policy(` udev_read_db(dnsmasq_t) 
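Review bot: Replacing `corenet_udp_bind_dns_port(dnsmasq_t)` with `corenet_udp_bind_all_ports(dnsmasq_t)` in dnsmasq.te lets the daemon bind every UDP port, including reserved ports that belong to other services. It also makes the `corenet_udp_bind_dhcpd_port` line below it redundant. If the need is random source ports for upstream queries (the hunk does not say), keeping the DNS port rule and adding only the unreserved range is tighter: `corenet_udp_bind_dns_port(dnsmasq_t)` plus `corenet_udp_bind_all_unreserved_ports(dnsmasq_t)`. Either way, a short comment recording why the wider bind is required would help later audits.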
@@ -17909,15 +17926,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.3.1/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-07-15 14:02:52.000000000 -0400 -@@ -11,6 +11,7 @@ ++++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-07-22 06:33:02.000000000 -0400 +@@ -11,9 +11,10 @@ /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +- ++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -22,6 +23,4 @@ /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) 
@@ -18876,8 +18897,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-07-15 14:02:52.000000000 -0400 -@@ -1,7 +1,11 @@ ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-07-24 08:18:27.000000000 -0400 +@@ -1,7 +1,13 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) 
@@ -18887,12 +18908,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++ +/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) +/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-07-15 14:02:52.000000000 -0400 -@@ -97,3 +97,40 @@ ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-07-24 08:11:29.000000000 -0400 +@@ -97,3 +97,58 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; ') 
@@ -18933,6 +18956,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + init_script_domtrans_spec($1, NetworkManager_script_exec_t) +') + ++######################################## ++## ++## Read NetworkManager PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_read_pid_files',` ++ gen_require(` ++ type NetworkManager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 NetworkManager_var_run_t:file read_file_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-07-15 14:02:52.000000000 -0400 @@ -19088,7 +19129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/etc/rc.d/init.d/ypxfrd -- gen_context(system_u:object_r:nis_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.3.1/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/nis.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/nis.if 2008-07-24 08:13:28.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -30057,7 +30098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f - diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-07-24 07:26:35.000000000 -0400 
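Review bot: `networkmanager_read_pid_files` grants `files_search_pids($1)` and `read_file_perms` on NetworkManager_var_run_t files, but no search permission on NetworkManager_var_run_t directories. That covers the `/var/run/nm-dhclient.*` files labeled elsewhere in this commit. Files under `/var/run/NetworkManager/` carry the same type and would stay unreachable to callers, despite the general interface name. If the general behaviour is intended, `read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)` in place of the bare allow handles both; otherwise the summary line should say that only top-level PID files are covered.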
@@ -211,6 +211,16 @@ kernel_dontaudit_use_fds($1) ') @@ -33614,7 +33655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-07-24 08:14:38.000000000 -0400 @@ -20,6 +20,10 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -33684,18 +33725,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet optional_policy(` networkmanager_dbus_chat(dhcpc_t) ') -@@ -186,6 +199,10 @@ +@@ -186,6 +199,12 @@ ') optional_policy(` + networkmanager_domtrans(dhcpc_t) ++ networkmanager_read_pid_files(dhcpc_t) +') + +optional_policy(` ++ nis_script_domtrans(dhcpc_t) nis_use_ypbind(dhcpc_t) nis_signal_ypbind(dhcpc_t) nis_read_ypbind_pid(dhcpc_t) -@@ -202,9 +219,7 @@ +@@ -202,9 +221,7 @@ ') optional_policy(` @@ -33706,7 +33749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -215,6 +230,7 @@ +@@ -215,6 +232,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -33714,7 +33757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -226,6 +242,10 @@ +@@ -226,6 +244,10 @@ ') optional_policy(` 
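Review bot: `nis_script_domtrans(dhcpc_t)` is added to the NIS optional block in sysnetwork.te but is not mentioned in the commit message or changelog, which cover only the NetworkManager PID file read. dhcpc_t handles responses from the network, so each transition it may take into a script domain widens what a compromised client can reach. A why-comment such as `# dhclient hooks restart ypbind after a lease change (confirm)` and a matching changelog line would make the grant reviewable. The optional_policy block continues outside the hunk.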
@@ -33725,7 +33768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -239,7 +259,6 @@ +@@ -239,7 +261,6 @@ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; @@ -33733,7 +33776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -253,6 +272,7 @@ +@@ -253,6 +274,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -33741,7 +33784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; -@@ -268,7 +288,10 @@ +@@ -268,7 +290,10 @@ kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) @@ -33752,7 +33795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet corenet_rw_tun_tap_dev(ifconfig_t) -@@ -279,8 +302,11 @@ +@@ -279,8 +304,11 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -33764,7 +33807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet domain_use_interactive_fds(ifconfig_t) -@@ -303,12 +329,16 @@ +@@ -303,12 +331,16 @@ userdom_use_all_users_fds(ifconfig_t) @@ -33782,7 +33825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ifdef(`hide_broken_symptoms',` optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) -@@ -332,6 +362,14 @@ +@@ -332,6 +364,14 @@ ') optional_policy(` 
@@ -38395,7 +38438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-07-24 07:40:40.000000000 -0400 @@ -0,0 +1,204 @@ + +policy_module(virt,1.0.0) @@ -38451,7 +38494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +# +# virtd local policy +# -+allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; ++allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace sys_resource }; +allow virtd_t self:process { getsched sigkill signal execmem }; +allow virtd_t self:fifo_file rw_file_perms; +allow virtd_t self:unix_stream_socket create_stream_socket_perms; @@ -38906,8 +38949,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.3.1/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/guest.te 2008-07-15 14:02:52.000000000 -0400 -@@ -0,0 +1,21 @@ ++++ serefpolicy-3.3.1/policy/modules/users/guest.te 2008-07-24 14:15:43.000000000 -0400 +@@ -0,0 +1,31 @@ +policy_module(guest,1.0.1) +userdom_restricted_user_template(guest) + 
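Review bot: `sys_resource` is added to the virtd_t capability set in virt.te with no comment and no changelog entry. The domain already holds dac_override and sys_ptrace plus the execmem process permission, and sys_resource additionally lets it override resource limits. I would record the reason next to the rule, e.g. `# sys_resource: <operation that was denied>`, so the capability can be dropped again if that need goes away.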
@@ -38929,6 +38972,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t + dbus_chat_user_bus(xguest,xguest_mozilla_t) + dbus_connectto_user_bus(xguest,xguest_mozilla_t) +') ++ ++optional_policy(` ++ gen_require(` ++ type openoffice_exec_t; ++ type xguest_mozilla_t; ++ type xguest_openoffice_t; ++ ') ++ ++ domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.3.1/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/users/logadm.fc 2008-07-15 14:02:52.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 77acb87..a7a0fa7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 79%{?dist} +Release: 80%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -386,6 +386,11 @@ exit 0 %endif %changelog +* Thu Jul 24 2008 Dan Walsh 3.3.1-80 +- Allow system_crond_t to restart init scripts +- Allow dnsmasq to bind to any udp port +- Change dhclient to be able to red networkmanager_var_run + * Thu Jul 17 2008 Dan Walsh 3.3.1-79 - Allow xguest to communicate with hal - allow mozilla to communicate with networkmanager