From 25d586808dc61b8505c339a4e03a7c37ba587c7c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 10 2007 22:02:06 +0000 Subject: - Allow newalias/sendmail dac_override - Allow bind to bind to all udp ports --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 3ced518..16ec8ba 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1505,3 +1505,12 @@ logadm = module # Minimally prived root role for managing apache # webadm = module + +# +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + diff --git a/policy-20070703.patch b/policy-20070703.patch index d196d98..5ea282a 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -495,12 +495,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-3.0.7/policy/modules/admin/dmidecode.te --- nsaserefpolicy/policy/modules/admin/dmidecode.te 2007-08-22 07:14:14.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/admin/dmidecode.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/admin/dmidecode.te 2007-09-07 17:05:59.000000000 -0400 @@ -20,6 +20,7 @@ # Allow dmidecode to read /dev/mem dev_read_raw_memory(dmidecode_t) -+dev_search_sysfs(dmidecode_t) ++dev_read_sysfs(dmidecode_t) mls_file_read_all_levels(dmidecode_t) @@ -2745,7 +2745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.7/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-10 16:27:16.000000000 -0400 @@ -343,8 +343,7 @@ ######################################## 
@@ -2830,7 +2830,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## List the contents of the root directory. ## ## -@@ -3323,6 +3359,42 @@ +@@ -3107,6 +3143,24 @@ + + ######################################## + ## ++## Manage temporary directories in /tmp. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`files_manage_generic_tmp_dirs',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ manage_dirs_pattern($1,tmp_t,tmp_t) ++') ++ ++######################################## ++## + ## Manage temporary files and directories in /tmp. + ## + ## +@@ -3323,6 +3377,42 @@ ######################################## ## @@ -2873,7 +2898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Get the attributes of files in /usr. ## ## -@@ -3381,7 +3453,7 @@ +@@ -3381,7 +3471,7 @@ ######################################## ## @@ -2882,7 +2907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -3389,17 +3461,17 @@ +@@ -3389,17 +3479,17 @@ ## ## # @@ -2903,7 +2928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -3407,12 +3479,12 @@ +@@ -3407,12 +3497,12 @@ ## ## # @@ -2918,7 +2943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4043,7 +4115,7 @@ +@@ -4043,7 +4133,7 @@ type var_t, var_lock_t; ') @@ -2927,7 +2952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4560,6 +4632,8 @@ +@@ -4560,6 +4650,8 @@ # Need to give access to /selinux/member selinux_compute_member($1) 
@@ -2936,7 +2961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4582,6 +4656,11 @@ +@@ -4582,6 +4674,11 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -2948,7 +2973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4619,3 +4698,28 @@ +@@ -4619,3 +4716,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') 
@@ -3171,6 +3196,99 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu allow $1 security_t:dir list_dir_perms; allow $1 security_t:file { getattr read }; ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.7/policy/modules/kernel/storage.fc +--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/kernel/storage.fc 2007-09-10 15:52:30.000000000 -0400 +@@ -52,7 +52,7 @@ + + /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +-/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh) + /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) + + /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.7/policy/modules/kernel/storage.if +--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-08-22 07:14:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/kernel/storage.if 2007-09-10 15:54:45.000000000 -0400 +@@ -673,3 +673,61 @@ + + typeattribute $1 storage_unconfined_type; + ') ++ ++######################################## ++## ++## Allow the caller to get the attributes ++## of device nodes of fuse devices. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`storage_getattr_fuse_dev',` ++ gen_require(` ++ type fuse_device_t; ++ ') ++ ++ dev_list_all_dev_nodes($1) ++ allow $1 fuse_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## read or write fuse device interfaces. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`storage_rw_fuse',` ++ gen_require(` ++ type fuse_device_t; ++ ') ++ ++ allow $1 fuse_device_t:chr_file rw_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## fuse device interfaces. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`storage_dontaudit_rw_fuse',` ++ gen_require(` ++ type fuse_device_t; ++ ') ++ ++ dontaudit $1 fuse_device_t:chr_file rw_file_perms; ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.0.7/policy/modules/kernel/storage.te +--- nsaserefpolicy/policy/modules/kernel/storage.te 2007-08-22 07:14:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/kernel/storage.te 2007-09-10 15:38:30.000000000 -0400 +@@ -23,6 +23,12 @@ + neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write }; + + # ++# fuse_device_t is the type of /dev/fuse ++# ++type fuse_device_t; ++dev_node(fuse_device_t) ++ ++# + # scsi_generic_device_t is the type of /dev/sg* + # it gives access to ALL SCSI devices (both fixed and removable) + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.7/policy/modules/kernel/terminal.fc --- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-05-29 14:10:48.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/kernel/terminal.fc 2007-09-06 15:43:06.000000000 -0400 
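Review bot: The parameter description on `storage_rw_fuse` in storage.if reads "Domain to not audit." although the body is an `allow` of `rw_file_perms` on `fuse_device_t:chr_file`; it looks copied from `storage_dontaudit_rw_fuse` below it and should read `Domain allowed access.` so that nobody auditing callers mistakes a grant for a dontaudit. The storage.fc change also moves /dev/fuse out of `fixed_disk_device_t`, so the raw-disk `neverallow` shown in the storage.te context no longer covers it and access depends only on who calls `storage_rw_fuse`. A short comment beside `type fuse_device_t;` naming the domains expected to call it would make that boundary reviewable. Domains that reached /dev/fuse through the fixed-disk interfaces lose that access after a relabel, which is presumably intended but is not stated.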
@@ -3664,7 +3782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.7/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/apache.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/apache.te 2007-09-10 15:07:38.000000000 -0400 @@ -30,6 +30,13 @@ ## @@ -3884,7 +4002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -442,6 +536,13 @@ +@@ -442,8 +536,15 @@ ') optional_policy(` @@ -3896,8 +4014,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') +optional_policy(` kerberos_use(httpd_t) - kerberos_read_kdc_config(httpd_t) +- kerberos_read_kdc_config(httpd_t) ++ kerberos_read_keytab(httpd_t) ') + + optional_policy(` @@ -461,7 +562,6 @@ optional_policy(` @@ -4174,7 +4295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.7/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/apcupsd.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/apcupsd.te 2007-09-10 10:56:09.000000000 -0400 @@ -16,6 +16,9 @@ type apcupsd_log_t; logging_log_file(apcupsd_log_t) 
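Review bot: In the apache.te hunk at `@@ -442,8 +536,15 @@`, `kerberos_read_keytab(httpd_t)` replaces `kerberos_read_kdc_config(httpd_t)` with no condition inside the optional block, so httpd_t can read keytab files whenever the kerberos module is present. A keytab holds long-term service keys and httpd_t is a network-facing domain, so I would put the call in a `tunable_policy` block on the `allow_kerberos` boolean that kerberos.if already uses, or at least add a comment naming the httpd module that needs it. The rest of the httpd_t policy lies outside this hunk, so an existing guard elsewhere cannot be ruled out from here.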
@@ -4233,11 +4354,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu libs_use_ld_so(apcupsd_t) libs_use_shared_libs(apcupsd_t) -@@ -62,3 +82,41 @@ +@@ -62,3 +82,43 @@ logging_send_syslog_msg(apcupsd_t) miscfiles_read_localization(apcupsd_t) + ++sysnet_dns_name_resolve(apcupsd_t) ++ +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 +term_use_unallocated_ttys(apcupsd_t) + @@ -4362,7 +4485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind +/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.7/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/bind.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/bind.te 2007-09-10 11:12:34.000000000 -0400 @@ -66,7 +66,6 @@ allow named_t self:unix_dgram_socket create_socket_perms; allow named_t self:tcp_socket create_stream_socket_perms; @@ -4380,7 +4503,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind # read zone files allow named_t named_zone_t:dir list_dir_perms; read_files_pattern(named_t,named_zone_t,named_zone_t) -@@ -175,6 +176,10 @@ +@@ -119,6 +120,7 @@ + corenet_sendrecv_dns_client_packets(named_t) + corenet_sendrecv_rndc_server_packets(named_t) + corenet_sendrecv_rndc_client_packets(named_t) ++corenet_udp_bind_all_unreserved_ports(named_t) + + dev_read_sysfs(named_t) + dev_read_rand(named_t) +@@ -175,6 +177,10 @@ ') optional_policy(` @@ -4391,7 +4522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind # this seems like fds that arent being # closed. these should probably be # dontaudits instead. -@@ -184,14 +189,6 @@ +@@ -184,14 +190,6 @@ ') optional_policy(` 
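Review bot: `corenet_udp_bind_all_unreserved_ports(named_t)` in the bind.te hunk at `@@ -119,6 +120,7 @@` is added without a comment, and it lets named_t bind any unreserved UDP port rather than only the DNS and rndc traffic the neighbouring rules name. If the reason is outgoing queries from random source ports, say so above the line, for example `# named sends queries from random unreserved UDP source ports`, so a later reviewer does not take the grant for an oversight; that reason is my inference and is not stated on the page. The commit subject says "all udp ports" while the rule covers unreserved ports only, so the subject overstates the change.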
@@ -4406,7 +4537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind seutil_sigchld_newrole(named_t) ') -@@ -232,6 +229,7 @@ +@@ -232,6 +230,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) 
@@ -5576,18 +5707,475 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +files_read_etc_files(dovecot_deliver_t) +files_read_etc_runtime_files(dovecot_deliver_t) + -+libs_use_ld_so(dovecot_deliver_t) -+libs_use_shared_libs(dovecot_deliver_t) ++libs_use_ld_so(dovecot_deliver_t) ++libs_use_shared_libs(dovecot_deliver_t) ++ ++miscfiles_read_localization(dovecot_deliver_t) ++ ++optional_policy(` ++ mta_manage_spool(dovecot_deliver_t) + ') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.7/policy/modules/services/exim.fc +--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.7/policy/modules/services/exim.fc 2007-09-10 12:01:03.000000000 -0400 +@@ -0,0 +1,6 @@ ++ ++/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0) ++/etc/rc.d/init.d/exim -- gen_context(system_u:object_r:exim_script_exec_t,s0) ++/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) ++/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0) ++/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.7/policy/modules/services/exim.if +--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.7/policy/modules/services/exim.if 2007-09-10 12:01:03.000000000 -0400 +@@ -0,0 +1,330 @@ ++ ++## policy for exim ++ ++######################################## ++## ++## Execute a domain transition to run exim. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`exim_domtrans',` ++ gen_require(` ++ type exim_t; ++ type exim_exec_t; ++ ') ++ ++ domain_auto_trans($1,exim_exec_t,exim_t) ++ ++ allow exim_t $1:fd use; ++ allow exim_t $1:fifo_file rw_file_perms; ++ allow exim_t $1:process sigchld; ++') ++ ++ ++######################################## ++## ++## Execute exim server in the exim domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`exim_script_domtrans',` ++ gen_require(` ++ type exim_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,exim_script_exec_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to read, ++## exim tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`exim_dontaudit_read_tmp_files',` ++ gen_require(` ++ type exim_tmp_t; ++ ') ++ ++ dontaudit $1 exim_tmp_t:file r_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to read, exim tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`exim_read_tmp_files',` ++ gen_require(` ++ type exim_tmp_t; ++ ') ++ ++ allow $1 exim_tmp_t:file r_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to manage exim tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`exim_manage_tmp',` ++ gen_require(` ++ type exim_tmp_t; ++ ') ++ ++ manage_dir_perms($1,exim_tmp_t,exim_tmp_t) ++ manage_file_perms($1,exim_tmp_t,exim_tmp_t) ++ manage_lnk_file_perms($1,exim_tmp_t,exim_tmp_t) ++') ++ ++######################################## ++## ++## Read exim PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_read_pid_files',` ++ gen_require(` ++ type exim_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 exim_var_run_t:file r_file_perms; ++') ++ ++######################################## ++## ++## Manage exim var_run files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`exim_manage_var_run',` ++ gen_require(` ++ type exim_var_run_t; ++ ') ++ ++ manage_dir_perms($1,exim_var_run_t,exim_var_run_t) ++ manage_file_perms($1,exim_var_run_t,exim_var_run_t) ++ manage_lnk_file_perms($1,exim_var_run_t,exim_var_run_t) ++') ++ ++ ++######################################## ++## ++## Allow the specified domain to read exim's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`exim_read_log',` ++ gen_require(` ++ type exim_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 exim_log_t:dir r_dir_perms; ++ allow $1 exim_log_t:file { read getattr lock }; ++') ++ ++######################################## ++## ++## Allow the specified domain to append ++## exim log files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`exim_append_log',` ++ gen_require(` ++ type var_log_t, exim_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 exim_log_t:dir r_dir_perms; ++ allow $1 exim_log_t:file { getattr append }; ++') ++ ++######################################## ++## ++## Allow domain to manage exim log files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`exim_manage_log',` ++ gen_require(` ++ type exim_log_t; ++ ') ++ ++ manage_dir_perms($1,exim_log_t,exim_log_t) ++ manage_file_perms($1,exim_log_t,exim_log_t) ++ manage_lnk_file_perms($1,exim_log_t,exim_log_t) ++') ++ ++######################################## ++## ++## Search exim spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_search_spool',` ++ gen_require(` ++ type exim_spool_t; ++ ') ++ ++ allow $1 exim_spool_t:dir search_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Read exim spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`exim_read_spool_files',` ++ gen_require(` ++ type exim_spool_t; ++ ') ++ ++ allow $1 exim_spool_t:file r_file_perms; ++ allow $1 exim_spool_t:dir list_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## exim spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_manage_spool_files',` ++ gen_require(` ++ type exim_spool_t; ++ ') ++ ++ allow $1 exim_spool_t:file manage_file_perms; ++ allow $1 exim_spool_t:dir rw_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Allow domain to manage exim spool files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`exim_manage_spool',` ++ gen_require(` ++ type exim_spool_t; ++ ') ++ ++ manage_dir_perms($1,exim_spool_t,exim_spool_t) ++ manage_file_perms($1,exim_spool_t,exim_spool_t) ++ manage_lnk_file_perms($1,exim_spool_t,exim_spool_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate an exim environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the exim domain. ++## ++## ++## ++## ++## The type of the terminal allow the dmidecode domain to use. 
++## ++## ++## ++# ++interface(`exim_admin',` ++ gen_require(` ++ type exim_t; ++ ') ++ ++ allow $1 exim_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, exim_t, exim_t) ++ ++ ++ # Allow $1 to restart the apache service ++ exim_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 exim_script_exec_t system_r; ++ allow $2 system_r; ++ ++ exim_manage_tmp($1) ++ ++ exim_manage_var_run($1) ++ ++ exim_manage_log($1) ++ ++ exim_manage_spool($1) ++ ++') +Binary files nsaserefpolicy/policy/modules/services/exim.pp and serefpolicy-3.0.7/policy/modules/services/exim.pp differ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.7/policy/modules/services/exim.te +--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.7/policy/modules/services/exim.te 2007-09-10 15:45:46.000000000 -0400 +@@ -0,0 +1,108 @@ ++policy_module(exim,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type exim_t; ++type exim_exec_t; ++domain_type(exim_t) ++init_daemon_domain(exim_t, exim_exec_t) ++ ++type exim_script_exec_t; ++init_script_type(exim_script_exec_t) ++ ++type exim_tmp_t; ++files_tmp_file(exim_tmp_t) ++ ++type exim_var_run_t; ++files_pid_file(exim_var_run_t) ++ ++type exim_log_t; ++logging_log_file(exim_log_t) ++ ++type exim_spool_t; ++files_type(exim_spool_t) ++ ++######################################## ++# ++# exim local policy ++# ++ ++allow exim_t self:capability { dac_override dac_read_search setuid setgid }; ++ ++## internal communication is often done using fifo and unix sockets. 
++allow exim_t self:fifo_file rw_file_perms; ++allow exim_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow exim_t exim_tmp_t:file manage_file_perms; ++allow exim_t exim_tmp_t:dir create_dir_perms; ++files_tmp_filetrans(exim_t,exim_tmp_t, { file dir }) ++ ++allow exim_t exim_var_run_t:file manage_file_perms; ++allow exim_t exim_var_run_t:dir manage_dir_perms; ++files_pid_filetrans(exim_t,exim_var_run_t, { file dir }) ++ ++allow exim_t exim_log_t:file manage_file_perms; ++allow exim_t exim_log_t:dir { rw_dir_perms setattr }; ++logging_log_filetrans(exim_t,exim_log_t,{ file dir }) ++ ++allow exim_t exim_spool_t:dir manage_dir_perms; ++allow exim_t exim_spool_t:file manage_file_perms; ++allow exim_t exim_spool_t:sock_file create_file_perms; ++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file }) ++ ++auth_use_nsswitch(exim_t) ++ ++can_exec(exim_t,exim_exec_t) ++ ++# Init script handling ++domain_use_interactive_fds(exim_t) ++ ++files_read_etc_files(exim_t) ++ ++sysnet_dns_name_resolve(exim_t) ++corenet_all_recvfrom_unlabeled(exim_t) ++ ++allow exim_t self:tcp_socket create_stream_socket_perms; ++corenet_tcp_sendrecv_all_if(exim_t) ++corenet_tcp_sendrecv_all_nodes(exim_t) ++corenet_tcp_sendrecv_all_ports(exim_t) ++corenet_tcp_bind_all_nodes(exim_t) ++corenet_tcp_bind_smtp_port(exim_t) ++corenet_tcp_bind_amavisd_send_port(exim_t) ++corenet_tcp_connect_auth_port(exim_t) ++corenet_tcp_connect_inetd_child_port(exim_t) ++ ++corecmd_search_bin(exim_t) ++ ++libs_use_ld_so(exim_t) ++libs_use_shared_libs(exim_t) ++logging_send_syslog_msg(exim_t) ++ ++miscfiles_read_localization(exim_t) ++ ++kernel_read_kernel_sysctls(exim_t) ++ ++mta_mailclient(exim_exec_t) ++mta_read_aliases(exim_t) ++mta_rw_spool(exim_t) ++ ++userdom_dontaudit_search_sysadm_home_dirs(exim_t) ++userdom_dontaudit_search_generic_user_home_dirs(exim_t) + -+miscfiles_read_localization(dovecot_deliver_t) ++bool exim_read_user_files false; ++bool exim_manage_user_files false; + 
-+optional_policy(` -+ mta_manage_spool(dovecot_deliver_t) - ') ++if (exim_read_user_files) { ++ userdom_read_unpriv_users_home_content_files(exim_t) ++ userdom_read_unpriv_users_tmp_files(exim_t) ++} ++ ++if (exim_manage_user_files) { ++ userdom_manage_unpriv_users_home_content_dirs(exim_t) ++ userdom_read_unpriv_users_tmp_files(exim_t) ++ userdom_write_unpriv_users_tmp_files(exim_t) ++} + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.7/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/ftp.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/ftp.te 2007-09-10 14:54:57.000000000 -0400 @@ -88,6 +88,7 @@ allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; @@ -5629,6 +6217,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` +@@ -252,7 +264,9 @@ + ') + + optional_policy(` ++ kerberos_use(ftpd_t) + kerberos_read_keytab(ftpd_t) ++ kerberos_manage_host_rcache(ftpd_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.7/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-30 11:47:29.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/hal.fc 2007-09-06 15:43:06.000000000 -0400 
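Review bot: exim_manage_tmp, exim_manage_var_run, exim_manage_log and exim_manage_spool in exim.if call `manage_dir_perms(...)`, `manage_file_perms(...)` and `manage_lnk_file_perms(...)` with three arguments, but the same patch uses those names as permission sets (`allow exim_t exim_tmp_t:file manage_file_perms;` in exim.te), so the calls would not expand to allow rules and exim_admin, which calls all four, would not grant what its summary promises. The pattern macros appear to be what was meant, as in `manage_dirs_pattern($1,tmp_t,tmp_t)` in the files.if hunk; the replacement lines are below. exim_admin also still carries text from the interface it was copied from (the comment "restart the apache service", a terminal parameter described for "the dmidecode domain" that the body never uses) and grants `ptrace` on exim_t, which should be justified in a comment or dropped. Several parameter descriptions say "Domain to not audit." on interfaces that allow access and should read `Domain allowed access.`

```selinux
interface(`exim_manage_tmp',`
	# … unchanged: gen_require for exim_tmp_t …
	manage_dirs_pattern($1,exim_tmp_t,exim_tmp_t)
	manage_files_pattern($1,exim_tmp_t,exim_tmp_t)
	manage_lnk_files_pattern($1,exim_tmp_t,exim_tmp_t)
')

interface(`exim_manage_var_run',`
	# … unchanged: gen_require for exim_var_run_t …
	manage_dirs_pattern($1,exim_var_run_t,exim_var_run_t)
	manage_files_pattern($1,exim_var_run_t,exim_var_run_t)
	manage_lnk_files_pattern($1,exim_var_run_t,exim_var_run_t)
')

interface(`exim_manage_log',`
	# … unchanged: gen_require for exim_log_t …
	manage_dirs_pattern($1,exim_log_t,exim_log_t)
	manage_files_pattern($1,exim_log_t,exim_log_t)
	manage_lnk_files_pattern($1,exim_log_t,exim_log_t)
')

interface(`exim_manage_spool',`
	# … unchanged: gen_require for exim_spool_t …
	manage_dirs_pattern($1,exim_spool_t,exim_spool_t)
	manage_files_pattern($1,exim_spool_t,exim_spool_t)
	manage_lnk_files_pattern($1,exim_spool_t,exim_spool_t)
')
```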
@@ -5863,8 +6461,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +dev_rw_input_dev(hald_keymap_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.7/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/inetd.te 2007-09-06 15:43:06.000000000 -0400 -@@ -80,16 +80,21 @@ ++++ serefpolicy-3.0.7/policy/modules/services/inetd.te 2007-09-10 16:31:50.000000000 -0400 +@@ -53,6 +53,8 @@ + allow inetd_t inetd_var_run_t:file manage_file_perms; + files_pid_filetrans(inetd_t,inetd_var_run_t,file) + ++auth_search_key(inetd_t) ++ + kernel_read_kernel_sysctls(inetd_t) + kernel_list_proc(inetd_t) + kernel_read_proc_symlinks(inetd_t) +@@ -80,16 +82,21 @@ corenet_udp_bind_comsat_port(inetd_t) corenet_tcp_bind_dbskkd_port(inetd_t) corenet_udp_bind_dbskkd_port(inetd_t) @@ -5886,7 +6493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet corenet_udp_bind_tftp_port(inetd_t) corenet_tcp_bind_ssh_port(inetd_t) -@@ -135,14 +140,19 @@ +@@ -135,14 +142,19 @@ mls_fd_use_all_levels(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) @@ -5907,7 +6514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet optional_policy(` amanda_search_lib(inetd_t) ') -@@ -172,6 +182,9 @@ +@@ -172,6 +184,9 @@ # for identd allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow inetd_child_t self:capability { setuid setgid }; @@ -5917,7 +6524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet files_search_home(inetd_child_t) manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) -@@ -214,13 +227,10 @@ +@@ -214,13 +229,10 @@ ') optional_policy(` 
@@ -5933,9 +6540,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet unconfined_domain(inetd_child_t) + inetd_service_domain(inetd_child_t,bin_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.0.7/policy/modules/services/kerberos.fc +--- nsaserefpolicy/policy/modules/services/kerberos.fc 2007-05-29 14:10:57.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/kerberos.fc 2007-09-10 14:42:55.000000000 -0400 +@@ -16,3 +16,4 @@ + + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) + /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) ++/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.7/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/kerberos.if 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/kerberos.if 2007-09-10 17:37:40.000000000 -0400 @@ -42,6 +42,10 @@ dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; 
@@ -5947,10 +6562,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; +@@ -172,3 +176,25 @@ + allow $1 krb5kdc_conf_t:file read_file_perms; + + ') ++ ++######################################## ++## ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kerberos_manage_host_rcache',` ++ gen_require(` ++ type krb5_host_rcache_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 self:process setfscreate; ++ seutil_read_file_contexts($1) ++ allow $1 krb5_host_rcache_t:file manage_file_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.7/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-07 10:31:47.000000000 -0400 -@@ -62,7 +62,7 @@ ++++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-10 14:42:59.000000000 -0400 +@@ -54,6 +54,9 @@ + type krb5kdc_var_run_t; + files_pid_file(krb5kdc_var_run_t) + ++type krb5_host_rcache_t; ++files_tmp_file(krb5_host_rcache_t) ++ + ######################################## + # + # kadmind local policy +@@ -62,7 +65,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; dontaudit kadmind_t self:capability sys_tty_config; 
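Review bot: The summary of the new `kerberos_manage_host_rcache` interface in kerberos.if still reads "Read the kerberos kdc configuration file (/etc/krb5kdc.conf)", apparently copied from the interface above it, while the body grants `manage_file_perms` on krb5_host_rcache_t, `self:process setfscreate` and `seutil_read_file_contexts`. I would replace it with `## Create, read, write and delete the kerberos host replay cache (/var/tmp/host_0).` and add a comment on the `setfscreate` line saying why the caller needs to choose the label of files it creates (presumably to label the cache at creation), because this patch hands that permission to ftpd_t and rlogind_t, both network-facing daemons. The file-context entry added in kerberos.fc matches only the literal name `host_0` in /var/tmp; whether other cache file names need the type cannot be told from this page.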
@@ -5959,7 +6610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; allow kadmind_t self:unix_dgram_socket { connect create write }; allow kadmind_t self:tcp_socket connected_stream_socket_perms; -@@ -91,6 +91,7 @@ +@@ -91,6 +94,7 @@ kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) kernel_read_proc_symlinks(kadmind_t) @@ -5967,7 +6618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb corenet_all_recvfrom_unlabeled(kadmind_t) corenet_all_recvfrom_netlabel(kadmind_t) -@@ -118,6 +119,9 @@ +@@ -118,6 +122,9 @@ domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) @@ -5977,7 +6628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb libs_use_ld_so(kadmind_t) libs_use_shared_libs(kadmind_t) -@@ -127,6 +131,7 @@ +@@ -127,6 +134,7 @@ miscfiles_read_localization(kadmind_t) sysnet_read_config(kadmind_t) @@ -5985,7 +6636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) -@@ -137,6 +142,7 @@ +@@ -137,6 +145,7 @@ optional_policy(` seutil_sigchld_newrole(kadmind_t) @@ -5993,7 +6644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` -@@ -151,7 +157,7 @@ +@@ -151,7 +160,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; dontaudit krb5kdc_t self:capability sys_tty_config; 
@@ -6002,7 +6653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; allow krb5kdc_t self:tcp_socket create_stream_socket_perms; allow krb5kdc_t self:udp_socket create_socket_perms; -@@ -223,6 +229,7 @@ +@@ -223,6 +232,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) @@ -6010,7 +6661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) -@@ -233,6 +240,7 @@ +@@ -233,6 +243,7 @@ optional_policy(` seutil_sigchld_newrole(krb5kdc_t) @@ -6169,7 +6820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.7/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/mta.if 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/mta.if 2007-09-10 15:34:04.000000000 -0400 @@ -226,6 +226,15 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_mail_t) 
@@ -6186,7 +6837,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -392,6 +401,7 @@ +@@ -314,6 +323,24 @@ + + ######################################## + ## ++## Make the specified type usable for a mta_send_mail. ++## ++## ++## ++## Type to be used as a mail client. ++## ++## ++# ++interface(`mta_mailclient',` ++ gen_require(` ++ attribute mailclient_exec_type; ++ ') ++ ++ typeattribute $1 mailclient_exec_type; ++') ++ ++######################################## ++## + ## Modified mailserver interface for + ## sendmail daemon use. + ## +@@ -392,6 +419,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) @@ -6194,7 +6870,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) -@@ -595,6 +605,25 @@ +@@ -447,11 +475,12 @@ + interface(`mta_send_mail',` + gen_require(` + attribute mta_user_agent; +- type system_mail_t, sendmail_exec_t; ++ type system_mail_t; ++ attribute mailclient_exec_type; + ') + +- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; +- domain_auto_trans($1, sendmail_exec_t, system_mail_t) ++ allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms; ++ domain_auto_trans($1, mailclient_exec_type, system_mail_t) + + allow $1 system_mail_t:fd use; + allow system_mail_t $1:fd use; +@@ -461,6 +490,7 @@ + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file { read write }; ++ + ') + + ######################################## +@@ -595,6 +625,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') 
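Review bot: In the mta.if hunk at `@@ -447,11 +475,12 @@`, `mta_send_mail` now applies `domain_auto_trans($1, mailclient_exec_type, system_mail_t)` to an attribute, so any type a module passes to the new `mta_mailclient` interface (added in the preceding hunk) becomes a transition trigger into system_mail_t for every caller of mta_send_mail. exim.te in this same patch already does that with `mta_mailclient(exim_exec_t)`, although exim_exec_t is also the entry file for exim_t. A comment above mta_mailclient stating that the type must be a sendmail-compatible binary meant to run as system_mail_t, plus a check that system_mail_t has entrypoint permission on the attribute (not visible in this hunk), would make the widened trust explicit. The hunk also adds a stray blank line before the closing `')` of mta_send_mail.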
@@ -6222,8 +6922,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.7/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/mta.te 2007-09-06 15:43:06.000000000 -0400 -@@ -44,6 +44,7 @@ ++++ serefpolicy-3.0.7/policy/modules/services/mta.te 2007-09-10 15:33:31.000000000 -0400 +@@ -6,6 +6,7 @@ + # Declarations + # + ++attribute mailclient_exec_type; + attribute mta_user_agent; + attribute mailserver_delivery; + attribute mailserver_domain; +@@ -27,6 +28,7 @@ + + type sendmail_exec_t; + application_executable_file(sendmail_exec_t) ++mta_mailclient(sendmail_exec_t) + + mta_base_mail_template(system) + role system_r types system_mail_t; +@@ -44,6 +46,7 @@ kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) @@ -6231,7 +6947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -51,16 +52,46 @@ +@@ -51,16 +54,46 @@ userdom_use_sysadm_terms(system_mail_t) userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) @@ -6278,7 +6994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,6 +104,7 @@ +@@ -73,6 +106,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) 
@@ -7725,7 +8441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.7/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/rlogin.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/rlogin.te 2007-09-10 17:48:31.000000000 -0400 @@ -65,6 +65,7 @@ fs_search_auto_mountpoints(rlogind_t) @@ -7734,6 +8450,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) +@@ -82,7 +83,7 @@ + + miscfiles_read_localization(rlogind_t) + +-seutil_dontaudit_search_config(rlogind_t) ++seutil_read_config(rlogind_t) + + sysnet_read_config(rlogind_t) + +@@ -93,7 +94,9 @@ + remotelogin_domtrans(rlogind_t) + + optional_policy(` ++ kerberos_use(rlogind_t) + kerberos_read_keytab(rlogind_t) ++ kerberos_manage_host_rcache(rlogind_t) + ') + + ifdef(`TODO',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.7/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-07-03 07:06:27.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/rpcbind.te 2007-09-06 15:43:06.000000000 -0400 
@@ -7850,8 +8585,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. userdom_read_unpriv_users_tmp_files(gssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.7/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/rshd.te 2007-09-06 15:43:06.000000000 -0400 -@@ -11,6 +11,7 @@ ++++ serefpolicy-3.0.7/policy/modules/services/rshd.te 2007-09-10 16:54:18.000000000 -0400 +@@ -11,15 +11,17 @@ domain_subj_id_change_exemption(rshd_t) domain_role_change_exemption(rshd_t) role system_r types rshd_t; @@ -7859,7 +8594,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd ######################################## # -@@ -33,6 +34,8 @@ + # Local policy + # +-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override }; ++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; + allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; + allow rshd_t self:fifo_file rw_fifo_file_perms; + allow rshd_t self:tcp_socket create_stream_socket_perms; ++allow rshd_t self:key {search write link}; + + kernel_read_kernel_sysctls(rshd_t) + +@@ -33,6 +35,8 @@ corenet_udp_sendrecv_all_ports(rshd_t) corenet_tcp_bind_all_nodes(rshd_t) corenet_tcp_bind_rsh_port(rshd_t) 
@@ -7868,23 +8614,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd corenet_sendrecv_rsh_server_packets(rshd_t) dev_read_urand(rshd_t) -@@ -44,7 +47,9 @@ +@@ -44,26 +48,31 @@ selinux_compute_relabel_context(rshd_t) selinux_compute_user_contexts(rshd_t) +auth_use_nsswitch(rshd_t) auth_domtrans_chk_passwd(rshd_t) +auth_domtrans_upd_passwd_chk(rshd_t) ++auth_search_key(rshd_t) ++auth_write_login_records(rshd_t) corecmd_read_bin_symlinks(rshd_t) -@@ -85,6 +90,5 @@ + files_list_home(rshd_t) + files_read_etc_files(rshd_t) +-files_search_tmp(rshd_t) ++files_manage_generic_tmp_dirs(rshd_t) ++ ++init_rw_utmp(rshd_t) + + libs_use_ld_so(rshd_t) + libs_use_shared_libs(rshd_t) + + logging_send_syslog_msg(rshd_t) ++logging_search_logs(rshd_t) + + miscfiles_read_localization(rshd_t) + + seutil_read_config(rshd_t) + seutil_read_default_contexts(rshd_t) + +-sysnet_read_config(rshd_t) +- + userdom_search_all_users_home_content(rshd_t) + + tunable_policy(`use_nfs_home_dirs',` +@@ -78,13 +87,12 @@ + + optional_policy(` + kerberos_use(rshd_t) ++ kerberos_read_keytab(rshd_t) ++ kerberos_manage_host_rcache(rshd_t) ') optional_policy(` +- nscd_socket_use(rshd_t) +-') +- +-optional_policy(` - unconfined_domain(rshd_t) unconfined_shell_domtrans(rshd_t) ++ unconfined_signal(rshd_t) ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.7/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/rsync.te 2007-09-06 15:43:06.000000000 -0400 
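Review bot: Replacing `files_search_tmp(rshd_t)` with `files_manage_generic_tmp_dirs(rshd_t)` lets a network-facing daemon create, rename and remove directories labelled `tmp_t`, a label shared with every other domain that uses generic /tmp. If rshd only needs scratch space of its own (the hunk gives no reason, so this is an inference), a private type is the narrower grant: declare a new type with `files_tmp_file()` and reach it through `files_tmp_filetrans(rshd_t, <new rshd tmp type>, dir)`. If generic `tmp_t` really is required, a comment naming the component that creates the directory would make the rule auditable. The rest of rshd.te lies outside this hunk.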
@@ -7986,8 +8768,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho corenet_all_recvfrom_unlabeled(rwho_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.7/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/samba.fc 2007-09-06 15:43:06.000000000 -0400 -@@ -30,6 +30,8 @@ ++++ serefpolicy-3.0.7/policy/modules/services/samba.fc 2007-09-10 14:04:38.000000000 -0400 +@@ -15,6 +15,7 @@ + /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) + /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) + /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) + /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) + + /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +@@ -30,6 +31,8 @@ /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -7998,7 +8788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.7/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/samba.if 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/samba.if 2007-09-10 14:06:00.000000000 -0400 @@ -349,6 +349,7 @@ files_search_var($1) files_search_var_lib($1) 
@@ -8007,7 +8797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -493,3 +494,52 @@ +@@ -493,3 +494,102 @@ allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) ') 
@@ -8060,10 +8850,72 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + read_files_pattern($1, samba_share_t, samba_share_t) +') + ++######################################## ++## ++## Execute a domain transition to run smbcontrol. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`samba_domtrans_smbcontrol',` ++ gen_require(` ++ type smbcontrol_t; ++ type smbcontrol_exec_t; ++ ') ++ ++ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t) ++') ++ ++ ++######################################## ++## ++## Execute smbcontrol in the smbcontrol domain, and ++## allow the specified role the smbcontrol domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the smbcontrol domain. ++## ++## ++## ++## ++## The type of the role's terminal. ++## ++## ++# ++interface(`samba_run_smbcontrol',` ++ gen_require(` ++ type smbcontrol_t; ++ ') ++ ++ samba_domtrans_smbcontrol($1) ++ role $2 types smbcontrol_t; ++ dontaudit smbcontrol_t $3:chr_file rw_term_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.7/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/samba.te 2007-09-06 15:43:06.000000000 -0400 -@@ -190,6 +190,8 @@ ++++ serefpolicy-3.0.7/policy/modules/services/samba.te 2007-09-10 14:03:09.000000000 -0400 +@@ -137,6 +137,11 @@ + type winbind_var_run_t; + files_pid_file(winbind_var_run_t) + ++type smbcontrol_t; ++type smbcontrol_exec_t; ++application_domain(smbcontrol_t, smbcontrol_exec_t) ++role system_r types smbcontrol_t; ++ + ######################################## + # + # Samba net local policy +@@ -190,6 +195,8 @@ miscfiles_read_localization(samba_net_t) 
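Review bot: `samba_run_smbcontrol` ends with `dontaudit smbcontrol_t $3:chr_file rw_term_perms;`, so the terminal passed as the third argument is silently denied rather than usable, although the parameter is documented as "The type of the role's terminal." Unless terminal access is granted to `smbcontrol_t` somewhere outside this hunk, output from smbcontrol to the caller's tty would be dropped without an AVC message. If that is not intended, the line should be `allow smbcontrol_t $3:chr_file rw_term_perms;`, matching `sendmail_run` in this patch; if it is intended, the interface summary should say that terminal access is suppressed, not granted.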
@@ -8072,7 +8924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb sysnet_read_config(samba_net_t) sysnet_use_ldap(samba_net_t) -@@ -226,8 +228,8 @@ +@@ -226,8 +233,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; @@ -8083,7 +8935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t samba_log_t:dir setattr; dontaudit smbd_t samba_log_t:dir remove_name; -@@ -298,6 +300,7 @@ +@@ -298,6 +305,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) @@ -8091,7 +8943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -350,6 +353,14 @@ +@@ -350,6 +358,14 @@ ') optional_policy(` @@ -8106,7 +8958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -533,6 +544,7 @@ +@@ -533,6 +549,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -8114,7 +8966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -556,6 +568,11 @@ +@@ -556,6 +573,11 @@ sysnet_read_config(smbmount_t) userdom_use_all_users_fds(smbmount_t) @@ -8126,7 +8978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` nis_use_ypbind(smbmount_t) -@@ -570,15 +587,18 @@ +@@ -570,15 +592,18 @@ # SWAT Local policy # @@ -8148,7 +9000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) -@@ -597,7 +617,9 @@ +@@ -597,7 +622,9 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) 
@@ -8159,7 +9011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -622,17 +644,20 @@ +@@ -622,17 +649,20 @@ dev_read_urand(swat_t) @@ -8180,7 +9032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -660,6 +685,24 @@ +@@ -660,6 +690,24 @@ nscd_socket_use(swat_t) ') @@ -8205,7 +9057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # Winbind local policy -@@ -672,7 +715,6 @@ +@@ -672,7 +720,6 @@ allow winbind_t self:fifo_file { read write }; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; @@ -8213,7 +9065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_t self:tcp_socket create_stream_socket_perms; allow winbind_t self:udp_socket create_socket_perms; -@@ -709,6 +751,8 @@ +@@ -709,6 +756,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) @@ -8222,7 +9074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -733,7 +777,9 @@ +@@ -733,7 +782,9 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) @@ -8232,7 +9084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -746,9 +792,6 @@ +@@ -746,9 +797,6 @@ miscfiles_read_localization(winbind_t) 
@@ -8242,7 +9094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -@@ -758,10 +801,6 @@ +@@ -758,10 +806,6 @@ ') optional_policy(` @@ -8253,7 +9105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -804,6 +843,7 @@ +@@ -804,6 +848,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) 
@@ -8261,6 +9113,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## +@@ -828,3 +873,36 @@ + domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) + ') + ') ++ ++######################################## ++# ++# smbcontrol local policy ++# ++ ++## internal communication is often done using fifo and unix sockets. ++allow smbcontrol_t self:fifo_file rw_file_perms; ++allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(smbcontrol_t) ++ ++libs_use_ld_so(smbcontrol_t) ++libs_use_shared_libs(smbcontrol_t) ++ ++miscfiles_read_localization(smbcontrol_t) ++ ++files_search_var_lib(smbcontrol_t) ++samba_read_config(smbcontrol_t) ++samba_rw_var_files(smbcontrol_t) ++samba_search_var(smbcontrol_t) ++samba_read_winbind_pid(smbcontrol_t) ++ ++allow smbcontrol_t smbd_t:process signal; ++allow smbd_t smbcontrol_t:process { signal signull }; ++ ++allow nmbd_t smbcontrol_t:process signal; ++allow smbcontrol_t nmbd_t:process { signal signull }; ++ ++allow smbcontrol_t winbind_t:process { signal signull }; ++allow winbind_t smbcontrol_t:process signal; ++ ++allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.7/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/sasl.te 2007-09-06 15:43:06.000000000 -0400 
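Review bot: The smbd signal rules in the new smbcontrol section look transposed relative to the nmbd and winbind pairs: `smbcontrol_t` gets `{ signal signull }` toward `nmbd_t` and `winbind_t` but only `signal` toward `smbd_t`, while `smbd_t` gets `{ signal signull }` back. If the tool checks the daemon with signal 0 before messaging it, as the other two pairs suggest, the lines should read `allow smbcontrol_t smbd_t:process { signal signull };` and `allow smbd_t smbcontrol_t:process signal;`. Separately, `allow smbcontrol_t self:fifo_file rw_file_perms;` uses the regular-file permission set; rshd.te and sendmail.te in this patch use `rw_fifo_file_perms` for `fifo_file`.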
@@ -8274,8 +9163,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl domain_use_interactive_fds(saslauthd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.0.7/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/sendmail.if 2007-09-06 15:43:06.000000000 -0400 -@@ -131,3 +131,51 @@ ++++ serefpolicy-3.0.7/policy/modules/services/sendmail.if 2007-09-10 16:44:21.000000000 -0400 +@@ -131,3 +131,102 @@ logging_log_filetrans($1,sendmail_log_t,file) ') 
@@ -8327,10 +9216,78 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + role $2 types sendmail_t; + allow sendmail_t $3:chr_file rw_term_perms; +') ++ ++######################################## ++## ++## Execute sendmail in the unconfined sendmail domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sendmail_domtrans_unconfined',` ++ gen_require(` ++ type unconfined_sendmail_t, sendmail_exec_t; ++ ') ++ ++ domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t) ++') ++ ++######################################## ++## ++## Execute sendmail in the unconfined sendmail domain, and ++## allow the specified role the unconfined sendmail domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the unconfined sendmail domain. ++## ++## ++## ++## ++## The type of the terminal allow the unconfined sendmail domain to use. ++## ++## ++## ++# ++interface(`sendmail_run_unconfined',` ++ gen_require(` ++ type unconfined_sendmail_t; ++ ') ++ ++ sendmail_domtrans_unconfined($1) ++ role $2 types unconfined_sendmail_t; ++ allow unconfined_sendmail_t $3:chr_file rw_file_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.7/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/sendmail.te 2007-09-06 15:43:06.000000000 -0400 -@@ -32,7 +32,6 @@ ++++ serefpolicy-3.0.7/policy/modules/services/sendmail.te 2007-09-10 16:39:01.000000000 -0400 +@@ -20,19 +20,22 @@ + mta_mailserver_delivery(sendmail_t) + mta_mailserver_sender(sendmail_t) + ++type unconfined_sendmail_t; ++application_domain(unconfined_sendmail_t,sendmail_exec_t) ++role system_r types unconfined_sendmail_t; ++ + ######################################## + # + # Sendmail local policy + # + +-allow sendmail_t 
self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; ++allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; + allow sendmail_t self:process signal; + allow sendmail_t self:fifo_file rw_fifo_file_perms; + allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; allow sendmail_t self:tcp_socket create_stream_socket_perms; allow sendmail_t self:udp_socket create_socket_perms; @@ -8338,7 +9295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send allow sendmail_t sendmail_log_t:dir setattr; manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t) -@@ -49,6 +48,8 @@ +@@ -49,6 +52,8 @@ # for piping mail to a command kernel_read_system_state(sendmail_t) @@ -8347,7 +9304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t) -@@ -91,32 +92,27 @@ +@@ -91,32 +96,27 @@ logging_send_syslog_msg(sendmail_t) @@ -8385,7 +9342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -130,6 +126,10 @@ +@@ -130,6 +130,10 @@ ') optional_policy(` 
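Review bot: `sendmail_run_unconfined` grants the terminal with `allow unconfined_sendmail_t $3:chr_file rw_file_perms;`, whereas `sendmail_run` directly above it uses `rw_term_perms` for the same `$3` terminal argument. For consistency the line should be `allow unconfined_sendmail_t $3:chr_file rw_term_perms;`. The same hunk adds `dac_override` to `sendmail_t`, which lets the daemon bypass discretionary file permission checks; a one-line comment saying which path needs it (the commit title mentions newalias) would help a later reviewer decide whether it can be narrowed.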
@@ -8396,6 +9353,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send seutil_sigchld_newrole(sendmail_t) ') +@@ -155,3 +159,14 @@ + + dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; + ') dnl end TODO ++ ++######################################## ++# ++# Unconfined mount local policy ++# ++ ++optional_policy(` ++ mta_etc_filetrans_aliases(unconfined_sendmail_t) ++ unconfined_domain(unconfined_sendmail_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.0.7/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.if 2007-09-06 15:43:06.000000000 -0400 @@ -8798,7 +9770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.7/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/services/ssh.if 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/ssh.if 2007-09-10 17:53:16.000000000 -0400 @@ -202,6 +202,7 @@ # template(`ssh_per_role_template',` @@ -8807,7 +9779,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. type ssh_agent_exec_t, ssh_keysign_exec_t; ') -@@ -708,3 +709,42 @@ +@@ -520,6 +521,7 @@ + + optional_policy(` + kerberos_use($1_t) ++ kerberos_manage_host_rcache($1_t) + ') + + optional_policy(` +@@ -708,3 +710,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
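Review bot: The section header added at the end of sendmail.te reads `# Unconfined mount local policy`, apparently copied from mount.te; it should be `# Unconfined sendmail local policy`. `unconfined_sendmail_t` is declared unconditionally with `application_domain(unconfined_sendmail_t,sendmail_exec_t)` earlier in this file's patch, but its only rules sit inside this `optional_policy`, so when the unconfined module is absent the domain exists with no local policy. A comment stating that this is intended would help.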
@@ -8922,6 +9902,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.7/policy/modules/services/telnet.te +--- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-25 10:37:42.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/services/telnet.te 2007-09-10 17:54:44.000000000 -0400 +@@ -32,7 +32,6 @@ + allow telnetd_t self:udp_socket create_socket_perms; + # for identd; cjp: this should probably only be inetd_child rules? + allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +-allow telnetd_t self:netlink_route_socket r_netlink_socket_perms; + allow telnetd_t self:capability { setuid setgid }; + + allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; +@@ -62,10 +61,12 @@ + + fs_getattr_xattr_fs(telnetd_t) + ++auth_use_nsswitch(telnetd_t) + auth_rw_login_records(telnetd_t) + + corecmd_search_bin(telnetd_t) + ++files_read_usr_files(telnetd_t) + files_read_etc_files(telnetd_t) + files_read_etc_runtime_files(telnetd_t) + # for identd; cjp: this should probably only be inetd_child rules? 
+@@ -80,9 +81,7 @@ + + miscfiles_read_localization(telnetd_t) + +-seutil_dontaudit_search_config(telnetd_t) +- +-sysnet_read_config(telnetd_t) ++seutil_read_config(telnetd_t) + + remotelogin_domtrans(telnetd_t) + +@@ -90,17 +89,16 @@ + optional_policy(` + kerberos_use(telnetd_t) + kerberos_read_keytab(telnetd_t) ++ kerberos_manage_host_rcache(telnetd_t) + ') + +-optional_policy(` +- nis_use_ypbind(telnetd_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(telnetd_t) ++ fs_manage_nfs_files(telnetd_t) + ') + +-optional_policy(` +- nscd_socket_use(telnetd_t) ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(telnetd_t) ++ fs_manage_cifs_files(telnetd_t) + ') + +-ifdef(`TODO',` +-# Allow krb5 telnetd to use fork and open /dev/tty for use +-allow telnetd_t userpty_type:chr_file setattr; +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.7/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.7/policy/modules/services/tftp.te 2007-09-06 15:43:06.000000000 -0400 @@ -9997,7 +11037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.7/policy/modules/system/brctl.te --- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.7/policy/modules/system/brctl.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/brctl.te 2007-09-10 08:59:32.000000000 -0400 @@ -0,0 +1,51 @@ +policy_module(brctl,1.0.0) + 
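Review bot: The two `tunable_policy` blocks added to telnet.te give `telnetd_t` `fs_manage_nfs_dirs`/`fs_manage_nfs_files` and the CIFS equivalents, i.e. create, write and delete on network home directories, for a daemon that hands the session over through `remotelogin_domtrans(telnetd_t)`. If the need is only to read per-user files during login (an inference; the hunk gives no reason), `fs_read_nfs_files(telnetd_t)` and `fs_read_cifs_files(telnetd_t)` would be the narrower grant. A comment naming the file that triggered the denial would make the rule auditable.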
@@ -10180,8 +11220,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm \ No newline at end of file diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-3.0.7/policy/modules/system/fusermount.te --- nsaserefpolicy/policy/modules/system/fusermount.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.7/policy/modules/system/fusermount.te 2007-09-06 15:43:06.000000000 -0400 -@@ -0,0 +1,44 @@ ++++ serefpolicy-3.0.7/policy/modules/system/fusermount.te 2007-09-10 15:56:07.000000000 -0400 +@@ -0,0 +1,45 @@ +policy_module(fusermount,1.0.0) + +######################################## @@ -10217,6 +11257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm + +storage_raw_read_fixed_disk(fusermount_t) +storage_raw_write_fixed_disk(fusermount_t) ++storage_rw_fuse(fusermount_t) + +optional_policy(` + hal_write_log(fusermount_t) @@ -11455,7 +12496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.7/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-08-22 07:14:12.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/system/modutils.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/modutils.te 2007-09-10 08:58:37.000000000 -0400 @@ -42,7 +42,7 @@ # insmod local policy # 
@@ -11564,7 +12605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.7/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/system/mount.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/mount.te 2007-09-10 16:38:20.000000000 -0400 @@ -8,6 +8,13 @@ ## @@ -11628,7 +12669,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) -@@ -101,6 +110,8 @@ +@@ -63,6 +72,7 @@ + storage_raw_write_fixed_disk(mount_t) + storage_raw_read_removable_device(mount_t) + storage_raw_write_removable_device(mount_t) ++storage_rw_fuse(mount_t) + + fs_getattr_xattr_fs(mount_t) + fs_getattr_cifs(mount_t) +@@ -101,6 +111,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -11637,7 +12686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. libs_use_ld_so(mount_t) libs_use_shared_libs(mount_t) -@@ -127,10 +138,15 @@ +@@ -127,10 +139,15 @@ ') ') @@ -11654,7 +12703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -159,13 +175,8 @@ +@@ -159,13 +176,8 @@ fs_search_rpc(mount_t) @@ -11668,7 +12717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -189,10 +200,6 @@ +@@ -189,10 +201,6 @@ samba_domtrans_smbmount(mount_t) ') 
@@ -11679,7 +12728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ######################################## # # Unconfined mount local policy -@@ -201,4 +208,29 @@ +@@ -201,4 +209,29 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -11993,7 +13042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.7/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.te 2007-09-10 14:35:10.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.6.2) @@ -12110,7 +13159,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu dev_read_urand(semanage_t) -@@ -465,6 +479,8 @@ +@@ -452,6 +466,7 @@ + files_read_etc_runtime_files(semanage_t) + files_read_usr_files(semanage_t) + files_list_pids(semanage_t) ++fs_list_inotifyfs(semanage_t) + + mls_file_write_all_levels(semanage_t) + mls_file_read_all_levels(semanage_t) +@@ -465,6 +480,8 @@ # Running genhomedircon requires this for finding all users auth_use_nsswitch(semanage_t) @@ -12119,7 +13176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) -@@ -488,6 +504,17 @@ +@@ -488,6 +505,17 @@ # netfilter_contexts: seutil_manage_default_contexts(semanage_t) 
@@ -12137,7 +13194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -515,6 +542,8 @@ +@@ -515,6 +543,8 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; @@ -12146,7 +13203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) -@@ -531,6 +560,7 @@ +@@ -531,6 +561,7 @@ fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) @@ -12154,7 +13211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -586,6 +616,10 @@ +@@ -586,6 +617,10 @@ ifdef(`hide_broken_symptoms',` optional_policy(` @@ -12527,7 +13584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.7/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/system/unconfined.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/unconfined.te 2007-09-10 16:37:23.000000000 -0400 @@ -5,28 +5,36 @@ # # Declarations 
@@ -12598,17 +13655,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` - ada_domtrans(unconfined_t) --') -- --optional_policy(` -- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -- apache_per_role_template(unconfined,unconfined_t,unconfined_r) -- # this is disallowed usage: -- unconfined_domain(httpd_unconfined_script_t) + ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` +- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) +- apache_per_role_template(unconfined,unconfined_t,unconfined_r) +- # this is disallowed usage: +- unconfined_domain(httpd_unconfined_script_t) +-') +- +-optional_policy(` - bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') @@ -12653,7 +13710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -155,22 +153,12 @@ +@@ -155,32 +153,23 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) 
@@ -12678,18 +13735,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -180,9 +168,10 @@ + samba_per_role_template(unconfined) + samba_run_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + samba_run_winbind_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ++ samba_run_smbcontrol(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - spamassassin_per_role_template(unconfined,unconfined_t,unconfined_r) -+ sendmail_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ++ sendmail_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') -+ optional_policy(` - sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) - sysnet_dbus_chat_dhcpc(unconfined_t) @@ -205,11 +194,12 @@ ') @@ -13825,7 +14882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.7/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-08-22 07:14:11.000000000 -0400 -+++ serefpolicy-3.0.7/policy/modules/system/userdomain.te 2007-09-06 15:43:06.000000000 -0400 ++++ serefpolicy-3.0.7/policy/modules/system/userdomain.te 2007-09-10 14:07:37.000000000 -0400 @@ -74,6 +74,9 @@ # users home directory contents attribute home_type; 
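Review bot: The replacement of `sendmail_run(unconfined_t,unconfined_r,{ ... })` by `sendmail_run_unconfined(unconfined_t,unconfined_r,{ ... })` in unconfined.te carries no comment, and the commit subject and changelog mention only dac_override for newalias/sendmail. The interface definition is outside this hunk, so the target domain cannot be checked from here. Judging by the name, sendmail started from unconfined_t presumably no longer enters the confined sendmail domain, which is a confinement change a later auditor should be able to find. I would put a line above the call, for example `# sendmail started by unconfined_t stays unconfined (no transition to the confined mail domain) - confirm against the interface`, and add a matching changelog entry. The surrounding optional_policy blocks of unconfined.te continue outside the hunk.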
@@ -13908,7 +14965,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run(sysadm_t,sysadm_r,admin_terminal) netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) -@@ -447,11 +448,15 @@ +@@ -443,15 +444,20 @@ + + optional_policy(` + samba_run_net(sysadm_t,sysadm_r,admin_terminal) ++ samba_run_smbcontrol(sysadm_t,sysadm_r,admin_terminal) + samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal) ') optional_policy(` @@ -13924,7 +14986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ', ` userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) ') -@@ -494,3 +499,7 @@ +@@ -494,3 +500,7 @@ optional_policy(` yam_run(sysadm_t,sysadm_r,admin_terminal) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8afa942..b589906 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.7 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -362,6 +362,10 @@ exit 0 %endif %changelog +* Mon Sep 10 2007 Dan Walsh 3.0.7-8 +- Allow newalias/sendmail dac_override +- Allow bind to bind to all udp ports + * Fri Sep 7 2007 Dan Walsh 3.0.7-7 - Turn off direct transition
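Review bot: `samba_run_smbcontrol(sysadm_t,sysadm_r,admin_terminal)` is inserted here between `samba_run_net` and `samba_run_winbind_helper`, while the same addition for unconfined_t in the unconfined.te hunk is placed after `samba_run_winbind_helper`. Using one order in both files keeps the two role definitions easy to compare. The new transition is also absent from the commit subject and the 3.0.7-8 changelog entry, so a line such as `- Allow sysadm and unconfined roles to run smbcontrol` would make the added privilege traceable. The optional_policy block this line sits in starts inside the hunk, but the rest of userdomain.te is outside it.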