From 29efc2cf7328915488bf2f9e93877f10ba112943 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 22 2008 20:06:57 +0000 Subject: - Bump for release --- diff --git a/booleans-strict.conf b/booleans-strict.conf deleted file mode 100644 index 041473b..0000000 --- a/booleans-strict.conf +++ /dev/null 
@@ -1,228 +0,0 @@ -# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. -# -allow_execmem = false - -# Allow making a modified private filemapping executable (text relocation). -# -allow_execmod = false - -# Allow making the stack executable via mprotect.Also requires allow_execmem. -# -allow_execstack = false - -# Allow ftp servers to modify public filesused for public file transfer services. -# -allow_ftpd_anon_write = false - -# Allow gssd to read temp directory. -# -allow_gssd_read_tmp = false - -# Allow Apache to modify public filesused for public file transfer services. -# -allow_httpd_anon_write = false - -# Allow system to run with kerberos -# -allow_kerberos = true - -# Allow rsync to modify public filesused for public file transfer services. -# -allow_rsync_anon_write = false - -# Allow sasl to read shadow -# -allow_saslauthd_read_shadow = false - -# Allow samba to modify public filesused for public file transfer services. -# -allow_smbd_anon_write = false - -# Allow sysadm to ptrace all processes -# -allow_ptrace = false - -# Allow system to run with NIS -# -allow_ypbind = false - -# Enable extra rules in the cron domainto support fcron. -# -fcron_crond = false - -# Allow ftp to read and write files in the user home directories -# -ftp_home_dir = false - -# Allow ftpd to run directly without inetd -# -ftpd_is_daemon = true - -# Allow httpd to use built in scripting (usually php) -# -httpd_builtin_scripting = false - -# Allow http daemon to tcp connect -# -httpd_can_network_connect = false - -# Allow httpd cgi support -# -httpd_enable_cgi = false - -# Allow httpd to act as a FTP server bylistening on the ftp port. -# -httpd_enable_ftp_server = false - -# Allow httpd to read home directories -# -httpd_enable_homedirs = false - -# Run SSI execs in system CGI script domain. 
-# -httpd_ssi_exec = false - -# Allow http daemon to communicate with the TTY -# -httpd_tty_comm = false - -# Run CGI in the main httpd domain -# -httpd_unified = false - -# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. -# -named_write_master_zones = false - -# Allow nfs to be exported read/write. -# -nfs_export_all_rw = false - -# Allow nfs to be exported read only -# -nfs_export_all_ro = false - -# Allow pppd to load kernel modules for certain modems -# -pppd_can_insmod = false - -# Allow reading of default_t files. -# -read_default_t = false - -# Allow ssh to run from inetd instead of as a daemon. -# -run_ssh_inetd = false - -# Allow samba to export user home directories. -# -samba_enable_home_dirs = false - -# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. -# -squid_connect_any = false - -# Allow ssh logins as sysadm_r:sysadm_t -# -ssh_sysadm_login = false - -# Configure stunnel to be a standalone daemon orinetd service. -# -stunnel_is_daemon = false - -# Support NFS home directories -# -use_nfs_home_dirs = false - -# Support SAMBA home directories -# -use_samba_home_dirs = false - -# Control users use of ping and traceroute -# -user_ping = false - -# Allow gpg executable stack -# -allow_gpg_execstack = false - -# allow host key based authentication -# -allow_ssh_keysign = false - -# Allow users to connect to mysql -# -allow_user_mysql_connect = false - -# Allow system cron jobs to relabel filesystemfor restoring file contexts. -# -cron_can_relabel = false - -# Allow pppd to be run for a regular user -# -pppd_for_user = false - -# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted -# -read_untrusted_content = true - -# Allow user spamassassin clients to use the network. 
-# -spamassassin_can_network = false - -# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc) -# -staff_read_sysadm_file = false - -# Allow regular users direct mouse access -# -user_direct_mouse = false - -# Allow users to read system messages. -# -user_dmesg = false - -# Allow users to control network interfaces(also needs USERCTL=true) -# -user_net_control = false - -# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_rw_noexattrfile = false - -# Allow users to rw usb devices -# -user_rw_usb = false - -# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. -# -user_tcp_server = false - -# Allow w to display everyone -# -user_ttyfile_stat = false - -# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. -# -write_untrusted_content = true - -spamd_enable_home_dirs = false - -# Allow login domains to polyinstatiate directories -# -allow_polyinstantiation = false - -# Allow sysadm to ptrace all processes -# -allow_ptrace = false - -## Control users use of ping and traceroute -user_ping = true - -# Allow unlabeled packets to flow -# -allow_unlabeled_packets = true - -# Allow samba to act as the domain controller -# -samba_domain_controller = false diff --git a/modules-strict.conf b/modules-strict.conf deleted file mode 100644 index 071f6fb..0000000 --- a/modules-strict.conf +++ /dev/null 
@@ -1,1408 +0,0 @@ -# -# This file contains a listing of available modules. -# To prevent a module from being used in policy -# creation, set the module name to "off". -# -# For monolithic policies, modules set to "base" and "module" -# will be built into the policy. -# -# For modular policies, modules set to "base" will be -# included in the base module. "module" will be compiled -# as individual loadable modules. -# - -# Layer: kernel -# Module: terminal -# Required in base -# -# Policy for terminals. -# -terminal = base - -# Layer: kernel -# Module: mcs -# Required in base -# -# Multicategory security policy -# -mcs = base - -# Layer: kernel -# Module: files -# Required in base -# -# Basic filesystem types and interfaces. -# -files = base - -# Layer: kernel -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem, -# and unlabeled processes and objects. -# -kernel = base - -# Layer: kernel -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Layer: kernel -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Layer: kernel -# Module: domain -# Required in base -# -# Core policy for domains. -# -domain = base - -# Layer: kernel -# Module: corecommands -# Required in base -# -# Core policy for shells, and generic programs -# in /bin, /sbin, /usr/bin, and /usr/sbin. -# -corecommands = base - -# Layer: kernel -# Module: corenetwork -# Required in base -# -# Policy controlling access to network objects -# -corenetwork = base - -# Layer: kernel -# Module: mls -# Required in base -# -# Multilevel security policy -# -mls = base - -# Layer: kernel -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base - -# Layer: admin -# Module: prelink -# -# Prelink ELF shared library mappings. 
-# -prelink = module - -# Layer: admin -# Module: acct -# -# Berkeley process accounting -# -acct = module - -# Layer: admin -# Module: usermanage -# -# Policy for managing user accounts. -# -usermanage = module - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = module - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = module - -# Layer: admin -# Module: kudzu -# -# Hardware detection and configuration tools -# -kudzu = module - -# Layer: admin -# Module: bootloader -# -# Policy for the kernel modules, kernel image, and bootloader. -# -bootloader = base - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = module - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = base - -# Layer: admin -# Module: alsa -# -# Ainit ALSA configuration tool -# -alsa = module - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client -# -vpn = module - -# Layer: admin -# Module: portage -# -# Portage Package Management System. The primary package management and -# distribution system for Gentoo. -# -portage = module - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group -# -su = module - -# Layer: admin -# Module: apt -# -# APT advanced package toll. -# -apt = off - -# Layer: admin -# Module: dmesg -# -# Policy for dmesg. -# -dmesg = module - -# Layer: admin -# Module: anaconda -# -# Policy for the Anaconda installer. -# -anaconda = module - -# Layer: admin -# Module: dpkg -# -# Policy for the Debian package manager. -# -dpkg = off - -# Layer: admin -# Module: amanda -# -# Automated backup program. 
-# -amanda = module - -# Layer: admin -# Module: logrotate -# -# Rotate and archive system logs -# -logrotate = module - -# Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information -# -ddcprobe = module - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = module - -# Layer: admin -# Module: consoletype -# -# Determine of the console connected to the controlling terminal. -# -consoletype = module - -# Layer: admin -# Module: sudo -# -# Execute a command with a substitute user -# -sudo = module - -# Layer: admin -# Module: vbetool -# -# run real-mode video BIOS code to alter hardware state -# -vbetool = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices -# -usbmodules = module - -# Layer: admin -# Module: firstboot -# -# Final system configuration run during the first boot -# after installation of Red Hat/Fedora systems. -# -firstboot = module - -# Layer: admin -# Module: certwatch -# -# Digital Certificate Tracking -# -certwatch = module - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = module - -# Layer: admin -# Module: mrtg -# -# Network traffic graphing -# -mrtg = module - -# Layer: admin -# Module: dmidecode -# -# Decode DMI data for x86/ia64 bioses. 
-# -dmidecode = module - -# Layer: admin -# Module: logwatch -# -# System log analyzer and reporter -# -logwatch = module - -# Layer: kernel -# Module: storage -# -# Policy controlling access to storage devices -# -storage = base - -# Layer: apps -# Module: evolution -# -# Evolution email client -# -evolution = module - -# Layer: apps -# Module: mozilla -# -# Policy for Mozilla and related web browsers -# -mozilla = module - -# Layer: apps -# Module: irc -# -# IRC client policy -# -irc = module - -# Layer: apps -# Module: lockdev -# -# device locking policy for lockdev -# -lockdev = module - -# Layer: apps -# Module: usernetctl -# -# User network interface configuration helper -# -usernetctl = module - -# Layer: apps -# Module: gpg -# -# Policy for GNU Privacy Guard and related programs. -# -gpg = module - -# Layer: apps -# Module: thunderbird -# -# Thunderbird email client -# -thunderbird = module - -# Layer: apps -# Module: wine -# -# Wine Is Not an Emulator. Run Windows programs in Linux. -# -wine = module - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = module - -# Layer: apps -# Module: screen -# -# GNU terminal multiplexer -# -screen = module - -# Layer: apps -# Module: calamaris -# -# Squid log analysis -# -calamaris = module - -# Layer: apps -# Module: tvtime -# -# tvtime - a high quality television application -# -tvtime = module - -# Layer: apps -# Module: java -# -# Java virtual machine -# -java = module - -# Layer: apps -# Module: uml -# -# Policy for UML -# -uml = module - -# Layer: apps -# Module: cdrecord -# -# Policy for cdrecord -# -cdrecord = module - -# Layer: apps -# Module: mplayer -# -# Mplayer media player and encoder -# -mplayer = module - -# Layer: apps -# Module: webalizer -# -# Web server log analysis -# -webalizer = module - -# Layer: apps -# Module: ethereal -# -# Ethereal packet capture tool. -# -ethereal = module - -# Layer: apps -# Module: userhelper -# -# A helper interface to pam. 
-# -userhelper = module - -# Layer: apps -# Module: games -# -# Games -# -games = module - -# Layer: apps -# Module: mono -# -# Run .NET server and client applications on Linux. -# -mono = module - -# Layer: apps -# Module: slocate -# -# Update database for mlocate -# -slocate = module - -# Layer: system -# Module: application -# Required in base -# -# Defines attributs and interfaces for all user applications -# -application = base - -# Layer: system -# Module: xen -# -# Xen hypervisor -# -xen = module - -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = base - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. -# -logging = base - -# Layer: system -# Module: hostname -# -# Policy for changing the system host name. -# -hostname = module - -# Layer: system -# Module: daemontools -# -# Collection of tools for managing UNIX services -# -daemontools = module - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = module - -# Layer: system -# Module: lvm -# -# Policy for logical volume management programs. -# -lvm = base - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = base - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = base - -# Layer: system -# Module: selinuxutil -# -# Policy for SELinux policy and userland applications. -# -selinuxutil = base - -# Layer: system -# Module: udev -# -# Policy for udev. -# -udev = base - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = module - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. -# -authlogin = base - -# Layer: system -# Module: libraries -# -# Policy for system libraries. 
-# -libraries = base - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = module - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = base - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = base - -# Layer: system -# Module: hotplug -# -# Policy for hotplug system, for supporting the -# connection and disconnection of devices at runtime. -# -hotplug = base - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = base - -# Layer: system -# Module: locallogin -# -# Policy for local logins. -# -locallogin = base - -# Layer: system -# Module: iptables -# -# Policy for iptables. -# -iptables = module - -# Layer: system -# Module: mount -# -# Policy for mount. -# -mount = base - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = module - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. -# -miscfiles = base - -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = module - -# Layer: services -# Module: nis -# -# Policy for NIS (YP) servers and clients -# -nis = module - -# Layer: services -# Module: distcc -# -# Distributed compiler daemon -# -distcc = module - -# Layer: services -# Module: tor -# -# TOR, the onion router -# -tor = module - -# Layer: services -# Module: rshd -# -# Remote shell service. -# -rshd = module - -# Layer: services -# Module: cpucontrol -# -# Services for loading CPU microcode and CPU frequency scaling. -# -cpucontrol = module - -# Layer: services -# Module: bind -# -# Berkeley internet name domain DNS server. 
-# -bind = module - -# Layer: services -# Module: cipe -# -# Encrypted tunnel daemon -# -cipe = module - -# Layer: services -# Module: canna -# -# Canna - kana-kanji conversion server -# -canna = module - -# Layer: services -# Module: i18n_input -# -# IIIMF htt server -# -i18n_input = module - -# Layer: services -# Module: uucp -# -# Unix to Unix Copy -# -uucp = module - -# Layer: services -# Module: sasl -# -# SASL authentication server -# -sasl = module - -# Layer: services -# Module: pegasus -# -# The Open Group Pegasus CIM/WBEM Server. -# -pegasus = module - -# Layer: services -# Module: cron -# -# Periodic execution of scheduled commands. -# -cron = module - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. -# -sendmail = module - -# Layer: services -# Module: samba -# -# SMB and CIFS client/server programs for UNIX and -# name Service Switch daemon for resolving names -# from Windows NT servers. -# -samba = module - -# Layer: services -# Module: dbus -# -# Desktop messaging bus -# -dbus = module - -# Layer: services -# Module: howl -# -# Port of Apple Rendezvous multicast DNS -# -howl = module - -# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service -# -timidity = module - -# Layer: services -# Module: postgresql -# -# PostgreSQL relational database -# -postgresql = module - -# Layer: services -# Module: openct -# -# Service for handling smart card readers. -# -openct = module - -# Layer: services -# Module: snmp -# -# Simple network management protocol services -# -snmp = module - -# Layer: services -# Module: publicfile -# -# publicfile supplies files to the public through HTTP and FTP -# -publicfile = module - -# Layer: services -# Module: roundup -# -# Roundup Issue Tracking System policy -# -roundup = module - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. 
-# -remotelogin = module - -# Layer: services -# Module: telnet -# -# Telnet daemon -# -telnet = module - -# Layer: services -# Module: irqbalance -# -# IRQ balancing daemon -# -irqbalance = module - -# Layer: services -# Module: mailman -# -# Mailman is for managing electronic mail discussion and e-newsletter lists -# -mailman = module - -# Layer: services -# Module: dbskk -# -# Dictionary server for the SKK Japanese input method system. -# -dbskk = module - -# Layer: services -# Module: ldap -# -# OpenLDAP directory server -# -ldap = module - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon -# -tftp = module - -# Layer: services -# Module: portmap -# -# RPC port mapping service. -# -portmap = module - -# Layer: services -# Module: arpwatch -# -# Ethernet activity monitor. -# -arpwatch = module - -# Layer: services -# Module: dovecot -# -# Dovecot POP and IMAP mail server -# -dovecot = module - -# Layer: services -# Module: amavis -# -# Daemon that interfaces mail transfer agents and content -# checkers, such as virus scanners. -# -amavis = module - -# Layer: services -# Module: cups -# -# Common UNIX printing system -# -cups = module - -# Layer: services -# Module: networkmanager -# -# Manager for dynamically switching between networks. -# -networkmanager = module - -# Layer: services -# Module: inn -# -# Internet News NNTP server -# -inn = module - -# Layer: services -# Module: sysstat -# -# Policy for sysstat. Reports on various system states -# -sysstat = module - -# Layer: services -# Module: comsat -# -# Comsat, a biff server. 
-# -comsat = module - -# Layer: services -# Module: squid -# -# Squid caching http proxy server -# -squid = module - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service -# -zebra = module - -# Layer: services -# Module: xfs -# -# X Windows Font Server -# -xfs = module - -# Layer: services -# Module: ktalk -# -# KDE Talk daemon -# -ktalk = module - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent -# -procmail = module - -# Layer: services -# Module: lpd -# -# Line printer daemon -# -lpd = module - -# Layer: services -# Module: cyrus -# -# Cyrus is an IMAP service intended to be run on sealed servers -# -cyrus = module - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon -# -rdisc = module - -# Layer: services -# Module: nscd -# -# Name service cache daemon -# -nscd = module - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks -# -ppp = module - -# Layer: services -# Module: smartmon -# -# Smart disk monitoring daemon policy -# -smartmon = module - -# Layer: services -# Module: ftp -# -# File transfer protocol service -# -ftp = module - -# Layer: services -# Module: gpm -# -# General Purpose Mouse driver -# -gpm = module - -# Layer: services -# Module: audioentropy -# -# Generate entropy from audio input -# -audioentropy = module - -# Layer: services -# Module: mta -# -# Policy common to all email tranfer agents. -# -mta = base - -# Layer: services -# Module: rhgb -# -# Red Hat Graphical Boot -# -rhgb = module - -# Layer: services -# Module: postfix -# -# Postfix email server -# -postfix = module - -# Layer: services -# Module: fetchmail -# -# Remote-mail retrieval and forwarding utility -# -fetchmail = module - -# Layer: services -# Module: ntp -# -# Network time protocol daemon -# -ntp = module - -# Layer: services -# Module: bluetooth -# -# Bluetooth tools and system services. 
-# -bluetooth = module - -# Layer: services -# Module: hal -# -# Hardware abstraction layer -# -hal = module - -# Layer: services -# Module: consolekit -# -# ConsoleKit is a system daemon for tracking what users are logged -# -consolekit = module - -# Layer: services -# Module: avahi -# -# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture -# -avahi = module - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon for managment of network based process communication -# -rpc = module - -# Layer: services -# Module: xserver -# -# X Windows Server -# -xserver = module - -# Layer: services -# Module: apache -# -# Apache web server -# -apache = module - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. -# -slrnpull = module - -# Layer: services -# Module: clamav -# -# ClamAV Virus Scanner -# -clamav = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = module - -# Layer: services -# Module: rwho -# -# who is logged in on local machines -# -rwho = module - -# Layer: services -# Module: djbdns -# -# small and secure DNS daemon -# -djbdns = module - -# Layer: services -# Module: automount -# -# Filesystem automounter service. -# -automount = module - -# Layer: services -# Module: kerberos -# -# MIT Kerberos admin and KDC -# -kerberos = module - -# Layer: services -# Module: dhcp -# -# Dynamic host configuration protocol (DHCP) server -# -dhcp = module - -# Layer: services -# Module: ssh -# -# Secure shell client and server policy. -# -ssh = module - -# Layer: services -# Module: inetd -# -# Internet services daemon. -# -inetd = module - -# Layer: services -# Module: mysql -# -# Policy for MySQL -# -mysql = module - -# Layer: services -# Module: dictd -# -# Dictionary daemon -# -dictd = module - -# Layer: services -# Module: finger -# -# Finger user information service. 
-# -finger = module - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. -# -radius = module - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. -# -spamassassin = module - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon -# -radvd = module - -# Layer: services -# Module: apm -# -# Advanced power management daemon -# -apm = module - - -# Layer: system -# Module: application -# Required in base -# -# Defines attributs and interfaces for all user applications -# -application = base - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. -# -tcpd = module - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy -# -stunnel = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. -# -privoxy = module - -# Layer: services -# Module: cvs -# -# Concurrent versions system -# -cvs = module - -# Layer: services -# Module: rlogin -# -# Remote login daemon -# -rlogin = module - -# Layer: system -# Module: setrans -# Required in base -# -# Policy for setrans -# -setrans = base - -# Layer: services -# Module: openvpn -# -# Policy for OPENVPN full-featured SSL VPN solution -# -openvpn = base - -# Layer: services -# Module: setroubleshoot -# -# Policy for the SELinux troubleshooting utility -# -setroubleshoot = base - -# Layer: services -# Module: nagios -# -# policy for nagios Host/service/network monitoring program -# -nagios = module - -# Layer: service -# Module: pcscd -# -# PC/SC Smart Card Daemon -# -pcscd = module - -# Layer: system -# Module: tzdata -# -# Policy for tzdata-update -# -tzdata = base - -# Layer: apps -# Module: gnome -# -# gnome session and gconf -# -gnome = module - -# Layer: services -# Module: qmail -# -# Policy for sendmail. 
-# -qmail = module - -# Layer: services -# Module: fail2ban -# -# daiemon that bans IP that makes too many password failures -# -fail2ban = module - -# Layer: services -# Module: pyzor -# -# Spam Blocker -# -pyzor = module - -# Layer: services -# Module: ricci -# -# policy for ricci -# -ricci = module - -# Layer: admin -# Module: amtu -# -# Abstract Machine Test Utility (AMTU) -# -amtu = module - -# Layer: services -# Module: zabbix -# -# Open-source monitoring solution for your IT infrastructure -# -zabbix = module - -# Layer: system -# Module: fusermount -# -# File System in Userspace (FUSE) utilities -# -fusermount = base - -# Layer: services -# Module: apcupsd -# -# daemon for most APC’s UPS for Linux -# -apcupsd = module - -# Layer: services -# Module: w3c -# -# w3c -# -w3c = module - -# Layer: service -# Module: openct -# -# Middleware framework for smart card terminals -# -openct = module - diff --git a/policy-20071130.patch b/policy-20071130.patch index 331d796..66030ba 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -31398,7 +31398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-22 14:42:13.232490000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-22 15:47:48.878576000 -0400 @@ -29,9 +29,14 @@ ') @@ -33834,7 +33834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + fs_dontaudit_read_nfs_files($1) + ') + -+ tunable_policy(`use_cifs_home_dirs',` ++ tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_read_cifs_files($1) + ') +') 
@@ -33898,7 +33898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5554,13 +5910,50 @@ +@@ -5554,12 +5910,49 @@ ## ## # @@ -33910,7 +33910,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') - read_files_pattern($1,userdomain,userdomain) -- kernel_search_proc($1) + allow $1 user_ttynode:chr_file rw_term_perms; +') + @@ -33949,10 +33948,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + ps_process_pattern($1,userdomain) -+ kernel_search_proc($1) + kernel_search_proc($1) ') - ######################################## @@ -5674,6 +6067,42 @@ ######################################## diff --git a/policy-init.patch b/policy-init.patch deleted file mode 100644 index c78ab07..0000000 --- a/policy-init.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up serefpolicy-3.3.1/policy/modules/services/rhgb.te.foo serefpolicy-3.3.1/policy/modules/services/rhgb.te ---- serefpolicy-3.3.1/policy/modules/services/rhgb.te.foo 2008-03-11 17:50:18.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rhgb.te 2008-03-11 17:50:18.000000000 -0400 -@@ -92,6 +92,7 @@ term_use_ptmx(rhgb_t) - term_getattr_pty_fs(rhgb_t) - - init_write_initctl(rhgb_t) -+init_chat(rhgb_t) - - libs_use_ld_so(rhgb_t) - libs_use_shared_libs(rhgb_t) diff --git a/policy-udev_tbl.patch b/policy-udev_tbl.patch deleted file mode 100644 index b0f26f3..0000000 --- a/policy-udev_tbl.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- serefpolicy-2.5.9/policy/modules/system/udev.fc.udev_tbl 2007-03-20 09:36:50.000000000 -0400 -+++ serefpolicy-2.5.9/policy/modules/system/udev.fc 2007-03-22 06:36:55.000000000 -0400 -@@ -1,6 +1,6 @@ - # udev - --/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0) -+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) - /dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0) - /dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0) - 
diff --git a/securetty_types-strict b/securetty_types-strict deleted file mode 100644 index fe7ce17..0000000 --- a/securetty_types-strict +++ /dev/null @@ -1,3 +0,0 @@ -sysadm_tty_device_t -user_tty_device_t -staff_tty_device_t diff --git a/selinux-policy.spec b/selinux-policy.spec index a2c409d..ff08933 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 36%{?dist} +Release: 38%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -303,6 +303,8 @@ exit 0 %triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9 +. /etc/selinux/config +[ "${SELINUXTYPE}" != "targeted" ] && exit 0 setsebool -P use_nfs_home_dirs=1 semanage user -l | grep -s unconfined_u if [ $? -eq 0 ]; then @@ -311,9 +313,9 @@ else semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null fi seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'` -[ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ +[ "$seuser" != "unconfined_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ seuser=`semanage login -l | grep root | awk '{ print $2 }'` -[ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root +[ "$seuser" == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root restorecon -R /root /etc/selinux/targeted 2> /dev/null semodule -r qmail 2> /dev/null exit 0 @@ -383,6 +385,12 @@ exit 0 %endif %changelog +* Tue Apr 22 2008 Dan Walsh 3.3.1-38 +- Bump for release + +* Fri Apr 14 2008 Dan Walsh 3.3.1-37 +- Lots of fixes for confined domains on NFS_t homedir + * Mon Apr 14 2008 Dan Walsh 3.3.1-36 - dontaudit mrtg reading /proc - Allow iscsi to signal itself diff --git a/setrans-strict.conf b/setrans-strict.conf deleted file mode 100644 index 9b46bbd..0000000 
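Review bot: The rewritten `__default__` test in the `%triggerpostun` scriptlet now rewrites the login mapping whenever it is anything other than `unconfined_u`, so an administrator who deliberately mapped `__default__` to `user_u` or `guest_u` on a targeted system has that hardening silently undone, as root, during the upgrade; the old condition migrated only the legacy `system_u` value, and the `root` line just below still does. If the broader match is intentional it deserves a comment saying so; otherwise narrow it to the legacy case, e.g. `[ -z "$seuser" -o "$seuser" == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__`. The `grep __default__` and `grep root` selectors are also unanchored, so a login name such as `rootbeer` would feed the wrong column into `$seuser`; `awk '$1 == "root" { print $2 }'` pins the match to the login column. Quoting `$seuser` is a good fix, since an empty result previously made `[` fail with a syntax error; the new `. /etc/selinux/config` guard appears to degrade to `exit 0` when the file is missing, which is the safe direction, though sourcing it does execute whatever that file contains as root.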
--- a/setrans-strict.conf +++ /dev/null @@ -1,19 +0,0 @@ -# -# Multi-Category Security translation table for SELinux -# -# Uncomment the following to disable translation libary -# disable=1 -# -# Objects can be categorized with 0-1023 categories defined by the admin. -# Objects can be in more than one category at a time. -# Categories are stored in the system as c0-c1023. Users can use this -# table to translate the categories into a more meaningful output. -# Examples: -# s0:c0=CompanyConfidential -# s0:c1=PatientRecord -# s0:c2=Unclassified -# s0:c3=TopSecret -# s0:c1,c3=CompanyConfidentialRedHat -s0= -s0-s0:c0.c1023=SystemLow-SystemHigh -s0:c0.c1023=SystemHigh diff --git a/seusers-strict b/seusers-strict deleted file mode 100644 index 4494f87..0000000 --- a/seusers-strict +++ /dev/null @@ -1,3 +0,0 @@ -system_u:system_u:s0-s0:c0.c1023 -root:root:s0-s0:c0.c1023 -__default__:user_u:s0 diff --git a/users_extra-strict b/users_extra-strict deleted file mode 100644 index 28799f4..0000000 --- a/users_extra-strict +++ /dev/null @@ -1,4 +0,0 @@ -user root prefix staff; -user staff_u prefix staff; -user user_u prefix user; -user sysadm_u prefix sysadm; diff --git a/xm.patch b/xm.patch deleted file mode 100644 index b55f010..0000000 --- a/xm.patch +++ /dev/null 
@@ -1,136 +0,0 @@
-diff -ru serefpolicy-2.2.35-orig/policy/modules/system/xen.fc serefpolicy-2.2.35/policy/modules/system/xen.fc
---- serefpolicy-2.2.35-orig/policy/modules/system/xen.fc 2006-04-24 20:14:54.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/xen.fc 2006-04-25 11:01:03.000000000 -0400
-@@ -14,3 +14,4 @@
- /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
- /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
- /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
-+/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
---- serefpolicy-2.2.35-orig/policy/modules/system/xen.if 2006-04-25 10:27:36.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/xen.if 2006-04-25 11:03:07.000000000 -0400
-@@ -83,3 +83,66 @@
- allow $1 xenstored_var_run_t:sock_file { getattr write };
- allow $1 xenstored_t:unix_stream_socket connectto;
- ')
-+
-+########################################
-+##
-+## Connect to xend over an unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xen_connect',`
-+ gen_require(`
-+ type xend_t, xend_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 xend_var_run_t:dir search;
-+ allow $1 xend_var_run_t:sock_file getattr;
-+ allow $1 xend_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
-+## Write to xend over an unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`xen_writeto',`
-+ gen_require(`
-+ type xend_var_run_t;
-+ ')
-+
-+ allow $1 xend_var_run_t:sock_file write;
-+')
-+
-+
-+########################################
-+##
-+## Execute a domain transition to run xm.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`xm_domtrans',`
-+ gen_requires(`
-+ type xm_t, xm_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,xm_exec_t,xm_t)
-+
-+ allow $1 xm_t:fd use;
-+ allow xm_t $1:fd use;
-+ allow xm_t:$1:fifo_file rw_file_perms;
-+ allow xm_t $1:process sigchld;
-+')
-Only in serefpolicy-2.2.35/policy/modules/system: xen.if~
---- serefpolicy-2.2.35-orig/policy/modules/system/xen.te 2006-04-25 10:27:36.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/xen.te 2006-04-25 11:01:03.000000000 -0400
-@@ -224,3 +224,55 @@
- miscfiles_read_localization(xenstored_t)
- 
- xen_append_log(xenstored_t)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type xm_t;
-+type xm_exec_t;
-+domain_type(xm_t)
-+init_daemon_domain(xm_t, xm_exec_t)
-+
-+########################################
-+#
-+# xm local policy
-+#
-+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
-+
-+# Some common macros (you might be able to remove some)
-+files_read_etc_files(xm_t)
-+libs_use_ld_so(xm_t)
-+libs_use_shared_libs(xm_t)
-+miscfiles_read_localization(xm_t)
-+# internal communication is often done using fifo and unix sockets.
-+allow xm_t self:fifo_file { read write };
-+allow xm_t self:unix_stream_socket create_stream_socket_perms;
-+
-+
-+# james -- aujdit2allow
-+
-+corecmd_exec_bin(xm_t)
-+corecmd_exec_sbin(xm_t)
-+
-+kernel_read_system_state(xm_t)
-+kernel_read_kernel_sysctls(xm_t)
-+kernel_read_xen_state(xm_t)
-+kernel_write_xen_state(xm_t)
-+term_use_all_terms(xm_t)
-+
-+dev_read_urand(xm_t)
-+
-+xen_append_log(xm_t)
-+xen_connect(xm_t)
-+xen_writeto(xm_t)
-+
-+xen_stream_connect_xenstore(xm_t)
-+allow xm_t self:capability dac_override;
-+
-+
-+# allow xm_t root_t:dir search;
-+# Need to relabel files for xen
-+auth_read_all_files_except_shadow(xm_t)
-+
