From 46b5649f901c62a7871ada9ab237626ea090e731 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 09 2009 21:17:23 +0000
Subject: - Add pulseaudio context

---

diff --git a/modules-minimum.conf b/modules-minimum.conf
index ce9de57..4b896e4 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1273,6 +1273,13 @@ squid = module
 #
 ssh = base
 
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
 # Layer: kernel
 # Module: storage
 #
diff --git a/modules-mls.conf b/modules-mls.conf
index 8919fa2..ac6f63d 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1266,6 +1266,13 @@ squid = module
 #
 ssh = base
 
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
 # Layer: kernel
 # Module: storage
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index ce9de57..4b896e4 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1273,6 +1273,13 @@ squid = module
 #
 ssh = base
 
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
 # Layer: kernel
 # Module: storage
 #
diff --git a/policy-20090105.patch b/policy-20090105.patch
index c94e06f..b226687 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -3553,8 +3553,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if 2009-03-08 08:48:02.000000000 -0400
-@@ -0,0 +1,85 @@
++++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if 2009-03-09 16:50:20.000000000 -0400
+@@ -0,0 +1,86 @@
 +
 +## policy for pulseaudio
 +
@@ -3631,19 +3631,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ps_process_pattern($2, pulseaudio_t) + + allow pulseaudio_t $2:process { signal signull }; ++ allow $2 pulseaudio_t:process { signal signull }; + ps_process_pattern(pulseaudio_t, $2) + + allow pulseaudio_t $2:unix_stream_socket connectto; + allow $2 pulseaudio_t:unix_stream_socket connectto; + -+ userdom_manage_home_role($1, $2) -+ userdom_manage_tmp_role($1, $2) -+ userdom_manage_tmpfs_role($1, $2) ++ userdom_manage_home_role($1, pulseaudio_t) ++ userdom_manage_tmp_role($1, pulseaudio_t) ++ userdom_manage_tmpfs_role($1, pulseaudio_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te 2009-03-08 08:48:02.000000000 -0400 -@@ -0,0 +1,82 @@ ++++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te 2009-03-09 16:49:50.000000000 -0400 +@@ -0,0 +1,88 @@ +policy_module(pulseaudio,1.0.0) + +######################################## @@ -3687,10 +3688,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_usr_files(pulseaudio_t) + +fs_rw_anon_inodefs_files(pulseaudio_t) ++fs_getattr_tmpfs(pulseaudio_t) + +term_use_all_user_ttys(pulseaudio_t) +term_use_all_user_ptys(pulseaudio_t) + ++auth_use_nsswitch(pulseaudio_t) ++ +miscfiles_read_localization(pulseaudio_t) + +logging_send_syslog_msg(pulseaudio_t) @@ -3718,6 +3722,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xserver_common_app(pulseaudio_t) ++ xserver_read_xdm_pid(pulseaudio_t) ++ xserver_stream_connect(pulseaudio_t) +') + +tunable_policy(`pulseaudio_network',` 
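Review bot: The corrected `userdom_manage_home_role($1, pulseaudio_t)` (and the `_tmp_role` / `_tmpfs_role` variants) in `pulseaudio_role` now gives the pulseaudio_t domain create, write and delete access over the whole of the caller's home, tmp and tmpfs content rather than only its own state files. If pulseaudio only needs its configuration and cookie files under the home directory, a dedicated user home content type for pulseaudio with a file transition would be a tighter fit; if the broad grant is intentional, the interface summary should state it, because callers of `pulseaudio_role` cannot see it from the signature. The opening lines of `pulseaudio_role` are outside this hunk.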
@@ -3726,6 +3732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#FALSE +') + ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.8/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 +++ serefpolicy-3.6.8/policy/modules/apps/qemu.fc 2009-03-07 12:11:40.000000000 -0500 @@ -12684,7 +12691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.8/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/hal.if 2009-03-09 12:17:13.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/hal.if 2009-03-09 16:17:22.000000000 -0400 @@ -20,6 +20,24 @@ ######################################## @@ -12777,7 +12784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`hal_create_log',` + gen_require(` -+ type hald_logd_t; ++ type hald_log_t; + ') + + # log files for hald 
@@ -21256,6 +21263,328 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.8/policy/modules/services/sssd.fc +--- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/sssd.fc 2009-03-09 15:47:38.000000000 -0400 +@@ -0,0 +1,6 @@ ++ ++/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) ++ ++/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) ++/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.8/policy/modules/services/sssd.if +--- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/sssd.if 2009-03-09 15:49:56.000000000 -0400 +@@ -0,0 +1,249 @@ ++ ++## policy for sssd ++ ++######################################## ++## ++## Execute a domain transition to run sssd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sssd_domtrans',` ++ gen_require(` ++ type sssd_t; ++ type sssd_exec_t; ++ ') ++ ++ domtrans_pattern($1,sssd_exec_t,sssd_t) ++') ++ ++ ++######################################## ++## ++## Execute sssd server in the sssd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`sssd_initrc_domtrans',` ++ gen_require(` ++ type sssd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1,sssd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read sssd PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`sssd_read_pid_files',` ++ gen_require(` ++ type sssd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 sssd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage sssd var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_manage_var_run',` ++ gen_require(` ++ type sssd_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t) ++ manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t) ++ manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t) ++') ++ ++ ++######################################## ++## ++## Search sssd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_search_lib',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') ++ ++ allow $1 sssd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read sssd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_read_lib_files',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## sssd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_manage_lib_files',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage sssd var_lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`sssd_manage_var_lib',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ++ manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ++ manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## sssd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_dbus_chat',` ++ gen_require(` ++ type sssd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 sssd_t:dbus send_msg; ++ allow sssd_t $1:dbus send_msg; ++') ++ ++ ++######################################## ++## ++## Connect to sssd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_stream_connect',` ++ gen_require(` ++ type sssd_t, sssd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 sssd_var_run_t:sock_file write; ++ allow $1 sssd_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an sssd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the sssd domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`sssd_admin',` ++ gen_require(` ++ type sssd_t; ++ ') ++ ++ allow $1 sssd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, sssd_t, sssd_t) ++ ++ ++ gen_require(` ++ type sssd_initrc_exec_t; ++ ') ++ ++ # Allow sssd_t to restart the apache service ++ sssd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 sssd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ sssd_manage_var_run($1) ++ ++ sssd_manage_var_lib($1) ++ ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.8/policy/modules/services/sssd.te +--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/sssd.te 2009-03-09 15:47:36.000000000 -0400 +@@ -0,0 +1,55 @@ ++policy_module(sssd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type sssd_t; ++type sssd_exec_t; ++init_daemon_domain(sssd_t, sssd_exec_t) ++ ++permissive sssd_t; ++ ++type sssd_initrc_exec_t; ++init_script_file(sssd_initrc_exec_t) ++ ++type sssd_var_run_t; ++files_pid_file(sssd_var_run_t) ++ ++type sssd_var_lib_t; ++files_type(sssd_var_lib_t) ++ ++######################################## ++# ++# sssd local policy ++# ++ ++# Init script handling ++domain_use_interactive_fds(sssd_t) ++ ++# internal communication is often done using fifo and unix sockets. 
++allow sssd_t self:fifo_file rw_file_perms; ++allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) ++manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) ++files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir }) ++ ++manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) ++ ++corecmd_exec_bin(sssd_t) ++ ++dev_read_urand(sssd_t) ++ ++files_read_etc_files(sssd_t) ++ ++miscfiles_read_localization(sssd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(sssd_t) ++ dbus_connect_system_bus(sssd_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.8/policy/modules/services/stunnel.fc --- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.8/policy/modules/services/stunnel.fc 2009-03-07 12:11:40.000000000 -0500 @@ -22706,7 +23035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/xserver.te 2009-03-07 12:11:40.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/xserver.te 2009-03-09 16:07:15.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -23121,7 +23450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +639,19 @@ +@@ -542,6 +639,23 @@ ') optional_policy(` 
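Review bot: `sssd_stream_connect` in the new sssd.if grants `allow $1 sssd_var_run_t:sock_file write;` after `files_search_pids($1)`, but the new sssd.te only creates socket files under the var_lib type (`manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)`; the var_run rules cover dirs and files only) and sssd.fc labels `/var/lib/sss(/.*)?` as sssd_var_lib_t, so callers would be denied on the socket file unless sssd actually places it under /var/run. If the socket lives under /var/lib/sss, the interface should require `type sssd_t, sssd_var_lib_t;`, call `files_search_var_lib($1)` and grant `allow $1 sssd_var_lib_t:sock_file write;`; the same issue reaches every nsswitch user through the `sssd_stream_connect($1)` added to authlogin.if in the @@ -1305 hunk below. `permissive sssd_t;` means denials in this new domain are only audited, not enforced, and deserves a comment saying it is a bootstrapping measure and when it is meant to come out. The comment `# Allow sssd_t to restart the apache service` in `sssd_admin` is a copy-paste leftover and should name the sssd service.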
@@ -23130,6 +23459,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_read_reload(xdm_t) +') + ++optional_policy(` ++ pulseaudio_role(system_r, xdm_t) ++') ++ +# On crash gdm execs gdb to dump stack +optional_policy(` + rpm_exec(xdm_t) @@ -23141,7 +23474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +660,9 @@ +@@ -550,8 +664,9 @@ ') optional_policy(` @@ -23153,7 +23486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +671,6 @@ +@@ -560,7 +675,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -23161,7 +23494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +681,10 @@ +@@ -571,6 +685,10 @@ ') optional_policy(` @@ -23172,7 +23505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +701,7 @@ +@@ -587,7 +705,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23181,7 +23514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +716,11 @@ +@@ -602,9 +720,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -23193,7 +23526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -622,7 +738,7 @@ +@@ -622,7 +742,7 @@ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) @@ -23202,7 +23535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +751,19 @@ +@@ -635,9 +755,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23222,7 +23555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +806,14 @@ +@@ -680,9 +810,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -23237,7 +23570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +828,13 @@ +@@ -697,8 +832,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23251,7 +23584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +856,7 @@ +@@ -720,6 +860,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -23259,7 +23592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +879,7 @@ +@@ -742,7 +883,7 @@ ') ifdef(`enable_mls',` 
@@ -23268,7 +23601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,6 +911,10 @@ +@@ -774,6 +915,10 @@ ') optional_policy(` @@ -23279,7 +23612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') -@@ -806,7 +947,7 @@ +@@ -806,7 +951,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -23288,7 +23621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +968,14 @@ +@@ -827,9 +972,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23303,7 +23636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +990,14 @@ +@@ -844,11 +994,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -23319,7 +23652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1005,11 @@ +@@ -856,6 +1009,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -23331,7 +23664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1035,8 @@ +@@ -881,6 +1039,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; 
@@ -23340,7 +23673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1061,8 @@ +@@ -905,6 +1065,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23349,7 +23682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1130,51 @@ +@@ -972,17 +1134,51 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -23559,7 +23892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/authlogin.if 2009-03-07 12:11:40.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/authlogin.if 2009-03-09 15:51:16.000000000 -0400 @@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -23607,7 +23940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_rw_utmp($1) -@@ -100,9 +119,38 @@ +@@ -100,11 +119,40 @@ seutil_read_config($1) seutil_read_default_contexts($1) 
@@ -23627,9 +23960,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) -+ ') -+ ') -+ + ') + ') + + optional_policy(` + corecmd_exec_bin($1) + storage_getattr_fixed_disk_dev($1) @@ -23638,16 +23971,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + nis_authenticate($1) - ') ++ ') + + optional_policy(` + ssh_agent_exec($1) + userdom_read_user_home_content_files($1) + ') + - ') - ++') ++ ######################################## + ## + ## Use the login program as an entry point program. @@ -197,8 +245,11 @@ interface(`auth_domtrans_chk_passwd',` gen_require(` @@ -23780,15 +24115,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1307,6 +1413,7 @@ +@@ -1305,8 +1411,13 @@ + ') + optional_policy(` ++ sssd_stream_connect($1) ++ ') ++ ++ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) + samba_dontaudit_write_var_files($1) ') ') -@@ -1341,3 +1448,99 @@ +@@ -1341,3 +1452,99 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -27942,7 +28283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/userdomain.if 2009-03-07 12:36:20.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/userdomain.if 2009-03-09 16:06:34.000000000 -0400 @@ -30,8 +30,9 @@ ')