diff --git a/policy-20070703.patch b/policy-20070703.patch index 6c6c8ba..78596e1 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -4505,7 +4505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-12-04 22:17:10.000000000 -0500 @@ -343,8 +343,7 @@ ######################################## @@ -5623,7 +5623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-12-04 08:45:26.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -5717,9 +5717,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac gen_require(` attribute httpdcontent, httpd_script_domains; - attribute httpd_exec_scripts; +- type httpd_t, httpd_suexec_t, httpd_log_t; + attribute httpd_exec_scripts, httpd_user_content_type; + attribute httpd_user_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; ++ type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t; ') apache_content_template($1) 
@@ -5733,7 +5734,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typeattribute httpd_$1_script_t httpd_script_domains; userdom_user_home_content($1,httpd_$1_content_t) -@@ -345,12 +301,11 @@ +@@ -324,6 +280,7 @@ + userdom_search_user_home_dirs($1,httpd_t) + userdom_search_user_home_dirs($1,httpd_suexec_t) + userdom_search_user_home_dirs($1,httpd_$1_script_t) ++ userdom_search_user_home_dirs($1,httpd_sys_script_t) + ') + ') + +@@ -345,12 +302,11 @@ # template(`apache_read_user_scripts',` gen_require(` @@ -5750,7 +5759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -371,12 +326,12 @@ +@@ -371,12 +327,12 @@ # template(`apache_read_user_content',` gen_require(` @@ -5767,7 +5776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -754,6 +709,7 @@ +@@ -754,6 +710,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -5775,7 +5784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -838,6 +794,10 @@ +@@ -838,6 +795,10 @@ type httpd_sys_script_t; ') @@ -5786,7 +5795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') -@@ -925,7 +885,7 @@ +@@ -925,7 +886,7 @@ type httpd_squirrelmail_t; ') @@ -5795,7 +5804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1005,6 +965,31 @@ +@@ -1005,6 +966,31 @@ ######################################## ## 
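Review bot: The added `userdom_search_user_home_dirs($1,httpd_sys_script_t)` in the inner `@@ -324,6 +280,7 @@` hunk sits in a per-role template, so the single system-wide CGI domain gains search access to every role's home directories, and nothing in the hunk says why. The two closing `')` lines show the rule is nested inside a block whose opening is outside the hunk; please confirm that block is the home-directory tunable (presumably `httpd_enable_homedirs`) and not unconditional policy. I would add a comment above the new line, for example `# system CGI scripts must traverse ~user to reach user web content; search only, no read`. The matching `httpd_sys_script_t` addition to `gen_require` in the previous hunk looks correct.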
@@ -5827,7 +5836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Search system script state directory. ## ## -@@ -1056,3 +1041,138 @@ +@@ -1056,3 +1042,138 @@ allow httpd_t $1:process signal; ') @@ -10652,6 +10661,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open files_pid_filetrans(openct_t,openct_var_run_t,file) kernel_read_kernel_sysctls(openct_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.0.8/policy/modules/services/openvpn.fc +--- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/openvpn.fc 2007-12-04 11:28:30.000000000 -0500 +@@ -11,5 +11,5 @@ + # + # /var + # +-/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0) ++/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) + /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.8/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/openvpn.te 2007-12-02 21:15:34.000000000 -0500 @@ -13935,7 +13954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-12-04 15:52:53.000000000 -0500 
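Review bot: The new openvpn.fc entry `/var/log/openvpn.*` is a bare prefix match, so it labels the directory tree and also any sibling path under /var/log whose name merely starts with "openvpn" as `openvpn_var_log_t`. The old `(/.*)?` form was limited to the directory and its contents. If the intent is to cover log files written directly into /var/log, keeping the directory entry and adding a file-only entry is tighter: `/var/log/openvpn(/.*)?` plus `/var/log/openvpn.*\.log -- gen_context(system_u:object_r:openvpn_var_log_t,s0)`. Either way, a comment naming the file that motivated the wider pattern would help the next reviewer.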
@@ -116,8 +116,7 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) @@ -14059,13 +14078,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -536,17 +533,15 @@ +@@ -536,17 +533,16 @@ template(`xserver_user_client_template',` gen_require(` - type xdm_t, xdm_tmp_t; - type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; + type xdm_t, xdm_tmp_t, xdm_xserver_t; ++ type xdm_var_run_t; ') - allow $2 self:shm create_shm_perms; @@ -14083,10 +14103,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +550,51 @@ +@@ -555,25 +551,55 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; ++ # consolekit needs this for fast user switching ++ allow $2 xdm_var_run_t:dir search_dir_perms; ++ allow $2 xdm_var_run_t:sock_file getattr; ++ + corenet_tcp_connect_xserver_port($2) + # Allow connections to X server. @@ -14143,7 +14167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +647,24 @@ +@@ -626,6 +652,24 @@ ######################################## ## @@ -14168,7 +14192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +698,73 @@ +@@ -659,6 +703,73 @@ ######################################## ## @@ -14242,7 +14266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -927,6 +1033,7 @@ +@@ -927,6 +1038,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) 
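Review bot: The two new rules `allow $2 xdm_var_run_t:dir search_dir_perms;` and `allow $2 xdm_var_run_t:sock_file getattr;` are added to `xserver_user_client_template`, so every X client domain passed as `$2` receives them, while the comment attributes the need to consolekit only. If only the ConsoleKit-related domain needs to stat the socket, the grant would be better placed in an interface that domain calls. If every client really needs it, the comment should say so, for example `# X clients stat the xdm socket under /var/run during fast user switching (ConsoleKit)`. The template body starts and ends outside this hunk, so I cannot see whether `$2` is already restricted further up.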
@@ -14250,7 +14274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -987,6 +1094,37 @@ +@@ -987,6 +1099,37 @@ ######################################## ## @@ -14288,7 +14312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1274,7 @@ +@@ -1136,7 +1279,7 @@ type xdm_xserver_tmp_t; ') @@ -14297,7 +14321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1463,82 @@ +@@ -1325,3 +1468,82 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -15120,7 +15144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-12-03 18:47:24.000000000 -0500 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -15171,7 +15195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) -@@ -111,6 +129,7 @@ +@@ -111,19 +129,12 @@ logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fds(pam_t) 
@@ -15179,7 +15203,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo optional_policy(` locallogin_use_fds(pam_t) -@@ -149,6 +168,8 @@ + ') + +-optional_policy(` +- nis_use_ypbind(pam_t) +-') +- +-optional_policy(` +- nscd_socket_use(pam_t) +-') +- + ######################################## + # + # PAM console local policy +@@ -149,6 +160,8 @@ dev_setattr_apm_bios_dev(pam_console_t) dev_getattr_dri_dev(pam_console_t) dev_setattr_dri_dev(pam_console_t) @@ -15188,7 +15225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_framebuffer_dev(pam_console_t) dev_setattr_framebuffer_dev(pam_console_t) dev_getattr_generic_usb_dev(pam_console_t) -@@ -159,6 +180,8 @@ +@@ -159,6 +172,8 @@ dev_setattr_mouse_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t) @@ -15197,7 +15234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) -@@ -200,6 +223,7 @@ +@@ -200,6 +215,7 @@ fs_list_auto_mountpoints(pam_console_t) fs_list_noxattr_fs(pam_console_t) @@ -15205,7 +15242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_use_fds(pam_console_t) init_use_script_ptys(pam_console_t) -@@ -236,7 +260,7 @@ +@@ -236,7 +252,7 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) 
@@ -15214,7 +15251,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -302,3 +326,28 @@ +@@ -256,6 +272,7 @@ + userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) + userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) + userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) ++userdom_unlink_unpriv_users_tmp_files(pam_t) + + ######################################## + # +@@ -302,3 +319,28 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -18709,7 +18754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-04 22:17:40.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -18721,7 +18766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -45,65 +46,72 @@ +@@ -45,65 +46,73 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) @@ -18795,6 +18840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + domain_dontaudit_getattr_all_domains($1_usertype) + domain_dontaudit_getsession_all_domains($1_usertype) + ++ files_list_mnt($1_usertype) + files_read_etc_files($1_usertype) + files_read_etc_runtime_files($1_usertype) + files_read_usr_files($1_usertype) 
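Review bot: The added `userdom_unlink_unpriv_users_tmp_files(pam_t)` is a `pam_t` rule appended to the run of `system_chkpwd_t` rules in the inner `@@ -256,6 +272,7 @@` hunk, where it is easy to misread as applying to the chkpwd domain. It lets `pam_t` unlink temporary files owned by every unprivileged user, which is wide enough that the reason should be stated. I would move it into the PAM local policy section beside `userdom_use_unpriv_users_fds(pam_t)` and add a comment such as `# pam removes stale per-user files from /tmp at session close`, worded to match the actual reason, which the patch does not show.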
@@ -18845,7 +18891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -114,6 +122,10 @@ +@@ -114,6 +123,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -18856,7 +18902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -184,7 +196,7 @@ +@@ -184,7 +197,7 @@ files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` @@ -18865,7 +18911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_read_nfs_files($1_t) fs_read_nfs_symlinks($1_t) fs_read_nfs_named_sockets($1_t) -@@ -195,7 +207,7 @@ +@@ -195,7 +208,7 @@ ') tunable_policy(`use_samba_home_dirs',` @@ -18874,7 +18920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_read_cifs_files($1_t) fs_read_cifs_symlinks($1_t) fs_read_cifs_named_sockets($1_t) -@@ -262,42 +274,42 @@ +@@ -262,42 +275,42 @@ # full control of the home directory allow $1_t $1_home_t:file entrypoint; @@ -18944,7 +18990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -315,14 +327,20 @@ +@@ -315,14 +328,20 @@ ## # template(`userdom_exec_home_template',` @@ -18970,7 +19016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -374,12 +392,12 @@ +@@ -374,12 +393,12 @@ type $1_tmp_t, $1_file_type; files_tmp_file($1_tmp_t) @@ -18989,7 +19035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -395,7 +413,9 @@ +@@ -395,7 +414,9 @@ ## # template(`userdom_exec_tmp_template',` 
@@ -19000,7 +19046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -509,10 +529,6 @@ +@@ -509,10 +530,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -19011,7 +19057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -530,9 +546,6 @@ +@@ -530,9 +547,6 @@ ## # template(`userdom_basic_networking_template',` @@ -19021,7 +19067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -@@ -563,32 +576,29 @@ +@@ -563,32 +577,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -19075,7 +19121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -664,67 +674,39 @@ +@@ -664,67 +675,39 @@ attribute unpriv_userdomain; ') @@ -19146,7 +19192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_exec_etc_files($1_t) files_search_locks($1_t) # Check to see if cdrom is mounted -@@ -737,12 +719,6 @@ +@@ -737,12 +720,6 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -19159,7 +19205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -755,31 +731,14 @@ +@@ -755,31 +732,14 @@ storage_getattr_fixed_disk_dev($1_t) auth_read_login_records($1_t) @@ -19191,7 +19237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_t) -@@ -794,19 +753,12 @@ +@@ -794,19 +754,12 @@ files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) 
@@ -19211,7 +19257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -821,11 +773,6 @@ +@@ -821,11 +774,6 @@ ') optional_policy(` @@ -19223,7 +19269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:dbus send_msg; dbus_system_bus_client_template($1,$1_t) -@@ -834,20 +781,20 @@ +@@ -834,20 +782,20 @@ ') optional_policy(` @@ -19249,7 +19295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -876,17 +823,17 @@ +@@ -876,17 +824,17 @@ ') optional_policy(` @@ -19275,7 +19321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -900,16 +847,6 @@ +@@ -900,16 +848,6 @@ ') optional_policy(` @@ -19292,7 +19338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -919,11 +856,6 @@ +@@ -919,11 +857,6 @@ ') optional_policy(` @@ -19304,7 +19350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -954,21 +886,164 @@ +@@ -954,21 +887,164 @@ ## ## # @@ -19475,7 +19521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -977,23 +1052,51 @@ +@@ -977,23 +1053,51 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -19538,7 +19584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,42 +1132,22 @@ +@@ -1029,42 +1133,22 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) 
@@ -19586,7 +19632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1185,8 @@ +@@ -1102,6 +1186,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -19595,7 +19641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1212,7 @@ +@@ -1127,7 +1213,7 @@ # $1_t local policy # @@ -19604,7 +19650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1224,11 @@ +@@ -1139,7 +1225,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -19617,7 +19663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1277,6 +1366,7 @@ +@@ -1277,6 +1367,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -19625,7 +19671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1642,9 +1732,13 @@ +@@ -1642,9 +1733,13 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -19639,7 +19685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_type($2) ') -@@ -1894,10 +1988,46 @@ +@@ -1894,10 +1989,46 @@ template(`userdom_manage_user_home_content_dirs',` gen_require(` type $1_home_dir_t, $1_home_t; @@ -19687,7 +19733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2994,6 +3124,25 @@ +@@ -2994,6 +3125,25 @@ ######################################## ## 
@@ -19713,7 +19759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create objects in a user temporary directory ## with an automatic type transition to ## a specified private type. -@@ -3078,7 +3227,7 @@ +@@ -3078,7 +3228,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -19722,7 +19768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4410,6 +4559,7 @@ +@@ -4410,6 +4560,7 @@ ') dontaudit $1 sysadm_home_dir_t:dir getattr; @@ -19730,7 +19776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4574,6 +4724,7 @@ +@@ -4574,6 +4725,7 @@ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) @@ -19738,7 +19784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4609,11 +4760,29 @@ +@@ -4609,11 +4761,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -19769,7 +19815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4802,14 @@ +@@ -4633,6 +4803,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -19784,7 +19830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5500,7 @@ +@@ -5323,7 +5501,7 @@ attribute user_tmpfile; ') @@ -19793,7 +19839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5346,6 +5523,25 @@ +@@ -5346,6 +5524,25 @@ ######################################## ## 
@@ -19819,7 +19865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all unprivileged users files in /tmp ## ## -@@ -5529,6 +5725,24 @@ +@@ -5529,6 +5726,24 @@ ######################################## ## @@ -19844,7 +19890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5559,3 +5773,403 @@ +@@ -5559,3 +5774,396 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -20031,13 +20077,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +template(`userdom_restricted_xwindows_user_template', ` + +userdom_restricted_user_template($1) -+# Should be optional but policy will not build because of compiler problems -+# Must be before xwindows calls -+#optional_policy(` -+ gnome_per_role_template(xguest, xguest_t, xguest_r) -+ gnome_exec_gconf(xguest_t) -+#') -+ +userdom_xwindows_client_template($1) + +logging_send_syslog_msg($1_usertype) 
@@ -20696,12 +20735,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-12-02 21:15:34.000000000 -0500 -@@ -0,0 +1,4 @@ ++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-12-04 14:31:41.000000000 -0500 +@@ -0,0 +1,3 @@ +policy_module(guest,1.0.1) +userdom_restricted_user_template(guest) +userdom_restricted_user_template(gadmin) -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.8/policy/modules/users/logadm.fc 2007-12-02 21:15:34.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index fd20e5b..57e95ca 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 64%{?dist} +Release: 65%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,9 @@ exit 0 %endif %changelog +* Tue Dec 4 2007 Dan Walsh 3.0.8-65 +- Allow httpd_sys_script_t to search users homedirs + * Sun Dec 2 2007 Dan Walsh 3.0.8-64 - Allow xdm to list all filesystem directories