diff --git a/policy-20070703.patch b/policy-20070703.patch
index fef70c1..757b51e 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -3643,7 +3643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-31 09:43:13.000000000 -0400
@@ -20,6 +20,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -3652,7 +3652,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
-@@ -98,6 +99,7 @@
+@@ -30,6 +31,7 @@
+ /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
++/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,mls_systemhigh)
+ /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+@@ -98,6 +100,7 @@
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
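Review bot: The new `/dev/kvm` entry is labeled `mls_systemhigh`, the same range as the `/dev/kmem` and `/dev/kmsg` lines beside it, and nothing in the patch records why that range was chosen. In an MLS build this presumably confines the new `dev_read_kvm`/`dev_rw_kvm` callers to domains that can read and write at system high unless they carry an MLS override attribute, which is a stronger restriction than the `s0` neighbours get. A short comment next to the `kvm_device_t` declaration in devices.te, e.g. `# /dev/kvm is labeled mls_systemhigh in devices.fc; check MLS range of callers of dev_rw_kvm`, would keep the intent visible when the interfaces start being used. The renumbered `@@ -98,6 +100,7 @@` header below is just the consequence of the inserted line.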
@@ -3662,7 +3670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-10-31 09:46:00.000000000 -0400
@@ -1306,6 +1306,44 @@
########################################
@@ -3708,6 +3716,102 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read input event devices (/dev/input).
##
##
+@@ -1623,6 +1661,78 @@
+
+ ########################################
+ ##
++## Get the attributes of the kvm devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_kvm_dev',`
++ gen_require(`
++ type device_t, kvm_device_t;
++ ')
++
++ getattr_chr_files_pattern($1,device_t,kvm_device_t)
++')
++
++########################################
++##
++## Set the attributes of the kvm devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_kvm_dev',`
++ gen_require(`
++ type device_t, kvm_device_t;
++ ')
++
++ setattr_chr_files_pattern($1,device_t,kvm_device_t)
++')
++
++########################################
++##
++## Read the kvm devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_kvm',`
++ gen_require(`
++ type device_t, kvm_device_t;
++ ')
++
++ read_chr_files_pattern($1,device_t,kvm_device_t)
++')
++
++########################################
++##
++## Read and write to kvm devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_kvm',`
++ gen_require(`
++ type device_t, kvm_device_t;
++ ')
++
++ rw_chr_files_pattern($1,device_t,kvm_device_t)
++')
++
++########################################
++##
+ ## Get the attributes of miscellaneous devices.
+ ##
+ ##
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.0.8/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-10-22 13:21:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.te 2007-10-31 09:43:37.000000000 -0400
+@@ -72,6 +72,13 @@
+ dev_node(kmsg_device_t)
+
+ #
++# kvm_device_t is the type of
++# /dev/kvm
++#
++type kvm_device_t;
++dev_node(kvm_device_t)
++
++#
+ # Type for /dev/mapper/control
+ #
+ type lvm_control_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-10-30 19:48:13.000000000 -0400
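Review bot: The documentation blocks of the four new interfaces (`dev_getattr_kvm_dev`, `dev_setattr_kvm_dev`, `dev_read_kvm`, `dev_rw_kvm`) show only the bare summary sentence and "Domain allowed access." separated by empty `##` lines; the `summary` and `param name="domain"` tag lines that the refpolicy XML doc format expects are not visible here, which may be an artefact of how this page was rendered, but if they are genuinely absent the interface documentation generator will not pick these interfaces up. The `dev_rw_kvm` summary would also benefit from stating what the access implies, e.g. `## Read and write the kvm device (allows the domain to create and control KVM virtual machines).`, since this is the interface that confers the real privilege. The `kvm_device_t`/`dev_node()` declaration in devices.te mirrors the `kmsg_device_t` block above it and looks consistent with the new `/dev/kvm` file context.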
@@ -8543,7 +8647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-31 07:35:43.000000000 -0400
@@ -142,6 +142,12 @@
sendmail_create_log($1_mail_t)
')
@@ -8606,7 +8710,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
-@@ -447,20 +481,18 @@
+@@ -436,6 +470,24 @@
+
+ ########################################
+ ##
++## Make the specified type readable for a system_mail_t
++##
++##
++##
++## Type to be used as a mail client.
++##
++##
++#
++interface(`mta_mailcontent',`
++ gen_require(`
++ attribute mailcontent_type;
++ ')
++
++ typeattribute $1 mailcontent_type;
++')
++
++########################################
++##
+ ## Send mail from the system.
+ ##
+ ##
+@@ -447,20 +499,18 @@
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
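Review bot: The parameter description of the new `mta_mailcontent` interface does not match what the interface does: the summary says it makes the type readable by `system_mail_t`, but the `param` text reads `## Type to be used as a mail client.`, which looks copied from a mail-client interface. Suggest `## Type whose files system_mail_t may read (and whose directories it may search).` so callers understand they are exposing their data to the system mail domain rather than registering a client. Because the grant is attribute-based, every module that calls this interface widens `system_mail_t`'s read set permanently; saying so in the summary helps module authors weigh that.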
@@ -8633,7 +8762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -595,6 +627,25 @@
+@@ -595,6 +645,25 @@
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr };
')
@@ -8661,16 +8790,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-29 23:59:29.000000000 -0400
-@@ -6,6 +6,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-31 07:35:09.000000000 -0400
+@@ -6,6 +6,8 @@
# Declarations
#
++attribute mailcontent_type;
+attribute mailclient_exec_type;
attribute mta_user_agent;
attribute mailserver_delivery;
attribute mailserver_domain;
-@@ -27,6 +28,7 @@
+@@ -27,6 +29,7 @@
type sendmail_exec_t;
application_executable_file(sendmail_exec_t)
@@ -8678,7 +8808,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -44,23 +46,33 @@
+@@ -40,27 +43,38 @@
+ allow system_mail_t self:capability { dac_override };
+
+ read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
++read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
+
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
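Review bot: The new `read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)` passes the attribute as both the directory and the file argument, so with the refpolicy pattern macro this grants `system_mail_t` directory search on any `mailcontent_type` directory as well as read on its files, and it does so unconditionally rather than under a tunable. That is probably intended, but a comment on the rule would make the open-ended nature of the grant explicit, e.g. `# every type tagged via mta_mailcontent() becomes readable (files) and searchable (dirs) by system_mail_t`. The `attribute mailcontent_type;` declaration in the preceding hunk is the only other place the attribute appears in this patch.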
@@ -8712,7 +8847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -73,6 +85,7 @@
+@@ -73,6 +87,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -11670,6 +11805,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
seutil_sigchld_newrole(soundd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-10-31 09:26:27.000000000 -0400
+@@ -81,7 +81,7 @@
+
+ # var/lib files for spamd
+ allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+-read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
++manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
+
+ manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/squid.fc 2007-10-29 23:59:29.000000000 -0400
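Review bot: The change from `read_files_pattern` to `manage_files_pattern` on `spamd_var_lib_t` widens `spamd_t` from read-only to create/write/unlink/rename on its var/lib state, and in refpolicy the manage pattern also grants read-write directory permissions on the dir argument, yet the spec changelog for 3.0.8-43 mentions only the `/dev/kvm` type (the `mailcontent_type` work is missing there too). Suggest adding changelog lines such as `- Allow spamd to manage its var/lib files` and `- Add mailcontent_type attribute and mta_mailcontent() interface`. If the directory write permissions really are granted by the pattern, the separate `allow spamd_t spamd_var_lib_t:dir list_dir_perms;` line above it is now largely subsumed and the `# var/lib files for spamd` comment could note that spamd rewrites this data; if spamd also needs to create subdirectories there, a matching `manage_dirs_pattern` like the var/run one two lines below would be required.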
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7c614d7..0b91670 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 42%{?dist}
+Release: 43%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,9 @@ exit 0
%endif
%changelog
+* Tue Oct 30 2007 Dan Walsh 3.0.8-43
+- Add type definition for /dev/kvm
+
* Tue Oct 30 2007 Dan Walsh 3.0.8-42
- Make tcbdomain
- Allow domain domain:fd use