From 494f21a05ae8c02488380fd4110b6caddd8b4f63 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 24 2009 13:11:58 +0000 Subject: - Fix up xguest policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 199a810..6581e79 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -836,6 +836,13 @@ mount = base # mozilla = module +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + # Layer: apps # Module: nsplugin # diff --git a/policy-20090521.patch b/policy-20090521.patch index 20fb652..7200fb8 100644 --- a/policy-20090521.patch +++ b/policy-20090521.patch @@ -268,6 +268,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + ssh_rw_pipes(gitosis_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te +--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-05-21 08:27:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te 2009-06-24 08:36:16.000000000 -0400 +@@ -145,6 +145,7 @@ + userdom_manage_user_tmp_dirs(mozilla_t) + userdom_manage_user_tmp_files(mozilla_t) + userdom_manage_user_tmp_sockets(mozilla_t) ++userdom_use_user_ptys(mozilla_t) + + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) + xserver_dontaudit_read_xdm_tmp_files(mozilla_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-05-21 08:27:59.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc 2009-06-08 13:49:44.000000000 -0400 
@@ -295,16 +306,483 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if +--- nsaserefpolicy/policy/modules/apps/sandbox.if 2009-05-21 08:27:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if 2009-06-24 08:54:41.000000000 -0400 +@@ -3,73 +3,143 @@ + + ######################################## + ## +-## Execute a domain transition to run sandbox. ++## Execute sandbox in the sandbox domain, and ++## allow the specified role the sandbox domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. + ## + ## + # +-interface(`sandbox_domtrans',` ++interface(`sandbox_transition',` + gen_require(` +- type sandbox_t; +- type sandbox_exec_t; ++ type sandbox_xserver_t; ++ attribute sandbox_domain; + ') + +- domtrans_pattern($1,sandbox_exec_t,sandbox_t) ++ allow $1 sandbox_domain:process transition; ++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; ++ role $2 types sandbox_domain; ++ role $2 types sandbox_xserver_t; + ') + +- + ######################################## + ## +-## Execute sandbox in the sandbox domain, and +-## allow the specified role the sandbox domain. ++## Creates types and rules for a basic ++## qemu process domain. + ## +-## ++## + ## +-## Domain allowed access +-## +-## +-## +-## +-## The role to be allowed the sandbox domain. ++## Prefix for the domain. 
+ ## + ## + # +-interface(`sandbox_run',` ++template(`sandbox_domain_template',` ++ + gen_require(` +- type sandbox_t; ++ attribute sandbox_domain; + ') + +- sandbox_domtrans($1) +- role $2 types sandbox_t; ++ type $1_t, sandbox_domain; ++ domain_type($1_t) ++ ++ type $1_file_t; ++ files_type($1_file_t) ++ ++ can_exec($1_t, $1_file_t) ++ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) ++ manage_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) + ') + + ######################################## + ## +-## Role access for sandbox ++## Creates types and rules for a basic ++## qemu process domain. + ## +-## ++## + ## +-## Role allowed access ++## Prefix for the domain. + ## + ## ++# ++template(`sandbox_x_domain_template',` ++ gen_require(` ++ type xserver_exec_t; ++ type sandbox_xserver_t; ++ attribute sandbox_domain, sandbox_x_domain; ++ ') ++ ++ sandbox_domain_template($1) ++ ++ ++ typeattribute $1_t sandbox_x_domain; ++ ++ # window manager ++ miscfiles_setattr_fonts($1_t) ++ allow $1_t self:capability setuid; ++ ++ type $1_client_t, sandbox_x_domain, sandbox_domain; ++ domain_type($1_client_t) ++ ++ type $1_client_tmpfs_t; ++ files_tmpfs_file($1_client_tmpfs_t) ++ ++ allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr }; ++ term_create_pty($1_client_t,sandbox_devpts_t) ++ ++ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) ++ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) ++ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; ++ ++ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) ++ allow $1_t sandbox_xserver_t:process sigkill; ++ ++ domtrans_pattern($1_t, $1_file_t, $1_client_t) ++ domain_entry_file($1_client_t, $1_file_t) ++ ++ manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) ++ manage_files_pattern(sandbox_xserver_t, 
$1_file_t, $1_file_t) ++ manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) ++ allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; ++ ps_process_pattern(sandbox_xserver_t, $1_client_t) ++ ps_process_pattern(sandbox_xserver_t, $1_t) ++ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; ++ allow sandbox_xserver_t $1_t:shm rw_shm_perms; ++ ++ can_exec($1_client_t, $1_file_t) ++ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) ++ manage_files_pattern($1_client_t, $1_file_t, $1_file_t) ++ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) ++ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) ++ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) ++ ++# permissive $1_client_t; ++') ++ ++######################################## ++## ++## allow domain to read, ++## write sandbox_xserver tmp files ++## + ## + ## +-## User domain for the role ++## Domain to not audit. + ## + ## + # +-interface(`sandbox_role',` ++interface(`sandbox_rw_xserver_tmpfs_files',` + gen_require(` +- type sandbox_t; ++ type sandbox_xserver_tmpfs_t; + ') + +- role $2 types sandbox_t; +- +- sandbox_domtrans($1) +- +- ps_process_pattern($2, sandbox_t) +- allow $2 sandbox_t:process signal; ++ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-22 10:14:07.000000000 -0400 -@@ -38,3 +38,6 @@ - miscfiles_read_localization(sandbox_t) ++++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-06-24 08:54:41.000000000 -0400 +@@ -1,18 +1,84 @@ + policy_module(sandbox,1.0.0) ++dbus_stub() ++attribute sandbox_domain; ++attribute sandbox_x_domain; + + ######################################## + # + # Declarations + # + +-type sandbox_t; 
+-type sandbox_exec_t; +-application_domain(sandbox_t, sandbox_exec_t) +-init_daemon_domain(sandbox_t, sandbox_exec_t) +-role system_r types sandbox_t; ++sandbox_domain_template(sandbox) ++sandbox_x_domain_template(sandbox_x) ++sandbox_x_domain_template(sandbox_web) ++sandbox_x_domain_template(sandbox_net) + +-type sandbox_file_t; +-files_type(sandbox_file_t) ++type sandbox_xserver_t; ++domain_type(sandbox_xserver_t) ++xserver_common_app(sandbox_xserver_t) ++permissive sandbox_xserver_t; ++ ++type sandbox_xserver_tmpfs_t; ++files_tmpfs_file(sandbox_xserver_tmpfs_t) ++ ++type sandbox_devpts_t; ++term_pty(sandbox_devpts_t) ++files_type(sandbox_devpts_t) ++ ++######################################## ++# ++# sandbox xserver policy ++# ++allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; ++allow sandbox_xserver_t self:shm create_shm_perms; ++allow sandbox_xserver_t self:tcp_socket create_socket_perms; ++ ++manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++ ++corecmd_exec_bin(sandbox_xserver_t) ++corecmd_exec_shell(sandbox_xserver_t) ++ ++corenet_all_recvfrom_unlabeled(sandbox_xserver_t) ++corenet_all_recvfrom_netlabel(sandbox_xserver_t) ++corenet_tcp_sendrecv_generic_if(sandbox_xserver_t) ++corenet_udp_sendrecv_generic_if(sandbox_xserver_t) ++corenet_tcp_sendrecv_generic_node(sandbox_xserver_t) ++corenet_udp_sendrecv_generic_node(sandbox_xserver_t) ++corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) 
++corenet_udp_sendrecv_all_ports(sandbox_xserver_t) ++corenet_tcp_bind_generic_node(sandbox_xserver_t) ++corenet_tcp_bind_xserver_port(sandbox_xserver_t) ++corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) ++corenet_sendrecv_all_client_packets(sandbox_xserver_t) ++ ++files_read_etc_files(sandbox_xserver_t) ++files_read_usr_files(sandbox_xserver_t) ++files_search_home(sandbox_xserver_t) ++fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) ++ ++miscfiles_read_fonts(sandbox_xserver_t) ++miscfiles_read_localization(sandbox_xserver_t) ++ ++kernel_read_system_state(sandbox_xserver_t) ++ ++auth_use_nsswitch(sandbox_xserver_t) ++ ++userdom_use_user_terminals(sandbox_xserver_t) ++ ++xserver_entry_type(sandbox_xserver_t) ++ ++optional_policy(` ++ dbus_system_bus_client(sandbox_xserver_t) ++ ++ optional_policy(` ++ hal_dbus_chat(sandbox_xserver_t) ++ ') ++') - userdom_use_user_ptys(sandbox_t) + ######################################## + # +@@ -20,21 +86,189 @@ + # + + ## internal communication is often done using fifo and unix sockets. 
+-allow sandbox_t self:fifo_file rw_file_perms; +-allow sandbox_t self:unix_stream_socket create_stream_socket_perms; ++allow sandbox_domain self:fifo_file rw_file_perms; ++allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; ++ ++files_rw_all_inherited_files(sandbox_domain) ++files_entrypoint_all_files(sandbox_domain) ++ ++miscfiles_read_localization(sandbox_domain) ++ ++kernel_dontaudit_read_system_state(sandbox_domain) ++corecmd_exec_all_executables(sandbox_domain) ++ ++ ++######################################## ++# ++# sandbox_x_domain local policy ++# ++allow sandbox_x_domain self:process { signal_perms getsched setpgid }; ++allow sandbox_x_domain self:shm create_shm_perms; ++allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow sandbox_x_domain self:unix_dgram_socket create_socket_perms; ++allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; ++dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++ ++dev_read_urand(sandbox_x_domain) ++dev_dontaudit_read_rand(sandbox_x_domain) ++ ++files_read_etc_files(sandbox_x_domain) ++files_read_usr_files(sandbox_x_domain) ++files_read_usr_symlinks(sandbox_x_domain) ++ ++fs_getattr_tmpfs(sandbox_x_domain) ++fs_getattr_xattr_fs(sandbox_x_domain) ++ ++auth_dontaudit_read_login_records(sandbox_x_domain) ++ ++init_read_utmp(sandbox_x_domain) ++ ++term_getattr_pty_fs(sandbox_x_domain) ++term_use_ptmx(sandbox_x_domain) ++ ++logging_send_syslog_msg(sandbox_x_domain) ++ ++miscfiles_read_fonts(sandbox_x_domain) ++ ++optional_policy(` ++ gnome_read_gconf_config(sandbox_x_domain) ++') ++ ++optional_policy(` ++ cups_stream_connect(sandbox_x_domain) ++ cups_read_rw_config(sandbox_x_domain) ++') ++ ++######################################## ++# ++# sandbox_x_client_t local policy ++# ++allow sandbox_x_client_t self:tcp_socket create_socket_perms; ++allow sandbox_x_client_t self:udp_socket create_socket_perms; 
++allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; ++allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; ++ ++dev_read_rand(sandbox_x_client_t) ++ ++corenet_tcp_connect_ipp_port(sandbox_x_client_t) + -+kernel_dontaudit_read_system_state(sandbox_t) -+corecmd_exec_all_executables(sandbox_t) ++auth_use_nsswitch(sandbox_x_client_t) ++ ++dbus_system_bus_client(sandbox_x_client_t) ++dbus_read_config(sandbox_x_client_t) ++selinux_get_fs_mount(sandbox_x_client_t) ++selinux_validate_context(sandbox_x_client_t) ++selinux_compute_access_vector(sandbox_x_client_t) ++selinux_compute_create_context(sandbox_x_client_t) ++selinux_compute_relabel_context(sandbox_x_client_t) ++selinux_compute_user_contexts(sandbox_x_client_t) ++seutil_read_default_contexts(sandbox_x_client_t) ++ ++optional_policy(` ++ hal_dbus_chat(sandbox_x_client_t) ++') ++ ++######################################## ++# ++# sandbox_web_client_t local policy ++# ++allow sandbox_web_client_t self:capability { setuid setgid }; ++allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay; ++allow sandbox_web_client_t self:process setsched; ++ ++allow sandbox_web_client_t self:tcp_socket create_socket_perms; ++allow sandbox_web_client_t self:udp_socket create_socket_perms; ++allow sandbox_web_client_t self:dbus { acquire_svc send_msg }; ++allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms; ++ ++dev_read_rand(sandbox_web_client_t) ++ ++# Browse the web, connect to printer ++corenet_all_recvfrom_unlabeled(sandbox_web_client_t) ++corenet_all_recvfrom_netlabel(sandbox_web_client_t) ++corenet_tcp_sendrecv_generic_if(sandbox_web_client_t) ++corenet_raw_sendrecv_generic_if(sandbox_web_client_t) ++corenet_tcp_sendrecv_generic_node(sandbox_web_client_t) ++corenet_raw_sendrecv_generic_node(sandbox_web_client_t) ++corenet_tcp_sendrecv_http_port(sandbox_web_client_t) ++corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t) 
++corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t) ++corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t) ++corenet_tcp_connect_http_port(sandbox_web_client_t) ++corenet_tcp_connect_http_cache_port(sandbox_web_client_t) ++corenet_tcp_connect_ftp_port(sandbox_web_client_t) ++corenet_tcp_connect_ipp_port(sandbox_web_client_t) ++corenet_tcp_connect_generic_port(sandbox_web_client_t) ++corenet_sendrecv_http_client_packets(sandbox_web_client_t) ++corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t) ++corenet_sendrecv_ftp_client_packets(sandbox_web_client_t) ++corenet_sendrecv_ipp_client_packets(sandbox_web_client_t) ++corenet_sendrecv_generic_client_packets(sandbox_web_client_t) ++# Should not need other ports ++corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t) ++corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) ++corenet_tcp_connect_speech_port(sandbox_web_client_t) ++ ++auth_use_nsswitch(sandbox_web_client_t) ++ ++dbus_system_bus_client(sandbox_web_client_t) ++dbus_read_config(sandbox_web_client_t) ++selinux_get_fs_mount(sandbox_web_client_t) ++selinux_validate_context(sandbox_web_client_t) ++selinux_compute_access_vector(sandbox_web_client_t) ++selinux_compute_create_context(sandbox_web_client_t) ++selinux_compute_relabel_context(sandbox_web_client_t) ++selinux_compute_user_contexts(sandbox_web_client_t) ++seutil_read_default_contexts(sandbox_web_client_t) ++ ++optional_policy(` ++ nsplugin_read_rw_files(sandbox_web_client_t) ++ nsplugin_rw_exec(sandbox_web_client_t) ++') ++ ++optional_policy(` ++ hal_dbus_chat(sandbox_web_client_t) ++') ++ ++######################################## ++# ++# sandbox_net_client_t local policy ++# ++allow sandbox_net_client_t self:tcp_socket create_socket_perms; ++allow sandbox_net_client_t self:udp_socket create_socket_perms; ++allow sandbox_net_client_t self:dbus { acquire_svc send_msg }; ++allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms; ++ 
++dev_read_rand(sandbox_net_client_t) + +-manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) +-manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) +-manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) +-manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) +-manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) ++corenet_all_recvfrom_unlabeled(sandbox_net_client_t) ++corenet_all_recvfrom_netlabel(sandbox_net_client_t) ++corenet_tcp_sendrecv_generic_if(sandbox_net_client_t) ++corenet_udp_sendrecv_generic_if(sandbox_net_client_t) ++corenet_tcp_sendrecv_generic_node(sandbox_net_client_t) ++corenet_udp_sendrecv_generic_node(sandbox_net_client_t) ++corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) ++corenet_udp_sendrecv_all_ports(sandbox_net_client_t) ++corenet_tcp_connect_all_ports(sandbox_net_client_t) ++corenet_sendrecv_all_client_packets(sandbox_net_client_t) + +-files_rw_all_inherited_files(sandbox_t) +-files_entrypoint_all_files(sandbox_t) ++auth_use_nsswitch(sandbox_net_client_t) + +-libs_use_ld_so(sandbox_t) +-libs_use_shared_libs(sandbox_t) ++dbus_system_bus_client(sandbox_net_client_t) ++dbus_read_config(sandbox_net_client_t) ++selinux_get_fs_mount(sandbox_net_client_t) ++selinux_validate_context(sandbox_net_client_t) ++selinux_compute_access_vector(sandbox_net_client_t) ++selinux_compute_create_context(sandbox_net_client_t) ++selinux_compute_relabel_context(sandbox_net_client_t) ++selinux_compute_user_contexts(sandbox_net_client_t) ++seutil_read_default_contexts(sandbox_net_client_t) + +-miscfiles_read_localization(sandbox_t) ++optional_policy(` ++ nsplugin_read_rw_files(sandbox_web_client_t) ++ nsplugin_rw_exec(sandbox_web_client_t) ++') + +-userdom_use_user_ptys(sandbox_t) ++optional_policy(` ++ hal_dbus_chat(sandbox_net_client_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc 
serefpolicy-3.6.12/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-04-07 15:54:49.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc 2009-05-26 08:07:56.000000000 -0400 @@ -613,7 +1091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-22 17:34:22.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-23 17:00:28.000000000 -0400 @@ -91,6 +91,9 @@ kernel_read_proc_symlinks(domain) kernel_read_crypto_sysctls(domain) @@ -676,6 +1154,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; +@@ -186,6 +209,7 @@ + ifdef(`hide_broken_symptoms',` + fs_list_inotifyfs(domain) + allow domain domain:key { link search }; ++ dbus_dontaudit_system_bus_rw_tcp_sockets(domain) + ') + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-06-15 08:32:29.000000000 -0400 
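Review bot: In the new sandbox.te, the `optional_policy` block under the "sandbox_net_client_t local policy" header calls `nsplugin_read_rw_files(sandbox_web_client_t)` and `nsplugin_rw_exec(sandbox_web_client_t)`, which repeats the web-client block and grants nothing to the net client; if nsplugin access is intended there, both arguments should be `sandbox_net_client_t`, otherwise the block should be dropped. The same file declares `permissive sandbox_xserver_t;`, so denials for the sandbox X server are logged but not enforced, while every `sandbox_x_domain` may `connectto` it. I would add a comment stating when that line is to be removed, in the way the template already carries `# permissive $1_client_t;` commented out. In sandbox.if the summaries of `sandbox_domain_template` and `sandbox_x_domain_template` still read "Creates types and rules for a basic qemu process domain", and `sandbox_rw_xserver_tmpfs_files` documents its parameter as "Domain to not audit" although the body is an `allow`.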
@@ -1121,12 +1607,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-06-15 15:00:15.000000000 -0400 -@@ -287,6 +287,7 @@ ++++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-06-23 16:51:54.000000000 -0400 +@@ -287,6 +287,11 @@ manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) +filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) ++ ++manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) ++manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) ++files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) 
@@ -1182,6 +1672,217 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.12/policy/modules/services/nslcd.fc +--- nsaserefpolicy/policy/modules/services/nslcd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nslcd.fc 2009-06-24 09:04:03.000000000 -0400 +@@ -0,0 +1,4 @@ ++/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) ++/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) ++/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) ++/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.12/policy/modules/services/nslcd.if +--- nsaserefpolicy/policy/modules/services/nslcd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nslcd.if 2009-06-24 09:04:03.000000000 -0400 +@@ -0,0 +1,145 @@ ++ ++## policy for nslcd ++ ++######################################## ++## ++## Execute a domain transition to run nslcd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`nslcd_domtrans',` ++ gen_require(` ++ type nslcd_t; ++ type nslcd_exec_t; ++ ') ++ ++ domtrans_pattern($1,nslcd_exec_t,nslcd_t) ++') ++ ++ ++######################################## ++## ++## Execute nslcd server in the nslcd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`nslcd_initrc_domtrans',` ++ gen_require(` ++ type nslcd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1,nslcd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read nslcd PID files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nslcd_read_pid_files',` ++ gen_require(` ++ type nslcd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 nslcd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage nslcd var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nslcd_manage_var_run',` ++ gen_require(` ++ type nslcd_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ++ manage_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ++ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an nslcd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the nslcd domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`nslcd_admin',` ++ gen_require(` ++ type nslcd_t; ++ ') ++ ++ allow $1 nslcd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, nslcd_t, nslcd_t) ++ allow $1 nslcd_conf_t:file read_file_perms; ++ ++ gen_require(` ++ type nslcd_initrc_exec_t; ++ ') ++ ++ # Allow nslcd_t to restart the apache service ++ nslcd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 nslcd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ nslcd_manage_var_run($1) ++') ++ ++ ++######################################## ++## ++## Connect to nslcd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`nslcd_use',` ++ gen_require(` ++ type nslcd_t, var_run_t, nslcd_var_run_t; ++ ') ++ ++# list_dirs_pattern($1, var_run_t, nslcd_var_run_t) ++ write_sock_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ++ allow $1 nslcd_t:unix_stream_socket connectto; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.12/policy/modules/services/nslcd.te +--- nsaserefpolicy/policy/modules/services/nslcd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nslcd.te 2009-06-24 09:04:03.000000000 -0400 +@@ -0,0 +1,50 @@ ++policy_module(nslcd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type nslcd_t; ++type nslcd_exec_t; ++init_daemon_domain(nslcd_t, nslcd_exec_t) ++ ++#permissive nslcd_t; ++ ++type nslcd_initrc_exec_t; ++init_script_file(nslcd_initrc_exec_t) ++ ++type nslcd_var_run_t; ++files_pid_file(nslcd_var_run_t) ++ ++type nslcd_conf_t; ++files_type(nslcd_conf_t) ++allow nslcd_t nslcd_conf_t:file read_file_perms; ++ ++######################################## ++# ++# nslcd local policy ++# ++ ++allow nslcd_t self:capability { setgid setuid dac_override }; ++ ++# Init script handling ++domain_use_interactive_fds(nslcd_t) ++ ++# internal communication is often done using fifo and unix sockets. 
++allow nslcd_t self:sock_file rw_file_perms; ++allow nslcd_t self:unix_stream_socket create_stream_socket_perms; ++allow nslcd_t self:process signal; ++ ++files_read_etc_files(nslcd_t) ++ ++miscfiles_read_localization(nslcd_t) ++ ++manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) ++manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) ++files_pid_filetrans(nslcd_t,nslcd_var_run_t, { file dir }) ++allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms; ++ ++auth_use_nsswitch(nslcd_t) ++ ++logging_send_syslog_msg(nslcd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 15:54:45.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-16 09:51:56.000000000 -0400 
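Review bot: `nslcd_admin` in the new nslcd.if uses `nslcd_conf_t` in `allow $1 nslcd_conf_t:file read_file_perms;`, but its two `gen_require` blocks name only `nslcd_t` and `nslcd_initrc_exec_t`, so a module calling the interface would reference a type it has not required; the first block should read `type nslcd_t, nslcd_conf_t, nslcd_initrc_exec_t;`. The comment above `nslcd_initrc_domtrans($1)` says "Allow nslcd_t to restart the apache service", which is left over from another module and should describe the caller restarting nslcd. The interface also grants the admin domain `ptrace` on `nslcd_t`, and nslcd.te gives the daemon `dac_override`; neither carries a comment saying why it is needed, and a one-line justification for each would help whoever audits this module next. `allow nslcd_t self:sock_file rw_file_perms;` looks like template residue, since the socket under `nslcd_var_run_t` is already covered by `allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms;`.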
@@ -1214,6 +1915,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if +--- nsaserefpolicy/policy/modules/services/polkit.if 2009-05-21 08:27:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-06-24 08:28:38.000000000 -0400 +@@ -217,6 +217,7 @@ + polkit_run_grant($2, $1) + polkit_read_lib($2) + polkit_read_reload($2) ++ polkit_dbus_chat($2) + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-05-21 08:27:59.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-06-03 08:38:18.000000000 -0400 
@@ -1479,10 +2191,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_rw_image_files(svirt_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc +--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-05-21 08:27:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.fc 2009-06-24 08:58:23.000000000 -0400 +@@ -62,6 +62,7 @@ + /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) + /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) + /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) + /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) + ifdef(`distro_debian', ` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if +--- nsaserefpolicy/policy/modules/services/xserver.if 2009-05-21 08:27:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-06-24 08:57:49.000000000 -0400 +@@ -861,6 +861,24 @@ + + ######################################## + ## ++## Make an X executable an entrypoint for the specified domain. ++## ++## ++## ++## The domain for which the shell is an entrypoint. ++## ++## ++# ++interface(`xserver_entry_type',` ++ gen_require(` ++ type xserver_exec_t; ++ ') ++ ++ domain_entry_file($1, xserver_exec_t) ++') ++ ++######################################## ++## + ## Execute an X session in the target domain. This + ## is an explicit transition, requiring the + ## caller to use setexeccon(). 
+@@ -1411,6 +1429,7 @@ + xserver_read_xdm_tmp_files($1) + xserver_xdm_stream_connect($1) + xserver_setattr_xdm_tmp_dirs($1) ++ xserver_read_xdm_pid($1) + + allow $1 xdm_t:x_client { getattr destroy }; + allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-06-12 13:40:09.000000000 -0400 -@@ -530,6 +530,7 @@ ++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-06-24 08:58:07.000000000 -0400 +@@ -370,8 +370,9 @@ + manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) ++ + fs_getattr_all_fs(xdm_t) +-fs_search_inotifyfs(xdm_t) ++fs_list_inotifyfs(xdm_t) + fs_read_noxattr_fs_files(xdm_t) + + manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) +@@ -530,6 +531,7 @@ miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) miscfiles_manage_localization(xdm_t) @@ -1490,7 +2260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -538,6 +539,7 @@ +@@ -538,6 +540,7 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
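Review bot: The summary of the new `xserver_entry_type` interface in xserver.if describes its parameter as "The domain for which the shell is an entrypoint", but the body is `domain_entry_file($1, xserver_exec_t)`; the text should name the X server executable instead of the shell. Because this hunk also labels `/usr/bin/Xephyr` as `xserver_exec_t` alongside Xorg and Xair, I would state in the summary that a domain passed here becomes enterable through every binary carrying that label, not only Xephyr.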
@@ -1498,10 +2268,56 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) +@@ -839,7 +842,6 @@ + fs_search_nfs(xserver_t) + fs_search_auto_mountpoints(xserver_t) + fs_search_ramfs(xserver_t) +-fs_list_inotifyfs(xdm_t) + fs_rw_tmpfs_files(xserver_t) + + mls_xwin_read_to_clearance(xserver_t) +@@ -931,6 +933,10 @@ + ') + + optional_policy(` ++ sandbox_rw_xserver_tmpfs_files(xserver_t) ++') ++ ++optional_policy(` + unconfined_domain(xserver_t) + unconfined_domtrans(xserver_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.12/policy/modules/system/authlogin.fc +--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-05-21 08:27:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.fc 2009-06-24 09:01:03.000000000 -0400 +@@ -24,6 +24,8 @@ + /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ') + ++/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) ++ + /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) + + /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +@@ -44,4 +46,3 @@ + /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +-/var/cache/coolkey(/.*)? 
gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-06-15 15:31:05.000000000 -0400 -@@ -77,6 +77,8 @@ ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-06-24 09:00:52.000000000 -0400 +@@ -42,8 +42,7 @@ + # + interface(`auth_login_pgm_domain',` + gen_require(` +- type var_auth_t; +- type auth_cache_t; ++ type var_auth_t, auth_cache_t; + ') + + domain_type($1) +@@ -77,6 +76,8 @@ # for SSP/ProPolice dev_read_urand($1) @@ -1510,7 +2326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for fingerprint readers dev_rw_input_dev($1) dev_rw_generic_usb_dev($1) -@@ -147,6 +149,11 @@ +@@ -143,6 +144,11 @@ ') optional_policy(` 
@@ -1519,9 +2335,351 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` - nis_authenticate($1) + fprintd_dbus_chat($1) ') +@@ -238,6 +244,96 @@ + + ######################################## + ## ++## Search authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_search_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ allow $1 auth_cache_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Read authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_read_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ read_files_pattern($1, auth_cache_t, auth_cache_t) ++') ++ ++######################################## ++## ++## Read/Write authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_rw_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ rw_files_pattern($1, auth_cache_t, auth_cache_t) ++') ++ ++######################################## ++## ++## Manage authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_manage_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ manage_files_pattern($1, auth_cache_t, auth_cache_t) ++') ++ ++####################################### ++## ++## Automatic transition from cache_t to cache. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_var_filetrans_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ files_var_filetrans($1,auth_cache_t,{ file dir } ) ++') ++ ++######################################## ++## + ## Run unix_chkpwd to check a password. + ## + ## +@@ -726,7 +822,7 @@ + + ######################################## + ## +-## Send signal to pam process ++## Send generic signals to pam processes. 
+ ## + ## + ## +@@ -1258,6 +1354,25 @@ + + ######################################## + ## ++## dontaudit read login records files (/var/log/wtmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`auth_dontaudit_read_login_records',` ++ gen_require(` ++ type wtmp_t; ++ ') ++ ++ dontaudit $1 wtmp_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to write to + ## login records files. + ## +@@ -1415,6 +1530,10 @@ + ') + + optional_policy(` ++ nslcd_use($1) ++ ') ++ ++ optional_policy(` + sssd_stream_connect($1) + ') + +@@ -1456,99 +1575,3 @@ + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; + ') +- +-######################################## +-## +-## Search authentication cache +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-# +-interface(`auth_search_cache',` +- gen_require(` +- type auth_cache_t; +- ') +- +- allow $1 auth_cache_t:dir search_dir_perms; +-') +- +-######################################## +-## +-## Read authentication cache +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-# +-interface(`auth_read_cache',` +- gen_require(` +- type auth_cache_t; +- ') +- +- read_files_pattern($1, auth_cache_t, auth_cache_t) +-') +- +-######################################## +-## +-## Read/Write authentication cache +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-# +-interface(`auth_rw_cache',` +- gen_require(` +- type auth_cache_t; +- ') +- +- rw_files_pattern($1, auth_cache_t, auth_cache_t) +-') +-######################################## +-## +-## Manage authentication cache +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-# +-interface(`auth_manage_cache',` +- gen_require(` +- type auth_cache_t; +- ') +- +- manage_files_pattern($1, auth_cache_t, auth_cache_t) +-') +- +-####################################### +-## +-## Automatic transition from cache_t to cache. 
+-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`auth_filetrans_cache',` +- gen_require(` +- type auth_cache_t; +- ') +- +- manage_files_pattern($1, auth_cache_t, auth_cache_t) +- manage_dirs_pattern($1, auth_cache_t, auth_cache_t) +- files_var_filetrans($1,auth_cache_t,{ file dir } ) +-') +- +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.12/policy/modules/system/authlogin.te +--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-05-21 08:27:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.te 2009-06-24 09:01:40.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(authlogin, 2.0.0) ++policy_module(authlogin, 2.0.2) + + ######################################## + # +@@ -10,9 +10,12 @@ + attribute can_write_shadow_passwords; + attribute can_relabelto_shadow_passwords; + ++type auth_cache_t; ++logging_log_file(auth_cache_t) ++ + type chkpwd_t, can_read_shadow_passwords; + type chkpwd_exec_t; +-typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t system_chkpwd_t }; ++typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; + typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; + application_domain(chkpwd_t, chkpwd_exec_t) + role system_r types chkpwd_t; +@@ -57,15 +60,13 @@ + type updpwd_exec_t; + domain_type(updpwd_t) + domain_entry_file(updpwd_t,updpwd_exec_t) ++domain_obj_id_change_exemption(updpwd_t) + role system_r types updpwd_t; + + type utempter_t; + type utempter_exec_t; + application_domain(utempter_t,utempter_exec_t) + +-type auth_cache_t; +-logging_log_file(auth_cache_t) +- + # + # var_auth_t is the type of /var/lib/auth, usually + # used for auth data in pam_able +@@ -180,11 +181,6 @@ + + logging_send_syslog_msg(pam_t) + +-userdom_write_user_tmp_files(pam_t) +-userdom_delete_user_tmp_files(pam_t) +-userdom_dontaudit_read_user_home_content_files(pam_t) 
+-userdom_dontaudit_write_user_home_content_files(pam_t) +- + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(pam_t) +@@ -200,7 +196,7 @@ + # PAM console local policy + # + +-allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid }; ++allow pam_console_t self:capability { chown fowner fsetid }; + dontaudit pam_console_t self:capability sys_tty_config; + + allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; +@@ -218,8 +214,6 @@ + dev_read_sysfs(pam_console_t) + dev_getattr_apm_bios_dev(pam_console_t) + dev_setattr_apm_bios_dev(pam_console_t) +-dev_getattr_cpu_dev(pam_console_t) +-dev_setattr_cpu_dev(pam_console_t) + dev_getattr_dri_dev(pam_console_t) + dev_setattr_dri_dev(pam_console_t) + dev_getattr_input_dev(pam_console_t) +@@ -244,10 +238,6 @@ + dev_setattr_video_dev(pam_console_t) + dev_getattr_xserver_misc_dev(pam_console_t) + dev_setattr_xserver_misc_dev(pam_console_t) +- +-dev_getattr_all_chr_files(pam_console_t) +-dev_setattr_all_chr_files(pam_console_t) +- + dev_read_urand(pam_console_t) + + mls_file_read_all_levels(pam_console_t) +@@ -329,6 +319,7 @@ + # updpwd local policy + # + ++allow updpwd_t self:capability { chown dac_override }; + allow updpwd_t self:process setfscreate; + allow updpwd_t self:fifo_file rw_fifo_file_perms; + allow updpwd_t self:unix_stream_socket create_stream_socket_perms; +@@ -336,6 +327,8 @@ + + kernel_read_system_state(updpwd_t) + ++dev_read_urand(updpwd_t) ++ + files_manage_etc_files(updpwd_t) + + term_dontaudit_use_console(updpwd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-05-21 08:27:59.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-05-26 09:15:52.000000000 -0400 
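Review bot: The added `allow updpwd_t self:capability { chown dac_override };` in the authlogin.te hunk has no comment naming the access that was denied, and the added `domain_obj_id_change_exemption(updpwd_t)` has none either. `dac_override` is broad next to the `files_manage_etc_files(updpwd_t)` visible a few lines further down: together they presumably let the domain rewrite generically labelled /etc files regardless of their mode bits. I would put a why-comment above the rule, for example `# chown/dac_override: <operation that was denied> - confirm a narrower grant is not enough`, so the capability can be re-checked later. The pam_console_t rule in the same hunk drops `dac_override dac_read_search`, so the loosening here deserves at least as much explanation as that tightening.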
@@ -1778,8 +2936,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-06-01 08:19:34.000000000 -0400 -@@ -1880,7 +1880,7 @@ ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-06-24 08:30:23.000000000 -0400 +@@ -627,12 +627,6 @@ + ') + + optional_policy(` +- devicekit_dbus_chat($1_usertype) +- devicekit_power_dbus_chat($1_usertype) +- devicekit_disk_dbus_chat($1_usertype) +- ') +- +- optional_policy(` + evolution_dbus_chat($1_usertype) + evolution_alarm_dbus_chat($1_usertype) + ') +@@ -968,6 +962,16 @@ + ') + + optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_power_dbus_chat($1_usertype) ++ devicekit_disk_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ gnomeclock_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` + gnome_manage_config($1_usertype) + gnome_manage_gconf_home_files($1_usertype) + gnome_read_gconf_config($1_usertype) +@@ -1880,7 +1884,7 @@ type user_home_t; ') @@ -1788,6 +2976,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +@@ -3317,10 +3321,6 @@ + seutil_run_newrole($1_t, $1_r) + + optional_policy(` +- gnomeclock_dbus_chat($1_t) +- ') +- +- optional_policy(` + kerneloops_dbus_chat($1_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 2009-05-21 08:27:59.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-06-12 14:53:26.000000000 -0400 
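Review bot: `gnomeclock_dbus_chat` is not simply moved in userdomain.if: the block removed at -3317 (next outer hunk) granted it to `$1_t`, while the block added at +968 grants it to `$1_usertype`, inside a template whose header is outside the hunk. If restricted logins such as xguest instantiate that template, they gain D-Bus access to the GNOME clock mechanism (as far as the name indicates) that the old placement may not have given them. The `devicekit_*_dbus_chat` calls are relocated the same way from the block at -627. Please confirm which roles instantiate the new location and record it next to the block, for example `# gnomeclock/devicekit: full desktop login users only, see <template name>`.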
diff --git a/selinux-policy.spec b/selinux-policy.spec index dacc158..0b4512c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 57%{?dist} +Release: 59%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,12 @@ exit 0 %endif %changelog +* Wed Jun 24 2009 Dan Walsh 3.6.12-59 +- Fix up xguest policy + +* Tue Jun 23 2009 Dan Walsh 3.6.12-58 +- Allow kpropd to create tmp files + * Sat Jun 20 2009 Dan Walsh 3.6.12-57 - Allow mysqld_safe to manage db files - Allow udev_t to read/write anon_inodefs