From 9185bf2fee405215d1b2d42e70f600d737f51401 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 13 2007 14:15:08 +0000 Subject: - Pass the UNK_PERMS param to makefile - Fix gdm location --- diff --git a/policy-20070703.patch b/policy-20070703.patch index fecee28..5b9a984 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -2763,6 +2763,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp auth_manage_pam_pid($1_userhelper_t) auth_manage_var_auth($1_userhelper_t) auth_search_pam_console_data($1_userhelper_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.8/policy/modules/apps/vmware.fc +--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-09-12 10:34:49.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/vmware.fc 2007-10-12 08:22:18.000000000 -0400 +@@ -30,10 +30,12 @@ + /usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) + /usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) ++/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) + + /usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) + /usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) ++/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) + + ifdef(`distro_gentoo',` + /opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-09-12 10:34:49.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-10-03 11:10:24.000000000 -0400 
@@ -3609,7 +3625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-10 16:06:13.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-12 11:58:32.000000000 -0400 @@ -271,45 +271,6 @@ ######################################## @@ -4117,7 +4133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-10-12 09:25:42.000000000 -0400 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; 
@@ -7433,16 +7449,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2007-10-03 11:10:24.000000000 -0400 -@@ -55,6 +55,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2007-10-12 09:27:35.000000000 -0400 +@@ -55,6 +55,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t) + apache_read_config(mailman_cgi_t) ++ apache_dontaudit_rw_stream_sockets(mailman_cgi_t) optional_policy(` nscd_socket_use(mailman_cgi_t) -@@ -96,6 +97,7 @@ +@@ -96,6 +98,7 @@ kernel_read_proc_symlinks(mailman_queue_t) auth_domtrans_chk_passwd(mailman_queue_t) @@ -8616,7 +8633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-10-12 09:13:21.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
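Review bot: `apache_dontaudit_rw_stream_sockets(mailman_cgi_t)` is added to the mailman_cgi_t block with nothing beside it saying which denial it is meant to quiet, so a later reader cannot tell a deliberate dontaudit from a missing allow. A one-line comment above it, e.g. `# inherited httpd stream socket fds the CGI never uses; silence, do not allow`, would record the intent (presumably the descriptor inherited from httpd, though the hunk does not show that). The mailman_cgi_t block continues outside the hunk.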
@@ -8656,7 +8673,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix master process local policy -@@ -164,10 +182,9 @@ +@@ -93,6 +111,7 @@ + allow postfix_master_t self:fifo_file rw_fifo_file_perms; + allow postfix_master_t self:tcp_socket create_stream_socket_perms; + allow postfix_master_t self:udp_socket create_socket_perms; ++allow postfix_master_t self:process setrlimit; + + allow postfix_master_t postfix_etc_t:file rw_file_perms; + +@@ -164,10 +183,11 @@ # postfix does a "find" on startup for some reason - keep it quiet seutil_dontaudit_search_config(postfix_master_t) @@ -8664,11 +8689,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post - mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) ++mta_getattr_spool(postfix_master_t) ++ +term_dontaudit_search_ptys(postfix_master_t) optional_policy(` cyrus_stream_connect(postfix_master_t) -@@ -179,7 +196,11 @@ +@@ -179,7 +199,11 @@ ') optional_policy(` @@ -8681,7 +8708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ########################################################### -@@ -263,6 +284,8 @@ +@@ -263,6 +287,8 @@ files_read_etc_files(postfix_local_t) @@ -8690,7 +8717,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -336,8 +359,6 @@ +@@ -275,6 +301,7 @@ + optional_policy(` + # for postalias + mailman_manage_data_files(postfix_local_t) ++ mailman_append_log(postfix_local_t) + ') + + optional_policy(` +@@ -336,8 +363,6 @@ seutil_read_config(postfix_map_t) 
@@ -8699,7 +8734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -377,7 +398,7 @@ +@@ -377,7 +402,7 @@ # Postfix pipe local policy # @@ -8708,7 +8743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -386,6 +407,10 @@ +@@ -386,6 +411,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -8719,7 +8754,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -418,14 +443,17 @@ +@@ -394,6 +423,10 @@ + ') + + optional_policy(` ++ mta_manage_spool(postfix_pipe_t) ++') ++ ++optional_policy(` + uucp_domtrans_uux(postfix_pipe_t) + ') + +@@ -418,14 +451,17 @@ term_dontaudit_use_all_user_ptys(postfix_postdrop_t) term_dontaudit_use_all_user_ttys(postfix_postdrop_t) @@ -8739,7 +8785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) -@@ -454,8 +482,6 @@ +@@ -454,8 +490,6 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -8748,7 +8794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -498,15 +524,11 @@ +@@ -498,15 +532,11 @@ term_use_all_user_ptys(postfix_showq_t) term_use_all_user_ttys(postfix_showq_t) 
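Review bot: `mta_manage_spool(postfix_pipe_t)` in the new `@@ -394,6 +423,10 @@` hunk gives the pipe delivery agent manage-class access (create, rename and unlink, not only read/write) over the mail spool type, which is broader than the `rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)` access the same domain already has a few lines above. If the agent only needs to read and write existing spool files, a narrower mta spool interface would be the least-privilege choice; if manage really is required, a comment naming the delivery step that creates or removes spool entries would document the widening. Wrapping the rule in `optional_policy(` follows the neighbouring uucp block, so that part is style rather than a defect.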
@@ -8764,7 +8810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -514,6 +536,8 @@ +@@ -514,6 +544,8 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -8773,7 +8819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -538,9 +562,45 @@ +@@ -538,9 +570,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -10831,7 +10877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs. dev_read_sysfs(xfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-08 13:25:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-13 10:12:41.000000000 -0400 @@ -32,11 +32,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) 
@@ -10844,7 +10890,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /opt # -@@ -92,13 +87,16 @@ +@@ -59,6 +54,7 @@ + + /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) + /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +@@ -92,13 +88,16 @@ /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) @@ -15135,7 +15189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-11 16:34:44.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-12 11:59:04.000000000 -0400 @@ -29,8 +29,9 @@ ') @@ -15730,7 +15784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -954,21 +886,165 @@ +@@ -954,21 +886,167 @@ ## ## # @@ -15823,6 +15877,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + fs_search_auto_mountpoints($1_usertype) + fs_list_inotifyfs($1_usertype) + ++ fs_rw_anon_inodefs_files($1_usertype) ++ + # Stop warnings about access to /dev/console + init_dontaudit_rw_utmp($1_usertype) + init_dontaudit_use_fds($1_usertype) 
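Review bot: The new `/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0)` entry special-cases gdm while the preceding `/usr/bin/[xgkw]dm` line still assumes every display-manager wrapper lives in /usr/bin, and only the `/usr/(s)?bin/gdm-binary` line anticipates an sbin location. If the other managers on that line can also be installed under /usr/sbin, widening it to `/usr/(s)?bin/[xgkw]dm` would cover them in one place; if only gdm moved, a short comment such as `# gdm wrapper is installed in /usr/sbin` next to the new line would record why it is listed separately. The file-context entry itself is correct as written.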
@@ -15902,7 +15958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -977,23 +1053,51 @@ +@@ -977,23 +1055,51 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -15965,31 +16021,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,20 +1133,12 @@ +@@ -1029,15 +1135,7 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) -+ corenet_tcp_bind_all_unreserved_ports($1_t) - ') - - optional_policy(` -- kerberos_use($1_t) - ') - - optional_policy(` -- loadkeys_run($1_t,$1_r,$1_tty_device_t) +- kerberos_use($1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) +- loadkeys_run($1_t,$1_r,$1_tty_device_t) ++ corenet_tcp_bind_all_unreserved_ports($1_t) ') - # Run pppd in pppd_t by default for user -@@ -1054,17 +1150,6 @@ + optional_policy(` +@@ -1054,17 +1152,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -16007,7 +16056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1187,8 @@ +@@ -1102,6 +1189,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -16016,7 +16065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1214,7 @@ +@@ -1127,7 +1216,7 @@ # $1_t local policy # 
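Review bot: Inside the `user_tcp_server` tunable, `corenet_tcp_bind_all_unreserved_ports($1_t)` now replaces `corenet_tcp_bind_generic_port($1_t)`, and nothing at the tunable explains the widening: a user domain with the boolean enabled may bind across the unreserved port types rather than the single generic port type. A comment on the tunable, e.g. `# user_tcp_server: bind any unreserved port, not only the generic port type`, would make the intended scope reviewable in the policy source instead of only in the patch history. The `kerberos_use` and `loadkeys_run` removals in the same hunk appear to be a reshuffle of lines this patch already dropped, so they are not re-raised here. The enclosing template body continues outside the hunk.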
@@ -16025,7 +16074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1226,11 @@ +@@ -1139,7 +1228,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -16038,7 +16087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1642,9 +1733,13 @@ +@@ -1642,9 +1735,13 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -16052,7 +16101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_type($2) ') -@@ -1894,10 +1989,46 @@ +@@ -1894,10 +1991,46 @@ template(`userdom_manage_user_home_content_dirs',` gen_require(` type $1_home_dir_t, $1_home_t; @@ -16100,7 +16149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3078,7 +3209,7 @@ +@@ -3078,7 +3211,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -16109,7 +16158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4609,11 +4740,29 @@ +@@ -4609,11 +4742,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -16140,7 +16189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4782,14 @@ +@@ -4633,6 +4784,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -16155,7 +16204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5480,7 @@ +@@ -5323,7 +5482,7 @@ attribute user_tmpfile; ') 
@@ -16164,7 +16213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5716,380 @@ +@@ -5559,3 +5718,380 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -16932,8 +16981,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-10-03 11:10:25.000000000 -0400 -@@ -0,0 +1,9 @@ ++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-10-12 12:03:20.000000000 -0400 +@@ -0,0 +1,13 @@ +policy_module(guest,1.0.0) +userdom_unpriv_login_user(guest) +userdom_unpriv_login_user(gadmin) @@ -16943,6 +16992,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t +optional_policy(` + hal_dbus_chat(xguest_t) +') ++ ++optional_policy(` ++ bluetooth_dbus_chat(xguest_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.8/policy/modules/users/logadm.fc 2007-10-03 11:10:25.000000000 -0400 
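Review bot: `bluetooth_dbus_chat(xguest_t)` lets the restricted xguest login exchange D-Bus messages with the bluetooth daemon, and guest.te carries no comment on why a guest session needs that channel. Since xguest_t is the domain this module exists to keep minimal, a line such as `# xguest desktop applet needs to talk to bluetoothd over the system bus` above the new optional_policy block would document the exception, and the hal block just above it would benefit from the same treatment. This is a documentation point; the rule is wrapped in `optional_policy(` as expected.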
@@ -17103,21 +17156,53 @@ Binary files nsaserefpolicy/ru/samba_selinux.8.gz and serefpolicy-3.0.8/ru/samba Binary files nsaserefpolicy/ru/ypbind_selinux.8.gz and serefpolicy-3.0.8/ru/ypbind_selinux.8.gz differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.8/Rules.modular --- nsaserefpolicy/Rules.modular 2007-05-25 09:09:10.000000000 -0400 -+++ serefpolicy-3.0.8/Rules.modular 2007-10-03 11:10:25.000000000 -0400 -@@ -219,6 +219,16 @@ - - ######################################## ++++ serefpolicy-3.0.8/Rules.modular 2007-10-12 08:57:13.000000000 -0400 +@@ -96,6 +96,9 @@ + @test -d $(builddir) || mkdir -p $(builddir) + $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers + ++ifneq "$(UNK_PERMS)" "" ++$(base_mod): CHECKMODULE += -U $(UNK_PERMS) ++endif + $(base_mod): $(base_conf) + @echo "Compiling $(NAME) base module" + $(verbose) $(CHECKMODULE) $^ -o $@ +@@ -144,6 +147,7 @@ + + $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/rolemap.conf: $(rolemap) ++ $(verbose) echo "" > $@ + $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.0.8/Rules.monolithic +--- nsaserefpolicy/Rules.monolithic 2007-05-25 09:09:10.000000000 -0400 ++++ serefpolicy-3.0.8/Rules.monolithic 2007-10-12 08:57:21.000000000 -0400 +@@ -63,6 +63,9 @@ # -+# Validate File Contexts -+# -+validatefc: $(base_pkg) $(base_fc) -+ @echo "Validating file context." -+ $(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp -+ $(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc) -+ @echo "Success." 
-+ -+######################################## -+# - # Clean the sources + # Build a binary policy locally + # ++ifneq "$(UNK_PERMS)" "" ++$(polver): CHECKPOLICY += -U $(UNK_PERMS) ++endif + $(polver): $(policy_conf) + @echo "Compiling $(NAME) $(polver)" + ifneq ($(pv),$(kv)) +@@ -76,6 +79,9 @@ + # + # Install a binary policy # - clean: ++ifneq "$(UNK_PERMS)" "" ++$(loadpath): CHECKPOLICY += -U $(UNK_PERMS) ++endif + $(loadpath): $(policy_conf) + @mkdir -p $(policypath) + @echo "Compiling and installing $(NAME) $(loadpath)" +@@ -127,6 +133,7 @@ + @echo "divert" >> $@ + + $(tmpdir)/rolemap.conf: $(rolemap) ++ $(verbose) echo "" > $@ + $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf diff --git a/selinux-policy.spec b/selinux-policy.spec index bbb387d..2aa72ec 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -77,8 +77,8 @@ SELinux Policy development package exit 0 %define setupCmds() \ -make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \ -make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \ cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ 
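Review bot: The new `ifneq "$(UNK_PERMS)" ""` blocks in Rules.modular and Rules.monolithic pass `$(UNK_PERMS)` straight to `-U` without checking it, so a typo such as `UNK_PERMS=alow` is only rejected deep inside checkmodule or checkpolicy instead of at make time, and the three copies (`$(base_mod)`, `$(polver)`, `$(loadpath)`) would each need the same fix. Validating the value once against the actions the `-U` option accepts (allow, deny, reject) gives a clear error up front; the same guard belongs in both Rules.monolithic blocks. The `$(tmpdir)/rolemap.conf` targets also gain `$(verbose) echo "" > $@` before `parse-rolemap`, which reads like a leftover unless annotated, e.g. `# truncate first so a stale rolemap from an earlier build is not appended to`.
```makefile
ifneq "$(UNK_PERMS)" ""
ifeq "$(filter allow deny reject,$(UNK_PERMS))" ""
$(error UNK_PERMS must be allow, deny or reject)
endif
$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
endif
# … unchanged: $(base_mod) recipe …
```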
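Review bot: `%setupCmds` gains a fifth positional argument (`UNK_PERMS=%5`) but the macro still has no comment listing what its parameters mean, so a caller has to read every `make` line to learn that `%5` is the handle-unknown action. A comment above the `%define setupCmds() \` line, e.g. `# args: %1 name  %2 type  %3 direct_initrc  %4 poly  %5 unk_perms (allow|deny|reject)`, would document the contract; `%installCmds` in the next hunk takes the same five arguments and should carry the same note. If rpm expands an absent `%5` to an empty string, the `ifneq "$(UNK_PERMS)" ""` guard in the Makefiles keeps four-argument callers working, but that is inferred rather than shown here.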
@@ -86,10 +86,10 @@ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf ) %define installCmds() \ -make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ -make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ -make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \ -make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ #%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active \ 
@@ -192,24 +192,24 @@ make clean %if %{BUILD_TARGETED} # Build targeted policy # Commented out because only targeted ref policy currently builds -%setupCmds targeted mcs n y -%installCmds targeted mcs n y +%setupCmds targeted mcs n y allow +%installCmds targeted mcs n y allow %endif %if %{BUILD_MLS} # Build mls policy -%setupCmds mls mls n y -%installCmds mls mls n y +%setupCmds mls mls n y deny +%installCmds mls mls n y deny %endif %if %{BUILD_OLPC} # Build targeted policy # Commented out because only targeted ref policy currently builds -%setupCmds olpc mcs n y -%installCmds olpc mcs n y +%setupCmds olpc mcs n y allow +%installCmds olpc mcs n y allow %endif -make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs +make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs mkdir %{buildroot}%{_usr}/share/selinux/devel/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/ @@ -371,6 +371,10 @@ exit 0 %endif %changelog +* Fri Oct 12 2007 Dan Walsh 3.0.8-22 +- Pass the UNK_PERMS param to makefile +- Fix gdm location + * Wed Oct 10 2007 Dan Walsh 3.0.8-21 - Make alsa work
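Review bot: The `%setupCmds`/`%installCmds` calls now hard-code the handle-unknown action per policy, `allow` for targeted and olpc and `deny` for mls, and nothing in the spec says why the two differ. Because `allow` tells kernels that honor the flag to permit any object class or permission this policy does not define, a comment above the targeted block, e.g. `# UNK_PERMS=allow: unknown classes/perms are permitted so the policy keeps working on newer kernels; mls uses deny`, would record this as a deliberate tradeoff rather than an oversight. The standalone `make UNK_PERMS=allow ... install-headers install-docs` line repeats the targeted value instead of sharing it, so a reader changing the targeted setting has two places to update; a single `%define targeted_unk_perms allow` used by both would keep them in sync.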