From b40e71f972d6c4ce3ac2eefd3878adf59e6b648a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 09 2008 03:10:15 +0000 Subject: - Allow rsync to fownee and fsetid --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 9e00af7..08e3b96 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -26478,7 +26478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-10-08 17:01:58.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-10-08 23:00:59.000000000 -0400 @@ -17,6 +17,13 @@ ## @@ -26664,8 +26664,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +tunable_policy(`samba_create_home_dirs',` + allow smbd_t self:capability chown; -+ unprivuser_create_home_dir(smbd_t) -+ unprivuser_home_filetrans_home_dir(smbd_t) ++ userdom_create_generic_home_dir_files(smbd_t) ++ userdom_home_filetrans_generic_user_home_dir(smbd_t) +') + tunable_policy(`samba_export_all_ro',` @@ -37902,7 +37902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-10-03 11:04:47.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-10-08 23:00:48.000000000 -0400 @@ -29,9 +29,14 @@ ') 
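Review bot: The two replacement calls inside the `samba_create_home_dirs` tunable are not both backed by this commit: `userdom_create_generic_home_dir_files` is added later in this diff (it grants `user_home_dir_t:dir create_dir_perms` after `files_search_home`), but `userdom_home_filetrans_generic_user_home_dir` is not defined anywhere visible here, so it must already exist in the patch or in upstream userdomain.if, otherwise the samba module will fail to build. The commit subject and the spec changelog describe an rsync change ("fownee" is presumably a typo for the `fowner` capability) while the only policy changes visible in this diff are this samba hunk and the new userdom interface, so the message looks stale for what is actually committed. Since the tunable combines `self:capability chown`, directory creation in the home root and a type transition, I would add a comment above it spelling out the effect, e.g. `# smbd may create a missing user home directory, chown it, and have it labeled as a generic user home dir`.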
@@ -39203,7 +39203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2070,48 @@ +@@ -2038,11 +2070,67 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -39251,10 +39251,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + dontaudit $2 user_home_dir_t:file create; ++') ++ ++######################################## ++## ++## Create generic user home directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_create_generic_home_dir_files',` ++ gen_require(` ++ type user_home_dir_t; ++ ') ++ ++ files_search_home($1) ++ allow $1 user_home_dir_t:dir create_dir_perms; ') ######################################## -@@ -2074,10 +2143,10 @@ +@@ -2074,10 +2162,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -39267,7 +39286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2176,11 @@ +@@ -2107,11 +2195,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -39281,7 +39300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2210,11 @@ +@@ -2141,11 +2229,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -39296,7 +39315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2244,14 @@ +@@ -2175,10 +2263,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` 
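Review bot: The new interface `userdom_create_generic_home_dir_files` is misnamed: its only rule is `allow $1 user_home_dir_t:dir create_dir_perms;`, on the `dir` class, and its summary reads "Create generic user home directories" with no mention of files. Either rename it to `userdom_create_generic_home_dirs` (together with its one caller in samba.te) or make the summary state that only directory creation in the home root is granted, so a reader does not assume it also covers creating files inside the new directory. If `create_dir_perms` still expands to `{ getattr create }` in this tree, the interface also gives no permission to populate the directory it creates and no type transition, so callers have to pair it with a separate filetrans interface as the samba hunk does; that is worth a sentence in the description. The `userdom_manage_user_home_content_dirs` template whose closing lines appear at the top of this hunk starts before the hunk.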
@@ -39313,7 +39332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2281,11 @@ +@@ -2208,11 +2300,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -39327,7 +39346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2315,11 @@ +@@ -2242,11 +2334,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -39341,7 +39360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2349,10 @@ +@@ -2276,10 +2368,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -39354,7 +39373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2384,12 @@ +@@ -2311,12 +2403,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -39370,7 +39389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2421,10 @@ +@@ -2348,10 +2440,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -39383,7 +39402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2456,12 @@ +@@ -2383,12 +2475,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -39399,7 +39418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2493,12 @@ +@@ -2420,12 +2512,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` 
@@ -39415,7 +39434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2530,12 @@ +@@ -2457,12 +2549,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -39431,7 +39450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2580,11 @@ +@@ -2507,11 +2599,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -39445,7 +39464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2629,11 @@ +@@ -2556,11 +2648,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -39459,7 +39478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2673,11 @@ +@@ -2600,11 +2692,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -39473,7 +39492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2707,11 @@ +@@ -2634,11 +2726,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -39487,7 +39506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2741,11 @@ +@@ -2668,11 +2760,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -39501,7 +39520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2777,10 @@ +@@ -2704,10 +2796,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` 
@@ -39514,7 +39533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2812,10 @@ +@@ -2739,10 +2831,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -39527,7 +39546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2845,12 @@ +@@ -2772,12 +2864,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -39543,7 +39562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,20 +2882,20 @@ +@@ -2809,20 +2901,20 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -39568,7 +39587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## temporary files. ##

##

-@@ -2842,21 +2915,23 @@ +@@ -2842,21 +2934,23 @@ ## ## # @@ -39597,7 +39616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -2871,65 +2946,136 @@ +@@ -2871,35 +2965,106 @@ ## ## ##

@@ -39635,42 +39654,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo -## be called from a per-userdomain template. -##

-## --## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## --## - ## - ## --## Domain to not audit. ++## ++## +## Domain allowed access. - ## - ## - # --template(`userdom_dontaudit_manage_user_tmp_files',` ++## ++## ++# +interface(`userdom_unlink_unpriv_users_tmp_files',` - gen_require(` -- type $1_tmp_t; ++ gen_require(` + attribute user_tmpfile; - ') - -- dontaudit $2 $1_tmp_t:file manage_file_perms; ++ ') ++ + files_delete_tmp_dir_entry($1) + allow $1 user_tmpfile:file unlink; - ') - - ######################################## - ## --## Read user --## temporary symbolic links. ++') ++ ++######################################## ++## +## Connect to unpriviledged users over an unix stream socket. - ## --## --##

--## Read user --## temporary symbolic links. --##

++##
+## +## +## Domain allowed access. @@ -39736,40 +39738,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## be called from a per-userdomain template. +##

+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+template(`userdom_dontaudit_manage_user_tmp_files',` -+ gen_require(` + ## + ## + ## The prefix of the user domain (e.g., user +@@ -2914,10 +3079,10 @@ + # + template(`userdom_dontaudit_manage_user_tmp_files',` + gen_require(` +- type $1_tmp_t; + type user_tmp_t; -+ ') -+ + ') + +- dontaudit $2 $1_tmp_t:file manage_file_perms; + dontaudit $2 user_tmp_t:file manage_file_perms; -+') -+ -+######################################## -+## -+## Read user -+## temporary symbolic links. -+## -+## -+##

-+## Read user -+## temporary symbolic links. -+##

- ##

- ## This is a templated interface, and should only - ## be called from a per-userdomain template. -@@ -2949,12 +3095,12 @@ + ') + + ######################################## +@@ -2949,12 +3114,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -39785,7 +39770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3132,11 @@ +@@ -2986,11 +3151,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -39799,7 +39784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3168,11 @@ +@@ -3022,11 +3187,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -39813,7 +39798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3204,11 @@ +@@ -3058,11 +3223,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -39827,7 +39812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3240,11 @@ +@@ -3094,11 +3259,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -39841,7 +39826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3276,11 @@ +@@ -3130,11 +3295,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -39855,7 +39840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3325,10 @@ +@@ -3179,10 +3344,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` 
@@ -39868,7 +39853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3369,10 @@ +@@ -3223,10 +3388,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -39881,7 +39866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3400,42 @@ +@@ -3254,6 +3419,42 @@ ##

## # @@ -39924,7 +39909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -3267,6 +3449,42 @@ +@@ -3267,6 +3468,42 @@ ######################################## ## @@ -39967,7 +39952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## List users untrusted directories. ## ## -@@ -3962,6 +4180,24 @@ +@@ -3962,6 +4199,24 @@ ######################################## ## @@ -39992,7 +39977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Manage unpriviledged user SysV shared ## memory segments. ## -@@ -4231,11 +4467,11 @@ +@@ -4231,11 +4486,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -40006,7 +39991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4487,10 @@ +@@ -4251,10 +4506,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -40019,7 +40004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4506,11 @@ +@@ -4270,11 +4525,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -40033,7 +40018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4525,16 @@ +@@ -4289,16 +4544,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -40053,7 +40038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ##
## -@@ -4307,12 +4543,54 @@ +@@ -4307,12 +4562,54 @@ ##
## # @@ -40111,7 +40096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4605,13 @@ +@@ -4327,13 +4624,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -40129,7 +40114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4809,10 @@ +@@ -4531,10 +4828,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -40142,7 +40127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4829,10 @@ +@@ -4551,10 +4848,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -40155,7 +40140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4847,10 @@ +@@ -4569,10 +4866,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -40168,7 +40153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4866,10 @@ +@@ -4588,10 +4885,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -40181,7 +40166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4884,10 @@ +@@ -4606,10 +4903,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -40194,7 +40179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4903,10 @@ +@@ -4625,10 +4922,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` 
@@ -40207,7 +40192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4922,29 @@ +@@ -4644,12 +4941,29 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -40241,7 +40226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4971,10 @@ +@@ -4676,10 +4990,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -40254,7 +40239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4989,10 @@ +@@ -4694,10 +5008,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -40267,7 +40252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +5007,13 @@ +@@ -4712,13 +5026,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` 
@@ -40285,99 +40270,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,16 +5049,16 @@ +@@ -4754,11 +5068,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` -- attribute home_dir_type; + attribute user_home_dir_type; - ') - - files_list_home($1) -- allow $1 home_dir_type:dir search_dir_perms; -+ allow $1 user_home_dir_type:dir search_dir_perms; - ') - - ######################################## - ## --## List all users home directories. -+## Read all users home directories symlinks. - ## - ## - ## -@@ -4771,18 +5066,18 @@ - ## - ## - # --interface(`userdom_list_all_users_home_dirs',` -+interface(`userdom_read_all_users_home_dirs_symlinks',` - gen_require(` - attribute home_dir_type; - ') - - files_list_home($1) -- allow $1 home_dir_type:dir list_dir_perms; -+ allow $1 home_dir_type:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## --## Search all users home directories. -+## Read all users home directories symlinks. - ## - ## - ## -@@ -4790,31 +5085,79 @@ - ## - ## - # --interface(`userdom_search_all_users_home_content',` -+interface(`userdom_read_all_users_home_content_symlinks',` - gen_require(` -- attribute home_dir_type, home_type; -+ type user_home_t; - ') - - files_list_home($1) -- allow $1 { home_dir_type home_type }:dir search_dir_perms; -+ allow $1 user_home_t:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to search all users home directories. -+## List all users home directories. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`userdom_dontaudit_search_all_users_home_content',` -+interface(`userdom_list_all_users_home_dirs',` - gen_require(` -- attribute home_dir_type, home_type; -+ attribute home_dir_type; - ') - -- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; -+ files_list_home($1) -+ allow $1 home_dir_type:dir list_dir_perms; -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_list_nfs($1) + ') + -+ tunable_policy(`use_samba_home_dirs',` -+ fs_list_cifs($1) -+ ') ++ files_list_home($1) ++ allow $1 user_home_dir_type:dir search_dir_perms; +') + +######################################## +## -+## Search all users home directories. ++## Read all users home directories symlinks. +## +## +## 
@@ -40385,49 +40291,74 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_search_all_users_home_content',` ++interface(`userdom_read_all_users_home_dirs_symlinks',` + gen_require(` -+ attribute home_dir_type, home_type; -+ ') -+ -+ files_list_home($1) -+ allow $1 { home_dir_type home_type }:dir search_dir_perms; + attribute home_dir_type; + ') + + files_list_home($1) +- allow $1 home_dir_type:dir search_dir_perms; ++ allow $1 home_dir_type:lnk_file read_lnk_file_perms; +') + +######################################## +## -+## Do not audit attempts to search all users home directories. ++## Read all users home directories symlinks. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_search_all_users_home_content',` ++interface(`userdom_read_all_users_home_content_symlinks',` + gen_require(` -+ attribute home_dir_type, home_type; ++ type user_home_t; + ') + -+ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; ++ files_list_home($1) ++ allow $1 user_home_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4778,6 +5130,14 @@ + + files_list_home($1) + allow $1 home_dir_type:dir list_dir_perms; ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_list_cifs($1) ++ ') + ') + + ######################################## +@@ -4815,6 +5175,8 @@ + ') + + dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; + fs_dontaudit_list_nfs($1) + fs_dontaudit_list_cifs($1) ') ######################################## -@@ -4839,6 +5182,26 @@ +@@ -4839,7 +5201,7 @@ ######################################## ## +-## Create, read, write, and delete all directories +## delete all directories -+## in all users home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## in all users home directories. 
+ ## + ## +@@ -4848,7 +5210,27 @@ + ## + ## + # +-interface(`userdom_manage_all_users_home_content_dirs',` +interface(`userdom_delete_all_users_home_content_dirs',` + gen_require(` + attribute home_type; @@ -40439,10 +40370,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## - ## Create, read, write, and delete all directories - ## in all users home directories. - ## -@@ -4859,6 +5222,25 @@ ++## Create, read, write, and delete all directories ++## in all users home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_all_users_home_content_dirs',` + gen_require(` + attribute home_type; + ') +@@ -4859,6 +5241,25 @@ ######################################## ## @@ -40468,7 +40409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5261,26 @@ +@@ -4879,6 +5280,26 @@ ######################################## ## @@ -40495,7 +40436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5517,7 @@ +@@ -5115,7 +5536,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -40504,7 +40445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5706,63 @@ +@@ -5304,6 +5725,63 @@ ######################################## ## @@ -40568,7 +40509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5968,43 @@ +@@ -5509,6 +5987,43 @@ ######################################## ## 
@@ -40612,7 +40553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5559,7 +6055,7 @@ +@@ -5559,7 +6074,7 @@ attribute userdomain; ') @@ -40621,7 +40562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5674,6 +6170,42 @@ +@@ -5674,6 +6189,42 @@ ######################################## ## @@ -40664,7 +40605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6236,408 @@ +@@ -5704,3 +6255,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 51c7d5d..74bc830 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 99%{?dist} +Release: 100%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -386,6 +386,9 @@ exit 0 %endif %changelog +* Mon Oct 6 2008 Dan Walsh 3.3.1-100 +- Allow rsync to fownee and fsetid + * Mon Oct 6 2008 Dan Walsh 3.3.1-99 - Fix file contexts