From e26fef9ac3f51291f5fc5d4d8b519420ecbb4a04 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 15 2008 20:43:04 +0000 Subject: - Allow setroubleshoot to read policy config and send audit messages --- diff --git a/policy-20071130.patch b/policy-20071130.patch index c56ba8e..4ebe095 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -141,6 +141,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.5/M endef # create-base-per-role-tmpl modulenames,outputfile +diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.2.5/man/man8/httpd_selinux.8 +--- nsaserefpolicy/man/man8/httpd_selinux.8 2007-10-12 08:56:10.000000000 -0400 ++++ serefpolicy-3.2.5/man/man8/httpd_selinux.8 2008-01-15 09:08:57.000000000 -0500 +@@ -93,6 +93,11 @@ + .EE + + .PP ++httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. ++ ++.EX ++setsebool -P httpd_can_sendmail 1 ++.PP + httpd can be configured to turn off internal scripting (PHP). PHP and other + loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.5/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400 +++ serefpolicy-3.2.5/policy/flask/access_vectors 2007-12-19 05:38:08.000000000 -0500 
@@ -10050,6 +10065,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. logrotate_exec(ntpd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.2.5/policy/modules/services/nx.fc +--- nsaserefpolicy/policy/modules/services/nx.fc 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/nx.fc 2008-01-15 13:47:19.000000000 -0500 +@@ -1,3 +1,5 @@ ++ ++/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) + /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) + + /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500 
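Review bot: The new first line of nx.fc is an empty line (the `++` with nothing after it, before the `/usr/libexec/nx/nxserver` entry); a leading blank in a file-contexts file is noise and should be dropped so the new entry is line 1. The entry itself matches the existing `/opt/NX/bin/nxserver` line, so the packaged binary gets the same `nx_server_exec_t` label and, presumably, the same domain transition. Whether any other helper under `/usr/libexec/nx/` also needs a label cannot be seen from this hunk.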
@@ -12013,9 +12037,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.2.5/policy/modules/services/setroubleshoot.if +--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-09-04 15:22:23.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.if 2008-01-15 12:19:51.000000000 -0500 +@@ -16,8 +16,8 @@ + ') + + files_search_pids($1) +- allow $1 setroubleshoot_var_run_t:sock_file write; +- allow $1 setroubleshootd_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshoot_t) ++ allow $1 setroubleshoot_var_run_t:sock_file read; + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-08 06:17:24.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-15 11:09:44.000000000 -0500 @@ -27,8 +27,8 @@ # setroubleshootd local policy # 
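Review bot: The domain given as the fourth argument of `stream_connect_pattern` is `setroubleshoot_t`, while the removed line it replaces and every rule in this commit's setroubleshoot.te hunk use `setroubleshootd_t`, so the expanded `connectto` rule would name a type that nothing visible here declares and the module would fail to build unless something outside the hunk declares it. It should read `stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)`. The interface's `gen_require` block closes at the hunk's first context line, so which type it requires cannot be checked here and should be verified to match. The added `allow $1 setroubleshoot_var_run_t:sock_file read;` looks unnecessary for a client that only connects, since `stream_connect_pattern` already grants `write` on the socket file; drop it unless a specific denial motivates it.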
@@ -12056,7 +12094,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) -@@ -110,6 +116,7 @@ +@@ -97,11 +103,13 @@ + + locallogin_dontaudit_use_fds(setroubleshootd_t) + ++logging_send_audit_msgs(setroubleshootd_t) + logging_send_syslog_msg(setroubleshootd_t) + logging_stream_connect_auditd(setroubleshootd_t) + + seutil_read_config(setroubleshootd_t) + seutil_read_file_contexts(setroubleshootd_t) ++seutil_read_bin_policy(setroubleshootd_t) + + sysnet_read_config(setroubleshootd_t) + +@@ -110,6 +118,7 @@ optional_policy(` dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) @@ -12158,14 +12210,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-14 11:58:23.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-15 14:51:50.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) -@@ -9,8 +9,12 @@ +@@ -6,11 +6,16 @@ + /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) + + /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) 
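Review bot: `logging_send_audit_msgs(setroubleshootd_t)` is added with no comment explaining why the daemon must author audit records; the ability to write into the audit trail is a privilege that investigators implicitly trust, so the reason belongs next to the grant, e.g. a one-line comment naming what setroubleshootd records (the changelog only says "send audit messages"). What capability the interface actually carries is defined outside this hunk, so I am inferring its weight from the name. `seutil_read_bin_policy(setroubleshootd_t)` is read-only and unremarkable. The `optional_policy` block that follows `@@ -110,6 +118,7 @@` continues past the visible lines.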
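Review bot: Labeling `/usr/sbin/spamass-milter` as `spamd_exec_t` runs the milter in `spamd_t`, the same domain as the spamd daemon it talks to, so a flaw in the milter (which presumably handles untrusted mail handed over by the MTA) yields all of spamd's permissions rather than a confined subset. Unless the two programs genuinely need identical access, a dedicated milter domain would follow least privilege; at minimum a comment in spamassassin.fc stating why sharing `spamd_t` is acceptable would record the decision. The inner hunk continues past the visible lines, so any milter-specific socket or pid labeling may be handled there.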
@@ -15147,7 +15203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-08 13:52:56.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-15 09:55:44.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -15322,7 +15378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +# Cron jobs used to start and stop services +optional_policy(` -+ cron_read_pipes(daemon) ++ cron_rw_pipes(daemon) +') + optional_policy(` @@ -17486,7 +17542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-14 09:58:38.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-15 11:58:29.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -18318,7 +18374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,12 +1165,11 @@ +@@ -1187,22 +1165,17 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) 
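Review bot: Changing `cron_read_pipes(daemon)` to `cron_rw_pipes(daemon)` grants write access on cron's pipes to every domain carrying the `daemon` attribute, not just the service a cron job restarted, and the only justification visible is the existing `# Cron jobs used to start and stop services` comment. A comment stating the concrete need, e.g. `# daemons started from a cron job inherit cron's stdout/stderr pipe and write to it`, would record why read alone was not enough; if the intent was only to drain inherited stdin, read was sufficient. The `daemon` attribute is declared outside this hunk, so how many domains it covers cannot be seen here.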
@@ -18333,7 +18389,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1278,8 +1255,6 @@ + optional_policy(` + ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ') +- +- optional_policy(` +- setroubleshoot_stream_connect($1_t) +- ') + ') + + ####################################### +@@ -1278,8 +1251,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -18342,7 +18408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1416,6 +1391,7 @@ +@@ -1416,6 +1387,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -18350,7 +18416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1757,14 @@ +@@ -1781,10 +1753,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -18366,7 +18432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1860,11 @@ +@@ -1880,11 +1856,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -18380,7 +18446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1894,11 @@ +@@ -1914,11 +1890,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -18394,7 +18460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1942,12 @@ +@@ -1962,12 +1938,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` 
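Review bot: Removing `setroubleshoot_stream_connect($1_t)` from this user template means every user domain built from it loses the ability to connect to setroubleshootd, while the same commit re-adds the call only for `staff_t` in staff.te; any other module instantiating the template silently loses access, and the spec changelog mentions only the setroubleshootd-side grants. Add a changelog line such as `- Only allow staff_t to connect to setroubleshootd`, or keep the call in the template if unprivileged users are expected to run the setroubleshoot client. The enclosing template starts and ends outside this hunk, so I am inferring which template it is from the `user_tcp_server` and ppp context lines.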
@@ -18410,7 +18476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1977,10 @@ +@@ -1997,10 +1973,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -18423,7 +18489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2012,47 @@ +@@ -2032,11 +2008,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -18473,7 +18539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2084,10 @@ +@@ -2068,10 +2080,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -18486,7 +18552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2117,11 @@ +@@ -2101,11 +2113,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -18500,7 +18566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2151,11 @@ +@@ -2135,11 +2147,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -18515,7 +18581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2185,10 @@ +@@ -2169,10 +2181,10 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -18528,7 +18594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2202,11 +2218,11 @@ +@@ -2202,11 +2214,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` 
@@ -18542,7 +18608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2236,11 +2252,11 @@ +@@ -2236,11 +2248,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -18556,7 +18622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2270,10 +2286,10 @@ +@@ -2270,10 +2282,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -18569,7 +18635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2305,12 +2321,12 @@ +@@ -2305,12 +2317,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -18585,7 +18651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2342,10 +2358,10 @@ +@@ -2342,10 +2354,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -18598,7 +18664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2377,12 +2393,12 @@ +@@ -2377,12 +2389,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -18614,7 +18680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2414,12 +2430,12 @@ +@@ -2414,12 +2426,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -18630,7 +18696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2451,12 +2467,12 @@ +@@ -2451,12 +2463,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` 
@@ -18646,7 +18712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2501,11 +2517,11 @@ +@@ -2501,11 +2513,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -18660,7 +18726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2550,11 +2566,11 @@ +@@ -2550,11 +2562,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -18674,7 +18740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2594,11 +2610,11 @@ +@@ -2594,11 +2606,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -18688,7 +18754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2628,11 +2644,11 @@ +@@ -2628,11 +2640,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -18702,7 +18768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2662,11 +2678,11 @@ +@@ -2662,11 +2674,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -18716,7 +18782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2698,10 +2714,10 @@ +@@ -2698,10 +2710,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -18729,7 +18795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2733,10 +2749,10 @@ +@@ -2733,10 +2745,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` 
@@ -18742,7 +18808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2766,12 +2782,12 @@ +@@ -2766,12 +2778,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -18758,7 +18824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2803,10 +2819,10 @@ +@@ -2803,10 +2815,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -18771,7 +18837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2838,10 +2854,48 @@ +@@ -2838,10 +2850,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -18822,7 +18888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2871,12 +2925,12 @@ +@@ -2871,12 +2921,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -18838,7 +18904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2908,10 +2962,10 @@ +@@ -2908,10 +2958,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -18851,7 +18917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2943,12 +2997,12 @@ +@@ -2943,12 +2993,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -18867,7 +18933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2980,11 +3034,11 @@ +@@ -2980,11 +3030,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` 
@@ -18881,7 +18947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3016,11 +3070,11 @@ +@@ -3016,11 +3066,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -18895,7 +18961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3052,11 +3106,11 @@ +@@ -3052,11 +3102,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -18909,7 +18975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3088,11 +3142,11 @@ +@@ -3088,11 +3138,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -18923,7 +18989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3124,11 +3178,11 @@ +@@ -3124,11 +3174,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -18937,7 +19003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3173,10 +3227,10 @@ +@@ -3173,10 +3223,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -18950,7 +19016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3217,10 +3271,10 @@ +@@ -3217,10 +3267,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -18963,7 +19029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3248,6 +3302,42 @@ +@@ -3248,6 +3298,42 @@ ## ## # 
@@ -19006,7 +19072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4225,11 +4315,11 @@ +@@ -4225,11 +4311,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -19020,7 +19086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4245,10 +4335,10 @@ +@@ -4245,10 +4331,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -19033,7 +19099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4264,11 +4354,11 @@ +@@ -4264,11 +4350,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -19047,7 +19113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,16 +4373,16 @@ +@@ -4283,16 +4369,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -19067,7 +19133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4301,12 +4391,27 @@ +@@ -4301,12 +4387,27 @@ ## ## # @@ -19098,7 +19164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4321,13 +4426,13 @@ +@@ -4321,13 +4422,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -19116,7 +19182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4525,10 +4630,10 @@ +@@ -4525,10 +4626,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` 
@@ -19129,7 +19195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4650,10 @@ +@@ -4545,10 +4646,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -19142,7 +19208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4668,10 @@ +@@ -4563,10 +4664,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -19155,7 +19221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4687,10 @@ +@@ -4582,10 +4683,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -19168,7 +19234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4705,10 @@ +@@ -4600,10 +4701,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -19181,7 +19247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4724,10 @@ +@@ -4619,10 +4720,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -19194,7 +19260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4743,11 @@ +@@ -4638,12 +4739,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -19210,7 +19276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4774,10 @@ +@@ -4670,10 +4770,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` 
@@ -19223,7 +19289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4792,10 @@ +@@ -4688,10 +4788,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -19236,7 +19302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4810,13 @@ +@@ -4706,13 +4806,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -19254,7 +19320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,11 +4852,48 @@ +@@ -4748,11 +4848,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -19264,6 +19330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + files_list_home($1) + allow $1 user_home_dir_type:dir search_dir_perms; +') ++ +######################################## +## +## Read all users home directories symlinks. @@ -19304,7 +19371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4772,6 +4913,14 @@ +@@ -4772,6 +4910,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -19319,7 +19386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5109,7 +5258,7 @@ +@@ -5109,7 +5255,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -19328,7 +19395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5447,49 @@ +@@ -5298,6 +5444,49 @@ ######################################## ## 
@@ -19378,7 +19445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5503,6 +5695,42 @@ +@@ -5503,6 +5692,42 @@ ######################################## ## @@ -19421,7 +19488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5896,42 @@ +@@ -5668,6 +5893,42 @@ ######################################## ## @@ -19464,7 +19531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +5962,277 @@ +@@ -5698,3 +5959,277 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -20499,8 +20566,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-08 05:06:18.000000000 -0500 -@@ -0,0 +1,34 @@ ++++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-15 11:59:03.000000000 -0500 +@@ -0,0 +1,38 @@ +policy_module(staff,1.0.1) +userdom_unpriv_user_template(staff) + @@ -20519,6 +20586,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t }) + +optional_policy(` ++ gpg_per_role_template(staff, staff_usertype, staff_r) ++') ++ ++optional_policy(` + java_per_role_template(staff, staff_t, staff_r) +') + 
@@ -20527,7 +20598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +') + +optional_policy(` -+ gpg_per_role_template(staff, staff_usertype, staff_r) ++ setroubleshoot_stream_connect(staff_t) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index f7271e5..5adc73d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Tue Jan 15 2008 Dan Walsh 3.2.5-13 +- Allow setroubleshoot to read policy config and send audit messages + * Mon Jan 14 2008 Dan Walsh 3.2.5-12 - Allow users to execute all files in homedir, if boolean set - Allow mount to read samba config