diff --git a/policy-20081111.patch b/policy-20081111.patch index d143105..1b87b2a 100644 --- a/policy-20081111.patch +++ b/policy-20081111.patch @@ -264,6 +264,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man .SH SHARING FILES If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/constraints serefpolicy-3.6.1/policy/constraints +--- nsaserefpolicy/policy/constraints 2008-11-18 18:57:21.000000000 -0500 ++++ serefpolicy-3.6.1/policy/constraints 2008-12-08 14:26:15.000000000 -0500 +@@ -99,7 +99,7 @@ + constrain process { transition noatsecure siginh rlimitinh } + ( + r1 == r2 +- or ( t1 == can_change_process_identity and t2 == process_user_target ) ++ or ( t1 == can_change_process_role and t2 == process_user_target ) + or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) + or ( t1 == can_system_change and u2 == system_u ) + or ( t1 == process_uncond_exempt ) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.1/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400 +++ serefpolicy-3.6.1/policy/flask/access_vectors 2008-11-25 09:45:43.000000000 -0500 
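Review bot: The attribute swap in the role clause of `constrain process { transition noatsecure siginh rlimitinh }`, from `can_change_process_identity` to `can_change_process_role`, changes which domains are exempt from the r1 == r2 requirement, yet neither the patch nor the 3.6.1-8 changelog entry (which names only the sudo keys fix) records it. Any domain that previously satisfied this constraint through the identity attribute will now be refused role transitions unless it also carries the role attribute; the sudo.if hunk adding `domain_role_change_exemption($1_sudo_t)` looks like the companion change, and saying so would make the pair reviewable. A comment above the changed line such as `# role changes are exempted by the role attribute, not the identity attribute` would record the intent. The constrain statement's closing parenthesis lies outside the inner hunk.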
@@ -379,7 +391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(kismet_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.1/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/admin/logrotate.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/admin/logrotate.te 2008-12-08 15:22:19.000000000 -0500 @@ -116,7 +116,7 @@ seutil_dontaudit_read_config(logrotate_t) @@ -389,6 +401,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_unpriv_users_fds(logrotate_t) cron_system_entry(logrotate_t, logrotate_exec_t) +@@ -187,5 +187,6 @@ + ') + + optional_policy(` ++ squid_exec(logrotate_t) + squid_signal(logrotate_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.1/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-11-11 16:13:49.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/admin/logwatch.te 2008-11-25 09:45:43.000000000 -0500 @@ -1082,7 +1101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol java_domtrans_unconfined(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.1/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-05 14:31:30.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/admin/sudo.if 2008-12-08 13:08:28.000000000 -0500 @@ -51,7 +51,7 @@ # 
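Review bot: `squid_exec(logrotate_t)` in the logrotate.te hunk runs the squid binary inside logrotate_t, so whatever squid does when invoked from logrotate (presumably a postrotate command) executes with logrotate's own file-management privileges rather than squid's. If a domain-transition interface for squid exists it would confine that invocation; otherwise a one-line comment stating that in-domain execution is deliberate, e.g. `# squid is executed in logrotate_t (no transition) for the postrotate command`, would stop a later reviewer from widening it further. The `optional_policy` block is fully inside the hunk, but the rest of the logrotate_t policy is not.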
@@ -1146,7 +1165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg($1_sudo_t) miscfiles_read_localization($1_sudo_t) -@@ -114,6 +120,30 @@ +@@ -114,6 +120,31 @@ userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) @@ -1163,6 +1182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content($1_sudo_t) ++ userdom_manage_all_users_keys($1_sudo_t) + + domain_role_change_exemption($1_sudo_t) + userdom_spec_domtrans_all_users($1_sudo_t) @@ -2233,12 +2253,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.1/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.fc 2008-11-25 09:45:43.000000000 -0500 -@@ -0,0 +1,11 @@ ++++ serefpolicy-3.6.1/policy/modules/apps/nsplugin.fc 2008-12-08 16:24:57.000000000 -0500 +@@ -0,0 +1,12 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.config/gxine(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) + 
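Review bot: `userdom_manage_all_users_keys($1_sudo_t)` in the sudo.if hunk gives the sudo domain of every role full management of every user's kernel keyrings, which is broader than the keyring of the single user sudo is switching to. Since this is the change the 3.6.1-8 changelog refers to ("Fix sudo setting of user keys"), a comment naming the denial it resolves would make the breadth reviewable, e.g. `# sudo sets the target user's session keyring; the target is not known statically, hence all users`. It is worth confirming whether a search/read-only keys interface would have cleared the denial before keeping manage. The enclosing template body starts and ends outside the hunk.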
@@ -3939,7 +3960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-11-12 09:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-03 08:59:59.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-08 15:25:19.000000000 -0500 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; @@ -4036,12 +4057,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -171,13 +192,16 @@ +@@ -171,14 +192,17 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) -+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) ++network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon 
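Review bot: Port 6969 is added to `tor_port_t` in the corenetwork.te.in hunk without a comment, and it is a port widely used by unrelated software, so every domain granted the tor port through the corenetwork interfaces gains it too. A comment above the line, `# 6969: <reason tor uses this port>`, would justify the label. The same line, and the whois line in the next hunk (`tcp, 4321, s0 , udp, 4321, s0 )`), also use spacing that differs from every other `network_port` entry in the file; `network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)` matches the existing style.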
@@ -4049,11 +4070,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(vnc, tcp,5900,s0) network_port(wccp, udp,2048,s0) +-network_port(whois, tcp,43,s0, udp,43,s0) +# Reserve 100 ports for vnc/virt machines +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) - network_port(whois, tcp,43,s0, udp,43,s0) ++network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) + network_port(xfs, tcp,7100,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.1/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-08 21:42:58.000000000 -0400 +++ serefpolicy-3.6.1/policy/modules/kernel/devices.fc 2008-11-25 09:45:43.000000000 -0500 @@ -8018,7 +8041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-04 14:56:42.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-08 16:47:30.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -8175,11 +8198,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -335,12 +386,11 @@ +@@ -335,12 +386,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) +fs_list_inotifyfs(httpd_t) ++fs_read_iso9660_files(httpd_t) auth_use_nsswitch(httpd_t) 
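Review bot: `fs_read_iso9660_files(httpd_t)` is added unconditionally in the apache.te hunk, and the same grant appears for httpd_suexec_t and httpd_sys_script_t in the following hunks, whereas the neighbouring nfs/cifs access for these domains is gated by tunables such as `httpd_use_nfs` and `httpd_enable_homedirs && use_nfs_home_dirs`. Serving mounted CD/DVD content from a web server is a deployment choice, so putting the three calls behind a boolean would be consistent with the rest of the module; at minimum a comment such as `# allow serving content from mounted iso9660 media` should record the intent. The httpd_t policy block starts and ends outside the hunk.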
@@ -8190,7 +8214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -358,6 +408,10 @@ +@@ -358,6 +409,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -8201,7 +8225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_read_lib_files(httpd_t) -@@ -372,18 +426,33 @@ +@@ -372,18 +427,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -8239,7 +8263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -391,20 +460,54 @@ +@@ -391,20 +461,54 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -8295,7 +8319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -415,20 +518,28 @@ +@@ -415,20 +519,28 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -8328,7 +8352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -459,8 +570,13 @@ +@@ -459,8 +571,13 @@ ') optional_policy(` @@ -8344,7 +8368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -472,18 +588,13 @@ +@@ -472,18 +589,13 @@ ') optional_policy(` @@ -8364,7 +8388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -493,6 +604,12 @@ +@@ -493,6 +605,12 @@ openca_kill(httpd_t) ') @@ -8377,7 +8401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -500,6 +617,7 @@ +@@ -500,6 +618,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) 
@@ -8385,7 +8409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +626,7 @@ +@@ -508,6 +627,7 @@ ') optional_policy(` @@ -8393,7 +8417,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +654,22 @@ +@@ -535,6 +655,22 @@ userdom_use_user_terminals(httpd_helper_t) @@ -8416,7 +8440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +699,25 @@ +@@ -564,20 +700,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -8448,7 +8472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,12 +735,14 @@ +@@ -595,23 +736,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -8464,8 +8488,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -609,9 +751,7 @@ + dev_read_urand(httpd_suexec_t) + ++fs_read_iso9660_files(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) -# for shell scripts @@ -8475,7 +8501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -641,12 +781,25 @@ +@@ -641,12 +783,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -8504,7 +8530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -655,6 +808,12 @@ +@@ -655,6 +810,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') 
@@ -8517,7 +8543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -672,15 +831,14 @@ +@@ -672,15 +833,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -8536,7 +8562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +857,22 @@ +@@ -699,12 +859,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -8548,6 +8574,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -tunable_policy(`httpd_enable_homedirs',` - userdom_read_user_home_content_files(httpd_sys_script_t) ++fs_read_iso9660_files(httpd_sys_script_t) ++ +tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) @@ -8561,7 +8589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +880,35 @@ +@@ -712,6 +884,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -8597,7 +8625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +921,10 @@ +@@ -724,6 +925,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -8608,7 +8636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +936,8 @@ +@@ -735,6 +940,8 @@ # httpd_rotatelogs local policy # 
@@ -8617,7 +8645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -762,3 +965,66 @@ +@@ -762,3 +969,66 @@ userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') 
@@ -8793,6 +8821,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.1/policy/modules/services/bind.fc +--- nsaserefpolicy/policy/modules/services/bind.fc 2008-11-11 16:13:45.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/bind.fc 2008-12-08 11:44:38.000000000 -0500 +@@ -1,17 +1,22 @@ + /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++ + /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) + /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) + + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) + /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) + /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) + /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) ++/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) + + /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) + + /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) + /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + + ifdef(`distro_debian',` + /etc/bind(/.*)? 
gen_context(system_u:object_r:named_zone_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.1/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/bind.if 2008-11-25 09:45:43.000000000 -0500 @@ -12286,13 +12340,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Init script handling diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.1/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/ldap.te 2008-11-25 09:45:43.000000000 -0500 -@@ -117,7 +117,7 @@ ++++ serefpolicy-3.6.1/policy/modules/services/ldap.te 2008-12-08 14:32:23.000000000 -0500 +@@ -117,7 +117,11 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) optional_policy(` - kerberos_use(slapd_t) + kerberos_keytab_template(slapd, slapd_t) ++') ++ ++optional_policy(` ++ sasl_connect(slapd_t) ') optional_policy(` @@ -18201,7 +18259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/samba.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/samba.te 2008-12-08 15:15:10.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
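Review bot: The bind.fc hunk labels the unbound daemon, its init script, `/etc/unbound(/.*)?` and `/var/run/unbound(/.*)?` with the named types, so unbound runs in the same domain as BIND and inherits its entire permission set, including access to `named_zone_t` and to `dnssec_t` (`/etc/rndc\.key`) that unbound presumably does not need; a compromise of either daemon then reaches the other's data. A dedicated unbound domain would be the proper fix; failing that, a comment explaining the shared-domain decision, e.g. `# unbound is deliberately run in named_t and shares named's zone and key access`, would keep the choice visible. The `ifdef(distro_debian)` block is cut off by the end of the inner hunk.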
@@ -18255,7 +18313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # - +allow samba_net_t self:capability { dac_read_search dac_override }; -+allow samba_net_t self:process getsched; ++allow samba_net_t self:process { getsched setsched }; allow samba_net_t self:unix_dgram_socket create_socket_perms; allow samba_net_t self:unix_stream_socket create_stream_socket_perms; allow samba_net_t self:udp_socket create_socket_perms; @@ -18281,7 +18339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(samba_net_t) -@@ -197,8 +213,10 @@ +@@ -197,8 +213,14 @@ miscfiles_read_localization(samba_net_t) @@ -18290,10 +18348,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(samba_net_t) -userdom_dontaudit_search_user_home_dirs(samba_net_t) +userdom_list_user_home_dirs(samba_net_t) ++ ++optional_policy(` ++ pcscd_read_pub_files(samba_net_t) ++') optional_policy(` kerberos_use(samba_net_t) -@@ -208,7 +226,7 @@ +@@ -208,7 +230,7 @@ # # smbd Local policy # @@ -18302,7 +18364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -226,10 +244,8 @@ +@@ -226,10 +248,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; @@ -18314,7 +18376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow smbd_t samba_net_tmp_t:file getattr; -@@ -239,6 +255,7 @@ +@@ -239,6 +259,7 @@ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) 
@@ -18322,7 +18384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -@@ -256,7 +273,7 @@ +@@ -256,7 +277,7 @@ manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, file) @@ -18331,7 +18393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -321,6 +338,10 @@ +@@ -321,6 +342,10 @@ userdom_use_unpriv_users_fds(smbd_t) userdom_dontaudit_search_user_home_dirs(smbd_t) @@ -18342,28 +18404,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -350,8 +371,20 @@ +@@ -350,8 +375,20 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) + fs_manage_nfs_symlinks(smbd_t) + fs_manage_nfs_named_pipes(smbd_t) + fs_manage_nfs_named_sockets(smbd_t) -+') -+ + ') + +# Support Samba sharing of ntfs/fusefs mount points +tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) +',` + fs_search_fusefs_dirs(smbd_t) - ') - ++') ++ + optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -359,6 +392,16 @@ +@@ -359,6 +396,16 @@ optional_policy(` kerberos_use(smbd_t) @@ -18380,7 +18442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -381,8 +424,10 @@ +@@ -381,8 +428,10 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) 
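Review bot: The new `tunable_policy(samba_share_fusefs, ...)` block in the samba.te hunk references a boolean whose `gen_tunable` declaration and description are not in any hunk shown here; the earlier `@@ -66,6 +66,13 @@` hunk of this section is cut, so it may be there, but if it is not the module will not build, and if it is the description should say that enabling it lets smbd manage any fusefs mount, not only ntfs. The `samba_share_nfs` branch now also grants `fs_manage_nfs_named_pipes` and `fs_manage_nfs_named_sockets`, which goes beyond file sharing; a comment such as `# smbd creates fifos and sockets on NFS-backed shares` would record why. The remaining lines of the hunk appear only to move the closing `')` lines between context and added status without changing the resulting file.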
@@ -18391,7 +18453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -454,6 +499,7 @@ +@@ -454,6 +503,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -18399,7 +18461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -553,19 +599,33 @@ +@@ -553,19 +603,33 @@ userdom_use_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) @@ -18436,7 +18498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -585,6 +645,9 @@ +@@ -585,6 +649,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -18446,7 +18508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -609,15 +672,18 @@ +@@ -609,15 +676,18 @@ dev_read_urand(swat_t) @@ -18465,7 +18527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -635,6 +701,17 @@ +@@ -635,6 +705,17 @@ kerberos_use(swat_t) ') 
@@ -18483,16 +18545,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Winbind local policy -@@ -683,6 +760,8 @@ +@@ -642,7 +723,7 @@ + + allow winbind_t self:capability { dac_override ipc_lock setuid }; + dontaudit winbind_t self:capability sys_tty_config; +-allow winbind_t self:process signal_perms; ++allow winbind_t self:process { signal_perms getsched }; + allow winbind_t self:fifo_file rw_fifo_file_perms; + allow winbind_t self:unix_dgram_socket create_socket_perms; + allow winbind_t self:unix_stream_socket create_stream_socket_perms; +@@ -683,9 +764,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) +corecmd_exec_bin(winbind_t) + kernel_read_kernel_sysctls(winbind_t) - kernel_list_proc(winbind_t) - kernel_read_proc_symlinks(winbind_t) -@@ -768,8 +847,13 @@ +-kernel_list_proc(winbind_t) +-kernel_read_proc_symlinks(winbind_t) ++kernel_read_system_state(winbind_t) + + corenet_all_recvfrom_unlabeled(winbind_t) + corenet_all_recvfrom_netlabel(winbind_t) +@@ -713,6 +795,7 @@ + domain_use_interactive_fds(winbind_t) + + files_read_etc_files(winbind_t) ++files_read_usr_symlinks(winbind_t) + + logging_send_syslog_msg(winbind_t) + +@@ -768,8 +851,13 @@ userdom_use_user_terminals(winbind_helper_t) optional_policy(` @@ -18506,7 +18589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -778,6 +862,16 @@ +@@ -778,6 +866,16 @@ # optional_policy(` @@ -18523,7 +18606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -788,9 +882,43 @@ +@@ -788,9 +886,43 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; 
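Review bot: Replacing `kernel_list_proc(winbind_t)` and `kernel_read_proc_symlinks(winbind_t)` with `kernel_read_system_state(winbind_t)` in the winbind hunk of samba.te is a superset, since it additionally allows reading the generic proc_t files rather than only listing /proc, and the hunk gives no hint which file winbind needs. A comment naming it, `# winbind reads /proc/<file that was denied>`, would let the grant be narrowed later. The added `getsched` self permission and `files_read_usr_symlinks(winbind_t)` are low risk but likewise undocumented.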
@@ -19636,6 +19719,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.1/policy/modules/services/squid.if +--- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/squid.if 2008-12-08 15:22:33.000000000 -0500 +@@ -21,6 +21,25 @@ + + ######################################## + ## ++## Execute squid ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`squid_exec',` ++ gen_require(` ++ type squid_exec_t; ++ ') ++ ++ can_exec($1, squid_exec_t) ++') ++ ++ ++######################################## ++## + ## Send generic signals to squid. + ## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.1/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/squid.te 2008-11-25 09:45:43.000000000 -0500 @@ -21640,7 +21752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-04 14:13:34.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-08 15:05:18.000000000 -0500 @@ -43,6 +43,7 @@ interface(`auth_login_pgm_domain',` gen_require(` 
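Review bot: The new `squid_exec` interface in squid.if is summarised only as "Execute squid", which does not tell a caller that `can_exec($1, squid_exec_t)` runs the binary in the caller's own domain with no transition, the property that decides whether this or a transition interface is appropriate. Suggest the summary read `Execute the squid binary in the caller domain (no domain transition).`, in the style of the other `*_exec` interfaces. The parameter description is already in place; nothing else in the hunk needs changing.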
@@ -21726,7 +21838,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -207,19 +256,16 @@ +@@ -197,8 +246,11 @@ + interface(`auth_domtrans_chk_passwd',` + gen_require(` + type chkpwd_t, chkpwd_exec_t, shadow_t; ++ type auth_cache_t; + ') + ++ allow $1 auth_cache_t:dir search_dir_perms; ++ + corecmd_search_bin($1) + domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + +@@ -207,19 +259,16 @@ dev_read_rand($1) dev_read_urand($1) @@ -21751,7 +21875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -230,6 +276,29 @@ +@@ -230,6 +279,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -21781,7 +21905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -254,6 +323,7 @@ +@@ -254,6 +326,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -21789,7 +21913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1031,6 +1101,32 @@ +@@ -1031,6 +1104,32 @@ ######################################## ## @@ -21822,7 +21946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1297,6 +1393,10 @@ +@@ -1297,6 +1396,10 @@ ') optional_policy(` @@ -21833,7 +21957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1307,6 +1407,7 @@ +@@ -1307,6 +1410,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) 
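Review bot: The inline `allow $1 auth_cache_t:dir search_dir_perms;` added to `auth_domtrans_chk_passwd` is exactly the rule that the new `auth_search_cache` interface, added later in this authlogin.if section, encapsulates, so the same grant now has two definitions to keep in sync. Calling `auth_search_cache($1)` here and dropping `type auth_cache_t;` from the `gen_require` would leave a single point of change. A short comment naming which helper or PAM module searches the cache, `# <module> searches auth_cache_t while chkpwd runs`, would also help, since the hunk does not say.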
@@ -21841,13 +21965,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1341,3 +1442,61 @@ +@@ -1341,3 +1445,80 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') + +######################################## +## ++## Search authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`auth_search_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ allow $1 auth_cache_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Read/Write authentication cache +## +## @@ -22667,6 +22810,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setkey_t self:netlink_route_socket create_netlink_socket_perms; allow setkey_t ipsec_conf_file_t:dir list_dir_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.1/policy/modules/system/iptables.fc +--- nsaserefpolicy/policy/modules/system/iptables.fc 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.1/policy/modules/system/iptables.fc 2008-12-08 16:37:20.000000000 -0500 +@@ -6,3 +6,4 @@ + /usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.1/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/system/iptables.te 2008-12-04 08:58:18.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index eb9f115..f065114 100644 --- a/selinux-policy.spec 
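Review bot: The new file context `/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)` in the iptables.fc hunk combines a directory-tree pattern with the `--` regular-file class, so `/var/lib/shorewall` itself and any subdirectories keep the /var/lib default label while only regular files beneath it become `iptables_var_run_t`. Every other tree pattern in this patch (`/etc/unbound(/.*)?`, `/var/run/unbound(/.*)?`, `/var/cache/coolkey(/.*)?`) omits the class, so `/var/lib/shorewall(/.*)? gen_context(system_u:object_r:iptables_var_run_t,s0)` is the consistent form. Separately, a persistent /var/lib tree labelled with a `_var_run_t` type is unusual; if iptables genuinely needs to write shorewall's state there, a comment such as `# shorewall state written by iptables_t: <what it stores>` would make the type choice reviewable.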
+++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.1 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Mon Dec 8 2008 Dan Walsh 3.6.1-8 +- Fix sudo setting of user keys + * Thu Dec 4 2008 Dan Walsh 3.6.1-7 - Allow iptables to talk to terminals - Fixes for policy kit