diff --git a/policy-20080710.patch b/policy-20080710.patch
index 34cabdb..5834d81 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -14730,7 +14730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/dbus.if 2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/dbus.if 2008-09-23 15:34:03.000000000 -0400
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -14748,7 +14748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type $1_dbusd_tmp_t;
files_tmp_file($1_dbusd_tmp_t)
-@@ -84,14 +83,18 @@
+@@ -84,14 +83,19 @@
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
@@ -14760,6 +14760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
+ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
++ allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
# SE-DBus specific permissions
- allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@@ -14771,7 +14772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-@@ -102,10 +105,9 @@
+@@ -102,10 +106,9 @@
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
@@ -14784,7 +14785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_dbusd_t $2:process sigkill;
allow $2 $1_dbusd_t:fd use;
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -115,8 +117,8 @@
+@@ -115,8 +118,8 @@
kernel_read_kernel_sysctls($1_dbusd_t)
corecmd_list_bin($1_dbusd_t)
@@ -14794,7 +14795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
-@@ -139,6 +141,7 @@
+@@ -139,6 +142,7 @@
fs_getattr_romfs($1_dbusd_t)
fs_getattr_xattr_fs($1_dbusd_t)
@@ -14802,7 +14803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_get_fs_mount($1_dbusd_t)
selinux_validate_context($1_dbusd_t)
-@@ -161,12 +164,24 @@
+@@ -161,12 +165,24 @@
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
@@ -14828,7 +14829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`read_default_t',`
files_list_default($1_dbusd_t)
files_read_default_files($1_dbusd_t)
-@@ -180,8 +195,15 @@
+@@ -180,9 +196,17 @@
')
optional_policy(`
@@ -14842,9 +14843,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_dontaudit_xdm_lib_search($1_dbusd_t)
+ xserver_rw_xdm_home_files($1_dbusd_t)
')
++
')
-@@ -207,14 +229,12 @@
+ #######################################
+@@ -207,14 +231,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -14862,7 +14865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
-@@ -223,6 +243,10 @@
+@@ -223,6 +245,10 @@
files_search_pids($2)
stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($2)
@@ -14873,7 +14876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -251,18 +275,16 @@
+@@ -251,18 +277,16 @@
template(`dbus_user_bus_client_template',`
gen_require(`
type $1_dbusd_t;
@@ -14894,7 +14897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -292,6 +314,55 @@
+@@ -292,6 +316,55 @@
########################################
##
@@ -14950,7 +14953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read dbus configuration.
##
##
-@@ -366,3 +437,75 @@
+@@ -366,3 +439,75 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -15028,7 +15031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/dbus.te 2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/dbus.te 2008-09-23 15:32:31.000000000 -0400
@@ -9,9 +9,10 @@
#
# Delcarations
@@ -15115,6 +15118,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
++ consolekit_dbus_chat(system_dbusd_t)
++')
++
++optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+')
+
@@ -15136,10 +15143,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+
+optional_policy(`
-+ consolekit_dbus_chat(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ gen_require(`
+ type unconfined_dbusd_t;
+ ')
@@ -19515,7 +19518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.8/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.if 2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/networkmanager.if 2008-09-23 11:18:34.000000000 -0400
@@ -118,6 +118,24 @@
########################################
@@ -19543,13 +19546,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te 2008-09-22 09:09:30.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te 2008-09-23 16:02:33.000000000 -0400
@@ -29,9 +29,9 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
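Review bot: `sys_admin` is added to the NetworkManager_t self:capability set on the `++allow` line with no comment saying which operation needs it, while the neighbouring ptrace rule documents both the reason and the bug number. sys_admin is the broadest capability in the set and reaches well beyond network configuration, so the denial that motivated it should be recorded, and if the operation is non-essential it belongs next to the existing `dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };` as a dontaudit rather than an allow. Suggested comment above the rule: `# sys_admin: needed for <OPERATION-PLACEHOLDER> (rh bug #<BUG-PLACEHOLDER>)` with the real operation and bug filled in. The spec changelog in this commit mentions only the dbus login change, so this capability widening is otherwise undocumented.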
@@ -21909,7 +21912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.8/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/ppp.if 2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/ppp.if 2008-09-23 15:53:43.000000000 -0400
@@ -310,6 +310,24 @@
########################################
@@ -26773,7 +26776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/squid.te 2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/squid.te 2008-09-23 15:23:35.000000000 -0400
@@ -31,12 +31,15 @@
type squid_var_run_t;
files_pid_file(squid_var_run_t)
@@ -26829,7 +26832,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_use_ld_so(squid_t)
libs_use_shared_libs(squid_t)
-@@ -149,11 +158,7 @@
+@@ -146,14 +155,11 @@
+
+ tunable_policy(`squid_connect_any',`
+ corenet_tcp_connect_all_ports(squid_t)
++ corenet_tcp_bind_all_ports(squid_t)
')
optional_policy(`
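Review bot: `corenet_tcp_bind_all_ports(squid_t)` is placed inside the tunable_policy block for `squid_connect_any`, whose name (and presumably its gen_tunable description elsewhere in squid.te) promises only outbound connections; once this lands, enabling the boolean also lets squid bind any TCP port, which an administrator who toggled it for upstream-proxy access will not expect. Either put the bind rule under a separate tunable, or update the `squid_connect_any` description to say that it also permits binding to all ports so the boolean's documented scope matches what it grants. The tunable_policy block is fully visible in the hunk.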
@@ -26842,7 +26849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -168,7 +173,12 @@
+@@ -168,7 +174,12 @@
udev_read_db(squid_t)
')
@@ -30107,7 +30114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/init.if 2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/system/init.if 2008-09-23 11:15:16.000000000 -0400
@@ -278,6 +278,27 @@
kernel_dontaudit_use_fds($1)
')
@@ -30320,7 +30327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/init.te 2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/system/init.te 2008-09-23 15:44:50.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart,false)
@@ -30393,7 +30400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nscd_socket_use(init_t)
')
-@@ -204,7 +230,7 @@
+@@ -204,9 +230,10 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30401,8 +30408,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
++allow initrc_t self:key { search };
-@@ -219,7 +245,8 @@
+ # Allow IPC with self
+ allow initrc_t self:unix_dgram_socket create_socket_perms;
+@@ -219,7 +246,8 @@
term_create_pty(initrc_t,initrc_devpts_t)
# Going to single user mode
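Review bot: `allow initrc_t self:key { search };` on the `++` line braces a single permission, while the rules around it (for example `allow initrc_t self:passwd rootok;`) write single permissions bare; `allow initrc_t self:key search;` matches the file. It also lands between the passwd rule and the `# Allow IPC with self` comment with nothing saying what triggers the key search; a short trailing comment in the style of the neighbouring `# sysctl is triggering this` would make the rule reviewable later.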
@@ -30412,7 +30422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(initrc_t, init_script_file_type)
-@@ -232,6 +259,7 @@
+@@ -232,6 +260,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t,initrc_var_run_t,file)
@@ -30420,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(initrc_t,initrc_tmp_t)
allow initrc_t initrc_tmp_t:file manage_file_perms;
-@@ -276,7 +304,7 @@
+@@ -276,7 +305,7 @@
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
@@ -30429,7 +30439,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -521,6 +549,31 @@
+@@ -371,6 +400,7 @@
+ libs_use_shared_libs(initrc_t)
+ libs_exec_lib_files(initrc_t)
+
++logging_send_audit_msgs(initrc_t)
+ logging_send_syslog_msg(initrc_t)
+ logging_manage_generic_logs(initrc_t)
+ logging_read_all_logs(initrc_t)
+@@ -521,6 +551,31 @@
')
')
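Review bot: `logging_send_audit_msgs(initrc_t)` on the `++` line re-grants a capability that init.te deliberately withholds: in reference policy this interface allows the caller `self:capability audit_write` along with netlink_audit_socket permissions, while the same file (in the hunk above) carries `allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };`, and allow rules are cumulative so the exclusion no longer has any effect for audit_write. If initrc_t genuinely needs to emit audit records, remove audit_write from that exclusion set so the decision is visible in one place and add a comment above the new call naming the init script that needs it; if the messages are merely noise from a helper, `logging_dontaudit_send_audit_msgs(initrc_t)` (if present in this policy version) keeps the original restriction. The `~{ ... }` line is context here, so I infer its intent from its form rather than from a comment.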
@@ -30461,7 +30479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +632,10 @@
+@@ -579,6 +634,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -30472,7 +30490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
networkmanager_dbus_chat(initrc_t)
')
')
-@@ -664,12 +721,6 @@
+@@ -664,12 +723,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -30485,7 +30503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
-@@ -730,6 +781,9 @@
+@@ -730,6 +783,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -30495,7 +30513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -742,10 +796,12 @@
+@@ -742,10 +798,12 @@
squid_manage_logs(initrc_t)
')
@@ -30508,7 +30526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -763,6 +819,11 @@
+@@ -763,6 +821,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -30520,7 +30538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_domain(initrc_t)
-@@ -777,6 +838,10 @@
+@@ -777,6 +840,10 @@
')
optional_policy(`
@@ -30531,7 +30549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -799,3 +864,11 @@
+@@ -799,3 +866,11 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -32469,8 +32487,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc 2008-09-17 08:49:09.000000000 -0400
-@@ -57,3 +57,5 @@
++++ serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc 2008-09-23 14:00:14.000000000 -0400
+@@ -11,6 +11,7 @@
+ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+@@ -57,3 +58,5 @@
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
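Review bot: the `++/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)` line moves /etc/hosts from the default etc_t to net_conf_t without a comment on why, and that type is the one whose write access is handed to network-configuration domains (dhclient, NetworkManager and similar, presumably via sysnet_manage_config), so every domain that could already rewrite resolv.conf can now also rewrite the static name-resolution table. The flip side is that domains reading /etc/hosts with only etc_t read access may start being denied unless they also have net_conf_t read access (sysnet_read_config). Add a comment above the entry stating the rationale, e.g. `# /etc/hosts is managed by the network config tools, so it shares resolv.conf's type`, and confirm readers of /etc/hosts have net_conf_t read access; the spec changelog in this commit does not mention the relabel.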
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5710f44..737ca5d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.8
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@ exit 0
%endif
%changelog
+* Tue Sep 23 2008 Dan Walsh 3.5.8-7
+- Allow confined users to login with dbus
+
* Mon Sep 22 2008 Dan Walsh 3.5.8-6
- Fix transition to nsplugin