From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: Latest diffs
Date: Tue, 02 May 2006 11:19:15 -0400
Message-ID: <1146583155.20331.65.camel@sgc>
In-Reply-To: <445767D1.3040406@redhat.com>


On Tue, 2006-05-02 at 10:08 -0400, Daniel J Walsh wrote:
> Fix spelling error fs_donaudit_read_removable_files
> 
> Mono apps need to be able to dbus_chat with unconfined_t
> 
> Mount/automount command needs to be able to name_bind to ports range 
> 600-2023.  I have called this the rpc_port_type.  This
> makes bindrsvcport work.

Is it supposed to be 600-2023 or 600-1023?  The latter is what I see in
the patch.

> nfs needs to be able to export noxattrfs file systems and needs getattr 
> as well as search
> 
> If I copy a file off of a defined filesystem_type to an ext3 system, 
> restorecon is not able to relabel.  So need
> fs_relabel_all_filesystem_types. 

I would think that the objects should just be noxattrfs rather than all
filesystems, and it should just be relabelfrom.

> Allow amavis to use pyzor
> 
> cups needs to be able to create socket to itself.

This needs more investigation; we need to find out more about this
generic socket so we can add a specific class for it.

> Allow domains to connectto cyrus streams
> 
> Fixes for postfix to be able to list spool directory
> 
> Allow procmail to send mail and run pyzor

Why was corenet_tcp_connect_spamd_port(procmail_t) removed?

> Add pyzor domain.  (Needs more testing)
> 
> nfs talking to ldap needs rand and certs access
> 
> Fixes for spamd to use postgres and pyzor

Why does spamd_t need to rw unconfined_t semaphores?  I don't see
anything like this in the per-userdomain template.

> pam_console touches all sorts of tty devices.
> 
> More textrel_shlib_t fixes.
> 
> ifconfig needs to rw_net_sysctls for IPV6
> 
> James Antill patch to add xm support to xen


-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


[-- Attachment #2: policy-20060411.patch --]
[-- Type: text/x-patch, Size: 40620 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.36/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
+++ serefpolicy-2.2.36/config/appconfig-strict-mls/default_type	2006-05-01 14:42:32.000000000 -0400
@@ -2,3 +2,4 @@
 secadm_r:secadm_t
 staff_r:staff_t
 user_r:user_t
+auditadm_r:auditadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.if serefpolicy-2.2.36/policy/modules/apps/cdrecord.if
--- nsaserefpolicy/policy/modules/apps/cdrecord.if	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/apps/cdrecord.if	2006-05-01 14:42:32.000000000 -0400
@@ -152,7 +152,7 @@
 		files_dontaudit_list_tmp($1_cdrecord_t)
 		files_dontaudit_list_home($1_cdrecord_t)
 		fs_dontaudit_list_removable($1_cdrecord_t)
-		fs_donaudit_read_removable_files($1_cdrecord_t)
+		fs_dontaudit_read_removable_files($1_cdrecord_t)
 		userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
 		userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.if serefpolicy-2.2.36/policy/modules/apps/evolution.if
--- nsaserefpolicy/policy/modules/apps/evolution.if	2006-04-20 08:17:35.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/apps/evolution.if	2006-05-01 14:42:32.000000000 -0400
@@ -303,7 +303,7 @@
 		files_dontaudit_list_tmp($1_evolution_t)
 		files_dontaudit_list_home($1_evolution_t)
 		fs_dontaudit_list_removable($1_evolution_t)
-		fs_donaudit_read_removable_files($1_evolution_t)
+		fs_dontaudit_read_removable_files($1_evolution_t)
 		userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
 		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.36/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/apps/mono.te	2006-05-01 14:42:32.000000000 -0400
@@ -20,8 +20,9 @@
 ifdef(`targeted_policy',`
 	allow mono_t self:process { execheap execmem };
 	unconfined_domain_noaudit(mono_t)
-	role system_r types mono_t;
+	unconfined_dbus_chat(mono_t)
 
+	role system_r types mono_t;
 	init_dbus_chat_script(mono_t)
 
 	optional_policy(`
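Review bot: the `role system_r types mono_t;` line is deleted and re-added two lines lower with no functional change, which makes the hunk noisier than the one-line addition of `unconfined_dbus_chat(mono_t)` needs; keep the role statement where it was. Since `unconfined_dbus_chat` grants `dbus send_msg` in both directions, the changelog entry ("Mono apps need to be able to dbus_chat with unconfined_t") should also say which mono application needs unconfined_t to initiate messages to it.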
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.2.36/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2006-03-24 11:15:44.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/apps/mozilla.if	2006-05-01 14:42:32.000000000 -0400
@@ -249,7 +249,7 @@
 		files_dontaudit_list_tmp($1_mozilla_t)
 		files_dontaudit_list_home($1_mozilla_t)
 		fs_dontaudit_list_removable($1_mozilla_t)
-		fs_donaudit_read_removable_files($1_mozilla_t)
+		fs_dontaudit_read_removable_files($1_mozilla_t)
 		userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
 		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-2.2.36/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if	2006-03-24 11:15:44.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/apps/thunderbird.if	2006-05-01 14:42:32.000000000 -0400
@@ -216,7 +216,7 @@
 		files_dontaudit_list_home($1_thunderbird_t)
 
 		fs_dontaudit_list_removable($1_thunderbird_t)
-		fs_donaudit_read_removable_files($1_thunderbird_t)
+		fs_dontaudit_read_removable_files($1_thunderbird_t)
 
 		userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.2.36/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2006-04-27 10:31:32.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.if.in	2006-05-01 14:42:32.000000000 -0400
@@ -1259,3 +1259,78 @@
 
 	typeattribute $1 corenet_unconfined_type;
 ')
+
+
+########################################
+## <summary>
+##	Bind TCP sockets to all rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:tcp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind TCP sockets to all rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to all rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:udp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to bind UDP sockets to all rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:udp_socket name_bind;
+')
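Review bot: the four interfaces are named `*_all_rpc_ports`, but per the `declare_ports` change in corenetwork.te.m4 the `rpc_port_type` attribute is attached to every declared reserved port numbered 600 or above, most of which have nothing to do with RPC, so the `<summary>` text "Bind TCP sockets to all rpc ports" understates what is granted. Document the attribute as the range glibc's bindresvport searches (reserved ports from 600 up to 1023) in each summary, and consider a name that reflects that range rather than RPC.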
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-04-18 22:49:59.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.in	2006-05-01 14:42:32.000000000 -0400
@@ -10,6 +10,7 @@
 attribute node_type;
 attribute port_type;
 attribute reserved_port_type;
+attribute rpc_port_type;
 
 attribute corenet_unconfined_type;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.m4
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4	2006-01-16 13:55:42.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.m4	2006-05-01 14:42:32.000000000 -0400
@@ -46,7 +46,11 @@
 ') dnl end determine reserved capability depend
 
 define(`declare_ports',`dnl
-ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
+ifelse(eval($3 < 1024),1,`
+typeattribute $1 reserved_port_type;
+#bindresvport in glibc starts searching for reserved ports at 600
+ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+',`dnl')
 portcon $2 $3 gen_context(system_u:object_r:$1,$4)
 ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
 ')
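Review bot: the `#bindresvport in glibc starts searching for reserved ports at 600` comment sits inside the `declare_ports` macro body, so it is copied into the generated corenetwork.te once for every reserved port declared; the surrounding lines use `dnl` for exactly this reason, so make it a `dnl` comment. The condition `$3 >= 600` nested under `$3 < 1024` also confirms the attribute covers 600-1023, so the "600-2023" in the changelog is a typo.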
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.36/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2006-04-20 08:17:36.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/kernel/domain.te	2006-05-01 14:42:32.000000000 -0400
@@ -96,6 +96,7 @@
 	# workaround until role dominance is fixed in
 	# the module compiler
 	role secadm_r types domain;
+	role auditadm_r types domain;
 	role sysadm_r types domain;
 	role user_r types domain;
 	role staff_r types domain;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.36/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-28 22:50:56.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/kernel/files.if	2006-05-01 14:42:32.000000000 -0400
@@ -1699,6 +1699,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
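Review bot: `files_unlink_boot_flag` is documented with the old `#` comment header instead of the `## <summary>` / `## <param>` XML block that every other interface in files.if uses (see the block directly below it), so it will be missing from the generated interface documentation; convert it. Also, `allow $1 root_t:file unlink;` permits unlinking any root_t-labelled file in /, not only /halt and /.autofsck, which the summary should say plainly since no narrower type exists for those flag files.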
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.36/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-04-28 22:50:56.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/kernel/filesystem.if	2006-05-01 14:42:32.000000000 -0400
@@ -609,7 +609,7 @@
 		attribute noxattrfs;
 	')
 
-	allow $1 noxattrfs:dir search;
+	allow $1 noxattrfs:dir search_dir_perms;
 	allow $1 noxattrfs:file r_file_perms;
 
 ')
@@ -629,7 +629,7 @@
 		attribute noxattrfs;
 	')
 
-	allow $1 noxattrfs:dir search;
+	allow $1 noxattrfs:dir search_dir_perms;
 	allow $1 noxattrfs:lnk_file r_file_perms;
 ')
 
@@ -1277,7 +1277,7 @@
 
 ########################################
 ## <summary>
-##	Read files on a NFS filesystem.
+##	Write files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1491,7 +1491,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`fs_donaudit_read_removable_files',`
+interface(`fs_dontaudit_read_removable_files',`
 	gen_require(`
 		type removable_t;
 	')
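Review bot: the interface is renamed in place with no compatibility wrapper for the misspelled `fs_donaudit_read_removable_files`; all in-tree callers (cdrecord, evolution, mozilla, thunderbird, lvm) are updated in this same patch, so this is fine provided the whole patch lands together.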
@@ -3204,3 +3204,33 @@
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
+
+
+
+########################################
+## <summary>
+##	Relabel all filesystem_types on the filesystem,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_all_filesystem_types',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	allow $1 { filesystem_type }:dir { r_dir_perms relabelfrom relabelto };
+	allow $1 { filesystem_type }:file { getattr relabelfrom relabelto };
+	allow $1 { filesystem_type }:lnk_file { getattr relabelfrom relabelto };
+	allow $1 { filesystem_type }:fifo_file { getattr relabelfrom relabelto };
+	allow $1 { filesystem_type }:sock_file { getattr relabelfrom relabelto };
+	allow $1 { filesystem_type }:blk_file { getattr relabelfrom };
+	allow $1 { filesystem_type }:chr_file { getattr relabelfrom };
+
+	# satisfy the assertions:
+	seutil_relabelto_bin_policy($1)
+')
+
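Review bot: the grant is far wider than the stated motivation (restorecon relabelling a file copied off a non-xattr filesystem onto ext3): it allows `relabelfrom` and `relabelto` on every `filesystem_type` for dirs, files, symlinks, fifos and sockets, whereas that case needs only `relabelfrom` on `noxattrfs`, and `relabelto` a filesystem type is never a label a file should end up with. Narrow it to `allow $1 noxattrfs:{ dir file lnk_file fifo_file sock_file } { getattr relabelfrom };` and drop the relabelto side. Minor: "perfoming" in the param summary, the summary line ends with a comma, and the `{ filesystem_type }` braces around a single attribute are unnecessary.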
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.36/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-05-01 14:39:06.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/kernel/kernel.te	2006-05-01 14:42:32.000000000 -0400
@@ -28,6 +28,7 @@
 
 ifdef(`enable_mls',`
 	role secadm_r;
+	role auditadm_r;
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.36/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/services/amavis.te	2006-05-01 14:42:32.000000000 -0400
@@ -146,3 +146,7 @@
 	spamassassin_exec(amavis_t)
 	spamassassin_exec_client(amavis_t)
 ')
+
+optional_policy(`
+	pyzor_domtrans(amavis_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.36/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/services/automount.te	2006-05-01 14:42:32.000000000 -0400
@@ -86,6 +86,7 @@
 # Automount execs showmount when you browse /net.  This is required until
 # Someone writes a showmount policy
 corenet_tcp_bind_reserved_port(automount_t)
+corenet_tcp_bind_all_rpc_ports(automount_t)
 
 dev_read_sysfs(automount_t)
 # for SSP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.36/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/services/cups.te	2006-05-01 14:42:32.000000000 -0400
@@ -79,6 +79,7 @@
 allow cupsd_t self:process { setsched signal_perms };
 allow cupsd_t self:fifo_file rw_file_perms;
 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow cupsd_t self:socket create_socket_perms;
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
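Review bot: `allow cupsd_t self:socket create_socket_perms;` grants the generic `socket` class, which is what the kernel falls back to for address families that have no dedicated SELinux class, so this line hides which kind of socket cupsd is actually creating. Record the AVC denial together with the socket family from the audit record in the commit message before merging, so the rule can be replaced with a specific class once one is defined.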
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-2.2.36/policy/modules/services/cyrus.if
--- nsaserefpolicy/policy/modules/services/cyrus.if	2006-02-10 17:05:19.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/services/cyrus.if	2006-05-01 14:42:32.000000000 -0400
@@ -20,3 +20,25 @@
 	allow $1 cyrus_var_lib_t:dir rw_dir_perms;
 	allow $1 cyrus_var_lib_t:file manage_file_perms;
 ')
+
+
+########################################
+## <summary>
+##	Connect to Cyrus using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cyrus_stream_connect',`
+	gen_require(`
+		type cyrus_t, cyrus_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 cyrus_var_lib_t:dir search;
+	allow $1 cyrus_var_lib_t:sock_file write;
+	allow $1 cyrus_t:unix_stream_socket connectto;
+')
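Review bot: `allow $1 cyrus_var_lib_t:dir search;` uses the bare `search` permission while this same patch changes equivalent rules in filesystem.if to `search_dir_perms` because getattr was missing; use `search_dir_perms` here too for consistency.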
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.36/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2006-04-20 08:17:39.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/services/postfix.te	2006-05-01 14:42:32.000000000 -0400
@@ -181,6 +181,10 @@
 ')
 
 optional_policy(`
+	cyrus_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(postfix_master_t)
 ')
 
@@ -390,6 +394,7 @@
 allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
 allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
 
+postfix_list_spool(postfix_pickup_t)
 allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
 allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
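Review bot: `postfix_list_spool(postfix_pickup_t)` calls the postfix module's own interface from inside postfix.te; the refpolicy convention is that a module's .te writes direct rules on its own types and keeps the interfaces in postfix.if for other modules. Write the underlying allow rule on `postfix_spool_t` directly here, and likewise in the postdrop_t and showq_t hunks below.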
@@ -430,6 +435,7 @@
 allow postfix_postdrop_t postfix_public_t:dir search;
 allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
 
+postfix_list_spool(postfix_postdrop_t)
 allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
 
@@ -538,6 +544,8 @@
 
 allow postfix_showq_t postfix_spool_t:file r_file_perms;
 
+postfix_list_spool(postfix_showq_t)
+
 allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
 allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.36/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/services/procmail.te	2006-05-01 14:42:32.000000000 -0400
@@ -95,16 +95,20 @@
 
 optional_policy(`
 	mta_read_config(procmail_t)
+	sendmail_domtrans(procmail_t)
 	sendmail_rw_tcp_sockets(procmail_t)
 	sendmail_rw_unix_stream_sockets(procmail_t)
 ')
 
 optional_policy(`
 	corenet_udp_bind_generic_port(procmail_t)
-	corenet_tcp_connect_spamd_port(procmail_t)
 
 	files_getattr_tmp_dirs(procmail_t)
 
 	spamassassin_exec(procmail_t)
 	spamassassin_exec_client(procmail_t)
 ')
+
+optional_policy(`
+	pyzor_domtrans(procmail_t)
+')
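Review bot: the removal of `corenet_tcp_connect_spamd_port(procmail_t)` is not explained by the changelog ("Allow procmail to send mail and run pyzor" only describes added access); if spamc run from procmail_t still connects to spamd over TCP this is a regression, so either restore the line or state why it is no longer needed.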
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.36/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/services/pyzor.fc	2006-05-01 14:42:32.000000000 -0400
@@ -0,0 +1,6 @@
+/etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
+/usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
+/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
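Review bot: `HOME_DIR/\.pyzor(/.*)?` is labelled `ROLE_pyzor_home_t`, but pyzor.te in this patch declares no per-role home type (only pyzor_t, pyzord_t, pyzor_exec_t, pyzord_exec_t, pyzor_etc_t, pyzor_var_lib_t and pyzord_log_t) and pyzor.if has no per-userdomain template, so this file_contexts entry names a type that does not exist and will fail at load or relabel time. Either drop the line or add the template that declares `$1_pyzor_home_t`. Minor: `/var/lib/pyzord` is labelled pyzor_var_lib_t while the daemon's other types use the pyzord_ prefix; pick one.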
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.36/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/services/pyzor.if	2006-05-01 14:42:32.000000000 -0400
@@ -0,0 +1,46 @@
+## <summary>Pyzor mail delivery agent</summary>
+
+########################################
+## <summary>
+##	Execute pyzor with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pyzor_domtrans',`
+	gen_require(`
+		type pyzor_exec_t, pyzor_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,pyzor_exec_t,pyzor_t)
+
+	allow $1 pyzor_t:fd use;
+	allow pyzor_t $1:fd use;
+	allow pyzor_t $1:fifo_file rw_file_perms;
+	allow pyzor_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute pyzor in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pyzor_exec',`
+	gen_require(`
+		type pyzor_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,pyzor_exec_t)
+')
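Review bot: the module summary "Pyzor mail delivery agent" is inaccurate and is what ends up in the generated documentation; pyzor is a collaborative spam-detection client and server, not an MDA. `pyzor_exec` has no caller anywhere in this patch (amavis, procmail and spamd all use `pyzor_domtrans`); drop it or note who needs it.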
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.36/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/services/pyzor.te	2006-05-01 14:42:32.000000000 -0400
@@ -0,0 +1,109 @@
+policy_module(pyzor,1.1.0)
+
+type pyzord_t;
+type pyzord_exec_t;
+domain_type(pyzord_t)
+init_daemon_domain(pyzord_t,pyzord_exec_t)
+role system_r types pyzord_t;
+
+type pyzor_t;
+type pyzor_exec_t;
+domain_type(pyzor_t)
+domain_entry_file(pyzor_t,pyzor_exec_t)
+role system_r types pyzor_t;
+
+type pyzor_var_lib_t;
+files_type(pyzor_var_lib_t)
+
+type pyzor_etc_t;
+files_type(pyzor_etc_t)
+
+type pyzord_log_t;
+logging_log_file(pyzord_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pyzord_t self:udp_socket create_socket_perms;
+allow pyzord_t pyzor_port_t:udp_socket name_bind;
+
+allow pyzord_t pyzor_var_lib_t:file create_file_perms;
+allow pyzord_t pyzor_var_lib_t:dir { rw_dir_perms setattr };
+files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
+
+allow pyzord_t pyzor_etc_t:file create_file_perms;
+allow pyzord_t pyzor_etc_t:dir r_dir_perms;
+
+allow pyzord_t pyzord_log_t:file create_file_perms;
+allow pyzord_t pyzord_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
+
+auth_use_nsswitch(pyzord_t)
+
+dev_read_urand(pyzord_t)
+
+can_exec(pyzord_t,pyzor_exec_t)
+
+corenet_raw_sendrecv_all_if(pyzord_t)
+corenet_udp_sendrecv_all_if(pyzord_t)
+corenet_udp_sendrecv_all_nodes(pyzord_t)
+corenet_raw_sendrecv_all_nodes(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
+corenet_non_ipsec_sendrecv(pyzord_t)
+corenet_udp_bind_all_nodes(pyzord_t)
+corecmd_exec_bin(pyzord_t)
+
+files_read_etc_files(pyzord_t)
+
+kernel_read_kernel_sysctls(pyzord_t)
+kernel_read_system_state(pyzord_t)
+
+libs_use_ld_so(pyzord_t)
+libs_use_shared_libs(pyzord_t)
+
+miscfiles_read_localization(pyzord_t)
+
+term_dontaudit_use_generic_ptys(pyzord_t)
+
+# only works until we define a different type for maildir
+userdom_priveleged_home_dir_manager(pyzord_t)
+# Do not audit attempts to access /root.
+userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
+userdom_dontaudit_search_staff_home_dirs(pyzord_t)
+
+mta_manage_spool(pyzord_t)
+
+optional_policy(`
+	logging_send_syslog_msg(pyzord_t)
+')
+
+optional_policy(`
+	nscd_socket_use(pyzord_t)
+')
+
+########################################
+# pyzor defs
+########################################
+
+auth_use_nsswitch(pyzor_t)
+
+files_read_etc_files(pyzor_t)
+
+libs_use_ld_so(pyzor_t)
+libs_use_shared_libs(pyzor_t)
+
+miscfiles_read_localization(pyzor_t)
+
+files_search_var_lib(pyzor_t)
+allow pyzor_t pyzor_var_lib_t:dir r_dir_perms;
+allow pyzor_t pyzor_var_lib_t:file r_file_perms;
+
+optional_policy(`
+	spamassassin_read_spamd_tmp_files(pyzor_t)
+')
+
+optional_policy(`
+	amavis_manage_lib_files(pyzor_t)
+')
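Review bot: `allow pyzord_t pyzor_port_t:udp_socket name_bind;` references a corenetwork port type directly, without a `gen_require` and without going through a corenet interface; nothing in this patch declares a pyzor port in corenetwork.te.in, so unless it already exists the module will not build, and even then it should call a `corenet_udp_bind_*` interface rather than naming the type. The client domain pyzor_t has no socket or corenet rules at all, yet a pyzor check is a UDP query to the pyzord servers, so it will be denied in practice, which matches "Needs more testing". Several pyzord_t rules look copied from another mail module rather than needed by a digest server: `mta_manage_spool`, `userdom_priveleged_home_dir_manager` with its "maildir" comment, and the `corenet_raw_sendrecv_*` calls with no `rawip_socket` permission to go with them; trim them to what the denials show. Nit: a new module normally starts at 1.0.0, not 1.1.0.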
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.36/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2006-04-18 22:50:00.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/services/rpc.te	2006-05-01 15:22:55.000000000 -0400
@@ -52,6 +52,9 @@
 corenet_udp_bind_generic_port(rpcd_t)
 corenet_udp_bind_reserved_port(rpcd_t)
 
+dev_read_urand(rpcd_t)
+dev_read_rand(rpcd_t)
+
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
@@ -61,6 +64,8 @@
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)
 
+miscfiles_read_certs(rpcd_t)
+
 seutil_dontaudit_search_config(rpcd_t)
 
 portmap_udp_chat(rpcd_t) 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.36/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-04-20 08:17:39.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/services/spamassassin.te	2006-05-01 14:42:32.000000000 -0400
@@ -128,6 +128,7 @@
 		userdom_manage_generic_user_home_content_files(spamd_t)
 		userdom_manage_generic_user_home_content_symlinks(spamd_t)
 	')
+	unconfined_rw_semaphores(spamd_t)
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
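Review bot: `unconfined_rw_semaphores(spamd_t)` is added inside whatever block closes on the following `')` without an `optional_policy` wrapper, so if that enclosing block is reachable in strict policy, where the unconfined module need not be loaded, the build breaks; wrap it in `optional_policy`. The changelog ("Fixes for spamd to use postgres and pyzor") also does not say which part of spamd shares SysV semaphores with unconfined_t, and as the reply notes nothing in the per-userdomain template does this, so the denial should be cited.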
@@ -143,6 +144,14 @@
 ')
 
 optional_policy(`
+        postgresql_stream_connect(spamd_t)
+');
+
+optional_policy(`
+	pyzor_domtrans(spamd_t)
+')
+
+optional_policy(`
 	amavis_manage_lib_files(spamd_t)
 ')
 
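Review bot: `');` after `postgresql_stream_connect(spamd_t)` has a stray semicolon that survives m4 expansion as a bare `;` in the policy, which checkpolicy will most likely reject; it should read `')`. That call is also indented with spaces while the rest of the file uses tabs.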
@@ -167,12 +176,4 @@
 	udev_read_db(spamd_t)
 ')
 
-ifdef(`TODO',`
-optional_policy(`
-# for bayes tokens
-allow spamd_t var_lib_t:dir { getattr search };
-allow spamd_t amavisd_lib_t:dir rw_dir_perms;
-allow spamd_t amavisd_lib_t:file create_file_perms;
-allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
-')
-') dnl end TODO
+
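Review bot: removing the dead `ifdef(`TODO'` block is fine, but the replacement adds a trailing blank line at end of file; drop the `+` empty line.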
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.36/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-04-19 12:23:07.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/authlogin.te	2006-05-01 14:42:32.000000000 -0400
@@ -188,6 +188,8 @@
 storage_setattr_scsi_generic_dev(pam_console_t)
 
 term_use_console(pam_console_t)
+term_use_all_user_ttys(pam_console_t)
+term_use_all_user_ptys(pam_console_t)
 term_setattr_console(pam_console_t)
 term_getattr_unallocated_ttys(pam_console_t)
 term_setattr_unallocated_ttys(pam_console_t)
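Review bot: `term_use_all_user_ttys` and `term_use_all_user_ptys` give pam_console_t read and write on every user tty and pty, while the changelog only says pam_console "touches" them, which for pam_console normally means changing ownership and permissions at login rather than doing I/O. The surrounding lines already use setattr-only interfaces for the console and unallocated ttys; if an equivalent setattr interface exists for user ttys and ptys, prefer it, and if use is genuinely required, record the denial in the commit.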
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.36/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-04-27 10:31:33.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/init.te	2006-05-01 14:42:32.000000000 -0400
@@ -348,6 +348,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.36/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-04-27 10:31:33.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/libraries.fc	2006-05-01 17:18:37.000000000 -0400
@@ -75,6 +75,7 @@
 
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ati-fglrx/.*\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -84,9 +85,9 @@
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/(local/)?lib(64)?/wine/.*\.so  	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 
 /usr/NX/lib/libXcomp.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libjpeg.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
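Review bot: the moved line `/usr/(local/)?.*\.so(\.[^/]*)*` is not equivalent to the removed `/usr/local/.*\.so(\.[^/]*)*`: `.*` already matches `local/`, so the `(local/)?` group is a no-op and the entry now labels every `.so` anywhere under /usr as shlib_t, including paths that are not library directories. The more specific textrel_shlib_t entries still take precedence under the usual fc_sort ordering, but this is a much broader default than before; if the intent was only /usr/local, keep the original line.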
@@ -195,10 +196,12 @@
 
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
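Review bot: in `/usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)*` the added `(local/)?` is redundant, because the following `(.*/)?` already matches `local/`, so the original line covered /usr/local/.../jre paths. The two acroread entries are identical to the Adobe ones apart from the directory name and could be folded into them with `(Adobe|acroread)`.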
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.2.36/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te	2006-03-24 11:15:53.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/system/lvm.te	2006-05-01 14:42:32.000000000 -0400
@@ -205,9 +205,10 @@
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
-fs_donaudit_read_removable_files(lvm_t)
+fs_dontaudit_read_removable_files(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
+storage_dontaudit_read_removable_device(lvm_t)
 # LVM creates block devices in /dev/mapper or /dev/<vg>
 # depending on its version
 # LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.36/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2006-04-19 12:23:07.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/mount.te	2006-05-01 14:42:32.000000000 -0400
@@ -126,6 +126,8 @@
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
 	corenet_udp_bind_reserved_port(mount_t)
+	corenet_tcp_bind_all_rpc_ports(mount_t)
+	corenet_udp_bind_all_rpc_ports(mount_t)
 	corenet_tcp_connect_all_ports(mount_t)
 
 	fs_search_rpc(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.36/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/selinuxutil.te	2006-05-01 14:42:32.000000000 -0400
@@ -393,6 +393,8 @@
 userdom_use_all_users_fds(restorecon_t)
 
 files_relabel_all_files(restorecon_t)
+fs_relabel_all_filesystem_types(restorecon_t)
+
 files_list_all(restorecon_t)
 # this is to satisfy the assertion:
 auth_relabelto_shadow(restorecon_t)
@@ -427,6 +429,7 @@
 
 auth_relabel_all_files_except_shadow(restorecond_t )
 auth_read_all_files_except_shadow(restorecond_t)
+fs_relabel_all_filesystem_types(restorecond_t)
 
 kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
@@ -627,6 +630,7 @@
 files_read_etc_files(setfiles_t)
 files_list_all(setfiles_t)
 files_relabel_all_files(setfiles_t)
+fs_relabel_all_filesystem_types(setfiles_t)
 
 logging_send_syslog_msg(setfiles_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.36/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-04-27 10:31:34.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/sysnetwork.te	2006-05-01 14:42:32.000000000 -0400
@@ -286,6 +286,7 @@
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
 kernel_search_network_sysctl(ifconfig_t)
+kernel_rw_net_sysctls(ifconfig_t)
 
 corenet_rw_tun_tap_dev(ifconfig_t)
 
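Review bot: kernel_rw_net_sysctls(ifconfig_t) grants write access to the whole net sysctl tree; if this is only needed for IPv6 interface configuration, say so in a comment above the rule, and check whether the existing kernel_search_network_sysctl(ifconfig_t) line directly above it becomes redundant, since the rw interface is expected to include directory search on the same sysctl tree.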
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.36/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-04-27 10:31:34.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/unconfined.if	2006-05-01 14:42:32.000000000 -0400
@@ -381,6 +381,27 @@
 
 ########################################
 ## <summary>
+##	Send and receive messages from
+##	unconfined_t over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dbus_chat',`
+	gen_require(`
+		type unconfined_t;
+		class dbus send_msg;
+	')
+
+	allow $1 unconfined_t:dbus send_msg;
+	allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Add an alias type to the unconfined domain.
 ## </summary>
 ## <desc>
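Review bot: unconfined_dbus_chat does gen_require on unconfined_t with no targeted_policy guard, so the interface will fail to build in strict policy, where that type does not exist; the other interfaces in this file handle this with an ifdef(`targeted_policy') branch and the `errprint(`Warning: $0($1) has no effect in strict policy.'` fallback visible further down, and this one should follow the same pattern. The rules themselves are symmetric (send_msg in both directions), which matches the "chat" naming.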
@@ -410,3 +431,22 @@
 		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
 	')
 ')
+
+########################################
+## <summary>
+##	Communicate with  unconfined user SysV sempaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_semaphores',`
+	gen_require(`
+			type unconfined_t;
+	')
+
+	allow $1 unconfined_t:sem rw_sem_perms;
+')
+
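Review bot: unconfined_rw_semaphores has the same missing targeted_policy guard as the dbus interface above (gen_require of unconfined_t fails in strict policy), plus several cosmetic problems: "sempaphores" is misspelled and the summary has a doubled space, the `type unconfined_t;` line inside gen_require is indented three tabs instead of two, and the hunk adds a trailing blank line at end of file. On substance, rw_sem_perms on the unconfined user's SysV semaphores is a strong grant for a system daemon to receive, so each caller should state in a comment which semaphores it needs and why.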
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.36/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-04-28 22:50:57.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/userdomain.te	2006-05-01 14:42:32.000000000 -0400
@@ -67,6 +67,7 @@
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
 	unconfined_alias_domain(secadm_t)
+	unconfined_alias_domain(auditadm_t)
 	unconfined_alias_domain(sysadm_t)
 
 	# User home directory type.
@@ -82,6 +83,7 @@
 
 	# compatibility for switching from strict
 #	dominance { role secadm_r { role system_r; }}
+#	dominance { role auditadm_r { role system_r; }}
 #	dominance { role sysadm_r { role system_r; }}
 #	dominance { role user_r { role system_r; }}
 #	dominance { role staff_r { role system_r; }}
@@ -105,9 +107,10 @@
 
 	ifdef(`enable_mls',`
 		allow secadm_r system_r;
+		allow auditadm_r system_r;
 		allow secadm_r user_r;
-		allow user_r secadm_r;
 		allow staff_r secadm_r;
+		allow staff_r auditadm_r;
 	')
 
 	optional_policy(`
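Review bot: the removal of `allow user_r secadm_r;` is a behaviour change unrelated to introducing auditadm_r, and it leaves the pair asymmetric (`allow secadm_r user_r;` remains); if it is intentional it should be called out explicitly and ideally be a separate change, otherwise restore the line.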
@@ -128,8 +131,19 @@
 
 	ifdef(`enable_mls',`
 		admin_user_template(secadm)
+		admin_user_template(auditadm)
+
+		role_change(staff,auditadm)
 		role_change(staff,secadm)
+
 		role_change(sysadm,secadm)
+		role_change(sysadm,auditadm)
+
+		role_change(auditadm,secadm)
+		role_change(auditadm,sysadm)
+
+		role_change(secadm,auditadm)
+		role_change(secadm,sysadm)
 	')
 
 	# this should be tunable_policy, but
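Review bot: role_change(auditadm,secadm) together with role_change(secadm,auditadm), and likewise the auditadm/sysadm pair, makes the three administrative roles mutually reachable, which undercuts the separation a distinct audit administrator role is meant to provide under MLS; if auditadm is intended to be separate from secadm and sysadm, drop the cross transitions between them, keep only the staff -> {secadm, auditadm} entries, and document the intended role graph in a comment.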
@@ -179,10 +193,13 @@
 		mls_file_downgrade(secadm_t)
 		init_exec(secadm_t)
 		logging_read_audit_log(secadm_t)
-		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 		files_relabel_all_files(secadm_t)
 		auth_relabel_shadow(secadm_t)
+
+		corecmd_exec_shell(auditadm_t)
+		logging_read_audit_log(auditadm_t)
+		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
 	', `
 		logging_read_audit_log(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
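Review bot: logging_run_auditctl moves from secadm_t to auditadm_t, but secadm_t keeps logging_read_audit_log(secadm_t) two lines above; if audit administration is being carved out into auditadm_t, state whether secadm_t is meant to retain read access to the audit log, and add a comment over the new auditadm_t block noting that auditadm_tty_device_t and auditadm_devpts_t come from the admin_user_template(auditadm) call added earlier in this file.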
@@ -240,6 +257,7 @@
 
 		ifdef(`enable_mls',`
 			consoletype_exec(secadm_t)
+			consoletype_exec(auditadm_t)
 		')
 	')
 
@@ -252,6 +270,7 @@
 
 		ifdef(`enable_mls',`
 			dmesg_exec(secadm_t)
+			dmesg_exec(auditadm_t)
 		')
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.36/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc	2006-03-23 16:08:51.000000000 -0500
+++ serefpolicy-2.2.36/policy/modules/system/xen.fc	2006-05-01 14:42:32.000000000 -0400
@@ -14,3 +14,4 @@
 /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
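Review bot: the new `/usr/sbin/xm` entry is appended after the /var/run entries; file context files in this tree are kept sorted by path, so it belongs with the /usr entries earlier in the file. The xm_exec_t label depends on the type declared in xen.te elsewhere in this patch, which is fine as long as both land together.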
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.36/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if	2006-04-27 10:31:34.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/xen.if	2006-05-01 14:42:32.000000000 -0400
@@ -47,13 +47,12 @@
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and write
-##	Xen unix domain stream sockets.
+##     Don't audit leaked file descriptor.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain to don't audit.
-##	</summary>
+##     <summary>
+##     Domain to don't audit.
+##     </summary>
 ## </param>
 #
 interface(`xen_dontaudit_rw_unix_stream_sockets',`
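Review bot: this hunk replaces the accurate summary of xen_dontaudit_rw_unix_stream_sockets (read and write of Xen unix domain stream sockets) with "Don't audit leaked file descriptor.", which no longer describes what the interface does, and it changes the tab indentation of the XML comment block to spaces, unlike the rest of the file; this looks accidental and the hunk should be dropped.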
@@ -84,3 +83,66 @@
 	allow $1 xenstored_var_run_t:sock_file { getattr write };
 	allow $1 xenstored_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	Connect to xend over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_connect',`
+	gen_require(`
+		type xend_t, xend_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xend_var_run_t:dir search;
+	allow $1 xend_var_run_t:sock_file getattr;
+	allow $1 xend_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Write to xend over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_writeto',`
+	gen_require(`
+		type xend_var_run_t;
+	')
+
+	allow $1 xend_var_run_t:sock_file write;
+')
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run xm.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xm_domtrans',`
+	gen_requires(`
+		type xm_t, xm_exec_t;
+	')
+
+	domain_auto_trans($1,xm_exec_t,xm_t)
+
+	allow $1 xm_t:fd use;
+	allow xm_t $1:fd use;
+	allow xm_t:$1:fifo_file rw_file_perms;
+	allow xm_t $1:process sigchld;
+')
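Review bot: xm_domtrans will not build as written: `gen_requires(` should be `gen_require(`, and `allow xm_t:$1:fifo_file rw_file_perms;` has a colon where the space between source and target belongs (`allow xm_t $1:fifo_file rw_file_perms;`). Beyond that, the interface should carry the module prefix (xen_domtrans_xm) like every other interface in this file; xen_connect and xen_writeto split one operation (connecting to and writing the xend socket) that no caller will want separately, so fold them into a single xen_stream_connect_xend mirroring the existing interface just above, which grants `{ getattr write }` on the sock_file plus connectto; "an unix" should read "a unix" in both summaries; and there is a doubled blank line before the xm_domtrans block.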
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.36/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-04-27 10:31:34.000000000 -0400
+++ serefpolicy-2.2.36/policy/modules/system/xen.te	2006-05-01 14:42:32.000000000 -0400
@@ -224,3 +224,55 @@
 miscfiles_read_localization(xenstored_t)
 
 xen_append_log(xenstored_t)
+
+########################################
+#
+# Declarations
+#
+
+type xm_t;
+type xm_exec_t;
+domain_type(xm_t)
+init_daemon_domain(xm_t, xm_exec_t)
+
+########################################
+#
+# xm local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(xm_t)
+libs_use_ld_so(xm_t)
+libs_use_shared_libs(xm_t)
+miscfiles_read_localization(xm_t)
+# internal communication is often done using fifo and unix sockets.
+allow xm_t self:fifo_file { read write };
+allow xm_t self:unix_stream_socket create_stream_socket_perms;
+
+
+# james -- aujdit2allow
+
+corecmd_exec_bin(xm_t)
+corecmd_exec_sbin(xm_t)
+
+kernel_read_system_state(xm_t)
+kernel_read_kernel_sysctls(xm_t)
+kernel_read_xen_state(xm_t)
+kernel_write_xen_state(xm_t)
+term_use_all_terms(xm_t)
+
+dev_read_urand(xm_t)
+
+xen_append_log(xm_t)
+xen_connect(xm_t)
+xen_writeto(xm_t)
+
+xen_stream_connect_xenstore(xm_t)
+allow xm_t self:capability dac_override;
+
+
+# allow xm_t root_t:dir search;
+# Need to relabel files for xen
+auth_read_all_files_except_shadow(xm_t)
+
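Review bot: init_daemon_domain(xm_t, xm_exec_t) declares xm as an init-started daemon, but xm is an administrator command entered through the domain transition added in xen.if, so a plain domain with an entry point fits better (and the separate domain_type(xm_t) call is redundant with init_daemon_domain either way). The block also still carries template residue that should go before merging: the "Check in /etc/selinux/refpolicy/include ..." and "Some common macros" comments, the `# james -- aujdit2allow` marker, the commented-out `allow xm_t root_t:dir search;`, and the trailing blank line at end of file. auth_read_all_files_except_shadow(xm_t) is a broad read grant whose comment ("Need to relabel files for xen") does not describe it; state which files xm actually reads, and likewise justify term_use_all_terms(xm_t) and the dac_override capability.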
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.36/policy/rolemap
--- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
+++ serefpolicy-2.2.36/policy/rolemap	2006-05-01 14:42:32.000000000 -0400
@@ -15,5 +15,6 @@
 
 	ifdef(`enable_mls',`
 		secadm_r secadm secadm_t
+		auditadm_t auditadm auditadm_t
 	')
 ')
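Review bot: the rolemap entry `auditadm_t auditadm auditadm_t` has the role column wrong; following the `secadm_r secadm secadm_t` line above it, it should read `auditadm_r auditadm auditadm_t`. As written it names a type where a role is expected.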
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.36/policy/users
--- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
+++ serefpolicy-2.2.36/policy/users	2006-05-01 14:42:32.000000000 -0400
@@ -29,7 +29,7 @@
 gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
@@ -44,8 +44,8 @@
 	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')
