Do not drop capability bounding set in seunshare, this allows sandbox to

run setuid apps. Cleanup policy generation template Pass dpi settings to sandbox
2011-06-13 13:46:07 -04:00 · 2011-06-13 13:46:07 -04:00 · de46aea469
parent fe90fcfea9
commit de46aea469
2 changed files with 175 additions and 144 deletions
--- a/policycoreutils-gui.patch
+++ b/policycoreutils-gui.patch
@ -5910,7 +5910,7 @@ diff -up policycoreutils-2.0.86/gui/polgen.gladep.gui policycoreutils-2.0.86/gui
 +</glade-project>
 diff -up policycoreutils-2.0.86/gui/polgengui.py.gui policycoreutils-2.0.86/gui/polgengui.py
 --- policycoreutils-2.0.86/gui/polgengui.py.gui	2011-04-12 10:52:07.513644322 -0400
-+++ policycoreutils-2.0.86/gui/polgengui.py	2011-04-12 10:52:07.514644337 -0400
+++ policycoreutils-2.0.86/gui/polgengui.py	2011-05-23 17:04:16.377786536 -0400
@@ -0,0 +1,750 @@
 +#!/usr/bin/python -Es
 +#
@ -5918,7 +5918,7 @@ diff -up policycoreutils-2.0.86/gui/polgengui.py.gui policycoreutils-2.0.86/gui/
 +#
 +# Dan Walsh <dwalsh@redhat.com>
 +#
-+# Copyright 2007, 2008, 2009 Red Hat, Inc.
+# Copyright (C) 2007-2011 Red Hat 
 +#
 +# This program is free software; you can redistribute it and/or modify
 +# it under the terms of the GNU General Public License as published by
@ -6664,11 +6664,11 @@ diff -up policycoreutils-2.0.86/gui/polgengui.py.gui policycoreutils-2.0.86/gui/
 +    app.stand_alone()
 diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/polgen.py
 --- policycoreutils-2.0.86/gui/polgen.py.gui	2011-04-12 10:52:07.516644368 -0400
-+++ policycoreutils-2.0.86/gui/polgen.py	2011-04-12 10:52:07.517644384 -0400
+++ policycoreutils-2.0.86/gui/polgen.py	2011-05-23 17:04:04.539689964 -0400
@@ -0,0 +1,1346 @@
 +#!/usr/bin/python -Es
 +#
-+# Copyright (C) 2007-2010 Red Hat 
+# Copyright (C) 2007-2011 Red Hat 
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -12111,9 +12111,9 @@ diff -up policycoreutils-2.0.86/gui/system-config-selinux.py.gui policycoreutils
 +    app.stand_alone()
 diff -up policycoreutils-2.0.86/gui/templates/boolean.py.gui policycoreutils-2.0.86/gui/templates/boolean.py
 --- policycoreutils-2.0.86/gui/templates/boolean.py.gui	2011-04-12 10:52:07.543644784 -0400
-+++ policycoreutils-2.0.86/gui/templates/boolean.py	2011-04-29 11:47:41.684099468 -0400
+++ policycoreutils-2.0.86/gui/templates/boolean.py	2011-05-23 16:59:42.369598714 -0400
@@ -0,0 +1,40 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -12138,11 +12138,11 @@ diff -up policycoreutils-2.0.86/gui/templates/boolean.py.gui policycoreutils-2.0
 +
 +te_boolean="""
 +## <desc>
-+## <p>
+##	<p>
-+## DESCRIPTION
+##	DESCRIPTION
-+## </p>
+##	</p>
 +## </desc>
-+gen_tunable(BOOLEAN,false)
+gen_tunable(BOOLEAN, false)
 +"""
 +
 +te_rules="""
@ -12155,9 +12155,9 @@ diff -up policycoreutils-2.0.86/gui/templates/boolean.py.gui policycoreutils-2.0
 +
 diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0.86/gui/templates/etc_rw.py
 --- policycoreutils-2.0.86/gui/templates/etc_rw.py.gui	2011-04-12 10:52:07.546644829 -0400
-+++ policycoreutils-2.0.86/gui/templates/etc_rw.py	2011-04-29 11:47:41.684099468 -0400
+++ policycoreutils-2.0.86/gui/templates/etc_rw.py	2011-05-23 16:59:53.369684469 -0400
@@ -0,0 +1,112 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -12227,14 +12227,14 @@ diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0.
 +		type TEMPLATETYPE_etc_rw_t;
 +	')
 +
-+	allow $1 TEMPLATETYPE_etc_rw_t:file r_file_perms;
+	allow $1 TEMPLATETYPE_etc_rw_t:file read_file_perms;
 +	allow $1 TEMPLATETYPE_etc_rw_t:dir list_dir_perms;
 +	files_search_etc($1)
 +')
 +
 +########################################
 +## <summary>
-+##    Manage TEMPLATETYPE conf files.
+##	Manage TEMPLATETYPE conf files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -12247,14 +12247,14 @@ diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0.
 +		type TEMPLATETYPE_etc_rw_t;
 +	')
 +
-+        manage_files_pattern($1, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t)
+	manage_files_pattern($1, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t)
 +	files_search_etc($1)
 +')
 +
 +"""
 +
 +if_admin_types="""
-+                type TEMPLATETYPE_etc_rw_t;"""
+	type TEMPLATETYPE_etc_rw_t;"""
 +
 +if_admin_rules="""
 +	files_search_etc($1)
@ -12271,9 +12271,9 @@ diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0.
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-2.0.86/gui/templates/executable.py
 --- policycoreutils-2.0.86/gui/templates/executable.py.gui	2011-04-12 10:52:07.548644859 -0400
-+++ policycoreutils-2.0.86/gui/templates/executable.py	2011-04-29 11:53:01.953579440 -0400
+++ policycoreutils-2.0.86/gui/templates/executable.py	2011-05-23 17:03:10.575251921 -0400
-@@ -0,0 +1,448 @@
+@@ -0,0 +1,451 @@
-+# Copyright (C) 2007-2009 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -12296,7 +12296,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +#
 +########################### Type Enforcement File #############################
 +te_daemon_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -12316,7 +12316,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +"""
 +
 +te_dbusd_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -12331,7 +12331,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +"""
 +
 +te_inetd_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -12346,7 +12346,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +"""
 +
 +te_userapp_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -12362,7 +12362,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +"""
 +
 +te_sandbox_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -12377,7 +12377,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +"""
 +
 +te_cgi_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -12446,8 +12446,8 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +
 +te_manage_krb5_rcache_rules="""
 +optional_policy(`
-+        kerberos_keytab_template(TEMPLATETYPE, TEMPLATETYPE_t)
+	kerberos_keytab_template(TEMPLATETYPE, TEMPLATETYPE_t)
-+        kerberos_manage_host_rcache(TEMPLATETYPE_t)
+	kerberos_manage_host_rcache(TEMPLATETYPE_t)
 +')
 +"""
 +
@ -12492,7 +12492,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +## </summary>
 +## <param name=\"domain\">
 +## <summary>
-+##	Domain allowed access.
+##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
@ -12501,7 +12501,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
 +	')
 +
-+        corecmd_search_bin($1)
+	corecmd_search_bin($1)
 +	domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
 +')
 +
@ -12515,7 +12515,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access
+##	Domain allowed to transition
 +##	</summary>
 +## </param>
 +## <param name="role">
@ -12550,7 +12550,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +#
 +interface(`TEMPLATETYPE_role',`
 +	gen_require(`
-+              type TEMPLATETYPE_t;
+		type TEMPLATETYPE_t;
 +	')
 +
 +	role $1 types TEMPLATETYPE_t;
@ -12571,7 +12571,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access
+##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +## <param name="role">
@ -12639,6 +12639,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +
 +	init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t)
 +')
 +
 +"""
 +
 +if_dbus_rules="""
@ -12662,6 +12663,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +	allow $1 TEMPLATETYPE_t:dbus send_msg;
 +	allow TEMPLATETYPE_t $1:dbus send_msg;
 +')
 +
 +"""
 +
 +if_begin_admin="""
@ -12694,7 +12696,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +"""
 +
 +if_initscript_admin_types="""
-+		type TEMPLATETYPE_initrc_exec_t;"""
+	type TEMPLATETYPE_initrc_exec_t;"""
 +
 +if_initscript_admin="""
 +	TEMPLATETYPE_initrc_domtrans($1)
@ -12705,6 +12707,7 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +
 +if_end_admin="""
 +')
 +
 +"""
 +
 +########################### File Context ##################################
@ -12723,10 +12726,10 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/__init__.py.gui policycoreutils-2.0.86/gui/templates/__init__.py
 --- policycoreutils-2.0.86/gui/templates/__init__.py.gui	2011-04-12 10:52:07.549644874 -0400
-+++ policycoreutils-2.0.86/gui/templates/__init__.py	2011-04-29 11:47:41.685099475 -0400
+++ policycoreutils-2.0.86/gui/templates/__init__.py	2011-05-23 17:02:40.424008790 -0400
@@ -0,0 +1,18 @@
 +#
-+# Copyright (C) 2007 Red Hat, Inc.
+# Copyright (C) 2007-2011 Red Hat
 +#
 +# This program is free software; you can redistribute it and/or modify
 +# it under the terms of the GNU General Public License as published by
@ -12745,8 +12748,30 @@ diff -up policycoreutils-2.0.86/gui/templates/__init__.py.gui policycoreutils-2.
 +
 diff -up policycoreutils-2.0.86/gui/templates/network.py.gui policycoreutils-2.0.86/gui/templates/network.py
 --- policycoreutils-2.0.86/gui/templates/network.py.gui	2011-04-12 10:52:07.556644982 -0400
-+++ policycoreutils-2.0.86/gui/templates/network.py	2011-04-29 11:47:41.686099482 -0400
+++ policycoreutils-2.0.86/gui/templates/network.py	2011-05-23 17:03:09.237241107 -0400
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,102 @@
 +# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
 +#
 +#    This program is free software; you can redistribute it and/or
 +#    modify it under the terms of the GNU General Public License as
 +#    published by the Free Software Foundation; either version 2 of
 +#    the License, or (at your option) any later version.
 +#
 +#    This program is distributed in the hope that it will be useful,
 +#    but WITHOUT ANY WARRANTY; without even the implied warranty of
 +#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 +#    GNU General Public License for more details.
 +#
 +#    You should have received a copy of the GNU General Public License
 +#    along with this program; if not, write to the Free Software
 +#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
 +#                                        02111-1307  USA
 +#
 +#
 +########################### Type Enforcement File #############################
 +te_port_types="""
 +type TEMPLATETYPE_port_t;
 +corenet_port(TEMPLATETYPE_port_t)
@ -12829,9 +12854,9 @@ diff -up policycoreutils-2.0.86/gui/templates/network.py.gui policycoreutils-2.0
 +
 diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/gui/templates/rw.py
 --- policycoreutils-2.0.86/gui/templates/rw.py.gui	2011-04-12 10:52:07.557644997 -0400
-+++ policycoreutils-2.0.86/gui/templates/rw.py	2011-04-29 11:47:41.686099482 -0400
+++ policycoreutils-2.0.86/gui/templates/rw.py	2011-05-23 16:59:48.308644991 -0400
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,129 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -12900,7 +12925,7 @@ diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/g
 +		type TEMPLATETYPE_rw_t;
 +	')
 +
-+	allow $1 TEMPLATETYPE_rw_t:file r_file_perms;
+	allow $1 TEMPLATETYPE_rw_t:file read_file_perms;
 +	allow $1 TEMPLATETYPE_rw_t:dir list_dir_perms;
 +	files_search_rw($1)
 +')
@ -12920,7 +12945,7 @@ diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/g
 +		type TEMPLATETYPE_rw_t;
 +	')
 +
-+         manage_files_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
+	manage_files_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
 +')
 +
 +########################################
@ -12939,20 +12964,19 @@ diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/g
 +		type TEMPLATETYPE_rw_t;
 +	')
 +
-+         manage_dirs_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
+	manage_dirs_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
 +')
 +
 +"""
 +
 +if_admin_types="""
-+                type TEMPLATETYPE_rw_t;"""
+	type TEMPLATETYPE_rw_t;"""
 +
 +if_admin_rules="""
 +	files_search_etc($1)
 +	admin_pattern($1, TEMPLATETYPE_rw_t)
 +"""
 +
 +
 +########################### File Context ##################################
 +fc_file="""
 +FILENAME		--	gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
@ -12963,9 +12987,9 @@ diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/g
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/script.py.gui policycoreutils-2.0.86/gui/templates/script.py
 --- policycoreutils-2.0.86/gui/templates/script.py.gui	2011-04-12 10:52:07.558645012 -0400
-+++ policycoreutils-2.0.86/gui/templates/script.py	2011-04-29 11:47:41.686099482 -0400
+++ policycoreutils-2.0.86/gui/templates/script.py	2011-05-23 17:02:13.796795073 -0400
@@ -0,0 +1,126 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -13071,9 +13095,9 @@ diff -up policycoreutils-2.0.86/gui/templates/script.py.gui policycoreutils-2.0.
 +TEMPLATETYPE_r:TEMPLATETYPE_t:s0	TEMPLATETYPE_r:TEMPLATETYPE_t
 +system_r:crond_t		TEMPLATETYPE_r:TEMPLATETYPE_t
 +system_r:initrc_su_t		TEMPLATETYPE_r:TEMPLATETYPE_t
-+system_r:local_login_t	        TEMPLATETYPE_r:TEMPLATETYPE_t
+system_r:local_login_t		TEMPLATETYPE_r:TEMPLATETYPE_t
-+system_r:remote_login_t  	TEMPLATETYPE_r:TEMPLATETYPE_t
+system_r:remote_login_t		TEMPLATETYPE_r:TEMPLATETYPE_t
-+system_r:sshd_t 		TEMPLATETYPE_r:TEMPLATETYPE_t
+system_r:sshd_t			TEMPLATETYPE_r:TEMPLATETYPE_t
 +_EOF
 +fi
 +"""
@ -13084,18 +13108,18 @@ diff -up policycoreutils-2.0.86/gui/templates/script.py.gui policycoreutils-2.0.
 +TEMPLATETYPE_r:TEMPLATETYPE_t	TEMPLATETYPE_r:TEMPLATETYPE_t
 +system_r:crond_t		TEMPLATETYPE_r:TEMPLATETYPE_t
 +system_r:initrc_su_t		TEMPLATETYPE_r:TEMPLATETYPE_t
-+system_r:local_login_t	        TEMPLATETYPE_r:TEMPLATETYPE_t
+system_r:local_login_t		TEMPLATETYPE_r:TEMPLATETYPE_t
-+system_r:remote_login_t	        TEMPLATETYPE_r:TEMPLATETYPE_t
+system_r:remote_login_t		TEMPLATETYPE_r:TEMPLATETYPE_t
-+system_r:sshd_t		        TEMPLATETYPE_r:TEMPLATETYPE_t
+system_r:sshd_t				TEMPLATETYPE_r:TEMPLATETYPE_t
-+system_r:xdm_t	 	        TEMPLATETYPE_r:TEMPLATETYPE_t
+system_r:xdm_t				TEMPLATETYPE_r:TEMPLATETYPE_t
 +_EOF
 +fi
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/semodule.py.gui policycoreutils-2.0.86/gui/templates/semodule.py
 --- policycoreutils-2.0.86/gui/templates/semodule.py.gui	2011-04-12 10:52:07.560645042 -0400
-+++ policycoreutils-2.0.86/gui/templates/semodule.py	2011-04-29 11:47:41.687099489 -0400
+++ policycoreutils-2.0.86/gui/templates/semodule.py	2011-05-23 17:02:07.466744404 -0400
@@ -0,0 +1,41 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -13138,9 +13162,9 @@ diff -up policycoreutils-2.0.86/gui/templates/semodule.py.gui policycoreutils-2.
 +
 diff -up policycoreutils-2.0.86/gui/templates/tmp.py.gui policycoreutils-2.0.86/gui/templates/tmp.py
 --- policycoreutils-2.0.86/gui/templates/tmp.py.gui	2011-04-12 10:52:07.561645058 -0400
-+++ policycoreutils-2.0.86/gui/templates/tmp.py	2011-04-29 11:47:41.687099489 -0400
+++ policycoreutils-2.0.86/gui/templates/tmp.py	2011-05-23 17:01:55.736650663 -0400
@@ -0,0 +1,102 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -13228,25 +13252,25 @@ diff -up policycoreutils-2.0.86/gui/templates/tmp.py.gui policycoreutils-2.0.86/
 +		type TEMPLATETYPE_tmp_t;
 +	')
 +
-+  	files_search_tmp($1)
+	files_search_tmp($1)
-+        manage_dirs_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
+	manage_dirs_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
-+        manage_files_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
+	manage_files_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
-+        manage_lnk_files_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
+	manage_lnk_files_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
 +')
 +"""
 +
 +if_admin_types="""
-+                type TEMPLATETYPE_tmp_t;"""
+	type TEMPLATETYPE_tmp_t;"""
 +
 +if_admin_rules="""
-+  	files_search_tmp($1)
+	files_search_tmp($1)
 +	admin_pattern($1, TEMPLATETYPE_tmp_t)
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86/gui/templates/user.py
 --- policycoreutils-2.0.86/gui/templates/user.py.gui	2011-04-12 10:52:07.562645074 -0400
-+++ policycoreutils-2.0.86/gui/templates/user.py	2011-04-29 11:47:41.687099489 -0400
+++ policycoreutils-2.0.86/gui/templates/user.py	2011-05-23 17:01:46.816579501 -0400
-@@ -0,0 +1,205 @@
+@@ -0,0 +1,204 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -13270,7 +13294,7 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86
 +########################### Type Enforcement File #############################
 +
 +te_login_user_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -13281,7 +13305,7 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86
 +"""
 +
 +te_admin_user_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -13292,7 +13316,7 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86
 +"""
 +
 +te_min_login_user_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -13303,7 +13327,7 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86
 +"""
 +
 +te_x_login_user_types="""\
-+policy_module(TEMPLATETYPE,1.0.0)
+policy_module(TEMPLATETYPE, 1.0.0)
 +
 +########################################
 +#
@ -13314,18 +13338,17 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86
 +"""
 +
 +te_existing_user_types="""\
-+policy_module(myTEMPLATETYPE,1.0.0)
+policy_module(myTEMPLATETYPE, 1.0.0)
 +
 +gen_require(`
-+      type TEMPLATETYPE_t, TEMPLATETYPE_devpts_t;
+	type TEMPLATETYPE_t, TEMPLATETYPE_devpts_t;
-+      role TEMPLATETYPE_r;
+	role TEMPLATETYPE_r;
 +')
 +
 +"""
 +
 +te_root_user_types="""\
-+
+policy_module(TEMPLATETYPE, 1.0.0)
 +policy_module(TEMPLATETYPE,1.0.0)
 +
 +########################################
 +#
@ -13407,20 +13430,20 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86
 +bool TEMPLATETYPE_manage_user_files false;
 +
 +if (TEMPLATETYPE_read_user_files) {
-+   userdom_read_user_home_content_files(TEMPLATETYPE_t)
+	userdom_read_user_home_content_files(TEMPLATETYPE_t)
-+   userdom_read_user_tmp_files(TEMPLATETYPE_t)
+	userdom_read_user_tmp_files(TEMPLATETYPE_t)
 +}
 +
 +if (TEMPLATETYPE_manage_user_files) {
-+   userdom_manage_user_home_content(TEMPLATETYPE_t)
+	userdom_manage_user_home_content(TEMPLATETYPE_t)
-+   userdom_manage_user_tmp_files(TEMPLATETYPE_t)
+	userdom_manage_user_tmp_files(TEMPLATETYPE_t)
 +}
 +
 +"""
 +
 +te_admin_trans_rules="""
 +gen_require(`
-+     role USER_r;
+	role USER_r;
 +')
 +
 +allow USER_r TEMPLATETYPE_r;
@ -13453,9 +13476,9 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2.0.86/gui/templates/var_cache.py
 --- policycoreutils-2.0.86/gui/templates/var_cache.py.gui	2011-04-12 10:52:07.566645136 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_cache.py	2011-04-29 11:47:41.688099497 -0400
+++ policycoreutils-2.0.86/gui/templates/var_cache.py	2011-05-23 17:01:38.793515591 -0400
@@ -0,0 +1,132 @@
-+# Copyright (C) 2010 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -13527,7 +13550,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2
 +	')
 +
 +	files_search_var($1)
-+        read_files_pattern($1, TEMPLATETYPE_cache_t TEMPLATETYPE_cache_t)
+	read_files_pattern($1, TEMPLATETYPE_cache_t TEMPLATETYPE_cache_t)
 +')
 +
 +########################################
@ -13547,7 +13570,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2
 +	')
 +
 +	files_search_var($1)
-+        manage_files_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
+	manage_files_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
 +')
 +
 +########################################
@ -13566,13 +13589,13 @@ diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2
 +	')
 +
 +	files_search_var($1)
-+        manage_dirs_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
+	manage_dirs_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
 +')
 +
 +"""
 +
 +if_admin_types="""
-+                type TEMPLATETYPE_cache_t;"""
+	type TEMPLATETYPE_cache_t;"""
 +
 +if_admin_rules="""
 +	files_search_var($1)
@ -13589,9 +13612,9 @@ diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0.86/gui/templates/var_lib.py
 --- policycoreutils-2.0.86/gui/templates/var_lib.py.gui	2011-04-12 10:52:07.567645151 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_lib.py	2011-04-29 11:47:41.688099497 -0400
+++ policycoreutils-2.0.86/gui/templates/var_lib.py	2011-05-23 17:01:31.516457701 -0400
@@ -0,0 +1,160 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -13622,7 +13645,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0
 +te_rules="""
 +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
 +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
-+files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, { dir file } )
+files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, { dir file })
 +"""
 +
 +te_stream_rules="""\
@ -13668,7 +13691,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0
 +	')
 +
 +	files_search_var_lib($1)
-+        read_files_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
+	read_files_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
 +')
 +
 +########################################
@ -13687,7 +13710,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0
 +	')
 +
 +	files_search_var_lib($1)
-+        manage_files_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
+	manage_files_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
 +')
 +
 +########################################
@ -13706,7 +13729,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0
 +	')
 +
 +	files_search_var_lib($1)
-+        manage_dirs_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
+	manage_dirs_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
 +')
 +
 +"""
@ -13727,12 +13750,12 @@ diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0
 +		type TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t;
 +	')
 +
-+        stream_connect_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
+	stream_connect_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
 +')
 +"""
 +
 +if_admin_types="""
-+                type TEMPLATETYPE_var_lib_t;"""
+	type TEMPLATETYPE_var_lib_t;"""
 +
 +if_admin_rules="""
 +	files_search_var_lib($1)
@ -13753,9 +13776,9 @@ diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0.86/gui/templates/var_log.py
 --- policycoreutils-2.0.86/gui/templates/var_log.py.gui	2011-04-12 10:52:07.568645166 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_log.py	2011-04-29 11:47:41.688099497 -0400
+++ policycoreutils-2.0.86/gui/templates/var_log.py	2011-05-23 17:01:22.948389639 -0400
@@ -0,0 +1,114 @@
-+# Copyright (C) 2007,2010 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -13787,7 +13810,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0
 +te_rules="""
 +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
 +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
-+logging_log_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_log_t, { dir file } )
+logging_log_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_log_t, { dir file })
 +"""
 +
 +########################### Interface File #############################
@ -13809,7 +13832,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0
 +	')
 +
 +	logging_search_logs($1)
-+        read_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
+	read_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
 +')
 +
 +########################################
@ -13817,9 +13840,9 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0
 +##	Append to TEMPLATETYPE log files.
 +## </summary>
 +## <param name="domain">
-+## 	<summary>
+##	<summary>
-+##	Domain allowed to transition.
+##	Domain allowed access.
-+## 	</summary>
+##	</summary>
 +## </param>
 +#
 +interface(`TEMPLATETYPE_append_log',`
@ -13828,7 +13851,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0
 +	')
 +
 +	logging_search_logs($1)
-+        append_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
+	append_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
 +')
 +
 +########################################
@ -13837,7 +13860,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
+##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@ -13847,14 +13870,14 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0
 +	')
 +
 +	logging_search_logs($1)
-+        manage_dirs_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
+	manage_dirs_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
-+        manage_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
+	manage_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
-+        manage_lnk_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
+	manage_lnk_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
 +')
 +"""
 +
 +if_admin_types="""
-+                type TEMPLATETYPE_log_t;"""
+	type TEMPLATETYPE_log_t;"""
 +
 +if_admin_rules="""
 +	logging_search_logs($1)
@ -13871,9 +13894,9 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0.86/gui/templates/var_run.py
 --- policycoreutils-2.0.86/gui/templates/var_run.py.gui	2011-04-12 10:52:07.569645181 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_run.py	2011-04-29 11:47:41.689099505 -0400
+++ policycoreutils-2.0.86/gui/templates/var_run.py	2011-05-23 17:01:11.639299961 -0400
@@ -0,0 +1,101 @@
-+# Copyright (C) 2007,2010 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -13951,12 +13974,12 @@ diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0
 +	')
 +
 +	files_search_pids($1)
-+        stream_connect_pattern($1, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)
+	stream_connect_pattern($1, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_t)
 +')
 +"""
 +
 +if_admin_types="""
-+                type TEMPLATETYPE_var_run_t;"""
+	type TEMPLATETYPE_var_run_t;"""
 +
 +if_admin_rules="""
 +	files_search_pids($1)
@ -13976,9 +13999,9 @@ diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0
 +"""
 diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2.0.86/gui/templates/var_spool.py
 --- policycoreutils-2.0.86/gui/templates/var_spool.py.gui	2011-04-12 10:52:07.573645242 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_spool.py	2011-04-29 11:47:41.689099505 -0400
+++ policycoreutils-2.0.86/gui/templates/var_spool.py	2011-05-25 16:09:23.350352658 -0400
@@ -0,0 +1,131 @@
-+# Copyright (C) 2007 Red Hat 
+# Copyright (C) 2007-2011 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
 +# policygentool is a tool for the initial generation of SELinux policy
@ -14050,7 +14073,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2
 +	')
 +
 +	files_search_spool($1)
-+	read_files_pattern($1, TEMPLATETYPE_spool_t TEMPLATETYPE_spool_t)
+	read_files_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
 +')
 +
 +########################################
@ -14094,7 +14117,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2
 +"""
 +
 +if_admin_types="""
-+                type TEMPLATETYPE_spool_t;"""
+	type TEMPLATETYPE_spool_t;"""
 +
 +if_admin_rules="""
 +	files_search_spool($1)
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.86
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@ -25,6 +25,7 @@ Patch:	 policycoreutils-rhat.patch
 Patch1:	 policycoreutils-po.patch
 Patch3:	 policycoreutils-gui.patch
 Patch4:	 policycoreutils-sepolgen.patch
 Patch5:	 policycoreutils-sandbox.patch
 Obsoletes: policycoreutils < 2.0.61-2
 %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")
@ -63,6 +64,7 @@ context.
 %patch1 -p1 -b .rhatpo
 %patch3 -p1 -b .gui
 %patch4 -p1 -b .sepolgen
 %patch5 -p1 -b .sandbox
 %build
 make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all 
@ -331,6 +333,12 @@ fi
 exit 0
 %changelog
 * Mon Jun 13 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-8
 - Do not drop capability bounding set in seunshare, this allows sandbox to 
 - run setuid apps.
 - Cleanup policy generation template
 - Pass dpi settings to sandbox
 * Fri Apr 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7
 - Clean up some of the templates for sepolgen