Index: /selinux/Makefile
===================================================================
--- /selinux/Makefile	(revision 116)
+++ /selinux/Makefile	(revision 117)
@@ -9,9 +9,10 @@
 
 install:
-	/usr/sbin/semodule -i admof.pp;
-	/usr/sbin/semodule -i nagios-nrpe.pp;
-	/usr/sbin/semodule -i openafs.pp;
-	/usr/sbin/semodule -i scripts.pp;
-	/usr/sbin/semodule -i signup.pp;
-	/usr/sbin/semodule -i zephyr.pp;
+	/usr/sbin/semodule -n -i openafs.pp;
+	/usr/sbin/semodule -n -i scripts.pp;
+	/usr/sbin/semodule -n -i signup.pp;
+	/usr/sbin/semodule -n -i admof.pp;
+	/usr/sbin/semodule -n -i nagios-nrpe.pp;
+	/usr/sbin/semodule -n -i zephyr.pp;
+	/usr/sbin/semodule -R
 	/usr/sbin/getenforce
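Review bot: The six separate `semodule -n -i` lines each commit the module store on their own, so if one fails partway through, make stops before the final `semodule -R` and the store is left half-updated while the running policy is untouched; the next reload from any source then picks up the partial set silently. As far as I recall semodule accepts several operations in one invocation and applies them in one transaction, so the whole install can be a single line, `/usr/sbin/semodule -i openafs.pp -i scripts.pp -i signup.pp -i admof.pp -i nagios-nrpe.pp -i zephyr.pp`, which makes the install all-or-nothing, drops the need for `-n` and the separate `-R`, and removes the ordering concern (scripts.pp and signup.pp call interfaces from openafs.if) because all modules are linked together. If the separate invocations are kept on purpose, the trailing `;` on each line is a no-op under make's one-shell-per-line execution and the new `-R` line lacks it; make them consistent. The rest of the install target is unchanged.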
Index: linux/build/afsagent.fc
===================================================================
--- /selinux/build/afsagent.fc	(revision 116)
+++ 	(revision )
@@ -1,4 +1,0 @@
-# Joe Presbrey
-# presbrey@mit.edu
-# 2006/1/15
-
Index: linux/build/afsagent.if
===================================================================
--- /selinux/build/afsagent.if	(revision 116)
+++ 	(revision )
@@ -1,4 +1,0 @@
-# Joe Presbrey
-# presbrey@mit.edu
-# 2006/1/15
-
Index: linux/build/afsagent.te
===================================================================
--- /selinux/build/afsagent.te	(revision 116)
+++ 	(revision )
@@ -1,60 +1,0 @@
-# Joe Presbrey
-# presbrey@mit.edu
-# 2006/1/15
-
-policy_module(signup,1.0.0)
-
-require {
-	attribute domain, userdomain, unpriv_userdomain;
-};
-
-require { type sudo_exec_t; };
-type signup_t, domain, userdomain, unpriv_userdomain;
-type signup_su_t, domain, userdomain;
-role system_r types { signup_t signup_su_t };
-role user_r types { signup_t signup_su_t };
-afs_access(signup_t)
-afs_access(signup_su_t)
-afs_access(useradd_t)
-files_read_etc_files(signup_t)
-libs_use_ld_so(signup_t)
-libs_use_shared_libs(signup_t)
-miscfiles_read_localization(signup_t)
-files_read_etc_files(signup_su_t)
-libs_use_ld_so(signup_su_t)
-libs_use_shared_libs(signup_su_t)
-miscfiles_read_localization(signup_su_t)
-domain_auto_trans(signup_t, sudo_exec_t, signup_su_t)
-auth_rw_shadow(signup_su_t)
-sysnet_dns_name_resolve(signup_t)
-sysnet_dns_name_resolve(signup_su_t)
-usermanage_run_useradd(signup_su_t,system_r,signup_t)
-usermanage_run_groupadd(signup_su_t,system_r,signup_t)
-allow groupadd_t signup_t:fifo_file { getattr ioctl read write };
-allow groupadd_t signup_t:process sigchld;
-
-allow useradd_t { httpd_t signup_t }:fd use;
-allow useradd_t { httpd_t signup_t }:fifo_file { getattr ioctl read write};
-allow useradd_t signup_t:process sigchld;
-allow signup_su_t signup_t:fd use;
-allow signup_su_t signup_t:fifo_file { ioctl write };
-allow signup_su_t signup_t:process sigchld;
-allow signup_su_t sudo_exec_t:file entrypoint;
-allow signup_su_t self:capability { audit_write setgid setuid };
-dev_read_urand(signup_t)
-kernel_read_system_state(signup_t)
-logging_send_syslog_msg(signup_su_t)
-
-corecmd_exec_all_executables(signup_t)
-allow signup_t sbin_t:dir search;
-allow signup_t sbin_t:file { execute execute_no_trans read };
-allow signup_t shell_exec_t:file { execute execute_no_trans getattr read };
-allow signup_t self:fifo_file { getattr ioctl read write };
-
-# SUEXEC #
-require { type httpd_suexec_t, httpd_t; };
-allow httpd_suexec_t { signup_t }:process { transition siginh rlimitinh noatsecure };
-allow { signup_t } httpd_t:fd { use };
-allow { signup_t } httpd_t:fifo_file { getattr ioctl read write };
-allow { signup_t } httpd_t:process { sigchld };
-allow { signup_t } httpd_suexec_t:fd { use };
Index: /selinux/build/openafs.if
===================================================================
--- /selinux/build/openafs.if	(revision 116)
+++ /selinux/build/openafs.if	(revision 117)
@@ -38,3 +38,4 @@
 	fs_manage_nfs_named_sockets($1)
 	allow $1 nfs_t:file entrypoint;
+	allow $1 nfs_t:{file dir} rx_file_perms;
 ')
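Review bot: The added `allow $1 nfs_t:{file dir} rx_file_perms;` applies a file permission set to the `dir` class, so the directory half grants `execute`/`lock` on directories instead of the `search` a caller actually needs; split it into `allow $1 nfs_t:file rx_file_perms;` and `allow $1 nfs_t:dir r_dir_perms;` (or `search_dir_perms` if listing is not required). The file half makes every nfs_t file executable in whatever domain this interface is called with, and elsewhere in this diff it is called for `user_setuid_t` and the suexec-reachable `signup_t`/`signup_su_t`, so that breadth should be stated in the interface's summary comment. The interface's opening lines are outside the hunk, so I cannot tell whether its description already says so.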
Index: /selinux/build/scripts.te
===================================================================
--- /selinux/build/scripts.te	(revision 116)
+++ /selinux/build/scripts.te	(revision 117)
@@ -8,8 +8,32 @@
 
 require {
+	attribute domain, userdomain, unpriv_userdomain;
 	type user_t;
 };
 
+type user_setuid_t, domain, userdomain, unpriv_userdomain;
+role user_r types user_setuid_t;
+domain_interactive_fd(user_setuid_t)
+files_read_etc_files(user_setuid_t)
+libs_use_ld_so(user_setuid_t)
+libs_use_shared_libs(user_setuid_t)
+miscfiles_read_localization(user_setuid_t)
+corecmd_exec_all_executables(user_setuid_t)
+term_use_all_user_ptys(user_setuid_t)
+
+allow user_setuid_t bin_t:file entrypoint;
+allow user_setuid_t sbin_t:file entrypoint;
+
+# allow user_setuid_t domain to call setuid and setgid
+allow user_setuid_t self:capability { setuid setgid };
+
+# transition back to the user domain when executing "user" binaries
+domain_auto_trans(user_setuid_t, nfs_t, user_t)
+
+# allow user_setuid_t domain to signal its caller
+allow user_setuid_t user_t:process sigchld;
+
 afs_access(user_t);
+afs_access(user_setuid_t);
 zephyr_access(user_t);
 
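Review bot: `user_setuid_t` keeps `allow user_setuid_t self:capability { setuid setgid };` across everything it executes, because `corecmd_exec_all_executables(user_setuid_t)` lets it run any bin_t/sbin_t/shell binary without leaving the domain and the only transition out is `domain_auto_trans(user_setuid_t, nfs_t, user_t)` for nfs_t files; if the domain is meant to be a thin setuid wrapper that drops privilege and execs the user's program, consider transitioning back to user_t on bin_t/sbin_t executables as well, or limiting the exec rules to the binaries the wrapper actually runs. Every bin_t and sbin_t file is declared an entrypoint, yet no rule entering user_setuid_t from user_t appears in this hunk — presumably it lives in scripts.if or a type_transition elsewhere, which is worth confirming and naming in a comment. A header comment above the `type user_setuid_t` line would help, e.g. `# user_setuid_t: domain for setuid helper programs run from user_t; holds CAP_SETUID/CAP_SETGID until it execs an nfs_t (OpenAFS, per openafs.if) binary, which returns to user_t`. Minor style: `afs_access(user_setuid_t);` copies the trailing `;` from the existing `afs_access(user_t);` while the other interface calls added in the hunk carry none; pick one form.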
Index: /selinux/build/signup.fc
===================================================================
--- /selinux/build/signup.fc	(revision 117)
+++ /selinux/build/signup.fc	(revision 117)
@@ -0,0 +1,4 @@
+# Joe Presbrey
+# presbrey@mit.edu
+# 2006/1/15
+
Index: /selinux/build/signup.if
===================================================================
--- /selinux/build/signup.if	(revision 117)
+++ /selinux/build/signup.if	(revision 117)
@@ -0,0 +1,4 @@
+# Joe Presbrey
+# presbrey@mit.edu
+# 2006/1/15
+
Index: /selinux/build/signup.te
===================================================================
--- /selinux/build/signup.te	(revision 117)
+++ /selinux/build/signup.te	(revision 117)
@@ -0,0 +1,60 @@
+# Joe Presbrey
+# presbrey@mit.edu
+# 2006/1/15
+
+policy_module(signup,1.0.0)
+
+require {
+	attribute domain, userdomain, unpriv_userdomain;
+};
+
+require { type sudo_exec_t; };
+type signup_t, domain, userdomain, unpriv_userdomain;
+type signup_su_t, domain, userdomain;
+role system_r types { signup_t signup_su_t };
+role user_r types { signup_t signup_su_t };
+afs_access(signup_t)
+afs_access(signup_su_t)
+afs_access(useradd_t)
+files_read_etc_files(signup_t)
+libs_use_ld_so(signup_t)
+libs_use_shared_libs(signup_t)
+miscfiles_read_localization(signup_t)
+files_read_etc_files(signup_su_t)
+libs_use_ld_so(signup_su_t)
+libs_use_shared_libs(signup_su_t)
+miscfiles_read_localization(signup_su_t)
+domain_auto_trans(signup_t, sudo_exec_t, signup_su_t)
+auth_rw_shadow(signup_su_t)
+sysnet_dns_name_resolve(signup_t)
+sysnet_dns_name_resolve(signup_su_t)
+usermanage_run_useradd(signup_su_t,system_r,signup_t)
+usermanage_run_groupadd(signup_su_t,system_r,signup_t)
+allow groupadd_t signup_t:fifo_file { getattr ioctl read write };
+allow groupadd_t signup_t:process sigchld;
+
+allow useradd_t { httpd_t signup_t }:fd use;
+allow useradd_t { httpd_t signup_t }:fifo_file { getattr ioctl read write};
+allow useradd_t signup_t:process sigchld;
+allow signup_su_t signup_t:fd use;
+allow signup_su_t signup_t:fifo_file { ioctl write };
+allow signup_su_t signup_t:process sigchld;
+allow signup_su_t sudo_exec_t:file entrypoint;
+allow signup_su_t self:capability { audit_write setgid setuid };
+dev_read_urand(signup_t)
+kernel_read_system_state(signup_t)
+logging_send_syslog_msg(signup_su_t)
+
+corecmd_exec_all_executables(signup_t)
+allow signup_t sbin_t:dir search;
+allow signup_t sbin_t:file { execute execute_no_trans read };
+allow signup_t shell_exec_t:file { execute execute_no_trans getattr read };
+allow signup_t self:fifo_file { getattr ioctl read write };
+
+# SUEXEC #
+require { type httpd_suexec_t, httpd_t; };
+allow httpd_suexec_t { signup_t }:process { transition siginh rlimitinh noatsecure };
+allow { signup_t } httpd_t:fd { use };
+allow { signup_t } httpd_t:fifo_file { getattr ioctl read write };
+allow { signup_t } httpd_t:process { sigchld };
+allow { signup_t } httpd_suexec_t:fd { use };
