--- nsaserefpolicy/policy/modules/admin/su.if 2008-08-07 11:15:13.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/admin/su.if 2008-08-14 13:53:54.000000000 -0400
@@ -41,15 +41,13 @@
 allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 dontaudit $1_su_t self:capability sys_tty_config;
- allow $1_su_t self:key { search write };
+ allow $1_su_t self:key manage_key_perms;
 allow $1_su_t self:process { setexec setsched setrlimit };
 allow $1_su_t self:fifo_file rw_fifo_file_perms;
- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
-
 # Transition from the user domain to this domain.
 domtrans_pattern($2, su_exec_t, $1_su_t)
 # By default, revert to the calling domain when a shell is executed.
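Review bot: `allow $1_su_t self:key manage_key_perms;` widens the restricted su domain's access to its own keys from `{ search write }` to the whole manage set, and nothing in the hunk says which operation needed the extra permissions. The per-role template in the `@@ -172,14` hunk still carries `allow $1_su_t self:key { search write };`, so the restricted variant would end up with more key access than the unrestricted one. If a single permission was missing, list it explicitly next to `search write`; if the full set really is needed, add a comment above the rule naming the component that requires it (for example the PAM module that manages the session keyring, if that is the cause) and make the two templates agree. The enclosing template starts and ends outside this hunk.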
@@ -89,28 +87,24 @@
 libs_use_ld_so($1_su_t)
 libs_use_shared_libs($1_su_t)
+ logging_send_audit_msgs($1_su_t)
 logging_send_syslog_msg($1_su_t)
 miscfiles_read_localization($1_su_t)
- ifdef(`distro_rhel4',`
- domain_role_change_exemption($1_su_t)
- domain_subj_id_change_exemption($1_su_t)
- domain_obj_id_change_exemption($1_su_t)
-
- selinux_get_fs_mount($1_su_t)
- selinux_validate_context($1_su_t)
- selinux_compute_access_vector($1_su_t)
- selinux_compute_create_context($1_su_t)
- selinux_compute_relabel_context($1_su_t)
- selinux_compute_user_contexts($1_su_t)
+ auth_login_pgm_domain($1_su_t)
 seutil_read_config($1_su_t)
 seutil_read_default_contexts($1_su_t)
 # Only allow transitions to unprivileged user domains.
 userdom_spec_domtrans_unpriv_users($1_su_t)
- ')
+
+ # Deal with unconfined_terminals.
+ term_use_all_user_ttys($1_su_t)
+ term_use_all_user_ptys($1_su_t)
+ term_relabel_all_user_ttys($1_su_t)
+ term_relabel_all_user_ptys($1_su_t)
 optional_policy(`
 cron_read_pipes($1_su_t)
@@ -120,10 +114,17 @@
 kerberos_use($1_su_t)
 ')
- ifdef(`TODO',`
- # Caused by su - init scripts
- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
- ') dnl end TODO
+ optional_policy(`
+ xserver_domtrans_user_xauth($1, $1_su_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs($1_su_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs($1_su_t)
+ ')
 ')
 #######################################
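Review bot: In the `@@ -89,28` hunk, `term_relabel_all_user_ttys($1_su_t)` and `term_relabel_all_user_ptys($1_su_t)` let the restricted su domain relabel every user's terminal, and the only explanation is `# Deal with unconfined_terminals.`. Relabeling changes who may read and write a terminal, so the comment should say why the two `term_use_all_user_*` calls are not enough, and which component performs the relabel. The same hunk removes the distro_rhel4 `ifdef` wrapper, which makes `userdom_spec_domtrans_unpriv_users($1_su_t)` and the two `seutil_read_*` calls unconditional, and it replaces nine narrow `domain_*`/`selinux_*` calls with `auth_login_pgm_domain($1_su_t)`. A one-line comment above that call stating that the wider login-program set is intended for a restricted su domain would let a later audit confirm it. The template body continues outside the hunk.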
@@ -172,14 +173,14 @@
 domain_interactive_fd($1_su_t)
 role $3 types $1_su_t;
- allow $2 $1_su_t:process signal;
+ allow $2 $1_su_t:process { getsched signal };
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 dontaudit $1_su_t self:capability sys_tty_config;
- allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:process { getsched setexec setsched setrlimit };
 allow $1_su_t self:fifo_file rw_fifo_file_perms;
- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 allow $1_su_t self:key { search write };
+ allow $1_su_t $1_t:key search;
 # Transition from the user domain to this domain.
 domtrans_pattern($2, su_exec_t, $1_su_t)
@@ -188,7 +189,7 @@
 corecmd_shell_domtrans($1_su_t, $2)
 allow $2 $1_su_t:fd use;
 allow $2 $1_su_t:fifo_file rw_file_perms;
- allow $2 $1_su_t:process sigchld;
+ allow $2 $1_su_t:process { getsched signal sigchld };
 kernel_read_system_state($1_su_t)
 kernel_read_kernel_sysctls($1_su_t)
@@ -203,15 +204,15 @@
 # needed for pam_rootok
 selinux_compute_access_vector($1_su_t)
- auth_domtrans_user_chk_passwd($1, $1_su_t)
+ auth_run_chk_passwd($1_su_t, $3, { $1_tty_device_t $1_devpts_t })
 auth_dontaudit_read_shadow($1_su_t)
 auth_use_nsswitch($1_su_t)
- auth_rw_faillog($1_su_t)
- corecmd_search_bin($1_su_t)
+ corecmd_exec_bin($1_su_t)
 domain_use_interactive_fds($1_su_t)
+ files_read_usr_symlinks($1_su_t)
 files_read_etc_files($1_su_t)
 files_read_etc_runtime_files($1_su_t)
 files_search_var_lib($1_su_t)
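Review bot: In the `@@ -172,14` hunk, `allow $1_su_t $1_t:key search;` names the user domain as `$1_t`, while the other rules here refer to the calling domain as `$2` (`allow $2 $1_su_t:process { getsched signal };`, `domtrans_pattern($2, su_exec_t, $1_su_t)`). If a caller ever passes a `$2` other than `$1_t`, the key search would be granted on a domain that is not the one transitioning in. `allow $1_su_t $2:key search;` keeps the grant tied to the actual caller. A short comment saying why su must search the caller's keyring would help later audits. The template starts and ends outside this hunk.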
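Review bot: In the `@@ -188,7` hunk, `allow $2 $1_su_t:process { getsched signal sigchld };` repeats `getsched` and `signal`, which the `@@ -172,14` hunk already grants with `allow $2 $1_su_t:process { getsched signal };`. The duplicate changes nothing at load time, but it makes it harder to see which rule is responsible for a permission when the policy is audited or trimmed. Keeping `allow $2 $1_su_t:process sigchld;` here leaves each permission granted in one place.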
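Review bot: In the `@@ -203,15` hunk, `corecmd_exec_bin($1_su_t)` replaces `corecmd_search_bin($1_su_t)`, so generic binaries can now be executed inside the su domain. Per the `@@ -172,14` hunk, that domain holds `setuid`, `setgid` and `dac_override`. Nothing in the hunk says which program su needs to run; add a comment above the call naming it, or give that helper its own domain transition so it does not inherit su's capabilities. The hunk also drops `auth_rw_faillog($1_su_t)`. If the PAM stack for su records failed attempts there, confirm that the new `auth_run_chk_passwd(...)` call or another interface still covers it, which cannot be told from the visible lines.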
@@ -226,12 +227,14 @@
 libs_use_ld_so($1_su_t)
 libs_use_shared_libs($1_su_t)
+ logging_send_audit_msgs($1_su_t)
 logging_send_syslog_msg($1_su_t)
 miscfiles_read_localization($1_su_t)
- userdom_use_user_terminals($1, $1_su_t)
+ sysadm_search_home_dirs($1_su_t)
 userdom_search_user_home_dirs($1, $1_su_t)
+ userdom_use_user_terminals($1, $1_su_t)
 ifdef(`distro_rhel4',`
 domain_role_change_exemption($1_su_t)
@@ -295,13 +298,7 @@
 xserver_domtrans_user_xauth($1, $1_su_t)
 ')
- ifdef(`TODO',`
- allow $1_su_t $1_home_t:file manage_file_perms;
-
- # Access sshd cookie files.
- allow $1_su_t sshd_tmp_t:file rw_file_perms;
- file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
- ') dnl end TODO
+ userdom_search_all_users_home_dirs($1_su_t)
 ')
 #######################################
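Review bot: `sysadm_search_home_dirs($1_su_t)` in the `@@ -226,12` hunk and `userdom_search_all_users_home_dirs($1_su_t)` in the `@@ -295,13` hunk are added beside the existing `userdom_search_user_home_dirs($1, $1_su_t)`. That leaves three overlapping home-directory grants with no comment on why each is needed. The all-users call lets every role's su domain traverse every user's home directory, and judging by its name it likely makes the other two redundant. Keep the narrowest set that works and place it with the other `userdom_` calls under a comment such as `# su - USER must reach the target user's home directory`. The template body continues outside both hunks.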