From a374ff91a8a70e5868216fca8c159e16aef8a056 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 29 2010 17:45:49 +0000 Subject: - Fix ~/.fontconfig label - Add /root/.cert label - Allow reading of the fixed_file_disk_t:lnk_file if you can read file - Allow qemu_exec_t as an entrypoint to svirt_t --- diff --git a/policy-F13.patch b/policy-F13.patch index 1118bed..84f5c30 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -59,14 +59,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.1 ( t1 == mlsnetwrite )); # these access vectors have no MLS restrictions -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accounts_daemon.fc serefpolicy-3.7.16/policy/modules/admin/accounts_daemon.fc ---- nsaserefpolicy/policy/modules/admin/accounts_daemon.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/admin/accounts_daemon.fc 2010-03-23 11:38:44.000000000 -0400 -@@ -0,0 +1,4 @@ -+ -+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accounts_daemon_exec_t,s0) -+ -+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accounts_daemon_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.7.16/policy/modules/admin/accountsd.fc --- nsaserefpolicy/policy/modules/admin/accountsd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.16/policy/modules/admin/accountsd.fc 2010-03-23 11:38:44.000000000 -0400 
@@ -247,8 +239,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.16/policy/modules/admin/accountsd.te --- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/admin/accountsd.te 2010-03-23 11:38:44.000000000 -0400 -@@ -0,0 +1,47 @@ ++++ serefpolicy-3.7.16/policy/modules/admin/accountsd.te 2010-03-29 12:59:08.000000000 -0400 +@@ -0,0 +1,48 @@ +policy_module(accountsd,1.0.0) + +######################################## @@ -279,6 +271,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account + +corecmd_exec_bin(accountsd_t) + ++files_read_usr_files(accountsd_t) ++ +fs_list_inotifyfs(accountsd_t) + +auth_use_nsswitch(accountsd_t) @@ -295,7 +289,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +optional_policy(` + policykit_dbus_chat(accountsd_t) +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.16/policy/modules/admin/acct.te --- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.16/policy/modules/admin/acct.te 2010-03-23 11:38:44.000000000 -0400 
@@ -307,6 +300,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te corecmd_exec_bin(acct_t) corecmd_exec_shell(acct_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.16/policy/modules/admin/alsa.te +--- nsaserefpolicy/policy/modules/admin/alsa.te 2010-03-12 11:48:14.000000000 -0500 ++++ serefpolicy-3.7.16/policy/modules/admin/alsa.te 2010-03-29 10:04:13.000000000 -0400 +@@ -52,6 +52,8 @@ + files_read_usr_files(alsa_t) + + term_dontaudit_use_console(alsa_t) ++term_dontaudit_use_generic_ptys(alsa_t) ++term_dontaudit_use_all_ptys(alsa_t) + + auth_use_nsswitch(alsa_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.16/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.16/policy/modules/admin/anaconda.te 2010-03-23 11:38:44.000000000 -0400 @@ -3176,8 +3181,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.16/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/apps/java.te 2010-03-23 11:38:44.000000000 -0400 -@@ -147,6 +147,14 @@ ++++ serefpolicy-3.7.16/policy/modules/apps/java.te 2010-03-29 09:55:13.000000000 -0400 +@@ -147,6 +147,15 @@ init_dbus_chat_script(unconfined_java_t) @@ -3187,6 +3192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te + unconfined_domain_noaudit(unconfined_java_t) unconfined_dbus_chat(unconfined_java_t) ++ userdom_unpriv_usertype(unconfined, unconfined_java_t) + + optional_policy(` + rpm_domtrans(unconfined_java_t) 
@@ -4089,8 +4095,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.16/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/apps/nsplugin.te 2010-03-23 11:38:44.000000000 -0400 -@@ -0,0 +1,295 @@ ++++ serefpolicy-3.7.16/policy/modules/apps/nsplugin.te 2010-03-26 15:11:49.000000000 -0400 +@@ -0,0 +1,296 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4230,6 +4236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +miscfiles_read_localization(nsplugin_t) +miscfiles_read_fonts(nsplugin_t) +miscfiles_dontaudit_write_fonts(nsplugin_t) ++miscfiles_setattr_fonts_cache_dirs(nsplugin_t) + +userdom_manage_user_tmp_dirs(nsplugin_t) +userdom_manage_user_tmp_files(nsplugin_t) @@ -4794,7 +4801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.16/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/apps/qemu.if 2010-03-23 11:38:44.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/apps/qemu.if 2010-03-29 13:34:11.000000000 -0400 @@ -127,12 +127,14 @@ template(`qemu_role',` gen_require(` 
@@ -4878,11 +4885,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if ## Manage qemu temporary dirs. ## ## -@@ -306,3 +369,4 @@ +@@ -306,3 +369,23 @@ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') + ++######################################## ++## ++## Make qemu_exec_t an entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which qemu_exec_t is an entrypoint. ++## ++## ++# ++interface(`qemu_entry_type',` ++ gen_require(` ++ type qemu_exec_t; ++ ') ++ ++ domain_entry_file($1, qemu_exec_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.16/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500 +++ serefpolicy-3.7.16/policy/modules/apps/qemu.te 2010-03-23 11:38:44.000000000 -0400 @@ -6198,7 +6224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.16/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/kernel/corecommands.if 2010-03-23 11:38:44.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/kernel/corecommands.if 2010-03-29 13:31:59.000000000 -0400 @@ -931,6 +931,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) 
@@ -8042,9 +8068,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + fs_type($1) + mls_trusted_object($1) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.16/policy/modules/kernel/storage.if +--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500 ++++ serefpolicy-3.7.16/policy/modules/kernel/storage.if 2010-03-26 08:59:44.000000000 -0400 +@@ -101,6 +101,8 @@ + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; ++ #577012 ++ allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms; + typeattribute $1 fixed_disk_raw_read; + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.16/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/kernel/terminal.if 2010-03-23 11:38:44.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/kernel/terminal.if 2010-03-29 10:04:19.000000000 -0400 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -11641,7 +11679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.16/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-03-18 06:48:02.000000000 -0400 -+++ serefpolicy-3.7.16/policy/modules/services/apache.te 2010-03-23 15:40:50.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/services/apache.te 2010-03-29 09:50:03.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # 
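Review bot: The new rule in storage.if is annotated only with a bug number, `#577012`, which tells the next reader nothing about why a domain that already reads fixed disk devices now also needs `read_lnk_file_perms` on `fixed_disk_device_t`; the sasl.te hunk later in this commit does the same with `#577519` above `corecmd_exec_bin(saslauthd_t)`. A one-line reason keeps each grant reviewable, e.g. `# bz 577012: allow following symlinks to fixed disk device nodes` here and a matching line naming what saslauthd has to execute there. The commit subject and the spec changelog call the type `fixed_file_disk_t`, while the rule targets `fixed_disk_device_t`; the log entry should use the real type name so it can be grepped against the policy. The interface this rule belongs to starts outside the hunk, so its name is not visible here.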
@@ -13818,8 +13856,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.16/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/services/clamav.te 2010-03-23 11:38:44.000000000 -0400 -@@ -57,6 +57,7 @@ ++++ serefpolicy-3.7.16/policy/modules/services/clamav.te 2010-03-29 10:11:31.000000000 -0400 +@@ -1,6 +1,13 @@ + + policy_module(clamav, 1.7.1) + ++## ++##

++## Allow clamd to use JIT compiler ++##

++##
++gen_tunable(clamd_use_jit, false) ++ + ######################################## + # + # Declarations +@@ -57,6 +64,7 @@ # allow clamd_t self:capability { kill setgid setuid dac_override }; @@ -13827,7 +13879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam allow clamd_t self:fifo_file rw_fifo_file_perms; allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow clamd_t self:unix_dgram_socket create_socket_perms; -@@ -189,10 +190,14 @@ +@@ -189,10 +197,14 @@ auth_use_nsswitch(freshclam_t) @@ -13842,6 +13894,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') +@@ -246,6 +258,12 @@ + + mta_send_mail(clamscan_t) + ++tunable_policy(`clamd_use_jit',` ++ allow clamd_t self:process execmem; ++', ` ++ dontaudit clamd_t self:process execmem; ++') ++ + optional_policy(` + amavis_read_spool_files(clamscan_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.16/policy/modules/services/clogd.fc --- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.16/policy/modules/services/clogd.fc 2010-03-23 11:38:44.000000000 -0400 
@@ -14056,13 +14121,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.16/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.16/policy/modules/services/consolekit.fc 2010-03-23 11:38:44.000000000 -0400 -@@ -2,4 +2,5 @@ ++++ serefpolicy-3.7.16/policy/modules/services/consolekit.fc 2010-03-29 13:08:45.000000000 -0400 +@@ -1,5 +1,7 @@ + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) ++ /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -+ ++/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.16/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 @@ -14483,7 +14550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.16/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.16/policy/modules/services/cron.if 2010-03-23 11:38:44.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/services/cron.if 2010-03-25 14:56:10.000000000 -0400 
@@ -12,6 +12,10 @@ ## # @@ -14659,7 +14726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.16/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/services/cron.te 2010-03-23 11:38:44.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/services/cron.te 2010-03-29 13:12:03.000000000 -0400 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -14938,6 +15005,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') +@@ -590,7 +670,7 @@ + userdom_manage_user_home_content_sockets(cronjob_t) + #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + +-list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) + read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) + + tunable_policy(`fcron_crond', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.16/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 +++ serefpolicy-3.7.16/policy/modules/services/cups.fc 2010-03-23 11:38:44.000000000 -0400 
@@ -24533,6 +24609,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.16/policy/modules/services/sasl.te +--- nsaserefpolicy/policy/modules/services/sasl.te 2010-03-23 10:55:15.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/services/sasl.te 2010-03-29 09:28:33.000000000 -0400 +@@ -50,6 +50,9 @@ + kernel_read_kernel_sysctls(saslauthd_t) + kernel_read_system_state(saslauthd_t) + ++#577519 ++corecmd_exec_bin(saslauthd_t) ++ + corenet_all_recvfrom_unlabeled(saslauthd_t) + corenet_all_recvfrom_netlabel(saslauthd_t) + corenet_tcp_sendrecv_generic_if(saslauthd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.16/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500 +++ serefpolicy-3.7.16/policy/modules/services/sendmail.if 2010-03-23 11:38:44.000000000 -0400 @@ -26898,7 +26987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.16/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.16/policy/modules/services/virt.te 2010-03-25 14:51:49.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/services/virt.te 2010-03-29 13:34:58.000000000 -0400 @@ -36,13 +36,6 @@ ## 
@@ -27000,7 +27089,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -446,6 +458,10 @@ +@@ -370,6 +382,7 @@ + qemu_signal(virtd_t) + qemu_kill(virtd_t) + qemu_setsched(virtd_t) ++ qemu_entry_type(virt_domain) + ') + + optional_policy(` +@@ -446,6 +459,10 @@ fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -27035,12 +27132,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.16/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.16/policy/modules/services/xserver.fc 2010-03-23 11:38:44.000000000 -0400 -@@ -3,12 +3,21 @@ ++++ serefpolicy-3.7.16/policy/modules/services/xserver.fc 2010-03-26 15:09:02.000000000 -0400 +@@ -2,13 +2,23 @@ + # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) ++HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) -+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) ++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) 
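Review bot: `qemu_entry_type(virt_domain)` makes qemu_exec_t an entrypoint for everything carrying virt_domain, while the commit message and changelog describe the change as allowing qemu_exec_t as an entrypoint to svirt_t only. If virt_domain is an attribute shared by several virtualization domains (not visible in this hunk), each of them can now be entered through qemu_exec_t, which is wider than the stated intent; either narrow the call, e.g. `qemu_entry_type(svirt_t)`, or correct the message to say virt_domain. A short comment above the call naming which transition needs it would also help, since the new `qemu_entry_type` interface doc only says what it does, not why a caller would want it. The `optional_policy` block containing the call starts outside the hunk.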
@@ -27058,7 +27157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /dev # -@@ -32,11 +41,6 @@ +@@ -32,11 +42,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -27070,7 +27169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /opt # -@@ -47,21 +51,23 @@ +@@ -47,21 +52,23 @@ # /tmp # @@ -27098,7 +27197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +95,42 @@ +@@ -89,17 +96,42 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -27146,7 +27245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.16/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.16/policy/modules/services/xserver.if 2010-03-23 11:38:44.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/services/xserver.if 2010-03-26 15:10:37.000000000 -0400 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -29143,7 +29242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.16/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.7.16/policy/modules/system/init.te 2010-03-23 15:35:31.000000000 -0400 ++++ serefpolicy-3.7.16/policy/modules/system/init.te 2010-03-29 13:05:05.000000000 -0400 
@@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -29260,7 +29359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -259,13 +293,19 @@ +@@ -259,13 +293,21 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29275,14 +29374,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +files_setattr_pid_dirs(initrc_t) files_read_kernel_symbol_table(initrc_t) -- --corecmd_exec_all_executables(initrc_t) +files_exec_etc_files(initrc_t) +files_manage_etc_symlinks(initrc_t) +-corecmd_exec_all_executables(initrc_t) ++fs_manage_tmpfs_dirs(initrc_t) + corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -299,6 +339,7 @@ +@@ -299,6 +341,7 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -29290,7 +29390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -325,8 +366,10 @@ +@@ -325,8 +368,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29302,7 +29402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -342,6 +385,8 @@ +@@ -342,6 +387,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -29311,7 +29411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) -@@ -352,6 +397,11 @@ +@@ -352,6 +399,11 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -29323,7 +29423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -395,15 +445,16 @@ +@@ -395,15 +447,16 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -29342,7 +29442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_user_terminals(initrc_t) -@@ -471,7 +522,7 @@ +@@ -471,7 +524,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -29351,7 +29451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -517,6 +568,15 @@ +@@ -517,6 +570,15 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -29367,7 +29467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -542,6 +602,34 @@ +@@ -542,6 +604,34 @@ ') ') @@ -29402,7 +29502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -554,6 +642,8 @@ +@@ -554,6 +644,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29411,7 +29511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -594,6 +684,7 @@ +@@ -594,6 +686,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29419,7 +29519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -647,11 +738,6 @@ +@@ -647,11 +740,6 @@ ') optional_policy(` 
@@ -29431,7 +29531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t kerberos_use(initrc_t) ') -@@ -690,12 +776,18 @@ +@@ -690,12 +778,18 @@ ') optional_policy(` @@ -29450,7 +29550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -718,6 +810,10 @@ +@@ -718,6 +812,10 @@ ') optional_policy(` @@ -29461,7 +29561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -760,8 +856,6 @@ +@@ -760,8 +858,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29470,7 +29570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -774,10 +868,12 @@ +@@ -774,10 +870,12 @@ squid_manage_logs(initrc_t) ') @@ -29483,7 +29583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -790,6 +886,7 @@ +@@ -790,6 +888,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -29491,7 +29591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t udev_manage_pid_files(initrc_t) ') -@@ -801,8 +898,15 @@ +@@ -801,8 +900,15 @@ virt_manage_svirt_cache(initrc_t) ') @@ -29507,7 +29607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -812,6 +916,25 @@ +@@ -812,6 +918,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -29533,7 +29633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -837,3 +960,34 @@ +@@ -837,3 +962,34 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -29709,8 +29809,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.16/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400 -+++ serefpolicy-3.7.16/policy/modules/system/libraries.fc 2010-03-23 11:38:44.000000000 -0400 -@@ -302,13 +302,8 @@ ++++ serefpolicy-3.7.16/policy/modules/system/libraries.fc 2010-03-29 09:05:19.000000000 -0400 +@@ -208,6 +208,7 @@ + + /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -302,13 +303,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -29726,7 +29834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +314,144 @@ +@@ -319,14 +315,144 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -32894,14 +33002,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.16/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.16/policy/modules/system/userdomain.fc 2010-03-23 11:38:44.000000000 -0400 -@@ -1,4 +1,10 @@ ++++ serefpolicy-3.7.16/policy/modules/system/userdomain.fc 2010-03-26 08:56:41.000000000 -0400 +@@ -1,4 +1,11 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) ++/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 4e46342..d0140e2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.16 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -466,8 +466,19 @@ exit 0 %endif %changelog +* Fri Mar 26 2010 Dan Walsh 3.7.16-2 +- Fix ~/.fontconfig label +- Add /root/.cert label +- Allow reading of the fixed_file_disk_t:lnk_file if you can read file +- Allow qemu_exec_t as an entrypoint to svirt_t + * Tue Mar 23 2010 Dan Walsh 3.7.16-1 - Update to upstream +- Allow tmpreaper to delete sandbox sock files +- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems +- Fixes for gitosis +- No transition on livecd to passwd or chfn +- Fixes for denyhosts * Tue Mar 23 2010 Dan Walsh 3.7.15-4 - Add label for /var/lib/upower