diff --git a/policy-F13.patch b/policy-F13.patch index 9539051..a3607cc 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1798,8 +1798,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-04-30 16:48:20.000000000 -0400 -@@ -0,0 +1,57 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-05-11 11:03:41.000000000 -0400 +@@ -0,0 +1,61 @@ +policy_module(shutdown,1.0.0) + +######################################## @@ -1857,6 +1857,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow + dbus_system_bus_client(shutdown_t) + dbus_connect_system_bus(shutdown_t) +') ++ ++optional_policy(` ++ xserver_dontaudit_write_log(shutdown_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.19/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-04-14 10:48:18.000000000 -0400 @@ -2720,7 +2724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.19/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-05-10 10:58:40.000000000 -0400 @@ -74,6 +74,24 @@ ######################################## 
@@ -5504,7 +5508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-03-29 15:04:22.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-04-20 08:58:33.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-05-11 09:52:36.000000000 -0400 @@ -41,6 +41,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) @@ -5521,6 +5525,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud udev_read_db(pulseaudio_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.19/policy/modules/apps/qemu.fc +--- nsaserefpolicy/policy/modules/apps/qemu.fc 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/apps/qemu.fc 2010-05-11 15:39:25.000000000 -0400 +@@ -1,2 +1,4 @@ +-/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.19/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-04-14 10:48:18.000000000 -0400 
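Review bot: Replacing the single `/usr/bin/qemu.*` entry in qemu.fc with three explicit entries drops every other `/usr/bin/qemu-*` binary (helper tools such as an image or nbd utility, if installed) from `qemu_exec_t`, so those fall back to the default bin_t label and no longer transition into qemu_t. That is probably intended, since helper tools should not run in the VM domain, but nothing in the hunk records the intent and the old pattern is easy to reintroduce. I would add a one-line comment above the three entries, e.g. `# only the emulator binaries get qemu_exec_t; helper tools stay bin_t`, and note in the changelog that /usr/bin needs a relabel after the update.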
@@ -5755,7 +5768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-07 09:45:49.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-11 13:32:11.000000000 -0400 @@ -0,0 +1,293 @@ + +## policy for sandbox @@ -5793,7 +5806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + allow $1 sandbox_x_domain:process { signal_perms transition }; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; -+ dontaudit sandbox_x_domain $1:process signal; ++ allow sandbox_x_domain $1:process { sigchld signull }; + role $2 types sandbox_x_domain; + role $2 types sandbox_xserver_t; + allow $1 sandbox_xserver_t:process signal_perms; @@ -6052,8 +6065,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-05-07 10:09:38.000000000 -0400 -@@ -0,0 +1,369 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-05-11 10:25:49.000000000 -0400 +@@ -0,0 +1,377 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
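Review bot: The new `allow sandbox_x_domain $1:process { sigchld signull };` in sandbox.if turns what was a dontaudit into a real grant, so every sandbox X domain can now send signull to processes in the caller's domain, i.e. check whether a given PID in the invoking domain exists. sigchld is needed so the caller can reap the sandbox, but signull widens what the sandbox can observe about its invoker; if only exit notification is required, `allow sandbox_x_domain $1:process sigchld;` is sufficient, otherwise a short comment stating why signull is needed would help the next reader. The interface this line belongs to starts before the hunk.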
@@ -6357,7 +6370,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) + ++files_dontaudit_getattr_all_dirs(sandbox_web_type) ++ +fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) ++fs_dontaudit_getattr_all_fs(sandbox_web_type) + +auth_use_nsswitch(sandbox_web_type) + @@ -6372,6 +6388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +seutil_read_default_contexts(sandbox_web_type) + +userdom_rw_user_tmpfs_files(sandbox_web_type) ++userdom_delete_user_tmpfs_files(sandbox_web_type) + +optional_policy(` + bluetooth_dontaudit_dbus_chat(sandbox_web_type) @@ -6399,6 +6416,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + networkmanager_dontaudit_dbus_chat(sandbox_web_type) +') + ++optional_policy(` ++ udev_read_state(sandbox_web_type) ++ udev_read_db(sandbox_web_type) ++') ++ +######################################## +# +# sandbox_net_client_t local policy @@ -6422,7 +6444,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') + -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-04-14 10:48:18.000000000 -0400 
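Review bot: `userdom_delete_user_tmpfs_files(sandbox_web_type)` in sandbox.te lets every web sandbox unlink any tmpfs file carrying the user's type, not only the ones the sandbox created, so a sandboxed browser could remove shared-memory objects belonging to the user's other applications. If the underlying denial was the sandbox cleaning up its own tmpfs files, giving sandbox_web_type a private tmpfs type with a filetrans would be the narrower fix; if the denial is only noise, a dontaudit on the same class keeps the sandbox boundary unchanged. Either way a comment is warranted, because the `userdom_rw_user_tmpfs_files` call directly above already shows this type is shared with the user's own domain.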
@@ -7083,7 +7104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-05-05 08:09:07.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-05-10 14:33:53.000000000 -0400 @@ -49,7 +49,8 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) @@ -7879,7 +7900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-05 14:44:26.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-07 09:36:54.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-11 10:28:57.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8774,7 +8795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-07 09:50:32.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-11 09:56:44.000000000 -0400 
@@ -569,10 +569,10 @@ # interface(`fs_mount_cgroup', ` @@ -9142,7 +9163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-29 10:22:42.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-05-11 09:49:46.000000000 -0400 @@ -534,6 +534,37 @@ ######################################## @@ -12017,8 +12038,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.19/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,41 @@ ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-05-11 10:35:04.000000000 -0400 +@@ -0,0 +1,44 @@ +policy_module(aiccu,1.0.0) + +######################################## @@ -12055,11 +12076,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + +files_read_etc_files(aiccu_t) + ++corenet_rw_tun_tap_dev(aiccu_t) ++ +miscfiles_read_localization(aiccu_t) + +manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.19/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/services/aisexec.fc 2010-04-14 10:48:18.000000000 -0400 
@@ -13409,7 +13433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto userdom_dontaudit_use_unpriv_user_fds(automount_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.7.19/policy/modules/services/avahi.if --- nsaserefpolicy/policy/modules/services/avahi.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/avahi.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/avahi.if 2010-05-11 15:39:25.000000000 -0400 @@ -90,6 +90,7 @@ class dbus send_msg; ') @@ -15908,7 +15932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.19/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-05-10 14:15:29.000000000 -0400 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) 
@@ -15963,7 +15987,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -156,6 +166,7 @@ +@@ -129,6 +139,7 @@ + allow cupsd_t cupsd_lock_t:file manage_file_perms; + files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + ++manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + allow cupsd_t cupsd_log_t:dir setattr; + logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) +@@ -156,6 +167,7 @@ kernel_read_system_state(cupsd_t) kernel_read_network_state(cupsd_t) kernel_read_all_sysctls(cupsd_t) @@ -15971,7 +16003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corenet_all_recvfrom_unlabeled(cupsd_t) corenet_all_recvfrom_netlabel(cupsd_t) -@@ -171,6 +182,7 @@ +@@ -171,6 +183,7 @@ corenet_udp_bind_generic_node(cupsd_t) corenet_tcp_bind_ipp_port(cupsd_t) corenet_udp_bind_ipp_port(cupsd_t) @@ -15979,7 +16011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) -@@ -191,6 +203,7 @@ +@@ -191,6 +204,7 @@ fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) @@ -15987,7 +16019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_read_anon_inodefs_files(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -250,6 +263,7 @@ +@@ -250,6 +264,7 @@ miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) 
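Review bot: With `manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` added in cups.te, the existing `allow cupsd_t cupsd_log_t:dir setattr;` two lines below is fully covered (manage_dir_perms already includes setattr) and can be dropped to keep the rule set minimal. The new rule also grants create, rename and rmdir on the log directory; if cupsd only needs to create subdirectories, `create_dirs_pattern` together with the existing setattr rule would be the narrower choice — the denial that motivated the change is not visible here, so I'm inferring the need from the rule alone. The cupsd_t section this inner hunk belongs to continues outside the hunk.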
@@ -15995,7 +16027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -285,8 +299,10 @@ +@@ -285,8 +300,10 @@ hal_dbus_chat(cupsd_t) ') @@ -16006,7 +16038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') ') -@@ -317,6 +333,10 @@ +@@ -317,6 +334,10 @@ ') optional_policy(` @@ -16017,7 +16049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups udev_read_db(cupsd_t) ') -@@ -327,7 +347,7 @@ +@@ -327,7 +348,7 @@ allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; @@ -16026,7 +16058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -378,6 +398,8 @@ +@@ -378,6 +399,8 @@ dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -16035,7 +16067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -407,6 +429,7 @@ +@@ -407,6 +430,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -16043,7 +16075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(cupsd_config_t) -@@ -419,12 +442,15 @@ +@@ -419,12 +443,15 @@ ') optional_policy(` @@ -16061,7 +16093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -432,6 +458,10 @@ +@@ -432,6 +459,10 @@ ') optional_policy(` 
@@ -16072,7 +16104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -446,6 +476,11 @@ +@@ -446,6 +477,11 @@ ') optional_policy(` @@ -16084,7 +16116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups rpm_read_db(cupsd_config_t) ') -@@ -457,6 +492,10 @@ +@@ -457,6 +493,10 @@ udev_read_db(cupsd_config_t) ') @@ -16095,7 +16127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # Cups lpd support -@@ -520,6 +559,7 @@ +@@ -520,6 +560,7 @@ logging_send_syslog_msg(cupsd_lpd_t) miscfiles_read_localization(cupsd_lpd_t) @@ -16103,7 +16135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(cupsd_lpd_t) -@@ -532,7 +572,7 @@ +@@ -532,7 +573,7 @@ # cups_pdf local policy # @@ -16112,7 +16144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cups_pdf_t self:fifo_file rw_file_perms; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; -@@ -542,6 +582,8 @@ +@@ -542,6 +583,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -16121,7 +16153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,13 +598,18 @@ +@@ -556,13 +599,18 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -16140,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_manage_nfs_dirs(cups_pdf_t) fs_manage_nfs_files(cups_pdf_t) ') -@@ -601,6 +648,9 @@ +@@ -601,6 +649,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) 
@@ -16150,7 +16182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +677,7 @@ +@@ -627,6 +678,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -17116,7 +17148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-05-10 11:18:49.000000000 -0400 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -17146,7 +17178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_t dovecot_cert_t:dir list_dir_perms; read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -@@ -73,14 +77,25 @@ +@@ -73,14 +77,26 @@ can_exec(dovecot_t, dovecot_exec_t) 
@@ -17168,12 +17200,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) ++manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) -@@ -93,6 +108,7 @@ +@@ -93,6 +109,7 @@ corenet_tcp_sendrecv_generic_node(dovecot_t) corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) @@ -17181,7 +17214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove corenet_tcp_bind_pop_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -@@ -103,6 +119,7 @@ +@@ -103,6 +120,7 @@ dev_read_urand(dovecot_t) fs_getattr_all_fs(dovecot_t) @@ -17189,7 +17222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) -@@ -142,6 +159,10 @@ +@@ -142,6 +160,10 @@ ') optional_policy(` @@ -17200,7 +17233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -172,11 +193,6 @@ +@@ -172,11 +194,6 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) 
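Review bot: `manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)` grants directory creation under the pid directory, but `files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)` a few lines below still transitions only files, so a directory dovecot creates directly in /var/run would inherit the parent's var_run_t label and the new manage rule would not apply to it. If dovecot does create such directories, which the added rule implies, the transition should become `files_pid_filetrans(dovecot_t, dovecot_var_run_t, { file dir })`, matching the `{ file dir }` form already used for aiccu_t and hald_acl_t elsewhere in this patch. If it does not, the manage_dirs grant is wider than needed and `manage_files_pattern` plus `manage_sock_files_pattern` already cover the observed usage.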
@@ -17212,7 +17245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) -@@ -197,8 +213,8 @@ +@@ -197,8 +214,8 @@ files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) @@ -17222,7 +17255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove init_rw_utmp(dovecot_auth_t) -@@ -225,6 +241,7 @@ +@@ -225,6 +242,7 @@ ') optional_policy(` @@ -17230,7 +17263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,6 +251,8 @@ +@@ -234,6 +252,8 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; @@ -17239,7 +17272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -@@ -246,6 +265,7 @@ +@@ -246,6 +266,7 @@ auth_use_nsswitch(dovecot_deliver_t) logging_send_syslog_msg(dovecot_deliver_t) @@ -17247,7 +17280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -263,11 +283,19 @@ +@@ -263,11 +284,19 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` 
@@ -18517,7 +18550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.19/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-05-04 15:34:12.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-05-10 14:13:40.000000000 -0400 @@ -367,7 +367,7 @@ ## # @@ -18556,7 +18589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.19/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-05-10 14:14:13.000000000 -0400 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -18580,7 +18613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) -+kernel_search_network_sysctl(hald_t) ++kernel_rw_net_sysctls(hald_t) kernel_setsched(hald_t) kernel_request_load_module(hald_t) 
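Review bot: Swapping `kernel_search_network_sysctl(hald_t)` for `kernel_rw_net_sysctls(hald_t)` in hal.te goes from searching the sysctl directory to reading and writing every /proc/sys/net entry, which lets hald change kernel networking behaviour (forwarding, filtering and similar tunables) rather than merely traverse the tree. If hal only reads interface settings, `kernel_read_net_sysctls(hald_t)` is the narrower interface; if a write really is required, a comment naming the sysctl would justify the grant. The hunk does not show the denial that prompted this, so I'm inferring the need from the rule alone.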
@@ -18617,7 +18650,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. auth_use_nsswitch(hald_t) -@@ -266,6 +273,10 @@ +@@ -209,10 +216,12 @@ + seutil_read_default_contexts(hald_t) + seutil_read_file_contexts(hald_t) + +-sysnet_read_config(hald_t) ++sysnet_delete_dhcpc_pid(hald_t) + sysnet_domtrans_dhcpc(hald_t) + sysnet_domtrans_ifconfig(hald_t) ++sysnet_read_config(hald_t) + sysnet_read_dhcp_config(hald_t) ++sysnet_read_dhcpc_pid(hald_t) + + userdom_dontaudit_use_unpriv_user_fds(hald_t) + userdom_dontaudit_search_user_home_dirs(hald_t) +@@ -266,6 +275,10 @@ ') optional_policy(` @@ -18628,7 +18675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. gpm_dontaudit_getattr_gpmctl(hald_t) ') -@@ -295,6 +306,7 @@ +@@ -295,6 +308,7 @@ ') optional_policy(` @@ -18636,7 +18683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ppp_read_rw_config(hald_t) ') -@@ -315,11 +327,19 @@ +@@ -315,11 +329,19 @@ ') optional_policy(` @@ -18656,7 +18703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. updfstab_domtrans(hald_t) ') -@@ -331,6 +351,10 @@ +@@ -331,6 +353,10 @@ virt_manage_images(hald_t) ') @@ -18667,7 +18714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Hal acl local policy -@@ -351,6 +375,7 @@ +@@ -351,6 +377,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -18675,7 +18722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. corecmd_exec_bin(hald_acl_t) -@@ -463,6 +488,10 @@ +@@ -463,6 +490,10 @@ miscfiles_read_localization(hald_keymap_t) 
@@ -18742,13 +18789,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.19/policy/modules/services/ksmtuned.fc --- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-03-29 15:04:22.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.fc 2010-05-07 11:18:55.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.fc 2010-05-10 14:06:00.000000000 -0400 @@ -3,3 +3,5 @@ /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) + -+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_var_run_t,s0) ++/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.19/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-03-29 15:04:22.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-05-07 11:19:16.000000000 -0400 @@ -19459,7 +19506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-05-10 09:29:06.000000000 -0400 @@ -28,12 +28,26 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) 
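Review bot: Relabelling /var/log/ksmtuned.* to `ksmtuned_log_t` is the right direction (a log file should not carry the pid-file type), but this hunk changes only ksmtuned.fc, and the ksmtuned.te header it ends on is unchanged, so the declaration of the new type is not visible from here. Confirm that ksmtuned.te already has `type ksmtuned_log_t;` with `logging_log_file(ksmtuned_log_t)`, a manage rule for the daemon and a `logging_log_filetrans` so newly created logs get the type; otherwise the .fc entry references an undefined type and the policy build fails.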
@@ -19520,7 +19567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -164,3 +185,147 @@ +@@ -164,3 +185,149 @@ optional_policy(` udev_read_db(munin_t) ') @@ -19655,6 +19702,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + +corecmd_exec_shell(munin_system_plugin_t) + ++files_read_etc_files(munin_system_plugin_t) ++ +fs_getattr_all_fs(munin_system_plugin_t) + +dev_read_sysfs(munin_system_plugin_t) @@ -20513,7 +20562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-05-11 13:37:59.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -20539,7 +20588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; +allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; -+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom }; ++allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; 
@@ -20612,7 +20661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +139,41 @@ +@@ -116,25 +139,42 @@ seutil_read_config(NetworkManager_t) @@ -20650,6 +20699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + avahi_kill(NetworkManager_t) + avahi_signal(NetworkManager_t) + avahi_signull(NetworkManager_t) ++ avahi_dbus_chat(NetworkManager_t) +') optional_policy(` @@ -20661,7 +20711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -142,12 +181,29 @@ +@@ -142,12 +182,29 @@ ') optional_policy(` @@ -20694,7 +20744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,23 +211,51 @@ +@@ -155,23 +212,51 @@ ') optional_policy(` @@ -20749,7 +20799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -179,12 +263,15 @@ +@@ -179,12 +264,15 @@ ') optional_policy(` @@ -22226,8 +22276,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.19/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/plymouthd.te 2010-04-20 08:47:32.000000000 -0400 -@@ -0,0 +1,107 @@ ++++ serefpolicy-3.7.19/policy/modules/services/plymouthd.te 2010-05-10 13:59:20.000000000 -0400 +@@ -0,0 +1,109 @@ +policy_module(plymouthd, 1.0.0) + +######################################## 
@@ -22301,6 +22351,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) +files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file }) + ++userdom_read_admin_home_files(plymouthd_t) ++ +######################################## +# +# Plymouth private policy @@ -27858,7 +27910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd dbus_connect_system_bus(sssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.19/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2010-03-09 15:39:06.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-05-10 13:52:16.000000000 -0400 @@ -38,7 +38,7 @@ allow tgtd_t self:unix_dgram_socket create_socket_perms; @@ -27868,7 +27920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t) fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file) -@@ -60,6 +60,8 @@ +@@ -60,8 +60,12 @@ files_read_etc_files(tgtd_t) @@ -27877,6 +27929,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd storage_manage_fixed_disk(tgtd_t) logging_send_syslog_msg(tgtd_t) + + miscfiles_read_localization(tgtd_t) ++ ++iscsi_manage_semaphores(tgtd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.19/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2010-03-23 10:55:15.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/tuned.te 2010-04-14 10:48:18.000000000 -0400 
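Review bot: `userdom_read_admin_home_files(plymouthd_t)` gives the boot-splash daemon read access to everything under the administrator's home directory, which is far wider than a splash screen should need and would expose any keys or configuration kept there. If the denial came from plymouthd being started from a shell whose working directory was the admin home, a dontaudit on searching that directory silences it without granting access; if a specific file is genuinely read, a comment above the rule should name it so the grant can be narrowed later.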
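Review bot: `iscsi_manage_semaphores(tgtd_t)` is added at top level of tgtd.te, whereas every other cross-module call introduced in this patch (for example `xserver_dontaudit_write_log` in shutdown.te and `udev_read_state` in sandbox.te) sits inside an `optional_policy` block. An unwrapped call makes the tgtd module require the iscsi module at load time, so a system that installs tgtd without iscsi fails to load the policy. Wrap the call in an `optional_policy` block like the others; the extra blank line added before it can then go as well.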
@@ -28321,7 +28377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.19/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-07 09:56:35.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-11 10:20:29.000000000 -0400 @@ -2,13 +2,23 @@ # HOME_DIR # @@ -28396,12 +28452,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +98,42 @@ +@@ -89,17 +98,43 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + @@ -28444,7 +28501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-05-07 10:02:24.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-05-11 11:03:17.000000000 -0400 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` 
@@ -28619,6 +28676,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## +@@ -916,7 +952,7 @@ + type xserver_log_t; + ') + +- dontaudit $1 xserver_log_t:file { append write }; ++ dontaudit $1 xserver_log_t:file rw_inherited_file_perms; + ') + + ######################################## @@ -964,6 +1000,44 @@ ######################################## @@ -29017,7 +29083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-07 09:59:15.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-11 10:03:21.000000000 -0400 @@ -36,6 +36,13 @@ ## @@ -29191,7 +29257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,30 +293,60 @@ +@@ -250,30 +293,63 @@ fs_manage_cifs_files(iceauth_t) ') @@ -29203,6 +29269,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + fs_dontaudit_rw_anon_inodefs_files(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) + ++ userdom_dontaudit_read_user_home_content_files(iceauth_t) ++ userdom_dontaudit_write_user_home_content_files(iceauth_t) ++ + optional_policy(` + mozilla_dontaudit_rw_user_home_files(iceauth_t) + ') @@ -29255,7 +29324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -283,17 +356,36 @@ +@@ -283,17 +359,36 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) 
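Review bot: The `xserver_dontaudit_write_log` hunk swaps `{ append write }` for `rw_inherited_file_perms`, so an interface whose name promises to silence writes now also hides read, getattr, lock and ioctl denials on xserver_log_t for every caller. Nothing is granted by a dontaudit, but a confined domain actually reading the X server log is exactly the kind of denial the old rule would have surfaced and the new one masks. Either keep the narrow set and add only what the inherited-fd case needs, e.g. `dontaudit $1 xserver_log_t:file { append write getattr };`, or rename the interface to match its new scope, `interface(\`xserver_dontaudit_rw_log',`, and update the summary accordingly. The interface summary and `gen_require` start before the hunk.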
@@ -29292,7 +29361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +397,32 @@ +@@ -305,20 +400,32 @@ # XDM Local policy # @@ -29328,7 +29397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -326,32 +430,52 @@ +@@ -326,32 +433,52 @@ allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -29386,7 +29455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -359,10 +483,13 @@ +@@ -359,10 +486,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) @@ -29400,7 +29469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,15 +498,21 @@ +@@ -371,15 +501,21 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -29423,7 +29492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -394,11 +527,14 @@ +@@ -394,11 +530,14 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -29438,7 +29507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +542,7 @@ +@@ -406,6 +545,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
@@ -29446,7 +29515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +551,22 @@ +@@ -414,18 +554,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -29472,7 +29541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +577,17 @@ +@@ -436,9 +580,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -29490,7 +29559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +596,19 @@ +@@ -447,14 +599,19 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -29510,7 +29579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +619,12 @@ +@@ -465,10 +622,12 @@ logging_read_generic_logs(xdm_t) @@ -29525,7 +29594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +633,11 @@ +@@ -477,6 +636,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -29537,7 +29606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +670,12 @@ +@@ -509,10 +673,12 @@ optional_policy(` alsa_domtrans(xdm_t) 
@@ -29550,7 +29619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +683,50 @@ +@@ -520,12 +686,50 @@ ') optional_policy(` @@ -29592,7 +29661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -+ gnome_read_gconf_config(xdm_t) ++ gnome_manage_gconf_home_files(xdm_t) + gnome_read_config(xdm_t) + gnome_append_gconf_home_files(xdm_t) +') @@ -29601,7 +29670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +744,59 @@ +@@ -543,20 +747,59 @@ ') optional_policy(` @@ -29663,7 +29732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +805,6 @@ +@@ -565,7 +808,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -29671,7 +29740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +815,10 @@ +@@ -576,6 +818,10 @@ ') optional_policy(` @@ -29682,7 +29751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +843,9 @@ +@@ -600,10 +846,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -29694,7 +29763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +857,18 @@ +@@ -615,6 +860,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
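Review bot: In the xdm_t gnome block, `gnome_manage_gconf_home_files(xdm_t)` replaces `gnome_read_gconf_config(xdm_t)`, and the `gnome_append_gconf_home_files(xdm_t)` line two lines below is now subsumed by manage and can be dropped. The change also turns a read of the system gconf configuration into create/write/delete of users' ~/.gconf content by a root daemon; if gdm still reads /etc/gconf, that read grant was lost in this hunk and will resurface as a denial, so keeping `gnome_read_gconf_config(xdm_t)` alongside the manage call seems safer. A one-line comment would let the next reviewer judge the widening, e.g. `# gdm writes the login screen's settings into the gdm user's ~/.gconf (bug 590677)`, matching the changelog entry at the bottom of this page.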
@@ -29713,7 +29782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +888,19 @@ +@@ -634,12 +891,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -29735,7 +29804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +934,6 @@ +@@ -673,7 +937,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -29743,7 +29812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +943,12 @@ +@@ -683,9 +946,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -29757,7 +29826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +963,13 @@ +@@ -700,8 +966,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29771,7 +29840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +991,14 @@ +@@ -723,11 +994,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -29786,7 +29855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1050,24 @@ +@@ -779,12 +1053,24 @@ ') optional_policy(` 
@@ -29812,7 +29881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1094,7 @@ +@@ -811,7 +1097,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -29821,7 +29890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1115,14 @@ +@@ -832,9 +1118,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -29836,7 +29905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1137,14 @@ +@@ -849,11 +1140,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -29853,7 +29922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1290,33 @@ +@@ -999,3 +1293,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -31235,6 +31304,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.7.19/policy/modules/system/iscsi.if +--- nsaserefpolicy/policy/modules/system/iscsi.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/system/iscsi.if 2010-05-10 13:56:09.000000000 -0400 +@@ -56,3 +56,21 @@ + allow $1 iscsi_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) + ') ++ ++######################################## ++## ++## Manage iscsid sempaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`iscsi_manage_semaphores',` ++ gen_require(` ++ type iscsid_t; ++ ') ++ ++ allow $1 iscsid_t:sem create_sem_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-04-19 09:16:53.000000000 -0400 
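Review bot: The new `iscsi_manage_semaphores` interface hands out `create_sem_perms` on iscsid_t semaphores, the widest SysV sem set (create, destroy, setattr, associate, read, write), while its only caller in this patch, tgtd, is not shown to need more than joining and using an existing set. Following the refpolicy read/rw/manage naming, an `iscsi_rw_semaphores` granting `allow $1 iscsid_t:sem rw_sem_perms;` would be the tighter default, with a manage variant added only if an AVC shows create or destroy. The summary also has a typo, `Manage iscsid sempaphores.` should read `Manage iscsid semaphores.`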
@@ -31851,6 +31945,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te modutils_domtrans_insmod(lvm_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc +--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-03-09 15:39:06.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-05-11 10:30:09.000000000 -0400 +@@ -76,6 +76,8 @@ + /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) + + /var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) ++/var/lib/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) ++/var/lib/cobbler/links(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) + + /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-03-18 06:48:09.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-04-14 10:48:18.000000000 -0400 
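Review bot: The two new miscfiles.fc entries label `/var/lib/cobbler/ks_mirror` and `/var/lib/cobbler/links` as `public_content_rw_t`, the type that becomes writable by httpd, ftpd, rsync and similar services whenever the matching `allow_*_anon_write` booleans are on, so a mirror of install media lands in the same trust bucket as an anonymous upload directory. If cobblerd is the only writer and the web and ftp services only serve the trees, `gen_context(system_u:object_r:public_content_t,s0)` for these two paths, with cobblerd's own domain granted manage, keeps mirrored kernels and initrds from being modifiable by a compromised file server; the existing `webui_sessions` line is a different case because sessions genuinely are written by the web UI. This is inferred from the type names and the paths; the cobbler module itself is not in the hunk.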
@@ -33266,6 +33372,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.7.19/policy/modules/system/setrans.te +--- nsaserefpolicy/policy/modules/system/setrans.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/system/setrans.te 2010-05-11 14:37:16.000000000 -0400 +@@ -13,6 +13,7 @@ + type setrans_t; + type setrans_exec_t; + init_daemon_domain(setrans_t, setrans_exec_t) ++mls_trusted_object(setrans_t) + + type setrans_initrc_exec_t; + init_script_file(setrans_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.7.19/policy/modules/system/sosreport.fc --- nsaserefpolicy/policy/modules/system/sosreport.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/system/sosreport.fc 2010-04-14 10:48:18.000000000 -0400 @@ -33532,7 +33649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-05-05 09:51:53.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-05-10 14:13:53.000000000 -0400 @@ -60,25 +60,24 @@ netutils_run(dhcpc_t, $2) netutils_run_ping(dhcpc_t, $2) 
@@ -33692,7 +33809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-05-05 08:18:04.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-05-10 14:12:59.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -33731,7 +33848,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -193,6 +203,12 @@ +@@ -172,6 +182,7 @@ + + optional_policy(` + hal_dontaudit_rw_dgram_sockets(dhcpc_t) ++ hal_dontaudit_write_log(dhcpc_t) + ') + + optional_policy(` +@@ -193,6 +204,12 @@ ') optional_policy(` @@ -33744,7 +33869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_read_ypbind_pid(dhcpc_t) ') -@@ -214,6 +230,7 @@ +@@ -214,6 +231,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -33752,7 +33877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -277,8 +294,11 @@ +@@ -277,8 +295,11 @@ domain_use_interactive_fds(ifconfig_t) @@ -33764,7 +33889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -306,6 +326,8 @@ +@@ -306,6 +327,8 @@ seutil_use_runinit_fds(ifconfig_t) 
@@ -33773,7 +33898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -328,6 +350,8 @@ +@@ -328,6 +351,8 @@ optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) @@ -34629,7 +34754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-04 13:38:19.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-11 10:03:28.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -35927,7 +36052,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1819,20 +2065,14 @@ +@@ -1802,8 +2048,7 @@ + type user_home_dir_t, user_home_t; + ') + +- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) ++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1819,20 +2064,14 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -35952,7 +36087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -1866,6 +2106,7 @@ +@@ -1866,6 +2105,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
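Review bot: The `userdom_read_user_home_content_symlinks` rewrite in the `@@ -1802,8 +2048,7 @@` hunk replaces `read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)` plus `files_search_home($1)` with a bare `allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;`, which changes the interface in two ways: it drops the `dir search` on user_home_dir_t, user_home_t and /home that the pattern expanded to, so callers that reached the links only through this interface now need a separate search grant, and it newly allows reading symlinks that carry the user_home_dir_t label. If the intent was to stop handing out search permission, say so in the summary and consider keeping `files_search_home($1)` so existing callers do not regress; if not, the original pattern call was the narrower choice for the lnk_file side. The interface summary and `gen_require` begin before the hunk.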
@@ -35960,7 +36095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,6 +2343,25 @@ +@@ -2102,6 +2342,25 @@ ######################################## ## @@ -35986,7 +36121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to list user ## temporary directories. ## -@@ -2218,7 +2478,7 @@ +@@ -2218,7 +2477,7 @@ ######################################## ## @@ -35995,7 +36130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## temporary files. ## ## -@@ -2227,37 +2487,56 @@ +@@ -2227,32 +2486,51 @@ ## ## # @@ -36032,11 +36167,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $1 user_tmp_t:dir list_dir_perms; - files_search_tmp($1) + dontaudit $1 user_tmp_t:file manage_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete user ++') ++ ++######################################## ++## +## Read user temporary symbolic links. +## +## @@ -36053,15 +36187,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:dir list_dir_perms; + files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user - ## temporary directories. - ## - ## -@@ -2427,13 +2706,14 @@ + ') + + ######################################## +@@ -2427,13 +2705,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -36077,7 +36206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2454,6 +2734,24 @@ +@@ -2454,6 +2733,24 @@ ######################################## ## 
@@ -36102,7 +36231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2747,6 +3045,25 @@ +@@ -2747,6 +3044,25 @@ ######################################## ## @@ -36128,7 +36257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2787,7 +3104,7 @@ +@@ -2787,7 +3103,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -36137,7 +36266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3120,13 @@ +@@ -2803,11 +3119,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -36153,7 +36282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3263,7 @@ +@@ -2944,7 +3262,7 @@ type user_tmp_t; ') @@ -36162,7 +36291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3300,7 @@ +@@ -2981,6 +3299,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -36170,7 +36299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3431,664 @@ +@@ -3111,3 +3430,664 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index f90f950..c5aca28 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 14%{?dist} +Release: 15%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -468,6 +468,18 @@ exit 0 %endif %changelog +* Mon May 10 2010 Dan Walsh 3.7.19-15 +- Allow gdm to edit ~/.gconf dir +Resolves: #590677 +- Allow dovecot to create directories in /var/lib/dovecot +Partially resolves 590224 +- Allow avahi to dbus chat with NetworkManager +- Fix cobbler labels +- Dontaudit iceauth_t leaks +- fix /var/lib/lxdm file context +- Allow aiccu to use tun tap devices +- Dontaudit shutdown using xserver.log + * Fri May 6 2010 Dan Walsh 3.7.19-14 - Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory @@ -483,6 +495,7 @@ Resolves: #586663 - Allow initrc_t to remove dhcpc_state_t - Fix label on sa-update.cron - Allow dhcpc to restart chrony initrc +- Don't allow sandbox to send signals to its parent processes - Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t Resolves: #589136 @@ -496,6 +509,7 @@ Resolves: #586760 * Fri Apr 30 2010 Dan Walsh 3.7.19-10 - Dontaudit sandbox trying to connect to netlink sockets Resolves: #587609 +- Add policy for piranha * Thu Apr 29 2010 Dan Walsh 3.7.19-9 - Fixups for xguest policy