diff --git a/modules-minimum.conf b/modules-minimum.conf
index 1f08acc..e9325ed 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1576,6 +1576,13 @@ tgtd = module
#
udev = base
+# Layer: services
+# Module: usbmuxd
+#
+# Daemon for communicating with Apple's iPod Touch and iPhone
+#
+usbmuxd = module
+
# Layer: system
# Module: userdomain
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 1f08acc..e9325ed 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1576,6 +1576,13 @@ tgtd = module
#
udev = base
+# Layer: services
+# Module: usbmuxd
+#
+# Daemon for communicating with Apple's iPod Touch and iPhone
+#
+usbmuxd = module
+
# Layer: system
# Module: userdomain
#
diff --git a/policy-20100106.patch b/policy-20100106.patch
index b12534a..816aab0 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -84,6 +84,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te
+--- nsaserefpolicy/policy/modules/apps/firewallgui.te 2010-01-18 18:24:22.593530742 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-02 18:41:27.873067758 +0100
+@@ -59,6 +59,10 @@
+ iptables_initrc_domtrans(firewallgui_t)
+
+ optional_policy(`
++ gnome_read_gconf_home_files(firewallgui_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100
@@ -753,8 +767,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(dns, udp,53,s0, tcp,53,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-27 17:35:56.087613943 +0100
-@@ -103,6 +103,7 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-02 15:44:16.896067937 +0100
+@@ -83,6 +83,7 @@
+ /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+ /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
+@@ -103,6 +104,7 @@
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
@@ -762,7 +784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
-@@ -162,6 +163,8 @@
+@@ -162,6 +164,8 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
@@ -1156,6 +1178,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc
+--- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-01-18 18:24:22.753540198 +0100
++++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2010-02-02 18:56:12.191317011 +0100
+@@ -1,4 +1,6 @@
+
++/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
++
+ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
+ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.32/policy/modules/services/chronyd.te
+--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-01-18 18:24:22.755539963 +0100
++++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2010-02-02 18:55:49.615067744 +0100
+@@ -12,6 +12,9 @@
+ type chronyd_initrc_exec_t;
+ init_script_file(chronyd_initrc_exec_t)
+
++type chronyd_keys_t;
++files_type(chronyd_keys_t)
++
+ # var/lib files
+ type chronyd_var_lib_t;
+ files_type(chronyd_var_lib_t)
+@@ -30,11 +33,14 @@
+ # chronyd local policy
+ #
+
+-allow chronyd_t self:capability { setuid setgid sys_time };
+-allow chronyd_t self:process { getcap setcap };
++allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
++allow chronyd_t self:process { getcap setcap setrlimit };
+
+ allow chronyd_t self:udp_socket create_socket_perms;
+ allow chronyd_t self:unix_dgram_socket create_socket_perms;
++allow chronyd_t self:shm create_shm_perms;
++
++allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+ # chronyd var/lib files
+ manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+@@ -64,4 +70,7 @@
+
+ miscfiles_read_localization(chronyd_t)
+
+-permissive chronyd_t;
++optional_policy(`
++ gpsd_rw_shm(chronyd_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-01-29 09:59:49.239614360 +0100
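Review bot: `dac_override` in the widened chronyd_t capability set (`allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };`) is the broadest grant in this hunk and nothing else in it shows what needs it; since the same change drops `permissive chronyd_t;`, the domain now runs enforcing with a capability that lets it bypass DAC on every file its other rules name. If it was added so chronyd can open a root-owned 0600 `/etc/chrony.keys` after switching to its own uid, the narrower fix is the key file's ownership/mode (or reading it before the privilege drop) rather than the capability — the new `chronyd_keys_t` type already isolates that file at the SELinux level. The remaining additions look explainable but deserve a why-comment each, e.g. `# ipc_lock + shm: SHM refclock shared with gpsd (see gpsd_rw_shm below)` and `# sys_resource/setrlimit: assumed to be for raising RLIMIT_MEMLOCK before mlockall — confirm from the audit log`. Note that `files_type(chronyd_keys_t)` makes the NTP shared secret readable by any domain holding a read-all-non-security-files grant; if that matters here, consider whether a more restrictive attribute is appropriate.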
@@ -2605,6 +2676,144 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(tgtd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
+--- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100
++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-02 19:06:55.670067778 +0100
+@@ -36,7 +36,7 @@
+ kernel_read_system_state(tuned_t)
+
+ dev_read_sysfs(tuned_t)
+-
++dev_read_urand(tuned_t)
+ # to allow cpu tuning
+ dev_rw_netcontrol(tuned_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc
+--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc 2010-02-02 19:00:16.333067308 +0100
+@@ -0,0 +1,6 @@
++
++/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
++
++/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
++
++/var/run/usbmuxd\.lock -- gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.6.32/policy/modules/services/usbmuxd.if
+--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.if 2010-02-02 19:06:22.735067968 +0100
+@@ -0,0 +1,64 @@
++## Daemon for communicating with Apple's iPod Touch and iPhone
++
++########################################
++##
++## Execute a domain transition to run usbmuxd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`usbmuxd_domtrans',`
++ gen_require(`
++ type usbmuxd_t, usbmuxd_exec_t;
++ ')
++
++ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
++')
++
++#######################################
++##
++## Execute usbmuxd in the usbmuxd domain, and
++## allow the specified role the usbmuxd domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the usbmuxd domain.
++##
++##
++#
++interface(`usbmuxd_run',`
++ gen_require(`
++ type usbmuxd_t;
++ ')
++
++ usbmuxd_domtrans($1)
++ role $2 types usbmuxd_t;
++')
++
++#####################################
++##
++## Connect to usbmuxd over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usbmuxd_stream_connect',`
++ gen_require(`
++ type usbmuxd_t, usbmuxd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te
+--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 18:58:37.916068136 +0100
+@@ -0,0 +1,44 @@
++
++policy_module(usbmuxd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type usbmuxd_t;
++type usbmuxd_exec_t;
++application_domain(usbmuxd_t, usbmuxd_exec_t)
++
++type usbmuxd_var_run_t;
++files_pid_file(usbmuxd_var_run_t)
++
++permissive usbmuxd_t;
++
++########################################
++#
++# usbmuxd local policy
++#
++
++allow usbmuxd_t self:capability { kill setgid setuid };
++allow usbmuxd_t self:process { fork signal signull };
++
++# Init script handling
++domain_use_interactive_fds(usbmuxd_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
++allow usbmuxd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
++
++files_read_etc_files(usbmuxd_t)
++
++miscfiles_read_localization(usbmuxd_t)
++
++auth_use_nsswitch(usbmuxd_t)
++
++logging_send_syslog_msg(usbmuxd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-01 17:46:33.611080298 +0100
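Review bot: the new usbmuxd.te in this hunk grants no access to USB device nodes or sysfs, which is the daemon's core function (as its own header comment says), so the module only works because of the `permissive usbmuxd_t;` line; the moment that is removed the first open of a USB device node will be denied. Expect to need something like `dev_rw_generic_usb_dev(usbmuxd_t)` and `dev_read_sysfs(usbmuxd_t)` (names as in refpolicy devices.if — confirm against this tree), and a transition into the domain from whatever starts it, since `application_domain(usbmuxd_t, usbmuxd_exec_t)` provides no udev or init entry and `usbmuxd_domtrans` has no caller in this patch. The `permissive` line should carry a marker so it is not shipped indefinitely, e.g. `# TODO: drop permissive once audit denials for usbmuxd_t are resolved`. The spec changelog hunk in this same commit records only the chronyd fixes and not the new usbmuxd module. The whole 44-line usbmuxd.te is visible within this hunk.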
@@ -3052,8 +3261,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-25 17:40:43.288687056 +0100
-@@ -181,6 +181,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-02-02 18:59:46.438067812 +0100
+@@ -155,6 +155,8 @@
+ seutil_read_config(mount_t)
+
+ userdom_use_all_users_fds(mount_t)
++userdom_read_user_home_content_symlinks(mount_t)
++userdom_read_user_home_content_files(mount_t)
+ userdom_manage_user_home_content_dirs(mount_t)
+
+ ifdef(`distro_redhat',`
+@@ -181,6 +183,7 @@
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
files_mounton_non_security(mount_t)
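Review bot: the two new `userdom_read_user_home_content_symlinks(mount_t)` / `userdom_read_user_home_content_files(mount_t)` lines may overlap with `auth_read_all_files_except_shadow(mount_t)`, which appears as context in the second inner hunk — if that call is unconditional the file reads are already granted and only the symlink rule adds anything, whereas if it sits inside the `ifdef(\`distro_redhat'` block opened just above, the new lines are what makes home-content reads work on other builds. The hunk gives no hint of the denial that motivated the change; a one-line comment recording it would help the next reader, e.g. `# mount needs to follow symlinks and read files under user home dirs (presumably fuse mount targets - confirm)`. The mount_t local policy starts before and continues after both inner hunks.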
@@ -3061,11 +3279,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -260,6 +261,10 @@
+@@ -260,6 +263,14 @@
samba_read_config(mount_t)
')
+optional_policy(`
++ usbmuxd_stream_connect(mount_t)
++')
++
++optional_policy(`
+ vmware_exec_host(mount_t)
+')
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 491df01..de1197d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -462,6 +462,7 @@ exit 0
- Allow rsyslogd to connect to MySQL using a unix domain stream socket
- Allow apache to list inotifyfs filesystem
- Add label for /dev/pps device
+- Fixes for chronyd policy
* Mon Feb 1 2010 Miroslav Grepl 3.6.32-80
- Allow xdm to execute octave