diff --git a/policy-F12.patch b/policy-F12.patch
index 205a406..e446738 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -3026,8 +3026,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.32/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/loadkeys.te 2009-10-01 14:51:17.000000000 -0400
-@@ -45,3 +45,7 @@
++++ serefpolicy-3.6.32/policy/modules/apps/loadkeys.te 2009-11-03 12:14:31.000000000 -0500
+@@ -40,8 +40,12 @@
+ miscfiles_read_localization(loadkeys_t)
+
+ userdom_use_user_ttys(loadkeys_t)
+-userdom_list_user_home_dirs(loadkeys_t)
++userdom_list_user_home_content(loadkeys_t)
+
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
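Review bot: The swap from `userdom_list_user_home_dirs(loadkeys_t)` to `userdom_list_user_home_content(loadkeys_t)` in the loadkeys.te section has no comment saying why a keymap loader needs to list directories inside users' home content, which reads as a wider grant than listing the home directory itself. If the reason is that loadkeys is run with a keymap file kept under the home directory, say so next to the rule, e.g. `# loadkeys may be pointed at a keymap under the user's home directory`. The interface bodies are not visible here, so the exact permission delta should be confirmed against userdomain.if.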
@@ -5732,7 +5738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-10-29 09:23:17.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-11-03 12:03:04.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5741,6 +5747,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
+@@ -75,7 +76,7 @@
+ network_port(amavisd_send, tcp,10025,s0)
+ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
+ network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+-network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
++network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
+ network_port(audit, tcp,60,s0)
+ network_port(auth, tcp,113,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
@@ -87,26 +88,33 @@
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
@@ -5807,8 +5822,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -173,27 +188,34 @@
+@@ -171,29 +186,37 @@
+ network_port(rsync, tcp,873,s0, udp,873,s0)
+ network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
++network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
@@ -5845,7 +5863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -222,6 +244,8 @@
+@@ -222,6 +245,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -9672,7 +9690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-02 13:58:48.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-03 11:21:35.000000000 -0500
@@ -38,7 +38,7 @@
# abrt local policy
#
@@ -9682,7 +9700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow abrt_t self:process { signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
-@@ -60,8 +60,9 @@
+@@ -60,13 +60,15 @@
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
# abrt var/cache files
@@ -9693,7 +9711,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
# abrt pid files
-@@ -75,11 +76,14 @@
+-manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
++manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
++manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+
+ kernel_read_ring_buffer(abrt_t)
+@@ -75,11 +77,14 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
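Review bot: The new `manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)` is not matched by the type transition two lines below it, which still reads `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })`. A symlink that abrt creates directly in the pid directory would therefore keep the parent directory's type and stay outside the new rule; only links created inside an abrt_var_run_t directory are covered. If the denial being fixed was at the top level, the class list would need to be `{ file dir lnk_file }`; if it was inside abrt's own directory, a short comment saying so would settle the question.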
@@ -9708,7 +9733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -101,17 +105,32 @@
+@@ -101,17 +106,32 @@
userdom_read_user_home_content_files(abrt_t)
optional_policy(`
@@ -11550,6 +11575,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te
+--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-11-03 12:04:14.000000000 -0500
+@@ -97,6 +97,7 @@
+ corenet_udp_bind_generic_node(asterisk_t)
+ corenet_tcp_bind_asterisk_port(asterisk_t)
+ corenet_udp_bind_asterisk_port(asterisk_t)
++corenet_udp_bind_sip_port(asterisk_t)
+ corenet_sendrecv_asterisk_server_packets(asterisk_t)
+ # for VOIP voice channels.
+ corenet_tcp_bind_generic_port(asterisk_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.32/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-09-30 16:12:48.000000000 -0400
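Review bot: asterisk_t is given only `corenet_udp_bind_sip_port(asterisk_t)`, while the corenetwork.te.in hunks earlier in this patch define sip as tcp 5060, udp 5060, tcp 5061 and udp 5061 and drop udp 5060 from the asterisk port. Once tcp 5060 and 5061 carry the sip label they presumably stop matching the `corenet_tcp_bind_generic_port(asterisk_t)` rule kept below, so an Asterisk instance listening for SIP over TCP or TLS would be denied the bind. Adding `corenet_tcp_bind_sip_port(asterisk_t)` beside the UDP rule would cover that. Other modules that reached udp 5060 through the asterisk port interfaces are not visible in this hunk and would need the same check.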
@@ -12756,7 +12792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.32/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cron.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/cron.if 2009-11-03 08:58:13.000000000 -0500
@@ -12,6 +12,10 @@
##
#
@@ -12824,6 +12860,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
role system_r types $1;
')
+@@ -408,7 +404,7 @@
+ type crond_t;
+ ')
+
+- allow $1 crond_t:fifo_file { getattr read write };
++ allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
@@ -587,11 +583,14 @@
#
interface(`cron_read_system_job_tmp_files',`
@@ -23455,7 +23500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-10-29 17:51:12.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-03 09:21:14.000000000 -0500
@@ -89,8 +89,8 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -23606,7 +23651,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -728,7 +728,7 @@
+@@ -585,6 +585,11 @@
+ ')
+
+ domtrans_pattern($1, xauth_exec_t, xauth_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit xauth_exec_t $1:unix_stream_socket rw_socket_perms;
++ dontaudit xauth_exec_t $1:tcp_socket rw_socket_perms;
++')
+ ')
+
+ ########################################
+@@ -728,7 +733,7 @@
type xdm_t;
')
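Review bot: Both added dontaudit rules name `xauth_exec_t` as the source, but that is the type of the xauth executable; the process runs in xauth_t after the `domtrans_pattern($1, xauth_exec_t, xauth_t)` just above. No process is expected to run with a file type as its domain, so these rules would never match and the denials they are meant to silence would still be logged. The xserver.te hunk later in this patch also drops `userdom_dontaudit_rw_stream(xauth_t)`, which leaves nothing effective in its place. The lines should read `dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;` and `dontaudit xauth_t $1:tcp_socket rw_socket_perms;`. The interface's gen_require block starts outside the hunk, so confirm that xauth_t is declared there.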
@@ -23615,7 +23672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -764,11 +764,11 @@
+@@ -764,11 +769,11 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -23629,7 +23686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -802,10 +802,10 @@
+@@ -802,10 +807,10 @@
#
interface(`xserver_setattr_xdm_tmp_dirs',`
gen_require(`
@@ -23642,7 +23699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -821,12 +821,13 @@
+@@ -821,12 +826,13 @@
#
interface(`xserver_create_xdm_tmp_sockets',`
gen_require(`
@@ -23659,7 +23716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -845,7 +846,44 @@
+@@ -845,7 +851,44 @@
')
files_search_pids($1)
@@ -23705,7 +23762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -868,6 +906,75 @@
+@@ -868,6 +911,75 @@
########################################
##
@@ -23781,7 +23838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -886,6 +993,24 @@
+@@ -886,6 +998,24 @@
########################################
##
@@ -23806,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -961,6 +1086,27 @@
+@@ -961,6 +1091,27 @@
########################################
##
@@ -23834,7 +23891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write the X server
## log files.
##
-@@ -1014,11 +1160,11 @@
+@@ -1014,11 +1165,11 @@
#
interface(`xserver_read_xdm_tmp_files',`
gen_require(`
@@ -23848,7 +23905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1033,11 +1179,11 @@
+@@ -1033,11 +1184,11 @@
#
interface(`xserver_dontaudit_read_xdm_tmp_files',`
gen_require(`
@@ -23863,7 +23920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1052,11 +1198,11 @@
+@@ -1052,11 +1203,11 @@
#
interface(`xserver_rw_xdm_tmp_files',`
gen_require(`
@@ -23878,7 +23935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1071,10 +1217,10 @@
+@@ -1071,10 +1222,10 @@
#
interface(`xserver_manage_xdm_tmp_files',`
gen_require(`
@@ -23891,7 +23948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1089,10 +1235,10 @@
+@@ -1089,10 +1240,10 @@
#
interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
gen_require(`
@@ -23904,7 +23961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1107,10 +1253,11 @@
+@@ -1107,10 +1258,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -23917,7 +23974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1248,6 +1395,278 @@
+@@ -1248,6 +1400,278 @@
########################################
##
@@ -24196,7 +24253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1261,7 +1680,103 @@
+@@ -1261,7 +1685,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -24205,7 +24262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typeattribute $1 xserver_unconfined_type;
+ typeattribute $1 x_domain;
-+')
+ ')
+
+########################################
+##
@@ -24277,7 +24334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_communicate($1, $1)
+ xserver_stream_connect($1)
+ xserver_use_xdm($1)
- ')
++')
+
+########################################
+##
@@ -24302,7 +24359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-02 09:24:58.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-03 09:20:54.000000000 -0500
@@ -34,6 +34,13 @@
##
@@ -24471,7 +24528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_xattr_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
-@@ -279,6 +301,12 @@
+@@ -279,6 +301,10 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@@ -24479,12 +24536,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ userdom_manage_user_home_content_files(xauth_t)
+')
+
-+userdom_dontaudit_rw_stream(xauth_t)
-+
xserver_rw_xdm_tmp_files(xauth_t)
tunable_policy(`use_nfs_home_dirs',`
-@@ -300,20 +328,31 @@
+@@ -300,20 +326,31 @@
# XDM Local policy
#
@@ -24519,7 +24574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,26 +364,43 @@
+@@ -325,26 +362,43 @@
# this is ugly, daemons should not create files under /etc!
manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
@@ -24570,7 +24625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +414,7 @@
+@@ -358,6 +412,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@@ -24578,7 +24633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,10 +423,14 @@
+@@ -366,10 +421,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -24594,7 +24649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +450,13 @@
+@@ -389,11 +448,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -24608,7 +24663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +464,7 @@
+@@ -401,6 +462,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -24616,7 +24671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -413,14 +477,17 @@
+@@ -413,14 +475,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -24636,7 +24691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +498,13 @@
+@@ -431,9 +496,13 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -24650,7 +24705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +513,7 @@
+@@ -442,6 +511,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24658,7 +24713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +522,7 @@
+@@ -450,6 +520,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -24666,7 +24721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -460,10 +533,11 @@
+@@ -460,10 +531,11 @@
logging_read_generic_logs(xdm_t)
@@ -24680,7 +24735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +546,9 @@
+@@ -472,6 +544,9 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -24690,7 +24745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,10 +581,12 @@
+@@ -504,10 +579,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -24703,7 +24758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -515,12 +594,46 @@
+@@ -515,12 +592,46 @@
')
optional_policy(`
@@ -24750,7 +24805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t)
')
-@@ -542,6 +655,38 @@
+@@ -542,6 +653,38 @@
')
optional_policy(`
@@ -24789,7 +24844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +695,9 @@
+@@ -550,8 +693,9 @@
')
optional_policy(`
@@ -24801,7 +24856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +706,6 @@
+@@ -560,7 +704,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -24809,7 +24864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +716,10 @@
+@@ -571,6 +714,10 @@
')
optional_policy(`
@@ -24820,7 +24875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +736,9 @@
+@@ -587,10 +734,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24832,7 +24887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +750,12 @@
+@@ -602,9 +748,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -24845,7 +24900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +767,14 @@
+@@ -616,13 +765,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -24861,7 +24916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +787,19 @@
+@@ -635,9 +785,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24881,7 +24936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +833,6 @@
+@@ -671,7 +831,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -24889,7 +24944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -681,9 +842,12 @@
+@@ -681,9 +840,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -24903,7 +24958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +862,12 @@
+@@ -698,8 +860,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -24916,7 +24971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -721,6 +889,7 @@
+@@ -721,6 +887,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -24924,7 +24979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +912,7 @@
+@@ -743,7 +910,7 @@
')
ifdef(`enable_mls',`
@@ -24933,7 +24988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -775,12 +944,20 @@
+@@ -775,12 +942,20 @@
')
optional_policy(`
@@ -24955,7 +25010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t)
')
-@@ -807,12 +984,12 @@
+@@ -807,12 +982,12 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -24972,7 +25027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1005,14 @@
+@@ -828,9 +1003,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24987,7 +25042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1027,14 @@
+@@ -845,11 +1025,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -25003,7 +25058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -882,6 +1067,8 @@
+@@ -882,6 +1065,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -25012,7 +25067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1093,8 @@
+@@ -906,6 +1091,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25021,7 +25076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1162,49 @@
+@@ -973,17 +1160,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -25512,13 +25567,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# PAM local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2009-11-02 15:59:17.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -21,7 +20,6 @@
+@@ -6,6 +5,7 @@
+ /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -21,7 +21,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -28119,7 +28182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-11-03 08:56:35.000000000 -0500
@@ -18,8 +18,12 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -28270,10 +28333,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -172,6 +212,21 @@
+@@ -172,6 +212,25 @@
')
optional_policy(`
++ cron_system_entry(mount_t, mount_exec_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(mount_t)
+
+ optional_policy(`
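Review bot: The added `cron_system_entry(mount_t, mount_exec_t)` block has no comment, and it is a notable grant: judging by the interface name and arguments, it lets system cron jobs enter mount_t when they execute the mount binary. Say which job needs it, e.g. `# system cron jobs that call mount directly`, so the rule can be narrowed or removed later. The interface body is not in this hunk, so the exact transition rules should be checked in cron.if.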
@@ -28292,7 +28359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +234,11 @@
+@@ -179,6 +238,11 @@
')
')
@@ -28304,7 +28371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +246,7 @@
+@@ -186,6 +250,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -28312,7 +28379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -195,5 +256,8 @@
+@@ -195,5 +260,8 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
@@ -30540,7 +30607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-02 08:56:44.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-03 11:58:36.000000000 -0500
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 26675e0..e361b47 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 39%{?dist}
+Release: 40%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,10 @@ exit 0
%endif
%changelog
+* Tue Nov 3 2009 Dan Walsh 3.6.32-40
+- Abrt creates lnk_files
+
+
* Mon Nov 2 2009 Dan Walsh 3.6.32-39
- Allow setroubleshoot-fix to signull user domains