diff --git a/policy-20100106.patch b/policy-20100106.patch
index a7df1b9..3e3c538 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -1184,7 +1184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-04 19:33:02.466936526 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-26 09:33:34.628548195 +0100
@@ -64,6 +64,7 @@
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
@@ -1201,15 +1201,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-@@ -103,6 +105,7 @@
- /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+@@ -104,6 +106,7 @@
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
-+/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
-@@ -162,6 +165,8 @@
+ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -145,6 +148,7 @@
+ /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+
+ /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+
+@@ -162,6 +166,8 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
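Review bot: `/dev/usbmon.+` is moved to sit after `/dev/usb.+` because, for regular-expression entries in file_contexts, the last matching line takes precedence and `/dev/usb.+` also matches /dev/usbmon0; nothing in the file records this, so a later sort or tidy-up could silently put usbmon nodes back under usb_device_t. A comment on the usbmon line, `# keep after /dev/usb.+ (last matching regex wins)`, would protect the ordering. The new `/dev/uinput` entry is consistent with the `/dev/input/uinput` entry above it.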
@@ -1220,8 +1228,101 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-10 13:59:22.783608332 +0100
-@@ -1398,6 +1398,42 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-26 09:33:41.069548571 +0100
+@@ -147,6 +147,24 @@
+
+ ########################################
+ ##
++## Add entries to directories in /dev.
++##
++##
++##
++## Domain allowed to add entries.
++##
++##
++#
++interface(`dev_remove_entry_generic_dirs',`
++ gen_require(`
++ type device_t;
++ ')
++
++ allow $1 device_t:dir del_entry_dir_perms;
++')
++
++########################################
++##
+ ## Create a directory in the device directory.
+ ##
+ ##
+@@ -418,6 +436,24 @@
+
+ ########################################
+ ##
++## Dontaudit getattr for generic character device files.
++##
++##
++##
++## Domain to dontaudit access.
++##
++##
++#
++interface(`dev_rw_generic_chr_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ allow $1 device_t:chr_file rw_chr_file_perms;
++')
++
++########################################
++##
+ ## Dontaudit setattr for generic character device files.
+ ##
+ ##
+@@ -873,6 +909,42 @@
+
+ ########################################
+ ##
++## rw all inherited character device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_all_inherited_chr_files',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ allow $1 device_node:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++##
++## rw all inherited blk device files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_all_inherited_blk_files',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ allow $1 device_node:blk_file rw_inherited_blk_file_perms;
++')
++
++########################################
++##
+ ## Delete all block device files.
+ ##
+ ##
+@@ -1398,6 +1470,42 @@
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
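Review bot: The summary on `dev_remove_entry_generic_dirs` reads "Add entries to directories in /dev." while its body grants `del_entry_dir_perms`; it should read `## Remove entries from directories in /dev.`. Further down, `dev_rw_generic_chr_files` is headed "Dontaudit getattr for generic character device files." with the parameter text "Domain to dontaudit access.", but its body is `allow $1 device_t:chr_file rw_chr_file_perms;`, an allow of read and write on every character device that still carries the generic device_t label, which is among the broadest device grants in this file, so the misleading header matters. Replace the header with `## Read and write generic character device files.` and the parameter line with `## Domain allowed access.`, matching the neighbouring allow interfaces. The two `dev_rw_all_inherited_*` interfaces are consistent with each other; the permission sets `rw_inherited_chr_file_perms` and `rw_inherited_blk_file_perms` cannot be checked from this hunk.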
@@ -1264,7 +1365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## getattr the dri devices.
-@@ -1728,6 +1764,24 @@
+@@ -1728,6 +1836,24 @@
########################################
##
@@ -1289,12 +1390,60 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Get the attributes of the ksm devices.
##
##
-@@ -2485,6 +2539,25 @@
- rw_chr_files_pattern($1, device_t, mtrr_device_t)
+@@ -1963,7 +2089,7 @@
+
+ ########################################
+ ##
+-## Delete the lvm control device.
++## Do not audit attempts to read and write lvm control device.
+ ##
+ ##
+ ##
+@@ -1971,17 +2097,17 @@
+ ##
+ ##
+ #
+-interface(`dev_delete_lvm_control_dev',`
++interface(`dev_dontaudit_rw_lvm_control',`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type lvm_control_t;
+ ')
+
+- delete_chr_files_pattern($1, device_t, lvm_control_t)
++ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
')
-+#######################################
-+##
+ ########################################
+ ##
+-## Do not audit attempts to read and write lvm control device.
++## Delete the lvm control device.
+ ##
+ ##
+ ##
+@@ -1989,15 +2115,14 @@
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_rw_lvm_control',`
++interface(`dev_delete_lvm_control_dev',`
+ gen_require(`
+- type lvm_control_t;
++ type device_t, lvm_control_t;
+ ')
+
+- dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++ delete_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+-
+ ########################################
+ ##
+ ## dontaudit getattr raw memory devices (e.g. /dev/mem).
+@@ -2487,6 +2612,24 @@
+
+ ########################################
+ ##
+## Dontaudit write the memory type range registers (MTRR).
+##
+##
@@ -1309,18 +1458,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ dontaudit $1 mtrr_device_t:chr_file write;
-+ dontaudit $1 mtrr_device_t:file write;
+')
+
- ########################################
- ##
++########################################
++##
## Get the attributes of the network control device
-@@ -3551,6 +3624,24 @@
- rw_chr_files_pattern($1, device_t, usb_device_t)
+ ##
+ ##
+@@ -2590,8 +2733,7 @@
+ type device_t, null_device_t;
+ ')
+
+- allow $1 device_t:dir del_entry_dir_perms;
+- allow $1 null_device_t:chr_file unlink;
++ delete_chr_files_pattern($1, device_t, null_device_t)
')
-+######################################
-+##
+ ########################################
+@@ -3553,6 +3695,24 @@
+
+ ########################################
+ ##
+## Read USB monitor devices.
+##
+##
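Review bot: The line `dontaudit $1 mtrr_device_t:file write;` is dropped from the MTRR dontaudit interface (its header, `## Dontaudit write the memory type range registers (MTRR).`, sits in the preceding hunk), leaving only the chr_file rule. Upstream devices.te also labels /proc/mtrr with mtrr_device_t through genfscon, so writes to that path are class `file`, not `chr_file`; if this tree does the same, the remaining rule no longer silences the denial the interface was presumably written for, and the removed line should stay. The null_device_t rewrite below, `delete_chr_files_pattern($1, device_t, null_device_t)`, replaces a bare `unlink` with delete_chr_file_perms, which I believe adds getattr; a small widening that looks intentional but is worth a glance.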
@@ -1337,14 +1495,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_chr_files_pattern($1, device_t, usbmon_device_t)
+')
+
- ########################################
- ##
++########################################
++##
## Mount a usbfs filesystem.
-@@ -3833,6 +3924,24 @@
- write_chr_files_pattern($1, device_t, v4l_device_t)
+ ##
+ ##
+@@ -3741,6 +3901,24 @@
+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
-+#####################################
++######################################
+##
+## Read or write userio device.
+##
@@ -1355,19 +1515,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+#
+interface(`dev_rw_userio_dev',`
-+ gen_require(`
-+ type device_t, userio_device_t;
-+ ')
++ gen_require(`
++ type device_t, userio_device_t;
++ ')
+
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
########################################
##
- ## Read and write VMWare devices.
+ ## Do not audit attempts to get the attributes
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-02-04 19:25:03.244936343 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-02-26 09:33:50.290799322 +0100
+@@ -1,5 +1,5 @@
+
+-policy_module(devices, 1.8.2)
++policy_module(devices, 1.9.2)
+
+ ########################################
+ #
@@ -59,6 +59,12 @@
type crypt_device_t;
dev_node(crypt_device_t)
@@ -1381,22 +1548,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type dri_device_t;
dev_node(dri_device_t)
-@@ -228,11 +234,23 @@
- genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
+@@ -84,8 +90,7 @@
+ dev_node(kmsg_device_t)
#
-+# usbmon_device_t is the type for /dev/usbmon
-+#
-+type usbmon_device_t;
-+dev_node(usbmon_device_t)
-+
-+#
- # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
+-# ksm_device_t is the type of
+-# /dev/ksm
++# ksm_device_t is the type of /dev/ksm
#
+ type ksm_device_t;
+ dev_node(ksm_device_t)
+@@ -233,6 +238,18 @@
type usb_device_t;
dev_node(usb_device_t)
+#
++# usb_device_t is the type for /dev/usbmon
++#
++type usbmon_device_t;
++dev_node(usbmon_device_t)
++
++#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
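Review bot: The comment placed above `type usbmon_device_t;` now reads `# usb_device_t is the type for /dev/usbmon`, naming the wrong type; the line it replaces had it right, so it should be `# usbmon_device_t is the type for /dev/usbmon`. A reader scanning devices.te for which type owns /dev/usbmon would otherwise be pointed at usb_device_t. The ksm comment reflow above is fine.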
@@ -1405,6 +1577,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type v4l_device_t;
dev_node(v4l_device_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-01-18 18:24:22.683530317 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2010-02-26 09:33:54.830549053 +0100
+@@ -718,10 +718,6 @@
+ dontaudit $1 domain:dir list_dir_perms;
+ dontaudit $1 domain:lnk_file read_lnk_file_perms;
+ dontaudit $1 domain:file read_file_perms;
+-
+- # cjp: these should be removed:
+- dontaudit $1 domain:sock_file read_sock_file_perms;
+- dontaudit $1 domain:fifo_file read_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -763,6 +759,24 @@
+
+ ########################################
+ ##
++## Get the process group ID of all domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_getpgid_all_domains',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:process getpgid;
++')
++
++########################################
++##
+ ## Get the scheduler information of all domains.
+ ##
+ ##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2010-02-21 20:44:28.920309784 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-02-21 20:53:20.192309481 +0100
@@ -2351,8 +2562,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-01-18 18:24:22.716539752 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2010-02-25 10:46:02.354878806 +0100
-@@ -273,11 +273,11 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2010-02-26 09:33:59.084547345 +0100
+@@ -241,6 +241,25 @@
+
+ ########################################
+ ##
++## Do not audit attempts to read from the console.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_dontaudit_read_console',`
++ gen_require(`
++ type console_device_t;
++ ')
++
++ dontaudit $1 console_device_t:chr_file read_chr_file_perms;
++')
++
++########################################
++##
+ ## Read from and write to the console.
+ ##
+ ##
+@@ -273,11 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
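Review bot: `term_dontaudit_read_console` describes its parameter as `## Domain allowed access.` although the body is a dontaudit rule that grants nothing; the dontaudit interfaces elsewhere in this patch, for example `term_dontaudit_use_all_ptys`, use `## Domain to not audit.`. The same wording appears on `term_dontaudit_getattr_all_ptys` and `term_dontaudit_use_all_ttys` in the two following hunks. Since policy authors pick interfaces from these summaries, the parameter text should say `## Domain to not audit.` in all three.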
@@ -2367,7 +2604,179 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1098,6 +1098,25 @@
+@@ -654,6 +673,126 @@
+
+ ########################################
+ ##
++## Relabel to all ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_relabelto_all_ptys',`
++ gen_require(`
++ attribute ptynode;
++ ')
++
++ allow $1 ptynode:chr_file relabelto;
++')
++
++########################################
++##
++## Write to all ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_write_all_ptys',`
++ gen_require(`
++ attribute ptynode;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 ptynode:chr_file write_chr_file_perms;
++')
++
++########################################
++##
++## Read and write all ptys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_ptys',`
++ gen_require(`
++ attribute ptynode;
++ type devpts_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 devpts_t:dir list_dir_perms;
++ allow $1 ptynode:chr_file { rw_term_perms lock append };
++')
++
++########################################
++##
++## Do not audit attempts to read or write any ptys.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`term_dontaudit_use_all_ptys',`
++ gen_require(`
++ attribute ptynode;
++ ')
++
++ dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
++')
++
++########################################
++##
++## Relabel from and to all pty device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_relabel_all_ptys',`
++ gen_require(`
++ attribute ptynode;
++ type devpts_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ relabel_chr_files_pattern($1, devpts_t, ptynode)
++')
++
++########################################
++##
++## Get the attributes of all user
++## pty device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_getattr_all_user_ptys',`
++ gen_require(`
++ attribute ptynode;
++ type devpts_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 devpts_t:dir list_dir_perms;
++ allow $1 ptynode:chr_file getattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to read and
+ ## write the pty multiplexor (/dev/ptmx).
+ ##
+@@ -673,7 +812,7 @@
+
+ ########################################
+ ##
+-## Get the attributes of all user
++## Get the attributes of all
+ ## pty device nodes.
+ ##
+ ##
+@@ -683,7 +822,7 @@
+ ##
+ ##
+ #
+-interface(`term_getattr_all_user_ptys',`
++interface(`term_getattr_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+@@ -697,6 +836,26 @@
+ ########################################
+ ##
+ ## Do not audit attempts to get the
++## attributes of any pty
++## device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_dontaudit_getattr_all_ptys',`
++ gen_require(`
++ attribute ptynode;
++ ')
++
++ dontaudit $1 ptynode:chr_file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to get the
+ ## attributes of any user pty
+ ## device nodes.
+ ##
+@@ -1098,6 +1257,25 @@
allow $1 ttynode:chr_file getattr;
')
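Review bot: The new `term_getattr_all_user_ptys` requires `attribute ptynode; type devpts_t` and grants `getattr` on ptynode, which is exactly what the interface renamed to `term_getattr_all_ptys` further down in this hunk requires (the tail of that body is cut off here), so the two names now resolve to the same access and nothing in the policy distinguishes a user pty from any pty. If the "user" variant is meant to be narrower it should require the narrower type rather than `ptynode`; if not, one of the two is redundant and should either call the other or be dropped. The same question applies to `term_use_all_ptys`, `term_relabel_all_ptys` and the dontaudit variant added above them, whose `*_all_user_ptys` counterparts are not visible in this hunk. At minimum a comment on the "all" interfaces, such as `## Covers every pty labeled with ptynode, user ptys included.`, would make the intended relationship explicit.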
@@ -2393,6 +2802,79 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Do not audit attempts to get the
+@@ -1142,6 +1320,26 @@
+
+ ########################################
+ ##
++## Set the attributes of all tty device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_setattr_all_ttys',`
++ gen_require(`
++ attribute ttynode;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 ttynode:chr_file setattr;
++')
++
++########################################
++##
+ ## Relabel from and to all user
+ ## user tty device nodes.
+ ##
+@@ -1201,6 +1399,45 @@
+
+ ########################################
+ ##
++## Read and write all ttys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`term_use_all_ttys',`
++ gen_require(`
++ attribute ttynode;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 ttynode:chr_file rw_chr_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## any ttys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_dontaudit_use_all_ttys',`
++ gen_require(`
++ attribute ttynode;
++ ')
++
++ dontaudit $1 ttynode:chr_file rw_chr_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read or write
+ ## any user ttys.
+ ##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-02-11 17:58:37.444708661 +0100
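Review bot: `term_use_all_ttys` grants `rw_chr_file_perms` on ttynode, while its pty twin `term_use_all_ptys` in the previous hunk spells the same idea as `{ rw_term_perms lock append }`; if `rw_term_perms` is `{ getattr open read write ioctl }` as in refpolicy, the two sets are identical, and using one spelling in both places makes that equivalence visible instead of something a reviewer has to expand by hand. `term_setattr_all_ttys` and `term_use_all_ttys` call `dev_list_all_dev_nodes($1)` while `term_dontaudit_use_all_ttys` does not, which is consistent with a dontaudit having nothing to list.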
@@ -3174,6 +3656,75 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cdcc_t self:unix_dgram_socket create_socket_perms;
allow cdcc_t self:udp_socket create_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.32/policy/modules/services/devicekit.fc
+--- nsaserefpolicy/policy/modules/services/devicekit.fc 2010-01-18 18:24:22.778530038 +0100
++++ serefpolicy-3.6.32/policy/modules/services/devicekit.fc 2010-02-26 09:34:03.326558032 +0100
+@@ -1,8 +1,12 @@
+ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+ /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+ /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
++/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+ /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te
+--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-01-18 18:24:22.780530921 +0100
++++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2010-02-26 09:34:07.924815056 +0100
+@@ -62,8 +62,8 @@
+ # DeviceKit disk local policy
+ #
+
+-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
+-allow devicekit_disk_t self:process signal_perms;
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
++allow devicekit_disk_t self:process { getsched signal_perms };
+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+@@ -82,6 +82,7 @@
+
+ kernel_getattr_message_if(devicekit_disk_t)
+ kernel_read_fs_sysctls(devicekit_disk_t)
++kernel_read_network_state(devicekit_disk_t)
+ kernel_read_software_raid_state(devicekit_disk_t)
+ kernel_read_system_state(devicekit_disk_t)
+ kernel_request_load_module(devicekit_disk_t)
+@@ -96,12 +97,14 @@
+ dev_getattr_usbfs_dirs(devicekit_disk_t)
+ dev_manage_generic_files(devicekit_disk_t)
+ dev_getattr_all_chr_files(devicekit_disk_t)
++dev_getattr_mtrr_dev(devicekit_disk_t)
+
+ domain_getattr_all_pipes(devicekit_disk_t)
+ domain_getattr_all_sockets(devicekit_disk_t)
+ domain_getattr_all_stream_sockets(devicekit_disk_t)
+ domain_read_all_domains_state(devicekit_disk_t)
+
++files_dontaudit_read_all_symlinks(devicekit_disk_t)
+ files_getattr_all_sockets(devicekit_disk_t)
+ files_getattr_all_mountpoints(devicekit_disk_t)
+ files_getattr_all_files(devicekit_disk_t)
+@@ -182,6 +185,7 @@
+ #
+
+ allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
++allow devicekit_power_t self:process getsched;
+ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+ allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -205,6 +209,7 @@
+
+ dev_read_input(devicekit_power_t)
+ dev_rw_generic_usb_dev(devicekit_power_t)
++dev_rw_generic_chr_files(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-11 12:35:57.243619172 +0100
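Review bot: `dev_rw_generic_chr_files(devicekit_power_t)` gives upowerd read and write on every character device still labeled with the generic device_t type, not on one node, and the interface's own summary in devices.if earlier in this patch misdescribes it as a dontaudit, so the breadth is easy to miss. If a single device produced the denial, the narrower fix is a dedicated type with an fc entry for that node; failing that, a comment at the call site, `# upowerd needs rw on <device node> which has no type of its own`, records what the grant is for. The `sys_admin` capability added for devicekit_disk_t is similarly broad and gets no comment; naming the operation that requires it (a mount or ioctl, which I infer rather than see) would let it be narrowed later. The udisks/upowerd fc entries and the remaining additions look proportionate.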
@@ -6714,7 +7265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-18 18:24:22.901529830 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-01-19 17:08:54.487643800 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-02-26 09:34:13.063547326 +0100
@@ -1,5 +1,5 @@
-policy_module(sssd, 1.0.0)
@@ -6751,16 +7302,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(sssd_t)
corecmd_exec_bin(sssd_t)
-@@ -58,6 +62,8 @@
+@@ -58,6 +62,10 @@
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
+fs_list_inotifyfs(sssd_t)
+
++mls_file_read_to_clearance(sssd_t)
++
auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -69,7 +75,7 @@
+@@ -69,7 +77,7 @@
miscfiles_read_localization(sssd_t)
@@ -7553,7 +8106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-12 16:51:50.962967747 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-26 09:34:17.456548521 +0100
@@ -40,6 +40,7 @@
attribute init_script_domain_type;
attribute init_script_file_type;
@@ -7579,7 +8132,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -191,6 +193,7 @@
+@@ -138,6 +140,7 @@
+
+ dev_read_sysfs(init_t)
+
++domain_getpgid_all_domains(init_t)
+ domain_kill_all_domains(init_t)
+ domain_signal_all_domains(init_t)
+ domain_signull_all_domains(init_t)
+@@ -191,6 +194,7 @@
')
ifdef(`distro_redhat',`
@@ -7587,7 +8148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_rw_tmpfs_chr_files(init_t)
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
-@@ -204,6 +207,11 @@
+@@ -204,6 +208,11 @@
')
optional_policy(`
@@ -7599,7 +8160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_rw_login_records(init_t)
')
-@@ -212,6 +220,11 @@
+@@ -212,6 +221,11 @@
')
optional_policy(`
@@ -7611,7 +8172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
# the directory. But we do not want to allow this.
-@@ -224,6 +237,10 @@
+@@ -224,6 +238,10 @@
')
optional_policy(`
@@ -7622,7 +8183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domain(init_t)
')
-@@ -312,6 +329,7 @@
+@@ -312,6 +330,7 @@
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -7630,7 +8191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
dev_rw_sysfs(initrc_t)
-@@ -531,6 +549,7 @@
+@@ -531,6 +550,7 @@
# Needs to cp localtime to /var dirs
files_write_var_dirs(initrc_t)
@@ -7638,15 +8199,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_rw_tmpfs_chr_files(initrc_t)
storage_manage_fixed_disk(initrc_t)
-@@ -584,6 +603,7 @@
+@@ -584,6 +604,7 @@
domain_dontaudit_use_interactive_fds(daemon)
userdom_dontaudit_list_admin_dir(daemon)
-+userdom_dontaduit_search_user_tmp(daemon)
++userdom_dontaudit_search_user_tmp(daemon)
tunable_policy(`allow_daemons_use_tty',`
term_use_unallocated_ttys(daemon)
-@@ -872,6 +892,7 @@
+@@ -872,6 +893,7 @@
optional_policy(`
unconfined_domain(initrc_t)
@@ -7654,7 +8215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -885,6 +906,9 @@
+@@ -885,6 +907,9 @@
# Allow SELinux aware applications to request rpm_script_t execution
rpm_transition_script(initrc_t)
@@ -7872,16 +8433,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-02-10 11:55:45.380624491 +0100
-@@ -74,6 +74,7 @@
- dev_setattr_power_mgmt_dev(local_login_t)
++++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-02-26 09:34:21.814810364 +0100
+@@ -34,8 +34,7 @@
+ #
+
+ allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-allow local_login_t self:process { setrlimit setexec };
++allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
+ allow local_login_t self:fd use;
+ allow local_login_t self:fifo_file rw_fifo_file_perms;
+ allow local_login_t self:sock_file read_sock_file_perms;
+@@ -75,6 +74,7 @@
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
-+dev_read_video_dev(local_login_t)
dev_rw_generic_usb_dev(local_login_t)
++dev_read_video_dev(local_login_t)
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
-@@ -207,7 +208,7 @@
+ dev_dontaudit_read_framebuffer(local_login_t)
+@@ -113,11 +113,11 @@
+ storage_dontaudit_getattr_removable_dev(local_login_t)
+ storage_dontaudit_setattr_removable_dev(local_login_t)
+
+-term_use_all_user_ttys(local_login_t)
++term_use_all_ttys(local_login_t)
+ term_use_unallocated_ttys(local_login_t)
+ term_relabel_unallocated_ttys(local_login_t)
+-term_relabel_all_user_ttys(local_login_t)
+-term_setattr_all_user_ttys(local_login_t)
++term_relabel_all_ttys(local_login_t)
++term_setattr_all_ttys(local_login_t)
+ term_setattr_unallocated_ttys(local_login_t)
+
+ auth_rw_login_records(local_login_t)
+@@ -207,7 +207,7 @@
allow sulogin_t self:capability dac_override;
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
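Review bot: `term_relabel_all_ttys(local_login_t)` calls an interface that none of the terminal.if hunks visible in this patch define — they add term_setattr_all_ttys, term_use_all_ttys and term_dontaudit_use_all_ttys only — so it must come from the unseen terminal.if hunk around line 1257 or the module fails to build on an undefined macro; worth confirming before merging. The rewrite of the self:process rule is equivalent to the two lines it replaces (removing setrlimit and setexec from the negated set grants them, which the second removed line did explicitly), so that part is a pure simplification. Switching local_login_t from the `*_all_user_ttys` interfaces to the `*_all_ttys` ones changes nothing if both require `attribute ttynode`, as the added interfaces do.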
@@ -7890,7 +8476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
-@@ -241,6 +242,9 @@
+@@ -241,6 +241,9 @@
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -7900,6 +8486,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`enable_mls',`
sysadm_shell_domtrans(sulogin_t)
',`
+@@ -252,10 +255,6 @@
+ # suse and debian do not use pam with sulogin...
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
+-ifdef(`distro_redhat',`
+- define(`sulogin_no_pam')
+- selinux_compute_user_contexts(sulogin_t)
+-')
+
+ ifdef(`sulogin_no_pam', `
+ allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-16 17:27:23.944598052 +0100
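Review bot: Removing the `distro_redhat` block means sulogin_t on Fedora no longer defines `sulogin_no_pam` and therefore falls out of the `sulogin_no_pam` branch that follows (its rules, starting with `allow sulogin_t self:capability sys_tty_config;`, are only partly visible), and it also loses `selinux_compute_user_contexts(sulogin_t)`. That is a behavioural change on the single-user recovery path with no explanation in the hunk; if the reason is that Fedora's sulogin now authenticates through PAM, a comment at the removal site such as `# Fedora sulogin uses PAM, so sulogin_no_pam is not defined here` records the assumption. If sulogin still runs without PAM on a supported release, the removed rules would need to return.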
@@ -7957,7 +8554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read all log files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-11 12:06:40.363618975 +0100
++++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-26 09:34:26.434798847 +0100
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
@@ -7966,7 +8563,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)
-@@ -489,6 +490,10 @@
+@@ -236,6 +237,7 @@
+ files_read_etc_files(audisp_t)
+ files_read_etc_runtime_files(audisp_t)
+
++mls_file_read_all_levels(audisp_t)
+ mls_file_write_all_levels(audisp_t)
+ mls_dbus_send_all_levels(audisp_t)
+
+@@ -489,6 +491,10 @@
')
optional_policy(`
@@ -7977,7 +8582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
postgresql_stream_connect(syslogd_t)
')
-@@ -497,6 +502,10 @@
+@@ -497,6 +503,10 @@
')
optional_policy(`
@@ -7988,9 +8593,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
udev_read_db(syslogd_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.32/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/lvm.fc 2010-02-26 09:34:31.069828424 +0100
+@@ -28,6 +28,7 @@
+ #
+ /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
+ #
+ # /sbin
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2010-01-18 18:24:22.953540006 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2010-02-17 15:17:15.102863378 +0100
++++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2010-02-26 09:34:34.736814526 +0100
@@ -143,6 +143,7 @@
optional_policy(`
@@ -7999,7 +8615,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -317,6 +318,7 @@
+@@ -175,6 +176,7 @@
+ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+ # LVM will complain a lot if it cannot set its priority.
+ allow lvm_t self:process setsched;
++allow lvm_t self:sem create_sem_perms;
+ allow lvm_t self:file rw_file_perms;
+ allow lvm_t self:fifo_file manage_fifo_file_perms;
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+@@ -317,6 +319,7 @@
optional_policy(`
aisexec_stream_connect(lvm_t)
@@ -8225,7 +8849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-02-12 16:51:07.923978020 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-02-26 09:34:38.977548796 +0100
@@ -2316,6 +2316,24 @@
dontaudit $1 user_tmp_t:dir list_dir_perms;
')
@@ -8240,7 +8864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+##
+#
-+interface(`userdom_dontaduit_search_user_tmp',`
++interface(`userdom_dontaudit_search_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 368905a..db5d7ba 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 93%{?dist}
+Release: 94%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Fri Feb 26 2010 Miroslav Grepl 3.6.32-94
+- Fixes for MLS booting from Dan Walsh
+
* Thu Feb 25 2010 Miroslav Grepl 3.6.32-93
- Fix wine dontaudit mmap_zero
- Add vbetool_mmap_zero_ignore boolean