diff --git a/policy-F13.patch b/policy-F13.patch index 4f4b3e7..51f7920 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -5617,7 +5617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-03-29 15:04:22.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-05-11 09:52:36.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-05-21 09:19:05.000000000 -0400 @@ -41,6 +41,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) @@ -5634,6 +5634,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud udev_read_db(pulseaudio_t) ') +@@ -138,3 +140,7 @@ + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) + ') ++ ++optional_policy(` ++ sandbox_manage_tmpfs_files(pulseaudio_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.19/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2010-02-22 08:30:53.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/apps/qemu.fc 2010-05-11 15:39:25.000000000 -0400 
@@ -5877,8 +5885,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-13 13:55:29.000000000 -0400 -@@ -0,0 +1,294 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-21 09:21:11.000000000 -0400 +@@ -0,0 +1,314 @@ + +## policy for sandbox + @@ -5930,7 +5938,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; + -+ allow $1 sandbox_tmpfs_type:file read_file_perms; ++ allow $1 sandbox_tmpfs_type:file manage_file_perms; ++ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; + + manage_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); @@ -6085,6 +6094,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +######################################## +## ++## allow domain to manage ++## sandbox tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_manage_tmpfs_files',` ++ gen_require(` ++ attribute sandbox_tmpfs_type; ++ ') ++ ++ allow $1 sandbox_tmpfs_type:file manage_file_perms; ++') ++ ++######################################## ++## +## Delete sandbox files +## +## 
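Review bot: The new `dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;` in the sandbox.if hunk at `@@ -5930,7 +5938,8 @@` is dead policy, because the line directly above it now allows the identical permission set unconditionally and dontaudit only affects accesses that are denied. Either drop the dontaudit line, or if the intent was to allow only part of the set and silence the rest, keep `allow` at the narrower set and dontaudit only the remainder. Widening the allow from `read_file_perms` to `manage_file_perms` also lets `$1` create, unlink and rename files of every type carrying the `sandbox_tmpfs_type` attribute, which appears to span all sandbox instances, so a one-line comment stating why write and delete (not just read) are needed here would help the next reviewer. The enclosing interface begins outside this hunk.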
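Review bot: The new `sandbox_manage_tmpfs_files` interface in the hunk at `@@ -6085,6 +6094,25 @@` grants `manage_file_perms` on the whole `sandbox_tmpfs_type` attribute, and its only caller in this commit is `pulseaudio_t` (pulseaudio.te hunk at `@@ -5634,6 +5634,14 @@`), a per-user daemon running outside any sandbox, so sandbox tmpfs content becomes creatable and deletable from outside the sandbox boundary. If pulseaudio only needs to share memory with the sandboxed client, an `rw` variant (`allow $1 sandbox_tmpfs_type:file rw_file_perms;`) would be the least-privilege fit; otherwise a comment on the interface stating why create/unlink is required would record the decision. The summary `allow domain to manage sandbox tmpfs files` also departs from the refpolicy convention of an imperative summary, e.g. `Create, read, write, and delete sandbox tmpfs files.`.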
@@ -8055,7 +8083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-05 14:44:26.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-17 10:59:49.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-20 10:58:34.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8950,7 +8978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-13 15:55:04.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-20 10:58:33.000000000 -0400 @@ -559,7 +559,7 @@ ######################################## 
@@ -9258,7 +9286,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ####################################### ## ## Create, read, write, and delete dirs -@@ -1899,6 +1953,7 @@ +@@ -1831,6 +1885,25 @@ + + ######################################## + ## ++## Get the attributes of an hugetlbfs ++## filesystem; ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:filesystem getattr; ++') ++ ++######################################## ++## + ## Read and write hugetlbfs files. + ## + ## +@@ -1899,6 +1972,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -9266,7 +9320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2295,6 +2350,25 @@ +@@ -2295,6 +2369,25 @@ ######################################## ## @@ -9292,7 +9346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2349,7 +2423,7 @@ +@@ -2349,7 +2442,7 @@ type nfs_t; ') @@ -9301,7 +9355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2537,6 +2611,24 @@ +@@ -2537,6 +2630,24 @@ ######################################## ## @@ -9326,7 +9380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2745,7 +2837,7 @@ +@@ -2745,7 +2856,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links @@ -9335,7 +9389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3870,6 +3962,24 @@ +@@ -3870,6 +3981,24 @@ ######################################## ## 
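Review bot: The summary of the new `fs_getattr_hugetlbfs` interface in the filesystem.if hunk at `@@ -9258,7 +9286,33 @@` reads `Get the attributes of an hugetlbfs` / `filesystem;`, which has a stray semicolon and the wrong article. It should read `Get the attributes of a hugetlbfs` / `filesystem.` to match the other `fs_getattr_*` summaries in the same file. The interface body itself (`allow $1 hugetlbfs_t:filesystem getattr;`) is the minimal rule for the purpose.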
@@ -9360,7 +9414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4432,6 +4542,44 @@ +@@ -4432,6 +4561,44 @@ ######################################## ## @@ -9405,7 +9459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## -@@ -4549,3 +4697,24 @@ +@@ -4549,3 +4716,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -11819,7 +11873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.19/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-17 11:04:12.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-20 09:42:12.000000000 -0400 @@ -19,6 +19,28 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -11882,7 +11936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ###################################### ## ## Read abrt logs. -@@ -76,6 +124,140 @@ +@@ -76,6 +124,158 @@ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') 
@@ -12020,12 +12074,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + allow $1 abrt_t:process signull; +') + ++######################################## ++## ++## Read and write abrt fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_rw_fifo_file',` ++ gen_require(` ++ type abrt_t; ++ ') ++ ++ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ##################################### ## ## All of the rules required to administrate +@@ -124,3 +324,4 @@ + files_search_tmp($1) + admin_pattern($1, abrt_tmp_t) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-05-14 14:40:37.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-05-20 09:37:25.000000000 -0400 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -12052,7 +12129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt allow abrt_t self:process { signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; -@@ -58,15 +70,19 @@ +@@ -58,15 +70,20 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -12064,6 +12141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) +manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) ++files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) # abrt pid files -manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) 
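Review bot: The name and summary of the new `abrt_rw_fifo_file` interface in the abrt.if hunk at `@@ -12020,12 +12074,35 @@` understate what it grants: the body allows only `rw_inherited_fifo_file_perms`, so the caller can read and write a fifo already handed to it but cannot open abrt fifos itself, which is the right narrow grant for a helper spawned by abrt (mount.te later adds `abrt_rw_fifo_file(mount_t)`). A name and summary that carry that restriction, e.g. `abrt_rw_inherited_fifo_files` with `Read and write inherited abrt fifo files.`, would keep callers from reaching for it when they need open access, and matches the plural `_files` naming used by the surrounding interfaces. The inner hunk `@@ -124,3 +324,4 @@` in the same hunk adds only a trailing blank line at the end of abrt.if, which is stray whitespace.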
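Review bot: The added `files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)` in the abrt.te hunk at `@@ -12064,6 +12141,7 @@` has no matching file-context entry anywhere in this diff, so unless one already exists in abrt.fc, a relabel (restorecon or a policy update) would reset the directory under /var/spool to the default spool label and abrt_t would lose the manage rules granted on `abrt_var_cache_t` just above. If that is the case, an fc line for the spool directory is needed, in the form `/var/spool/<abrt-dir>(/.*)?  gen_context(system_u:object_r:abrt_var_cache_t,s0)` (the directory name is not visible here). Reusing the cache type for spool content is also worth a short comment, since `files_spool_filetrans` with a `var_cache` type is unusual and a reader will wonder whether a dedicated spool type was intended.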
@@ -12074,7 +12152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,25 +91,40 @@ +@@ -75,25 +92,40 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -12122,7 +12200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sysnet_read_config(abrt_t) -@@ -103,22 +134,116 @@ +@@ -103,22 +135,116 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -27532,6 +27610,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar term_dontaudit_search_ptys(fsdaemon_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.19/policy/modules/services/smokeping.te +--- nsaserefpolicy/policy/modules/services/smokeping.te 2010-03-29 15:04:22.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/smokeping.te 2010-05-21 09:11:43.000000000 -0400 +@@ -45,6 +45,7 @@ + files_search_tmp(smokeping_t) + + auth_use_nsswitch(smokeping_t) ++auth_dontaudit_read_shadow(smokeping_t) + + logging_send_syslog_msg(smokeping_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.19/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-03-23 10:55:15.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/snmp.te 2010-04-14 10:48:18.000000000 -0400 
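Review bot: The added `auth_dontaudit_read_shadow(smokeping_t)` in the new smokeping.te hunk at `@@ -27532,6 +27610,17 @@` silences a denial that, for a network-facing daemon, is exactly the kind of event an administrator would want to see in the audit log, so the reason it is safe to hide should be recorded next to it. If the denial comes from the usual nsswitch/PAM probe that does not need the access, a one-line comment such as `# nsswitch probes shadow; access is not required` documents that; if the cause is not known, leaving the denial auditable until it is would be the safer default.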
@@ -28820,7 +28909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-05-14 14:29:09.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-05-20 09:55:53.000000000 -0400 @@ -36,13 +36,6 @@ ## @@ -29031,18 +29120,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -446,6 +487,10 @@ +@@ -445,6 +486,11 @@ + fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) - ++fs_getattr_hugetlbfs(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) - term_use_generic_ptys(virt_domain) -@@ -462,8 +507,13 @@ +@@ -462,8 +508,13 @@ ') optional_policy(` @@ -30717,7 +30807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-17 10:44:07.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-21 09:15:58.000000000 -0400 @@ -41,7 +41,6 @@ ## # 
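Review bot: The added `fs_getattr_hugetlbfs(virt_domain)` in the virt.te hunk at `@@ -29031,18 +29120,19 @@` grants the access to every domain carrying the `virt_domain` attribute, while the changelog entry in selinux-policy.spec in this same commit says `Allow svirt_t to getattr on hugetlbfs`. The scope is wider than the changelog states; either the entry should say `virt_domain`, or the rule should be applied to `svirt_t` only if that was the intent. A filesystem `getattr` is low-risk, so the point is about keeping the record accurate rather than about the grant itself. The surrounding `# I think we need these for now.` block is pre-existing context, not part of this change.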
@@ -33025,7 +33115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-05 14:07:49.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-20 09:42:45.000000000 -0400 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -33167,16 +33257,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +167,8 @@ +@@ -117,6 +167,12 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) ++ ++optional_policy(` ++ abrt_rw_fifo_file(mount_t) ++') ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +184,17 @@ +@@ -132,10 +188,17 @@ ') ') @@ -33194,7 +33288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +224,8 @@ +@@ -165,6 +228,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -33203,7 +33297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +233,25 @@ +@@ -172,6 +237,25 @@ ') optional_policy(` @@ -33229,7 +33323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +259,11 @@ +@@ -179,6 +263,11 @@ ') ') 
@@ -33241,7 +33335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +271,19 @@ +@@ -186,6 +275,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -33261,7 +33355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -194,6 +292,42 @@ +@@ -194,6 +296,42 @@ # optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 8bc0ff7..f3b549c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -468,6 +468,13 @@ exit 0 %endif %changelog +* Thu May 20 2010 Dan Walsh 3.7.19-20 +- Allow mount to r/w abrt fifo file +Resolves: #594014 +- Allow svirt_t to getattr on hugetlbfs +Resolves: #537389 +- Allow abrt to create a directory under /var/spool + * Wed May 19 2010 Dan Walsh 3.7.19-19 - Add labels for /sys - Allow sshd to getattr on shutdown