diff --git a/policy-F12.patch b/policy-F12.patch
index f6f90cd..0f10fa7 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -666,8 +666,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.32/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-12-03 13:45:10.000000000 -0500
-@@ -151,11 +151,11 @@
++++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-12-10 15:16:57.000000000 -0500
+@@ -21,6 +21,25 @@
+
+ ########################################
+ ##
++## Execute the prelink program in the current domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`prelink_exec',`
++ gen_require(`
++ type prelink_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, prelink_exec_t)
++')
++
++########################################
++##
+ ## Execute the prelink program in the prelink domain.
+ ##
+ ##
+@@ -151,11 +170,11 @@
##
##
#
@@ -3635,7 +3661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-12-03 13:45:10.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-12-10 16:33:27.000000000 -0500
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -3694,7 +3720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -231,11 +233,15 @@
+@@ -231,11 +233,20 @@
optional_policy(`
dbus_system_bus_client(mozilla_t)
dbus_session_bus_client(mozilla_t)
@@ -3707,10 +3733,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ pulseaudio_exec(mozilla_t)
++ pulseaudio_stream_connect(mozilla_t)
')
optional_policy(`
-@@ -256,5 +262,10 @@
+@@ -256,5 +267,10 @@
')
optional_policy(`
@@ -4065,7 +4096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-12-03 13:45:10.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-12-10 15:41:45.000000000 -0500
@@ -0,0 +1,295 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -7282,7 +7313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-05 18:26:09.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-10 10:34:27.000000000 -0500
@@ -110,6 +110,11 @@
##
#
@@ -9979,8 +10010,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-09 10:12:44.000000000 -0500
-@@ -0,0 +1,449 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-10 15:25:20.000000000 -0500
+@@ -0,0 +1,450 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -10155,6 +10186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ optional_policy(`
+ xserver_rw_shm(unconfined_usertype)
+ xserver_run_xauth(unconfined_usertype, unconfined_r)
++ xserver_xdm_dbus_chat(unconfined_usertype)
+ ')
+')
+
@@ -10843,7 +10875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-06 09:56:21.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-10 13:05:08.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10923,7 +10955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_read_config(abrt_t)
-@@ -96,22 +124,84 @@
+@@ -96,22 +124,90 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -10931,10 +10963,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-# read ~/.abrt/Bugzilla.conf
-userdom_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_user_home_content_files(abrt_t)
-
- optional_policy(`
-- dbus_connect_system_bus(abrt_t)
-- dbus_system_bus_client(abrt_t)
++
++optional_policy(`
+ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
@@ -10952,6 +10982,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
++')
+
+ optional_policy(`
+- dbus_connect_system_bus(abrt_t)
+- dbus_system_bus_client(abrt_t)
++ prelink_exec(abrt_t)
++ libs_exec_ld_so(abrt_t)
++ corecmd_exec_all_executables(abrt_t)
')
# to install debuginfo packages
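Review bot: `corecmd_exec_all_executables(abrt_t)` and `libs_exec_ld_so(abrt_t)` let a daemon that parses untrusted crash dumps execute every executable type on the system, and the loader itself, inside its own domain; that is far wider than the `prelink_exec(abrt_t)` it is grouped with. Neither line depends on prelink, yet both sit inside the prelink `optional_policy` block, so they silently disappear when the prelink module is not loaded and appear when it is. If the daemon really needs to run arbitrary binaries (presumably for the debuginfo/backtrace step named in the following comment), move the two lines out of the block with a comment such as `# abrt runs the crashed program's binary and ld.so when generating backtraces` and consider whether a narrower exec type would do. The abrt_t rules continue outside this hunk.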
@@ -13919,7 +13957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-10 15:36:16.000000000 -0500
@@ -21,7 +21,7 @@
# consolekit local policy
#
@@ -13929,11 +13967,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -59,16 +59,21 @@
+@@ -59,16 +59,22 @@
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
++auth_dontaudit_write_login_records(consolekit_t)
init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)
@@ -13951,7 +13990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_read_user_tmp_files(consolekit_t)
hal_ptrace(consolekit_t)
-@@ -84,9 +89,12 @@
+@@ -84,9 +90,12 @@
')
optional_policy(`
@@ -13965,7 +14004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hal_dbus_chat(consolekit_t)
')
-@@ -100,6 +108,7 @@
+@@ -100,6 +109,7 @@
')
optional_policy(`
@@ -13973,7 +14012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
-@@ -108,10 +117,21 @@
+@@ -108,10 +118,21 @@
optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
@@ -15478,9 +15517,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(dnsmasq_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.32/policy/modules/services/dovecot.fc
+--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-09-16 10:01:19.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.fc 2009-12-10 13:09:30.000000000 -0500
+@@ -34,6 +34,7 @@
+
+ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
++/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+ /var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
+ /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-10 13:13:04.000000000 -0500
@@ -56,7 +56,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -15490,7 +15540,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
-@@ -103,6 +103,7 @@
+@@ -73,8 +73,9 @@
+
+ can_exec(dovecot_t, dovecot_exec_t)
+
++manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+ manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+-logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
++logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
+
+ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+ manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -103,6 +104,7 @@
dev_read_urand(dovecot_t)
fs_getattr_all_fs(dovecot_t)
@@ -15498,7 +15559,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
-@@ -142,6 +143,10 @@
+@@ -142,6 +144,10 @@
')
optional_policy(`
@@ -15509,7 +15570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(dovecot_t)
')
-@@ -159,7 +164,7 @@
+@@ -159,7 +165,7 @@
#
allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
@@ -15518,7 +15579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -220,15 +225,23 @@
+@@ -220,15 +226,23 @@
')
optional_policy(`
@@ -15542,7 +15603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-@@ -260,3 +273,14 @@
+@@ -260,3 +274,14 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
')
@@ -15644,7 +15705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_sendrecv_generic_if(fetchmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.32/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/fprintd.te 2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/fprintd.te 2009-12-10 15:34:43.000000000 -0500
@@ -37,6 +37,8 @@
files_read_etc_files(fprintd_t)
files_read_usr_files(fprintd_t)
@@ -15654,12 +15715,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(fprintd_t)
miscfiles_read_localization(fprintd_t)
-@@ -51,5 +53,7 @@
+@@ -51,5 +53,8 @@
optional_policy(`
policykit_read_reload(fprintd_t)
policykit_read_lib(fprintd_t)
+ policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
++ policykit_dbus_chat_auth(fprintd_t)
')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
@@ -16423,8 +16485,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-12-03 13:45:11.000000000 -0500
-@@ -55,6 +55,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-12-10 11:28:12.000000000 -0500
+@@ -55,13 +55,16 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -16434,6 +16496,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Local policy
+ #
+
+ # execute openvt which needs setuid
+-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
++allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice sys_resource dac_override dac_read_search mknod sys_rawio sys_tty_config };
+ dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+ allow hald_t self:process { getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
@@ -100,7 +103,9 @@
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
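Review bot: `sys_resource` is added to hald_t's capability set with no justification, while the only comment above it explains `setuid` for openvt. That capability lets hald raise its own rlimits and override quota/reserved-space limits, so a reviewer cannot tell from the hunk whether it is needed or was lifted from an audit log. Add a comment naming the operation that was denied, e.g. `# sys_resource: <operation seen in the AVC>` above the `allow hald_t self:capability` line, or drop it if the denial was harmless and a `dontaudit` suffices. The hald_t rules continue outside this hunk.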
@@ -18289,10 +18359,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.6.32/policy/modules/services/ntop.fc
+--- nsaserefpolicy/policy/modules/services/ntop.fc 2009-09-16 10:01:19.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ntop.fc 2009-12-10 11:04:30.000000000 -0500
+@@ -1,7 +1,6 @@
+ /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
+
+ /usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:ntop_http_content_t,s0)
+
+ /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
+ /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.6.32/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ntop.te 2009-12-03 13:45:11.000000000 -0500
-@@ -37,7 +37,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/ntop.te 2009-12-10 11:04:34.000000000 -0500
+@@ -14,9 +14,6 @@
+ type ntop_etc_t;
+ files_config_file(ntop_etc_t)
+
+-type ntop_http_content_t;
+-files_type(ntop_http_content_t)
+-
+ type ntop_tmp_t;
+ files_tmp_file(ntop_tmp_t)
+
+@@ -37,15 +34,14 @@
allow ntop_t self:fifo_file rw_fifo_file_perms;
allow ntop_t self:tcp_socket create_stream_socket_perms;
allow ntop_t self:udp_socket create_socket_perms;
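Review bot: Removing the `ntop_http_content_t` type declaration is not backward compatible: any other module or interface in ntop.if that still names the type (not visible in this hunk) will fail to link, and files already labelled with it on an installed system carry an invalid label until relabelled. The hunk also drops the `/usr/share/ntop/html(/.*)?` file context, so that directory falls back to whatever its parent path is labelled (presumably usr_t, verify), which is what ntop_t will now read. Please confirm that ntop.if has no remaining reference and add a short comment in ntop.te or the changelog noting that a relabel of `/usr/share/ntop/html` is required on upgrade.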
@@ -18302,7 +18393,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ntop_t ntop_etc_t:dir list_dir_perms;
read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
-@@ -57,6 +59,8 @@
+ read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+
+-allow ntop_t ntop_http_content_t:dir list_dir_perms;
+-read_files_pattern(ntop_t, ntop_http_content_t, ntop_http_content_t)
+-
+ manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+ manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+ files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+@@ -57,6 +53,8 @@
manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
files_pid_filetrans(ntop_t, ntop_var_run_t, file)
@@ -18311,7 +18410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_network_state(ntop_t)
kernel_read_kernel_sysctls(ntop_t)
kernel_list_proc(ntop_t)
-@@ -72,12 +76,17 @@
+@@ -72,12 +70,17 @@
corenet_raw_sendrecv_generic_node(ntop_t)
corenet_tcp_sendrecv_all_ports(ntop_t)
corenet_udp_sendrecv_all_ports(ntop_t)
@@ -18329,7 +18428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(ntop_t)
fs_search_auto_mountpoints(ntop_t)
-@@ -85,6 +94,7 @@
+@@ -85,6 +88,7 @@
logging_send_syslog_msg(ntop_t)
miscfiles_read_localization(ntop_t)
@@ -18337,7 +18436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_read_config(ntop_t)
-@@ -92,6 +102,10 @@
+@@ -92,6 +96,10 @@
userdom_dontaudit_search_user_home_dirs(ntop_t)
optional_policy(`
@@ -18743,21 +18842,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-12-03 13:45:11.000000000 -0500
-@@ -1,7 +1,12 @@
++++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-12-10 11:22:15.000000000 -0500
+@@ -1,7 +1,15 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
-+/opt/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-
--/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
++/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+ /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+-
/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
- /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
++/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
++
++/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
++/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
-+/usr/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
++/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
++/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+
+ /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2009-12-03 13:45:11.000000000 -0500
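Review bot: The new `/var/lib/nxserver/home/.ssh(/.*)?` entry leaves the dot before `ssh` unescaped, unlike the sibling `/opt/NX/home/nx/\.ssh(/.*)?` and `/usr/NX/home/nx/\.ssh(/.*)?` entries in the same hunk. File-context paths are regular expressions, so an unescaped `.` matches any character and the entry would also label a path such as `/var/lib/nxserver/home/xssh` as nx_server_home_ssh_t. Change it to `/var/lib/nxserver/home/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)`.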
@@ -19075,8 +19177,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if
--- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 2009-12-03 13:45:11.000000000 -0500
-@@ -0,0 +1,286 @@
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 2009-12-10 15:27:49.000000000 -0500
+@@ -0,0 +1,304 @@
+## policy for plymouthd
+
+########################################
@@ -19099,6 +19201,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
++## Execute a plymoth in the current domain
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`plymouth_exec', `
++ gen_require(`
++ type plymouthd_exec_t;
++ ')
++
++ can_exec($1, plymouthd_exec_t)
++')
++
++########################################
++##
+## Execute a domain transition to run plymouthd.
+##
+##
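Review bot: The documentation of the new `plymouth_exec` interface does not match what it does: the summary reads "Execute a plymoth in the current domain" (typo), and the parameter is described as "Domain allowed to transition" although `can_exec` performs no domain transition. Use the wording the other exec-in-caller interfaces use, `## Execute plymouthd in the current domain.` and `## Domain allowed access.`. Since the interface grants execution of `plymouthd_exec_t`, the daemon binary, consider naming it `plymouthd_exec` or stating in the summary that it is the daemon, not the `plymouth` client, that is executed.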
@@ -19365,8 +19485,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-12-03 13:45:11.000000000 -0500
-@@ -0,0 +1,101 @@
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-12-10 15:31:04.000000000 -0500
+@@ -0,0 +1,102 @@
+policy_module(plymouthd, 1.0.0)
+
+########################################
@@ -19425,6 +19545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_read_usr_files(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
++miscfiles_read_fonts(plymouthd_t)
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
@@ -19488,8 +19609,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.32/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.if 2009-12-03 13:45:11.000000000 -0500
-@@ -17,6 +17,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/policykit.if 2009-12-10 15:31:52.000000000 -0500
+@@ -17,12 +17,37 @@
class dbus send_msg;
')
@@ -19498,7 +19619,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
-@@ -62,6 +64,9 @@
+
+ ########################################
+ ##
++## Send and receive messages from
++## policykit over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`policykit_dbus_chat_auth',`
++ gen_require(`
++ type policykit_auth_t;
++ class dbus send_msg;
++ ')
++
++ ps_process_pattern(policykit_auth_t, $1)
++
++ allow $1 policykit_auth_t:dbus send_msg;
++ allow policykit_auth_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Execute a domain transition to run polkit_auth.
+ ##
+ ##
+@@ -62,6 +87,9 @@
policykit_domtrans_auth($1)
role $2 types policykit_auth_t;
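Review bot: The summary of the new `policykit_dbus_chat_auth` interface says it only exchanges dbus messages "with policykit", but the body also calls `ps_process_pattern(policykit_auth_t, $1)`, which lets polkit_auth read the caller's process state under /proc, and the peer is policykit_auth_t rather than policykit_t. Callers such as fprintd_t elsewhere in this patch will grant that read without the documentation saying so. Reword the summary to something like `## Send and receive messages from polkit_auth over dbus, and allow polkit_auth to read the caller's process state.` so the extra access is visible to anyone choosing the interface.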
@@ -19508,7 +19658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -206,4 +211,47 @@
+@@ -206,4 +234,47 @@
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
@@ -19558,7 +19708,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-09 09:05:31.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-10 10:38:47.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -19634,7 +19784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -92,12 +114,14 @@
+@@ -92,21 +114,25 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -19642,16 +19792,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
-
++files_search_home(policykit_auth_t)
++
+fs_getattr_all_fs(polkit_auth_t)
+fs_search_tmpfs(polkit_auth_t)
-+
+
auth_use_nsswitch(policykit_auth_t)
+auth_domtrans_chk_passwd(policykit_auth_t)
logging_send_syslog_msg(policykit_auth_t)
-@@ -106,7 +130,7 @@
+ miscfiles_read_localization(policykit_auth_t)
++miscfiles_read_fonts(policykit_auth_t)
+
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
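Review bot: The two context lines `fs_getattr_all_fs(polkit_auth_t)` and `fs_search_tmpfs(polkit_auth_t)` name `polkit_auth_t`, while every other rule in this hunk, including the `files_search_home` and `miscfiles_read_fonts` lines this commit adds, uses `policykit_auth_t`. They were already in the patch rather than introduced here, but they are on the new side being reviewed, and unless a type alias for `polkit_auth_t` is declared outside this hunk they will fail at build time with an unknown type or, worse, apply to a different domain. If no alias exists, change them to `fs_getattr_all_fs(policykit_auth_t)` and `fs_search_tmpfs(policykit_auth_t)`. The policykit_auth_t rules continue outside this hunk.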
@@ -19660,7 +19813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +143,14 @@
+@@ -119,6 +145,14 @@
hal_read_state(policykit_auth_t)
')
@@ -19675,7 +19828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# polkit_grant local policy
-@@ -126,7 +158,8 @@
+@@ -126,7 +160,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -19685,7 +19838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +189,12 @@
+@@ -156,9 +191,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -19699,7 +19852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +206,8 @@
+@@ -170,7 +208,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -26357,21 +26510,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-12-05 06:43:26.000000000 -0500
-@@ -74,6 +74,12 @@
++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-12-10 15:23:11.000000000 -0500
+@@ -74,6 +74,13 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+ifdef(`hide_broken_symptoms', `
+ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
++ dontaudit iceauth_t $2:udp_socket rw_socket_perms;
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+')
+
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -89,8 +95,8 @@
+@@ -89,8 +96,8 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -26382,7 +26536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $2 xdm_t:tcp_socket { read write };
# Client read xserver shm
-@@ -211,6 +217,7 @@
+@@ -211,6 +218,7 @@
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -26390,7 +26544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -245,7 +252,7 @@
+@@ -245,7 +253,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -26399,7 +26553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -299,7 +306,7 @@
+@@ -299,7 +307,7 @@
interface(`xserver_user_client',`
refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
@@ -26408,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
')
-@@ -308,14 +315,14 @@
+@@ -308,14 +316,14 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -26428,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $1 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -367,7 +374,6 @@
+@@ -367,7 +375,6 @@
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t;
@@ -26436,7 +26590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
attribute xproperty_type;
attribute xevent_type;
attribute input_xevent_type;
-@@ -376,6 +382,8 @@
+@@ -376,6 +383,8 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -26445,7 +26599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -383,20 +391,11 @@
+@@ -383,20 +392,11 @@
# Local Policy
#
@@ -26466,7 +26620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
-@@ -409,8 +408,10 @@
+@@ -409,8 +409,10 @@
type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
type_transition $2 xevent_t:x_event $1_default_xevent_t;
@@ -26478,7 +26632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -484,13 +485,14 @@
+@@ -484,13 +486,14 @@
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -26497,7 +26651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
-@@ -498,9 +500,9 @@
+@@ -498,9 +501,9 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -26510,7 +26664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -526,6 +528,10 @@
+@@ -526,6 +529,10 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
@@ -26521,7 +26675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -585,6 +591,12 @@
+@@ -585,6 +592,13 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -26529,12 +26683,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ifdef(`hide_broken_symptoms', `
+ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
+ dontaudit xauth_t $1:tcp_socket rw_socket_perms;
++ dontaudit xauth_t $1:udp_socket rw_socket_perms;
+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+')
')
########################################
-@@ -728,7 +740,7 @@
+@@ -728,7 +742,7 @@
type xdm_t;
')
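Review bot: The new `dontaudit xauth_t $1:udp_socket rw_socket_perms;` only silences the AVC message for a UDP socket the calling domain leaks across the exec into xauth_t; a dontaudit grants nothing, so the descriptor leak itself remains a bug in the caller that should be closed with close-on-exec rather than hidden here. Because this joins the unix_stream_socket and tcp_socket dontaudits under `hide_broken_symptoms`, a one-line comment recording that intent would keep the next reader from treating the block as required access, e.g. `# descriptors leaked by the caller across exec; the real fix is FD_CLOEXEC in the caller`. The enclosing interface (the one containing `domtrans_pattern($1, xauth_exec_t, xauth_t)`) begins before this hunk.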
@@ -26543,7 +26698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -764,11 +776,11 @@
+@@ -764,11 +778,11 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -26557,7 +26712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -802,10 +814,10 @@
+@@ -802,10 +816,10 @@
#
interface(`xserver_setattr_xdm_tmp_dirs',`
gen_require(`
@@ -26570,7 +26725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -821,12 +833,13 @@
+@@ -821,12 +835,13 @@
#
interface(`xserver_create_xdm_tmp_sockets',`
gen_require(`
@@ -26587,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -845,7 +858,44 @@
+@@ -845,7 +860,44 @@
')
files_search_pids($1)
@@ -26633,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -868,6 +918,75 @@
+@@ -868,6 +920,75 @@
########################################
##
@@ -26709,7 +26864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -886,6 +1005,24 @@
+@@ -886,6 +1007,24 @@
########################################
##
@@ -26734,7 +26889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -961,6 +1098,27 @@
+@@ -961,6 +1100,27 @@
########################################
##
@@ -26762,7 +26917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write the X server
## log files.
##
-@@ -1014,11 +1172,11 @@
+@@ -1014,11 +1174,11 @@
#
interface(`xserver_read_xdm_tmp_files',`
gen_require(`
@@ -26776,7 +26931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1033,11 +1191,11 @@
+@@ -1033,11 +1193,11 @@
#
interface(`xserver_dontaudit_read_xdm_tmp_files',`
gen_require(`
@@ -26791,7 +26946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1052,11 +1210,11 @@
+@@ -1052,11 +1212,11 @@
#
interface(`xserver_rw_xdm_tmp_files',`
gen_require(`
@@ -26806,7 +26961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1071,10 +1229,10 @@
+@@ -1071,10 +1231,10 @@
#
interface(`xserver_manage_xdm_tmp_files',`
gen_require(`
@@ -26819,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1089,10 +1247,10 @@
+@@ -1089,10 +1249,10 @@
#
interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
gen_require(`
@@ -26832,7 +26987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1107,10 +1265,11 @@
+@@ -1107,10 +1267,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -26845,7 +27000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1248,6 +1407,288 @@
+@@ -1248,6 +1409,288 @@
########################################
##
@@ -27134,7 +27289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1261,7 +1702,103 @@
+@@ -1261,7 +1704,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -27240,7 +27395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-09 11:40:19.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-10 15:28:03.000000000 -0500
@@ -34,6 +34,13 @@
##
@@ -27734,7 +27889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -542,6 +677,38 @@
+@@ -542,6 +677,39 @@
')
optional_policy(`
@@ -27751,6 +27906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+optional_policy(`
+ plymouth_search_spool(xdm_t)
++ plymouth_exec(xdm_t)
+')
+
+optional_policy(`
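Review bot: `plymouth_exec(xdm_t)` runs the plymouth binary inside xdm_t with no domain transition (by refpolicy convention the `*_exec` interfaces are can_exec in the caller's domain), so any weakness in that program is exercised with the display manager's full privilege. If the plymouth module offers a transition into a domain of its own that is the safer choice; if in-domain execution is genuinely required, the reason belongs in a comment next to the rule, e.g. `# plymouth must run in the xdm domain; no dedicated transition available`. As written the optional_policy block gives no hint which of the two was intended.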
@@ -27773,7 +27929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +717,9 @@
+@@ -550,8 +718,9 @@
')
optional_policy(`
@@ -27785,7 +27941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +728,6 @@
+@@ -560,7 +729,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -27793,7 +27949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +738,10 @@
+@@ -571,6 +739,10 @@
')
optional_policy(`
@@ -27804,7 +27960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +758,9 @@
+@@ -587,10 +759,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -27816,7 +27972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +772,12 @@
+@@ -602,9 +773,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -27829,7 +27985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +789,14 @@
+@@ -616,13 +790,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -27845,7 +28001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +809,19 @@
+@@ -635,9 +810,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -27865,7 +28021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +855,6 @@
+@@ -671,7 +856,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -27873,7 +28029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -681,9 +864,12 @@
+@@ -681,9 +865,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -27887,7 +28043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +884,12 @@
+@@ -698,8 +885,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -27900,7 +28056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -721,6 +911,7 @@
+@@ -721,6 +912,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -27908,7 +28064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +934,7 @@
+@@ -743,7 +935,7 @@
')
ifdef(`enable_mls',`
@@ -27917,7 +28073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -775,12 +966,20 @@
+@@ -775,12 +967,20 @@
')
optional_policy(`
@@ -27939,7 +28095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t)
')
-@@ -807,12 +1006,12 @@
+@@ -807,12 +1007,12 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -27956,7 +28112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1027,14 @@
+@@ -828,9 +1028,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -27971,7 +28127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1049,14 @@
+@@ -845,11 +1050,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -27987,7 +28143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -882,6 +1089,8 @@
+@@ -882,6 +1090,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -27996,7 +28152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1115,8 @@
+@@ -906,6 +1116,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -28005,7 +28161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1184,49 @@
+@@ -973,17 +1185,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28184,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-07 15:55:13.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-10 15:35:58.000000000 -0500
@@ -40,17 +40,76 @@
##
##
@@ -28502,16 +28658,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-12-03 13:45:11.000000000 -0500
-@@ -103,6 +103,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-12-10 13:28:10.000000000 -0500
+@@ -103,8 +103,10 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
++term_dontaudit_use_all_server_ptys(chkpwd_t)
-@@ -125,9 +126,18 @@
+ auth_use_nsswitch(chkpwd_t)
+
+@@ -125,9 +127,18 @@
')
optional_policy(`
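Review bot: `term_dontaudit_use_all_server_ptys(chkpwd_t)` hides read/write denials on every server-owned pty, which is reasonable for a descriptor inherited from whichever service spawned the password helper, but nothing in the block says so. A short comment such as `# console/pty descriptors leaked by the calling service; chkpwd never needs them` above the term_dontaudit lines would document that these are leaks rather than required access and stop a later cleanup from turning them into allow rules.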
@@ -29537,7 +29696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-10 11:41:15.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
@@ -29552,7 +29711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type ipsec_t;
type ipsec_exec_t;
init_daemon_domain(ipsec_t, ipsec_exec_t)
-@@ -15,6 +22,9 @@
+@@ -15,13 +22,22 @@
type ipsec_conf_file_t;
files_type(ipsec_conf_file_t)
@@ -29562,17 +29721,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
-@@ -22,6 +32,9 @@
- # Default type for IPSEC SPD entries
- type ipsec_spd_t;
+type ipsec_log_t;
+logging_log_file(ipsec_log_t)
+
+ # Default type for IPSEC SPD entries
+ type ipsec_spd_t;
+
++type ipsec_tmp_t;
++files_tmp_file(ipsec_tmp_t)
++
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
-@@ -43,6 +56,9 @@
+@@ -43,6 +59,9 @@
init_daemon_domain(racoon_t, racoon_exec_t)
role system_r types racoon_t;
@@ -29582,7 +29744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type setkey_t;
type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
-@@ -53,21 +69,23 @@
+@@ -53,21 +72,23 @@
# ipsec Local policy
#
@@ -29609,7 +29771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -82,16 +100,17 @@
+@@ -82,16 +103,17 @@
# so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
@@ -29629,7 +29791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)
-@@ -120,7 +139,9 @@
+@@ -120,7 +142,9 @@
domain_use_interactive_fds(ipsec_t)
@@ -29639,7 +29801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
-@@ -154,16 +175,19 @@
+@@ -154,16 +178,19 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -29661,7 +29823,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-@@ -241,6 +265,7 @@
+@@ -188,6 +215,10 @@
+ manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+ files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
+
++manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
++manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
++files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
++
+ # whack needs to connect to pluto
+ stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
+
+@@ -241,6 +272,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
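Review bot: The four new ipsec_tmp_t rules are for ipsec_t but are inserted into the ipsec_mgmt_t local policy, between the ipsec_mgmt_t key-file rules and the `# whack needs to connect to pluto` stanza; they should move to the ipsec_t section next to the existing `manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)` so that someone auditing pluto's file access finds them in one place. The changelog for this release does not mention giving pluto a private tmp type either, so a comment on why ipsec_t now writes under /tmp (`# pluto creates temporary files and directories under /tmp`) would help; and if ipsec_mgmt_t is expected to clean those files up, it is given no access to ipsec_tmp_t here.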
@@ -29669,7 +29842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(ipsec_mgmt_t)
-@@ -280,6 +305,13 @@
+@@ -280,6 +312,13 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
@@ -29683,7 +29856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +329,13 @@
+@@ -297,6 +336,13 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -29697,7 +29870,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
-@@ -314,6 +353,8 @@
+@@ -314,6 +360,8 @@
files_read_etc_files(racoon_t)
@@ -29706,7 +29879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
-@@ -328,6 +369,14 @@
+@@ -328,6 +376,14 @@
miscfiles_read_localization(racoon_t)
@@ -29721,7 +29894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Setkey local policy
-@@ -341,12 +390,15 @@
+@@ -341,12 +397,15 @@
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
@@ -29737,6 +29910,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
+@@ -358,3 +417,5 @@
+ seutil_read_config(setkey_t)
+
+ userdom_use_user_terminals(setkey_t)
++
++userdom_read_user_tmp_files(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.32/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2009-12-03 13:45:11.000000000 -0500
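Review bot: `userdom_read_user_tmp_files(setkey_t)` lets the setkey domain, which loads SA/SPD policy into the kernel, read every user's tmp content; that is broader than the likely case of an administrator feeding setkey a script written to /tmp, and it makes a file under an unprivileged user's control a plausible input to a privileged operation. If this is needed, record the case it serves (`# admins feed setkey a config file written to /tmp`) and consider whether such a file should instead be labelled ipsec_conf_file_t, which setkey_t already reads per the `read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)` line earlier in the same section.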
@@ -33838,7 +34017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-09 09:27:20.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-10 15:29:01.000000000 -0500
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7c4e142..2985949 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 57%{?dist}
+Release: 58%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,8 +449,20 @@ exit 0
%endif
%changelog
+* Thu Dec 10 2009 Dan Walsh 3.6.32-58
+- Dontaudit udp_socket leaks for xauth_t
+
* Wed Dec 9 2009 Dan Walsh 3.6.32-57
- Allow unconfined_t to send dbus messages to setroubleshoot
+- Allow confined screen app to setattr on user ttys
+- remove wine_t from unconfined domain when unconfined.pp disabled
+- Allow sysadm_t to communicate with racoon
+- Allow xauth to be run from all unconfined user types
+- Fix labeling on all /var/cache/mod_* apps
+- Allow asterisk to communicate with postgresql
+- Fix labeling for /var/lib/certmaster
+- Add policy for ksmtuned and tgtd
+- Fixes fro vhostmd
* Mon Dec 7 2009 Dan Walsh 3.6.32-56
- Dontaudit exec of fusermount from xguest