From 302c4d576a502750866dcc1cc7bd8014896b0a3a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Nov 06 2007 21:51:09 +0000
Subject: - Allow all dns_resolves to use avahi stream - Don't transition from unconfined_t to ping_t
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index f39af0d..3741fe1 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -8529,7 +8529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-11-06 16:45:48.000000000 -0500
 @@ -42,6 +42,10 @@
 dontaudit $1 krb5_conf_t:file write;
 dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
@@ -8541,6 +8541,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 tunable_policy(`allow_kerberos',`
 allow $1 self:tcp_socket create_socket_perms;
+@@ -62,8 +66,8 @@
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+
+- sysnet_read_config($1)
+- sysnet_dns_name_resolve($1)
++# sysnet_read_config($1)
++# sysnet_dns_name_resolve($1)
+ ')
+
+ optional_policy(`
 @@ -172,3 +176,51 @@
 allow $1 krb5kdc_conf_t:file read_file_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8ec7752..8f420c0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 46%{?dist}
+Release: 47%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
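Review bot: In the second policy-20070703.patch hunk (`@@ -8541,6 +8541,17 @@`), the inner kerberos.if change disables `sysnet_read_config($1)` and `sysnet_dns_name_resolve($1)` inside the `allow_kerberos` tunable block by commenting them out, and neither the subject nor the new changelog entry mentions Kerberos. If the four lines added by the inner `@@ -42,6 +42,10 @@` hunk (not visible here) re-issue these calls outside the tunable, every caller of this interface gets network-config read and DNS resolution even with the boolean off; if they do not, Kerberos clients lose name resolution. Either way I would delete the dead lines and leave a single explanatory comment, for example `# name resolution is granted outside the tunable block; see above` (adjusted to whichever is true), and add a matching changelog line. The enclosing interface begins and ends outside the hunk.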
@@ -379,6 +379,10 @@ exit 0
 %endif
 %changelog
+* Tue Nov 6 2007 Dan Walsh 3.0.8-47
+- Allow all dns_resolves to use avahi stream
+- Don't transition from unconfined_t to ping_t
+
 * Tue Nov 6 2007 Dan Walsh 3.0.8-46
 - Allow sendmail to interact with winbind
 - Allow dovecot to write log files