From 49c044653e97a47c806b24042e7aaaaf663f02e6 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 25 2011 10:59:46 +0000 Subject: - Add support for a new cluster service - foghorn - Add /var/spool/audit support for new version of audit - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - Add support for vdsm - Allow syslogd setrlimit, sys_nice - ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed --- diff --git a/policy-F13.patch b/policy-F13.patch index 7efbf39..e72ea26 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -9748,6 +9748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco + +/usr/local/Brother/(.*/)?inf/brprintconf.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/local/Brother/(.*/)?inf/setup.* -- gen_context(system_u:object_r:bin_t,s0) +Binary files nsaserefpolicy/policy/modules/kernel/.corecommands.fc.swp and serefpolicy-3.7.19/policy/modules/kernel/.corecommands.fc.swp differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.19/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-10-08 09:10:25.000000000 +0000 @@ -21810,7 +21811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.19/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2010-05-28 07:42:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2011-03-17 09:51:02.274851002 +0000 
@@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -21844,8 +21845,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) @@ -26131,7 +26133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-03-16 13:57:42.672107002 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-03-25 08:29:07.333630001 +0000 @@ -74,7 +74,7 @@ ') @@ -26187,7 +26189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ######################################## ## ## Create a derived type for kerberos keytab -@@ -374,3 +397,22 @@ +@@ -374,3 +397,41 @@ admin_pattern($1, krb5kdc_var_run_t) ') 
@@ -26210,6 +26212,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + + files_tmp_filetrans($1, krb5_host_rcache_t, file) +') ++ ++######################################## ++## ++## read kerberos homedir content (.k5login) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`kerberos_read_home_content',` ++ gen_require(` ++ type krb5_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, krb5_home_t, krb5_home_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.19/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2011-03-16 13:51:14.123107002 +0000 @@ -35064,16 +35085,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.7.19/policy/modules/services/remotelogin.te --- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2011-03-16 13:26:33.488107001 +0000 -@@ -50,6 +50,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2011-03-18 14:13:40.122630000 +0000 +@@ -50,6 +50,8 @@ fs_search_auto_mountpoints(remote_login_t) term_relabel_all_ptys(remote_login_t) ++term_setattr_all_ptys(remote_login_t) +term_use_all_ptys(remote_login_t) auth_rw_login_records(remote_login_t) auth_rw_faillog(remote_login_t) -@@ -88,6 +89,7 @@ +@@ -88,6 +90,7 @@ # since very weak authentication is used. userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) 
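Review bot: `kerberos_read_home_content` is declared with `template(` although its body only requires the existing `krb5_home_t` type and grants access to it; nothing is derived from a prefix. In reference-policy convention that makes it an `interface(`, and declaring it as such keeps it consistent with the other access interfaces in kerberos.if. The summary line `read kerberos homedir content (.k5login)` should also start with a capital letter like the neighbouring `Create a derived type for kerberos keytab`. Note that `read_files_pattern($1, krb5_home_t, krb5_home_t)` grants read on every file labelled `krb5_home_t`, not just `.k5login`, so the summary should say so.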
@@ -35485,12 +35507,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-09-16 15:00:39.000000000 +0000 -@@ -0,0 +1,26 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2011-03-18 14:46:37.941630000 +0000 +@@ -0,0 +1,27 @@ +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0) +/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) +/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) +/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) @@ -35977,8 +36000,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-02-17 10:04:32.623796000 +0000 -@@ -0,0 +1,265 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-03-18 14:46:13.492630000 +0000 +@@ -0,0 +1,281 @@ + +policy_module(rhcs,1.1.0) + 
@@ -36009,6 +36032,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +type fenced_lock_t; +files_lock_file(fenced_lock_t) + ++rhcs_domain_template(foghorn) ++permissive foghorn_t; ++ +rhcs_domain_template(gfs_controld) + +rhcs_domain_template(groupd) @@ -36114,6 +36140,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +###################################### +# ++# foghorn local policy ++# ++ ++allow foghorn_t self:process { signal }; ++ ++files_read_etc_files(foghorn_t) ++ ++optional_policy(` ++ dbus_connect_system_bus(foghorn_t) ++ ') ++ ++###################################### ++# +# gfs_controld local policy +# + @@ -39113,7 +39152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2011-03-08 14:16:27.328413001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2011-03-18 14:50:44.915630000 +0000 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -39202,15 +39241,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) -+ corenet_sendrecv_ssh_server_packets($1_t) -+ # -R qualifier corenet_sendrecv_ssh_server_packets($1_t) ++ # -R qualifier ++ corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) fs_dontaudit_getattr_all_fs($1_t) -@@ -234,17 +239,18 @@ +@@ -234,21 +239,27 @@ corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) 
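Review bot: `permissive foghorn_t;` ships the new foghorn domain unenforced, so the local policy added in the next hunk (`allow foghorn_t self:process { signal };`, `files_read_etc_files(foghorn_t)`, `dbus_connect_system_bus(foghorn_t)`) only determines what is logged, not what the daemon may do. Nothing in the patch records when the domain is expected to become enforcing. I would put a comment on the declaration, for example `# permissive while AVCs are collected; drop this line once the foghorn rules are complete`, so the exception is visible to whoever next edits rhcs.te.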
@@ -39231,7 +39270,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Allow checking users mail at login mta_getattr_spool($1_t) -@@ -265,9 +271,16 @@ + ++ tunable_policy(`use_fusefs_home_dirs',` ++ fs_manage_fusefs_dirs($1_t) ++ fs_manage_fusefs_files($1_t) ++ ') ++ + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files($1_t) + fs_read_nfs_symlinks($1_t) +@@ -265,9 +276,16 @@ optional_policy(` files_read_var_lib_symlinks($1_t) @@ -39249,7 +39297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -290,6 +303,7 @@ +@@ -290,6 +308,7 @@ ## User domain for the role ## ## @@ -39257,7 +39305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # template(`ssh_role_template',` gen_require(` -@@ -327,7 +341,7 @@ +@@ -327,7 +346,7 @@ # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -39266,7 +39314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; -@@ -338,6 +352,7 @@ +@@ -338,6 +357,7 @@ manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) @@ -39274,7 +39322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ############################## # -@@ -359,7 +374,7 @@ +@@ -359,7 +379,7 @@ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. @@ -39283,7 +39331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -388,6 +403,7 @@ +@@ -388,6 +408,7 @@ logging_send_syslog_msg($1_ssh_agent_t) miscfiles_read_localization($1_ssh_agent_t) 
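Review bot: The new `use_fusefs_home_dirs` block gives `$1_t` `fs_manage_fusefs_dirs` and `fs_manage_fusefs_files`, while the `use_nfs_home_dirs` block directly below it in the same template grants only `fs_read_nfs_files($1_t)` and `fs_read_nfs_symlinks($1_t)`. If the server domain only needs to read home-directory content, as the NFS case suggests, the fusefs block should use the read variant too, e.g. `fs_read_fusefs_files($1_t)` (the interface sssd.te uses in this same commit) plus the matching symlink read interface if this policy version provides one. The ssh.te hunk for `ssh_t` mirrors an NFS block that already uses manage, so this only concerns the template here. The template body starts and ends outside this hunk.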
@@ -39291,7 +39339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. seutil_dontaudit_read_config($1_ssh_agent_t) -@@ -395,10 +411,8 @@ +@@ -395,10 +416,8 @@ userdom_use_user_terminals($1_ssh_agent_t) # for the transition back to normal privs upon exec @@ -39303,7 +39351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -475,7 +489,7 @@ +@@ -475,7 +494,7 @@ type sshd_t; ') @@ -39312,7 +39360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## ## -@@ -492,7 +506,7 @@ +@@ -492,7 +511,7 @@ type sshd_t; ') @@ -39321,7 +39369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -582,6 +596,25 @@ +@@ -582,6 +601,25 @@ domtrans_pattern($1, sshd_exec_t, sshd_t) ') @@ -39347,7 +39395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Execute the ssh client in the caller domain. -@@ -616,7 +649,7 @@ +@@ -616,7 +654,7 @@ type sshd_key_t; ') @@ -39356,7 +39404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. files_search_pids($1) ') -@@ -678,6 +711,32 @@ +@@ -678,6 +716,32 @@ domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -39389,7 +39437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Read ssh server keys -@@ -693,7 +752,51 @@ +@@ -693,7 +757,51 @@ type sshd_key_t; ') @@ -39442,7 +39490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ####################################### -@@ -714,3 +817,67 @@ +@@ -714,3 +822,67 @@ files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
@@ -39512,7 +39560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-16 12:45:02.432107002 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-18 14:51:36.890630000 +0000 @@ -34,13 +34,12 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -39603,7 +39651,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -201,54 +205,6 @@ +@@ -180,6 +184,11 @@ + allow ssh_keysign_t ssh_t:fifo_file rw_file_perms; + ') + ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_manage_fusefs_dirs(ssh_t) ++ fs_manage_fusefs_files(ssh_t) ++ ') ++ + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(ssh_t) + fs_manage_nfs_files(ssh_t) +@@ -201,54 +210,6 @@ xserver_domtrans_xauth(ssh_t) ') @@ -39658,7 +39718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ############################## # # ssh_keysign_t local policy -@@ -282,36 +238,39 @@ +@@ -282,36 +243,39 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -39707,7 +39767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -319,10 +278,27 @@ +@@ -319,10 +283,27 @@ ') optional_policy(` @@ -39735,7 +39795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +309,18 @@ +@@ -333,10 +314,18 @@ ') optional_policy(` 
@@ -39755,7 +39815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd -@@ -368,6 +352,7 @@ +@@ -368,6 +357,7 @@ # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -39763,7 +39823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; -@@ -376,6 +361,10 @@ +@@ -376,6 +366,10 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms; files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) @@ -39774,7 +39834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -384,6 +373,7 @@ +@@ -384,6 +378,7 @@ dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) @@ -39782,7 +39842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. domain_use_interactive_fds(ssh_keygen_t) -@@ -397,6 +387,11 @@ +@@ -397,6 +392,11 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -39838,7 +39898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd sssd_initrc_domtrans($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2011-03-01 12:58:07.985556649 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2011-03-25 08:31:03.587630001 +0000 @@ -29,9 +29,12 @@ # # sssd local policy 
@@ -39884,10 +39944,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -@@ -89,3 +102,11 @@ +@@ -88,4 +101,25 @@ + optional_policy(` kerberos_manage_host_rcache(sssd_t) - ') ++ kerberos_read_home_content(sssd_t) ++') + +optional_policy(` + dirsrv_stream_connect(sssd_t) @@ -39896,6 +39958,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd +optional_policy(` + ldap_stream_connect(sssd_t) +') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(sssd_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(sssd_t) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_read_fusefs_files(sssd_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.19/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/sysstat.te 2010-07-27 13:46:39.000000000 +0000 @@ -40577,7 +40651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-03-01 12:46:03.926380019 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-03-25 08:50:01.013630001 +0000 @@ -1,4 +1,5 @@ -HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
@@ -40585,7 +40659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -@@ -12,18 +13,19 @@ +@@ -12,18 +13,22 @@ /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -40607,10 +40681,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) ++# support for vdsm ++# bug 685061 ++/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-09-23 10:59:31.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2011-03-17 10:41:54.513325002 +0000 @@ -21,6 +21,8 @@ type $1_t, virt_domain; domain_type($1_t) @@ -40772,7 +40849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +562,50 @@ +@@ -516,3 +562,86 @@ virt_manage_log($1) ') 
@@ -40822,6 +40899,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + type virtd_t; + ') + dontaudit $1 virtd_t:fifo_file write; ++') ++ ++###################################### ++## ++## Send a sigkill to virtual machines ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_kill_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process sigkill; ++') ++ ++###################################### ++## ++## Send a signal to virtual machines ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_signal_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process signal; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 18:44:37.000000000 +0000 @@ -44141,7 +44254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-02-17 09:49:30.499796002 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-03-25 08:48:15.759630001 +0000 @@ -1,5 +1,5 @@ -policy_module(init, 1.14.2) @@ -44588,7 +44701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t udev_manage_pid_files(initrc_t) ') -@@ -798,11 +950,19 @@ +@@ -798,11 +950,26 @@ ') optional_policy(` 
@@ -44606,10 +44719,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) ++ ++ # bug 685061 ++ mcs_file_read_all(initrc_t) ++ mcs_file_write_all(initrc_t) ++ mcs_socket_write_all_levels(initrc_t) ++ mcs_killall(initrc_t) ++ mcs_ptrace_all(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -812,6 +972,25 @@ +@@ -812,6 +979,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -44635,7 +44755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -837,3 +1016,35 @@ +@@ -837,3 +1023,35 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -44808,7 +44928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-08-10 15:44:19.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2011-03-25 08:41:51.030630001 +0000 @@ -73,7 +73,7 @@ # @@ -44845,7 +44965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,7 +190,9 @@ +@@ -186,13 +190,17 @@ allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; dontaudit ipsec_mgmt_t self:capability sys_tty_config; 
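Review bot: The five `mcs_*` calls added for `initrc_t` (`mcs_file_read_all`, `mcs_file_write_all`, `mcs_socket_write_all_levels`, `mcs_killall`, `mcs_ptrace_all`) are explained only by `# bug 685061`. Together they exempt every init script from MCS category separation for file access, signals and ptrace, which is the boundary that keeps svirt guests apart. The virt.fc hunk carries the same bug number for vdsm, so presumably vdsm is the only consumer; if so, a dedicated domain for vdsm would contain the exemption better than widening `initrc_t`. At a minimum the comment should state the reason, e.g. `# bug 685061: vdsm runs from an init script and must manage and signal guests in any MCS category`, and `mcs_ptrace_all` deserves its own justification or removal. The enclosing `optional_policy` block continues outside this hunk.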
@@ -44856,7 +44976,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -225,7 +231,6 @@ + allow ipsec_mgmt_t self:key_socket create_socket_perms; + allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; + ++allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; ++ + allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; + files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) + +@@ -225,7 +233,6 @@ manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) @@ -44864,7 +44992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) -@@ -258,7 +263,13 @@ +@@ -258,7 +265,13 @@ domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. @@ -44879,7 +45007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) -@@ -270,19 +281,25 @@ +@@ -270,19 +283,25 @@ files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) 
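Review bot: The added rule `allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };` has no comment, and its purpose is only discoverable from the changelog entry about ipsec_t dumping core. `rlimitinh` lets resource limits set in `ipsec_mgmt_t` carry across the transition into `ipsec_t`, which is a wider effect than the core-size case that motivated it. I would add a line above the rule such as `# ipsec_mgmt_t raises the core limit before starting pluto; rlimitinh keeps it across the domain transition`, and confirm that `sigchld` is needed in this direction.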
@@ -44893,9 +45021,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. term_use_console(ipsec_mgmt_t) -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) +term_use_all_terms(ipsec_mgmt_t) -+ -+auth_dontaudit_read_login_records(ipsec_mgmt_t) ++auth_dontaudit_read_login_records(ipsec_mgmt_t) ++ +init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) @@ -44906,7 +45034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. logging_send_syslog_msg(ipsec_mgmt_t) miscfiles_read_localization(ipsec_mgmt_t) -@@ -291,15 +308,38 @@ +@@ -291,15 +310,38 @@ seutil_dontaudit_search_config(ipsec_mgmt_t) @@ -44945,7 +45073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. nscd_socket_use(ipsec_mgmt_t) ') -@@ -386,6 +426,8 @@ +@@ -386,6 +428,8 @@ sysnet_exec_ifconfig(racoon_t) @@ -44954,7 +45082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -412,6 +454,7 @@ +@@ -412,6 +456,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -44962,7 +45090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -423,3 +466,4 @@ +@@ -423,3 +468,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) 
@@ -45570,7 +45698,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.19/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2011-01-03 09:28:54.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2011-03-25 08:35:24.361630001 +0000 +@@ -1,4 +1,4 @@ +-/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ++/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) + + /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) 
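Review bot: `/dev/log` is moved to `mls_systemhigh`, but the other `devlog_t` sockets visible in this file keep `s0`: `/var/named/chroot/dev/log -s` and `/var/run/log -s` appear as unchanged context in the later logging.fc hunks. If the intent is that the syslog socket sits at system-high under MLS, those entries should be changed in the same commit. If the difference is deliberate, a comment in logging.fc should say why. The same later hunk escapes the dot in `boot\.log` while the neighbouring `/var/run/syslog-ng.ctl` entry still has an unescaped `.`, which could be tidied at the same time.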
@@ -45582,7 +45716,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -54,18 +58,24 @@ +@@ -37,13 +41,14 @@ + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) ++/var/log/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) ++/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) + + ifndef(`distro_gentoo',` + /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +@@ -54,18 +59,25 @@ /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') 
@@ -45597,17 +45747,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) - /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +-/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) ++/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) - /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) +-/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) ++/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) - -+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) + ++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
@@ -45713,8 +45866,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-08-18 11:16:17.000000000 +0000 -@@ -61,6 +61,7 @@ ++++ serefpolicy-3.7.19/policy/modules/system/logging.te 2011-03-25 09:50:43.190630001 +0000 +@@ -20,6 +20,11 @@ + files_security_file(auditd_log_t) + files_security_mountpoint(auditd_log_t) + ++type audit_spool_t; ++files_type(audit_spool_t) ++files_security_file(audit_spool_t) ++files_security_mountpoint(audit_spool_t) ++ + type auditd_t; + type auditd_exec_t; + init_daemon_domain(auditd_t, auditd_exec_t) +@@ -61,6 +66,7 @@ type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) @@ -45722,7 +45887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -180,6 +181,8 @@ +@@ -180,6 +186,8 @@ logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -45731,7 +45896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) -@@ -235,7 +238,12 @@ +@@ -235,7 +243,12 @@ files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) @@ -45744,7 +45909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_t) -@@ -245,6 +253,10 @@ +@@ -245,6 +258,10 @@ optional_policy(` dbus_system_bus_client(audisp_t) 
@@ -45755,7 +45920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -252,6 +264,9 @@ +@@ -252,8 +269,15 @@ # Audit remote logger local policy # @@ -45764,8 +45929,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + allow audisp_remote_t self:tcp_socket create_socket_perms; ++manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) ++manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) ++files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) ++ corenet_all_recvfrom_unlabeled(audisp_remote_t) -@@ -266,6 +281,15 @@ + corenet_all_recvfrom_netlabel(audisp_remote_t) + corenet_tcp_sendrecv_generic_if(audisp_remote_t) +@@ -266,6 +290,15 @@ files_read_etc_files(audisp_remote_t) @@ -45781,7 +45952,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_remote_t) miscfiles_read_localization(audisp_remote_t) -@@ -372,8 +396,10 @@ +@@ -339,10 +372,10 @@ + # chown fsetid for syslog-ng + # sys_admin for the integrated klog of syslog-ng and metalog + # cjp: why net_admin! +-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; ++allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; + dontaudit syslogd_t self:capability sys_tty_config; + # setpgid for metalog +-allow syslogd_t self:process { signal_perms setpgid }; ++allow syslogd_t self:process { setrlimit signal_perms setpgid }; + # receive messages to be logged + allow syslogd_t self:unix_dgram_socket create_socket_perms; + allow syslogd_t self:unix_stream_socket create_stream_socket_perms; +@@ -372,8 +405,10 @@ manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) 
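Review bot: `sys_nice` and `setrlimit` are added to `syslogd_t` without the per-permission comments the surrounding lines use (`# chown fsetid for syslog-ng`, `# sys_admin for the integrated klog ...`, `# setpgid for metalog`). The capability line already carries an unanswered `# cjp: why net_admin!`, so undocumented additions here are hard to audit later. I would add comments naming the daemon and the reason, for example `# sys_nice: <daemon> adjusts its scheduling priority` and `# setrlimit: <daemon> raises its own resource limits`, with the placeholders filled in from the bug that prompted the change.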
@@ -45794,7 +45978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -@@ -491,6 +517,10 @@ +@@ -491,6 +526,10 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 9f951f3..d1c2f4e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 101%{?dist} +Release: 102%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,15 @@ exit 0 %endif %changelog +* Fri Mar 25 2011 Miroslav Grepl 3.7.19-102 +- Add support for a new cluster service - foghorn +- Add /var/spool/audit support for new version of audit +- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems +- sssd wants to read .k5login file in users homedir +- Add support for vdsm +- Allow syslogd setrlimit, sys_nice +- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed + * Wed Mar 16 2011 Miroslav Grepl 3.7.19-101 - Fixes for sandbox/seunshare policy - Add matahari policy