From 56c8871c5d1be65976d1e4e0b8426ca06fb4ef16 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 18 2012 11:42:13 +0000 Subject: * Wed Apr 18 2012 Miroslav Grepl 3.10.0-8 - Make sure /var/spool/postfix/lib64 is labeled as /var/spool - Nagios fixes * Bacport from F17 --- diff --git a/policy-F16.patch b/policy-F16.patch index a93eff4..eba5b86 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -15004,7 +15004,7 @@ index 35fed4f..51ad69a 100644 # diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 6cf8784..fa24001 100644 +index 6cf8784..c384d6f 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,12 +15,14 @@ @@ -15049,7 +15049,7 @@ index 6cf8784..fa24001 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -187,8 +193,6 @@ ifdef(`distro_suse', ` +@@ -187,12 +193,16 @@ ifdef(`distro_suse', ` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -15058,9 +15058,10 @@ index 6cf8784..fa24001 100644 ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) -@@ -196,3 +200,8 @@ ifdef(`distro_redhat',` + /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ++/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) ') + +# @@ -25300,14 +25301,14 @@ index deca9d3..ac92fce 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..5a10781 100644 +index 9e39aa5..a9021c8 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc 
@@ -1,21 +1,30 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0) -+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_content_ra_t,s0) ++HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0) /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -47056,10 +47057,10 @@ index 1fc9905..1d05c60 100644 -/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) +/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if -index 8581040..2367841 100644 +index 8581040..3983667 100644 --- a/policy/modules/services/nagios.if +++ b/policy/modules/services/nagios.if -@@ -12,10 +12,8 @@ +@@ -12,13 +12,11 @@ ## # template(`nagios_plugin_template',` @@ -47070,7 +47071,11 @@ index 8581040..2367841 100644 + type nagios_t, nrpe_t, nagios_log_t; ') - type nagios_$1_plugin_t; +- type nagios_$1_plugin_t; ++ type nagios_$1_plugin_t, nagios_plugin_domain; + type nagios_$1_plugin_exec_t; + application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) + role system_r types nagios_$1_plugin_t; @@ -26,9 +24,11 @@ template(`nagios_plugin_template',` allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; @@ -47147,10 +47152,19 @@ index 8581040..2367841 100644 allow $1 nagios_t:process { ptrace signal_perms }; 
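Review bot: The corrected file context in the apache.fc hunk now names `httpd_user_ra_content_t`, but no hunk in this diff declares or renames that type on the apache.te side, so from here it is not possible to tell whether the spelling now matches an existing declaration or only relocates the typo. A file-context entry that names an undeclared type is rejected by the file-context check at policy build time rather than at relabel, so this is worth confirming against the `type httpd_user_ra_content_t` declaration before the patch is applied, and the matching `.te` hunk should be part of this commit if it is missing.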
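Review bot: The `gen_require` block of `nagios_plugin_template` in the nagios.if hunk lists `type nagios_t, nrpe_t, nagios_log_t;` but not the attribute the template now assigns in `type nagios_$1_plugin_t, nagios_plugin_domain;`. Inside nagios.te this resolves because the attribute is declared there in the same module, but if the template is ever invoked from another module the attribute is undeclared at that point and the build fails; adding `attribute nagios_plugin_domain;` to the gen_require keeps the template self-contained and matches how the other external names are listed. The template body continues outside this hunk.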
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..9ad9024 100644 +index bf64a4c..2275f40 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te -@@ -25,7 +25,10 @@ type nagios_var_run_t; +@@ -5,6 +5,8 @@ policy_module(nagios, 1.10.0) + # Declarations + # + ++attribute nagios_plugin_domain; ++ + type nagios_t; + type nagios_exec_t; + init_daemon_domain(nagios_t, nagios_exec_t) +@@ -25,7 +27,10 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) type nagios_spool_t; @@ -47162,7 +47176,18 @@ index bf64a4c..9ad9024 100644 nagios_plugin_template(admin) nagios_plugin_template(checkdisk) -@@ -77,8 +80,13 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file) +@@ -33,6 +38,10 @@ nagios_plugin_template(mail) + nagios_plugin_template(services) + nagios_plugin_template(system) + nagios_plugin_template(unconfined) ++nagios_plugin_template(eventhandler) ++ ++type nagios_eventhandler_plugin_tmp_t; ++files_tmp_file(nagios_eventhandler_plugin_tmp_t) + + type nagios_system_plugin_tmp_t; + files_tmp_file(nagios_system_plugin_tmp_t) +@@ -77,8 +86,13 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) @@ -47176,7 +47201,7 @@ index bf64a4c..9ad9024 100644 corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) -@@ -107,13 +115,11 @@ files_read_etc_files(nagios_t) +@@ -107,13 +121,11 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) files_search_spool(nagios_t) @@ -47191,7 +47216,7 @@ index bf64a4c..9ad9024 100644 auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -124,10 +130,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) +@@ -124,10 +136,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) mta_send_mail(nagios_t) 
@@ -47204,7 +47229,7 @@ index bf64a4c..9ad9024 100644 netutils_kill_ping(nagios_t) ') -@@ -143,6 +149,7 @@ optional_policy(` +@@ -143,6 +155,7 @@ optional_policy(` # # Nagios CGI local policy # @@ -47212,7 +47237,7 @@ index bf64a4c..9ad9024 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -180,11 +187,13 @@ optional_policy(` +@@ -180,11 +193,13 @@ optional_policy(` # allow nrpe_t self:capability { setuid setgid }; @@ -47227,7 +47252,7 @@ index bf64a4c..9ad9024 100644 domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) -@@ -201,7 +210,8 @@ corecmd_exec_shell(nrpe_t) +@@ -201,7 +216,8 @@ corecmd_exec_shell(nrpe_t) corenet_tcp_bind_generic_node(nrpe_t) corenet_tcp_bind_inetd_child_port(nrpe_t) @@ -47237,7 +47262,7 @@ index bf64a4c..9ad9024 100644 dev_read_sysfs(nrpe_t) dev_read_urand(nrpe_t) -@@ -211,6 +221,7 @@ domain_read_all_domains_state(nrpe_t) +@@ -211,6 +227,7 @@ domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) files_read_etc_files(nrpe_t) @@ -47245,7 +47270,15 @@ index bf64a4c..9ad9024 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -270,12 +281,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -251,7 +268,6 @@ optional_policy(` + corecmd_read_bin_files(nagios_admin_plugin_t) + corecmd_read_bin_symlinks(nagios_admin_plugin_t) + +-dev_read_urand(nagios_admin_plugin_t) + dev_getattr_all_chr_files(nagios_admin_plugin_t) + dev_getattr_all_blk_files(nagios_admin_plugin_t) + +@@ -270,19 +286,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; 
@@ -47258,7 +47291,14 @@ index bf64a4c..9ad9024 100644 kernel_read_kernel_sysctls(nagios_mail_plugin_t) corecmd_read_bin_files(nagios_mail_plugin_t) -@@ -299,7 +308,7 @@ optional_policy(` + corecmd_read_bin_symlinks(nagios_mail_plugin_t) + +-dev_read_urand(nagios_mail_plugin_t) +- + files_read_etc_files(nagios_mail_plugin_t) + + logging_send_syslog_msg(nagios_mail_plugin_t) +@@ -299,7 +311,7 @@ optional_policy(` optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) @@ -47267,7 +47307,7 @@ index bf64a4c..9ad9024 100644 ') ###################################### -@@ -310,6 +319,9 @@ optional_policy(` +@@ -310,6 +322,9 @@ optional_policy(` # needed by ioctl() allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; @@ -47277,7 +47317,7 @@ index bf64a4c..9ad9024 100644 files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,7 +335,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,7 +338,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; @@ -47285,7 +47325,7 @@ index bf64a4c..9ad9024 100644 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; -@@ -340,6 +351,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -340,6 +354,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) 
@@ -47294,7 +47334,7 @@ index bf64a4c..9ad9024 100644 ') optional_policy(` -@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -363,6 +379,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -47303,7 +47343,13 @@ index bf64a4c..9ad9024 100644 kernel_read_system_state(nagios_system_plugin_t) kernel_read_kernel_sysctls(nagios_system_plugin_t) -@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t) +@@ -370,12 +388,13 @@ corecmd_exec_bin(nagios_system_plugin_t) + corecmd_exec_shell(nagios_system_plugin_t) + + dev_read_sysfs(nagios_system_plugin_t) +-dev_read_urand(nagios_system_plugin_t) + + domain_read_all_domains_state(nagios_system_plugin_t) files_read_etc_files(nagios_system_plugin_t) 
@@ -47312,6 +47358,59 @@ index bf64a4c..9ad9024 100644 # needed by check_users plugin optional_policy(` init_read_utmp(nagios_system_plugin_t) +@@ -389,3 +408,52 @@ optional_policy(` + optional_policy(` + unconfined_domain(nagios_unconfined_plugin_t) + ') ++ ++####################################### ++# ++# Event handler plugin plugin policy ++# ++ ++manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t) ++manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t) ++files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file }) ++ ++corecmd_exec_bin(nagios_eventhandler_plugin_t) ++corecmd_exec_shell(nagios_eventhandler_plugin_t) ++ ++init_domtrans_script(nagios_eventhandler_plugin_t) ++ ++systemd_exec_systemctl(nagios_eventhandler_plugin_t) ++ ++allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms; ++ ++optional_policy(` ++ unconfined_domain(nagios_eventhandler_plugin_t) ++') ++ ++###################################### ++# ++# nagios plugin domain policy ++# ++ ++allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; ++ ++allow nrpe_t nagios_plugin_domain:process { signal sigkill }; ++ ++allow nagios_t nagios_plugin_domain:process signal_perms; ++ ++# cjp: leaked file descriptor ++dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write }; ++dontaudit nagios_plugin_domain nagios_log_t:file { read write }; ++ ++kernel_read_system_state(nagios_plugin_domain) ++ ++dev_read_urand(nagios_plugin_domain) ++dev_read_rand(nagios_plugin_domain) ++ ++files_read_usr_files(nagios_plugin_domain) ++ ++miscfiles_read_localization(nagios_plugin_domain) ++ ++userdom_use_inherited_user_ptys(nagios_plugin_domain) ++userdom_use_inherited_user_ttys(nagios_plugin_domain) diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc index 74da57f..b94bb3b 100644 
--- a/policy/modules/services/nessus.fc @@ -49216,7 +49315,7 @@ index 7f8fdc2..047d985 100644 optional_policy(` seutil_sigchld_newrole(openct_t) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index 8b550f4..117a7ac 100644 +index 8b550f4..3075607 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0) @@ -49291,8 +49390,12 @@ index 8b550f4..117a7ac 100644 corenet_tcp_connect_http_cache_port(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) corenet_sendrecv_openvpn_server_packets(openvpn_t) -@@ -102,6 +110,8 @@ files_read_etc_runtime_files(openvpn_t) +@@ -100,8 +108,12 @@ dev_read_urand(openvpn_t) + files_read_etc_files(openvpn_t) + files_read_etc_runtime_files(openvpn_t) ++fs_getattr_xattr_fs(openvpn_t) ++ auth_use_pam(openvpn_t) +init_read_utmp(openvpn_t) @@ -49300,7 +49403,7 @@ index 8b550f4..117a7ac 100644 logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -@@ -112,21 +122,23 @@ sysnet_exec_ifconfig(openvpn_t) +@@ -112,21 +124,23 @@ sysnet_exec_ifconfig(openvpn_t) sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) @@ -49332,7 +49435,7 @@ index 8b550f4..117a7ac 100644 optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) -@@ -138,3 +150,7 @@ optional_policy(` +@@ -138,3 +152,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') @@ -63998,7 +64101,7 @@ index 7c5d8d8..45bac8e 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..bea24d2 100644 +index 3eca020..813bca2 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) 
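Review bot: The new eventhandler section in the nagios.te hunk makes `nagios_eventhandler_plugin_t` an `unconfined_domain` whenever the unconfined module is present, on top of the explicit `init_domtrans_script` and `systemd_exec_systemctl` grants, so the daemon's confinement for event handlers rests entirely on which files carry `nagios_eventhandler_plugin_exec_t`; this diff shows no nagios.fc entry for that type, so the labeling of the handler directory should be added here or confirmed to exist already. A header comment recording why the unconfined fallback is needed rather than the explicit rule set would help later reviewers, and that header currently reads `# Event handler plugin plugin policy` with a doubled word. The new shared `nagios_plugin_domain` section also grants `dev_read_rand`, `kernel_read_system_state` and inherited tty/pty use to every plugin, which is wider than the per-plugin `dev_read_urand` lines the same commit removes; a one-line note on why all plugins need these would make the consolidation reviewable.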
@@ -64538,7 +64641,7 @@ index 3eca020..bea24d2 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +618,375 @@ files_search_all(virt_domain) +@@ -440,25 +618,387 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -64898,15 +65001,19 @@ index 3eca020..bea24d2 100644 +# +# virt_qmf local policy +# -+allow virt_qmf_t self:process signal; ++ ++allow virt_qmf_t self:capability { sys_nice sys_tty_config }; ++allow virt_qmf_t self:process { setsched signal }; +allow virt_qmf_t self:fifo_file rw_fifo_file_perms; +allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms; +allow virt_qmf_t self:tcp_socket create_stream_socket_perms; ++allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; + +kernel_read_network_state(virt_qmf_t) + -+dev_list_sysfs(virt_qmf_t) +dev_read_sysfs(virt_qmf_t) ++dev_read_rand(virt_qmf_t) ++dev_read_urand(virt_qmf_t) + +corenet_tcp_connect_matahari_port(virt_qmf_t) + @@ -64917,6 +65024,14 @@ index 3eca020..bea24d2 100644 +logging_send_syslog_msg(virt_qmf_t) + +miscfiles_read_localization(virt_qmf_t) ++ ++optional_policy(` ++ dbus_read_lib_files(virt_qmf_t) ++') ++ ++optional_policy(` ++ virt_stream_connect(virt_qmf_t) ++') diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc index 11533cc..4d81b99 100644 --- a/policy/modules/services/vnstatd.fc @@ -65128,10 +65243,10 @@ index 0000000..a554011 +') diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te new file mode 100644 -index 0000000..45918db +index 0000000..f719e71 --- /dev/null +++ b/policy/modules/services/wdmd.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,51 @@ +policy_module(wdmd,1.0.0) + +######################################## 
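Review bot: The widened line `allow virt_qmf_t self:capability { sys_nice sys_tty_config };` in the virt_qmf section of the virt.te hunk carries no comment saying which operation needs `sys_tty_config`, and nothing else in the hunk shows virt_qmf_t touching a terminal. If this came from an observed denial, recording it as `# <operation that needs sys_tty_config>` next to the rule keeps the grant reviewable; if it did not, leaving the capability out until it is needed is the safer default. The virt_qmf section starts inside this hunk, but the virt.te declarations it relies on are outside it.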
@@ -65153,7 +65268,6 @@ index 0000000..45918db +# +# wdmd local policy +# -+ +allow wdmd_t self:capability { chown sys_nice ipc_lock }; +allow wdmd_t self:process { setsched signal }; + @@ -72575,7 +72689,7 @@ index a0b379d..bf90918 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..7470a2e 100644 +index 02f4c97..fe034f7 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,13 @@ @@ -72601,16 +72715,15 @@ index 02f4c97..7470a2e 100644 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -@@ -54,6 +61,8 @@ ifndef(`distro_gentoo',` +@@ -54,6 +61,7 @@ ifndef(`distro_gentoo',` ifdef(`distro_redhat',` /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) -+/var/spool/postfix/dev -d gen_context(system_u:object_r:var_log_t,s0) +/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -@@ -73,4 +82,8 @@ ifdef(`distro_redhat',` +@@ -73,4 +81,8 @@ ifdef(`distro_redhat',` /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -72831,7 +72944,7 @@ index 831b909..efe1038 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..aea710e 100644 +index b6ec597..199b2cb 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -5,6 +5,20 @@ policy_module(logging, 1.17.2) 
@@ -73030,7 +73143,7 @@ index b6ec597..aea710e 100644 miscfiles_read_localization(syslogd_t) -@@ -496,11 +559,20 @@ optional_policy(` +@@ -496,11 +559,24 @@ optional_policy(` ') optional_policy(` @@ -73038,6 +73151,10 @@ index b6ec597..aea710e 100644 +') + +optional_policy(` ++ postfix_search_spool(syslogd_t) ++') ++ ++optional_policy(` postgresql_stream_connect(syslogd_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index cf5aa30..17a027c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 83%{?dist} +Release: 84%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Apr 18 2012 Miroslav Grepl 3.10.0-84 +- Make sure /var/spool/postfix/lib64 is labeled as /var/spool/postfix/lib +- Nagios fixes + * Bacport from F17 + * Mon Apr 16 2012 Miroslav Grepl 3.10.0-83 - Allow wdmd chown - Add storage_dev_filetrans_named_fixed_disk() for fsdaemon
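Review bot: The changelog entry added in the selinux-policy.spec hunk says `/var/spool/postfix/lib64` is relabeled, but no hunk in this patch touches a lib64 file context; the postfix-related change that is visible is the move of `/var/spool/postfix/dev` from `var_log_t` in logging.fc to `device_t` in devices.fc, plus `postfix_search_spool(syslogd_t)` in logging.te. If the lib64 change lives in another commit the entry should say so or be dropped here, and the dev relabel listed instead; the same entry also has the typo `Bacport`, which should read `Backport`.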