From d32aaec0efff57f85d9d8933285f07f3da751188 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Aug 01 2008 16:18:19 +0000
Subject: - Change dhclient to be able to red networkmanager_var_run


---

diff --git a/policy-20070703.patch b/policy-20070703.patch
index e659508..67720dc 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1761,8 +1761,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  files_manage_generic_spool_dirs(logrotate_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.8/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2008-06-12 23:37:55.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/logwatch.te	2008-06-12 23:37:59.000000000 -0400
-@@ -48,7 +48,7 @@
++++ serefpolicy-3.0.8/policy/modules/admin/logwatch.te	2008-07-24 07:12:26.000000000 -0400
+@@ -48,21 +48,20 @@
  corecmd_exec_shell(logwatch_t)
  
  dev_read_urand(logwatch_t)
@@ -1771,7 +1771,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  
  # Read /proc/PID directories for all domains.
  domain_read_all_domains_state(logwatch_t)
-@@ -59,10 +59,8 @@
+ 
+ files_list_var(logwatch_t)
++files_read_var_symlinks(logwatch_t)
+ files_read_etc_files(logwatch_t)
+ files_read_etc_runtime_files(logwatch_t)
  files_read_usr_files(logwatch_t)
  files_search_spool(logwatch_t)
  files_search_mnt(logwatch_t)
@@ -1783,7 +1787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  
  fs_getattr_all_fs(logwatch_t)
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
-@@ -88,9 +86,6 @@
+@@ -88,9 +87,6 @@
  
  sysnet_dns_name_resolve(logwatch_t)
  
@@ -1793,7 +1797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  mta_send_mail(logwatch_t)
  
  optional_policy(`
-@@ -132,4 +127,5 @@
+@@ -132,4 +128,5 @@
  
  optional_policy(`
  	samba_read_log(logwatch_t)
@@ -4516,7 +4520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2008-06-12 23:37:56.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2008-08-01 12:16:35.000000000 -0400
 @@ -7,6 +7,7 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4565,15 +4569,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -163,9 +166,16 @@
+@@ -163,9 +166,14 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
 -/usr/local/Brother/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother(/.*)?/cupswrapper(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother(/.*)?/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Printer/[^/]*/cupswrapper(/.*)?      gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Printer/[^/]*/lpd(/.*)?      	gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/local/linuxprinter/filters(/.*)?   	gen_context(system_u:object_r:bin_t,s0)
  
 +/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4583,7 +4585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -180,6 +190,7 @@
+@@ -180,6 +188,7 @@
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
@@ -4591,7 +4593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -188,6 +199,7 @@
+@@ -188,6 +197,7 @@
  
  ifdef(`distro_redhat', `
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -4599,7 +4601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
  /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +271,21 @@
+@@ -259,3 +269,21 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4710,7 +4712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-06-12 23:37:56.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2008-08-01 11:19:02.000000000 -0400
 @@ -55,6 +55,11 @@
  type reserved_port_t, port_type, reserved_port_type;
  
@@ -4806,7 +4808,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
  network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +176,20 @@
+@@ -154,19 +170,26 @@
+ network_port(syslogd, udp,514,s0)
+ network_port(telnetd, tcp,23,s0)
+ network_port(tftp, udp,69,s0)
+-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
++network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+ network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
+ network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
  network_port(vnc, tcp,5900,s0)
@@ -9166,7 +9175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2008-06-12 23:37:58.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2008-07-30 11:33:25.000000000 -0400
 @@ -8,24 +8,28 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -9210,12 +9219,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -51,4 +55,7 @@
+@@ -51,4 +55,8 @@
  /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
 -/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Brother/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -12725,8 +12735,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc	2008-06-12 23:37:58.000000000 -0400
-@@ -1,7 +1,11 @@
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc	2008-07-24 14:08:47.000000000 -0400
+@@ -1,7 +1,13 @@
  /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -12736,12 +12746,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++
 +/var/log/wpa_supplicant\.log.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 +/etc/NetworkManager/dispatcher.d(/.*)	gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2008-06-12 23:37:58.000000000 -0400
-@@ -97,3 +97,40 @@
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2008-07-24 14:08:32.000000000 -0400
+@@ -97,3 +97,59 @@
  	allow $1 NetworkManager_t:dbus send_msg;
  	allow NetworkManager_t $1:dbus send_msg;
  ')
@@ -12782,6 +12794,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +	init_script_domtrans_spec($1, NetworkManager_script_exec_t)
 +')
 +
++
++########################################
++## <summary>
++##	Read NetworkManager PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`networkmanager_read_pid_files',`
++	gen_require(`
++		type NetworkManager_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 NetworkManager_var_run_t:file read_file_perms;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-06-12 23:37:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2008-07-02 15:53:02.000000000 -0400
@@ -15191,6 +15222,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
 +	manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
 +	read_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.te serefpolicy-3.0.8/policy/modules/services/rdisc.te
+--- nsaserefpolicy/policy/modules/services/rdisc.te	2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rdisc.te	2008-08-01 12:04:32.000000000 -0400
+@@ -45,6 +45,8 @@
+ libs_use_ld_so(rdisc_t)
+ libs_use_shared_libs(rdisc_t)
+ 
++miscfiles_read_localization(rdisc_t)
++
+ logging_send_syslog_msg(rdisc_t)
+ 
+ sysnet_read_config(rdisc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.0.8/policy/modules/services/remotelogin.if
 --- nsaserefpolicy/policy/modules/services/remotelogin.if	2008-06-12 23:37:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/remotelogin.if	2008-06-12 23:37:58.000000000 -0400
@@ -15979,7 +16022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te	2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.te	2008-07-29 15:52:14.000000000 -0400
 @@ -137,6 +137,11 @@
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
@@ -16009,7 +16052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  kernel_read_proc_symlinks(samba_net_t)
  
  corenet_all_recvfrom_unlabeled(samba_net_t)
-@@ -190,19 +196,15 @@
+@@ -190,24 +196,20 @@
  
  miscfiles_read_localization(samba_net_t) 
  
@@ -16031,6 +16074,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ########################################
  #
  # smbd Local policy
+ #
+-allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner setgid setuid sys_resource lease dac_override dac_read_search };
+ dontaudit smbd_t self:capability sys_tty_config;
+ allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow smbd_t self:process setrlimit;
 @@ -217,19 +219,16 @@
  allow smbd_t self:msgq create_msgq_perms;
  allow smbd_t self:sem create_sem_perms;
@@ -22622,7 +22671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2008-06-12 23:37:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2008-07-24 14:09:14.000000000 -0400
 @@ -45,7 +45,7 @@
  dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
@@ -22659,18 +22708,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  # for the dhcp client to run ping to check IP addresses
  optional_policy(`
  	netutils_domtrans_ping(dhcpc_t)
-@@ -187,6 +193,10 @@
+@@ -187,6 +193,11 @@
  ')
  
  optional_policy(`
 +	networkmanager_domtrans(dhcpc_t)
++	networkmanager_read_pid_files(dhcpc_t)
 +')
 +
 +optional_policy(`
  	nis_use_ypbind(dhcpc_t)
  	nis_signal_ypbind(dhcpc_t)
  	nis_read_ypbind_pid(dhcpc_t)
-@@ -203,9 +213,7 @@
+@@ -203,9 +214,7 @@
  ')
  
  optional_policy(`
@@ -22681,7 +22731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  optional_policy(`
-@@ -216,6 +224,7 @@
+@@ -216,6 +225,7 @@
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -22689,7 +22739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  optional_policy(`
-@@ -227,6 +236,10 @@
+@@ -227,6 +237,10 @@
  ')
  
  optional_policy(`
@@ -22700,7 +22750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  	kernel_read_xen_state(dhcpc_t)
  	kernel_write_xen_state(dhcpc_t)
  	xen_append_log(dhcpc_t)
-@@ -240,7 +253,6 @@
+@@ -240,7 +254,6 @@
  
  allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
@@ -22708,7 +22758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  
  allow ifconfig_t self:fd use;
  allow ifconfig_t self:fifo_file rw_fifo_file_perms;
-@@ -254,6 +266,7 @@
+@@ -254,6 +267,7 @@
  allow ifconfig_t self:sem create_sem_perms;
  allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
@@ -22716,7 +22766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -269,7 +282,10 @@
+@@ -269,7 +283,10 @@
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
  kernel_search_network_sysctl(ifconfig_t)
@@ -22727,7 +22777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
-@@ -280,8 +296,11 @@
+@@ -280,8 +297,11 @@
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
  
@@ -22739,7 +22789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  
  domain_use_interactive_fds(ifconfig_t)
  
-@@ -327,6 +346,14 @@
+@@ -327,6 +347,14 @@
  ')
  
  optional_policy(`
@@ -25830,8 +25880,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te	2008-06-12 23:37:59.000000000 -0400
-@@ -0,0 +1,12 @@
++++ serefpolicy-3.0.8/policy/modules/users/guest.te	2008-07-24 14:16:29.000000000 -0400
+@@ -0,0 +1,22 @@
 +policy_module(guest,1.0.1)
 +userdom_restricted_user_template(guest)
 +userdom_restricted_user_template(gadmin)
@@ -25844,6 +25894,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t
 +	dbus_chat_user_bus(xguest,xguest_mozilla_t)
 +	dbus_connectto_user_bus(xguest,xguest_mozilla_t)
 +')
++
++optional_policy(`
++	gen_require(`
++		type openoffice_exec_t;
++		type xguest_mozilla_t;
++		type xguest_openoffice_t;
++	')
++	
++	domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.8/policy/modules/users/logadm.fc	2008-06-12 23:37:59.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7b08ad7..a624161 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 111%{?dist}
+Release: 112%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Jul 24 2008 Dan Walsh <dwalsh@redhat.com> 3.0.8-112
+- Change dhclient to be able to red networkmanager_var_run
+
 * Wed Jul 2 2008 Dan Walsh <dwalsh@redhat.com> 3.0.8-111
 - Handle updated NetworkManager