From e74b348928c02e100e96980a61fd38f5a0b8b64d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 01 2011 13:52:15 +0000 Subject: - Add virt_home_ type files located in ~/.libvirt directory - virt creates monitor sockets in the users home dir - Allow lvm setfscreate - mta search /var/lib/logcheck - sssd needs to bind to random UDP ports - certmonger wants to read keytab files --- diff --git a/policy-F13.patch b/policy-F13.patch index bb69297..93008f9 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -290,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs --- nsaserefpolicy/policy/mcs 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/mcs 2011-02-22 18:00:53.341097838 +0000 ++++ serefpolicy-3.7.19/policy/mcs 2011-03-01 12:53:22.768577523 +0000 @@ -86,10 +86,10 @@ (( h1 dom h2 ) and ( l2 eq h2 )); @@ -332,7 +332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1 mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } ( h1 dom h2 ); -@@ -126,10 +132,22 @@ +@@ -126,10 +132,25 @@ mlsconstrain db_tuple { relabelfrom select update delete use } ( h1 dom h2 ); @@ -352,6 +352,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); ++mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind ++ (( h1 dom h2 ) or ( t1 == mcsnetwrite )); ++ +mlsconstrain packet { send recv } + (( h1 dom h2 ) or ( t1 == mcsnetwrite )); + 
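Review bot: The new `node_bind` constraint covers `tcp_socket udp_socket rawip_socket` but not `dccp_socket`, which also carries a `node_bind` permission if it is declared in this policy's access vectors (it was in refpolicy of this vintage), so a DCCP bind would escape the MCS check the other protocols now get. The `packet { send recv }` constraint directly below it is protocol-agnostic, so the asymmetry looks accidental rather than intended. Suggested change: `mlsconstrain { tcp_socket udp_socket rawip_socket dccp_socket } node_bind`, keeping the `(( h1 dom h2 ) or ( t1 == mcsnetwrite ))` body. If `dccp_socket` is deliberately left out, a one-line comment above the constraint saying so would stop the next reader from asking the same question.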
@@ -2966,8 +2969,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-02-07 15:02:32.542796002 +0000 -@@ -0,0 +1,71 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-02-25 17:15:02.692365619 +0000 +@@ -0,0 +1,75 @@ +policy_module(shutdown,1.0.0) + +######################################## @@ -3026,6 +3029,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +miscfiles_read_localization(shutdown_t) + +optional_policy(` ++ cron_system_entry(shutdown_t, shutdown_exec_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(shutdown_t) + dbus_connect_system_bus(shutdown_t) +') @@ -19064,8 +19071,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-12-15 14:05:16.000000000 +0000 -@@ -0,0 +1,92 @@ ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-02-25 17:14:37.956974505 +0000 +@@ -0,0 +1,93 @@ +policy_module(certmonger,1.0.0) + +######################################## @@ -19151,6 +19158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + +optional_policy(` + kerberos_use(certmonger_t) ++ kerberos_read_keytab(certmonger_t) +') + +optional_policy(` 
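Review bot: `kerberos_read_keytab(certmonger_t)` hands the daemon read access to every krb5_keytab_t file, i.e. the host's long-term Kerberos keys, and the hunk adds it without a comment saying which operation needs it, so a later reviewer cannot tell whether the grant is still required. The changelog only says certmonger "wants to" read keytab files. A short comment above the call, e.g. `# certmonger authenticates to the CA with the host keytab` adjusted to the actual use, would document the credential grant; if a single specific keytab is involved, note that too since the interface is not file-specific.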
@@ -23589,7 +23597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.19/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te 2010-10-13 06:36:11.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te 2011-03-01 12:38:16.907876101 +0000 @@ -19,6 +19,9 @@ type dnsmasq_lease_t; files_type(dnsmasq_lease_t) @@ -23626,7 +23634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) -@@ -87,6 +93,22 @@ +@@ -87,6 +93,23 @@ userdom_dontaudit_search_user_home_dirs(dnsmasq_t) optional_policy(` @@ -23639,6 +23647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + +optional_policy(` + dbus_system_bus_client(dnsmasq_t) ++ dbus_connect_system_bus(dnsmasq_t) +') + +optional_policy(` @@ -27335,7 +27344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2011-01-04 14:53:26.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2011-02-25 12:50:49.452607424 +0000 @@ -21,8 +21,8 @@ type etc_mail_t; files_config_file(etc_mail_t) 
@@ -27489,7 +27498,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -245,6 +256,10 @@ +@@ -238,6 +249,10 @@ + ') + + optional_policy(` ++ logwatch_search_cache_dir(mailserver_delivery) ++') ++ ++optional_policy(` + # so MTA can access /var/lib/mailman/mail/wrapper + files_search_var_lib(mailserver_delivery) + +@@ -245,6 +260,10 @@ mailman_read_data_symlinks(mailserver_delivery) ') @@ -27500,7 +27520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## # # User send mail local policy -@@ -288,3 +303,33 @@ +@@ -288,3 +307,33 @@ postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -33617,7 +33637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2011-02-23 12:36:31.000366945 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2011-02-25 13:14:14.528020225 +0000 @@ -14,6 +14,13 @@ ## gen_tunable(puppet_manage_all_files, false) @@ -33647,7 +33667,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp kernel_read_system_state(puppetmaster_t) kernel_read_crypto_sysctls(puppetmaster_t) -@@ -213,15 +227,31 @@ +@@ -210,18 +224,35 @@ + dev_read_rand(puppetmaster_t) + dev_read_urand(puppetmaster_t) + ++domain_obj_id_change_exemption(puppetmaster_t) domain_read_all_domains_state(puppetmaster_t) files_read_etc_files(puppetmaster_t) 
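Review bot: The new `logwatch_search_cache_dir(mailserver_delivery)` block is meant to satisfy the changelog item "mta search /var/lib/logcheck", but nothing in the hunk connects /var/lib/logcheck to the logwatch cache type, so the rule reads as unrelated to its stated purpose. If /var/lib/logcheck is labeled logwatch_cache_t in this policy (as refpolicy's logwatch.fc does), say so in place: `# /var/lib/logcheck is labeled logwatch_cache_t; MTAs need to search it when delivering logcheck mail` above the call. If it is not labeled that way, the rule grants search on the wrong directory and a logcheck-specific interface is needed instead.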
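Review bot: `domain_obj_id_change_exemption(puppetmaster_t)` adds the domain to `can_change_object_identity`, which lifts the `u1 == u2` constraint on create/relabel for every object puppetmaster_t touches, not only the one that motivated it, and the hunk gives no comment saying which operation tripped the constraint. That is a far broader grant than the neighbouring read-only rules and should be justified in place, e.g. `# puppetmaster creates/relabels files under a different SELinux user (path?) — see bug N`. It is also worth confirming the exemption belongs to the master rather than the agent domain puppet_t, which is the one that rewrites arbitrary files under the `puppet_manage_all_files` tunable declared earlier in this file.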
@@ -33679,7 +33703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -232,3 +262,8 @@ +@@ -232,3 +263,8 @@ rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -36433,7 +36457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2011-01-27 14:24:59.458455001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2011-02-25 12:35:52.540685721 +0000 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -38854,7 +38878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd sssd_initrc_domtrans($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2010-08-18 11:10:17.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2011-03-01 12:58:07.985556649 +0000 @@ -29,9 +29,12 @@ # # sssd local policy 
@@ -38869,23 +38893,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -50,6 +53,7 @@ +@@ -50,6 +53,10 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_system_state(sssd_t) +kernel_read_network_state(sssd_t) ++ ++corenet_udp_bind_generic_port(sssd_t) ++corenet_dontaudit_udp_bind_all_ports(sssd_t) corecmd_exec_bin(sssd_t) -@@ -81,6 +85,8 @@ +@@ -61,6 +68,7 @@ + files_list_tmp(sssd_t) + files_read_etc_files(sssd_t) + files_read_usr_files(sssd_t) ++files_list_var_lib(sssd_t) + + fs_list_inotifyfs(sssd_t) + +@@ -81,6 +89,11 @@ miscfiles_read_localization(sssd_t) ++sysnet_dns_name_resolve(sssd_t) ++sysnet_use_ldap(sssd_t) ++ +userdom_manage_tmp_role(system_r, sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) +@@ -89,3 +102,11 @@ + optional_policy(` + kerberos_manage_host_rcache(sssd_t) + ') ++ ++optional_policy(` ++ dirsrv_stream_connect(sssd_t) ++') ++ ++optional_policy(` ++ ldap_stream_connect(sssd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.19/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/sysstat.te 2010-07-27 13:46:39.000000000 +0000 
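Review bot: `corenet_dontaudit_udp_bind_all_ports(sssd_t)` hides every failed UDP bind on a labeled port, so when one of sssd's "random" ports lands on a reserved port the failure leaves no audit trace, and nothing in the hunk explains why `corenet_udp_bind_generic_port(sssd_t)` alone is not enough. A comment above the pair would make the intent reviewable, e.g. `# sssd binds random UDP source ports (changelog 3.7.19-96); binds that hit a labeled port are retried, so do not audit them`, adjusted to what sssd actually does on a failed bind. If it does not retry, the dontaudit is masking a real functional failure rather than noise and should be dropped. The `sysnet_dns_name_resolve`, `sysnet_use_ldap` and the ldap/dirsrv stream-connect blocks are self-explanatory.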
@@ -39448,8 +39498,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2010-08-18 12:33:42.000000000 +0000 -@@ -12,18 +12,19 @@ ++++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-03-01 12:46:03.926380019 +0000 +@@ -1,4 +1,5 @@ +-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) + HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) + HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + +@@ -12,18 +13,19 @@ /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -39689,7 +39746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2011-01-24 17:03:51.777455001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2011-03-01 12:47:10.941730376 +0000 @@ -1,5 +1,5 @@ -policy_module(virt, 1.3.2) @@ -39711,7 +39768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ## Allow virt to use usb devices ##
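Review bot: The hunk changes the label of an existing path, `HOME_DIR/.virtinst(/.*)?`, from virt_content_t to virt_home_t, and that is more than a rename: elsewhere in this commit svirt_t is given append on virt_home_t files, whereas virt_content_t is only listed (and, as a media type, presumably read) by the guest domain, so any guest can now append to files under ~/.virtinst that it previously could not modify. If that is intended, a comment in virt.fc or the changelog should say so; if ~/.virtinst only holds boot images and ISOs fetched by virt-install, keeping it virt_content_t looks like the safer label. Existing installs also keep the old label until the home directory is relabeled, which a package upgrade is unlikely to do for user homes.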

## -@@ -51,12 +58,12 @@ +@@ -51,35 +58,44 @@ virt_domain_template(svirt) role system_r types svirt_t; @@ -39727,7 +39784,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virt_etc_t; files_config_file(virt_etc_t) -@@ -66,20 +73,26 @@ + type virt_etc_rw_t; + files_type(virt_etc_rw_t) + ++type virt_home_t; ++userdom_user_home_content(virt_home_t) ++ # virt Image files type virt_image_t; # customizable virt_image(virt_image_t) @@ -39754,7 +39816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virtd_t; type virtd_exec_t; -@@ -90,6 +103,11 @@ +@@ -90,6 +106,11 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -39766,7 +39828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -105,15 +123,12 @@ +@@ -105,15 +126,12 @@ allow svirt_t self:udp_socket create_socket_perms; @@ -39783,7 +39845,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -148,11 +163,13 @@ +@@ -134,6 +152,8 @@ + userdom_search_user_home_content(svirt_t) + userdom_read_user_home_content_symlinks(svirt_t) + userdom_read_all_users_state(svirt_t) ++append_files_pattern(svirt_t, virt_home_t, virt_home_t) ++stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t) + + tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(svirt_t) +@@ -148,11 +168,13 @@ tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -39797,7 +39868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') tunable_policy(`virt_use_sysfs',` -@@ -161,11 +178,18 @@ +@@ -161,11 +183,18 @@ tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) 
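Review bot: `append_files_pattern(svirt_t, virt_home_t, virt_home_t)` lets the guest's qemu process append to every file under ~/.libvirt and ~/.virtinst, since virt.fc labels those trees uniformly, including — if they live there — the domain XML and other state that virtd_t creates and later parses (this commit gives virtd_t manage rights on the same type). A compromised guest that appends garbage to a file it can see gets at least a denial of service against the user's libvirt session, and the grant is wider than the stated need of writing its own log. The system policy already separates guest-writable logs (virt_log_t, appended by virt_domain) from management state, and the user-home case deserves the same split, e.g. a dedicated type for ~/.libvirt/qemu/log with the append rule pointed at it. Separately, `stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)` has the guest connecting to virtd_t's sockets; if the monitor socket is created by qemu in server mode, the connecting side is virtd_t and the argument order may be reversed — worth confirming against how libvirt sets up the monitor.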
@@ -39816,7 +39887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt xen_rw_image_files(svirt_t) ') -@@ -179,22 +203,32 @@ +@@ -179,22 +208,32 @@ # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -39852,7 +39923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -205,8 +239,14 @@ +@@ -205,8 +244,14 @@ manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -39869,7 +39940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -225,6 +265,7 @@ +@@ -225,6 +270,7 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -39877,7 +39948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -248,18 +289,27 @@ +@@ -248,18 +294,27 @@ dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) @@ -39906,7 +39977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -267,6 +317,18 @@ +@@ -267,6 +322,18 @@ fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) 
@@ -39925,14 +39996,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) -@@ -290,16 +352,26 @@ +@@ -290,16 +357,31 @@ modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -39947,12 +40018,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) ++manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) ++manage_files_pattern(virtd_t, virt_home_t, virt_home_t) ++manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) ++manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) ++userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) + +consoletype_exec(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -318,6 +390,10 @@ +@@ -318,6 +400,10 @@ ') optional_policy(` @@ -39963,7 +40039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dbus_system_bus_client(virtd_t) optional_policy(` -@@ -370,6 +446,8 @@ +@@ -370,6 +456,8 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -39972,7 +40048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -407,6 +485,19 @@ +@@ -407,6 +495,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; 
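Review bot: `userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })` is an unnamed transition, so every directory or file virtd_t creates directly in a user's home root becomes virt_home_t — not just `.libvirt` — and anything so labeled is then appendable by guests under the svirt_t rule added elsewhere in this commit. Assuming named file transitions are not yet available to this policy, the scope cannot be narrowed here, but the intent should be recorded: `# virtd creates ~/.libvirt (monitor sockets, logs); unnamed transition, so virtd must not create other top-level home entries`. The `sock_file` class is absent from the transition, which is fine only because the sockets are created inside the already-labeled `.libvirt` tree rather than in the home root — worth stating in the same comment.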
@@ -39992,7 +40068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -427,6 +518,7 @@ +@@ -427,6 +528,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -40000,7 +40076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -434,10 +526,12 @@ +@@ -434,10 +536,12 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -40013,7 +40089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -445,6 +539,11 @@ +@@ -445,6 +549,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -40025,7 +40101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -462,8 +561,13 @@ +@@ -462,8 +571,13 @@ ') optional_policy(` @@ -42224,7 +42300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.19/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2011-01-14 13:32:33.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2011-03-01 12:58:30.780995518 +0000 @@ -6,9 +6,17 @@ # Declarations # 
@@ -42252,7 +42328,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) -@@ -395,3 +403,13 @@ +@@ -100,6 +108,9 @@ + files_read_etc_files(chkpwd_t) + # for nscd + files_dontaudit_search_var(chkpwd_t) ++#671882 ++files_read_usr_symlinks(chkpwd_t) ++files_list_tmp(chkpwd_t) + + fs_dontaudit_getattr_xattr_fs(chkpwd_t) + +@@ -395,3 +406,13 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -44658,7 +44744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2011-02-03 10:53:43.756796001 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2011-02-25 16:51:35.365008252 +0000 @@ -13,6 +13,9 @@ type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) @@ -44669,6 +44755,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) +@@ -25,7 +28,7 @@ + role system_r types lvm_t; + + type lvm_etc_t; +-files_type(lvm_etc_t) ++files_config_file(lvm_etc_t) + + type lvm_lock_t; + files_lock_file(lvm_lock_t) @@ -57,6 +60,10 @@ allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; 
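Review bot: The comment `#671882` above the two new chkpwd_t rules is a bare bug number and tells a reader nothing about why a password-checking helper reached from every login path needs to follow /usr symlinks and list /tmp, which is access a reviewer will want to re-justify later. Replace it with a sentence naming the trigger, e.g. `# rhbz#671882: unix_chkpwd is reached via symlinked /usr paths and lists /tmp (<tool>)`, filling in the actual program. `files_list_tmp` also gives chkpwd_t a view of other users' /tmp entries; if only a path lookup is needed, `files_search_tmp(chkpwd_t)` is the narrower grant.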
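Review bot: Changing `lvm_etc_t` from `files_type` to `files_config_file` adds it to the `configfile` attribute, so every domain holding `files_read_config_files`/`files_manage_config_files`/`files_relabel_config_files` (backup, admin and config-management domains) can now read or rewrite /etc/lvm/lvm.conf, not only lvm_t, and the changelog does not mention this widening. If the goal was to let one domain read lvm.conf, `lvm_read_config(domain)` is the narrower fix; if the attribute is wanted, a comment such as `# lvm.conf is handled by generic config tooling, hence configfile` should record the decision.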
@@ -44692,15 +44787,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ccs_stream_connect(clvmd_t) ') -@@ -171,6 +183,7 @@ - allow lvm_t self:process { sigchld sigkill sigstop signull signal }; +@@ -168,13 +180,15 @@ + # net_admin for multipath + allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; + dontaudit lvm_t self:capability sys_tty_config; +-allow lvm_t self:process { sigchld sigkill sigstop signull signal }; ++allow lvm_t self:process { setfscreate sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; +allow lvm_t self:sem create_sem_perms; allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -218,6 +231,7 @@ + allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow lvm_t self:sem create_sem_perms; + + allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; +@@ -191,8 +205,9 @@ + can_exec(lvm_t, lvm_exec_t) + + # Creating lock files ++manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) + manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) +-files_lock_filetrans(lvm_t, lvm_lock_t, file) ++files_lock_filetrans(lvm_t, lvm_lock_t, { file dir }) + + manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) + manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) +@@ -201,7 +216,7 @@ + manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) + manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) + manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) +-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) ++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file sock_file }) + + read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) + 
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) +@@ -211,6 +226,7 @@ + files_etc_filetrans(lvm_t, lvm_metadata_t, file) + files_search_mnt(lvm_t) + ++kernel_get_sysvipc_info(lvm_t) + kernel_read_system_state(lvm_t) + kernel_read_kernel_sysctls(lvm_t) + # Read system variables in /proc/sys +@@ -218,6 +234,7 @@ # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -44708,7 +44840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -244,6 +258,7 @@ +@@ -244,6 +261,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -44716,7 +44848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,8 +268,9 @@ +@@ -253,8 +271,9 @@ files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -44727,7 +44859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -264,6 +280,7 @@ +@@ -264,6 +283,7 @@ mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) @@ -44735,7 +44867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -311,6 +328,11 @@ +@@ -311,6 +331,11 @@ ') optional_policy(` @@ -44747,7 +44879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te bootloader_rw_tmp_files(lvm_t) ') -@@ -331,6 +353,10 @@ +@@ -331,6 +356,10 @@ ') optional_policy(` 
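Review bot: The hunk adds `++allow lvm_t self:sem create_sem_perms;` after the `netlink_kobject_uevent_socket` rule, but the identical line already exists a few lines above (the single-plus `+allow lvm_t self:sem create_sem_perms;` kept as context), so the second copy is redundant and should be dropped. The `setfscreate` permission added to the `process` set is the substantive change: it lets lvm_t pick the label of objects it creates (the kernel then only requires `create` on the chosen type), which is a notable capability for a domain that already holds `sys_admin`, `mknod` and `sys_rawio`, so it deserves an in-line reason, e.g. `# setfscreate: lvm labels the /dev/mapper nodes it creates from file_contexts`, adjusted to the real trigger. It should also be paired with `seutil_read_file_contexts(lvm_t)` if that is not already present outside this hunk.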
@@ -48095,7 +48227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2011-02-07 16:39:28.257796001 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2011-02-25 17:52:11.239507921 +0000 @@ -30,8 +30,9 @@ ') @@ -49238,7 +49370,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1116,10 +1325,13 @@ +@@ -1102,6 +1311,9 @@ + dev_rename_all_blk_files($1_t) + dev_rename_all_chr_files($1_t) + dev_create_generic_symlinks($1_t) ++ # needed by lsusb ++ dev_rw_generic_usb_dev($1_t) ++ dev_rw_usbfs($1_t) + + domain_setpriority_all_domains($1_t) + domain_read_all_domains_state($1_t) +@@ -1116,15 +1328,19 @@ domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -49252,7 +49394,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1139,6 +1351,7 @@ + storage_raw_read_removable_device($1_t) + storage_raw_write_removable_device($1_t) ++ storage_dontaudit_read_fixed_disk($1_t) + + term_use_all_terms($1_t) + +@@ -1139,6 +1355,7 @@ logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -49260,7 +49408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1207,6 +1420,8 @@ +@@ -1207,6 +1424,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
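Review bot: `storage_dontaudit_read_fixed_disk($1_t)` suppresses the audit record for an admin user process trying to read a raw fixed disk, which is exactly the kind of attempt (dd of a disk, a forensic or exfiltration read) an operator would want logged, and the hunk does not say which legitimate tool produces the noise. Either name it, `# dontaudit: <tool> probes fixed disks on startup`, or drop the dontaudit and let the denial be seen. The enclosing template starts outside the hunk; from the surrounding `storage_raw_*_removable_device` and `modutils_domtrans_insmod` rules it appears to be the admin user template, so this affects every sysadm-style login. The `dev_rw_generic_usb_dev`/`dev_rw_usbfs` lines do carry a reason (`# needed by lsusb`); the new dontaudit should get the same treatment.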
@@ -49269,7 +49417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1219,6 +1434,7 @@ +@@ -1219,6 +1438,7 @@ selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -49277,7 +49425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1234,6 +1450,7 @@ +@@ -1234,6 +1454,7 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -49285,7 +49433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_setfiles($1, $2) optional_policy(` -@@ -1272,11 +1489,15 @@ +@@ -1272,11 +1493,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -49301,7 +49449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,6 +1608,7 @@ +@@ -1387,6 +1612,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -49309,7 +49457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1433,6 +1655,14 @@ +@@ -1433,6 +1659,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -49324,7 +49472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1448,9 +1678,11 @@ +@@ -1448,9 +1682,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -49336,7 +49484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1507,6 +1739,42 @@ +@@ -1507,6 +1743,42 @@ allow $1 user_home_dir_t:dir relabelto; ') 
@@ -49379,7 +49527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1581,6 +1849,8 @@ +@@ -1581,6 +1853,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -49388,7 +49536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1595,10 +1865,12 @@ +@@ -1595,10 +1869,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` @@ -49403,7 +49551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1641,6 +1913,24 @@ +@@ -1641,6 +1917,24 @@ ######################################## ## @@ -49428,7 +49576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1692,10 +1982,30 @@ +@@ -1692,10 +1986,30 @@ type user_home_dir_t, user_home_t; ') @@ -49459,7 +49607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Do not audit attempts to read user home files. -@@ -1708,11 +2018,14 @@ +@@ -1708,11 +2022,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -49477,7 +49625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1802,8 +2115,7 @@ +@@ -1802,8 +2119,7 @@ type user_home_dir_t, user_home_t; ') @@ -49487,7 +49635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1815,24 +2127,17 @@ +@@ -1815,24 +2131,17 @@ ## Domain allowed access. ## ## 
@@ -49516,7 +49664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -1866,6 +2171,7 @@ +@@ -1866,6 +2175,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -49524,7 +49672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,6 +2408,25 @@ +@@ -2102,6 +2412,25 @@ ######################################## ## @@ -49550,7 +49698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to list user ## temporary directories. ## -@@ -2218,6 +2543,25 @@ +@@ -2218,6 +2547,25 @@ ######################################## ## @@ -49576,7 +49724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to manage users ## temporary files. ## -@@ -2427,13 +2771,14 @@ +@@ -2427,13 +2775,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -49592,7 +49740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2454,6 +2799,24 @@ +@@ -2454,6 +2803,24 @@ ######################################## ## @@ -49617,7 +49765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2747,6 +3110,25 @@ +@@ -2747,6 +3114,25 @@ ######################################## ## @@ -49643,7 +49791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2787,7 +3169,7 @@ +@@ -2787,7 +3173,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -49652,7 +49800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3185,13 @@ +@@ -2803,11 +3189,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -49668,7 +49816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3328,7 @@ +@@ -2944,7 +3332,7 @@ type user_tmp_t; ') @@ -49677,7 +49825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3365,7 @@ +@@ -2981,6 +3369,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -49685,7 +49833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3496,725 @@ +@@ -3111,3 +3500,725 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7e10342..a59ea5f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 95%{?dist} +Release: 96%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,14 @@ exit 0 %endif %changelog +* Tue Mar 1 2011 Miroslav Grepl 3.7.19-96 +- Add virt_home_ type files located in ~/.libvirt directory +- virt creates monitor sockets in the users home dir +- Allow lvm setfscreate +- mta search /var/lib/logcheck +- sssd needs to bind to random UDP ports +- certmonger wants to read keytab files + * Thu Feb 24 2011 Miroslav Grepl 3.7.19-95 - Fix spec file to not restore context on /var/lib - Fix for policykit