From f8860b48b302e992d77a10a48e1d750269e638d1 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Nov 16 2011 14:45:15 +0000 Subject: - Allow spamd and clamd to steam connect to each other - Allow colord to execute ifconfig - Allow smbcontrol to signal themselves - Make faillog MLS trusted to make sudo_$1_t working --- diff --git a/policy-F15.patch b/policy-F15.patch index 32d3d4e..23a501e 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -11582,7 +11582,7 @@ index 5a07a43..096bc60 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..794a39b 100644 +index 0757523..d0b509a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -11687,7 +11687,7 @@ index 0757523..794a39b 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -126,43 +152,59 @@ network_port(iscsi, tcp,3260,s0) +@@ -126,43 +152,60 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -11711,6 +11711,7 @@ index 0757523..794a39b 100644 +network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) ++network_port(mongod, tcp,27017,s0) network_port(monopd, tcp,1234,s0) +network_port(movaz_ssc, tcp,5252,s0) +network_port(mpd, tcp,6600,s0) @@ -11753,7 +11754,7 @@ index 0757523..794a39b 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,25 +219,30 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,25 +220,30 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -11789,7 +11790,7 @@ index 0757523..794a39b 100644 network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -205,20 +252,23 @@ network_port(transproxy, tcp,8081,s0) +@@ -205,20 +253,23 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -11816,7 +11817,7 @@ index 0757523..794a39b 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -272,9 +322,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -272,9 +323,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -23164,7 +23165,7 @@ index 1f11572..7f6a7ab 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..a2e2d35 100644 +index f758323..73fd6d3 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,9 @@ @@ -23217,30 +23218,42 @@ index f758323..a2e2d35 100644 corenet_sendrecv_clamd_server_packets(clamd_t) dev_read_rand(clamd_t) -@@ -127,12 +132,16 @@ logging_send_syslog_msg(clamd_t) +@@ -127,13 +132,6 @@ logging_send_syslog_msg(clamd_t) miscfiles_read_localization(clamd_t) -cron_use_fds(clamd_t) -cron_use_system_job_fds(clamd_t) -cron_rw_pipes(clamd_t) -+optional_policy(` +- +-mta_read_config(clamd_t) +-mta_send_mail(clamd_t) +- + optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) +@@ -142,13 +140,30 @@ optional_policy(` + ') + + optional_policy(` + cron_use_fds(clamd_t) + cron_use_system_job_fds(clamd_t) + cron_rw_pipes(clamd_t) +') ++ ++optional_policy(` + exim_read_spool_files(clamd_t) + ') --mta_read_config(clamd_t) --mta_send_mail(clamd_t) +optional_policy(` + mta_read_config(clamd_t) + mta_send_mail(clamd_t) +') - - optional_policy(` - amavis_read_lib_files(clamd_t) -@@ -147,8 +156,10 @@ optional_policy(` - ++ ++optional_policy(` ++ spamd_stream_connect(clamd_t) ++') ++ tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; -', ` @@ -23251,7 +23264,7 @@ index f758323..a2e2d35 100644 ') ######################################## -@@ -178,10 +189,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +193,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -23270,7 +23283,7 @@ index f758323..a2e2d35 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +206,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +210,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -23278,7 +23291,7 @@ index f758323..a2e2d35 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +225,18 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +229,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -23301,7 +23314,7 @@ index f758323..a2e2d35 100644 ######################################## # # clamscam local policy -@@ -248,9 +268,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t) +@@ -248,9 +272,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t) corenet_tcp_sendrecv_generic_node(clamscan_t) corenet_tcp_sendrecv_all_ports(clamscan_t) corenet_tcp_sendrecv_clamd_port(clamscan_t) @@ -23313,7 +23326,7 @@ index f758323..a2e2d35 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +286,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +290,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -23399,10 +23412,10 @@ index 0000000..b5058ac + diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if new file mode 100644 -index 0000000..917f8d4 +index 0000000..6451167 --- /dev/null +++ b/policy/modules/services/cloudform.if -@@ -0,0 +1,23 @@ +@@ -0,0 +1,40 @@ +## cloudform policy + +####################################### @@ -23424,11 +23437,28 @@ index 0000000..917f8d4 + type $1_t, cloudform_domain; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) ++') ++ ++###################################### ++## ++## Execute mongod in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`cloudform_exec_mongod',` ++ gen_require(` ++ type mogod_exec_t; ++ ') + ++ can_exec($1, mogod_exec_t) +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..51accbe +index 0000000..b1f481a --- /dev/null +++ b/policy/modules/services/cloudform.te @@ -0,0 +1,212 @@ @@ -23595,7 +23625,7 @@ index 0000000..51accbe +files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) + +corenet_tcp_bind_generic_node(mongod_t) -+corenet_tcp_bind_generic_port(mongod_t) ++corenet_tcp_bind_mongod_port(mongod_t) + +files_read_usr_files(mongod_t) + @@ -24642,10 +24672,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..76bf893 +index 0000000..2d54d11 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,132 @@ +@@ -0,0 +1,135 @@ +policy_module(colord,1.0.0) + +######################################## @@ -24738,8 +24768,6 @@ index 0000000..76bf893 + +miscfiles_read_localization(colord_t) + -+sysnet_dns_name_resolve(colord_t) -+ +userdom_read_inherited_user_home_content_files(colord_t) +userdom_rw_user_tmpfs_files(colord_t) + @@ -24770,6 +24798,11 @@ index 0000000..76bf893 +') + +optional_policy(` ++ sysnet_exec_ifconfig(colord_t) ++ sysnet_dns_name_resolve(colord_t) ++') ++ ++optional_policy(` + udev_read_db(colord_t) +') + @@ -44091,7 +44124,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..e27fb71 100644 +index e30bb63..d2dac53 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -44210,7 +44243,14 @@ index e30bb63..e27fb71 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +558,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -555,18 +553,20 @@ optional_policy(` + # smbcontrol local policy + # + ++ ++allow smbcontrol_t self:process signal; + # internal communication is often done using fifo and unix sockets. + allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; @@ -44228,7 +44268,7 @@ index e30bb63..e27fb71 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -644,8 +642,6 @@ auth_use_nsswitch(smbmount_t) +@@ -644,8 +644,6 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -44237,7 +44277,7 @@ index e30bb63..e27fb71 100644 locallogin_use_fds(smbmount_t) logging_search_logs(smbmount_t) -@@ -657,6 +653,10 @@ optional_policy(` +@@ -657,6 +655,10 @@ optional_policy(` cups_read_rw_config(smbmount_t) ') @@ -44248,7 +44288,7 @@ index e30bb63..e27fb71 100644 ######################################## # # SWAT Local policy -@@ -677,7 +677,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -44257,7 +44297,7 @@ index e30bb63..e27fb71 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +692,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -44272,7 +44312,7 @@ index e30bb63..e27fb71 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +712,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -44280,7 +44320,7 @@ index e30bb63..e27fb71 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +757,8 @@ logging_search_logs(swat_t) +@@ -754,6 +759,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -44289,7 +44329,7 @@ index e30bb63..e27fb71 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +811,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -44311,7 +44351,7 @@ index e30bb63..e27fb71 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +839,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -44319,7 +44359,7 @@ index e30bb63..e27fb71 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -922,6 +929,18 @@ optional_policy(` +@@ -922,6 +931,18 @@ optional_policy(` # optional_policy(` @@ -44338,7 +44378,7 @@ index e30bb63..e27fb71 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +951,12 @@ optional_policy(` +@@ -932,9 +953,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -45306,7 +45346,7 @@ index c954f31..7f57f22 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..b4c21bd 100644 +index ec1eb1e..29f86b2 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,54 +6,101 @@ policy_module(spamassassin, 2.4.0) @@ -45624,7 +45664,7 @@ index ec1eb1e..b4c21bd 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +468,27 @@ files_read_var_lib_files(spamd_t) +@@ -367,22 +468,31 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -45642,6 +45682,10 @@ index ec1eb1e..b4c21bd 100644 userdom_search_user_home_dirs(spamd_t) +optional_policy(` ++ clamav_stream_connect(spamd_t) ++') ++ ++optional_policy(` + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) +') @@ -45656,7 +45700,7 @@ index ec1eb1e..b4c21bd 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,24 +505,24 @@ optional_policy(` +@@ -399,24 +509,24 @@ optional_policy(` ') optional_policy(` @@ -45688,7 +45732,7 @@ index ec1eb1e..b4c21bd 100644 ') optional_policy(` -@@ -424,9 +530,7 @@ optional_policy(` +@@ -424,9 +534,7 @@ optional_policy(` ') optional_policy(` @@ -45699,7 +45743,7 @@ index ec1eb1e..b4c21bd 100644 postgresql_stream_connect(spamd_t) ') -@@ -437,6 +541,10 @@ optional_policy(` +@@ -437,6 +545,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -45710,7 +45754,7 @@ index ec1eb1e..b4c21bd 100644 ') optional_policy(` -@@ -451,3 +559,51 @@ optional_policy(` +@@ -451,3 +563,51 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -45881,7 +45925,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..7cf2180 100644 +index 22adaca..485666a 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -46149,7 +46193,51 @@ index 22adaca..7cf2180 100644 files_search_pids($1) ') -@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',` +@@ -643,6 +676,43 @@ interface(`ssh_agent_exec',` + + ######################################## + ## ++## Getattr ssh home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_getattr_user_home_dir',` ++ gen_require(` ++ type ssh_home_t; ++ ') ++ ++ allow $1 ssh_home_t:dir getattr; ++') ++ ++######################################## ++## ++## Dontaudit search ssh home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_dontaudit_search_user_home_dir',` ++ gen_require(` ++ type ssh_home_t; ++ ') ++ ++ dontaudit $1 ssh_home_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++>>>>>>> 6e8a117... Add ssh_dontaudit_search_home_dir + ## Read ssh home directory content + ## + ## +@@ -680,6 +750,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -46182,7 +46270,7 @@ index 22adaca..7cf2180 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +791,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -46191,7 +46279,7 @@ index 22adaca..7cf2180 100644 ') ###################################### -@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +831,21 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -60917,10 +61005,10 @@ index eae5001..71e46b2 100644 -') +attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..392d1ee 100644 +index db75976..1b82cb5 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,17 @@ +@@ -1,4 +1,18 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -60936,11 +61024,12 @@ index db75976..392d1ee 100644 +HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) ++HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..1ff8612 100644 +index 28b88de..1e62428 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -62861,7 +62950,7 @@ index 28b88de..1ff8612 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3729,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3729,1093 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -63938,6 +64027,23 @@ index 28b88de..1ff8612 100644 + dontaudit $1 user_tmp_type:file read_file_perms; +') + ++####################################### ++## ++## Read and write unpriviledged user SysV sempaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_unpriv_user_semaphores',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:sem rw_sem_perms; ++') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index df29ca1..2a5c03d 100644 --- a/policy/modules/system/userdomain.te diff --git a/selinux-policy.spec b/selinux-policy.spec index e875335..719a190 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 46%{?dist} +Release: 47%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,12 @@ exit 0 %endif %changelog +* Wed Nov 16 2011 Miroslav Grepl 3.9.16-47 +- Allow spamd and clamd to steam connect to each other +- Allow colord to execute ifconfig +- Allow smbcontrol to signal themselves +- Make faillog MLS trusted to make sudo_$1_t working + * Mon Nov 7 2011 Miroslav Grepl 3.9.16-46 - Backport MCS fixes from F16 - Other chrome fixes from F16