diff --git a/policy-F13.patch b/policy-F13.patch
index e7fb58f..0e28057 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -13567,7 +13567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-02-08 16:31:28.403796002 +0000
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-03-04 13:15:26.285413000 +0000
@@ -28,17 +28,31 @@
corecmd_exec_shell(sysadm_t)
@@ -13843,7 +13843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +465,21 @@
+@@ -393,23 +465,31 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -13865,7 +13865,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +493,11 @@
+ ')
+
+ optional_policy(`
++ udev_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ unprivuser_role_change(sysadm_r)
+ ')
+
+@@ -417,9 +497,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
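Review bot: The added `udev_run(sysadm_t, sysadm_r)` block lets an interactive sysadm_r session enter udev_t, and in the same commit the udev.te hunk gives udev_t `files_manage_etc_files`, so the two should be reviewed together: a domain now reachable from a login role carries create/write/unlink on all of etc_t, not only the /etc/sysconfig files the udev.te comment mentions. If the intent is merely to let administrators invoke udev tooling, a comment above the block such as `# run udev tools in the udev domain from the sysadm role` would record that, and the etc_t breadth is better narrowed on the udev_t side. The changelog line for this change in selinux-policy.spec reads `sysamd`, presumably `sysadm`.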
@@ -13877,7 +13887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +505,15 @@
+@@ -427,9 +509,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -13893,7 +13903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +524,30 @@
+@@ -440,13 +528,30 @@
')
optional_policy(`
@@ -28897,7 +28907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-11-10 09:33:17.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2011-03-04 12:16:27.592413002 +0000
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -28996,7 +29006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +139,42 @@
+@@ -116,25 +139,43 @@
seutil_read_config(NetworkManager_t)
@@ -29018,6 +29028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+sysnet_delete_dhcpc_state(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
++sysnet_signull_dhcpc(NetworkManager_t)
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
@@ -29046,7 +29057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -142,12 +182,31 @@
+@@ -142,12 +183,31 @@
')
optional_policy(`
@@ -29081,7 +29092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -155,23 +214,58 @@
+@@ -155,23 +215,58 @@
')
optional_policy(`
@@ -29143,7 +29154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -179,12 +273,16 @@
+@@ -179,12 +274,16 @@
')
optional_policy(`
@@ -39753,7 +39764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2011-03-01 12:47:10.941730376 +0000
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2011-03-04 13:37:14.590413001 +0000
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -39852,16 +39863,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -134,6 +152,8 @@
+@@ -134,6 +152,13 @@
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
+append_files_pattern(svirt_t, virt_home_t, virt_home_t)
+stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)
++
++#676372
++allow svirt_t virt_home_t:dir { add_name write };
++allow svirt_t virt_home_t:sock_file manage_sock_file_perms;
++allow svirt_t virt_home_t:file rw_inherited_file_perms;
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
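Review bot: The new `allow svirt_t virt_home_t:dir { add_name write };` grants only name creation on the directory, while `manage_sock_file_perms` on the sock_file class includes unlink, so removing a stale monitor socket from ~/.libvirt would still be denied for lack of `remove_name`; either trim the sock_file permissions to what is used, or replace the two rules with `manage_sock_files_pattern(svirt_t, virt_home_t, virt_home_t)`, which is the refpolicy idiom and supplies the directory side consistently with the `append_files_pattern` and `stream_connect_pattern` lines just above. The bare `#676372` comment should say what it references, e.g. `# bug 676372: svirt creates guest monitor sockets in ~/.libvirt`. `rw_inherited_file_perms` on every virt_home_t file is broader than the socket use case in the changelog; worth confirming which regular files svirt actually needs to write.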
-@@ -148,11 +168,13 @@
+@@ -148,11 +173,13 @@
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -39875,7 +39891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
tunable_policy(`virt_use_sysfs',`
-@@ -161,11 +183,18 @@
+@@ -161,11 +188,18 @@
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -39894,7 +39910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
xen_rw_image_files(svirt_t)
')
-@@ -179,22 +208,32 @@
+@@ -179,22 +213,32 @@
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -39930,7 +39946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -205,8 +244,14 @@
+@@ -205,8 +249,14 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -39947,7 +39963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -225,6 +270,7 @@
+@@ -225,6 +275,7 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -39955,7 +39971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -248,18 +294,27 @@
+@@ -248,18 +299,27 @@
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@@ -39984,7 +40000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -267,6 +322,18 @@
+@@ -267,6 +327,18 @@
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -40003,7 +40019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
-@@ -290,16 +357,31 @@
+@@ -290,16 +362,31 @@
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -40035,7 +40051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -318,6 +400,10 @@
+@@ -318,6 +405,10 @@
')
optional_policy(`
@@ -40046,7 +40062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -370,6 +456,8 @@
+@@ -370,6 +461,8 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -40055,7 +40071,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -407,6 +495,19 @@
+@@ -399,7 +492,6 @@
+ # virtual domains common policy
+ #
+
+-allow virt_domain self:capability { dac_read_search dac_override kill };
+ allow virt_domain self:process { execmem execstack signal getsched signull };
+ allow virt_domain self:fifo_file rw_file_perms;
+ allow virt_domain self:shm create_shm_perms;
+@@ -407,6 +499,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
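Review bot: The removed `allow virt_domain self:capability { dac_read_search dac_override kill };` takes the capabilities away from every domain carrying the virt_domain attribute (this is the "virtual domains common policy" section), whereas the changelog describes it as removing a capability from svirt only; if another virt_domain member still relies on `kill` or DAC override, those operations will now be denied in enforcing mode. Dropping dac_override from guest domains is a sound least-privilege change, but a short comment at the spot, `# guest domains get no DAC override or kill capability`, would record the intent for the next reader. The enclosing virt_domain block continues beyond the hunk.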
@@ -40075,7 +40099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +528,7 @@
+@@ -427,6 +532,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -40083,7 +40107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,10 +536,12 @@
+@@ -434,10 +540,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -40096,7 +40120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -445,6 +549,11 @@
+@@ -445,6 +553,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -40108,7 +40132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +571,13 @@
+@@ -462,8 +575,13 @@
')
optional_policy(`
@@ -47364,8 +47388,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.19/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-09-16 13:27:33.000000000 +0000
-@@ -88,8 +88,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/udev.if 2011-03-04 13:01:58.267413001 +0000
+@@ -1,5 +1,31 @@
+ ## Policy for udev.
+
++######################################
++##
++## Execute udev in the udev domain, and
++## allow the specified role the udev domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the iptables domain.
++##
++##
++##
++#
++interface(`udev_run',`
++ gen_require(`
++ type udev_t;
++ ')
++
++ udev_domtrans($1)
++ role $2 types udev_t;
++')
++
+ ########################################
+ ##
+ ## Send generic signals to udev.
+@@ -88,8 +114,7 @@
')
kernel_search_proc($1)
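Review bot: The `$2` parameter description in the new `udev_run` interface reads `## The role to be allowed the iptables domain.`, which looks copied from another interface; it should read `## The role to be allowed the udev domain.`. The summary and parameter lines above it appear as empty `##` lines in this rendering; if the `<summary>`/`<param>` markup is genuinely missing from the file rather than stripped on display, the refpolicy documentation tools will not pick the interface up. The `gen_require` block correctly only needs `type udev_t` for the `role $2 types udev_t` statement, since the transition itself is delegated to `udev_domtrans($1)`.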
@@ -47375,7 +47431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
')
########################################
-@@ -196,6 +195,25 @@
+@@ -196,6 +221,25 @@
########################################
##
@@ -47403,7 +47459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.19/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/udev.te 2011-01-14 13:25:52.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/udev.te 2011-03-04 12:59:56.537413001 +0000
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -47412,7 +47468,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -111,6 +112,7 @@
+@@ -104,6 +105,8 @@
+ domain_read_all_domains_state(udev_t)
+ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+
++# console_init manages files in /etc/sysconfig
++files_manage_etc_files(udev_t)
+ files_read_usr_files(udev_t)
+ files_read_etc_runtime_files(udev_t)
+ files_read_etc_files(udev_t)
+@@ -111,6 +114,7 @@
files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
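Review bot: `files_manage_etc_files(udev_t)` is much broader than the comment above it describes: it grants create, write and unlink on every file of type etc_t, not only the /etc/sysconfig files console_init touches, and with the sysadm.te hunk in this commit udev_t is now reachable from an interactive role. If console_init only rewrites existing files, `files_rw_etc_files(udev_t)` is the narrower choice; if it creates files, labeling the /etc/sysconfig console files with a dedicated type and granting udev_t that type keeps the rest of etc_t read-only for udev. At minimum the comment should state the breadth, e.g. `# console_init rewrites files in /etc/sysconfig (note: grants manage on all etc_t)`. The udev_t rule block continues outside the hunk.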
@@ -47420,7 +47485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
-@@ -138,6 +140,7 @@
+@@ -138,6 +142,7 @@
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -47428,7 +47493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -211,6 +214,10 @@
+@@ -211,6 +216,10 @@
')
optional_policy(`
@@ -47439,7 +47504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
consoletype_exec(udev_t)
')
-@@ -254,6 +261,10 @@
+@@ -254,6 +263,10 @@
')
optional_policy(`
@@ -47450,7 +47515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -268,6 +279,10 @@
+@@ -268,6 +281,10 @@
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a59ea5f..c6534f9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 96%{?dist}
+Release: 97%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
%endif
%changelog
+* Fri Mar 4 2011 Miroslav Grepl 3.7.19-97
+- Allow svirt to manage sock_file in ~/.libvirt directory
+- Allow sysamd to run udev in udev_t domain
+- Remove capability from svirt
+- Add lvm_exec_t label for kpartx
+
* Tue Mar 1 2011 Miroslav Grepl 3.7.19-96
- Add virt_home_ type files located in ~/.libvirt directory
- virt creates monitor sockets in the users home dir