diff --git a/modules-targeted.conf b/modules-targeted.conf
index 4f68a1a..f302c42 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -669,6 +669,13 @@ hal = module
hddtemp = module
# Layer: services
+# Module: passenger
+#
+# Passenger
+#
+passenger = module
+
+# Layer: services
# Module: policykit
#
# Hardware abstraction layer
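Review bot: The description line `# Passenger` only repeats the module name, whereas the other entries in this file use that line to say what the module confines; something like `# Passenger application server for Ruby web applications` tells an administrator what enabling the module covers. The new key `passenger = module` must also match the name passed to `policy_module()` in passenger.te, and the hunk adding that file later in this commit spells the module name differently, so the two should be reconciled.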
diff --git a/policy-F13.patch b/policy-F13.patch
index 26760ce..6d6cfe8 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1017,8 +1017,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.7.19/policy/modules/admin/netutils.if
--- nsaserefpolicy/policy/modules/admin/netutils.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/netutils.if 2010-06-15 18:40:03.058768889 +0200
-@@ -299,3 +299,4 @@
++++ serefpolicy-3.7.19/policy/modules/admin/netutils.if 2010-12-15 14:42:55.632042421 +0100
+@@ -41,6 +41,7 @@
+ ')
+
+ netutils_domtrans($1)
++ allow $1 netutils_t:process { signal sigkill };
+ role $2 types netutils_t;
+ ')
+
+@@ -158,6 +159,7 @@
+
+ netutils_domtrans_ping($1)
+ role $2 types ping_t;
++ allow $1 ping_t:process { signal sigkill };
+ ')
+
+ ########################################
+@@ -187,6 +189,7 @@
+
+ if ( user_ping ) {
+ netutils_domtrans_ping($1)
++ allow $1 ping_t:process { signal sigkill };
+ }
+ ')
+
+@@ -250,6 +253,7 @@
+
+ netutils_domtrans_traceroute($1)
+ role $2 types traceroute_t;
++ allow $1 traceroute_t:process { signal sigkill };
+ ')
+
+ ########################################
+@@ -279,6 +283,7 @@
+
+ if( user_ping ) {
+ netutils_domtrans_traceroute($1)
++ allow $1 traceroute_t:process { signal sigkill };
+ }
+ ')
+
+@@ -299,3 +304,4 @@
can_exec($1, traceroute_exec_t)
')
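Review bot: The same `allow $1 <domain>_t:process { signal sigkill };` rule is open-coded in five interfaces here (netutils_run, netutils_run_ping, netutils_run_ping_cond, netutils_run_traceroute, netutils_run_traceroute_cond) instead of reusing the dedicated signal/kill interfaces that staff.te calls later in this commit (netutils_signal_ping, netutils_kill_ping). With the rule duplicated, any later change to what "stop the process" should permit has to be made in five places, and the run interfaces now carry an unexplained widening. Prefer calling the existing interfaces from inside the run interfaces, or at least add one comment per site such as `# the caller must be able to stop the ping/traceroute it started`. Note also that `netutils_run` grants sigkill on the generic netutils_t domain, which is broader than the ping/traceroute cases.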
@@ -6915,8 +6955,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.19/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-05-28 09:42:00.001611798 +0200
-@@ -50,6 +50,8 @@
++++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-12-20 15:25:40.428041440 +0100
+@@ -50,9 +50,12 @@
#
# qemu local policy
#
@@ -6925,7 +6965,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
-@@ -100,6 +102,10 @@
++userdom_stream_connect(qemu_t)
+
+ tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+@@ -100,6 +103,10 @@
xen_rw_image_files(qemu_t)
')
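Review bot: `userdom_stream_connect(qemu_t)` is added unconditionally, with no comment saying which socket qemu needs to reach, immediately above a `tunable_policy` block that gates the other network-related access for this domain. Connecting to arbitrary user-domain unix stream sockets is wider than the rest of the qemu_t rules; if the need comes from one service (presumably a session socket of some kind, this is not visible here), say so in a comment like `# qemu connects to the user's session socket for <service> — TODO confirm`, and consider whether the rule belongs under a tunable. The enclosing qemu_t policy starts before the hunk.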
@@ -6936,7 +6980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
########################################
#
# Unconfined qemu local policy
-@@ -109,7 +115,10 @@
+@@ -109,7 +116,10 @@
type unconfined_qemu_t;
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
@@ -12365,8 +12409,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-07-21 16:02:00.296133754 +0200
-@@ -9,25 +9,56 @@
++++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-12-15 14:43:54.408042196 +0100
+@@ -9,25 +9,58 @@
role staff_r;
userdom_unpriv_user_template(staff)
@@ -12392,7 +12436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+netutils_run_ping(staff_t, staff_r)
++netutils_run_traceroute(staff_t, staff_r)
+netutils_signal_ping(staff_t)
++netutils_kill_ping(staff_t)
+
optional_policy(`
apache_role(staff_r, staff_t)
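Review bot: With this commit's netutils.if change, netutils_run_ping already grants staff_t `ping_t:process { signal sigkill }`, so the existing `netutils_signal_ping(staff_t)` and the newly added `netutils_kill_ping(staff_t)` duplicate it. Keep one mechanism: either drop the two signal/kill calls here, or keep them and take the allow rule back out of the run interface, so that the granted access is visible in a single place. `netutils_kill_ping` is not defined in any visible part of this diff; if it is not present in the patched netutils.if, the staff module will fail to build.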
@@ -12423,7 +12469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
bluetooth_role(staff_r, staff_t)
')
-@@ -99,12 +130,18 @@
+@@ -99,12 +132,18 @@
oident_manage_user_content(staff_t)
oident_relabel_user_content(staff_t)
')
@@ -12442,7 +12488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
pyzor_role(staff_r, staff_t)
')
-@@ -119,22 +156,27 @@
+@@ -119,22 +158,27 @@
optional_policy(`
screen_role_template(staff, staff_r, staff_t)
')
@@ -12470,7 +12516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
sudo_role_template(staff, staff_r, staff_t)
-@@ -145,6 +187,11 @@
+@@ -145,6 +189,11 @@
userdom_dontaudit_use_user_terminals(staff_t)
')
@@ -12482,7 +12528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
thunderbird_role(staff_r, staff_t)
')
-@@ -169,6 +216,77 @@
+@@ -169,6 +218,77 @@
wireshark_role(staff_r, staff_t)
')
@@ -14104,7 +14150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.19/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2010-05-28 09:42:00.049610676 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2010-12-15 14:45:10.473042920 +0100
@@ -13,10 +13,13 @@
userdom_unpriv_user_template(user)
@@ -14119,13 +14165,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
optional_policy(`
auth_role(user_r, user_t)
')
-@@ -109,11 +112,25 @@
+@@ -109,11 +112,30 @@
optional_policy(`
rssh_role(user_r, user_t)
')
+')
+
+optional_policy(`
++ netutils_run_ping_cond(user_t, user_r)
++ netutils_run_traceroute_cond(user_t, user_r)
++')
++
++optional_policy(`
+ rpm_dontaudit_dbus_chat(user_t)
+')
+
@@ -14145,7 +14196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
optional_policy(`
spamassassin_role(user_r, user_t)
')
-@@ -154,6 +171,12 @@
+@@ -154,6 +176,12 @@
wireshark_role(user_r, user_t)
')
@@ -17978,7 +18029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-12-01 11:34:55.678040906 +0100
++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-12-15 15:05:16.296042554 +0100
@@ -0,0 +1,92 @@
+policy_module(certmonger,1.0.0)
+
@@ -18005,7 +18056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+# certmonger local policy
+#
+
-+allow certmonger_t self:capability { kill sys_nice };
++allow certmonger_t self:capability { dac_override dac_read_search kill sys_nice };
+dontaudit certmonger_t self:capability sys_tty_config;
+
+allow certmonger_t self:process { fork getsched setsched sigkill };
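Review bot: Adding `dac_override` alongside `dac_read_search` to certmonger_t's capability set lets the daemon bypass DAC checks for writes as well as reads, and nothing in the hunk records which path required it. Usual refpolicy practice is to grant `dac_read_search` first and add `dac_override` only when an AVC shows a write to a file the daemon does not own; a comment such as `# dac_override: writes cert/key files under <dir> owned by another uid — TODO confirm` would preserve the reason. If the denial was only for reading keys in root-owned directories, `dac_read_search` alone suffices.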
@@ -22546,7 +22597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-12-01 11:51:00.058042190 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-12-15 15:26:48.255042227 +0100
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -22581,7 +22632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
#
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
-+allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
++allow dovecot_t self:capability { dac_override dac_read_search fsetid chown kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
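Review bot: `fsetid` is added to dovecot_t's allowed capabilities without a note of what triggers it. The kernel checks CAP_FSETID on chown/chmod whenever the target has setuid/setgid bits, even when those bits are simply being cleared, so this is often a spurious denial that refpolicy handles with a dontaudit rather than an allow. Unless dovecot genuinely needs to preserve setgid bits on files it chowns, fold it into the existing dontaudit line: `dontaudit dovecot_t self:capability { fsetid sys_tty_config };`.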
@@ -25107,15 +25158,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.7.19/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/milter.fc 2010-09-09 10:52:57.640084901 +0200
-@@ -1,3 +1,6 @@
++++ serefpolicy-3.7.19/policy/modules/services/milter.fc 2010-12-20 15:10:54.057041234 +0100
+@@ -1,10 +1,15 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-@@ -5,6 +8,7 @@
+
++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
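Review bot: The new `/var/lib/dkim-milter(/.*)?` entry labels files with `dkim_milter_data_t`, a type that is not declared anywhere in the visible diff; if milter.te does not already declare it (the other dkim types in this file suggest it may), loading the file contexts will fail. Existing installations also keep the old label on that directory until a relabel runs, which the changelog entry "Add label for /var/lib/dkim-milter" could mention.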
@@ -25593,8 +25645,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te
--- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-11-11 20:18:12.828425369 +0100
-@@ -0,0 +1,122 @@
++++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-12-16 10:26:52.090042381 +0100
+@@ -0,0 +1,123 @@
+
+policy_module(mpd,1.0.0)
+
@@ -25677,6 +25729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+corenet_tcp_bind_mpd_port(mpd_t)
+corenet_tcp_bind_soundd_port(mpd_t)
+
++dev_read_sound(mpd_t)
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
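Review bot: `dev_read_sound(mpd_t)` grants read access to sound devices only, but mpd's purpose is audio playback, which needs write access as well; unless output goes exclusively through a sound server, expect a follow-up denial on the sound device's write permission. Either grant `dev_write_sound(mpd_t)` alongside it or confirm from the audit record that read was the only denied access. The mpd_t rules continue outside the hunk.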
@@ -26163,8 +26216,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.19/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-05-28 09:42:00.127610888 +0200
-@@ -6,6 +6,64 @@
++++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-12-15 13:43:16.366042386 +0100
+@@ -6,6 +6,65 @@
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
@@ -26213,6 +26266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/load -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
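Review bot: The new entry differs from every neighbouring line in two ways that look unintended: it names `system_munin_plugin_exec_t` where the surrounding entries use `munin_system_plugin_exec_t` (if the former is not declared in munin.te, the file contexts will fail to load), and the path `munin_*` is a regular expression, so the `*` applies to the underscore and matches `munin`, `munin_`, `munin__`… rather than names beginning with `munin_`. The line should read `/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)`. Since the most specific regex wins at labelling time, also check that no other munin_-prefixed plugin is meant to receive a different domain.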
@@ -26328,7 +26382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-10-01 15:27:17.303600577 +0200
++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-12-20 16:38:45.976041956 +0100
@@ -28,12 +28,26 @@
type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)
@@ -26397,7 +26451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-@@ -164,3 +186,161 @@
+@@ -164,3 +186,164 @@
optional_policy(`
udev_read_db(munin_t)
')
@@ -26478,6 +26532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+# local policy for service plugins
+#
+
++allow munin_services_plugin_t self:sem create_sem_perms;
+allow munin_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow munin_services_plugin_t self:udp_socket create_socket_perms;
+allow munin_services_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -26498,6 +26553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+sysnet_read_config(munin_services_plugin_t)
+
+optional_policy(`
++ cups_read_config(munin_services_plugin_t)
+ cups_stream_connect(munin_services_plugin_t)
+')
+
@@ -26556,6 +26612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+sysnet_exec_ifconfig(munin_system_plugin_t)
+
+term_getattr_unallocated_ttys(munin_system_plugin_t)
++term_getattr_all_ttys(munin_system_plugin_t)
+term_getattr_all_ptys(munin_system_plugin_t)
+
+auth_use_nsswitch(munin_system_plugin_t)
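Review bot: `term_getattr_all_ttys(munin_system_plugin_t)` is added directly below `term_getattr_unallocated_ttys(munin_system_plugin_t)`; if unallocated ttys carry the attribute that the all-ttys interface keys on (refpolicy's ttynode), the narrower call becomes redundant and should be dropped so the intended breadth is obvious — confirm against terminal.if in this tree. A short comment stating which plugin needs to stat every tty would also help, since the reason is not visible here. The plugin domain's rules start before the hunk.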
@@ -26896,7 +26953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.19/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-12-03 10:08:04.831042328 +0100
++++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-12-15 15:55:10.404042137 +0100
@@ -10,13 +10,12 @@
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
@@ -26969,7 +27026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
########################################
#
# Nagios local policy
-@@ -60,6 +100,9 @@
+@@ -60,8 +100,12 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
@@ -26978,8 +27035,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
++kernel_read_software_raid_state(nagios_t)
-@@ -76,6 +119,9 @@
+ corecmd_exec_bin(nagios_t)
+ corecmd_exec_shell(nagios_t)
+@@ -76,6 +120,9 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
@@ -26989,7 +27049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
-@@ -86,13 +132,12 @@
+@@ -86,13 +133,12 @@
files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -27005,7 +27065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
-@@ -103,12 +148,13 @@
+@@ -103,12 +149,13 @@
userdom_dontaudit_search_user_home_dirs(nagios_t)
mta_send_mail(nagios_t)
@@ -27022,7 +27082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
optional_policy(`
seutil_sigchld_newrole(nagios_t)
-@@ -118,61 +164,63 @@
+@@ -118,61 +165,63 @@
udev_read_db(nagios_t)
')
@@ -27118,7 +27178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
-@@ -183,11 +231,15 @@
+@@ -183,11 +232,15 @@
dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
@@ -27134,7 +27194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
logging_send_syslog_msg(nrpe_t)
miscfiles_read_localization(nrpe_t)
-@@ -199,6 +251,11 @@
+@@ -199,6 +252,11 @@
')
optional_policy(`
@@ -27146,7 +27206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
seutil_sigchld_newrole(nrpe_t)
')
-@@ -209,3 +266,148 @@
+@@ -209,3 +267,148 @@
optional_policy(`
udev_read_db(nrpe_t)
')
@@ -28803,6 +28863,157 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads
+ files_search_etc($1)
admin_pattern($1, pads_config_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.fc serefpolicy-3.7.19/policy/modules/services/passenger.fc
+--- nsaserefpolicy/policy/modules/services/passenger.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/passenger.fc 2010-12-20 17:53:36.719051943 +0100
+@@ -0,0 +1,6 @@
++
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
++
++/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.if serefpolicy-3.7.19/policy/modules/services/passenger.if
+--- nsaserefpolicy/policy/modules/services/passenger.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/passenger.if 2010-12-20 17:53:36.719051943 +0100
+@@ -0,0 +1,67 @@
++## Passenger policy
++
++######################################
++##
++## Execute passenger in the passenger domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`passenger_domtrans',`
++ gen_require(`
++ type passenger_t, passenger_exec_t;
++ ')
++
++ allow $1 self:capability { fowner fsetid };
++
++ allow $1 passenger_t:process signal;
++
++ domtrans_pattern($1, passenger_exec_t, passenger_t)
++ allow $1 passenger_t:unix_stream_socket { read write shutdown };
++ allow passenger_t $1:unix_stream_socket { read write };
++')
++
++######################################
++##
++## Manage passenger var_run content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_manage_pid_content',`
++ gen_require(`
++ type passenger_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++')
++
++########################################
++##
++## Read passenger lib files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_read_lib_files',`
++ gen_require(`
++ type passenger_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.te serefpolicy-3.7.19/policy/modules/services/passenger.te
+--- nsaserefpolicy/policy/modules/services/passenger.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/passenger.te 2010-12-20 17:55:05.720041285 +0100
+@@ -0,0 +1,66 @@
++policy_module(passanger, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type passenger_t;
++type passenger_exec_t;
++domain_type(passenger_t)
++domain_entry_file(passenger_t, passenger_exec_t)
++role system_r types passenger_t;
++
++type passenger_tmp_t;
++files_tmp_file(passenger_tmp_t)
++
++type passenger_var_lib_t;
++files_type(passenger_var_lib_t)
++
++type passenger_var_run_t;
++files_pid_file(passenger_var_run_t)
++
++permissive passenger_t;
++
++########################################
++#
++# passanger local policy
++#
++
++allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
++allow passenger_t self:process signal;
++allow passenger_t self:fifo_file rw_fifo_file_perms;
++allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++files_search_var_lib(passenger_t)
++manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
++manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
++
++manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
++
++kernel_read_system_state(passenger_t)
++kernel_read_kernel_sysctls(passenger_t)
++
++corenet_tcp_connect_http_port(passenger_t)
++
++corecmd_exec_bin(passenger_t)
++corecmd_exec_shell(passenger_t)
++
++dev_read_urand(passenger_t)
++
++files_read_etc_files(passenger_t)
++
++auth_use_nsswitch(passenger_t)
++
++miscfiles_read_localization(passenger_t)
++
++userdom_dontaudit_use_user_terminals(passenger_t)
++
++optional_policy(`
++ apache_append_log(passenger_t)
++ apache_read_sys_content(passenger_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2010-08-17 15:11:28.402085340 +0200
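Review bot: The module is declared as `policy_module(passanger, 1.0.0)` and the local-policy banner also says "passanger", while the file name, every type it declares and the new `passenger = module` entry in modules-targeted.conf spell it "passenger"; the built module would not match the conf key, so change the line to `policy_module(passenger, 1.0.0)` and fix the banner. Two further points in the same hunk: `permissive passenger_t;` ships the new domain in permissive mode, which is reasonable for a first backport but should be stated in the changelog and removed once the policy is confirmed, and `passenger_domtrans` grants the caller `allow $1 self:capability { fowner fsetid };` — a domtrans interface that silently widens the calling domain's capabilities is surprising and should either be described in the interface summary or moved to the caller's own .te where the need is visible. The passenger_t capability line `{ dac_override fsetid fowner chown setuid setgid }` likewise has no comment on what each is for.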
@@ -35254,8 +35465,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
domain_use_interactive_fds(snort_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.19/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.fc 2010-07-21 09:52:32.681135100 +0200
-@@ -1,15 +1,27 @@
++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.fc 2010-12-20 16:58:16.259041911 +0100
+@@ -1,15 +1,28 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -35271,6 +35482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
@@ -42131,16 +42343,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-12-01 16:12:34.019051437 +0100
-@@ -10,6 +10,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-12-20 14:52:26.229042213 +0100
+@@ -9,7 +9,9 @@
+ # /etc
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
++/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
ifdef(`distro_redhat',`
-@@ -75,13 +76,11 @@
+@@ -75,13 +77,11 @@
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
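Review bot: Labelling `/etc/httpd/alias(/.*)?` as `cert_t` makes the entire directory readable by every domain that calls miscfiles_read_certs, which in refpolicy is a large set; that directory is typically an NSS database holding the server's private keys next to its certificates, so confirm that broad readability is intended, or give the key database a more restrictive type if this tree has one. A comment such as `# NSS database for httpd; readable as cert_t by design — TODO confirm` would at least record the decision.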
@@ -43365,7 +43579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-10-26 10:36:50.480651251 +0200
++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-12-20 16:32:51.450041217 +0100
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -43515,7 +43729,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -383,7 +392,6 @@
+@@ -375,6 +384,8 @@
+
+ mls_rangetrans_source(run_init_t)
+
++term_use_console(run_init_t)
++
+ selinux_validate_context(run_init_t)
+ selinux_compute_access_vector(run_init_t)
+ selinux_compute_create_context(run_init_t)
+@@ -383,7 +394,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
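Review bot: `term_use_console(run_init_t)` grants read and write use of console_device_t, whereas the changelog entry in this commit says "Allow run_init to read console_device"; if reading is genuinely all that is needed, use a read-only interface from terminal.if instead, otherwise align the changelog wording with the actual grant. A one-line comment stating what run_init does with the console would help the next reader, since the reason is not visible in the hunk.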
@@ -43523,7 +43746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -406,6 +414,10 @@
+@@ -406,6 +416,10 @@
')
')
@@ -43534,7 +43757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -421,61 +433,22 @@
+@@ -421,61 +435,22 @@
# semodule local policy
#
@@ -43548,16 +43771,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
--kernel_read_system_state(semanage_t)
--kernel_read_kernel_sysctls(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--corecmd_exec_bin(semanage_t)
+-kernel_read_system_state(semanage_t)
+-kernel_read_kernel_sysctls(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-corecmd_exec_bin(semanage_t)
+-
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
@@ -43581,11 +43804,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
+-locallogin_use_fds(semanage_t)
+-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
@@ -43604,7 +43827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +457,24 @@
+@@ -484,12 +459,24 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -43629,7 +43852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,112 +484,54 @@
+@@ -499,112 +486,54 @@
userdom_read_user_tmp_files(semanage_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b5178dd..2522639 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 76%{?dist}
+Release: 77%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,13 @@ exit 0
%endif
%changelog
+* Mon Dec 20 2010 Miroslav Grepl 3.7.19-77
+- Fixes for certmonger
+- Backport passenger policy
+- Allow run_init to read console_device
+- Add label for /var/lib/dkim-milter
+- Fixes for munin policy
+
* Thu Dec 9 2010 Miroslav Grepl 3.7.19-76
- Fixes for clamscan