diff --git a/policy-F13.patch b/policy-F13.patch
index a602f6f..a73f764 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -290,8 +290,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs
--- nsaserefpolicy/policy/mcs 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/mcs 2011-03-01 12:53:22.768577523 +0000
-@@ -86,10 +86,10 @@
++++ serefpolicy-3.7.19/policy/mcs 2011-04-08 17:41:01.661000002 +0000
+@@ -69,16 +69,21 @@
+ # - /proc/pid operations are not constrained.
+
+ mlsconstrain file { read ioctl lock execute execute_no_trans }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+ mlsconstrain file { write setattr append unlink link rename }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
++ (( h1 dom h2 ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+ mlsconstrain dir { search read ioctl lock }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+ mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
++
+
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+@@ -86,10 +91,10 @@
(( h1 dom h2 ) and ( l2 eq h2 ));
# new file labels must be dominated by the relabeling subject clearance
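Review bot: The rewritten `mlsconstrain file { write setattr append unlink link rename }` expression drops the `( t1 == mcswriteall )` disjunct that the replaced line carried, while the parallel `dir` write constraint later in the same hunk keeps it. As written, a domain given the `mcswriteall` attribute — for example through the `mcs_file_write_all($1)` call this commit adds in domain.if — still needs `h1 dom h2` to write files, so the attribute no longer means what its name says for the file class. Unless the omission is deliberate, the first line of that constraint should read `(( h1 dom h2 ) or ( t1 == mcswriteall ) or` to match the other three. The extra blank line inserted before the relabel comment block is also a stray whitespace change.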
@@ -304,7 +330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { transition dyntransition }
-@@ -101,13 +101,16 @@
+@@ -101,13 +106,16 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
@@ -322,7 +348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain { db_tuple } { insert relabelto }
-@@ -117,6 +120,9 @@
+@@ -117,6 +125,9 @@
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
( h1 dom h2 );
@@ -332,7 +358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
( h1 dom h2 );
-@@ -126,10 +132,25 @@
+@@ -126,10 +137,25 @@
mlsconstrain db_tuple { relabelfrom select update delete use }
( h1 dom h2 );
@@ -1114,7 +1140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.19/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-10-25 08:18:24.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2011-04-11 08:13:49.818000002 +0000
@@ -20,6 +20,9 @@
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -1136,7 +1162,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
-@@ -93,12 +100,13 @@
+@@ -59,6 +66,7 @@
+ files_read_var_symlinks(logwatch_t)
+ files_read_etc_files(logwatch_t)
+ files_read_etc_runtime_files(logwatch_t)
++files_read_system_conf_files(logwatch_t)
+ files_read_usr_files(logwatch_t)
+ files_search_spool(logwatch_t)
+ files_search_mnt(logwatch_t)
+@@ -93,12 +101,13 @@
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -1151,7 +1185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
')
tunable_policy(`use_nfs_home_dirs',`
-@@ -146,3 +154,26 @@
+@@ -146,3 +155,26 @@
samba_read_log(logwatch_t)
samba_read_share_files(logwatch_t)
')
@@ -3293,7 +3327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2011-02-14 15:06:53.162796002 +0000
++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2011-04-08 17:45:34.634000002 +0000
@@ -121,6 +121,10 @@
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
@@ -3394,7 +3428,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -471,6 +486,7 @@
+@@ -460,6 +475,7 @@
+ fs_getattr_xattr_fs(useradd_t)
+
+ mls_file_upgrade(useradd_t)
++mls_process_read_to_clearance(useradd_t)
+
+ # Allow access to context for shadow file
+ selinux_get_fs_mount(useradd_t)
+@@ -471,6 +487,7 @@
term_use_all_ttys(useradd_t)
term_use_all_ptys(useradd_t)
@@ -3402,7 +3444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,12 +514,8 @@
+@@ -498,12 +515,8 @@
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -3416,7 +3458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
mta_manage_spool(useradd_t)
-@@ -527,6 +539,12 @@
+@@ -527,6 +540,12 @@
')
optional_policy(`
@@ -7988,8 +8030,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-04-04 18:36:33.935000001 +0000
-@@ -0,0 +1,478 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-04-08 17:54:32.262000002 +0000
+@@ -0,0 +1,482 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8256,6 +8298,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
+
+optional_policy(`
++ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
++')
++
++optional_policy(`
+ dbus_system_bus_client(sandbox_x_domain)
+')
+
@@ -8505,33 +8551,72 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
files_search_home($1_screen_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2011-03-04 14:38:26.802413002 +0000
-@@ -25,7 +25,7 @@
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain allowed to transition.
- ##
- ##
- ##
-@@ -53,8 +53,14 @@
++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2011-04-11 09:40:16.897000002 +0000
+@@ -2,59 +2,14 @@
########################################
##
--## Role access for seunshare
+-## Execute a domain transition to run seunshare.
+## The role template for the seunshare module.
##
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-#
+-interface(`seunshare_domtrans',`
+- gen_require(`
+- type seunshare_t, seunshare_exec_t;
+- ')
+-
+- domtrans_pattern($1, seunshare_exec_t, seunshare_t)
+-')
+-
+-########################################
+-##
+-## Execute seunshare in the seunshare domain, and
+-## allow the specified role the seunshare domain.
+-##
+-##
+##
-+##
+ ##
+-## Domain allowed access.
+-##
+-##
+-##
+-##
+-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
-+##
-+##
+ ##
+ ##
+-#
+-interface(`seunshare_run',`
+- gen_require(`
+- type seunshare_t;
+- ')
+-
+- seunshare_domtrans($1)
+- role $2 types seunshare_t;
+-
+- allow $1 seunshare_t:process signal_perms;
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+- ')
+-')
+-
+-########################################
+-##
+-## Role access for seunshare
+-##
##
##
## Role allowed access.
-@@ -66,15 +72,31 @@
+@@ -66,15 +21,31 @@
##
##
#
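Review bot: `seunshare_domtrans` and `seunshare_run` are deleted outright rather than deprecated; the refpolicy convention for a retired interface is a stub that emits `refpolicywarn` naming the replacement, so out-of-tree modules still build, e.g. `interface(`seunshare_run',` / `refpolicywarn(`$0($*) has been deprecated, use seunshare_role_template() instead.')` / `')`. Whether any in-tree caller still references the removed interfaces cannot be seen from this hunk. The remaining doc block describes the prefix and role parameters, but the template body in the next hunk also uses a third argument (`$3`, the domain that transitions); it should have its own parameter entry if one does not already follow below the hunk. The template's opening line is outside this hunk.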
@@ -8547,18 +8632,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ type $1_seunshare_t, seunshare_domain;
+ application_domain($1_seunshare_t, seunshare_exec_t)
+ role $2 types $1_seunshare_t;
-
-- seunshare_domtrans($1)
++
+ mls_process_set_level($1_seunshare_t)
-
-- ps_process_pattern($2, seunshare_t)
-- allow $2 seunshare_t:process signal;
++
+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
+ sandbox_transition($1_seunshare_t, $2)
-+
+
+- seunshare_domtrans($1)
+ ps_process_pattern($3, $1_seunshare_t)
+ allow $3 $1_seunshare_t:process signal_perms;
-+
+
+- ps_process_pattern($2, seunshare_t)
+- allow $2 seunshare_t:process signal;
+ allow $1_seunshare_t $3:process transition;
+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
+
@@ -10538,7 +10623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.19/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2011-01-14 13:56:43.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2011-04-08 17:41:56.083000002 +0000
@@ -611,7 +611,7 @@
########################################
@@ -10595,10 +10680,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
-@@ -1445,3 +1461,22 @@
+@@ -1444,4 +1460,29 @@
+ typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
- ')
++
++ mcs_file_read_all($1)
++ mcs_file_write_all($1)
++ mcs_killall($1)
++ mcs_ptrace_all($1)
++ mcs_socket_write_all_levels($1)
++')
+
+########################################
+##
@@ -10617,7 +10709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+ ')
+
+ dontaudit $1 domain:socket_class_set { read write };
-+')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.19/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2011-02-14 14:48:35.612796002 +0000
@@ -13700,7 +13792,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-04-05 20:22:37.666000001 +0000
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-04-08 17:50:24.049000002 +0000
+@@ -17,9 +17,9 @@
+
+ userdom_admin_user_template(sysadm)
+
+-ifndef(`enable_mls',`
++#ifndef(`enable_mls',`
+ userdom_security_admin_template(sysadm_t, sysadm_r)
+-')
++#')
+
+ ########################################
+ #
@@ -28,17 +28,31 @@
corecmd_exec_shell(sysadm_t)
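Review bot: Commenting out `ifndef(`enable_mls',`` and its closing `')` with `#` leaves dead m4 in the file; the two lines should be deleted and the intent recorded in a comment, e.g. `# sysadm_t is also the security administrator, including on MLS builds`. The guard being neutralised is what kept `userdom_security_admin_template` out of sysadm_r on MLS builds, presumably because MLS configurations hold that in a separate security-admin role, so the change collapses a deliberate separation of duties and deserves a visible justification rather than a silently disabled conditional. The same `#ifndef` pattern is applied in the `@@ -13733` hunk below, where it also puts audit-log and audit-config management, plus the new `logging_stream_connect_syslog(sysadm_t)`, into sysadm_t unconditionally; the same comment applies there.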
@@ -13733,14 +13837,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -56,6 +70,7 @@
+@@ -52,11 +66,12 @@
+ ')
+ ')
+
+-ifndef(`enable_mls',`
++#ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
+-')
+ logging_stream_connect_syslog(sysadm_t)
- ')
++#')
tunable_policy(`allow_ptrace',`
+ domain_ptrace_all_domains(sysadm_t)
@@ -70,7 +85,9 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
@@ -15254,7 +15365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.19/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2011-01-27 14:39:30.789455000 +0000
++++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2011-04-08 17:49:10.449000002 +0000
@@ -13,10 +13,17 @@
userdom_unpriv_user_template(user)
@@ -15273,18 +15384,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
optional_policy(`
auth_role(user_r, user_t)
')
-@@ -109,11 +116,30 @@
+@@ -109,19 +116,39 @@
optional_policy(`
rssh_role(user_r, user_t)
')
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- screen_role_template(user, user_r, user_t)
+ netutils_run_ping_cond(user_t, user_r)
+ netutils_run_traceroute_cond(user_t, user_r)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- spamassassin_role(user_r, user_t)
+ rpm_dontaudit_dbus_chat(user_t)
+')
+
@@ -15295,16 +15408,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
+optional_policy(`
+ sandbox_transition(user_t, user_r)
+')
++
++optional_policy(`
++ screen_role_template(user, user_r, user_t)
+ ')
optional_policy(`
- screen_role_template(user, user_r, user_t)
+ ssh_role_template(user, user_r, user_t)
')
+ifndef(`distro_redhat',`
++optional_policy(`
++ spamassassin_role(user_r, user_t)
++')
++
++
optional_policy(`
- spamassassin_role(user_r, user_t)
+ su_role_template(user, user_r, user_t)
')
-@@ -154,6 +180,12 @@
+@@ -154,6 +181,12 @@
wireshark_role(user_r, user_t)
')
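Review bot: The re-added `spamassassin_role(user_r, user_t)` block is placed directly after `ifndef(`distro_redhat',``, so on Red Hat builds it is compiled out together with `su_role_template`; since the upstream unconditional `spamassassin_role` line is removed earlier in this file section, those builds end up with no spamassassin role for user_r. If that is intended, a one-line comment saying so would help; otherwise the three-line `optional_policy(` block should move above the `ifndef`. The two consecutive blank lines added after it should be one. The closing `')` of the `ifndef` is outside the hunk.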
@@ -22703,8 +22825,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.19/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/devicekit.if 2010-09-16 12:43:03.000000000 +0000
-@@ -139,6 +139,26 @@
++++ serefpolicy-3.7.19/policy/modules/services/devicekit.if 2011-04-08 17:53:19.231000002 +0000
+@@ -139,6 +139,47 @@
########################################
##
@@ -22726,12 +22848,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+')
+
++#######################################
++##
++## Dontaudit Send and receive messages from
++## devicekit disk over dbus.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`devicekit_dontaudit_dbus_chat_disk',`
++ gen_require(`
++ type devicekit_disk_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 devicekit_disk_t:dbus send_msg;
++ dontaudit devicekit_disk_t $1:dbus send_msg;
++ ')
++
+########################################
+##
## All of the rules required to administrate
## an devicekit environment
##
-@@ -162,16 +182,16 @@
+@@ -162,16 +203,16 @@
interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
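Review bot: The new `devicekit_dontaudit_dbus_chat_disk` interface closes with an indented `')`, whereas the other interfaces in this file (including the one directly above it) close at column 0, and its header rule is one `#` shorter than the 40-column rule used by the neighbouring blocks; both should match the file. The summary `Dontaudit Send and receive messages from devicekit disk over dbus.` would read more consistently as `Do not audit attempts to send and receive dbus messages to and from devicekit disk.`. The body itself — two symmetric `dontaudit` rules on `dbus send_msg` — is fine.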
@@ -26726,7 +26869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.fc serefpolicy-3.7.19/policy/modules/services/matahari.fc
--- nsaserefpolicy/policy/modules/services/matahari.fc 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/matahari.fc 2011-03-16 14:17:03.980107001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/matahari.fc 2011-04-08 17:47:37.603000002 +0000
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
@@ -26741,8 +26884,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mata
+/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0)
+
+/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0)
-+/var/run/matahari.pid gen_context(system_u:object_r:matahari_var_run_t,s0)
-+
++/var/run/matahari\.pid gen_context(system_u:object_r:matahari_var_run_t,s0)
++/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.if serefpolicy-3.7.19/policy/modules/services/matahari.if
--- nsaserefpolicy/policy/modules/services/matahari.if 1970-01-01 00:00:00.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/matahari.if 2011-03-16 14:17:03.980107001 +0000
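Review bot: The corrected `/var/run/matahari\.pid` entry still has no file-type field, while the new `/var/run/matahari-broker\.pid` line beside it restricts to regular files with `--`. For a pid file the first entry should be `/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)` so that both pid entries are typed the same way and neither labels a directory or symlink of that name.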
@@ -29576,7 +29719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2011-03-04 12:16:27.592413002 +0000
++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2011-04-11 08:29:59.550000002 +0000
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -29587,7 +29730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
-@@ -33,14 +36,16 @@
+@@ -33,14 +36,18 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -29595,6 +29738,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
++#bug in kernel
++dontaudit NetworkManager_t self:capability sys_module;
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
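Review bot: The comment `#bug in kernel` above the new `dontaudit NetworkManager_t self:capability sys_module;` does not say which kernel behaviour triggers the spurious CAP_SYS_MODULE check, so nobody can later tell when the rule can be retired; make it `# kernel wrongly checks CAP_SYS_MODULE on <operation> (kernel bug <BUG-ID>); drop once fixed`. A `dontaudit` on a privileged capability also suppresses the AVC record for any genuine module-loading attempt by this domain, which is why the trigger and a removal criterion should be on record. The same comment/rule pair is added for virtd_t in the virt.te hunk `@@ -41228` and for udev_t in the udev.te hunk `@@ -48955`; the same applies there.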
@@ -29606,7 +29751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -51,8 +56,14 @@
+@@ -51,8 +58,14 @@
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -29623,7 +29768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -62,7 +73,9 @@
+@@ -62,7 +75,9 @@
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
@@ -29634,7 +29779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +94,18 @@
+@@ -81,13 +96,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -29653,7 +29798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
mls_file_read_all_levels(NetworkManager_t)
-@@ -98,15 +116,20 @@
+@@ -98,15 +118,20 @@
domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
@@ -29675,7 +29820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +139,43 @@
+@@ -116,25 +141,43 @@
seutil_read_config(NetworkManager_t)
@@ -29726,7 +29871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -142,12 +183,31 @@
+@@ -142,12 +185,31 @@
')
optional_policy(`
@@ -29761,7 +29906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -155,23 +215,58 @@
+@@ -155,23 +217,58 @@
')
optional_policy(`
@@ -29823,7 +29968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -179,12 +274,16 @@
+@@ -179,12 +276,16 @@
')
optional_policy(`
@@ -36109,8 +36254,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-03-18 14:46:13.492630000 +0000
-@@ -0,0 +1,281 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-04-11 08:54:04.983000002 +0000
+@@ -0,0 +1,288 @@
+
+policy_module(rhcs,1.1.0)
+
@@ -36253,13 +36398,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+#
+
+allow foghorn_t self:process { signal };
++allow foghorn_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(foghorn_t)
++files_read_usr_files(foghorn_t)
+
+optional_policy(`
+ dbus_connect_system_bus(foghorn_t)
+ ')
+
++optional_policy(`
++ snmp_read_snmp_var_lib_files(foghorn_t)
++ snmp_stream_connect(foghorn_t)
++')
++
+######################################
+#
+# gfs_controld local policy
@@ -39686,7 +39838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-04-06 12:03:25.085000001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-04-08 17:44:36.599000002 +0000
@@ -34,13 +34,12 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -39857,7 +40009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_keysign_t)
files_read_etc_files(ssh_keysign_t)
-@@ -282,36 +248,39 @@
+@@ -282,36 +248,40 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -39898,6 +40050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
-',`
- userdom_spec_domtrans_unpriv_users(sshd_t)
- userdom_signal_unpriv_users(sshd_t)
++ userdom_spec_domtrans_all_users(sshd_t)
')
optional_policy(`
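Review bot: `userdom_spec_domtrans_all_users(sshd_t)` lets sshd transition into every user domain, administrative ones included, and the block it is added to opens outside this hunk, so it is not visible whether it sits in the `ssh_sysadm_login` tunable branch the changelog refers to or in an unconditional block. If it is unconditional, the boolean no longer gates administrator logins over ssh; if it is the tunable branch, a comment on the line would make that explicit, e.g. `# ssh_sysadm_login: also allow transitions into admin user domains`. The removed alternative branch also carried `userdom_signal_unpriv_users(sshd_t)`; check that the rules remaining outside the hunk still let sshd signal the sessions it spawns.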
@@ -39906,7 +40059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -319,10 +288,27 @@
+@@ -319,10 +289,27 @@
')
optional_policy(`
@@ -39934,7 +40087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +319,18 @@
+@@ -333,10 +320,18 @@
')
optional_policy(`
@@ -39954,7 +40107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
-@@ -368,6 +362,7 @@
+@@ -368,6 +363,7 @@
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -39962,7 +40115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-@@ -376,14 +371,21 @@
+@@ -376,14 +372,21 @@
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
@@ -39984,7 +40137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
domain_use_interactive_fds(ssh_keygen_t)
-@@ -397,6 +399,13 @@
+@@ -397,6 +400,13 @@
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -41082,7 +41235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2011-03-04 13:37:14.590413001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2011-04-11 08:32:09.748000002 +0000
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -41228,11 +41381,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
xen_rw_image_files(svirt_t)
')
-@@ -179,22 +213,32 @@
+@@ -179,22 +213,34 @@
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
++#kernel bug
++dontaudit virtd_t self:capability sys_module;
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom
@@ -41264,7 +41419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -205,8 +249,14 @@
+@@ -205,8 +251,14 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -41281,7 +41436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -225,6 +275,7 @@
+@@ -225,6 +277,7 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -41289,7 +41444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -248,18 +299,27 @@
+@@ -248,18 +301,27 @@
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@@ -41318,7 +41473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -267,6 +327,18 @@
+@@ -267,6 +329,18 @@
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -41337,7 +41492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
-@@ -290,16 +362,31 @@
+@@ -290,16 +364,31 @@
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -41369,7 +41524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -318,6 +405,10 @@
+@@ -318,6 +407,10 @@
')
optional_policy(`
@@ -41380,7 +41535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -370,6 +461,8 @@
+@@ -370,6 +463,8 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -41389,7 +41544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -399,7 +492,6 @@
+@@ -399,7 +494,6 @@
# virtual domains common policy
#
@@ -41397,7 +41552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
allow virt_domain self:process { execmem execstack signal getsched signull };
allow virt_domain self:fifo_file rw_file_perms;
allow virt_domain self:shm create_shm_perms;
-@@ -407,6 +499,19 @@
+@@ -407,6 +501,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -41417,7 +41572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +532,7 @@
+@@ -427,6 +534,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -41425,7 +41580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,10 +540,12 @@
+@@ -434,10 +542,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -41438,7 +41593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -445,6 +553,11 @@
+@@ -445,6 +555,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -41450,7 +41605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +575,13 @@
+@@ -462,8 +577,13 @@
')
optional_policy(`
@@ -48955,8 +49110,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.19/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/udev.te 2011-03-04 12:59:56.537413001 +0000
-@@ -50,6 +50,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/udev.te 2011-04-11 08:32:50.784000002 +0000
+@@ -36,6 +36,8 @@
+
+ allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+ dontaudit udev_t self:capability sys_tty_config;
++#kernel bug
++dontaudit udev_t self:capability sys_module;
+ allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow udev_t self:process { execmem setfscreate };
+ allow udev_t self:fd use;
+@@ -50,6 +52,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@@ -48964,7 +49128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -104,6 +105,8 @@
+@@ -104,6 +107,8 @@
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
@@ -48973,7 +49137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
-@@ -111,6 +114,7 @@
+@@ -111,6 +116,7 @@
files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
@@ -48981,7 +49145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
-@@ -138,6 +142,7 @@
+@@ -138,6 +144,7 @@
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -48989,7 +49153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -211,6 +216,10 @@
+@@ -211,6 +218,10 @@
')
optional_policy(`
@@ -49000,7 +49164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
consoletype_exec(udev_t)
')
-@@ -254,6 +263,10 @@
+@@ -254,6 +265,10 @@
')
optional_policy(`
@@ -49011,7 +49175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -268,6 +281,10 @@
+@@ -268,6 +283,10 @@
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b4e992d..21cef76 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 105%{?dist}
+Release: 106%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,14 @@ exit 0
%endif
%changelog
+* Fri Apr 11 2011 Miroslav Grepl 3.7.19-106
+- Add label for matahari-broker.pid file
+- Allow foghor to read snmp lib files
+- Other fixes for foghorn policy
+- Make sysadm security admin
+- Fix ssh_sysadm_login boolean
+- Fix seunshare interface
+
* Wed Apr 6 2011 Miroslav Grepl 3.7.19-105
- Fix labeling for drupal
- Allow ssh_keygen_t read and write a user TTYs and PTYs