diff --git a/policy-F13.patch b/policy-F13.patch
index ebd6186..1374a6f 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -22708,8 +22708,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.if serefpolicy-3.7.19/policy/modules/services/dirsrv.if
--- nsaserefpolicy/policy/modules/services/dirsrv.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/dirsrv.if 2010-11-15 14:19:02.524147919 +0100
-@@ -0,0 +1,193 @@
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.if 2011-01-20 12:07:54.246042815 +0100
+@@ -0,0 +1,212 @@
+## policy for dirsrv
+
+########################################
@@ -22903,6 +22903,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+ allow $1 dirsrv_share_t:file read_file_perms;
+ allow $1 dirsrv_share_t:lnk_file read;
+')
++
++#######################################
++##
++## Connect to dirsrv over an unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dirsrv_stream_connect',`
++ gen_require(`
++ type dirsrv_t, dirsrv_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.7.19/policy/modules/services/dirsrv.te
--- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-01-14 16:32:12.778042378 +0100
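Review bot: The doc block above the new `dirsrv_stream_connect` interface has empty `##` lines where refpolicy interface docs carry XML markup (`<summary>`, `<param name="domain">`, `<desc>`), so either the page rendering stripped the tags or the added block lacks them; in the latter case the interface is invisible to the generated documentation and the parameter description `Domain allowed access.` is attached to nothing. Also the summary line reads `over an unix stream socket` and should be `## Connect to dirsrv over a unix stream socket.`. If the tags really are missing, restore the usual form: summary inside `<summary>…</summary>`, then `<param name="domain">` wrapping `<summary>Domain allowed access.</summary>`. The surrounding patch-file hunk continues beyond the lines shown here.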
@@ -25520,8 +25539,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow $1 self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.19/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2010-08-30 19:33:49.977335019 +0200
-@@ -112,6 +112,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2011-01-20 12:02:37.297292519 +0100
+@@ -36,6 +36,7 @@
+ domain_obj_id_change_exemption(kpropd_t)
+
+ type krb5_conf_t;
++files_config_file(krb5_conf_t)
+ files_type(krb5_conf_t)
+
+ type krb5_home_t;
+@@ -50,10 +51,10 @@
+
+ # types for KDC configs and principal file(s)
+ type krb5kdc_conf_t;
+-files_type(krb5kdc_conf_t)
++files_config_file(krb5kdc_conf_t)
+
+ type krb5kdc_lock_t;
+-files_type(krb5kdc_lock_t)
++files_lock_file(krb5kdc_lock_t)
+
+ # types for KDC principal file(s)
+ type krb5kdc_principal_t;
+@@ -94,9 +95,9 @@
+ dontaudit kadmind_t krb5_conf_t:file write;
+
+ read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
+-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
++dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+
+-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
++allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+
+ allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
+ filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
+@@ -112,6 +113,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
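Review bot: `files_type(krb5_conf_t)` is kept on the line right after the newly added `files_config_file(krb5_conf_t)`, while the same hunk replaces `files_type` with `files_config_file` for `krb5kdc_conf_t`; as far as I recall, files_config_file already applies files_type, so for consistency the krb5_conf_t case should drop its `files_type(krb5_conf_t)` line as well. Separately, the kadmind_t dontaudit on krb5kdc_conf_t is widened from `{ write setattr }` to `{ write_file_perms setattr_file_perms }`, which additionally silences append/lock/ioctl denials, whereas the krb5kdc_t counterpart later in this section (`dontaudit krb5kdc_t krb5kdc_conf_t:file write;`) stays at bare `write`. If only the write attempt is known noise, `dontaudit kadmind_t krb5kdc_conf_t:file { write setattr_file_perms };` keeps the audit trail for the other operations and matches the other domain. The kerberos.te context continues outside this hunk.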
@@ -25529,7 +25581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
-@@ -126,7 +127,9 @@
+@@ -126,10 +128,13 @@
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
@@ -25539,7 +25591,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
corenet_tcp_bind_reserved_port(kadmind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
-@@ -149,6 +152,7 @@
++corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
+
+ dev_read_sysfs(kadmind_t)
+ dev_read_rand(kadmind_t)
+@@ -149,6 +154,7 @@
logging_send_syslog_msg(kadmind_t)
@@ -25547,7 +25603,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
miscfiles_read_localization(kadmind_t)
seutil_read_file_contexts(kadmind_t)
-@@ -198,8 +202,7 @@
+@@ -160,6 +166,14 @@
+ userdom_dontaudit_search_user_home_dirs(kadmind_t)
+
+ optional_policy(`
++ ldap_stream_connect(kadmind_t)
++')
++
++optional_policy(`
++ dirsrv_stream_connect(kadmind_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(kadmind_t)
+ ')
+
+@@ -193,13 +207,12 @@
+ read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
+ dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+
+-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
++allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
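Review bot: The two new `optional_policy` blocks give kadmind_t unix-socket access to both ldap (`ldap_stream_connect`) and dirsrv (`dirsrv_stream_connect`) without a comment saying why a Kerberos daemon needs a local directory server; the same pair is added for krb5kdc_t in the later `@@ -260,6 +274,14 @@` hunk, which shares this gap. Presumably this is the LDAP-backed KDB, in which case a one-line comment above the first block, e.g. `# KDB LDAP backend: reach the local directory server over its unix socket`, would tell the next reader when the rules are needed and which of the two servers is expected. If only one of openldap or dirsrv is actually deployed with this policy, the other block is an unused grant that could be left out. The krb5kdc_t policy continues outside this hunk.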
@@ -25557,7 +25634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -249,6 +252,7 @@
+@@ -249,6 +262,7 @@
logging_send_syslog_msg(krb5kdc_t)
@@ -25565,7 +25642,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
-@@ -283,7 +287,7 @@
+@@ -260,6 +274,14 @@
+ userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+
+ optional_policy(`
++ ldap_stream_connect(krb5kdc_t)
++')
++
++optional_policy(`
++ dirsrv_stream_connect(krb5kdc_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(krb5kdc_t)
+ ')
+
+@@ -283,7 +305,7 @@
allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
allow kpropd_t self:tcp_socket create_stream_socket_perms;
@@ -26526,10 +26618,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.19/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.fc 2010-08-17 15:06:26.581085303 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mta.fc 2011-01-20 10:58:55.708051696 +0100
@@ -1,4 +1,5 @@
-HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
-+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0)
/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
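Review bot: `HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)` now labels every file in a home directory whose name starts with `.forward`, not just `.forward` itself, and neither the hunk nor the changelog says what the wider match is for. Presumably the target is the `.forward+detail` style of per-address forward files, but as written it also relabels unrelated names such as `.forward.bak` or `.forwarding`, which the MTA domains can then read. If only the plus-detail form is intended, `HOME_DIR/\.forward(\+[^/]*)? -- gen_context(system_u:object_r:mail_home_t,s0)` is tighter; otherwise add a comment above the line stating that any `.forward*` name is meant to be matched.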
@@ -31631,7 +31723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-12-01 11:48:07.920042722 +0100
++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2011-01-20 10:59:48.876041237 +0100
@@ -6,6 +6,15 @@
# Declarations
#
@@ -31664,7 +31756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
type postfix_exec_t;
application_executable_file(postfix_exec_t)
-@@ -27,13 +36,20 @@
+@@ -27,13 +36,21 @@
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
@@ -31674,6 +31766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+mta_send_mail(postfix_local_t)
+
+userdom_read_user_home_content_files(postfix_local_t)
++userdom_exec_user_bin_files(postfix_local_t)
+
+tunable_policy(`allow_postfix_local_write_mail_spool',`
+ mta_manage_spool(postfix_local_t)
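Review bot: `userdom_exec_user_bin_files(postfix_local_t)` lets the local delivery agent execute user-owned binaries from home directories unconditionally, while the spool write access a few lines below is gated behind `tunable_policy(\`allow_postfix_local_write_mail_spool\`, …)`. As far as I recall the interface grants plain exec with no domain transition, so a command named in a user's `.forward` would run with postfix_local_t's own permissions; that is a meaningful widening for sites that do not use `|command` delivery. Consider gating it the same way as the spool rule, e.g. `tunable_policy(\`postfix_local_exec_user_bin\`,` (constructed name) / `userdom_exec_user_bin_files(postfix_local_t)` / `')`, and add a comment saying it exists for `.forward` pipe delivery. The postfix_local_t policy continues outside this hunk.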
@@ -31687,7 +31780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
-@@ -44,6 +60,9 @@
+@@ -44,6 +61,9 @@
# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)
@@ -31697,7 +31790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
postfix_server_domain_template(pickup)
postfix_server_domain_template(pipe)
-@@ -68,13 +87,13 @@
+@@ -68,13 +88,13 @@
postfix_server_domain_template(smtpd)
@@ -31714,7 +31807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_type(postfix_spool_flush_t)
type postfix_public_t;
-@@ -90,9 +109,6 @@
+@@ -90,9 +110,6 @@
postfix_server_domain_template(virtual)
mta_mailserver_delivery(postfix_virtual_t)
@@ -31724,7 +31817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix master process local policy
-@@ -103,6 +119,7 @@
+@@ -103,6 +120,7 @@
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
@@ -31732,7 +31825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_master_t postfix_etc_t:file rw_file_perms;
-@@ -132,6 +149,7 @@
+@@ -132,6 +150,7 @@
# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
@@ -31740,7 +31833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
-@@ -142,6 +160,7 @@
+@@ -142,6 +161,7 @@
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -31748,7 +31841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
kernel_read_all_sysctls(postfix_master_t)
-@@ -153,6 +172,9 @@
+@@ -153,6 +173,9 @@
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -31758,7 +31851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -170,6 +192,8 @@
+@@ -170,6 +193,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -31767,7 +31860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
term_dontaudit_search_ptys(postfix_master_t)
-@@ -181,6 +205,8 @@
+@@ -181,6 +206,8 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -31776,7 +31869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
ifdef(`distro_redhat',`
# for newer main.cf that uses /etc/aliases
-@@ -193,6 +219,10 @@
+@@ -193,6 +220,10 @@
')
optional_policy(`
@@ -31787,7 +31880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# for postalias
mailman_manage_data_files(postfix_master_t)
')
-@@ -202,6 +232,10 @@
+@@ -202,6 +233,10 @@
')
optional_policy(`
@@ -31798,7 +31891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
sendmail_signal(postfix_master_t)
')
-@@ -219,6 +253,7 @@
+@@ -219,6 +254,7 @@
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -31806,7 +31899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -240,11 +275,18 @@
+@@ -240,11 +276,18 @@
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
@@ -31825,7 +31918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix local local policy
-@@ -253,10 +295,6 @@
+@@ -253,10 +296,6 @@
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
@@ -31836,7 +31929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -270,18 +308,35 @@
+@@ -270,18 +309,35 @@
files_read_etc_files(postfix_local_t)
@@ -31872,7 +31965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -292,8 +347,7 @@
+@@ -292,8 +348,7 @@
#
# Postfix map local policy
#
@@ -31882,7 +31975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -340,14 +394,15 @@
+@@ -340,14 +395,15 @@
miscfiles_read_localization(postfix_map_t)
@@ -31902,7 +31995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix pickup local policy
-@@ -372,6 +427,7 @@
+@@ -372,6 +428,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -31910,7 +32003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -379,6 +435,14 @@
+@@ -379,6 +436,14 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -31925,7 +32018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -388,6 +452,16 @@
+@@ -388,6 +453,16 @@
')
optional_policy(`
@@ -31942,7 +32035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -415,6 +489,10 @@
+@@ -415,6 +490,10 @@
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
@@ -31953,7 +32046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-@@ -424,8 +502,11 @@
+@@ -424,8 +503,11 @@
')
optional_policy(`
@@ -31967,7 +32060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
#######################################
-@@ -451,6 +532,17 @@
+@@ -451,6 +533,17 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -31985,7 +32078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix qmgr local policy
-@@ -464,6 +556,7 @@
+@@ -464,6 +557,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -31993,7 +32086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -499,13 +592,14 @@
+@@ -499,13 +593,14 @@
#
# connect to master process
@@ -32009,7 +32102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +629,19 @@
+@@ -535,9 +630,19 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -32029,7 +32122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -559,20 +663,22 @@
+@@ -559,20 +664,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -44820,10 +44913,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_user_terminals(showmount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.7.19/policy/modules/system/raid.fc
+--- nsaserefpolicy/policy/modules/system/raid.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/raid.fc 2011-01-20 11:41:49.880042636 +0100
+@@ -1,5 +1,10 @@
+ /dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+
++#669402
++/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++
+ /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.19/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/raid.te 2010-05-28 09:42:00.511610748 +0200
-@@ -58,6 +58,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/raid.te 2011-01-20 11:45:32.007043992 +0100
+@@ -26,6 +26,7 @@
+ dontaudit mdadm_t self:capability sys_tty_config;
+ allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+ allow mdadm_t self:fifo_file rw_fifo_file_perms;
++allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ # create .mdadm files in /dev
+ allow mdadm_t mdadm_map_t:file manage_file_perms;
+@@ -58,6 +59,7 @@
files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
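Review bot: `#669402` is the only explanation on the new raid.fc lines that label `/usr/sbin/iprdump`, `/usr/sbin/iprinit` and `/usr/sbin/iprupdate` as mdadm_exec_t; a comment that names what the tools are and why they share the mdadm domain would spare the next reader a bug lookup, e.g. `# ipr RAID adapter tools run in mdadm_t like mdadm itself (bug 669402)`. Because mdadm_exec_t is the entrypoint for mdadm_t, these tools inherit everything mdadm_t may do, including the fixed-disk management in the unchanged lines and, with the uevent netlink socket added here and `storage_write_scsi_generic(mdadm_t)` added in the hunk just below, write access to SCSI generic devices; if the ipr tools need only a subset of that, a dedicated domain would be the tighter fit, and if they genuinely need mdadm's rights the comment should say so. The mdadm_t policy continues outside this hunk.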
@@ -44831,6 +44946,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+@@ -69,6 +71,7 @@
+ storage_manage_fixed_disk(mdadm_t)
+ storage_dev_filetrans_fixed_disk(mdadm_t)
+ storage_read_scsi_generic(mdadm_t)
++storage_write_scsi_generic(mdadm_t)
+
+ term_dontaudit_list_ptys(mdadm_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.19/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.fc 2010-05-28 09:42:00.511610748 +0200
@@ -45276,7 +45399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2011-01-19 17:28:25.370292769 +0100
++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2011-01-20 12:32:53.438042580 +0100
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -45375,7 +45498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
-@@ -261,25 +267,25 @@
+@@ -261,25 +267,30 @@
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -45400,6 +45523,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
++# need to talk with dbus
++optional_policy(`
++ dbus_system_bus_client(newrole_t)
++')
++
+optional_policy(`
+ xserver_dontaudit_exec_xauth(newrole_t)
+')
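Review bot: `# need to talk with dbus` above `dbus_system_bus_client(newrole_t)` records that newrole reaches the system bus but not what for, and the identical comment and rule are added for run_init_t in the later `@@ -406,6 +422,15 @@` hunk. Naming the peer — whatever in the PAM/namespace.init path the 3.7.19-84 changelog entry refers to, if that is the trigger — would let a future reader know when the rule can be removed, e.g. `# newrole reaches the system bus for <service placeholder> during session setup`. In refpolicy the bus-client interface is typically paired with the specific service's `*_dbus_chat` interface so the allowed peer is explicit rather than left to the bus daemon's own policy; confirm whether that applies here. The newrole_t policy continues outside this hunk.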
@@ -45407,7 +45535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -313,6 +319,8 @@
+@@ -313,6 +324,8 @@
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -45416,7 +45544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
-@@ -336,6 +344,8 @@
+@@ -336,6 +349,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -45425,7 +45553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -354,7 +364,7 @@
+@@ -354,7 +369,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -45434,7 +45562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -375,6 +385,8 @@
+@@ -375,6 +390,8 @@
mls_rangetrans_source(run_init_t)
@@ -45443,7 +45571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
selinux_validate_context(run_init_t)
selinux_compute_access_vector(run_init_t)
selinux_compute_create_context(run_init_t)
-@@ -383,7 +395,6 @@
+@@ -383,7 +400,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -45451,10 +45579,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -406,6 +417,10 @@
+@@ -406,6 +422,15 @@
')
')
++# need to talk with dbus
++optional_policy(`
++ dbus_system_bus_client(run_init_t)
++')
++
+optional_policy(`
+ rpm_domtrans(run_init_t)
+')
@@ -45462,7 +45595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -421,61 +436,22 @@
+@@ -421,61 +446,22 @@
# semodule local policy
#
@@ -45476,20 +45609,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
-
+-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
+-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+
-domain_use_interactive_fds(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
@@ -45509,11 +45642,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
+-
+-locallogin_use_fds(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
--locallogin_use_fds(semanage_t)
--
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
@@ -45532,7 +45665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +460,24 @@
+@@ -484,12 +470,24 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -45557,7 +45690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,112 +487,54 @@
+@@ -499,112 +497,54 @@
userdom_read_user_tmp_files(semanage_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 24cd46e..8caf73e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 84%{?dist}
+Release: 85%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Thu Jan 20 2011 Miroslav Grepl 3.7.19-85
+- Treat irpinit, iprupdate, iprdump services with raid policy
+- Fixes for kerberos policy
+
* Tue Jan 19 2011 Miroslav Grepl 3.7.19-84
- Fixes for newrole_t domain related to namespace.init
- Add puppetmaster_uses_db boolean