diff --git a/policy-F13.patch b/policy-F13.patch
index a73f764..8260000 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1429,12 +1429,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc
--- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-05-28 07:41:59.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2011-04-18 09:20:51.327000002 +0000
@@ -9,6 +9,8 @@
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-+/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
@@ -1650,7 +1650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-09-16 13:32:42.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2011-04-13 10:11:37.712000002 +0000
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -1729,7 +1729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -99,5 +119,65 @@
+@@ -99,5 +119,66 @@
')
optional_policy(`
@@ -1749,6 +1749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+# Prelink Cron system Policy
+#
+
++allow prelink_cron_system_t self:capability { dac_read_search dac_override };
+allow prelink_cron_system_t self:capability setuid;
+allow prelink_cron_system_t self:process { setsched setfscreate signal };
+
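Review bot: The new `allow prelink_cron_system_t self:capability { dac_read_search dac_override };` grants dac_override together with dac_read_search, and dac_override is the broader of the two: it also bypasses DAC write and execute checks, whereas dac_read_search only covers reading and directory traversal. If the cron job merely walks library directories it cannot otherwise enter, dac_read_search alone suffices and dac_override can be dontaudited rather than allowed. A short comment naming the access that produced the denial would let a maintainer confirm which capability is actually exercised, e.g. `# dac_read_search: prelink walks dirs not readable by its uid (confirm path)`. The prelink_cron_system_t block continues outside the hunk.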
@@ -8030,8 +8031,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-04-08 17:54:32.262000002 +0000
-@@ -0,0 +1,482 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-04-18 10:25:26.560000003 +0000
+@@ -0,0 +1,484 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8216,6 +8217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
+
+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
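Review bot: The added `dontaudit sandbox_x_domain sandbox_file_t:dir mounton;` silences a denial without recording what is attempting the mount, so the reason is lost to the next reader. A comment on the rule, such as `# sandboxed helper attempts to mount over its sandbox dir; not required, silence the noise` (adjusted to the real trigger), would keep that context with the rule. Because a dontaudit hides the event entirely, it is worth confirming that the mount is genuinely unneeded rather than a capability the sandbox should be granted or that signals misbehaving content.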
@@ -8471,6 +8473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
+
+optional_policy(`
++ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
+')
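Review bot: With `nsplugin_manage_rw(sandbox_web_type)` added, the following `nsplugin_read_rw_files(sandbox_web_type)` line looks redundant, since a manage interface normally includes the read permissions on the same types; if that holds for nsplugin_manage_rw in this tree, the read call can be dropped. The widening itself deserves a comment: sandboxed web content can now create and delete nsplugin rw files rather than only read and write them, which enlarges what a compromised browser process can change, e.g. `# plugins persist state under nsplugin rw dirs; manage needed for create/unlink`.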
@@ -9678,7 +9681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2011-01-14 13:27:46.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2011-04-18 09:08:49.734000003 +0000
@@ -9,8 +9,11 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -9757,7 +9760,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -189,7 +206,8 @@
+@@ -167,6 +184,7 @@
+ /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -189,7 +207,8 @@
/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -9767,7 +9778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-@@ -216,11 +234,17 @@
+@@ -216,11 +235,17 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -9785,7 +9796,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +264,7 @@
+@@ -236,10 +261,12 @@
+ /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -9793,7 +9809,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +322,7 @@
+@@ -266,6 +293,7 @@
+ /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
+@@ -297,6 +325,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
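Review bot: The added `/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)` duplicates the identical context line immediately above it, so the new entry should be dropped. Duplicate specifications are harmless at load time but add noise to the file and can trigger warnings from the file-context tooling.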
@@ -9801,7 +9825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -305,6 +331,7 @@
+@@ -305,12 +334,13 @@
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
@@ -9809,7 +9833,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
ifdef(`distro_suse', `
-@@ -331,3 +358,24 @@
+ /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
+@@ -331,3 +361,24 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -9834,7 +9865,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+
+/usr/local/Brother/(.*/)?inf/brprintconf.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/(.*/)?inf/setup.* -- gen_context(system_u:object_r:bin_t,s0)
-Binary files nsaserefpolicy/policy/modules/kernel/.corecommands.fc.swp and serefpolicy-3.7.19/policy/modules/kernel/.corecommands.fc.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.19/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-10-08 09:10:25.000000000 +0000
@@ -9881,7 +9911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-03-16 14:25:07.223107001 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-04-19 12:36:28.365000004 +0000
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@@ -9952,7 +9982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-@@ -124,40 +133,58 @@
+@@ -124,40 +133,59 @@
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -9992,6 +10022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
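Review bot: The new `network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)` is inserted between openvpn and pegasus_http, which breaks the roughly alphabetical order of this list; it belongs after pgpkeyserver. A trailing comment in the style of the http_cache line saying what these ports serve would help, e.g. `# PacketCable COPS/NCS (asterisk)`, since this patch also adds `corenet_tcp_connect_pktcable_port(asterisk_t)` in asterisk.te that depends on this definition.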
@@ -10013,7 +10044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,18 +204,22 @@
+@@ -177,18 +205,22 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -10037,7 +10068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -201,23 +232,23 @@
+@@ -201,23 +233,23 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -10067,7 +10098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
########################################
#
-@@ -266,5 +297,5 @@
+@@ -266,5 +298,5 @@
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -11008,7 +11039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2011-03-04 14:14:25.595413001 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2011-04-18 10:12:35.616000004 +0000
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -11606,7 +11637,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
##
## Get the attributes of the tmp directory (/tmp).
##
-@@ -3705,6 +4117,32 @@
+@@ -3649,6 +4061,24 @@
+ dontaudit $1 tmp_t:dir list_dir_perms;
+ ')
+
++#######################################
++##
++## Allow read and write to the tmp directory (/tmp).
++##
++##
++##
++## Domain not to audit.
++##
++##
++#
++interface(`files_rw_generic_tmp_dir',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ allow $1 tmp_t:dir rw_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Remove entries from the tmp directory.
+@@ -3705,6 +4135,32 @@
########################################
##
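Review bot: The parameter description of the new `files_rw_generic_tmp_dir` interface says "Domain not to audit.", but the body is an `allow $1 tmp_t:dir rw_dir_perms;`, not a dontaudit, so the text should read `## Domain allowed access.` as in the sibling files_ interfaces. The separator line above the interface also appears one character shorter than the 40-hash separators used elsewhere in the file. Note that rw_dir_perms includes add_name and remove_name on /tmp itself, so callers get to create and unlink entries in the shared tmp directory; the summary line should say so rather than just "read and write".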
@@ -11639,7 +11695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
##
##
-@@ -3757,6 +4195,24 @@
+@@ -3757,6 +4213,24 @@
rw_sock_files_pattern($1, tmp_t, tmp_t)
')
@@ -11664,7 +11720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
##
## Set the attributes of all tmp directories.
-@@ -3918,6 +4374,13 @@
+@@ -3918,6 +4392,13 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11678,7 +11734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4013,6 +4476,24 @@
+@@ -4013,6 +4494,24 @@
########################################
##
@@ -11703,7 +11759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Delete generic files in /usr in the caller domain.
##
##
-@@ -4026,7 +4507,7 @@
+@@ -4026,7 +4525,7 @@
type usr_t;
')
@@ -11712,7 +11768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4107,6 +4588,24 @@
+@@ -4107,6 +4606,24 @@
########################################
##
@@ -11737,7 +11793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## dontaudit write of /usr files
##
##
-@@ -5032,6 +5531,43 @@
+@@ -5032,6 +5549,43 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -11781,7 +11837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
##
## Do not audit attempts to search
-@@ -5091,6 +5627,24 @@
+@@ -5091,6 +5645,24 @@
########################################
##
@@ -11806,7 +11862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Create an object in the process ID directory, with a private type.
##
##
-@@ -5238,6 +5792,7 @@
+@@ -5238,6 +5810,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -11814,7 +11870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5306,6 +5861,24 @@
+@@ -5306,6 +5879,24 @@
########################################
##
@@ -11839,7 +11895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -5494,12 +6067,15 @@
+@@ -5494,12 +6085,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -11856,7 +11912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5520,3 +6096,229 @@
+@@ -5520,3 +6114,229 @@
typeattribute $1 files_unconfined_type;
')
@@ -14904,8 +14960,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2011-02-17 14:43:35.779796002 +0000
-@@ -0,0 +1,457 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2011-04-18 08:45:34.996000002 +0000
+@@ -0,0 +1,462 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -15262,6 +15318,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
+
+optional_policy(`
++ quota_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
@@ -15293,6 +15353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
++ virt_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
@@ -18042,13 +18103,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.19/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/asterisk.te 2011-01-25 17:02:22.368455001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/asterisk.te 2011-04-18 09:02:11.798000003 +0000
@@ -40,12 +40,13 @@
#
# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
-+allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
++allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
dontaudit asterisk_t self:capability sys_tty_config;
-allow asterisk_t self:process { setsched signal_perms };
+allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
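Review bot: The capability line gains `chown` without any explanation, while the comment directly above only justifies dac_override for /var/run/asterisk. chown lets the daemon reassign ownership of any file it can already write, so the reason should be recorded next to it, e.g. `# chown: asterisk chowns its run/log files to the asterisk user after privilege drop (confirm)`. If only files under its own var_run and log types are chowned, that comment is enough; if not, it is worth checking whether a narrower fix is possible. The asterisk_t block continues outside the hunk.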
@@ -18059,12 +18120,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
allow asterisk_t self:tcp_socket create_stream_socket_perms;
allow asterisk_t self:udp_socket create_socket_perms;
-@@ -79,11 +80,14 @@
- manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
- files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+@@ -54,6 +55,8 @@
+ read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
+ files_search_etc(asterisk_t)
+can_exec(asterisk_t, asterisk_exec_t)
+
+ manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+ logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
+
+@@ -74,16 +77,18 @@
+ manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+ files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+
++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
+
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
+kernel_request_load_module(asterisk_t)
@@ -18075,7 +18150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
-@@ -96,6 +100,7 @@
+@@ -96,6 +101,7 @@
corenet_tcp_bind_generic_node(asterisk_t)
corenet_udp_bind_generic_node(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
@@ -18083,14 +18158,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
corenet_udp_bind_asterisk_port(asterisk_t)
corenet_udp_bind_sip_port(asterisk_t)
corenet_sendrecv_asterisk_server_packets(asterisk_t)
-@@ -104,10 +109,16 @@
+@@ -104,10 +110,17 @@
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
++corenet_tcp_connect_festival_port(asterisk_t)
++corenet_tcp_connect_pktcable_port(asterisk_t)
+corenet_tcp_connect_postgresql_port(asterisk_t)
+corenet_tcp_connect_snmp_port(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
-+corenet_tcp_connect_festival_port(asterisk_t)
+dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
@@ -18100,8 +18176,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
domain_use_interactive_fds(asterisk_t)
-@@ -118,19 +129,33 @@
+@@ -116,21 +129,40 @@
+ # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+ # are labeled usr_t
files_read_usr_files(asterisk_t)
++files_dontaudit_search_home(asterisk_t)
fs_getattr_all_fs(asterisk_t)
+fs_list_inotifyfs(asterisk_t)
@@ -18121,6 +18200,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
optional_policy(`
- nis_use_ypbind(asterisk_t)
++ alsa_read_rw_config(asterisk_t)
++')
++
++optional_policy(`
+ mysql_stream_connect(asterisk_t)
+')
+
@@ -18137,7 +18220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
')
optional_policy(`
-@@ -138,10 +163,11 @@
+@@ -138,10 +170,11 @@
')
optional_policy(`
@@ -26291,7 +26374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.7.19/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.fc 2010-07-23 11:43:56.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.fc 2011-04-18 10:09:06.721000003 +0000
@@ -8,7 +8,7 @@
/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -26301,9 +26384,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+@@ -31,3 +31,4 @@
+ /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+
+ /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
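Review bot: The new `/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` hard-codes a single replay-cache file name; the `_23` suffix presumably is the uid of the service that owns the HTTP keytab, so the label only applies on systems where that account has exactly that uid. A comment stating which service this is for, e.g. `# HTTP replay cache for squid (uid 23 on Fedora) — kerberos_manage_host_rcache(squid_t)`, would make the coupling explicit, and the same patch adds that squid.te call. Consider whether a pattern keyed on the principal rather than the uid is safer, or whether the file should be created via a type transition so the label does not depend on a file-context match at all.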
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-03-25 08:29:07.333630001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-04-18 10:10:50.229000004 +0000
@@ -74,7 +74,7 @@
')
@@ -26359,7 +26447,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
########################################
##
## Create a derived type for kerberos keytab
-@@ -374,3 +397,41 @@
+@@ -285,6 +308,7 @@
+
+ seutil_read_file_contexts($1)
+
++ files_rw_generic_tmp_dir($1)
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
+ files_search_tmp($1)
+ ')
+@@ -374,3 +398,41 @@
admin_pattern($1, krb5kdc_var_run_t)
')
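Review bot: After the added `files_rw_generic_tmp_dir($1)`, the `files_search_tmp($1)` two lines below is redundant, since rw_dir_perms on tmp_t already includes search. More importantly, the interface grants manage_file_perms on krb5_host_rcache_t but this hunk shows no type transition, so a replay-cache file the domain creates under /var/tmp would land as tmp_t unless a `files_tmp_filetrans($1, krb5_host_rcache_t, file)` exists elsewhere in the interface; please confirm, because the matching file context in kerberos.fc only takes effect on relabel. The enclosing interface starts outside the hunk.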
@@ -36254,8 +36350,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-04-11 08:54:04.983000002 +0000
-@@ -0,0 +1,288 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-04-13 10:37:12.156000002 +0000
+@@ -0,0 +1,297 @@
+
+policy_module(rhcs,1.1.0)
+
@@ -36398,8 +36494,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+#
+
+allow foghorn_t self:process { signal };
++allow foghorn_t self:tcp_socket create_stream_socket_perms;
+allow foghorn_t self:udp_socket create_socket_perms;
+
++corenet_tcp_connect_agentx_port(foghorn_t)
++
++dev_read_urand(foghorn_t)
++
+files_read_etc_files(foghorn_t)
+files_read_usr_files(foghorn_t)
+
@@ -36412,6 +36513,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+ snmp_stream_connect(foghorn_t)
+')
+
++optional_policy(`
++ unconfined_domain(foghorn_t)
++')
++
+######################################
+#
+# gfs_controld local policy
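Review bot: The new `optional_policy(\` unconfined_domain(foghorn_t) ')` makes foghorn_t effectively unconfined, which renders the carefully enumerated rules above it (tcp socket, agentx connect, urand, etc files, snmp) meaningless as a confinement boundary. If this is a temporary measure while the daemon's real needs are collected, say so in a comment such as `# TODO: remove once foghorn denials are collected; currently unconfined` and keep the permissive-style rules so they can replace it; if it is intended to be permanent, the surrounding rules can be dropped. Either way the reason should be recorded here rather than discovered by the next reader.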
@@ -38400,17 +38505,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-04-13 18:44:36.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te 2010-05-28 07:42:00.000000000 +0000
-@@ -22,13 +22,19 @@
- type setroubleshoot_var_run_t;
- files_pid_file(setroubleshoot_var_run_t)
++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te 2011-04-18 09:18:29.205000002 +0000
+@@ -11,6 +11,10 @@
+ domain_type(setroubleshootd_t)
+ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+type setroubleshoot_fixit_t;
+type setroubleshoot_fixit_exec_t;
+dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+
- ########################################
- #
+ type setroubleshoot_var_lib_t;
+ files_type(setroubleshoot_var_lib_t)
+
+@@ -27,8 +31,10 @@
# setroubleshootd local policy
#
@@ -38423,7 +38530,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -52,7 +58,10 @@
+@@ -46,16 +52,21 @@
+ logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
+
+ # pid file
++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+ manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
+-files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
++files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
@@ -38434,7 +38549,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +77,26 @@
++corecmd_read_all_executables(setroubleshootd_t)
+
+ corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+ corenet_all_recvfrom_netlabel(setroubleshootd_t)
+@@ -68,16 +79,27 @@
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
@@ -38452,17 +38571,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
+files_read_all_symlinks(setroubleshootd_t)
++files_read_mnt_files(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
+fs_read_fusefs_symlinks(setroubleshootd_t)
++fs_list_inotifyfs(setroubleshootd_t)
+fs_dontaudit_read_nfs_files(setroubleshootd_t)
+fs_dontaudit_read_cifs_files(setroubleshootd_t)
-+fs_list_inotifyfs(setroubleshootd_t)
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +113,81 @@
+@@ -90,27 +112,87 @@
+ init_read_utmp(setroubleshootd_t)
+ init_dontaudit_write_utmp(setroubleshootd_t)
+
++libs_exec_ld_so(setroubleshootd_t)
++
+ miscfiles_read_localization(setroubleshootd_t)
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -38484,13 +38610,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
- dbus_system_bus_client(setroubleshootd_t)
- dbus_connect_system_bus(setroubleshootd_t)
+ locate_read_lib_files(setroubleshootd_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
')
optional_policy(`
++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
++')
++
++optional_policy(`
+ rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
@@ -38511,6 +38637,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+setroubleshoot_stream_connect(setroubleshoot_fixit_t)
+
++kernel_read_system_state(setroubleshoot_fixit_t)
++
+corecmd_exec_bin(setroubleshoot_fixit_t)
+corecmd_exec_shell(setroubleshoot_fixit_t)
+
@@ -38521,8 +38649,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+files_read_etc_files(setroubleshoot_fixit_t)
+files_list_tmp(setroubleshoot_fixit_t)
+
-+kernel_read_system_state(setroubleshoot_fixit_t)
-+
+auth_use_nsswitch(setroubleshoot_fixit_t)
+
+logging_send_audit_msgs(setroubleshoot_fixit_t)
@@ -38545,7 +38671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+')
+
+optional_policy(`
-+ policykit_dbus_chat(setroubleshoot_fixit_t)
++ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.7.19/policy/modules/services/smartmon.if
@@ -39329,7 +39455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
gen_require(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.19/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/squid.te 2011-01-03 08:56:23.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/squid.te 2011-04-18 10:11:50.678000002 +0000
@@ -14,6 +14,13 @@
##
gen_tunable(squid_connect_any, false)
@@ -39383,15 +39509,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -186,8 +203,3 @@
- optional_policy(`
+@@ -187,7 +204,6 @@
udev_read_db(squid_t)
')
--
+
-ifdef(`TODO',`
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
++optional_policy(`
++ kerberos_manage_host_rcache(squid_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2011-01-25 15:34:07.026455001 +0000
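Review bot: `kerberos_manage_host_rcache(squid_t)` lets squid create, write and delete the Kerberos host replay cache, and the new optional_policy block carries no comment saying why a proxy needs that; presumably it is for the Negotiate/GSSAPI authentication helper, which should be stated, e.g. `# negotiate (GSSAPI) auth helper updates the kerberos host rcache`. Because this is a manage grant rather than read/write, it is worth confirming the helper actually creates and removes rcache files rather than only updating an existing one before the broader permission is kept. Dropping the dead `ifdef(`TODO',...)` block is fine.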
@@ -40948,7 +41076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-03-25 08:50:01.013630001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-04-19 12:14:15.572000005 +0000
@@ -1,4 +1,5 @@
-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -40956,7 +41084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-@@ -12,18 +13,22 @@
+@@ -12,18 +13,29 @@
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -40982,9 +41110,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+# bug 685061
+/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++
++# support for AEOLUS project
++/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
++/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
++/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2011-03-17 10:41:54.513325002 +0000
++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2011-04-19 12:15:25.589000003 +0000
@@ -21,6 +21,8 @@
type $1_t, virt_domain;
domain_type($1_t)
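Review bot: Labeling `/usr/bin/imgfac\.py` as `virtd_exec_t` makes the image factory script run in the libvirtd daemon's domain, so it inherits whatever virtd_t is allowed rather than a scope fitted to a Python tool; a dedicated domain, or at least a comment stating that full virtd_t privilege is intended, would make that decision explicit for the next reader. The existing `# support for AEOLUS project` names the project but not the consequence; I'd extend it to `# support for AEOLUS project: imgfac.py runs in virtd_t (same privilege as libvirtd)`. `virt_cache_t` is referenced for `/var/cache/oz(/.*)?` but its declaration in virt.te is not in this hunk, so confirm the type exists in this policy version or the file-context load will fail.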
@@ -41034,7 +41169,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -171,6 +161,7 @@
+@@ -114,6 +104,29 @@
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
+ ')
+
++######################################
++##
++## Execute a domain transition to run virt.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`virt_run',`
++ gen_require(`
++ type virtd_t;
++ type qemu_t;
++ ')
++
++ virt_domtrans($1)
++
++ role $2 types virtd_t;
++ role $2 types qemu_t;
++
++')
++
+ #######################################
+ ##
+ ## Connect to virt over an unix domain stream socket.
+@@ -171,6 +184,7 @@
files_search_etc($1)
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
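Review bot: The new `virt_run` interface takes a role as `$2` (`role $2 types virtd_t;` and `role $2 types qemu_t;`) but its header documents only the domain parameter; add the standard second param block describing `$2` as the role allowed access, so the generated interface docs match the signature. The header's XML tags may have been stripped by rendering, so I cannot confirm whether the existing `##` lines carry `<summary>`/`<param>` markup; if they do not, the doc comment will not parse for the interface documentation. Since the role is also authorized for `qemu_t`, the summary should say so rather than only `## Execute a domain transition to run virt.`, e.g. `## Execute virtd in the virtd domain and allow the role to run virtd_t and qemu_t.`; the blank line before the closing `')` is also unusual for this file's interfaces and could be dropped.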
@@ -41042,7 +41207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -192,6 +183,7 @@
+@@ -192,6 +206,7 @@
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
@@ -41050,7 +41215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -229,6 +221,24 @@
+@@ -229,6 +244,24 @@
')
')
@@ -41075,7 +41240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
##
## Read virt PID files.
-@@ -306,6 +316,24 @@
+@@ -306,6 +339,24 @@
read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')
@@ -41100,7 +41265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
##
## Create, read, write, and delete
-@@ -386,6 +414,24 @@
+@@ -386,6 +437,24 @@
manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
')
@@ -41125,7 +41290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
##
## Allow domain to read virt image files
-@@ -433,15 +479,15 @@
+@@ -433,15 +502,15 @@
##
##
#
@@ -41146,10 +41311,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +562,86 @@
+@@ -515,4 +584,92 @@
+ virt_manage_lib_files($1)
virt_manage_log($1)
- ')
++
++ virt_manage_images($1)
++
++ allow $1 virt_domain:process { ptrace signal_perms };
++
++')
+
+########################################
+##
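Review bot: `allow $1 virt_domain:process { ptrace signal_perms };` gives the admin domain ptrace over every virt_domain process, which means it can read the memory of running guests, a broader grant than the manage/stop use case the neighbouring `virt_manage_*` calls serve; if only process management is intended, `signal_perms` alone (with `ps_process_pattern($1, virt_domain)` if listing is needed) is the tighter grant, and if ptrace is deliberate it deserves a comment such as `# ptrace lets the admin inspect memory of running VMs`. The enclosing interface (presumably `virt_admin`, per the changelog) starts outside this hunk, so I cannot see whether virtd_t itself is covered the same way.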
@@ -41196,7 +41367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+ type virtd_t;
+ ')
+ dontaudit $1 virtd_t:fifo_file write;
-+')
+ ')
+
+######################################
+##
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 21cef76..ba727e5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 106%{?dist}
+Release: 107%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,14 @@ exit 0
%endif
%changelog
+* Tue Apr 19 2011 Miroslav Grepl 3.7.19-107
+- Add support for AEOLUS project
+- Fixes for asterisk and setroubleshoot domains
+- Fix label for /usr/sbin/fping
+- Fix label for chrome
+- Fixes for foghorn policy
+- Fix virt_admin interface
+
* Fri Apr 11 2011 Miroslav Grepl 3.7.19-106
- Add label for matahari-broker.pid file
- Allow foghor to read snmp lib files