-@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -48799,7 +48947,7 @@ index cc83689..e83c909 100644
files_search_etc($1)
')
-@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1268,24 @@ interface(`init_read_all_script_files',`
#######################################
##
@@ -48824,7 +48972,7 @@ index cc83689..e83c909 100644
## Dontaudit read all init script files.
##
##
-@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1337,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -48838,7 +48986,7 @@ index cc83689..e83c909 100644
')
########################################
-@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1577,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -48866,7 +49014,7 @@ index cc83689..e83c909 100644
## init scripts over dbus.
##
##
-@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1684,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -48892,7 +49040,7 @@ index cc83689..e83c909 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1761,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -48917,7 +49065,7 @@ index cc83689..e83c909 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1934,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -48926,7 +49074,7 @@ index cc83689..e83c909 100644
')
########################################
-@@ -1715,6 +1974,74 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -49001,7 +49149,7 @@ index cc83689..e83c909 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2076,139 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -49142,7 +49290,7 @@ index cc83689..e83c909 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..f00a023 100644
+index ea29513..51b8e22 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -49301,7 +49449,7 @@ index ea29513..f00a023 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +234,119 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +234,120 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -49365,7 +49513,8 @@ index ea29513..f00a023 100644
+ fs_relabel_tmpfs_dirs(init_t)
+ fs_relabel_tmpfs_files(init_t)
+ fs_mount_all_fs(init_t)
-+ fs_remount_autofs(init_t)
++ fs_unmount_all_fs(init_t)
++ fs_remount_all_fs(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_relabel_cgroup_dirs(init_t)
+ fs_search_cgroup_dirs(daemon)
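Review bot: The added `fs_unmount_all_fs(init_t)` and `fs_remount_all_fs(init_t)` replace an autofs-only remount with unmount and remount rights over every filesystem type for init_t, and nothing in the hunk says which caller needs them. Remount is the operation that changes mount flags, so this is a real widening of the init domain and should carry a justification comment, for example `# init unmounts/remounts all filesystems at shutdown` (presumably the reason; confirm). The enclosing block starts and ends outside the hunk, so it is not visible whether these lines sit inside a conditional specific to the init system that needs them; if they do not, consider moving them under one. The 3.9.16-21 changelog entry in selinux-policy.spec does not mention this change.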
@@ -49421,7 +49570,7 @@ index ea29513..f00a023 100644
')
optional_policy(`
-@@ -199,10 +354,25 @@ optional_policy(`
+@@ -199,10 +355,25 @@ optional_policy(`
')
optional_policy(`
@@ -49447,7 +49596,7 @@ index ea29513..f00a023 100644
unconfined_domain(init_t)
')
-@@ -212,7 +382,7 @@ optional_policy(`
+@@ -212,7 +383,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -49456,7 +49605,7 @@ index ea29513..f00a023 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +411,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +412,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -49472,7 +49621,7 @@ index ea29513..f00a023 100644
init_write_initctl(initrc_t)
-@@ -258,20 +431,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +432,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -49509,7 +49658,7 @@ index ea29513..f00a023 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +464,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +465,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -49517,7 +49666,7 @@ index ea29513..f00a023 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +477,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +478,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -49525,7 +49674,7 @@ index ea29513..f00a023 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +485,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +486,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -49541,7 +49690,7 @@ index ea29513..f00a023 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +503,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +504,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -49549,7 +49698,7 @@ index ea29513..f00a023 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +511,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +512,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -49561,7 +49710,7 @@ index ea29513..f00a023 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +530,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +531,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -49575,7 +49724,7 @@ index ea29513..f00a023 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +545,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +546,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -49584,7 +49733,7 @@ index ea29513..f00a023 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +559,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +560,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -49592,7 +49741,7 @@ index ea29513..f00a023 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +571,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +572,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -49600,7 +49749,7 @@ index ea29513..f00a023 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,13 +592,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +593,12 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -49616,7 +49765,7 @@ index ea29513..f00a023 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -458,6 +655,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +656,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -49627,7 +49776,7 @@ index ea29513..f00a023 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +679,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +680,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -49636,7 +49785,7 @@ index ea29513..f00a023 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +694,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +695,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -49644,7 +49793,7 @@ index ea29513..f00a023 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +724,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +725,29 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -49674,7 +49823,7 @@ index ea29513..f00a023 100644
')
optional_policy(`
-@@ -531,10 +754,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +755,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -49692,7 +49841,7 @@ index ea29513..f00a023 100644
')
optional_policy(`
-@@ -549,6 +779,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +780,39 @@ ifdef(`distro_suse',`
')
')
@@ -49732,7 +49881,7 @@ index ea29513..f00a023 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +824,8 @@ optional_policy(`
+@@ -561,6 +825,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -49741,7 +49890,7 @@ index ea29513..f00a023 100644
')
optional_policy(`
-@@ -577,6 +842,7 @@ optional_policy(`
+@@ -577,6 +843,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -49749,7 +49898,7 @@ index ea29513..f00a023 100644
')
optional_policy(`
-@@ -589,6 +855,11 @@ optional_policy(`
+@@ -589,6 +856,11 @@ optional_policy(`
')
optional_policy(`
@@ -49761,7 +49910,7 @@ index ea29513..f00a023 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +876,13 @@ optional_policy(`
+@@ -605,9 +877,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -49775,7 +49924,7 @@ index ea29513..f00a023 100644
')
optional_policy(`
-@@ -649,6 +924,11 @@ optional_policy(`
+@@ -649,6 +925,11 @@ optional_policy(`
')
optional_policy(`
@@ -49787,7 +49936,7 @@ index ea29513..f00a023 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +986,13 @@ optional_policy(`
+@@ -706,7 +987,13 @@ optional_policy(`
')
optional_policy(`
@@ -49801,7 +49950,7 @@ index ea29513..f00a023 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1015,10 @@ optional_policy(`
+@@ -729,6 +1016,10 @@ optional_policy(`
')
optional_policy(`
@@ -49812,7 +49961,7 @@ index ea29513..f00a023 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1028,20 @@ optional_policy(`
+@@ -738,10 +1029,20 @@ optional_policy(`
')
optional_policy(`
@@ -49833,7 +49982,7 @@ index ea29513..f00a023 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1050,10 @@ optional_policy(`
+@@ -750,6 +1051,10 @@ optional_policy(`
')
optional_policy(`
@@ -49844,7 +49993,7 @@ index ea29513..f00a023 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1075,6 @@ optional_policy(`
+@@ -771,8 +1076,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -49853,7 +50002,7 @@ index ea29513..f00a023 100644
')
optional_policy(`
-@@ -781,14 +1083,21 @@ optional_policy(`
+@@ -781,14 +1084,21 @@ optional_policy(`
')
optional_policy(`
@@ -49875,7 +50024,7 @@ index ea29513..f00a023 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1109,6 @@ optional_policy(`
+@@ -800,7 +1110,6 @@ optional_policy(`
')
optional_policy(`
@@ -49883,7 +50032,7 @@ index ea29513..f00a023 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1118,24 @@ optional_policy(`
+@@ -810,11 +1119,24 @@ optional_policy(`
')
optional_policy(`
@@ -49909,7 +50058,7 @@ index ea29513..f00a023 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1145,25 @@ optional_policy(`
+@@ -824,6 +1146,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -49935,7 +50084,7 @@ index ea29513..f00a023 100644
')
optional_policy(`
-@@ -849,3 +1189,42 @@ optional_policy(`
+@@ -849,3 +1190,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -55067,7 +55216,7 @@ index ce2fbb9..8b34dbc 100644
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..352e672 100644
+index 416e668..9f3c1c1 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,27 +12,34 @@
@@ -55118,7 +55267,7 @@ index 416e668..352e672 100644
+ domain_mmap_low($1)
+
-+ mls_file_read_all_levels($1)
++ mcs_file_read_all($1)
+
+ ubac_process_exempt($1)
+
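Review bot: Swapping `mls_file_read_all_levels($1)` for `mcs_file_read_all($1)` removes the MLS read override instead of adding the MCS one beside it, so a policy built with MLS would presumably leave these domains without the exemption they had before. If the intent is that the MLS call had no effect under the MCS-based policy, say so above the line, e.g. `# MCS policy: the category read override comes from mcs_file_read_all, not the MLS interface`; otherwise keep both calls. The enclosing interface starts and ends outside the hunk, so which unconfined interface receives this grant should be confirmed against the full file.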
@@ -55818,7 +55967,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..4984747 100644
+index 28b88de..f690d75 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -56744,7 +56893,7 @@ index 28b88de..4984747 100644
##############################
#
# Local policy
-@@ -874,45 +1030,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1030,114 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -56802,6 +56951,7 @@ index 28b88de..4984747 100644
+ # bug: #682499
+ optional_policy(`
+ gnome_read_usr_config($1_usertype)
++ gnome_role_gkeyringd($1, $1_r, $1_t)
')
optional_policy(`
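Review bot: The added `gnome_role_gkeyringd($1, $1_r, $1_t)` lands directly under the existing `# bug: #682499` comment and inside the same `optional_policy` block as `gnome_read_usr_config($1_usertype)`, so a reader will attribute it to that bug and the two calls now stand or fall together. If the keyring role is a separate change, give it its own `optional_policy` block with its own comment, e.g. `# per-role gnome-keyring daemon domain` (presumably what the interface sets up; confirm against the gnome module). The template body starts and ends outside the hunk, and the 3.9.16-21 changelog entry does not mention this addition.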
@@ -56869,7 +57019,7 @@ index 28b88de..4984747 100644
')
')
-@@ -947,7 +1171,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1172,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -56878,7 +57028,7 @@ index 28b88de..4984747 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1180,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1181,83 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -56992,7 +57142,7 @@ index 28b88de..4984747 100644
')
')
-@@ -1039,7 +1292,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1293,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -57001,7 +57151,7 @@ index 28b88de..4984747 100644
')
##############################
-@@ -1066,6 +1319,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1320,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -57009,7 +57159,7 @@ index 28b88de..4984747 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1328,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1329,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -57019,7 +57169,7 @@ index 28b88de..4984747 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1345,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1346,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -57027,7 +57177,7 @@ index 28b88de..4984747 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1363,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1364,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -57041,7 +57191,7 @@ index 28b88de..4984747 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,15 +1380,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1381,19 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -57061,7 +57211,7 @@ index 28b88de..4984747 100644
term_use_all_terms($1_t)
-@@ -1141,7 +1406,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1407,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -57073,7 +57223,7 @@ index 28b88de..4984747 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1478,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1479,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -57082,7 +57232,7 @@ index 28b88de..4984747 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1492,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1493,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -57090,7 +57240,7 @@ index 28b88de..4984747 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1508,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1509,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -57098,7 +57248,7 @@ index 28b88de..4984747 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1551,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1552,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -57136,7 +57286,7 @@ index 28b88de..4984747 100644
ubac_constrained($1)
')
-@@ -1395,6 +1693,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1694,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -57144,7 +57294,7 @@ index 28b88de..4984747 100644
files_search_home($1)
')
-@@ -1441,6 +1740,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1741,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -57159,7 +57309,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -1456,9 +1763,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1764,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -57171,7 +57321,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -1515,10 +1824,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1825,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -57184,7 +57334,7 @@ index 28b88de..4984747 100644
##
##
##
-@@ -1526,21 +1835,57 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,21 +1836,57 @@ interface(`userdom_relabelto_user_home_dirs',`
##
##
#
@@ -57250,7 +57400,7 @@ index 28b88de..4984747 100644
##
## Do a domain transition to the specified
## domain when executing a program in the
-@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1935,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -57259,7 +57409,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1951,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -57274,7 +57424,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1999,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -57300,7 +57450,7 @@ index 28b88de..4984747 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2069,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -57333,7 +57483,7 @@ index 28b88de..4984747 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2105,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -57351,7 +57501,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -1779,6 +2170,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2171,24 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
@@ -57376,7 +57526,7 @@ index 28b88de..4984747 100644
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2219,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2220,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -57386,7 +57536,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -1827,20 +2235,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2236,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -57411,7 +57561,7 @@ index 28b88de..4984747 100644
########################################
##
-@@ -2008,7 +2410,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2411,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -57420,7 +57570,7 @@ index 28b88de..4984747 100644
files_search_home($1)
')
-@@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2585,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -57429,7 +57579,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -2435,13 +2837,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2838,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57445,7 +57595,7 @@ index 28b88de..4984747 100644
##
##
##
-@@ -2462,26 +2865,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2866,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -57472,7 +57622,7 @@ index 28b88de..4984747 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2815,7 +3198,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3199,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -57481,7 +57631,7 @@ index 28b88de..4984747 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3214,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3215,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -57497,7 +57647,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -2917,7 +3302,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3303,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -57506,7 +57656,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -2972,7 +3357,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3358,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -57553,7 +57703,7 @@ index 28b88de..4984747 100644
')
########################################
-@@ -3009,6 +3432,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3433,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -57561,7 +57711,7 @@ index 28b88de..4984747 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3511,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3512,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -57586,7 +57736,7 @@ index 28b88de..4984747 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3139,3 +3581,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3582,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 30ca4e3..a9f3ec6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,12 +21,11 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch: policy-F15.patch
-patch1: policy-dbus.patch
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
@@ -203,7 +202,6 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-%{version} -q
%patch -p1
-%patch1 -p1
%install
mkdir selinux_config
@@ -473,6 +471,11 @@ exit 0
%endif
%changelog
+* Mon May 2 2011 Dan Walsh 3.9.16-21
+- Fixes for colord and vnstatd policy
+- telepathy needs to dbus chat with unconfined_t and unconfined_dbusd_t
+- Remove dbus.patch and move it to policy-F15.patch
+
* Fri Apr 29 2011 Dan Walsh 3.9.16-20
- Adding in unconfined_r telepathy domains so telepathy apps will not crash on update