diff --git a/policy-F13.patch b/policy-F13.patch
index 166c362..ca9c034 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -720,7 +720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-05-28 09:41:59.956610558 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-06-08 14:47:28.309627171 +0200
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -802,7 +802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+#
+
+allow prelink_cron_system_t self:capability setuid;
-+allow prelink_cron_system_t self:process { setsched setfscreate };
++allow prelink_cron_system_t self:process { setsched setfscreate signal };
+
+allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
@@ -2255,13 +2255,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.19/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-05-28 09:41:59.969610893 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-06-08 14:44:13.503860559 +0200
@@ -31,7 +31,7 @@
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t self:tun_socket create;
-+allow vpnc_t self:tun_socket { create_socket_perms };
++allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
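Review bot: The `relabelfrom` added to vpnc_t's own tun_socket rule is probably only half of what re-attaching to a persistent tun device needs. As far as I recall the kernel's tun open hook checks `relabelfrom` against the device's current label and then `relabelto` against the opener's own label, and `create_socket_perms` does not include `relabelto`, so a vpnc re-open of a tun it labeled earlier would still fail on the second check; confirm against the AVC denial that motivated this line. If that is the case the rule should be `allow vpnc_t self:tun_socket { create_socket_perms relabelfrom relabelto };`, with a short comment that it is for persistent tun re-attach.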
@@ -2779,6 +2779,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+ policykit_dbus_chat(firewallgui_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.7.19/policy/modules/apps/gitosis.fc
+--- nsaserefpolicy/policy/modules/apps/gitosis.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gitosis.fc 2010-06-08 14:54:39.156860589 +0200
+@@ -1,3 +1,5 @@
+ /usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
++/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+ /var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
++/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.19/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/gitosis.if 2010-05-28 09:41:59.975610499 +0200
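Review bot: Labeling `/usr/bin/gl-auth-command` and `/var/lib/gitolite` with the gitosis types (the two added entries) puts gitolite and gitosis in one domain with one data type, so a compromised hook of either tool reaches the other's repositories; that is a defensible trade-off for a small module, but nothing in the .fc file says it was a deliberate choice. A one-line comment above the new entries, `# gitolite is confined with the gitosis domain/types; the two are not separated from each other`, records the decision. I cannot see the package layout here, so whether /var/lib/gitolite is actually the gitolite home on this distribution should be double-checked.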
@@ -2791,6 +2800,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.
')
######################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.7.19/policy/modules/apps/gitosis.te
+--- nsaserefpolicy/policy/modules/apps/gitosis.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gitosis.te 2010-06-08 14:54:39.156860589 +0200
+@@ -26,12 +26,17 @@
+ manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
++kernel_read_system_state(gitosis_t)
++
+ corecmd_exec_bin(gitosis_t)
+ corecmd_exec_shell(gitosis_t)
+
+-kernel_read_system_state(gitosis_t)
++dev_read_urand(gitosis_t)
+
++files_read_etc_files(gitosis_t)
+ files_read_usr_files(gitosis_t)
+ files_search_var_lib(gitosis_t)
+
+ miscfiles_read_localization(gitosis_t)
++
++sysnet_read_config(gitosis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.19/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-05-28 09:41:59.976610853 +0200
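Review bot: The three new grants in gitosis.te (`dev_read_urand`, `files_read_etc_files`, `sysnet_read_config`) carry no comment saying which operation produced the denials, and `sysnet_read_config` in particular (resolver and network configuration) is not an obvious need for a git access shim. I would add a why-comment next to them recording the actual AVC that was seen, e.g. `# interpreter startup and host lookup during gitolite hook execution`, but only if that is what the denials showed. The `corecmd_exec_bin`/`corecmd_exec_shell` lines above are what let hooks run, and the move of `kernel_read_system_state` is cosmetic.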
@@ -4164,7 +4195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-05-28 09:41:59.985610961 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-06-08 15:04:19.920622331 +0200
@@ -0,0 +1,68 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -4183,7 +4214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+# system-config-kdump local policy
+#
+
-+allow kdumpgui_t self:capability { net_admin sys_rawio };
++allow kdumpgui_t self:capability { sys_admin net_admin sys_rawio };
+allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+
+allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
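Review bot: Adding `sys_admin` to kdumpgui_t's capability set (the changed allow line) grants the broadest capability there is — mount(2), many block-device ioctls and assorted privileged operations — and nothing in the hunk says which of them system-config-kdump needs. If the trigger was a probe that works without it, `dontaudit kdumpgui_t self:capability sys_admin;` is the safer rule; if it is genuinely required, keep the allow but add a comment naming the syscall and operation so the grant can be revisited. A GUI configuration tool holding sys_admin, net_admin and sys_rawio together is close to unconfined at the device layer, which is worth stating in the module header.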
@@ -5736,8 +5767,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-05-28 09:41:59.998610877 +0200
-@@ -41,6 +41,7 @@
++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-06-08 14:18:19.967627028 +0200
+@@ -41,9 +41,11 @@
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs(pulseaudio_t)
@@ -5745,7 +5776,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -128,6 +129,7 @@
++manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+
+ manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+@@ -128,6 +130,7 @@
')
optional_policy(`
@@ -5753,7 +5788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
udev_read_db(pulseaudio_t)
')
-@@ -138,3 +140,7 @@
+@@ -138,3 +141,7 @@
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -7188,7 +7223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.19/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-06-01 17:53:10.951411029 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-06-08 14:24:13.013626203 +0200
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -7213,16 +7248,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
-@@ -87,6 +97,8 @@
+@@ -87,7 +97,10 @@
manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+can_exec(vmware_host_t, vmware_host_exec_t)
+
kernel_read_kernel_sysctls(vmware_host_t)
++kernel_read_network_state(vmware_host_t)
kernel_read_system_state(vmware_host_t)
-@@ -114,6 +126,7 @@
+ corenet_all_recvfrom_unlabeled(vmware_host_t)
+@@ -114,6 +127,7 @@
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
@@ -7369,7 +7406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-05-28 09:42:00.017610539 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-06-08 14:54:39.159871918 +0200
@@ -49,7 +49,8 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -7400,7 +7437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -217,10 +224,13 @@
+@@ -217,10 +224,15 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -7411,10 +7448,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +250,7 @@
+@@ -240,6 +252,7 @@
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
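Review bot: The two added gitolite hook entries label the copies under /usr/share as bin_t, but git runs hooks from the repository's own hooks directory, and if the gitolite installer places copies (rather than symlinks back to /usr/share) under /var/lib/gitolite those copies carry gitosis_var_lib_t, which the domain can manage but not execute. Check where the installed hooks actually resolve before treating these two lines as sufficient. If they turn out to be copies, relabel the installed files rather than adding `can_exec(gitosis_t, gitosis_var_lib_t)`, since that would let anyone who can write the repository data directory run arbitrary code in gitosis_t.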
@@ -7422,7 +7461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +308,7 @@
+@@ -297,6 +310,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -7430,7 +7469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +343,21 @@
+@@ -331,3 +345,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -7668,7 +7707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-06-03 09:52:19.243160045 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-06-08 15:56:44.863609937 +0200
@@ -407,7 +407,7 @@
########################################
@@ -7754,7 +7793,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
##
-@@ -711,6 +765,33 @@
+@@ -514,6 +568,24 @@
+ dontaudit $1 device_t:lnk_file setattr;
+ ')
+
++#######################################
++##
++## Read symbolic links in device directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_generic_symlinks',`
++ gen_require(`
++ type device_t;
++ ')
++
++ allow $1 device_t:lnk_file read_lnk_file_perms;
++')
++
+ ########################################
+ ##
+ ## Create symbolic links in device directories.
+@@ -711,6 +783,33 @@
########################################
##
@@ -7788,7 +7852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Getattr on all block file device nodes.
##
##
-@@ -934,6 +1015,42 @@
+@@ -934,6 +1033,42 @@
########################################
##
@@ -7831,7 +7895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
##
##
-@@ -2042,6 +2159,24 @@
+@@ -2042,6 +2177,24 @@
########################################
##
@@ -7856,7 +7920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read the lvm comtrol device.
##
##
-@@ -2597,6 +2732,7 @@
+@@ -2597,6 +2750,7 @@
type mtrr_device_t;
')
@@ -7864,7 +7928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
dontaudit $1 mtrr_device_t:chr_file write;
')
-@@ -3440,6 +3576,24 @@
+@@ -3440,6 +3594,24 @@
########################################
##
@@ -7889,7 +7953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
##
##
-@@ -3733,6 +3887,24 @@
+@@ -3733,6 +3905,24 @@
########################################
##
@@ -7914,7 +7978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
##
##
-@@ -3905,6 +4077,26 @@
+@@ -3905,6 +4095,26 @@
########################################
##
@@ -9961,7 +10025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-05-28 09:42:00.039611192 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-06-08 14:14:59.376610813 +0200
@@ -46,15 +46,6 @@
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -10012,7 +10076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -270,6 +272,8 @@
+@@ -270,19 +272,29 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -10020,8 +10084,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+files_manage_generic_spool_dirs(kernel_t)
mcs_process_set_categories(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
-@@ -277,12 +281,18 @@
+ mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
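Review bot: `mcs_file_read_all(kernel_t)` and `mcs_file_write_all(kernel_t)` (the two added lines) exempt kernel_t from MCS category checks on all files, mirroring the MLS exemptions directly below, but with no comment saying why it became necessary now. If it was added for a specific kernel-initiated access, note it next to the rules, e.g. `# kernel threads touch files at any category (seen with ...)`, so the exemption can be narrowed later. The optional_policy visible further down already makes kernel_t unconfined when the unconfined module is loaded, so the new lines matter mostly for builds without it, which is exactly where the rationale should be written down.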
@@ -10040,7 +10106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -359,6 +369,10 @@
+@@ -359,6 +371,10 @@
unconfined_domain_noaudit(kernel_t)
')
@@ -15760,7 +15826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-05-28 09:42:00.078610798 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-06-08 15:32:46.193610434 +0200
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -15806,14 +15872,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
-@@ -246,6 +259,12 @@
+@@ -246,6 +259,14 @@
mta_send_mail(clamscan_t)
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
++ allow clamscan_t self:process execmem;
+', `
+ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
+')
+
optional_policy(`
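Review bot: Extending the `clamd_use_jit` tunable to clamscan_t (the two added execmem lines) is the right shape since execmem stays off by default, but the tunable was declared for clamd, and its gen_tunable description at the top of the module (outside this hunk) presumably still names only clamd. Update that description to say the JIT setting covers both clamd and clamscan, otherwise an administrator reading the boolean list will not expect it to affect the command-line scanner. The dontaudit branch for clamscan_t is worth keeping so the denial stays silent when the JIT is disabled.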
@@ -16116,8 +16184,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.7.19/policy/modules/services/cmirrord.te
--- nsaserefpolicy/policy/modules/services/cmirrord.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2010-05-28 12:25:06.226860459 +0200
-@@ -0,0 +1,60 @@
++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2010-06-04 07:40:07.080159214 +0200
+@@ -0,0 +1,63 @@
+
+policy_module(cmirrord,1.0.0)
+
@@ -16168,6 +16236,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+
+files_read_etc_files(cmirrord_t)
+
++storage_raw_read_fixed_disk(cmirrord_t)
++storage_raw_write_fixed_disk(cmirrord_t)
++
+libs_use_ld_so(cmirrord_t)
+libs_use_shared_libs(cmirrord_t)
+
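Review bot: `storage_raw_read_fixed_disk` and `storage_raw_write_fixed_disk` (the two added lines) give the new cmirrord_t domain raw read/write on every fixed_disk_device_t node, a type that covers device-mapper volumes and whole disks alike, so a compromised cmirrord could overwrite any local disk. That may be unavoidable for a daemon that writes mirror logs directly to a log device, but the grant needs a comment such as `# writes the cluster mirror log directly to the log device`, and a check that the log device nodes really are fixed_disk_device_t rather than a narrower type that could be used instead. The rest of the domain definition is outside this hunk, so I cannot tell what capabilities accompany it.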
@@ -18440,7 +18511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-05-28 09:42:00.105610536 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-06-08 14:51:46.576610409 +0200
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -18572,7 +18643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,11 +284,19 @@
+@@ -263,15 +284,24 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
@@ -18592,6 +18663,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
fs_manage_cifs_files(dovecot_t)
fs_manage_cifs_symlinks(dovecot_t)
')
+
+ optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
++ mta_read_queue(dovecot_deliver_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.7.19/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/exim.fc 2010-05-28 09:42:00.105610536 +0200
@@ -29664,7 +29740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-06-03 09:52:19.271161182 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-06-08 15:55:41.764860629 +0200
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -29876,7 +29952,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -434,6 +489,7 @@
+@@ -427,6 +482,7 @@
+ corenet_tcp_bind_virt_migration_port(virt_domain)
+ corenet_tcp_connect_virt_migration_port(virt_domain)
+
++dev_read_generic_symlinks(virt_domain)
+ dev_read_rand(virt_domain)
+ dev_read_sound(virt_domain)
+ dev_read_urand(virt_domain)
+@@ -434,6 +490,7 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -29884,7 +29968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
domain_use_interactive_fds(virt_domain)
-@@ -445,6 +501,11 @@
+@@ -445,6 +502,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -29896,7 +29980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +523,13 @@
+@@ -462,8 +524,13 @@
')
optional_policy(`
@@ -30673,7 +30757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-28 09:42:00.207610801 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-06-08 14:36:03.433610464 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.3.2)
@@ -30854,7 +30938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +293,63 @@
+@@ -250,30 +293,65 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -30868,6 +30952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
++ userdom_dontaudit_write_user_tmp_files(iceauth_t)
+
+ optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(iceauth_t)
@@ -30911,17 +30996,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xauth_t)
+files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
+-
+-fs_getattr_xattr_fs(xauth_t)
+files_dontaudit_getattr_all_dirs(xauth_t)
+files_dontaudit_leaks(xauth_t)
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
-
--fs_getattr_xattr_fs(xauth_t)
++
+fs_dontaudit_leaks(xauth_t)
++fs_dontaudit_list_inotifyfs(xauth_t)
+fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
-@@ -283,17 +359,36 @@
+@@ -283,17 +361,36 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@@ -30958,7 +31045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +400,33 @@
+@@ -305,20 +402,33 @@
# XDM Local policy
#
@@ -30995,7 +31082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -326,32 +434,53 @@
+@@ -326,32 +436,53 @@
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -31054,7 +31141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +488,13 @@
+@@ -359,10 +490,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -31068,7 +31155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +503,21 @@
+@@ -371,15 +505,21 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -31091,7 +31178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +532,14 @@
+@@ -394,11 +534,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -31106,7 +31193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +547,7 @@
+@@ -406,6 +549,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -31114,7 +31201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +556,22 @@
+@@ -414,18 +558,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -31140,7 +31227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +582,17 @@
+@@ -436,9 +584,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -31158,7 +31245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +601,19 @@
+@@ -447,14 +603,19 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -31178,7 +31265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +624,12 @@
+@@ -465,10 +626,12 @@
logging_read_generic_logs(xdm_t)
@@ -31193,7 +31280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +638,11 @@
+@@ -477,6 +640,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -31205,7 +31292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -508,11 +674,17 @@
+@@ -508,11 +676,17 @@
')
optional_policy(`
@@ -31223,7 +31310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +692,50 @@
+@@ -520,12 +694,50 @@
')
optional_policy(`
@@ -31274,7 +31361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +753,59 @@
+@@ -543,20 +755,59 @@
')
optional_policy(`
@@ -31336,7 +31423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +814,6 @@
+@@ -565,7 +816,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -31344,7 +31431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +824,10 @@
+@@ -576,6 +826,10 @@
')
optional_policy(`
@@ -31355,7 +31442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +852,9 @@
+@@ -600,10 +854,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -31367,7 +31454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +866,18 @@
+@@ -615,6 +868,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -31386,7 +31473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +897,19 @@
+@@ -634,12 +899,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -31408,7 +31495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +943,6 @@
+@@ -673,7 +945,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -31416,7 +31503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +952,12 @@
+@@ -683,9 +954,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -31430,7 +31517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +972,13 @@
+@@ -700,8 +974,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -31444,7 +31531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1000,14 @@
+@@ -723,11 +1002,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -31459,7 +31546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1059,24 @@
+@@ -779,12 +1061,28 @@
')
optional_policy(`
@@ -31473,6 +31560,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
- unconfined_domain_noaudit(xserver_t)
++ setrans_translate_context(xserver_t)
++')
++
++optional_policy(`
+ sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
@@ -31485,7 +31576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1103,7 @@
+@@ -811,7 +1109,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -31494,7 +31585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1124,14 @@
+@@ -832,9 +1130,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -31509,7 +31600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1146,14 @@
+@@ -849,11 +1152,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -31526,7 +31617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1299,33 @@
+@@ -999,3 +1305,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -33926,7 +34017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-28 09:42:00.510610814 +0200
++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-06-08 14:39:55.422610327 +0200
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -33976,7 +34067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -47,30 +71,50 @@
+@@ -47,30 +71,51 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -34017,6 +34108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_search_all(mount_t)
files_read_etc_files(mount_t)
++files_delete_etc_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
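Review bot: `files_delete_etc_files(mount_t)` on the added line grants mount_t unlink on every etc_t file, which is far broader than the mtab handling the neighbouring rules (`files_manage_etc_runtime_files`, `files_etc_filetrans_etc_runtime`) are about, and the hunk gives no rationale. Presumably it covers /etc/mtab after it has lost its etc_runtime_t type, as the "for when /etc/mtab loses its type" comment a few lines further down suggests, but that is an inference. I would at least add `# mount unlinks/recreates /etc/mtab even when it is mislabeled etc_t` ahead of the call, and, if the only reproducer is mtab, consider restoring the file's label (restorecon or a file-context fix) rather than handing mount_t delete on all of /etc. The mount_t rule block continues outside the hunk.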
@@ -34029,7 +34121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -80,15 +124,18 @@
+@@ -80,15 +125,18 @@
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -34051,7 +34143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-@@ -99,6 +146,7 @@
+@@ -99,6 +147,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -34059,7 +34151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
term_use_all_terms(mount_t)
-@@ -107,6 +155,8 @@
+@@ -107,6 +156,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -34068,7 +34160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
logging_send_syslog_msg(mount_t)
-@@ -117,6 +167,12 @@
+@@ -117,6 +168,12 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -34081,7 +34173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`distro_redhat',`
optional_policy(`
-@@ -132,10 +188,17 @@
+@@ -132,10 +189,17 @@
')
')
@@ -34099,7 +34191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -165,6 +228,8 @@
+@@ -165,6 +229,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -34108,7 +34200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -172,6 +237,25 @@
+@@ -172,6 +238,25 @@
')
optional_policy(`
@@ -34134,7 +34226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +263,11 @@
+@@ -179,6 +264,11 @@
')
')
@@ -34146,7 +34238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +275,19 @@
+@@ -186,6 +276,19 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -34166,7 +34258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -194,6 +296,42 @@
+@@ -194,6 +297,42 @@
#
optional_policy(`
@@ -35553,7 +35645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-05-28 09:42:00.519610844 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-06-08 15:28:13.716610680 +0200
@@ -1,5 +1,5 @@
-policy_module(sysnetwork, 1.10.3)
@@ -35571,15 +35663,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -58,6 +61,7 @@
+@@ -58,6 +61,8 @@
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
+allow dhcpc_t dhcp_state_t:file relabelfrom;
++allow dhcpc_t dhcpc_state_t:file relabelfrom;
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-@@ -67,6 +71,8 @@
+@@ -67,6 +72,8 @@
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
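Review bot: The added `allow dhcpc_t dhcpc_state_t:file relabelfrom;` (like the existing relabelfrom on dhcp_state_t just above it) is only half of a relabel: setting security.selinux on a file checks relabelfrom against the old type and relabelto against the new type, and as far as I recall that holds even when the new type equals the old one. No relabelto appears in this hunk, so unless it is granted elsewhere in the module the next denial will be `dhcpc_t dhcpc_state_t:file relabelto`. If the intent is to let dhclient relabel its lease/state files from dhcp_state_t to dhcpc_state_t, pair the rule with `allow dhcpc_t dhcpc_state_t:file relabelto;` and document it with `# dhclient relabels lease/state files dhcp_state_t -> dhcpc_state_t`; otherwise note which target type the relabel is meant to reach. The dhcpc_t rule block continues outside the hunk.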
@@ -35588,7 +35681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -111,6 +117,7 @@
+@@ -111,6 +118,7 @@
# for SSP:
dev_read_urand(dhcpc_t)
@@ -35596,7 +35689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -156,6 +163,10 @@
+@@ -156,6 +164,10 @@
')
optional_policy(`
@@ -35607,7 +35700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
-@@ -172,6 +183,7 @@
+@@ -172,6 +184,7 @@
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -35615,7 +35708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -193,6 +205,12 @@
+@@ -193,6 +206,12 @@
')
optional_policy(`
@@ -35628,7 +35721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -214,6 +232,7 @@
+@@ -214,6 +233,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -35636,7 +35729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -277,8 +296,11 @@
+@@ -277,8 +297,11 @@
domain_use_interactive_fds(ifconfig_t)
@@ -35648,7 +35741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -306,6 +328,8 @@
+@@ -306,6 +329,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -35657,7 +35750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -328,6 +352,8 @@
+@@ -328,6 +353,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 70a26a0..5d510e5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 24%{?dist}
+Release: 25%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,16 @@ exit 0
%endif
%changelog
+* Tue Jun 8 2010 Miroslav Grepl 3.7.19-25
+- Fixes for cmirrord policy
+- Dontaudit xauth to list inotifyfs filesystem.
+- Allow xserver to translate contexts.
+- Allow kdumpgui domain sys_admin capability
+- Allow vpnc to relabelfrom tun_socket
+- Allow prelink_cron_system_t to signal
+- Fixes for gitolite
+- Allow virt domain to read symbolic links in device directories
+
* Thu Jun 3 2010 Miroslav Grepl 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr