diff --git a/policy-F14.patch b/policy-F14.patch
index b5b0f88..0fe1337 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -3027,8 +3027,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.9.7/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/gnome.fc 2011-03-18 13:32:25.005630001 +0000
-@@ -1,9 +1,31 @@
++++ serefpolicy-3.9.7/policy/modules/apps/gnome.fc 2011-03-18 16:54:24.232630000 +0000
+@@ -1,9 +1,33 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
@@ -3055,6 +3055,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
++/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
++
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
@@ -3064,7 +3066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.9.7/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/gnome.if 2011-02-25 17:40:39.098545596 +0000
++++ serefpolicy-3.9.7/policy/modules/apps/gnome.if 2011-03-18 16:41:57.494630000 +0000
@@ -37,8 +37,7 @@
########################################
@@ -3204,12 +3206,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+## Read generic cache home files (.cache)
+##
+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--template(`gnome_read_gconf_config',`
++##
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_read_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
@@ -3355,11 +3356,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+## read gconf config files
+##
+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-template(`gnome_read_gconf_config',`
+interface(`gnome_read_gconf_config',`
gen_require(`
type gconf_etc_t;
@@ -3462,7 +3464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
')
########################################
-@@ -151,40 +431,192 @@
+@@ -151,40 +431,213 @@
########################################
##
@@ -3493,7 +3495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
##
-## manage gnome homedir content (.config)
+## manage gconf home files
-+##
+ ##
+##
+##
+## Domain allowed access.
@@ -3512,7 +3514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+########################################
+##
+## Connect to gnome over an unix stream socket.
- ##
++##
+##
+##
+## Domain allowed access.
@@ -3548,8 +3550,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
gen_require(`
- type gnome_home_t;
+ type config_home_t;
-+ ')
-+
+ ')
+
+- allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
+ allow $1 config_home_t:dir list_dir_perms;
+')
+
@@ -3566,10 +3570,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+template(`gnome_setattr_home_config',`
+ gen_require(`
+ type config_home_t;
- ')
-
-- allow $1 gnome_home_t:dir manage_dir_perms;
-- allow $1 gnome_home_t:file manage_file_perms;
++ ')
++
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
userdom_search_user_home_dirs($1)
')
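Review bot: `gnome_setattr_home_config` is still declared with `template(` although its body only requires `config_home_t` and grants `setattr_dirs_pattern(...)` plus `userdom_search_user_home_dirs($1)`, which is exactly the situation this commit fixes for `gnome_read_gconf_config` by switching it to `interface(`; for consistency the declaration should read `interface(`gnome_setattr_home_config',`` as well. The `template(` line is a context line in this hunk, so this is an adjacent cleanup rather than something the hunk introduces, and the documentation block above the declaration begins outside the hunk.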
@@ -3667,9 +3669,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+ allow $1 gconfdefaultsm_t:dbus send_msg;
+ allow gconfdefaultsm_t $1:dbus send_msg;
+')
++
++######################################
++##
++## Allow manage kde config content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_usr_config',`
++ gen_require(`
++ type config_usr_t;
++ ')
++
++ files_search_usr($1)
++ manage_dirs_pattern($1, config_usr_t, config_usr_t)
++ manage_files_pattern($1, config_usr_t, config_usr_t)
++ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
++')
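Review bot: The summary for the new `gnome_manage_usr_config` reads `## Allow manage kde config content`, which neither matches the interface name nor states how broad the grant is: `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` on `config_usr_t` give the caller create, write, rename and delete rights over the whole `/usr/share/config(/.*)?` tree that gnome.fc labels in this same patch. A summary that says so, e.g. `## Create, read, write, rename and delete KDE configuration content under /usr/share/config (config_usr_t).`, lets a policy author see at the call site what they are handing out. The bare `##` lines under it presumably held the summary/param markup that was lost in this rendering, so the domain parameter description should be checked in the actual file.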
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.9.7/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/gnome.te 2011-02-25 17:40:39.098545596 +0000
++++ serefpolicy-3.9.7/policy/modules/apps/gnome.te 2011-03-18 16:33:37.244630000 +0000
@@ -6,11 +6,24 @@
#
@@ -3696,7 +3719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -30,12 +43,20 @@
+@@ -30,12 +43,24 @@
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
@@ -3707,6 +3730,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
++# type KDE /usr/share/config files
++type config_usr_t;
++files_type(config_usr_t)
++
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
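Review bot: The comment introducing the new type, `# type KDE /usr/share/config files`, is hard to parse and should say what the label is for and where it is applied, e.g. `# KDE's system-wide configuration tree (/usr/share/config, labelled in gnome.fc)`. Since `files_type(config_usr_t)` makes this an ordinary file type rather than a restricted one, a clause noting that this is intentional for /usr content would also help the next reader.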
@@ -3718,7 +3745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
##############################
#
# Local Policy
-@@ -75,3 +96,91 @@
+@@ -75,3 +100,91 @@
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -23663,6 +23690,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
+ dontaudit $1 gnomeclock_t:dbus send_msg;
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.9.7/policy/modules/services/gnomeclock.te
+--- nsaserefpolicy/policy/modules/services/gnomeclock.te 2010-10-12 20:42:49.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/gnomeclock.te 2011-03-18 16:32:35.811630000 +0000
+@@ -22,8 +22,11 @@
+ corecmd_exec_bin(gnomeclock_t)
+
+ files_read_etc_files(gnomeclock_t)
++files_read_etc_runtime_files(gnomeclock_t)
+ files_read_usr_files(gnomeclock_t)
+
++fs_getattr_xattr_fs(gnomeclock_t)
++
+ auth_use_nsswitch(gnomeclock_t)
+
+ clock_domtrans(gnomeclock_t)
+@@ -39,6 +42,14 @@
+ ')
+
+ optional_policy(`
++ gnome_manage_usr_config(gnomeclock_t)
++')
++
++optional_policy(`
++ ntp_domtrans_ntpdate(gnomeclock_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ policykit_domtrans_auth(gnomeclock_t)
+ policykit_read_lib(gnomeclock_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.if serefpolicy-3.9.7/policy/modules/services/gpm.if
--- nsaserefpolicy/policy/modules/services/gpm.if 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/gpm.if 2011-02-25 17:40:39.961524353 +0000
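Review bot: `gnome_manage_usr_config(gnomeclock_t)` gives the gnomeclock helper create, write, rename and delete rights over the entire `/usr/share/config` tree (config_usr_t, as labelled in gnome.fc in this same patch), and neither the hunk nor the changelog entry (`Additional fixes for gnomeclock policy`) records which file it actually needs. If the helper only rewrites an existing KDE config file, a read/write interface on config_usr_t would fit least privilege better than the full manage_* set; at minimum add a line above the call such as `# NOTE(review): confirm which /usr/share/config file gnomeclock writes; narrow from manage_* if it never creates or unlinks`. The `ntp_domtrans_ntpdate(gnomeclock_t)` block is the right shape for a confined transition but also deserves a one-line comment naming the operation it serves. This whole inner diff is added by the outer patch, so the surrounding gnomeclock.te context is only visible as far as its two inner hunks show.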
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1e67446..b35267e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 34%{?dist}
+Release: 35%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,9 @@ exit 0
%endif
%changelog
+* Fri Mar 18 2011 Miroslav Grepl 3.9.7-35
+- Additional fixes for gnomeclock policy
+
* Fri Mar 18 2011 Miroslav Grepl 3.9.7-34
- Add matahari policy
- Allow shutdown setsched and sys_nice