diff --git a/policy-F14.patch b/policy-F14.patch
index d6da465..6659588 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -274,6 +274,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.9.7
#
# MCS policy for SELinux-enabled databases
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.if serefpolicy-3.9.7/policy/modules/admin/acct.if
+--- nsaserefpolicy/policy/modules/admin/acct.if 2010-10-12 22:42:51.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/admin/acct.if 2010-12-22 13:20:41.408042200 +0100
+@@ -78,3 +78,21 @@
+ manage_files_pattern($1, acct_data_t, acct_data_t)
+ manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
+ ')
++
++#######################################
++##
++## Dontaudit Attempts to list acct_data directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`acct_dontaudit_list_data',`
++ gen_require(`
++ type acct_data_t;
++ ')
++
++ dontaudit $1 acct_data_t:dir list_dir_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.9.7/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2010-10-12 22:42:51.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/admin/alsa.if 2010-11-05 14:02:26.400649407 +0100
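Review bot: The summary line of the new `acct_dontaudit_list_data` interface, `## Dontaudit Attempts to list acct_data directory`, is neither a sentence nor the phrasing the other interface summaries in this diff use (compare `## Send a generic signal to MySQL.`); I would write `## Do not audit attempts to list the acct_data directory.`. The body itself is fine: the single `dontaudit $1 acct_data_t:dir list_dir_perms;` only silences the denial and grants nothing, which matches the name.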
@@ -5545,8 +5570,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.9.7/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/apps/qemu.te 2010-11-05 14:02:26.477917104 +0100
-@@ -90,7 +90,9 @@
++++ serefpolicy-3.9.7/policy/modules/apps/qemu.te 2010-12-20 15:27:51.269051478 +0100
+@@ -55,6 +55,7 @@
+
+ userdom_search_user_home_content(qemu_t)
+ userdom_read_user_tmpfs_files(qemu_t)
++userdom_stream_connect(qemu_t)
+
+ tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+@@ -90,7 +91,9 @@
')
optional_policy(`
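Review bot: `userdom_stream_connect(qemu_t)` is added unconditionally, beside the always-on `userdom_search_user_home_content`/`userdom_read_user_tmpfs_files` rules and outside the `qemu_full_network` tunable that follows it, with no comment saying which user-domain socket qemu needs to reach. Because this widens what a guest-facing process may connect to, I would record the motivating case in place, e.g. `# connect to user stream sockets for <service - TODO confirm>`, so a later reader can judge whether it belongs under a tunable or an optional_policy. The remaining qemu.te hunks below only renumber.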
@@ -5557,7 +5590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
')
optional_policy(`
-@@ -102,6 +104,10 @@
+@@ -102,6 +105,10 @@
xen_rw_image_files(qemu_t)
')
@@ -5568,7 +5601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
########################################
#
# Unconfined qemu local policy
-@@ -112,6 +118,8 @@
+@@ -112,6 +119,8 @@
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
unconfined_domain(unconfined_qemu_t)
@@ -10780,7 +10813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.9.7/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/roles/staff.te 2010-12-15 14:43:23.494291455 +0100
++++ serefpolicy-3.9.7/policy/modules/roles/staff.te 2010-12-22 13:17:33.238042369 +0100
@@ -8,12 +8,48 @@
role staff_r;
@@ -10830,7 +10863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,25 +63,104 @@
+@@ -27,25 +63,108 @@
')
optional_policy(`
@@ -10863,6 +10896,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
+
+optional_policy(`
++ mysql_exec(staff_t)
++')
++
++optional_policy(`
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
+')
@@ -10937,7 +10974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
xserver_role(staff_r, staff_t)
-@@ -133,10 +248,6 @@
+@@ -133,10 +252,6 @@
')
optional_policy(`
@@ -13565,7 +13602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.9.7/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/apache.if 2010-11-05 14:02:26.584900257 +0100
++++ serefpolicy-3.9.7/policy/modules/services/apache.if 2010-12-22 13:21:57.145041696 +0100
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -13642,7 +13679,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
-@@ -108,19 +104,6 @@
+@@ -105,22 +101,10 @@
+
+ miscfiles_read_fonts(httpd_$1_script_t)
+ miscfiles_read_public_files(httpd_$1_script_t)
++ miscfiles_dontaudit_setattr_fonts_cache_dirs(httpd_$1_script_t)
seutil_dontaudit_search_config(httpd_$1_script_t)
@@ -13662,7 +13703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-@@ -140,26 +123,36 @@
+@@ -140,26 +124,36 @@
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -13699,7 +13740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_system_state(httpd_$1_script_t)
dev_read_urand(httpd_$1_script_t)
-@@ -172,6 +165,7 @@
+@@ -172,6 +166,7 @@
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
@@ -13707,7 +13748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -182,10 +176,6 @@
+@@ -182,10 +177,6 @@
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
@@ -13718,7 +13759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -211,16 +201,15 @@
+@@ -211,16 +202,15 @@
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
@@ -13738,7 +13779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-@@ -229,6 +218,13 @@
+@@ -229,6 +219,13 @@
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
@@ -13752,7 +13793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -243,6 +239,8 @@
+@@ -243,6 +240,8 @@
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
@@ -13761,7 +13802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -312,6 +310,25 @@
+@@ -312,6 +311,25 @@
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -13787,7 +13828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
#######################################
##
## Send a generic signal to apache.
-@@ -400,7 +417,7 @@
+@@ -400,7 +418,7 @@
type httpd_t;
')
@@ -13796,7 +13837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -482,7 +499,7 @@
+@@ -482,7 +500,7 @@
type httpd_cache_t;
')
@@ -13805,7 +13846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -526,6 +543,25 @@
+@@ -526,6 +544,25 @@
########################################
##
## Allow the specified domain to delete
@@ -13831,7 +13872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Apache cache.
##
##
-@@ -544,6 +580,27 @@
+@@ -544,6 +581,27 @@
########################################
##
@@ -13859,7 +13900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow the specified domain to read
## apache configuration files.
##
-@@ -694,7 +751,7 @@
+@@ -694,7 +752,7 @@
type httpd_log_t;
')
@@ -13868,7 +13909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -740,6 +797,25 @@
+@@ -740,6 +798,25 @@
########################################
##
@@ -13894,7 +13935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -756,6 +832,7 @@
+@@ -756,6 +833,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -13902,7 +13943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -814,6 +891,7 @@
+@@ -814,6 +892,7 @@
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -13910,7 +13951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_search_var($1)
')
-@@ -841,6 +919,74 @@
+@@ -841,6 +920,75 @@
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -13952,6 +13993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ ')
+
+ files_search_var($1)
++ apache_search_sys_content($1)
+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -13985,7 +14027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Execute all web scripts in the system
-@@ -857,7 +1003,11 @@
+@@ -857,7 +1005,11 @@
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -13998,7 +14040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -916,9 +1066,10 @@
+@@ -916,9 +1068,10 @@
##
##
##
@@ -14010,7 +14052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -945,7 +1096,7 @@
+@@ -945,7 +1098,7 @@
type httpd_squirrelmail_t;
')
@@ -14019,7 +14061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1086,6 +1237,25 @@
+@@ -1086,6 +1239,25 @@
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -14045,7 +14087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Dontaudit attempts to write
-@@ -1102,7 +1272,7 @@
+@@ -1102,7 +1274,7 @@
type httpd_tmp_t;
')
@@ -14054,7 +14096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1165,17 +1335,14 @@
+@@ -1165,17 +1337,14 @@
#
interface(`apache_admin',`
gen_require(`
@@ -14076,7 +14118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1186,10 +1353,10 @@
+@@ -1186,10 +1355,10 @@
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -14089,7 +14131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1200,14 +1367,43 @@
+@@ -1200,14 +1369,43 @@
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -23831,15 +23873,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.9.7/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/milter.fc 2010-11-05 14:02:26.708655241 +0100
-@@ -1,3 +1,6 @@
++++ serefpolicy-3.9.7/policy/modules/services/milter.fc 2010-12-20 15:03:06.213042299 +0100
+@@ -1,10 +1,15 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-@@ -5,6 +8,7 @@
+
++/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
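Review bot: The new `/var/lib/dkim-milter(/.*)?` entry labels with `dkim_milter_data_t`, but no milter.te hunk in this diff declares that type, and the existing `dkim_milter_exec_t`/`dkim_milter_private_key_t` entries above it are context, not additions. If the patch already declares `dkim_milter_data_t` next to those types nothing is needed; otherwise the file-context entry references an undeclared type and the policy build will reject it. Either way a one-line `# dkim-milter state, see milter.te` above the block would make the pairing visible to the next reviewer.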
@@ -25685,8 +25728,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+miscfiles_read_localization(munin_plugin_domain)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.9.7/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mysql.if 2010-11-05 14:02:26.731900350 +0100
-@@ -73,6 +73,7 @@
++++ serefpolicy-3.9.7/policy/modules/services/mysql.if 2010-12-22 13:16:48.806042370 +0100
+@@ -18,6 +18,24 @@
+ domtrans_pattern($1, mysqld_exec_t, mysqld_t)
+ ')
+
++#####################################
++##
++## Execute MySQL in the coller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_exec',`
++ gen_require(`
++ type mysqld_exec_t;
++ ')
++
++ can_exec($1, mysqld_exec_t)
++')
++
+ ########################################
+ ##
+ ## Send a generic signal to MySQL.
+@@ -73,6 +91,7 @@
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
')
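Review bot: The summary of the new `mysql_exec` interface has a typo, `## Execute MySQL in the coller domain.` should read `## Execute MySQL in the caller domain.`. Its header rule is also 37 `#` characters, while the interface directly below it in the same file uses the 40-character `########################################`; matching that keeps the file uniform. The rule itself, `can_exec($1, mysqld_exec_t)`, does exactly what the (corrected) summary says: the binary runs in the caller's domain with no transition, which is presumably what the staff.te change wants.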
@@ -25694,7 +25762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
-@@ -252,7 +253,7 @@
+@@ -252,7 +271,7 @@
')
logging_search_logs($1)
@@ -25703,7 +25771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
######################################
-@@ -329,10 +330,9 @@
+@@ -329,10 +348,9 @@
#
interface(`mysql_admin',`
gen_require(`
@@ -25717,7 +25785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +343,17 @@
+@@ -343,13 +361,17 @@
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@@ -27098,17 +27166,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads
files_etc_filetrans(pads_t, pads_config_t, file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.fc serefpolicy-3.9.7/policy/modules/services/passenger.fc
--- nsaserefpolicy/policy/modules/services/passenger.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/passenger.fc 2010-11-05 14:02:26.750899875 +0100
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.9.7/policy/modules/services/passenger.fc 2010-12-22 13:14:36.720042389 +0100
+@@ -0,0 +1,16 @@
+
+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++
++/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
++/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
++
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.if serefpolicy-3.9.7/policy/modules/services/passenger.if
--- nsaserefpolicy/policy/modules/services/passenger.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/passenger.if 2010-11-05 14:02:26.750899875 +0100
++++ serefpolicy-3.9.7/policy/modules/services/passenger.if 2010-12-22 13:14:36.720042389 +0100
@@ -0,0 +1,67 @@
+## Passenger policy
+
@@ -27132,7 +27210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+ allow $1 passenger_t:process signal;
+
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
-+ allow $1 passenger_t:unix_stream_socket { read write shutdown };
++ allow $1 passenger_t:unix_stream_socket { read write connectto shutdown };
+ allow passenger_t $1:unix_stream_socket { read write };
+')
+
@@ -27179,8 +27257,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.te serefpolicy-3.9.7/policy/modules/services/passenger.te
--- nsaserefpolicy/policy/modules/services/passenger.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/passenger.te 2010-11-05 14:02:26.751900858 +0100
-@@ -0,0 +1,66 @@
++++ serefpolicy-3.9.7/policy/modules/services/passenger.te 2010-12-22 13:14:36.720042389 +0100
+@@ -0,0 +1,76 @@
+policy_module(passanger, 1.0.0)
+
+########################################
@@ -27197,6 +27275,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
++type passenger_log_t;
++logging_log_file(passenger_log_t)
++
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
@@ -27210,11 +27291,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+# passanger local policy
+#
+
-+allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
-+allow passenger_t self:process signal;
++allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
++allow passenger_t self:process { setpgid setsched sigkill signal };
++
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
++manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
++manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
++logging_log_filetrans(passenger_t, passenger_log_t, file)
++
+files_search_var_lib(passenger_t)
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
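Review bot: `logging_log_filetrans(passenger_t, passenger_log_t, file)` only relabels files passenger creates directly under /var/log, yet the new passenger.fc entry `/var/log/passenger(/.*)?` and the `manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)` above it suggest a directory; if the daemon creates /var/log/passenger itself at runtime it will come out as var_log_t. The pid rule in the next hunk already takes `{ file dir sock_file }`, so the parallel form here would be `logging_log_filetrans(passenger_t, passenger_log_t, { file dir })` — confirm against how passenger actually creates its log directory. The widened `self:capability` line (`kill`, `sys_nice` added, `dac_override` kept) would also benefit from a short comment naming which agent needs each, since the list is now broad for one domain.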
@@ -27225,6 +27311,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
++can_exec(passenger_t, passenger_exec_t)
++
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+
@@ -38362,7 +38450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.9.7/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.te 2010-11-18 11:00:04.226398724 +0100
++++ serefpolicy-3.9.7/policy/modules/services/xserver.te 2010-12-22 13:21:17.650042380 +0100
@@ -26,27 +26,50 @@
#
@@ -38966,7 +39054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -503,12 +707,24 @@
+@@ -503,12 +707,28 @@
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@@ -38980,6 +39068,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ accountsd_read_lib_files(xdm_t)
+')
+
++optional_policy(`
++ acct_dontaudit_list_data(xdm_t)
++')
++
optional_policy(`
alsa_domtrans(xdm_t)
+ alsa_read_rw_config(xdm_t)
@@ -38991,7 +39083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -516,12 +732,49 @@
+@@ -516,12 +736,49 @@
')
optional_policy(`
@@ -39041,7 +39133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -539,28 +792,63 @@
+@@ -539,28 +796,63 @@
')
optional_policy(`
@@ -39114,7 +39206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -572,6 +860,10 @@
+@@ -572,6 +864,10 @@
')
optional_policy(`
@@ -39125,7 +39217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +888,7 @@
+@@ -596,7 +892,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -39134,7 +39226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,6 +902,14 @@
+@@ -610,6 +906,14 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -39149,7 +39241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +929,19 @@
+@@ -629,12 +933,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -39171,7 +39263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +949,7 @@
+@@ -642,6 +953,7 @@
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -39179,7 +39271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -668,7 +976,6 @@
+@@ -668,7 +980,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -39187,7 +39279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,11 +985,17 @@
+@@ -678,11 +989,17 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -39205,7 +39297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -693,8 +1006,13 @@
+@@ -693,8 +1010,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -39219,7 +39311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1034,14 @@
+@@ -716,11 +1038,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -39234,7 +39326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1094,28 @@
+@@ -773,12 +1098,28 @@
')
optional_policy(`
@@ -39264,7 +39356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1124,10 @@
+@@ -787,6 +1128,10 @@
')
optional_policy(`
@@ -39275,7 +39367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1143,10 @@
+@@ -802,10 +1147,10 @@
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -39289,7 +39381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1154,7 @@
+@@ -813,7 +1158,7 @@
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -39298,7 +39390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -826,6 +1167,9 @@
+@@ -826,6 +1171,9 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -39308,7 +39400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1177,11 @@
+@@ -833,6 +1181,11 @@
fs_manage_nfs_symlinks(xserver_t)
')
@@ -39320,7 +39412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1190,14 @@
+@@ -841,11 +1194,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -39337,7 +39429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -853,6 +1205,10 @@
+@@ -853,6 +1209,10 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -39348,7 +39440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
########################################
#
# Rules common to all X window domains
-@@ -896,7 +1252,7 @@
+@@ -896,7 +1256,7 @@
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -39357,7 +39449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1306,31 @@
+@@ -950,11 +1310,31 @@
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -39389,7 +39481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -976,18 +1352,32 @@
+@@ -976,18 +1356,32 @@
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -44389,7 +44481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.9.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.te 2010-12-15 15:18:40.209041681 +0100
++++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.te 2010-12-20 16:32:49.331042277 +0100
@@ -22,6 +22,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -44532,7 +44624,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -405,6 +423,10 @@
+@@ -380,6 +398,8 @@
+ selinux_compute_relabel_context(run_init_t)
+ selinux_compute_user_contexts(run_init_t)
+
++term_use_console(run_init_t)
++
+ auth_use_nsswitch(run_init_t)
+ auth_domtrans_chk_passwd(run_init_t)
+ auth_domtrans_upd_passwd(run_init_t)
+@@ -405,6 +425,10 @@
')
')
@@ -44543,7 +44644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -420,61 +442,22 @@
+@@ -420,61 +444,22 @@
# semodule local policy
#
@@ -44613,7 +44714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -483,12 +466,23 @@
+@@ -483,12 +468,23 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -44637,7 +44738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -498,112 +492,54 @@
+@@ -498,112 +494,54 @@
userdom_read_user_tmp_files(semanage_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0e5efa9..d5b2b38 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 18%{?dist}
+Release: 19%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Wed Dec 22 2010 Miroslav Grepl 3.9.7-19
+- Fixes for passenger policy
+- Allow staff user to execute mysql
+
* Thu Dec 16 2010 Miroslav Grepl 3.9.7-18
- Other fixes for munin plugins policy