diff --git a/policy-F13.patch b/policy-F13.patch
index 6d6cfe8..8c8883e 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -15986,7 +15986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-12-01 12:34:56.153042674 +0100
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-12-21 07:41:01.483041039 +0100
@@ -19,11 +19,13 @@
# Declarations
#
@@ -16309,14 +16309,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
+ mta_signal(httpd_t)
-+')
-+
+ ')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
- ')
-
++')
++
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
@@ -16405,10 +16405,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +741,23 @@
+@@ -577,12 +741,29 @@
')
optional_policy(`
++ passenger_domtrans(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_read_lib_files(httpd_t)
++')
++
++optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
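Review bot: `passenger_manage_pid_content(httpd_t)` in the new optional_policy block reads as manage-level (create, write, unlink) access for httpd_t to Passenger's runtime files; the interface body is outside this hunk, so this is inferred from its name. If httpd only has to reach sockets that Passenger creates under `/var/run/passenger`, a narrower interface limited to searching the directory and writing the socket files would leave less for a compromised httpd_t to tamper with. If manage access really is required, a one-line comment above the call saying which files httpd itself creates there would help the next reviewer.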
@@ -16429,7 +16435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +766,11 @@
+@@ -591,6 +772,11 @@
')
optional_policy(`
@@ -16441,7 +16447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -618,6 +798,10 @@
+@@ -618,6 +804,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -16452,7 +16458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +883,18 @@
+@@ -699,17 +889,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -16474,7 +16480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +925,21 @@
+@@ -740,10 +931,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -16497,7 +16503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +965,12 @@
+@@ -769,6 +971,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -16510,7 +16516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -791,10 +993,15 @@
+@@ -791,10 +999,15 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -16526,7 +16532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1010,28 @@
+@@ -803,6 +1016,28 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -16555,7 +16561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1059,16 @@
+@@ -830,6 +1065,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -16572,7 +16578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1081,7 @@
+@@ -842,6 +1087,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -16580,7 +16586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1131,33 @@
+@@ -891,11 +1137,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -26216,7 +26222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.19/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-12-15 13:43:16.366042386 +0100
++++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-12-20 18:11:37.421042409 +0100
@@ -6,6 +6,65 @@
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
@@ -26266,7 +26272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/load -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
-+/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
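Review bot: The corrected entry still uses a shell-style glob, `/usr/share/munin/plugins/munin_*`, but file-context paths are anchored regular expressions, so `_*` means "zero or more underscores" and a plugin named, say, `munin_example` (constructed name) would not match it. Such files would fall through to the generic `/usr/share/munin/plugins/.*` entry and be labelled `munin_exec_t` instead of the plugin type. Write it like the neighbouring `nfs.*` entry: `/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)`. The same pattern appears in the passenger.fc hunk as `/var/log/passenger-*`, which should be `/var/log/passenger-.*`.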
@@ -28865,17 +28871,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.fc serefpolicy-3.7.19/policy/modules/services/passenger.fc
--- nsaserefpolicy/policy/modules/services/passenger.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/passenger.fc 2010-12-20 17:53:36.719051943 +0100
-@@ -0,0 +1,6 @@
++++ serefpolicy-3.7.19/policy/modules/services/passenger.fc 2010-12-21 07:51:14.801042403 +0100
+@@ -0,0 +1,16 @@
+
+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++
++/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
++/var/log/passenger-* -- gen_context(system_u:object_r:passenger_log_t,s0)
++
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.if serefpolicy-3.7.19/policy/modules/services/passenger.if
--- nsaserefpolicy/policy/modules/services/passenger.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/passenger.if 2010-12-20 17:53:36.719051943 +0100
++++ serefpolicy-3.7.19/policy/modules/services/passenger.if 2010-12-21 07:41:31.411042063 +0100
@@ -0,0 +1,67 @@
+## Passenger policy
+
@@ -28899,7 +28915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+ allow $1 passenger_t:process signal;
+
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
-+ allow $1 passenger_t:unix_stream_socket { read write shutdown };
++ allow $1 passenger_t:unix_stream_socket { read write connectto shutdown };
+ allow passenger_t $1:unix_stream_socket { read write };
+')
+
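Review bot: Adding `connectto` to `allow $1 passenger_t:unix_stream_socket` lets every caller of this transition interface connect to passenger_t's stream sockets, although the interface (presumably `passenger_domtrans`; its header is outside the hunk) is named for a domain transition only. The usual reference-policy shape is a separate connect interface built on `stream_connect_pattern`, which also covers the write permission on the socket file that a connect needs. At minimum the interface's `##` summary should mention the socket access, e.g. `## Execute passenger in the passenger domain and connect to it over a unix stream socket.`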
@@ -28946,8 +28962,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.te serefpolicy-3.7.19/policy/modules/services/passenger.te
--- nsaserefpolicy/policy/modules/services/passenger.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/passenger.te 2010-12-20 17:55:05.720041285 +0100
-@@ -0,0 +1,66 @@
++++ serefpolicy-3.7.19/policy/modules/services/passenger.te 2010-12-21 08:02:12.321042395 +0100
+@@ -0,0 +1,76 @@
+policy_module(passanger, 1.0.0)
+
+########################################
@@ -28964,6 +28980,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
++type passenger_log_t;
++logging_log_file(passenger_log_t)
++
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
@@ -28977,11 +28996,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+# passanger local policy
+#
+
-+allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
-+allow passenger_t self:process signal;
++allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
++allow passenger_t self:process { setpgid setsched sigkill signal };
++
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
++manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
++manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
++logging_log_filetrans(passenger_t, passenger_log_t, file)
++
+files_search_var_lib(passenger_t)
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
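Review bot: `logging_log_filetrans(passenger_t, passenger_log_t, file)` covers only regular files, while the same hunk grants `manage_dirs_pattern` on `passenger_log_t` and passenger.fc labels the whole `/var/log/passenger` tree. If Passenger creates that directory itself there is no type transition for it, so the creation is likely to be denied or to end up with the generic log type; `logging_log_filetrans(passenger_t, passenger_log_t, { file dir })` would match the `{ file dir sock_file }` form this file already uses for `files_pid_filetrans`. The widened capability line (`kill`, `sys_nice`) and `self:process { setpgid setsched sigkill signal }` would also benefit from a short comment naming the component that needs them, since passenger_t is entered from httpd_t.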
@@ -28992,6 +29016,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
++can_exec(passenger_t, passenger_exec_t)
++
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2522639..a806f54 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 77%{?dist}
+Release: 78%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ exit 0
%endif
%changelog
+* Tue Dec 21 2010 Miroslav Grepl 3.7.19-78
+- Fixes for passenger policy
+
* Mon Dec 20 2010 Miroslav Grepl 3.7.19-77
- Fixes for certmonger
- Backport passenger policy