diff --git a/policy-F12.patch b/policy-F12.patch
index b0b998f..4fd3632 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -4816,7 +4816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-12-23 12:39:44.000000000 -0500
@@ -0,0 +1,60 @@
+policy_module(sambagui,1.0.0)
+
@@ -4833,7 +4833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+# system-config-samba local policy
+#
-+
++allow sambagui_t self:capability dac_override;
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+allow sambagui_t self:unix_dgram_socket create_socket_perms;
+
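Review bot: The new `allow sambagui_t self:capability dac_override;` gives the GUI tool a blanket bypass of discretionary file-permission checks with no comment saying which file access needs it. If the tool only has to read files it does not own, `dac_read_search` is the narrower capability; if it has to write, a why-comment naming the target such as `# dac_override: writes /etc/samba/smb.conf as a different owner -- confirm` would let the grant be re-evaluated later. The sambagui_t rule block continues outside the hunk.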
@@ -5078,8 +5078,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-12-21 14:31:10.000000000 -0500
-@@ -0,0 +1,336 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-12-23 12:55:36.000000000 -0500
+@@ -0,0 +1,338 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -5318,6 +5318,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
+
++kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t)
++
+dev_read_rand(sandbox_web_client_t)
+
+# Browse the web, connect to printer
@@ -7015,7 +7017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2009-12-23 07:51:15.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@@ -7875,22 +7877,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-12-18 15:27:02.000000000 -0500
-@@ -290,7 +290,7 @@
-
- ########################################
- ##
--## Read and write files on anon_inodefs
-+## Dontaudit Read and write files on anon_inodefs
- ## file systems.
- ##
- ##
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-12-23 12:11:00.000000000 -0500
@@ -310,6 +310,26 @@
########################################
##
-+## Dontaudit Read and write files on anon_inodefs
-+## file systems.
++## Do not audit attempts to read or write files on
++## anon_inodefs file systems.
+##
+##
+##
@@ -7904,7 +7897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ ')
+
-+ dontaudit $1 anon_inodefs_t:file { read write };
++ dontaudit $1 anon_inodefs_t:file rw_file_perms;
+')
+
+########################################
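Review bot: Switching the anon_inodefs dontaudit from `{ read write }` to `rw_file_perms` silences more than the interface summary promises, since in the reference policy that set also covers open, getattr, append, ioctl and lock. Because this is a dontaudit, the cost is lost diagnostics rather than new access, but an ioctl or lock denial on anon_inodefs would now disappear without trace. If the wider set is intended, the summary could say so: `## Do not audit read, write and related (open, ioctl, lock) attempts on anon_inodefs files.`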
@@ -7927,40 +7920,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#######################################
+##
-+## Create, read, write, and delete dirs
-+## on a configfs filesystem.
++## Create, read, write, and delete dirs
++## on a configfs filesystem.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`fs_manage_configfs_dirs',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
++ gen_require(`
++ type configfs_t;
++ ')
+
-+ manage_dirs_pattern($1,configfs_t,configfs_t)
++ manage_dirs_pattern($1, configfs_t, configfs_t)
+')
+
+#######################################
+##
-+## Create, read, write, and delete files
-+## on a configfs filesystem.
++## Create, read, write, and delete files
++## on a configfs filesystem.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`fs_manage_configfs_files',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
++ gen_require(`
++ type configfs_t;
++ ')
+
-+ manage_files_pattern($1,configfs_t,configfs_t)
++ manage_files_pattern($1, configfs_t, configfs_t)
+')
+
########################################
@@ -8061,7 +8054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type nfsd_fs_t;
+ ')
+
-+ allow $1 nfsd_fs_t:file getattr;
++ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
+########################################
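Review bot: Replacing `allow $1 nfsd_fs_t:file getattr;` with `getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)` is a small widening, because the pattern macro also grants `search_dir_perms` on nfsd_fs_t directories and the full `getattr_file_perms` set on the files, not bare getattr. That is presumably the intent for an interface that has to walk the nfsd filesystem, but the interface's description (outside the hunk) should mention the directory search so callers know what they get. The enclosing interface starts outside the hunk.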
@@ -8069,34 +8062,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write NFS server files.
##
##
-@@ -3971,3 +4102,159 @@
- relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
- relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
- ')
-+
-+########################################
-+##
-+## Do not audit attempts to read
-+## dirs on a CIFS or SMB filesystem.
+@@ -3572,6 +3703,122 @@
+
+ ########################################
+ ##
++## Mount a XENFS filesystem.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`fs_dontaudit_list_cifs_dirs',`
++interface(`fs_mount_xenfs',`
+ gen_require(`
-+ type cifs_t;
++ type xenfs_t;
+ ')
+
-+ dontaudit $1 cifs_t:dir list_dir_perms;
++ allow $1 xenfs_t:filesystem mount;
+')
+
-+
+########################################
+##
-+## Mount a XENFS filesystem.
++## Search the XENFS filesystem.
+##
+##
+##
@@ -8104,12 +8092,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+##
+#
-+interface(`fs_mount_xenfs',`
++interface(`fs_search_xenfs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
-+ allow $1 xenfs_t:filesystem mount;
++ allow $1 xenfs_t:dir search_dir_perms;
+')
+
+########################################
@@ -8194,6 +8182,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
+ ## Mount all filesystems.
+ ##
+ ##
+@@ -3971,3 +4218,175 @@
+ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
+ relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
+ ')
++
++########################################
++##
++## list dirs on cgroup
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_list_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ list_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++##
++## Do not audit attempts to read
++## dirs on a CIFS or SMB filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_list_cifs_dirs',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ dontaudit $1 cifs_t:dir list_dir_perms;
++')
++
++########################################
++##
+## Manage dirs on cgroup file systems.
+##
+##
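Review bot: `fs_list_cgroup_dirs` has a stray blank line inside its `gen_require` block, which none of the neighbouring interfaces in this hunk have, and its summary `list dirs on cgroup` is the only lowercase summary in the file section. Suggested: `## List directories on cgroup file systems.` and a `gen_require` of exactly `type cgroup_t;`. The rest of the hunk is a relocation of `fs_dontaudit_list_cifs_dirs` rather than new policy.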
@@ -8229,6 +8266,101 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
+')
++########################################
++##
++## Mount a cgroup filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem mount;
++')
++
++########################################
++##
++## Remount a cgroup filesystem This allows
++## some mount options to be changed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_remount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem remount;
++')
++
++########################################
++##
++## Unmount a cgroup file system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem unmount;
++')
++
++########################################
++##
++## Set attributes of files on cgroup
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_setattr_cgroup_files',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ setattr_files_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++##
++## Write files on cgroup
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_write_cgroup_files', `
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ write_files_pattern($1, cgroup_t, cgroup_t)
++')
++
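Review bot: `fs_write_cgroup_files` is documented only as "Write files on cgroup file systems", but cgroup_t covers the control files themselves, so a caller can presumably move tasks between cgroups or alter limits for any cgroup, not just its own; the description should warn callers to reserve this for cgroup management domains, e.g. `## Write cgroup control files. This allows the caller to change limits and task membership of cgroups; grant only to cgroup managers.` Two style nits in the same hunk: the `fs_mount_cgroup_fs` banner follows the previous interface's closing `')` with no separating blank line, and `fs_setattr_cgroup_files` and `fs_write_cgroup_files` each carry a stray blank line inside `gen_require`.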
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2009-12-17 11:20:45.000000000 -0500
@@ -8308,7 +8440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Rules for all filesystem types
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-12-23 12:55:00.000000000 -0500
@@ -485,6 +485,25 @@
########################################
@@ -10901,7 +11033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-22 08:42:28.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-23 07:13:32.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10949,7 +11081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,18 +90,34 @@
+@@ -75,18 +90,35 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -10980,11 +11112,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
+fs_read_fusefs_files(abrt_t)
++fs_read_nfs_files(abrt_t)
+fs_search_all(abrt_t)
sysnet_read_config(abrt_t)
-@@ -96,22 +127,90 @@
+@@ -96,22 +128,90 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -15219,7 +15352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-23 12:11:24.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -15281,7 +15414,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
-@@ -232,6 +244,7 @@
+@@ -191,6 +203,7 @@
+
+ fs_getattr_all_fs(cupsd_t)
+ fs_search_auto_mountpoints(cupsd_t)
++fs_search_fusefs(cupsd_t)
+ fs_read_anon_inodefs_files(cupsd_t)
+
+ mls_file_downgrade(cupsd_t)
+@@ -232,6 +245,7 @@
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
@@ -15289,7 +15430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_exec_script_files(cupsd_t)
init_read_utmp(cupsd_t)
-@@ -250,6 +263,7 @@
+@@ -250,6 +264,7 @@
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
@@ -15297,7 +15438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -317,6 +331,10 @@
+@@ -317,6 +332,10 @@
')
optional_policy(`
@@ -15308,7 +15449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
udev_read_db(cupsd_t)
')
-@@ -327,7 +345,7 @@
+@@ -327,7 +346,7 @@
allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
@@ -15317,7 +15458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-@@ -378,6 +396,8 @@
+@@ -378,6 +397,8 @@
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -15326,7 +15467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -407,6 +427,7 @@
+@@ -407,6 +428,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -15334,7 +15475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cups_stream_connect(cupsd_config_t)
-@@ -419,12 +440,15 @@
+@@ -419,12 +441,15 @@
')
optional_policy(`
@@ -15352,7 +15493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -446,6 +470,10 @@
+@@ -446,6 +471,10 @@
')
optional_policy(`
@@ -15363,7 +15504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_read_db(cupsd_config_t)
')
-@@ -457,6 +485,10 @@
+@@ -457,6 +486,10 @@
udev_read_db(cupsd_config_t)
')
@@ -15374,7 +15515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Cups lpd support
-@@ -542,6 +574,8 @@
+@@ -542,6 +575,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -15383,7 +15524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -556,11 +590,15 @@
+@@ -556,11 +591,15 @@
miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -15399,7 +15540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +639,9 @@
+@@ -601,6 +640,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -15409,7 +15550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -627,6 +668,7 @@
+@@ -627,6 +669,7 @@
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
@@ -15973,7 +16114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-22 15:39:34.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-23 12:50:16.000000000 -0500
@@ -56,7 +56,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -16046,7 +16187,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-@@ -260,3 +274,18 @@
+@@ -247,6 +261,7 @@
+ dovecot_stream_connect_auth(dovecot_deliver_t)
+
+ files_search_tmp(dovecot_deliver_t)
++files_search_var_log(dovecot_auth_t)
+
+ fs_getattr_all_fs(dovecot_deliver_t)
+
+@@ -260,3 +275,17 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
')
@@ -16064,7 +16213,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_manage_cifs_files(dovecot_t)
+ fs_manage_cifs_symlinks(dovecot_t)
+')
-+
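Review bot: The added `files_search_var_log(dovecot_auth_t)` sits in the middle of the dovecot_deliver_t rules (between `files_search_tmp(dovecot_deliver_t)` and `fs_getattr_all_fs(dovecot_deliver_t)`), so either the domain is a typo for `dovecot_deliver_t` or the line belongs in the dovecot_auth_t section earlier in the file. If the auth domain is really the one that needs /var/log, move the line next to the other dovecot_auth_t rules so the grant is not lost the next time this block is reorganised. The dovecot_deliver_t block starts outside the hunk.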
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.32/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/exim.te 2009-12-17 11:20:45.000000000 -0500
@@ -17271,13 +17419,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.6.32/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.fc 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.fc 2009-12-23 07:41:19.000000000 -0500
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
-+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
++/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.6.32/policy/modules/services/ksmtuned.if
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.if 2009-12-17 11:20:45.000000000 -0500
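Review bot: The relabel of the pid file from `ntpd_var_run_t` to `ksmtuned_var_run_t` only works if ksmtuned.te declares that type with `files_pid_file`, which is not visible here; worth confirming it was added in the same change. The path regex `/var/run/ksmtune\.pid` also drops the trailing `d` of the daemon name, so verify against the init script which basename is actually written, otherwise the file falls back to the generic var_run_t label and the fix is silent.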
@@ -17917,7 +18065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a generic signal to MySQL.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-23 12:06:27.000000000 -0500
@@ -1,6 +1,13 @@
policy_module(mysql, 1.11.0)
@@ -20519,7 +20667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-23 12:07:34.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -20537,13 +20685,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(policykit_t)
-@@ -57,32 +58,53 @@
+@@ -57,32 +58,54 @@
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+kernel_read_system_state(policykit_t)
kernel_read_kernel_sysctls(policykit_t)
++files_dontaudit_search_all_mountpoints(policykit_t)
files_read_etc_files(policykit_t)
files_read_usr_files(policykit_t)
@@ -20595,7 +20744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -92,21 +114,25 @@
+@@ -92,21 +115,25 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -20624,7 +20773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +145,14 @@
+@@ -119,6 +146,14 @@
hal_read_state(policykit_auth_t)
')
@@ -20639,7 +20788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# polkit_grant local policy
-@@ -126,7 +160,8 @@
+@@ -126,7 +161,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -20649,7 +20798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +191,12 @@
+@@ -156,9 +192,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -20663,7 +20812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +208,8 @@
+@@ -170,7 +209,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -28585,7 +28734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-21 17:51:39.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-23 09:07:45.000000000 -0500
@@ -34,6 +34,13 @@
##
@@ -29006,7 +29155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -460,10 +565,12 @@
+@@ -460,10 +565,13 @@
logging_read_generic_logs(xdm_t)
@@ -29016,12 +29165,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_fonts(xdm_t)
-
-sysnet_read_config(xdm_t)
++miscfiles_manage_fonts_cache(xdm_t)
+miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +579,10 @@
+@@ -472,6 +580,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
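Review bot: `miscfiles_manage_fonts_cache(xdm_t)` grants the display manager create and delete rights on the shared font cache, not just read, and nothing in the hunk says why a login manager needs that. A one-line why-comment would keep the grant reviewable, e.g. `# xdm regenerates the font cache (fc-cache) at session start -- confirm`. The xdm_t block continues outside the hunk.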
@@ -29032,7 +29182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,10 +615,12 @@
+@@ -504,10 +616,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -29045,7 +29195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -515,12 +628,47 @@
+@@ -515,12 +629,47 @@
')
optional_policy(`
@@ -29093,7 +29243,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t)
')
-@@ -535,6 +683,7 @@
+@@ -535,6 +684,7 @@
optional_policy(`
# Do not audit attempts to check whether user root has email
mta_dontaudit_getattr_spool_files(xdm_t)
@@ -29101,7 +29251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -542,6 +691,39 @@
+@@ -542,6 +692,39 @@
')
optional_policy(`
@@ -29141,7 +29291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +732,9 @@
+@@ -550,8 +733,9 @@
')
optional_policy(`
@@ -29153,7 +29303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +743,6 @@
+@@ -560,7 +744,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -29161,7 +29311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +753,10 @@
+@@ -571,6 +754,10 @@
')
optional_policy(`
@@ -29172,7 +29322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +773,9 @@
+@@ -587,10 +774,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -29184,7 +29334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +787,12 @@
+@@ -602,9 +788,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -29197,7 +29347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +804,14 @@
+@@ -616,13 +805,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -29213,7 +29363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +824,19 @@
+@@ -635,9 +825,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -29233,7 +29383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +870,6 @@
+@@ -671,7 +871,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -29241,7 +29391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -681,9 +879,12 @@
+@@ -681,9 +880,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -29255,7 +29405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +899,12 @@
+@@ -698,8 +900,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -29268,7 +29418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -721,6 +926,8 @@
+@@ -721,6 +927,8 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -29277,7 +29427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +950,7 @@
+@@ -743,7 +951,7 @@
')
ifdef(`enable_mls',`
@@ -29286,7 +29436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -775,12 +982,20 @@
+@@ -775,12 +983,20 @@
')
optional_policy(`
@@ -29308,7 +29458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t)
')
-@@ -807,12 +1022,12 @@
+@@ -807,12 +1023,12 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -29325,7 +29475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1043,14 @@
+@@ -828,9 +1044,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -29340,7 +29490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1065,14 @@
+@@ -845,11 +1066,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -29356,7 +29506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -882,6 +1105,8 @@
+@@ -882,6 +1106,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -29365,7 +29515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1131,8 @@
+@@ -906,6 +1132,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -29374,7 +29524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1200,49 @@
+@@ -973,17 +1201,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -31475,7 +31625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+permissive kdump_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-22 08:51:17.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-23 12:43:17.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -31683,7 +31833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat
#
-@@ -307,10 +309,115 @@
+@@ -307,10 +309,117 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@@ -31799,6 +31949,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-12-17 11:20:47.000000000 -0500
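Review bot: Labeling `/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so` and `/usr/local/games/darwinia/lib/libSDL.*\.so.*` as textrel_shlib_t permits execmod on those objects for every domain that maps them, which relaxes the text-relocation (W^X) protection for those processes; the two entries carry no hint of why that is needed. A comment above them such as `# presumably non-PIC builds; textrel_shlib_t only until the libraries are rebuilt with -fPIC` would record the rationale for the next person auditing textrel_shlib_t entries. The darwinia pattern `libSDL.*\.so.*` also matches every libSDL* variant in that directory, not only libSDL itself; if only one library actually needs text relocations, the pattern should be narrowed to it.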
@@ -32350,22 +32502,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2009-12-17 11:20:47.000000000 -0500
-@@ -41,6 +41,7 @@
-
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2009-12-23 09:06:30.000000000 -0500
+@@ -42,6 +42,7 @@
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-+/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
++/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+@@ -70,7 +71,7 @@
+
+ /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+
+-/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_t,s0)
++/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
+ /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+ /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-12-17 11:20:47.000000000 -0500
-@@ -87,6 +87,45 @@
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-12-23 09:06:09.000000000 -0500
+@@ -73,7 +73,8 @@
+ #
+ interface(`miscfiles_read_fonts',`
+ gen_require(`
+- type fonts_t;
++ type fonts_t, fonts_cache_t;
++
+ ')
- ########################################
- ##
+ # cjp: fonts can be in either of these dirs
+@@ -83,6 +84,49 @@
+ allow $1 fonts_t:dir list_dir_perms;
+ read_files_pattern($1, fonts_t, fonts_t)
+ read_lnk_files_pattern($1, fonts_t, fonts_t)
++
++ allow $1 fonts_cache_t:dir list_dir_perms;
++ read_files_pattern($1, fonts_cache_t, fonts_cache_t)
++ read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
++')
++
++########################################
++##
+## Set the attributes on a fonts directory.
+##
+##
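Review bot: The gen_require block of miscfiles_read_fonts now contains an empty line after `type fonts_t, fonts_cache_t;`, which looks like an editing leftover rather than the file's style; drop it so the require block reads like the others. Relabeling /var/cache/fontconfig from fonts_t to fonts_cache_t also means any domain that reached that directory through a fonts_t-only interface other than miscfiles_read_fonts (the setattr dontaudit on fonts_t dirs, for instance) no longer covers the cache, so the remaining fonts_t consumers in this file deserve a pass. A one-line comment next to the new rules, `# fontconfig keeps its cache under /var/cache/fontconfig (fonts_cache_t)`, would explain why the read interface touches two types.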
@@ -32401,14 +32580,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ dontaudit $1 fonts_t:dir setattr;
+ ')
+
+ ########################################
+@@ -128,6 +172,32 @@
+ manage_dirs_pattern($1, fonts_t, fonts_t)
+ manage_files_pattern($1, fonts_t, fonts_t)
+ manage_lnk_files_pattern($1, fonts_t, fonts_t)
++ miscfiles_manage_fonts_cache($1)
+')
+
+########################################
+##
- ## Do not audit attempts to write fonts.
- ##
- ##
-@@ -255,6 +294,25 @@
++## Create, read, write, and delete fonts cache.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`miscfiles_manage_fonts_cache',`
++ gen_require(`
++ type fonts_t;
++ ')
++
++ # cjp: fonts can be in either of these dirs
++ files_search_usr($1)
++ libs_search_lib($1)
++
++ manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
++ manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
++ manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ ')
+
+ ########################################
+@@ -255,6 +325,25 @@
########################################
##
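Review bot: `miscfiles_manage_fonts_cache` declares `type fonts_t;` in its gen_require while every rule in its body uses fonts_cache_t, so a module calling this interface will not have fonts_cache_t brought into scope and fonts_t is required for nothing; the line should read `type fonts_cache_t;`. The `# cjp: fonts can be in either of these dirs` comment together with `files_search_usr($1)` and `libs_search_lib($1)` is copied from the fonts interfaces, but the cache is labeled under /var/cache/fontconfig, so the comment is misleading here and a caller presumably needs to search /var (files_search_var) rather than /usr and /usr/lib to reach it. Note also that the unconditional `miscfiles_manage_fonts_cache($1)` call inside miscfiles_manage_fonts widens that interface for all of its existing callers, not just the xdm case named in the changelog.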
@@ -32434,7 +32642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to search man pages.
##
##
-@@ -268,7 +326,7 @@
+@@ -268,7 +357,7 @@
type man_t;
')
@@ -32445,7 +32653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.6.32/policy/modules/system/miscfiles.te
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.te 2009-12-17 11:20:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.te 2009-12-23 09:05:40.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(miscfiles, 1.7.0)
@@ -32453,6 +32661,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
+@@ -19,6 +19,9 @@
+ type fonts_t;
+ files_type(fonts_t)
+
++type fonts_cache_t;
++files_type(fonts_cache_t)
++
+ #
+ # type for /usr/share/hwdata
+ #
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.32/policy/modules/system/modutils.fc
--- nsaserefpolicy/policy/modules/system/modutils.fc 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/modutils.fc 2009-12-17 11:20:47.000000000 -0500
@@ -35283,7 +35501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-21 14:36:02.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-23 07:52:17.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -36329,7 +36547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -953,58 +1086,68 @@
+@@ -953,58 +1086,70 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -36346,12 +36564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- ifndef(`enable_mls',`
- fs_exec_noxattr($1_t)
-+ # Allow users to run TCP servers (bind to ports and accept connection from
-+ # the same domain and outside users) disabling this forces FTP passive mode
-+ # and may change other protocols
-+ tunable_policy(`user_tcp_server',`
-+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
-+ ')
++ fs_list_cgroup_dirs($1_usertype)
- tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
@@ -36361,12 +36574,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- storage_raw_write_removable_device($1_t)
- ',`
- storage_raw_read_removable_device($1_t)
-+ optional_policy(`
-+ cdrecord_role($1_r, $1_t)
++ # Allow users to run TCP servers (bind to ports and accept connection from
++ # the same domain and outside users) disabling this forces FTP passive mode
++ # and may change other protocols
++ tunable_policy(`user_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_usertype)
')
+
+ optional_policy(`
-+ cron_role($1_r, $1_t)
++ cdrecord_role($1_r, $1_t)
')
- tunable_policy(`user_dmesg',`
@@ -36374,7 +36590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- ',`
- kernel_dontaudit_read_ring_buffer($1_t)
+ optional_policy(`
-+ games_rw_data($1_usertype)
++ cron_role($1_r, $1_t)
')
- # Allow users to run TCP servers (bind to ports and accept connection from
@@ -36384,28 +36600,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
+ optional_policy(`
-+ gpg_role($1_r, $1_usertype)
++ games_rw_data($1_usertype)
')
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r)
- netutils_run_traceroute_cond($1_t,$1_r)
-+ gpm_stream_connect($1_usertype)
++ gpg_role($1_r, $1_usertype)
')
optional_policy(`
- postgresql_role($1_r,$1_t)
-+ execmem_role_template($1, $1_r, $1_t)
++ gpm_stream_connect($1_usertype)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
-+ java_role_template($1, $1_r, $1_t)
++ execmem_role_template($1, $1_r, $1_t)
')
optional_policy(`
- setroubleshoot_stream_connect($1_t)
++ java_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
+ ')
+
@@ -36428,7 +36648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -1040,7 +1183,7 @@
+@@ -1040,7 +1185,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -36437,7 +36657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1049,8 +1192,7 @@
+@@ -1049,8 +1194,7 @@
#
# Inherit rules for ordinary users.
@@ -36447,7 +36667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,6 +1217,9 @@
+@@ -1075,6 +1219,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -36457,7 +36677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1234,7 @@
+@@ -1089,6 +1236,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -36465,7 +36685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1096,8 +1242,6 @@
+@@ -1096,8 +1244,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -36474,7 +36694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1124,12 +1268,11 @@
+@@ -1124,12 +1270,11 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -36489,7 +36709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_all_terms($1_t)
auth_getattr_shadow($1_t)
-@@ -1152,20 +1295,6 @@
+@@ -1152,20 +1297,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -36510,7 +36730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1340,7 @@
+@@ -1211,6 +1342,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -36518,7 +36738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1276,11 +1406,15 @@
+@@ -1276,11 +1408,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -36534,7 +36754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1391,12 +1525,13 @@
+@@ -1391,12 +1527,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36549,7 +36769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1429,6 +1564,14 @@
+@@ -1429,6 +1566,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -36564,7 +36784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1444,9 +1587,11 @@
+@@ -1444,9 +1589,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -36576,7 +36796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1503,6 +1648,42 @@
+@@ -1503,6 +1650,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -36619,7 +36839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create directories in the home dir root with
-@@ -1577,6 +1758,8 @@
+@@ -1577,6 +1760,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36628,7 +36848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1619,6 +1802,24 @@
+@@ -1619,6 +1804,24 @@
########################################
##
@@ -36653,7 +36873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1670,6 +1871,7 @@
+@@ -1670,6 +1873,7 @@
type user_home_dir_t, user_home_t;
')
@@ -36661,7 +36881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1686,11 +1888,11 @@
+@@ -1686,11 +1890,11 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -36676,7 +36896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1797,19 +1999,32 @@
+@@ -1797,19 +2001,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -36716,7 +36936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1844,6 +2059,7 @@
+@@ -1844,6 +2061,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -36724,7 +36944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2196,7 +2412,7 @@
+@@ -2196,7 +2414,7 @@
########################################
##
@@ -36733,7 +36953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## temporary files.
##
##
-@@ -2205,21 +2421,40 @@
+@@ -2205,17 +2423,36 @@
##
##
#
@@ -36752,10 +36972,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-## Read user temporary symbolic links.
+## Do not audit attempts to manage users
+## temporary files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
+##
+##
@@ -36771,14 +36990,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+########################################
+##
+## Read user temporary symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
-@@ -2276,6 +2511,46 @@
+ ##
+ ##
+ ##
+@@ -2276,6 +2513,46 @@
########################################
##
## Create, read, write, and delete user
@@ -36825,7 +37040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## temporary symbolic links.
##
##
-@@ -2391,7 +2666,7 @@
+@@ -2391,7 +2668,7 @@
########################################
##
@@ -36834,7 +37049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2399,19 +2674,20 @@
+@@ -2399,19 +2676,20 @@
##
##
#
@@ -36858,7 +37073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2419,7 +2695,7 @@
+@@ -2419,7 +2697,7 @@
##
##
#
@@ -36867,7 +37082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
gen_require(`
type user_tmpfs_t;
')
-@@ -2430,6 +2706,26 @@
+@@ -2430,6 +2708,26 @@
fs_search_tmpfs($1)
')
@@ -36894,7 +37109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Get the attributes of a user domain tty.
-@@ -2749,7 +3045,7 @@
+@@ -2749,7 +3047,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -36903,7 +37118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2765,11 +3061,33 @@
+@@ -2765,11 +3063,33 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -36939,7 +37154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2897,7 +3215,43 @@
+@@ -2897,7 +3217,43 @@
type user_tmp_t;
')
@@ -36984,7 +37199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2934,6 +3288,7 @@
+@@ -2934,6 +3290,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -36992,7 +37207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3064,3 +3419,656 @@
+@@ -3064,3 +3421,656 @@
allow $1 userdomain:dbus send_msg;
')
@@ -37844,7 +38059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-12-17 11:20:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-12-23 08:59:21.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
@@ -38032,7 +38247,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)
-@@ -304,6 +351,7 @@
+@@ -282,6 +329,8 @@
+
+ files_read_usr_files(xenstored_t)
+
++fs_search_xenfs(xenstored_t)
++
+ storage_raw_read_fixed_disk(xenstored_t)
+ storage_raw_write_fixed_disk(xenstored_t)
+ storage_raw_read_removable_device(xenstored_t)
+@@ -304,6 +353,7 @@
#
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
@@ -38040,7 +38264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# internal communication is often done using fifo and unix sockets.
allow xm_t self:fifo_file rw_fifo_file_perms;
-@@ -312,24 +360,29 @@
+@@ -312,24 +362,29 @@
manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
@@ -38071,7 +38295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_runtime_files(xm_t)
files_read_usr_files(xm_t)
-@@ -339,15 +392,76 @@
+@@ -339,15 +394,76 @@
storage_raw_read_fixed_disk(xm_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9bff916..b899cbe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 63%{?dist}
+Release: 64%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,7 +449,18 @@ exit 0
%endif
%changelog
-* Tue Dec 21 2009 Dan Walsh 3.6.32-63
+* Wed Dec 23 2009 Dan Walsh 3.6.32-64
+- Update to Rawhide filesystem.if file
+- Allow abrt to read nfs
+- Allow cups to search fusefs
+- Allow dovecot_auth to search var_log
+- Fix label on ksmtuned.pid
+- Dontaudit policykit looking at mount points
+- Allow xdm to manage /var/cache/fontconfig
+- Allow xenstored to search xenfs
+
+
+* Tue Dec 22 2009 Dan Walsh 3.6.32-63
- Allow sendmail setpgid
- Allow dovecot to read nfs homedirs