rpms/selinux-policy/F-12 policy-F12.patch, 1.152, 1.153 selinux-policy.spec, 1.980, 1.981

Daniel J Walsh dwalsh at fedoraproject.org
Thu Dec 10 21:38:25 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22917

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Thu Dec 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-58
- Dontaudit udp_socket leaks for xauth_t


policy-F12.patch:
 Makefile                                  |    2 
 policy/flask/access_vectors               |    1 
 policy/global_tunables                    |   24 
 policy/mcs                                |   10 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    3 
 policy/modules/admin/brctl.te             |    2 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.te       |    3 
 policy/modules/admin/dmesg.fc             |    2 
 policy/modules/admin/dmesg.te             |   10 
 policy/modules/admin/firstboot.te         |    6 
 policy/modules/admin/kismet.fc            |    2 
 policy/modules/admin/kismet.te            |   13 
 policy/modules/admin/logrotate.te         |   27 
 policy/modules/admin/logwatch.te          |    8 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.te          |    2 
 policy/modules/admin/ntop.fc              |    5 
 policy/modules/admin/ntop.if              |  158 ++
 policy/modules/admin/ntop.te              |   40 
 policy/modules/admin/portage.te           |    2 
 policy/modules/admin/prelink.fc           |    1 
 policy/modules/admin/prelink.if           |   23 
 policy/modules/admin/prelink.te           |   77 +
 policy/modules/admin/readahead.te         |    1 
 policy/modules/admin/rpm.fc               |   21 
 policy/modules/admin/rpm.if               |  344 ++++++
 policy/modules/admin/rpm.te               |   98 +
 policy/modules/admin/shorewall.fc         |    6 
 policy/modules/admin/shorewall.if         |   40 
 policy/modules/admin/shorewall.te         |    9 
 policy/modules/admin/smoltclient.fc       |    4 
 policy/modules/admin/smoltclient.if       |    1 
 policy/modules/admin/smoltclient.te       |   66 +
 policy/modules/admin/sudo.if              |   13 
 policy/modules/admin/tmpreaper.te         |   10 
 policy/modules/admin/tzdata.te            |    2 
 policy/modules/admin/usermanage.if        |   11 
 policy/modules/admin/usermanage.te        |   35 
 policy/modules/admin/vbetool.te           |   14 
 policy/modules/admin/vpn.te               |    4 
 policy/modules/apps/calamaris.te          |    7 
 policy/modules/apps/chrome.fc             |    2 
 policy/modules/apps/chrome.if             |   86 +
 policy/modules/apps/chrome.te             |   78 +
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/execmem.fc            |   42 
 policy/modules/apps/execmem.if            |   80 +
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |   23 
 policy/modules/apps/firewallgui.te        |   64 +
 policy/modules/apps/gitosis.if            |   45 
 policy/modules/apps/gnome.fc              |   12 
 policy/modules/apps/gnome.if              |  170 +++
 policy/modules/apps/gnome.te              |   99 +
 policy/modules/apps/gpg.te                |   20 
 policy/modules/apps/java.fc               |   24 
 policy/modules/apps/java.if               |  114 +-
 policy/modules/apps/java.te               |   19 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   67 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |   52 
 policy/modules/apps/livecd.te             |   27 
 policy/modules/apps/loadkeys.te           |    6 
 policy/modules/apps/mono.fc               |    2 
 policy/modules/apps/mono.if               |  101 +
 policy/modules/apps/mono.te               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |   68 +
 policy/modules/apps/mozilla.te            |   28 
 policy/modules/apps/nsplugin.fc           |   11 
 policy/modules/apps/nsplugin.if           |  323 +++++
 policy/modules/apps/nsplugin.te           |  295 +++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |   93 +
 policy/modules/apps/openoffice.te         |   11 
 policy/modules/apps/podsleuth.te          |    4 
 policy/modules/apps/ptchown.if            |   25 
 policy/modules/apps/pulseaudio.if         |    2 
 policy/modules/apps/pulseaudio.te         |   13 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |  189 +++
 policy/modules/apps/qemu.te               |   85 +
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   60 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  188 +++
 policy/modules/apps/sandbox.te            |  331 +++++
 policy/modules/apps/screen.if             |    8 
 policy/modules/apps/sectoolm.fc           |    6 
 policy/modules/apps/sectoolm.if           |    3 
 policy/modules/apps/sectoolm.te           |  120 ++
 policy/modules/apps/seunshare.fc          |    2 
 policy/modules/apps/seunshare.if          |   81 +
 policy/modules/apps/seunshare.te          |   43 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |   24 
 policy/modules/apps/wine.if               |  115 ++
 policy/modules/apps/wine.te               |   34 
 policy/modules/kernel/corecommands.fc     |   45 
 policy/modules/kernel/corecommands.if     |   21 
 policy/modules/kernel/corenetwork.te.in   |   46 
 policy/modules/kernel/devices.fc          |   13 
 policy/modules/kernel/devices.if          |  309 +++++
 policy/modules/kernel/devices.te          |   25 
 policy/modules/kernel/domain.if           |  170 ++-
 policy/modules/kernel/domain.te           |   89 +
 policy/modules/kernel/files.fc            |    5 
 policy/modules/kernel/files.if            |  417 +++++++
 policy/modules/kernel/files.te            |    6 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  256 ++++
 policy/modules/kernel/filesystem.te       |   16 
 policy/modules/kernel/kernel.if           |   98 +
 policy/modules/kernel/kernel.te           |   32 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    2 
 policy/modules/kernel/storage.if          |    3 
 policy/modules/kernel/terminal.fc         |    1 
 policy/modules/kernel/terminal.if         |   65 +
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/staff.te             |  124 --
 policy/modules/roles/sysadm.te            |  127 --
 policy/modules/roles/unconfineduser.fc    |    8 
 policy/modules/roles/unconfineduser.if    |  667 +++++++++++
 policy/modules/roles/unconfineduser.te    |  450 ++++++++
 policy/modules/roles/unprivuser.te        |  127 --
 policy/modules/roles/xguest.te            |   74 +
 policy/modules/services/abrt.fc           |    6 
 policy/modules/services/abrt.if           |  102 +
 policy/modules/services/abrt.te           |  116 +-
 policy/modules/services/afs.fc            |    1 
 policy/modules/services/afs.te            |    3 
 policy/modules/services/aisexec.fc        |   12 
 policy/modules/services/aisexec.if        |  106 +
 policy/modules/services/aisexec.te        |  112 +
 policy/modules/services/amavis.te         |    2 
 policy/modules/services/apache.fc         |   57 -
 policy/modules/services/apache.if         |  410 ++++---
 policy/modules/services/apache.te         |  453 ++++++--
 policy/modules/services/apm.te            |    6 
 policy/modules/services/arpwatch.te       |    2 
 policy/modules/services/asterisk.if       |   39 
 policy/modules/services/asterisk.te       |   25 
 policy/modules/services/automount.te      |    2 
 policy/modules/services/avahi.te          |   10 
 policy/modules/services/bind.if           |   40 
 policy/modules/services/bitlbee.te        |    2 
 policy/modules/services/bluetooth.if      |   21 
 policy/modules/services/bluetooth.te      |   11 
 policy/modules/services/ccs.fc            |    8 
 policy/modules/services/ccs.te            |   33 
 policy/modules/services/certmaster.fc     |    3 
 policy/modules/services/certmaster.te     |    2 
 policy/modules/services/chronyd.fc        |   11 
 policy/modules/services/chronyd.if        |  105 +
 policy/modules/services/chronyd.te        |   67 +
 policy/modules/services/clamav.te         |   18 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   98 +
 policy/modules/services/clogd.te          |   62 +
 policy/modules/services/cobbler.fc        |    2 
 policy/modules/services/cobbler.if        |   44 
 policy/modules/services/cobbler.te        |    5 
 policy/modules/services/consolekit.fc     |    3 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   25 
 policy/modules/services/corosync.fc       |   13 
 policy/modules/services/corosync.if       |  108 +
 policy/modules/services/corosync.te       |  109 +
 policy/modules/services/courier.if        |   18 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |   74 +
 policy/modules/services/cron.te           |   84 +
 policy/modules/services/cups.fc           |   13 
 policy/modules/services/cups.te           |   51 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    1 
 policy/modules/services/dbus.if           |   54 
 policy/modules/services/dbus.te           |   25 
 policy/modules/services/dcc.te            |    8 
 policy/modules/services/ddclient.if       |   25 
 policy/modules/services/devicekit.fc      |    2 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |   60 -
 policy/modules/services/dnsmasq.te        |   12 
 policy/modules/services/dovecot.fc        |    1 
 policy/modules/services/dovecot.te        |   31 
 policy/modules/services/exim.te           |    5 
 policy/modules/services/fail2ban.if       |   21 
 policy/modules/services/fail2ban.te       |    2 
 policy/modules/services/fetchmail.te      |    3 
 policy/modules/services/fprintd.te        |    5 
 policy/modules/services/ftp.te            |   60 -
 policy/modules/services/git.fc            |    8 
 policy/modules/services/git.if            |  286 +++++
 policy/modules/services/git.te            |  166 ++
 policy/modules/services/gpm.te            |    3 
 policy/modules/services/gpsd.fc           |    5 
 policy/modules/services/gpsd.if           |   27 
 policy/modules/services/gpsd.te           |   14 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.if            |   18 
 policy/modules/services/hal.te            |   51 
 policy/modules/services/howl.te           |    2 
 policy/modules/services/inetd.fc          |    2 
 policy/modules/services/inetd.te          |    4 
 policy/modules/services/irqbalance.te     |    4 
 policy/modules/services/kerberos.if       |    6 
 policy/modules/services/kerberos.te       |   16 
 policy/modules/services/kerneloops.te     |    2 
 policy/modules/services/ksmtuned.fc       |    5 
 policy/modules/services/ksmtuned.if       |   76 +
 policy/modules/services/ksmtuned.te       |   46 
 policy/modules/services/ktalk.te          |    1 
 policy/modules/services/lircd.fc          |    2 
 policy/modules/services/lircd.if          |    9 
 policy/modules/services/lircd.te          |   24 
 policy/modules/services/mailman.te        |    4 
 policy/modules/services/memcached.te      |    2 
 policy/modules/services/milter.if         |    2 
 policy/modules/services/modemmanager.te   |    5 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   32 
 policy/modules/services/mta.te            |   36 
 policy/modules/services/munin.fc          |    3 
 policy/modules/services/munin.te          |    3 
 policy/modules/services/mysql.te          |    9 
 policy/modules/services/nagios.fc         |   20 
 policy/modules/services/nagios.if         |   89 +
 policy/modules/services/nagios.te         |  106 +
 policy/modules/services/networkmanager.fc |   15 
 policy/modules/services/networkmanager.if |   65 +
 policy/modules/services/networkmanager.te |  117 +-
 policy/modules/services/nis.fc            |    5 
 policy/modules/services/nis.if            |   87 +
 policy/modules/services/nis.te            |   13 
 policy/modules/services/nscd.if           |   18 
 policy/modules/services/nscd.te           |   21 
 policy/modules/services/nslcd.if          |    8 
 policy/modules/services/ntop.fc           |    1 
 policy/modules/services/ntop.te           |   20 
 policy/modules/services/ntp.if            |   46 
 policy/modules/services/ntp.te            |    8 
 policy/modules/services/nut.fc            |   16 
 policy/modules/services/nut.if            |   58 +
 policy/modules/services/nut.te            |  188 +++
 policy/modules/services/nx.fc             |   10 
 policy/modules/services/nx.if             |   67 +
 policy/modules/services/nx.te             |   13 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/oddjob.te         |    5 
 policy/modules/services/openvpn.te        |    2 
 policy/modules/services/pcscd.if          |   41 
 policy/modules/services/pcscd.te          |    4 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/plymouth.fc       |    5 
 policy/modules/services/plymouth.if       |  304 +++++
 policy/modules/services/plymouth.te       |  102 +
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   71 +
 policy/modules/services/policykit.te      |   67 -
 policy/modules/services/portreserve.te    |    1 
 policy/modules/services/postfix.fc        |    2 
 policy/modules/services/postfix.if        |  150 ++
 policy/modules/services/postfix.te        |  142 ++
 policy/modules/services/postgresql.fc     |   16 
 policy/modules/services/postgresql.if     |   43 
 policy/modules/services/postgresql.te     |    9 
 policy/modules/services/ppp.if            |    6 
 policy/modules/services/ppp.te            |   16 
 policy/modules/services/prelude.te        |    3 
 policy/modules/services/privoxy.fc        |    3 
 policy/modules/services/privoxy.te        |    3 
 policy/modules/services/procmail.te       |   12 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/radvd.te          |    1 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |    8 
 policy/modules/services/rgmanager.if      |   59 +
 policy/modules/services/rgmanager.te      |   83 +
 policy/modules/services/rhcs.fc           |   22 
 policy/modules/services/rhcs.if           |  348 ++++++
 policy/modules/services/rhcs.te           |  394 +++++++
 policy/modules/services/ricci.te          |   30 
 policy/modules/services/rpc.if            |    7 
 policy/modules/services/rpc.te            |   19 
 policy/modules/services/rpcbind.if        |   20 
 policy/modules/services/rpcbind.te        |    1 
 policy/modules/services/rsync.te          |   23 
 policy/modules/services/rtkit.if          |   20 
 policy/modules/services/rtkit.te          |    4 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  104 +
 policy/modules/services/samba.te          |   89 +
 policy/modules/services/sasl.te           |   15 
 policy/modules/services/sendmail.if       |  137 ++
 policy/modules/services/sendmail.te       |   87 +
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  124 ++
 policy/modules/services/setroubleshoot.te |   83 +
 policy/modules/services/smartmon.te       |   15 
 policy/modules/services/snmp.if           |   38 
 policy/modules/services/snmp.te           |    4 
 policy/modules/services/snort.te          |    1 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |   89 +
 policy/modules/services/spamassassin.te   |  139 ++
 policy/modules/services/squid.te          |    9 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |  207 +++
 policy/modules/services/ssh.te            |  155 ++
 policy/modules/services/sssd.fc           |    5 
 policy/modules/services/sssd.if           |   62 +
 policy/modules/services/sssd.te           |   15 
 policy/modules/services/sysstat.te        |    5 
 policy/modules/services/tftp.fc           |    2 
 policy/modules/services/tgtd.fc           |    3 
 policy/modules/services/tgtd.if           |   28 
 policy/modules/services/tgtd.te           |   69 +
 policy/modules/services/tor.te            |   13 
 policy/modules/services/tuned.fc          |    6 
 policy/modules/services/tuned.if          |  140 ++
 policy/modules/services/tuned.te          |   58 +
 policy/modules/services/uucp.te           |   10 
 policy/modules/services/vhostmd.fc        |    6 
 policy/modules/services/vhostmd.if        |  228 ++++
 policy/modules/services/vhostmd.te        |   87 +
 policy/modules/services/virt.fc           |   14 
 policy/modules/services/virt.if           |  210 +++
 policy/modules/services/virt.te           |  276 ++++
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   45 
 policy/modules/services/xserver.if        |  637 ++++++++++-
 policy/modules/services/xserver.te        |  368 +++++-
 policy/modules/services/zebra.if          |   20 
 policy/modules/system/application.if      |   20 
 policy/modules/system/application.te      |   12 
 policy/modules/system/authlogin.fc        |    9 
 policy/modules/system/authlogin.if        |  210 +++
 policy/modules/system/authlogin.te        |   11 
 policy/modules/system/fstools.fc          |    3 
 policy/modules/system/fstools.te          |    7 
 policy/modules/system/init.fc             |    7 
 policy/modules/system/init.if             |  163 ++
 policy/modules/system/init.te             |  290 +++--
 policy/modules/system/ipsec.fc            |    7 
 policy/modules/system/ipsec.if            |   45 
 policy/modules/system/ipsec.te            |   75 +
 policy/modules/system/iptables.fc         |   17 
 policy/modules/system/iptables.if         |   97 +
 policy/modules/system/iptables.te         |   22 
 policy/modules/system/iscsi.if            |   40 
 policy/modules/system/iscsi.te            |    8 
 policy/modules/system/kdump.te            |    5 
 policy/modules/system/libraries.fc        |  184 ++-
 policy/modules/system/libraries.if        |    5 
 policy/modules/system/libraries.te        |   18 
 policy/modules/system/locallogin.te       |   30 
 policy/modules/system/logging.fc          |   12 
 policy/modules/system/logging.if          |   20 
 policy/modules/system/logging.te          |   38 
 policy/modules/system/lvm.if              |   39 
 policy/modules/system/lvm.te              |   31 
 policy/modules/system/miscfiles.fc        |    1 
 policy/modules/system/miscfiles.if        |   60 +
 policy/modules/system/miscfiles.te        |    2 
 policy/modules/system/modutils.fc         |    1 
 policy/modules/system/modutils.if         |   46 
 policy/modules/system/modutils.te         |   56 
 policy/modules/system/mount.fc            |    7 
 policy/modules/system/mount.if            |   82 +
 policy/modules/system/mount.te            |   86 +
 policy/modules/system/raid.fc             |    2 
 policy/modules/system/raid.te             |    8 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  309 +++++
 policy/modules/system/selinuxutil.te      |  229 +---
 policy/modules/system/setrans.if          |   20 
 policy/modules/system/sysnetwork.fc       |   10 
 policy/modules/system/sysnetwork.if       |  114 +-
 policy/modules/system/sysnetwork.te       |   79 +
 policy/modules/system/udev.fc             |    3 
 policy/modules/system/udev.if             |   39 
 policy/modules/system/udev.te             |   39 
 policy/modules/system/unconfined.fc       |   15 
 policy/modules/system/unconfined.if       |  443 -------
 policy/modules/system/unconfined.te       |  224 ---
 policy/modules/system/userdomain.fc       |    7 
 policy/modules/system/userdomain.if       | 1685 +++++++++++++++++++++++-------
 policy/modules/system/userdomain.te       |   51 
 policy/modules/system/xen.fc              |    6 
 policy/modules/system/xen.if              |   47 
 policy/modules/system/xen.te              |  144 ++
 policy/support/obj_perm_sets.spt          |   31 
 policy/users                              |   13 
 407 files changed, 20787 insertions(+), 2822 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.152
retrieving revision 1.153
diff -u -p -r1.152 -r1.153
--- policy-F12.patch	9 Dec 2009 19:53:38 -0000	1.152
+++ policy-F12.patch	10 Dec 2009 21:38:24 -0000	1.153
@@ -666,8 +666,34 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.32/policy/modules/admin/prelink.if
 --- nsaserefpolicy/policy/modules/admin/prelink.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/prelink.if	2009-12-03 13:45:10.000000000 -0500
-@@ -151,11 +151,11 @@
++++ serefpolicy-3.6.32/policy/modules/admin/prelink.if	2009-12-10 15:16:57.000000000 -0500
+@@ -21,6 +21,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute the prelink program in the current domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`prelink_exec',`
++	gen_require(`
++		type prelink_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, prelink_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Execute the prelink program in the prelink domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -151,11 +170,11 @@
  ##	</summary>
  ## </param>
  #
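Review bot: the new `prelink_exec` interface lets the caller run the prelink binary in its own domain (`can_exec($1, prelink_exec_t)`), so no transition to the prelink domain takes place and everything prelink does runs with the caller's own permissions; the `<summary>` should say that explicitly, because the interface immediately below it ("Execute the prelink program in the prelink domain.") is the transition variant and a policy author choosing between the two needs the difference spelled out where the two summaries sit side by side.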
@@ -3635,7 +3661,7 @@ diff -b -B --ignore-all-space --exclude-
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te	2009-12-03 13:45:10.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te	2009-12-10 16:33:27.000000000 -0500
 @@ -59,6 +59,7 @@
  manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
  manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -3694,7 +3720,7 @@ diff -b -B --ignore-all-space --exclude-
  
  xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
  xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -231,11 +233,15 @@
+@@ -231,11 +233,20 @@
  optional_policy(`
  	dbus_system_bus_client(mozilla_t)
  	dbus_session_bus_client(mozilla_t)
@@ -3707,10 +3733,15 @@ diff -b -B --ignore-all-space --exclude-
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++	pulseaudio_exec(mozilla_t)
++	pulseaudio_stream_connect(mozilla_t)
  ')
  
  optional_policy(`
-@@ -256,5 +262,10 @@
+@@ -256,5 +267,10 @@
  ')
  
  optional_policy(`
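Review bot: `pulseaudio_exec(mozilla_t)` runs the pulseaudio binary inside mozilla_t instead of transitioning it to its own domain, so a server the browser starts inherits the browser's permissions and any denials it triggers are logged against mozilla_t; the new block carries no comment, so add one saying the in-domain execution is deliberate, otherwise the next reader is likely to swap it for a domain transition while cleaning up.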
@@ -4065,7 +4096,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te	2009-12-03 13:45:10.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te	2009-12-10 15:41:45.000000000 -0500
 @@ -0,0 +1,295 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -7282,7 +7313,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if	2009-12-05 18:26:09.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if	2009-12-10 10:34:27.000000000 -0500
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -9979,8 +10010,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2009-12-09 10:12:44.000000000 -0500
-@@ -0,0 +1,449 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2009-12-10 15:25:20.000000000 -0500
+@@ -0,0 +1,450 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -10155,6 +10186,7 @@ diff -b -B --ignore-all-space --exclude-
 +	optional_policy(`
 +		xserver_rw_shm(unconfined_usertype)
 +		xserver_run_xauth(unconfined_usertype, unconfined_r)
++		xserver_xdm_dbus_chat(unconfined_usertype)
 +	')
 +')
 +
@@ -10843,7 +10875,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2009-12-06 09:56:21.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2009-12-10 13:05:08.000000000 -0500
 @@ -33,12 +33,24 @@
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
@@ -10923,7 +10955,7 @@ diff -b -B --ignore-all-space --exclude-
  
  sysnet_read_config(abrt_t)
  
-@@ -96,22 +124,84 @@
+@@ -96,22 +124,90 @@
  miscfiles_read_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
@@ -10931,10 +10963,8 @@ diff -b -B --ignore-all-space --exclude-
 -# read ~/.abrt/Bugzilla.conf
 -userdom_read_user_home_content_files(abrt_t)
 +userdom_dontaudit_read_user_home_content_files(abrt_t)
- 
- optional_policy(`
--	dbus_connect_system_bus(abrt_t)
--	dbus_system_bus_client(abrt_t)
++
++optional_policy(`
 +	dbus_system_domain(abrt_t, abrt_exec_t)
 +')
 +
@@ -10952,6 +10982,14 @@ diff -b -B --ignore-all-space --exclude-
 +	policykit_domtrans_auth(abrt_t)
 +	policykit_read_lib(abrt_t)
 +	policykit_read_reload(abrt_t)
++')
+ 
+ optional_policy(`
+-	dbus_connect_system_bus(abrt_t)
+-	dbus_system_bus_client(abrt_t)
++	prelink_exec(abrt_t)
++	libs_exec_ld_so(abrt_t)
++	corecmd_exec_all_executables(abrt_t)
  ')
  
  # to install debuginfo packages 
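Review bot: `corecmd_exec_all_executables(abrt_t)` is a broad grant (every executable type the corecommands module defines becomes runnable inside abrt_t) and it sits in the same `optional_policy` block as `prelink_exec(abrt_t)`, so it is silently dropped whenever the prelink module is absent and applied whenever it is present, independent of what abrt itself needs. Move the two base-policy calls, `libs_exec_ld_so(abrt_t)` and `corecmd_exec_all_executables(abrt_t)`, out of the prelink block, and add a comment stating what abrt has to run that needs all executables; if the answer is only prelink and ld.so for examining crashed binaries, the two specific interfaces already present make the blanket rule unnecessary.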
@@ -13919,7 +13957,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te	2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te	2009-12-10 15:36:16.000000000 -0500
 @@ -21,7 +21,7 @@
  # consolekit local policy
  #
@@ -13929,11 +13967,12 @@ diff -b -B --ignore-all-space --exclude-
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -59,16 +59,21 @@
+@@ -59,16 +59,22 @@
  term_use_all_terms(consolekit_t)
  
  auth_use_nsswitch(consolekit_t)
 +auth_manage_pam_console_data(consolekit_t)
++auth_dontaudit_write_login_records(consolekit_t)
  
  init_telinit(consolekit_t)
  init_rw_utmp(consolekit_t)
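Review bot: `auth_dontaudit_write_login_records(consolekit_t)` suppresses the denial rather than settling whether consolekit should be writing login records at all, and it lands two lines above the existing `init_rw_utmp(consolekit_t)` grant, so a comment naming the code path that still attempts the write, and why refusing it is harmless, would stop the dontaudit from masking a genuine regression later.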
@@ -13951,7 +13990,7 @@ diff -b -B --ignore-all-space --exclude-
  userdom_read_user_tmp_files(consolekit_t)
  
  hal_ptrace(consolekit_t)
-@@ -84,9 +89,12 @@
+@@ -84,9 +90,12 @@
  ')
  
  optional_policy(`
@@ -13965,7 +14004,7 @@ diff -b -B --ignore-all-space --exclude-
  		hal_dbus_chat(consolekit_t)
  	')
  
-@@ -100,6 +108,7 @@
+@@ -100,6 +109,7 @@
  ')
  
  optional_policy(`
@@ -13973,7 +14012,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(consolekit_t)
  	policykit_read_lib(consolekit_t)
  	policykit_read_reload(consolekit_t)
-@@ -108,10 +117,21 @@
+@@ -108,10 +118,21 @@
  optional_policy(`
  	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
@@ -15478,9 +15517,20 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_sigchld_newrole(dnsmasq_t)
  ')
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.32/policy/modules/services/dovecot.fc
+--- nsaserefpolicy/policy/modules/services/dovecot.fc	2009-09-16 10:01:19.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.fc	2009-12-10 13:09:30.000000000 -0500
+@@ -34,6 +34,7 @@
+ 
+ /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+ 
++/var/log/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_log_t,s0)
+ /var/log/dovecot\.log.*			gen_context(system_u:object_r:dovecot_var_log_t,s0)
+ 
+ /var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2009-12-10 13:13:04.000000000 -0500
 @@ -56,7 +56,7 @@
  
  allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -15490,7 +15540,18 @@ diff -b -B --ignore-all-space --exclude-
  allow dovecot_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_t self:tcp_socket create_stream_socket_perms;
  allow dovecot_t self:unix_dgram_socket create_socket_perms;
-@@ -103,6 +103,7 @@
+@@ -73,8 +73,9 @@
+ 
+ can_exec(dovecot_t, dovecot_exec_t)
+ 
++manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+ manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+-logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
++logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
+ 
+ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+ manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -103,6 +104,7 @@
  dev_read_urand(dovecot_t)
  
  fs_getattr_all_fs(dovecot_t)
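Review bot: manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) in the +73,9 hunk is wider than the new `logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })` needs: manage includes rmdir, rename and reparent on every dovecot_var_log_t directory, whereas the change only has to let dovecot create its /var/log/dovecot directory and write files inside it. If that is the whole requirement, create_dirs_pattern next to the existing manage_files_pattern would be the tighter rule. Also keep in mind that the dir type_transition applies to any directory dovecot_t creates directly under /var/log, not only one named dovecot, so the name is enforced only by the new fc entry at relabel time.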
@@ -15498,7 +15559,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_search_auto_mountpoints(dovecot_t)
  fs_list_inotifyfs(dovecot_t)
  
-@@ -142,6 +143,10 @@
+@@ -142,6 +144,10 @@
  ')
  
  optional_policy(`
@@ -15509,7 +15570,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -159,7 +164,7 @@
+@@ -159,7 +165,7 @@
  #
  
  allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
@@ -15518,7 +15579,7 @@ diff -b -B --ignore-all-space --exclude-
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -220,15 +225,23 @@
+@@ -220,15 +226,23 @@
  ')
  
  optional_policy(`
@@ -15542,7 +15603,7 @@ diff -b -B --ignore-all-space --exclude-
  allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
-@@ -260,3 +273,14 @@
+@@ -260,3 +274,14 @@
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
  ')
@@ -15644,7 +15705,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.32/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/fprintd.te	2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/fprintd.te	2009-12-10 15:34:43.000000000 -0500
 @@ -37,6 +37,8 @@
  files_read_etc_files(fprintd_t)
  files_read_usr_files(fprintd_t)
@@ -15654,12 +15715,13 @@ diff -b -B --ignore-all-space --exclude-
  auth_use_nsswitch(fprintd_t)
  
  miscfiles_read_localization(fprintd_t)
-@@ -51,5 +53,7 @@
+@@ -51,5 +53,8 @@
  optional_policy(`
  	policykit_read_reload(fprintd_t)
  	policykit_read_lib(fprintd_t)
 +	policykit_dbus_chat(fprintd_t)
  	policykit_domtrans_auth(fprintd_t)
++	policykit_dbus_chat_auth(fprintd_t)
  ')
 +
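Review bot: policykit_dbus_chat_auth(fprintd_t) in the +51,8 hunk calls an interface that is introduced by this same patch in policykit.if, so the two hunks have to land together; because the call is inside the policykit optional_policy block a build without that module still succeeds. Note that the interface grants more than dbus send_msg: as defined further down it also gives policykit_auth_t ps_process_pattern access to the caller, so polkit's auth agent can read fprintd_t's process state. A short comment here saying which polkit interaction of fprintd needed the auth agent (rather than policykit_t, which already has dbus chat on the line above) would document the reason.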
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
@@ -16423,8 +16485,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te	2009-12-03 13:45:11.000000000 -0500
-@@ -55,6 +55,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/hal.te	2009-12-10 11:28:12.000000000 -0500
+@@ -55,13 +55,16 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
  
@@ -16434,6 +16496,14 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Local policy
+ #
+ 
+ # execute openvt which needs setuid
+-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
++allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice sys_resource dac_override dac_read_search mknod sys_rawio sys_tty_config };
+ dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+ allow hald_t self:process { getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
 @@ -100,7 +103,9 @@
  kernel_rw_irq_sysctls(hald_t)
  kernel_rw_vm_sysctls(hald_t)
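Review bot: the sys_resource capability added to `allow hald_t self:capability { ... sys_nice sys_resource dac_override ... }` is explained neither by the comment above the rule ("execute openvt which needs setuid") nor by the changelog entry, which only records the xauth udp_socket dontaudit. CAP_SYS_RESOURCE lets the daemon raise its own rlimits and override several kernel limits, so the hal operation that produced the denial should be named in a comment beside the rule and the addition listed in the changelog; otherwise nobody can later tell whether the capability is still required.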
@@ -18289,10 +18359,31 @@ diff -b -B --ignore-all-space --exclude-
 +	manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
  ')
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.6.32/policy/modules/services/ntop.fc
+--- nsaserefpolicy/policy/modules/services/ntop.fc	2009-09-16 10:01:19.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ntop.fc	2009-12-10 11:04:30.000000000 -0500
+@@ -1,7 +1,6 @@
+ /etc/ntop(/.*)?			gen_context(system_u:object_r:ntop_etc_t,s0)
+ 
+ /usr/bin/ntop		--	gen_context(system_u:object_r:ntop_exec_t,s0)
+-/usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:ntop_http_content_t,s0)
+ 
+ /var/lib/ntop(/.*)?		gen_context(system_u:object_r:ntop_var_lib_t,s0)
+ /var/run/ntop\.pid	--	gen_context(system_u:object_r:ntop_var_run_t,s0)
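Review bot: dropping the `/usr/share/ntop/html(/.*)?` entry together with the ntop_http_content_t type means that on systems already installed with the previous policy those files carry a context whose type no longer exists; the kernel treats such inodes as unlabeled until they are relabelled, and ntop_t will then be denied reading its own web content. The package upgrade path should run restorecon on /usr/share/ntop (or the spec should trigger a relabel of that path) so the tree picks up the default /usr/share label.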
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.6.32/policy/modules/services/ntop.te
 --- nsaserefpolicy/policy/modules/services/ntop.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ntop.te	2009-12-03 13:45:11.000000000 -0500
-@@ -37,7 +37,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/ntop.te	2009-12-10 11:04:34.000000000 -0500
+@@ -14,9 +14,6 @@
+ type ntop_etc_t;
+ files_config_file(ntop_etc_t)
+ 
+-type ntop_http_content_t;
+-files_type(ntop_http_content_t)
+-
+ type ntop_tmp_t;
+ files_tmp_file(ntop_tmp_t)
+ 
+@@ -37,15 +34,14 @@
  allow ntop_t self:fifo_file rw_fifo_file_perms;
  allow ntop_t self:tcp_socket create_stream_socket_perms;
  allow ntop_t self:udp_socket create_socket_perms;
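Review bot: removing `type ntop_http_content_t;` / `files_type(ntop_http_content_t)` (and, in the following hunk, the list_dir_perms and read_files_pattern rules that used it) is only safe if ntop_t can read /usr/share/ntop/html under its new default label; this hunk does not show the replacement access, so confirm that a generic read of /usr/share content (for example files_read_usr_files(ntop_t)) is present elsewhere in ntop.te before merging, or the web UI will fail with AVC denials.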
@@ -18302,7 +18393,15 @@ diff -b -B --ignore-all-space --exclude-
  
  allow ntop_t ntop_etc_t:dir list_dir_perms;
  read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
-@@ -57,6 +59,8 @@
+ read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t)
+ 
+-allow ntop_t ntop_http_content_t:dir list_dir_perms;
+-read_files_pattern(ntop_t, ntop_http_content_t, ntop_http_content_t)
+-
+ manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+ manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t)
+ files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
+@@ -57,6 +53,8 @@
  manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
  files_pid_filetrans(ntop_t, ntop_var_run_t, file)
  
@@ -18311,7 +18410,7 @@ diff -b -B --ignore-all-space --exclude-
  kernel_read_network_state(ntop_t)
  kernel_read_kernel_sysctls(ntop_t)
  kernel_list_proc(ntop_t)
-@@ -72,12 +76,17 @@
+@@ -72,12 +70,17 @@
  corenet_raw_sendrecv_generic_node(ntop_t)
  corenet_tcp_sendrecv_all_ports(ntop_t)
  corenet_udp_sendrecv_all_ports(ntop_t)
@@ -18329,7 +18428,7 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_getattr_all_fs(ntop_t)
  fs_search_auto_mountpoints(ntop_t)
-@@ -85,6 +94,7 @@
+@@ -85,6 +88,7 @@
  logging_send_syslog_msg(ntop_t)
  
  miscfiles_read_localization(ntop_t)
@@ -18337,7 +18436,7 @@ diff -b -B --ignore-all-space --exclude-
  
  sysnet_read_config(ntop_t)
  
-@@ -92,6 +102,10 @@
+@@ -92,6 +96,10 @@
  userdom_dontaudit_search_user_home_dirs(ntop_t)
  
  optional_policy(`
@@ -18743,21 +18842,24 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc
 --- nsaserefpolicy/policy/modules/services/nx.fc	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/nx.fc	2009-12-03 13:45:11.000000000 -0500
-@@ -1,7 +1,12 @@
++++ serefpolicy-3.6.32/policy/modules/services/nx.fc	2009-12-10 11:22:15.000000000 -0500
+@@ -1,7 +1,15 @@
  /opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
-+/opt/NX/home/nx(/.*)?			gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
- 
--/opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-+/var/lib/nxserver/home/.ssh(/.*)?  	gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-+/var/lib/nxserver(/.*)? 		gen_context(system_u:object_r:nx_server_var_lib_t,s0)
  
++/opt/NX/home(/.*)?				gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+ /opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+-
  /opt/NX/var(/.*)?			gen_context(system_u:object_r:nx_server_var_run_t,s0)
  
- /usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
++/usr/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
++
++/usr/NX/home(/.*)?			gen_context(system_u:object_r:nx_server_var_lib_t,s0)
++/usr/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
 +
-+/usr/NX/home/nx(/.*)?			gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
++/var/lib/nxserver/home/.ssh(/.*)?  	gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
++/var/lib/nxserver(/.*)? 		gen_context(system_u:object_r:nx_server_var_lib_t,s0)
 +
+ /usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
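Review bot: the re-added `/var/lib/nxserver/home/.ssh(/.*)?` entry leaves the dot in `.ssh` unescaped while every other entry in this hunk writes `\.ssh`; as a regex it therefore also matches any single character in that position and is inconsistent with the rest of the file. The same line mixes spaces and a tab before gen_context. The rest of the hunk is a good tightening: `/opt/NX/home(/.*)?` now gets nx_server_var_lib_t with only the `\.ssh` subtree keeping nx_server_home_ssh_t, and the new /usr/NX entries follow the same split.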
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
 --- nsaserefpolicy/policy/modules/services/nx.if	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/nx.if	2009-12-03 13:45:11.000000000 -0500
@@ -19075,8 +19177,8 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/plymouth(/.*)?				gen_context(system_u:object_r:plymouthd_var_run_t, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if
 --- nsaserefpolicy/policy/modules/services/plymouth.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if	2009-12-03 13:45:11.000000000 -0500
-@@ -0,0 +1,286 @@
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.if	2009-12-10 15:27:49.000000000 -0500
+@@ -0,0 +1,304 @@
 +## <summary>policy for plymouthd</summary>
 +
 +########################################
@@ -19099,6 +19201,24 @@ diff -b -B --ignore-all-space --exclude-
 +
 +########################################
 +## <summary>
++##	Execute a plymoth in the current domain
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`plymouth_exec', `
++	gen_require(`
++		type plymouthd_exec_t;
++	')
++
++	can_exec($1, plymouthd_exec_t)
++')
++
++########################################
++## <summary>
 +##	Execute a domain transition to run plymouthd.
 +## </summary>
 +## <param name="domain">
@@ -19365,8 +19485,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
 --- nsaserefpolicy/policy/modules/services/plymouth.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te	2009-12-03 13:45:11.000000000 -0500
-@@ -0,0 +1,101 @@
++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te	2009-12-10 15:31:04.000000000 -0500
+@@ -0,0 +1,102 @@
 +policy_module(plymouthd, 1.0.0)
 +
 +########################################
@@ -19425,6 +19545,7 @@ diff -b -B --ignore-all-space --exclude-
 +files_read_usr_files(plymouthd_t)
 +
 +miscfiles_read_localization(plymouthd_t)
++miscfiles_read_fonts(plymouthd_t)
 +
 +manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t,  plymouthd_var_run_t)
 +manage_files_pattern(plymouthd_t, plymouthd_var_run_t,  plymouthd_var_run_t)
@@ -19488,8 +19609,8 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.32/policy/modules/services/policykit.if
 --- nsaserefpolicy/policy/modules/services/policykit.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.if	2009-12-03 13:45:11.000000000 -0500
-@@ -17,6 +17,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/policykit.if	2009-12-10 15:31:52.000000000 -0500
+@@ -17,12 +17,37 @@
  		class dbus send_msg;
  	')
  
@@ -19498,7 +19619,36 @@ diff -b -B --ignore-all-space --exclude-
  	allow $1 policykit_t:dbus send_msg;
  	allow policykit_t $1:dbus send_msg;
  ')
-@@ -62,6 +64,9 @@
+ 
+ ########################################
+ ## <summary>
++##	Send and receive messages from
++##	policykit over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`policykit_dbus_chat_auth',`
++	gen_require(`
++		type policykit_auth_t;
++		class dbus send_msg;
++	')
++
++	ps_process_pattern(policykit_auth_t, $1)
++
++	allow $1 policykit_auth_t:dbus send_msg;
++	allow policykit_auth_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+ ##	Execute a domain transition to run polkit_auth.
+ ## </summary>
+ ## <param name="domain">
+@@ -62,6 +87,9 @@
  
  	policykit_domtrans_auth($1)
  	role $2 types policykit_auth_t;
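Review bot: the summary added for policykit_dbus_chat_auth repeats the wording of policykit_dbus_chat ("Send and receive messages from policykit over dbus") although its target is policykit_auth_t, and it does not mention that the interface also grants ps_process_pattern(policykit_auth_t, $1), i.e. the auth agent may read the caller's process state, which is more than dbus chat. Suggest `##	Send and receive messages from polkit auth agent over dbus` plus a sentence about the process read access, so callers such as fprintd_t know what they are granting.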
@@ -19508,7 +19658,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -206,4 +211,47 @@
+@@ -206,4 +234,47 @@
  
  	files_search_var_lib($1)
  	read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
@@ -19558,7 +19708,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te	2009-12-09 09:05:31.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te	2009-12-10 10:38:47.000000000 -0500
 @@ -36,11 +36,12 @@
  # policykit local policy
  #
@@ -19634,7 +19784,7 @@ diff -b -B --ignore-all-space --exclude-
  
  rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
  
-@@ -92,12 +114,14 @@
+@@ -92,21 +114,25 @@
  manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
  
@@ -19642,16 +19792,19 @@ diff -b -B --ignore-all-space --exclude-
 -
  files_read_etc_files(policykit_auth_t)
  files_read_usr_files(policykit_auth_t)
- 
++files_search_home(policykit_auth_t)
++
 +fs_getattr_all_fs(polkit_auth_t)
 +fs_search_tmpfs(polkit_auth_t)
-+
+ 
  auth_use_nsswitch(policykit_auth_t)
 +auth_domtrans_chk_passwd(policykit_auth_t)
  
  logging_send_syslog_msg(policykit_auth_t)
  
-@@ -106,7 +130,7 @@
+ miscfiles_read_localization(policykit_auth_t)
++miscfiles_read_fonts(policykit_auth_t)
+ 
  userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
  
  optional_policy(`
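Review bot: the two context lines `fs_getattr_all_fs(polkit_auth_t)` and `fs_search_tmpfs(polkit_auth_t)`, now sitting right after the new files_search_home(policykit_auth_t), use polkit_auth_t while every other rule in this hunk uses policykit_auth_t. Unless polkit_auth_t is a declared alias those two rules will not compile, and even if it is, the canonical type name should be used for consistency. Separately, files_search_home(policykit_auth_t) has no comment saying which home-directory lookup the auth agent performs; recording it would help when the rule is revisited.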
@@ -19660,7 +19813,7 @@ diff -b -B --ignore-all-space --exclude-
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -119,6 +143,14 @@
+@@ -119,6 +145,14 @@
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -19675,7 +19828,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # polkit_grant local policy
-@@ -126,7 +158,8 @@
+@@ -126,7 +160,8 @@
  
  allow policykit_grant_t self:capability setuid;
  allow policykit_grant_t self:process getattr;
@@ -19685,7 +19838,7 @@ diff -b -B --ignore-all-space --exclude-
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -156,9 +189,12 @@
+@@ -156,9 +191,12 @@
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -19699,7 +19852,7 @@ diff -b -B --ignore-all-space --exclude-
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -170,7 +206,8 @@
+@@ -170,7 +208,8 @@
  
  allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
  allow policykit_resolve_t self:process getattr;
@@ -26357,21 +26510,22 @@ diff -b -B --ignore-all-space --exclude-
 +/var/lib/nxserver/home/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.if	2009-12-05 06:43:26.000000000 -0500
-@@ -74,6 +74,12 @@
++++ serefpolicy-3.6.32/policy/modules/services/xserver.if	2009-12-10 15:23:11.000000000 -0500
+@@ -74,6 +74,13 @@
  
  	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
  
 +ifdef(`hide_broken_symptoms', `
 +	dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
 +	dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
++	dontaudit iceauth_t $2:udp_socket rw_socket_perms;
 +	fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
 +')
 +
  	allow $2 iceauth_home_t:file read_file_perms;
  
  	domtrans_pattern($2, xauth_exec_t, xauth_t)
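Review bot: the new `dontaudit iceauth_t $2:udp_socket rw_socket_perms;` changes iceauth_t as well as xauth_t, but the changelog entry names only xauth_t; please list both. The rule hides, rather than fixes, a descriptor that the calling domain ($2) leaks across the transition into iceauth_t, so keeping it under ifdef(`hide_broken_symptoms') is correct; the ifdef block and its four rules should also be indented one tab to sit inside the interface body like the surrounding lines.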
-@@ -89,8 +95,8 @@
+@@ -89,8 +96,8 @@
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
  	allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -26382,7 +26536,7 @@ diff -b -B --ignore-all-space --exclude-
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Client read xserver shm
-@@ -211,6 +217,7 @@
+@@ -211,6 +218,7 @@
  	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
  
@@ -26390,7 +26544,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -245,7 +252,7 @@
+@@ -245,7 +253,7 @@
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -26399,7 +26553,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -299,7 +306,7 @@
+@@ -299,7 +307,7 @@
  interface(`xserver_user_client',`
  	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
  	gen_require(`
@@ -26408,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-
  		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
  	')
  
-@@ -308,14 +315,14 @@
+@@ -308,14 +316,14 @@
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -26428,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-
  	dontaudit $1 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -367,7 +374,6 @@
+@@ -367,7 +375,6 @@
  		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
  		type xevent_t, client_xevent_t;
  
@@ -26436,7 +26590,7 @@ diff -b -B --ignore-all-space --exclude-
  		attribute xproperty_type;
  		attribute xevent_type;
  		attribute input_xevent_type;
-@@ -376,6 +382,8 @@
+@@ -376,6 +383,8 @@
  		class x_property all_x_property_perms;
  		class x_event all_x_event_perms;
  		class x_synthetic_event all_x_synthetic_event_perms;
@@ -26445,7 +26599,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	##############################
-@@ -383,20 +391,11 @@
+@@ -383,20 +392,11 @@
  	# Local Policy
  	#
  
@@ -26466,7 +26620,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
  	allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
  	allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
-@@ -409,8 +408,10 @@
+@@ -409,8 +409,10 @@
  	type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
  	type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
  	type_transition $2 xevent_t:x_event $1_default_xevent_t;
@@ -26478,7 +26632,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  #######################################
-@@ -484,13 +485,14 @@
+@@ -484,13 +486,14 @@
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -26497,7 +26651,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Read .Xauthority file
  	allow $2 xauth_home_t:file read_file_perms;
-@@ -498,9 +500,9 @@
+@@ -498,9 +501,9 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
@@ -26510,7 +26664,7 @@ diff -b -B --ignore-all-space --exclude-
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -526,6 +528,10 @@
+@@ -526,6 +529,10 @@
  		allow $2 xserver_t:shm rw_shm_perms;
  		allow $2 xserver_tmpfs_t:file rw_file_perms;
  	')
@@ -26521,7 +26675,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -585,6 +591,12 @@
+@@ -585,6 +592,13 @@
  	')
  
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -26529,12 +26683,13 @@ diff -b -B --ignore-all-space --exclude-
 +ifdef(`hide_broken_symptoms', `
 +	dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
 +	dontaudit xauth_t $1:tcp_socket rw_socket_perms;
++	dontaudit xauth_t $1:udp_socket rw_socket_perms;
 +	fs_dontaudit_rw_anon_inodefs_files(xauth_t)
 +')
  ')
  
  ########################################
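Review bot: the hide_broken_symptoms block around the new `dontaudit xauth_t $1:udp_socket rw_socket_perms;` is not indented inside the interface body, unlike the rules around it; the same applies to the sibling block for iceauth_t earlier in this file. Since this is the change the changelog describes, a comment naming the caller ($1) known to leak the UDP socket into xauth_t would let a later maintainer verify the leak is fixed and remove the dontaudit.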
-@@ -728,7 +740,7 @@
+@@ -728,7 +742,7 @@
  		type xdm_t;
  	')
  
@@ -26543,7 +26698,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -764,11 +776,11 @@
+@@ -764,11 +778,11 @@
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -26557,7 +26712,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -802,10 +814,10 @@
+@@ -802,10 +816,10 @@
  #
  interface(`xserver_setattr_xdm_tmp_dirs',`
  	gen_require(`
@@ -26570,7 +26725,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -821,12 +833,13 @@
+@@ -821,12 +835,13 @@
  #
  interface(`xserver_create_xdm_tmp_sockets',`
  	gen_require(`
@@ -26587,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -845,7 +858,44 @@
+@@ -845,7 +860,44 @@
  	')
  
  	files_search_pids($1)
@@ -26633,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -868,6 +918,75 @@
+@@ -868,6 +920,75 @@
  
  ########################################
  ## <summary>
@@ -26709,7 +26864,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -886,6 +1005,24 @@
+@@ -886,6 +1007,24 @@
  
  ########################################
  ## <summary>
@@ -26734,7 +26889,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Execute an X session in the target domain.  This
  ##	is an explicit transition, requiring the
  ##	caller to use setexeccon().
-@@ -961,6 +1098,27 @@
+@@ -961,6 +1100,27 @@
  
  ########################################
  ## <summary>
@@ -26762,7 +26917,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to write the X server
  ##	log files.
  ## </summary>
-@@ -1014,11 +1172,11 @@
+@@ -1014,11 +1174,11 @@
  #
  interface(`xserver_read_xdm_tmp_files',`
  	gen_require(`
@@ -26776,7 +26931,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1033,11 +1191,11 @@
+@@ -1033,11 +1193,11 @@
  #
  interface(`xserver_dontaudit_read_xdm_tmp_files',`
  	gen_require(`
@@ -26791,7 +26946,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1052,11 +1210,11 @@
+@@ -1052,11 +1212,11 @@
  #
  interface(`xserver_rw_xdm_tmp_files',`
  	gen_require(`
@@ -26806,7 +26961,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1071,10 +1229,10 @@
+@@ -1071,10 +1231,10 @@
  #
  interface(`xserver_manage_xdm_tmp_files',`
  	gen_require(`
@@ -26819,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1089,10 +1247,10 @@
+@@ -1089,10 +1249,10 @@
  #
  interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  	gen_require(`
@@ -26832,7 +26987,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1107,10 +1265,11 @@
+@@ -1107,10 +1267,11 @@
  #
  interface(`xserver_domtrans',`
  	gen_require(`
@@ -26845,7 +27000,7 @@ diff -b -B --ignore-all-space --exclude-
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
  ')
  
-@@ -1248,6 +1407,288 @@
+@@ -1248,6 +1409,288 @@
  
  ########################################
  ## <summary>
@@ -27134,7 +27289,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1261,7 +1702,103 @@
+@@ -1261,7 +1704,103 @@
  interface(`xserver_unconfined',`
  	gen_require(`
  		attribute xserver_unconfined_type;
@@ -27240,7 +27395,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-12-09 11:40:19.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-12-10 15:28:03.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -27734,7 +27889,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -542,6 +677,38 @@
+@@ -542,6 +677,39 @@
  ')
  
  optional_policy(`
@@ -27751,6 +27906,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 +optional_policy(`
 +	plymouth_search_spool(xdm_t)
++	plymouth_exec(xdm_t)
 +')
 +
 +optional_policy(`
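Review bot: plymouth_exec(xdm_t) runs plymouthd_exec_t in the xdm_t domain via can_exec, while this same patch introduces a dedicated plymouthd_t domain in plymouth.te. Executing the daemon binary without a transition means that code inherits all of xdm_t's privileges; if xdm only needs the plymouth client (for example to tell the splash to quit) rather than the daemon, the client binary should get its own exec type, and if xdm really launches plymouthd, the domain-transition interface defined right after plymouth_exec in plymouth.if would keep it confined. A comment stating why exec-in-domain was chosen would settle this.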
@@ -27773,7 +27929,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +717,9 @@
+@@ -550,8 +718,9 @@
  ')
  
  optional_policy(`
@@ -27785,7 +27941,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +728,6 @@
+@@ -560,7 +729,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -27793,7 +27949,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +738,10 @@
+@@ -571,6 +739,10 @@
  ')
  
  optional_policy(`
@@ -27804,7 +27960,7 @@ diff -b -B --ignore-all-space --exclude-
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,10 +758,9 @@
+@@ -587,10 +759,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -27816,7 +27972,7 @@ diff -b -B --ignore-all-space --exclude-
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +772,12 @@
+@@ -602,9 +773,12 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -27829,7 +27985,7 @@ diff -b -B --ignore-all-space --exclude-
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -616,13 +789,14 @@
+@@ -616,13 +790,14 @@
  type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
  
  allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -27845,7 +28001,7 @@ diff -b -B --ignore-all-space --exclude-
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +809,19 @@
+@@ -635,9 +810,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -27865,7 +28021,7 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +855,6 @@
+@@ -671,7 +856,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -27873,7 +28029,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -681,9 +864,12 @@
+@@ -681,9 +865,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -27887,7 +28043,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +884,12 @@
+@@ -698,8 +885,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -27900,7 +28056,7 @@ diff -b -B --ignore-all-space --exclude-
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -721,6 +911,7 @@
+@@ -721,6 +912,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -27908,7 +28064,7 @@ diff -b -B --ignore-all-space --exclude-
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -743,7 +934,7 @@
+@@ -743,7 +935,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -27917,7 +28073,7 @@ diff -b -B --ignore-all-space --exclude-
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -775,12 +966,20 @@
+@@ -775,12 +967,20 @@
  ')
  
  optional_policy(`
@@ -27939,7 +28095,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -807,12 +1006,12 @@
+@@ -807,12 +1007,12 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -27956,7 +28112,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Run xkbcomp.
  allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1027,14 @@
+@@ -828,9 +1028,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -27971,7 +28127,7 @@ diff -b -B --ignore-all-space --exclude-
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1049,14 @@
+@@ -845,11 +1050,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -27987,7 +28143,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -882,6 +1089,8 @@
+@@ -882,6 +1090,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -27996,7 +28152,7 @@ diff -b -B --ignore-all-space --exclude-
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -906,6 +1115,8 @@
+@@ -906,6 +1116,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -28005,7 +28161,7 @@ diff -b -B --ignore-all-space --exclude-
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1184,49 @@
+@@ -973,17 +1185,49 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -28184,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if	2009-12-07 15:55:13.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if	2009-12-10 15:35:58.000000000 -0500
 @@ -40,17 +40,76 @@
  ##	</summary>
  ## </param>
@@ -28502,16 +28658,19 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/authlogin.te	2009-12-03 13:45:11.000000000 -0500
-@@ -103,6 +103,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.te	2009-12-10 13:28:10.000000000 -0500
+@@ -103,8 +103,10 @@
  
  fs_dontaudit_getattr_xattr_fs(chkpwd_t)
  
 +term_dontaudit_use_console(chkpwd_t)
  term_dontaudit_use_unallocated_ttys(chkpwd_t)
  term_dontaudit_use_generic_ptys(chkpwd_t)
++term_dontaudit_use_all_server_ptys(chkpwd_t)
+ 
+ auth_use_nsswitch(chkpwd_t)
  
-@@ -125,9 +126,18 @@
+@@ -125,9 +127,18 @@
  ')
  
  optional_policy(`
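Review bot: the new `+term_dontaudit_use_all_server_ptys(chkpwd_t)` rule in this authlogin.te hunk is not mentioned in the 3.6.32-58 changelog entry, which lists only the xauth_t udp_socket dontaudit; add a bullet for it. A dontaudit only silences the AVC message, so a pty descriptor leaked into chkpwd_t will still fail, just without a trace; if the leak comes from one identifiable caller, closing the descriptor there (or a dontaudit scoped to that caller's pty type) is preferable to hiding denials for every server pty.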
@@ -29537,7 +29696,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te	2009-12-03 13:45:11.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te	2009-12-10 11:41:15.000000000 -0500
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -29552,7 +29711,7 @@ diff -b -B --ignore-all-space --exclude-
  type ipsec_t;
  type ipsec_exec_t;
  init_daemon_domain(ipsec_t, ipsec_exec_t)
-@@ -15,6 +22,9 @@
+@@ -15,13 +22,22 @@
  type ipsec_conf_file_t;
  files_type(ipsec_conf_file_t)
  
@@ -29562,17 +29721,20 @@ diff -b -B --ignore-all-space --exclude-
  # type for file(s) containing ipsec keys - RSA or preshared
  type ipsec_key_file_t;
  files_type(ipsec_key_file_t)
-@@ -22,6 +32,9 @@
- # Default type for IPSEC SPD entries
- type ipsec_spd_t;
  
 +type ipsec_log_t;
 +logging_log_file(ipsec_log_t)
 +
+ # Default type for IPSEC SPD entries
+ type ipsec_spd_t;
+ 
++type ipsec_tmp_t;
++files_tmp_file(ipsec_tmp_t)
++
  # type for runtime files, including pluto.ctl
  type ipsec_var_run_t;
  files_pid_file(ipsec_var_run_t)
-@@ -43,6 +56,9 @@
+@@ -43,6 +59,9 @@
  init_daemon_domain(racoon_t, racoon_exec_t)
  role system_r types racoon_t;
  
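Review bot: the new `+type ipsec_tmp_t;` / `+files_tmp_file(ipsec_tmp_t)` declaration lacks the one-line comment its neighbours carry (`# type for runtime files, including pluto.ctl`, `# Default type for IPSEC SPD entries`); add one naming which component creates these temp files. The rest of the hunk only folds the former `-@@ -22,6 +32,9 @@` inner hunk into the enlarged `+@@ -15,13 +22,22 @@` one, moving the ipsec_log_t block ahead of the SPD comment, which is a reordering with no policy change.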
@@ -29582,7 +29744,7 @@ diff -b -B --ignore-all-space --exclude-
  type setkey_t;
  type setkey_exec_t;
  init_system_domain(setkey_t, setkey_exec_t)
-@@ -53,21 +69,23 @@
+@@ -53,21 +72,23 @@
  # ipsec Local policy
  #
  
@@ -29609,7 +29771,7 @@ diff -b -B --ignore-all-space --exclude-
  read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
  
  manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -82,16 +100,17 @@
+@@ -82,16 +103,17 @@
  # so try flipping back into the ipsec_mgmt_t domain
  corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
  allow ipsec_mgmt_t ipsec_t:fd use;
@@ -29629,7 +29791,7 @@ diff -b -B --ignore-all-space --exclude-
  kernel_getattr_core_if(ipsec_t)
  kernel_getattr_message_if(ipsec_t)
  
-@@ -120,7 +139,9 @@
+@@ -120,7 +142,9 @@
  
  domain_use_interactive_fds(ipsec_t)
  
@@ -29639,7 +29801,7 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
-@@ -154,16 +175,19 @@
+@@ -154,16 +178,19 @@
  #
  
  allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -29661,7 +29823,18 @@ diff -b -B --ignore-all-space --exclude-
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
  
-@@ -241,6 +265,7 @@
+@@ -188,6 +215,10 @@
+ manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+ files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
+ 
++manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
++manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
++files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) 
++
+ # whack needs to connect to pluto
+ stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
+ 
+@@ -241,6 +272,7 @@
  init_use_script_ptys(ipsec_mgmt_t)
  init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
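Review bot: the three new ipsec_tmp_t rules are for ipsec_t but are inserted in the ipsec_mgmt_t section of the file (the surrounding context is `manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)` and `# whack needs to connect to pluto`); move them up into the ipsec_t local policy block so each domain's rules stay together. Also strip the trailing space on `+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) `. Note that the filetrans covers both `dir` and `file`, so everything ipsec_t creates in /tmp is labelled ipsec_tmp_t, while nothing in this hunk lets ipsec_mgmt_t read or remove those files; confirm that is intended.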
@@ -29669,7 +29842,7 @@ diff -b -B --ignore-all-space --exclude-
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
-@@ -280,6 +305,13 @@
+@@ -280,6 +312,13 @@
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
  allow racoon_t self:key_socket create_socket_perms;
@@ -29683,7 +29856,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # manage pid file
  manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +329,13 @@
+@@ -297,6 +336,13 @@
  kernel_read_system_state(racoon_t)
  kernel_read_network_state(racoon_t)
  
@@ -29697,7 +29870,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_all_recvfrom_unlabeled(racoon_t)
  corenet_tcp_sendrecv_all_if(racoon_t)
  corenet_udp_sendrecv_all_if(racoon_t)
-@@ -314,6 +353,8 @@
+@@ -314,6 +360,8 @@
  
  files_read_etc_files(racoon_t)
  
@@ -29706,7 +29879,7 @@ diff -b -B --ignore-all-space --exclude-
  # allow racoon to use avc_has_perm to check context on proposed SA
  selinux_compute_access_vector(racoon_t)
  
-@@ -328,6 +369,14 @@
+@@ -328,6 +376,14 @@
  
  miscfiles_read_localization(racoon_t)
  
@@ -29721,7 +29894,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Setkey local policy
-@@ -341,12 +390,15 @@
+@@ -341,12 +397,15 @@
  read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
  read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
  
@@ -29737,6 +29910,12 @@ diff -b -B --ignore-all-space --exclude-
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
+@@ -358,3 +417,5 @@
+ seutil_read_config(setkey_t)
+ 
+ userdom_use_user_terminals(setkey_t)
++
++userdom_read_user_tmp_files(setkey_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.32/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/system/iptables.fc	2009-12-03 13:45:11.000000000 -0500
@@ -33838,7 +34017,7 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-12-09 09:27:20.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-12-10 15:29:01.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
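Review bot: `+userdom_read_user_tmp_files(setkey_t)` lets a system domain started from init read every user's tmp files, and the hunk gives no reason for it; add a comment above the rule naming the use case (for example a user-supplied SPD file handed to setkey from /tmp) and check whether a narrower rule covers the actual need. The userdomain.if change that follows only updates the `+++` timestamp; no content from that hunk is visible here.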


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.980
retrieving revision 1.981
diff -u -p -r1.980 -r1.981
--- selinux-policy.spec	9 Dec 2009 19:53:39 -0000	1.980
+++ selinux-policy.spec	10 Dec 2009 21:38:24 -0000	1.981
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 57%{?dist}
+Release: 58%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,8 +449,20 @@ exit 0
 %endif
 
 %changelog
+* Thu Dec 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-58
+- Dontaudit udp_socket leaks for xauth_t
+
 * Wed Dec 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-57
 - Allow unconfined_t to send dbus messages to setroubleshoot
+- Allow confined screen app to setattr on user ttys
+- remove wine_t from unconfined domain when unconfined.pp disabled
+- Allow sysadm_t to communicate with racoon
+- Allow xauth to be run from all unconfined user types
+- Fix labeling on all /var/cache/mod_* apps
+- Allow asterisk to communicate with postgresql
+- Fix labeling for /var/lib/certmaster
+- Add policy for ksmtuned and tgtd
+- Fixes fro vhostmd
 
 * Mon Dec 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-56
 - Dontaudit exec of fusermount from xguest
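Review bot: `+- Fixes fro vhostmd` has a typo ("fro" for "for"). The nine bullets added under the already-released 3.6.32-57 entry should be checked against what that build actually shipped; anything done in this commit belongs under 3.6.32-58, whose single bullet (xauth_t udp_socket dontaudit) does not cover the changes visible in this patch: the chkpwd_t server pty dontaudit in authlogin.te, the new ipsec_tmp_t type and its rules in ipsec.te, and the user tmp read for setkey_t.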



