diff --git a/policy-F13.patch b/policy-F13.patch
index ca9c034..ba935e4 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -6357,8 +6357,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-05-28 09:42:00.005610977 +0200
-@@ -0,0 +1,385 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-06-09 13:14:00.641506056 +0200
+@@ -0,0 +1,386 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -6700,6 +6700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_type)
++ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
+')
+
@@ -7707,7 +7708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-06-08 15:56:44.863609937 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-06-09 13:30:20.497756418 +0200
@@ -407,7 +407,7 @@
########################################
@@ -7978,7 +7979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
##
##
-@@ -3905,6 +4095,26 @@
+@@ -3905,6 +4095,24 @@
########################################
##
@@ -7992,12 +7993,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+#
+interface(`dev_rw_vhost',`
+ gen_require(`
-+ type vhost_device_t;
++ type device_t, vhost_device_t;
+ ')
+
-+ list_dirs_pattern($1, vhost_device_t, vhost_device_t)
-+ rw_files_pattern($1, vhost_device_t, vhost_device_t)
-+ read_lnk_files_pattern($1, vhost_device_t, vhost_device_t)
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
+########################################
@@ -12208,8 +12207,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.fc 2010-05-28 09:42:00.051610544 +0200
-@@ -1,11 +1,20 @@
++++ serefpolicy-3.7.19/policy/modules/services/abrt.fc 2010-06-09 16:26:51.087757629 +0200
+@@ -1,11 +1,21 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -12231,6 +12230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
-/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
@@ -12484,7 +12484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
admin_pattern($1, abrt_var_cache_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-03 16:30:53.967160939 +0200
++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-09 16:27:06.470757212 +0200
@@ -1,5 +1,5 @@
-policy_module(abrt, 1.0.1)
@@ -12518,7 +12518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
allow abrt_t self:process { signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
-@@ -54,19 +66,24 @@
+@@ -54,20 +66,25 @@
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -12539,11 +12539,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
- files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
++files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
kernel_read_ring_buffer(abrt_t)
+ kernel_read_system_state(abrt_t)
@@ -75,25 +92,46 @@
corecmd_exec_bin(abrt_t)
@@ -13222,7 +13224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-05-28 09:42:00.059610718 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-06-09 16:37:21.838505993 +0200
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -13523,7 +13525,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1086,6 +1174,25 @@
+@@ -985,6 +1073,24 @@
+ allow $1 httpd_sys_content_t:dir search_dir_perms;
+ ')
+
++#######################################
++##
++## Getattr apache system content.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`apache_getattr_sys_content',`
++ gen_require(`
++ type httpd_sys_content_t;
++ ')
++
++ getattr_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++')
++
+ ########################################
+ ##
+ ## Read apache system content.
+@@ -1086,6 +1192,25 @@
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -13549,7 +13576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Dontaudit attempts to write
-@@ -1102,7 +1209,7 @@
+@@ -1102,7 +1227,7 @@
type httpd_tmp_t;
')
@@ -13558,7 +13585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1172,7 +1279,7 @@
+@@ -1172,7 +1297,7 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -13567,7 +13594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1309,44 @@
+@@ -1202,12 +1327,44 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -19950,7 +19977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.19/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-05-28 09:42:00.116610713 +0200
++++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-06-09 13:12:04.850507212 +0200
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -20011,13 +20038,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
auth_use_nsswitch(hald_t)
-@@ -209,10 +216,12 @@
+@@ -209,10 +216,13 @@
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
-sysnet_read_config(hald_t)
+sysnet_delete_dhcpc_pid(hald_t)
sysnet_domtrans_dhcpc(hald_t)
++sysnet_signal_dhcpc(hald_t)
sysnet_domtrans_ifconfig(hald_t)
+sysnet_read_config(hald_t)
sysnet_read_dhcp_config(hald_t)
@@ -20025,7 +20053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -266,6 +275,10 @@
+@@ -266,6 +276,10 @@
')
optional_policy(`
@@ -20036,7 +20064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
gpm_dontaudit_getattr_gpmctl(hald_t)
')
-@@ -295,6 +308,7 @@
+@@ -295,6 +309,7 @@
')
optional_policy(`
@@ -20044,7 +20072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
ppp_read_rw_config(hald_t)
')
-@@ -315,11 +329,19 @@
+@@ -315,11 +330,19 @@
')
optional_policy(`
@@ -20064,7 +20092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
updfstab_domtrans(hald_t)
')
-@@ -331,6 +353,10 @@
+@@ -331,6 +354,10 @@
virt_manage_images(hald_t)
')
@@ -20075,7 +20103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Hal acl local policy
-@@ -351,6 +377,7 @@
+@@ -351,6 +378,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -20083,7 +20111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
corecmd_exec_bin(hald_acl_t)
-@@ -463,6 +490,10 @@
+@@ -463,6 +491,10 @@
miscfiles_read_localization(hald_keymap_t)
@@ -20094,6 +20122,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Local hald dccm policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.19/policy/modules/services/icecast.te
+--- nsaserefpolicy/policy/modules/services/icecast.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-06-09 16:38:02.472756824 +0200
+@@ -38,6 +38,8 @@
+ manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+
++kernel_read_system_state(icecast_t)
++
+ corenet_tcp_bind_soundd_port(icecast_t)
+
+ # Init script handling
+@@ -52,5 +54,9 @@
+ sysnet_dns_name_resolve(icecast_t)
+
+ optional_policy(`
++ apache_getattr_sys_content(icecast_t)
++')
++
++optional_policy(`
+ rtkit_scheduled(icecast_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.19/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/inn.te 2010-05-28 09:42:00.117610715 +0200
@@ -20130,7 +20180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow $1 self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.19/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2010-05-28 09:42:00.118610789 +0200
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2010-06-09 13:08:36.336506784 +0200
@@ -112,6 +112,7 @@
kernel_read_kernel_sysctls(kadmind_t)
@@ -20149,6 +20199,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
corenet_tcp_bind_reserved_port(kadmind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+@@ -198,7 +201,7 @@
+ allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
+ logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
+
+-allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
++allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
+ dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+
+ manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
@@ -283,7 +286,7 @@
allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
allow kpropd_t self:tcp_socket create_stream_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5d510e5..97ad98b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 25%{?dist}
+Release: 26%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Wed Jun 9 2010 Miroslav Grepl 3.7.19-26
+- Allow krb5kdc to write krb5kdc_principal_t file
+- Allow hald to send generic signal to dhcp client
+- Fix dev_rw_vhost interface
+- Add /var/run/abrt.socket label
+
* Tue Jun 8 2010 Miroslav Grepl 3.7.19-25
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.