diff --git a/modules-targeted.conf b/modules-targeted.conf
index 1078d16..199a810 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -413,6 +413,13 @@ domain = base
 dovecot = module
 # Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+#
+gitosis = module
+
+# Layer: apps
 # Module: gpg
 #
 # Policy for GNU Privacy Guard and related programs.
diff --git a/policy-20090521.patch b/policy-20090521.patch
index 383b1ba..670421b 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -115,6 +115,159 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
+--- nsaserefpolicy/policy/modules/apps/gitosis.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc 2009-06-20 07:16:05.000000000 -0400
+@@ -0,0 +1,4 @@
++
++/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
++
++/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.12/policy/modules/apps/gitosis.if
+--- nsaserefpolicy/policy/modules/apps/gitosis.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/gitosis.if 2009-06-20 07:16:05.000000000 -0400
+@@ -0,0 +1,94 @@
++## gitosis interface
++
++#######################################
++##
++## Execute a domain transition to run gitosis.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gitosis_domtrans',`
++ gen_require(`
++ type gitosis_t, gitosis_exec_t;
++ ')
++
++ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
++')
++
++#######################################
++##
++## Execute gitosis-serve in the gitosis domain, and
++## allow the specified role the gitosis domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the gpsd domain.
++##
++##
++##
++##
++## The type of the role's terminal.
++##
++##
++#
++interface(`gitosis_run',`
++ gen_require(`
++ type gitosis_t;
++ ')
++
++ gitosis_domtrans($1)
++ role $2 types gitosis_t;
++ allow gitosis_t $3:chr_file rw_term_perms;
++')
++
++#######################################
++##
++## Allow the specified domain to read
++## gitosis lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gitosis_read_var_lib',`
++ gen_require(`
++ type gitosis_var_lib_t;
++
++ ')
++
++ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++')
++
++######################################
++##
++## Allow the specified domain to manage
++## gitosis lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gitosis_manage_var_lib',`
++ gen_require(`
++ type gitosis_var_lib_t;
++
++ ')
++
++ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.12/policy/modules/apps/gitosis.te
+--- nsaserefpolicy/policy/modules/apps/gitosis.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/gitosis.te 2009-06-20 07:16:05.000000000 -0400
+@@ -0,0 +1,43 @@
++policy_module(gitosis,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gitosis_t;
++type gitosis_exec_t;
++application_domain(gitosis_t, gitosis_exec_t)
++role system_r types gitosis_t;
++
++type gitosis_var_lib_t;
++files_type(gitosis_var_lib_t)
++
++########################################
++#
++# gitosis local policy
++#
++
++allow gitosis_t self:fifo_file rw_fifo_file_perms;
++
++exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++
++corecmd_exec_bin(gitosis_t)
++corecmd_exec_shell(gitosis_t)
++
++kernel_read_system_state(gitosis_t)
++
++files_read_usr_files(gitosis_t)
++files_search_var_lib(gitosis_t)
++
++libs_use_ld_so(gitosis_t)
++libs_use_shared_libs(gitosis_t)
++
++miscfiles_read_localization(gitosis_t)
++
++optional_policy(`
++ ssh_rw_pipes(gitosis_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
 --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc 2009-06-08 13:49:44.000000000 -0400
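Review bot: In gitosis.te the new domain gets `manage_files_pattern` and `exec_files_pattern` on the same type gitosis_var_lib_t, plus `corecmd_exec_shell`, so anything gitosis_t writes under /var/lib/gitosis it can also execute in its own domain; that is presumably deliberate (repository hooks live there) but should be stated, e.g. `# gitosis runs repository hooks, so the domain must execute what it writes under /var/lib/gitosis`. In gitosis.if the second-parameter summary of `gitosis_run` reads `The role to be allowed the gpsd domain.` and should read `The role to be allowed the gitosis domain.`. Nothing in this hunk calls `gitosis_domtrans`; gitosis-serve is normally launched by sshd as a forced command, so unless the ssh module (outside this hunk) transitions into gitosis_t the domain is never entered and the `ssh_rw_pipes(gitosis_t)` rule has no effect — worth a note in the file header or a follow-up in ssh.te.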
@@ -680,6 +833,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 gen_require(`
 class dbus send_msg;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc
+--- nsaserefpolicy/policy/modules/services/cups.fc 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-06-19 14:21:26.000000000 -0400
+@@ -36,6 +36,8 @@
+ # keep as separate lines to ensure proper sorting
+ /usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+ /usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/lib/cups/filter/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/lib64/cups/filter/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+ /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-06-09 07:21:39.000000000 -0400
@@ -746,7 +911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-11 08:32:09.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-20 06:24:36.000000000 -0400
 @@ -55,7 +55,7 @@
 #
 # DeviceKit-Power local policy
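Review bot: The two new cups.fc entries label every `/usr/lib/cups/filter/hp.*` and `/usr/lib64/cups/filter/hp.*` as hplip_exec_t, which matches more than the HPLIP filters: any filter whose name merely starts with `hp` (CUPS's own hpgltops, where it is shipped) would be relabelled and then run in hplip_t instead of the cups domain. The existing backend lines use the same pattern, but the filter directory holds many non-HP binaries, so a narrower regex naming the HPLIP filters (e.g. `hpcups`, `hpps`) is safer. A short comment such as `# HPLIP CUPS filters` above the new lines would also explain why filters, not only backends, are labelled hplip_exec_t.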
@@ -764,6 +929,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_netcontrol(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
+@@ -107,6 +108,7 @@
+ ')
+
+ optional_policy(`
++ polkit_dbus_chat(devicekit_power_t)
+ polkit_domtrans_auth(devicekit_power_t)
+ polkit_read_lib(devicekit_power_t)
+ polkit_read_reload(devicekit_power_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-06-19 07:12:28.000000000 -0400
@@ -823,6 +996,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_log_filetrans(ftpd_t, xferlog_t, file)
 kernel_read_kernel_sysctls(ftpd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te
+--- nsaserefpolicy/policy/modules/services/gnomeclock.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.te 2009-06-20 06:24:32.000000000 -0400
+@@ -44,6 +44,7 @@
+ ')
+
+ optional_policy(`
++ polkit_dbus_chat(gnomeclock_t)
+ polkit_domtrans_auth(gnomeclock_t)
+ polkit_read_lib(gnomeclock_t)
+ polkit_read_reload(gnomeclock_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te 2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-27 07:02:29.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b948ab9..ce77693 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
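Review bot: `polkit_dbus_chat(devicekit_power_t)` is added without a comment explaining why the domain now needs D-Bus messaging with polkit_t on top of the `polkit_domtrans_auth` it already has; the same applies to `polkit_dbus_chat(gnomeclock_t)` in the -823 hunk. Like the other `*_dbus_chat` interfaces this one presumably allows send_msg in both directions, so a one-line `# PolicyKit authorization checks are answered over D-Bus` above each call would record the intent for the next reviewer. Both new lines sit inside an `optional_policy(` block whose closing `')` lies outside the hunk.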
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 55%{?dist}
+Release: 56%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 %changelog
+* Sat Jun 20 2009 Dan Walsh 3.6.12-56
+- Add gitosis policy
+
 * Fri Jun 19 2009 Dan Walsh 3.6.12-55
 - Add boolean to allow svirt to use usb devices