diff --git a/policy-F13.patch b/policy-F13.patch
index 12b0e7c..9539051 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -244,8 +244,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.19/policy/modules/admin/accountsd.te
--- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-04-20 14:17:59.000000000 -0400
-@@ -0,0 +1,55 @@
++++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-05-07 09:58:51.000000000 -0400
+@@ -0,0 +1,56 @@
+policy_module(accountsd,1.0.0)
+
+########################################
@@ -299,6 +299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
+')
+
+optional_policy(`
++ xserver_manage_xdm_etc_files(accountsd_t)
+ xserver_dbus_chat_xdm(accountsd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.19/policy/modules/admin/acct.te
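Review bot: `xserver_manage_xdm_etc_files(accountsd_t)` gives accountsd create, unlink, rename and setattr over every file labeled xdm_etc_t, which per the new xserver.fc entry in this same commit is the whole `/etc/gdm(/.*)?` tree, more than rewriting one display-manager config file needs. If accountsd only updates an existing file, a read/write-only interface would limit what a compromised accountsd could change in the login manager's configuration; if it really creates or replaces files, a comment at this line such as `# accountsd rewrites /etc/gdm/<config-file-it-writes> (placeholder: name the file)` would document why manage is required. The enclosing optional_policy block is fully inside the hunk.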
@@ -5754,8 +5755,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-05 11:21:32.000000000 -0400
-@@ -0,0 +1,290 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-07 09:45:49.000000000 -0400
+@@ -0,0 +1,293 @@
+
+## policy for sandbox
+
@@ -5781,6 +5782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ attribute sandbox_domain;
+ attribute sandbox_x_domain;
+ attribute sandbox_file_type;
++ attribute sandbox_tmpfs_type;
+ ')
+
+ allow $1 sandbox_domain:process transition;
@@ -5806,6 +5808,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+
++ allow $1 sandbox_tmpfs_type:file read_file_perms;
++
+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
@@ -5868,7 +5872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
+ attribute sandbox_domain, sandbox_x_domain;
-+ attribute sandbox_file_type;
++ attribute sandbox_file_type, sandbox_tmpfs_type;
+ ')
+
+ type $1_t, sandbox_x_domain;
@@ -5896,7 +5900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ type $1_client_t, sandbox_x_domain;
+ domain_type($1_client_t)
+
-+ type $1_client_tmpfs_t;
++ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
+
+ term_search_ptys($1_t)
@@ -6048,13 +6052,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-04-30 09:06:38.000000000 -0400
-@@ -0,0 +1,383 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-05-07 10:09:38.000000000 -0400
+@@ -0,0 +1,369 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
+attribute sandbox_file_type;
++attribute sandbox_web_type;
++attribute sandbox_tmpfs_type;
+
+########################################
+#
@@ -6302,99 +6308,102 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+# sandbox_web_client_t local policy
+#
-+allow sandbox_web_client_t self:capability { setuid setgid };
-+allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
-+allow sandbox_web_client_t self:process setsched;
-+dontaudit sandbox_web_client_t self:process setrlimit;
++typeattribute sandbox_web_client_t sandbox_web_type;
+
-+allow sandbox_web_client_t self:tcp_socket create_socket_perms;
-+allow sandbox_web_client_t self:udp_socket create_socket_perms;
-+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
-+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
++allow sandbox_web_type self:capability { setuid setgid };
++allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
++allow sandbox_web_type self:process setsched;
++dontaudit sandbox_web_type self:process setrlimit;
+
-+kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t)
++allow sandbox_web_type self:tcp_socket create_socket_perms;
++allow sandbox_web_type self:udp_socket create_socket_perms;
++allow sandbox_web_type self:dbus { acquire_svc send_msg };
++allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
+
-+dev_read_rand(sandbox_web_client_t)
-+dev_write_sound(sandbox_web_client_t)
-+dev_read_sound(sandbox_web_client_t)
++kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
++
++dev_read_rand(sandbox_web_type)
++dev_write_sound(sandbox_web_type)
++dev_read_sound(sandbox_web_type)
+
+# Browse the web, connect to printer
-+corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
-+corenet_all_recvfrom_netlabel(sandbox_web_client_t)
-+corenet_tcp_sendrecv_all_if(sandbox_web_client_t)
-+corenet_raw_sendrecv_all_if(sandbox_web_client_t)
-+corenet_tcp_sendrecv_all_nodes(sandbox_web_client_t)
-+corenet_raw_sendrecv_all_nodes(sandbox_web_client_t)
-+corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
-+corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
-+corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
-+corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
-+corenet_tcp_connect_http_port(sandbox_web_client_t)
-+corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
-+corenet_tcp_connect_flash_port(sandbox_web_client_t)
-+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
-+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
-+corenet_tcp_connect_streaming_port(sandbox_web_client_t)
-+corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t)
-+corenet_tcp_connect_speech_port(sandbox_web_client_t)
-+corenet_tcp_connect_generic_port(sandbox_web_client_t)
-+corenet_tcp_connect_soundd_port(sandbox_web_client_t)
-+corenet_tcp_connect_speech_port(sandbox_web_client_t)
-+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
-+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
-+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
-+corenet_sendrecv_ipp_client_packets(sandbox_web_client_t)
-+corenet_sendrecv_generic_client_packets(sandbox_web_client_t)
++corenet_all_recvfrom_unlabeled(sandbox_web_type)
++corenet_all_recvfrom_netlabel(sandbox_web_type)
++corenet_tcp_sendrecv_all_if(sandbox_web_type)
++corenet_raw_sendrecv_all_if(sandbox_web_type)
++corenet_tcp_sendrecv_all_nodes(sandbox_web_type)
++corenet_raw_sendrecv_all_nodes(sandbox_web_type)
++corenet_tcp_sendrecv_http_port(sandbox_web_type)
++corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
++corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
++corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
++corenet_tcp_connect_http_port(sandbox_web_type)
++corenet_tcp_connect_http_cache_port(sandbox_web_type)
++corenet_tcp_connect_flash_port(sandbox_web_type)
++corenet_tcp_connect_ftp_port(sandbox_web_type)
++corenet_tcp_connect_ipp_port(sandbox_web_type)
++corenet_tcp_connect_streaming_port(sandbox_web_type)
++corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
++corenet_tcp_connect_speech_port(sandbox_web_type)
++corenet_tcp_connect_generic_port(sandbox_web_type)
++corenet_tcp_connect_soundd_port(sandbox_web_type)
++corenet_tcp_connect_speech_port(sandbox_web_type)
++corenet_sendrecv_http_client_packets(sandbox_web_type)
++corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
++corenet_sendrecv_ftp_client_packets(sandbox_web_type)
++corenet_sendrecv_ipp_client_packets(sandbox_web_type)
++corenet_sendrecv_generic_client_packets(sandbox_web_type)
+# Should not need other ports
-+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
-+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
++corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
++corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
++
++fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
+
-+auth_use_nsswitch(sandbox_web_client_t)
++auth_use_nsswitch(sandbox_web_type)
+
-+dbus_system_bus_client(sandbox_web_client_t)
-+dbus_read_config(sandbox_web_client_t)
-+selinux_get_fs_mount(sandbox_web_client_t)
-+selinux_validate_context(sandbox_web_client_t)
-+selinux_compute_access_vector(sandbox_web_client_t)
-+selinux_compute_create_context(sandbox_web_client_t)
-+selinux_compute_relabel_context(sandbox_web_client_t)
-+selinux_compute_user_contexts(sandbox_web_client_t)
-+seutil_read_default_contexts(sandbox_web_client_t)
++dbus_system_bus_client(sandbox_web_type)
++dbus_read_config(sandbox_web_type)
++selinux_get_fs_mount(sandbox_web_type)
++selinux_validate_context(sandbox_web_type)
++selinux_compute_access_vector(sandbox_web_type)
++selinux_compute_create_context(sandbox_web_type)
++selinux_compute_relabel_context(sandbox_web_type)
++selinux_compute_user_contexts(sandbox_web_type)
++seutil_read_default_contexts(sandbox_web_type)
+
-+userdom_rw_user_tmpfs_files(sandbox_web_client_t)
++userdom_rw_user_tmpfs_files(sandbox_web_type)
+
+optional_policy(`
-+ hal_dbus_chat(sandbox_web_client_t)
++ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
-+ nsplugin_read_rw_files(sandbox_web_client_t)
-+ nsplugin_rw_exec(sandbox_web_client_t)
++ hal_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
-+ pulseaudio_stream_connect(sandbox_web_client_t)
-+ allow sandbox_web_client_t self:netlink_kobject_uevent_socket create_socket_perms;
++ nsplugin_read_rw_files(sandbox_web_type)
++ nsplugin_rw_exec(sandbox_web_type)
+')
+
+optional_policy(`
-+ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_client_t)
++ pulseaudio_stream_connect(sandbox_web_type)
++ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+optional_policy(`
-+ networkmanager_dontaudit_dbus_chat(sandbox_web_client_t)
++ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
++')
++
++optional_policy(`
++ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
-+allow sandbox_net_client_t self:tcp_socket create_socket_perms;
-+allow sandbox_net_client_t self:udp_socket create_socket_perms;
-+allow sandbox_net_client_t self:dbus { acquire_svc send_msg };
-+allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms;
-+
-+dev_read_rand(sandbox_net_client_t)
++typeattribute sandbox_net_client_t sandbox_web_type;
+
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
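Review bot: `typeattribute sandbox_net_client_t sandbox_web_type;` widens sandbox_net_client_t beyond what the removed block gave it: through the attribute it now also receives `self:capability { setuid setgid }`, `netlink_audit_socket nlmsg_relay`, `process setsched`, sound device access, `userdom_rw_user_tmpfs_files`, and the nsplugin read/exec and pulseaudio rules, none of which the old sandbox_net_client_t rules contained. If that broadening is intended, a comment at the typeattribute line should say so, e.g. `# sandbox_net_client_t inherits the full web-client base; it only adds connect to all ports below`; if not, the shared attribute should carry only the rules both domains previously had and the web-only rules stay on sandbox_web_client_t. The same hunk also carries `corenet_tcp_connect_speech_port(sandbox_web_type)` twice, so one of the two lines can be dropped. The following hunk leaves two consecutive blank lines at the end of the sandbox_net_client_t section.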
@@ -6407,32 +6416,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
-+auth_use_nsswitch(sandbox_net_client_t)
-+
-+dbus_system_bus_client(sandbox_net_client_t)
-+dbus_read_config(sandbox_net_client_t)
-+selinux_get_fs_mount(sandbox_net_client_t)
-+selinux_validate_context(sandbox_net_client_t)
-+selinux_compute_access_vector(sandbox_net_client_t)
-+selinux_compute_create_context(sandbox_net_client_t)
-+selinux_compute_relabel_context(sandbox_net_client_t)
-+selinux_compute_user_contexts(sandbox_net_client_t)
-+seutil_read_default_contexts(sandbox_net_client_t)
-+
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
+
-+optional_policy(`
-+ nsplugin_read_rw_files(sandbox_web_client_t)
-+ nsplugin_rw_exec(sandbox_web_client_t)
-+')
+
-+optional_policy(`
-+ hal_dbus_chat(sandbox_net_client_t)
-+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-04-14 10:48:18.000000000 -0400
@@ -7627,7 +7617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.19/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2010-05-06 15:05:28.000000000 -0400
@@ -5,6 +5,21 @@
#
# Declarations
@@ -7720,7 +7710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +187,76 @@
+@@ -153,3 +187,75 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7736,7 +7726,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+
+ifdef(`distro_redhat',`
+ files_search_mnt(domain)
-+ files_search_default(domain)
+ optional_policy(`
+ unconfined_use_fds(domain)
+ ')
@@ -7890,7 +7879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-05 14:44:26.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-04-22 09:13:23.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-07 09:36:54.000000000 -0400
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8785,7 +8774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-04-26 14:05:06.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-07 09:50:32.000000000 -0400
@@ -569,10 +569,10 @@
#
interface(`fs_mount_cgroup', `
@@ -12364,7 +12353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-04-30 09:52:59.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-05-06 15:41:04.000000000 -0400
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -12708,7 +12697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-05-06 08:29:44.000000000 -0400
@@ -19,11 +19,13 @@
# Declarations
#
@@ -13429,6 +13418,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.19/policy/modules/services/bluetooth.if
+--- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-01-07 14:53:53.000000000 -0500
++++ serefpolicy-3.7.19/policy/modules/services/bluetooth.if 2010-05-07 09:48:49.000000000 -0400
+@@ -117,6 +117,27 @@
+
+ ########################################
+ ##
++## dontaudit Send and receive messages from
++## bluetooth over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bluetooth_dontaudit_dbus_chat',`
++ gen_require(`
++ type bluetooth_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 bluetooth_t:dbus send_msg;
++ dontaudit bluetooth_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+ ##
+ ##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc
--- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-04-14 10:48:18.000000000 -0400
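Review bot: The summary of `bluetooth_dontaudit_dbus_chat` reads "dontaudit Send and receive messages from bluetooth over dbus", which mixes the policy keyword into a sentence fragment. The dontaudit interfaces in reference policy are normally documented as a sentence, so `## Do not audit attempts to send and receive messages from bluetooth over dbus.` would match the surrounding style and read correctly in generated documentation.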
@@ -13596,8 +13616,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-04-26 10:13:28.000000000 -0400
-@@ -0,0 +1,92 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-05-06 08:30:08.000000000 -0400
+@@ -0,0 +1,93 @@
+
+policy_module(boinc,1.0.0)
+
@@ -13690,6 +13710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+
+sysnet_dns_name_resolve(boinc_t)
+
++mta_send_mail(boinc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.19/policy/modules/services/bugzilla.fc
--- nsaserefpolicy/policy/modules/services/bugzilla.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/bugzilla.fc 2010-04-14 10:48:18.000000000 -0400
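Review bot: `mta_send_mail(boinc_t)` is added at top level rather than inside an `optional_policy()` block, although mta is a separate module and the other cross-module calls in refpolicy are wrapped so the module still builds when mta is absent. Unless mta is built into base in this policy, wrap it: `optional_policy(\``, `	mta_send_mail(boinc_t)`, `')`. Since this interface lets boinc_t transition into the system mail domain, a one-line comment saying why boinc needs to send mail would also help the next reader judge the grant.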
@@ -14504,7 +14525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+fs_mount_cgroup(cgconfigparser_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.19/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-03-29 15:04:22.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-05-05 08:17:35.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-05-07 09:36:10.000000000 -0400
@@ -19,6 +19,24 @@
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
@@ -14530,7 +14551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
####################################
##
## Execute chronyd
-@@ -56,6 +74,28 @@
+@@ -56,6 +74,64 @@
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
@@ -14556,17 +14577,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+ fs_search_tmpfs($1)
+')
+
++########################################
++##
++## Read chronyd keys files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_read_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
++########################################
++##
++## Append chronyd keys files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_append_keys',`
++ gen_require(`
++ type chronyd_keys_t;
++ ')
++
++ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++')
++
####################################
##
## All of the rules required to administrate
-@@ -103,3 +143,4 @@
+@@ -103,3 +179,4 @@
files_search_tmp($1)
admin_pattern($1, chronyd_tmp_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.19/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-03-29 15:04:22.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2010-04-30 09:00:30.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2010-05-07 09:53:28.000000000 -0400
@@ -16,6 +16,9 @@
type chronyd_keys_t;
files_type(chronyd_keys_t)
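Review bot: Neither `chronyd_read_keys` nor `chronyd_append_keys` grants the caller search on /etc, whereas the xdm interfaces added in this same commit call `files_search_etc($1)` before their read pattern; if chronyd_keys_t is labeled under /etc (chrony's usual key-file location), a caller lacking that search permission will be denied before it reaches the keys file. Add `files_search_etc($1)` ahead of the pattern in both interfaces. Because chronyd_keys_t holds the NTP authentication secrets, the `chronyd_append_keys` summary should also say which domain is expected to add keys so the grant is not reused casually, e.g. `## Append chronyd keys files (used by <caller-domain placeholder> to add generated keys).`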
@@ -14596,6 +14653,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+@@ -51,7 +59,9 @@
+ manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+ files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+
++corenet_udp_bind_generic_node(chronyd_t)
+ corenet_udp_bind_ntp_port(chronyd_t)
++
+ # bind to udp/323
+ corenet_udp_bind_chronyd_port(chronyd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-04-14 10:48:18.000000000 -0400
@@ -18673,10 +18740,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow kpropd_t krb5_keytab_t:file read_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.19/policy/modules/services/ksmtuned.fc
+--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-03-29 15:04:22.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.fc 2010-05-07 11:18:55.000000000 -0400
+@@ -3,3 +3,5 @@
+ /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+ /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
++
++/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.19/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-03-29 15:04:22.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-04-28 09:53:51.000000000 -0400
-@@ -37,4 +37,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-05-07 11:19:16.000000000 -0400
+@@ -10,6 +10,9 @@
+ type ksmtuned_exec_t;
+ init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
+
++type ksmtuned_log_t;
++logging_log_file(ksmtuned_log_t)
++
+ type ksmtuned_initrc_exec_t;
+ init_script_file(ksmtuned_initrc_exec_t)
+
+@@ -24,6 +27,10 @@
+ allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
+ allow ksmtuned_t self:fifo_file rw_file_perms;
+
++manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
++manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
++logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
++
+ manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
+ files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
+
+@@ -37,4 +44,7 @@
files_read_etc_files(ksmtuned_t)
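Review bot: The new file context `/var/log/ksmtuned.*` is labeled `ksmtuned_var_run_t`, but the same commit introduces `ksmtuned_log_t` with `logging_log_file()` and a `logging_log_filetrans` for exactly these files, so a restorecon will relabel the log away from the type the daemon creates it with and the file loses the logfile attribute that `logging_log_file()` assigns. The entry should read `/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)`. The mismatch will not show up as a denial for the daemon itself, since ksmtuned_t also manages ksmtuned_var_run_t files, which is why it is easy to miss.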
@@ -19116,7 +19213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-05-06 15:41:16.000000000 -0400
@@ -63,6 +63,9 @@
can_exec(system_mail_t, mta_exec_type)
@@ -19143,7 +19240,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -100,6 +108,11 @@
+@@ -89,6 +97,7 @@
+ apache_dontaudit_rw_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_tcp_sockets(system_mail_t)
+ apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
++ apache_dontaudit_write_tmp_files(system_mail_t)
+ ')
+
+ optional_policy(`
+@@ -100,6 +109,11 @@
')
optional_policy(`
@@ -19155,7 +19260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -107,6 +120,7 @@
+@@ -107,6 +121,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
@@ -19163,7 +19268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -126,6 +140,7 @@
+@@ -126,6 +141,7 @@
optional_policy(`
fail2ban_append_log(system_mail_t)
@@ -19171,7 +19276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -142,6 +157,10 @@
+@@ -142,6 +158,10 @@
')
optional_policy(`
@@ -19182,7 +19287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
-@@ -185,6 +204,10 @@
+@@ -185,6 +205,10 @@
')
optional_policy(`
@@ -19193,7 +19298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -216,6 +239,7 @@
+@@ -216,6 +240,7 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -28216,7 +28321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.19/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-07 09:56:35.000000000 -0400
@@ -2,13 +2,23 @@
# HOME_DIR
#
@@ -28241,7 +28346,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
#
# /dev
#
-@@ -32,11 +42,6 @@
+@@ -20,6 +30,8 @@
+
+ /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
++/etc/gdm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
++
+ /etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+@@ -32,11 +44,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -28253,7 +28367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
#
# /opt
#
-@@ -47,21 +52,23 @@
+@@ -47,21 +54,23 @@
# /tmp
#
@@ -28282,7 +28396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
-@@ -89,17 +96,42 @@
+@@ -89,17 +98,42 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -28330,7 +28444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-04-23 09:46:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-05-07 10:02:24.000000000 -0400
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -28447,8 +28561,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
class x_synthetic_event all_x_synthetic_event_perms;
+ class x_client destroy;
+ class x_server manage;
-+ class x_screen { saver_hide saver_show };
-+ class x_pointer manage;
++ class x_screen { saver_setattr saver_hide saver_show };
++ class x_pointer { get_property set_property manage };
+ class x_keyboard { read manage };
+ type xdm_t, xserver_t;
')
@@ -28464,8 +28578,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ allow $2 root_xdrawable_t:x_drawable write;
+ allow $2 xserver_t:x_server manage;
-+ allow $2 xserver_t:x_screen { saver_hide saver_show };
-+ allow $2 xserver_t:x_pointer manage;
++ allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
++ allow $2 xserver_t:x_pointer { get_property set_property manage };
+ allow $2 xserver_t:x_keyboard { read manage };
')
@@ -28505,7 +28619,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1224,9 +1260,20 @@
+@@ -964,6 +1000,44 @@
+
+ ########################################
+ ##
++## Read xdm config files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_read_xdm_etc_files',`
++ gen_require(`
++ type xdm_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
++')
++
++########################################
++##
++## Manage xdm config files.
++##
++##
++##
++## Domain to not audit
++##
++##
++#
++interface(`xserver_manage_xdm_etc_files',`
++ gen_require(`
++ type xdm_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
++')
++
++########################################
++##
+ ## Read xdm temporary files.
+ ##
+ ##
+@@ -1224,9 +1298,20 @@
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
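Review bot: The parameter descriptions of both new interfaces say "Domain to not audit", but `xserver_read_xdm_etc_files` and `xserver_manage_xdm_etc_files` are allow interfaces; the wording looks copied from a dontaudit interface. Use `## Domain allowed access.` as the chronyd interfaces added in this commit do. For the manage variant, a short note in its summary that this covers create, delete and rename across everything labeled xdm_etc_t would help callers pick the read variant when that suffices.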
@@ -28526,7 +28685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1250,3 +1297,329 @@
+@@ -1250,3 +1335,329 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -28858,7 +29017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-04 10:22:41.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-07 09:59:15.000000000 -0400
@@ -36,6 +36,13 @@
##
@@ -28946,7 +29105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
-@@ -164,16 +190,18 @@
+@@ -164,16 +190,21 @@
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
@@ -28959,6 +29118,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type xdm_lock_t;
files_lock_file(xdm_lock_t)
++type xdm_etc_t;
++files_config_file(xdm_etc_t)
++
type xdm_rw_etc_t;
-files_type(xdm_rw_etc_t)
+files_config_file(xdm_rw_etc_t)
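Review bot: The new `type xdm_etc_t;` declaration carries no comment saying what it labels, unlike the nearby `# type for /var/lib/xkb`, and the file-context entry that applies the label is not in the visible hunks, so a reader of xserver.te cannot tell the two xdm etc types apart; the changelog entry in this same diff ties it to /etc/gdm and to a second daemon being allowed to manage that directory. Suggest `# /etc/gdm: display-manager config, read-only for xdm_t; xdm_rw_etc_t is the writable /etc/X11/wdm case` above the declaration. Because whatever writes this type feeds configuration into the login path, the comment should say so explicitly, so that later grants of write access to xdm_etc_t are reviewed with that trust relationship in mind. The type-declaration section this hunk sits in continues outside the hunk.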
@@ -28968,7 +29130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -181,13 +209,27 @@
+@@ -181,13 +212,27 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
@@ -28997,7 +29159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -200,15 +242,9 @@
+@@ -200,15 +245,9 @@
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -29015,7 +29177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -238,9 +274,13 @@
+@@ -238,9 +277,13 @@
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -29029,7 +29191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +290,60 @@
+@@ -250,30 +293,60 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -29093,7 +29255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
-@@ -283,17 +353,36 @@
+@@ -283,17 +356,36 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@@ -29130,7 +29292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +394,32 @@
+@@ -305,20 +397,32 @@
# XDM Local policy
#
@@ -29166,7 +29328,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -332,26 +433,45 @@
+@@ -326,32 +430,52 @@
+ allow xdm_t xdm_lock_t:file manage_file_perms;
+ files_lock_filetrans(xdm_t, xdm_lock_t, file)
+
++read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+ # wdm has its own config dir /etc/X11/wdm
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
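Review bot: `read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)` is inserted directly above the existing wdm comment for `xdm_rw_etc_t`, so that comment now reads as if it covered both lines; separate it with a blank line and its own comment, e.g. `# /etc/gdm config (xdm_etc_t) is read-only for xdm; per the changelog it is maintained by accountsd`. Note that this grants only file read plus directory search: if anything under /etc/gdm must be listed or executed by gdm (its session hook scripts, if they fall under the new label — confirm against the .fc entries, which are not in this diff) it will be denied and should be labelled separately or covered by a wider grant. The xdm_t local-policy block continues past this hunk.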
@@ -29217,7 +29386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +479,13 @@
+@@ -359,10 +483,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -29231,7 +29400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +494,21 @@
+@@ -371,15 +498,21 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -29254,7 +29423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +523,14 @@
+@@ -394,11 +527,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -29269,7 +29438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +538,7 @@
+@@ -406,6 +542,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -29277,7 +29446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +547,22 @@
+@@ -414,18 +551,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -29303,7 +29472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +573,17 @@
+@@ -436,9 +577,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -29321,7 +29490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +592,19 @@
+@@ -447,14 +596,19 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -29341,7 +29510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +615,12 @@
+@@ -465,10 +619,12 @@
logging_read_generic_logs(xdm_t)
@@ -29356,7 +29525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +629,11 @@
+@@ -477,6 +633,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -29368,7 +29537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -509,10 +666,12 @@
+@@ -509,10 +670,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -29381,7 +29550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +679,50 @@
+@@ -520,12 +683,50 @@
')
optional_policy(`
@@ -29432,7 +29601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +740,59 @@
+@@ -543,20 +744,59 @@
')
optional_policy(`
@@ -29494,7 +29663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +801,6 @@
+@@ -565,7 +805,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -29502,7 +29671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +811,10 @@
+@@ -576,6 +815,10 @@
')
optional_policy(`
@@ -29513,7 +29682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +839,9 @@
+@@ -600,10 +843,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -29525,7 +29694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +853,18 @@
+@@ -615,6 +857,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -29544,7 +29713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +884,19 @@
+@@ -634,12 +888,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -29566,7 +29735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +930,6 @@
+@@ -673,7 +934,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -29574,7 +29743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +939,12 @@
+@@ -683,9 +943,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -29588,7 +29757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +959,13 @@
+@@ -700,8 +963,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -29602,7 +29771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +987,14 @@
+@@ -723,11 +991,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -29617,7 +29786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1046,24 @@
+@@ -779,12 +1050,24 @@
')
optional_policy(`
@@ -29643,7 +29812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1090,7 @@
+@@ -811,7 +1094,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -29652,7 +29821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1111,14 @@
+@@ -832,9 +1115,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -29667,7 +29836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1133,14 @@
+@@ -849,11 +1137,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -29684,7 +29853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1286,33 @@
+@@ -999,3 +1290,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -30388,7 +30557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-05-05 09:51:59.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-05-07 09:54:35.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -30691,7 +30860,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -594,6 +699,7 @@
+@@ -578,6 +683,11 @@
+ ')
+
+ optional_policy(`
++ chronyd_append_keys(initrc_t)
++ chronyd_read_keys(initrc_t)
++')
++
++optional_policy(`
+ dev_getattr_printer_dev(initrc_t)
+
+ cups_read_log(initrc_t)
+@@ -594,6 +704,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
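Review bot: `chronyd_append_keys(initrc_t)` and `chronyd_read_keys(initrc_t)` expose chrony's key file — NTP authentication secrets — to the generic init-script domain, and nothing in the hunk records why; the changelog line for it only restates the grant. Presumably the chronyd init script checks for and generates a command key on first start — confirm — in which case a comment such as `# chronyd init script reads/creates the command key in the keys file on first start` should sit above the two calls, and a dedicated script domain or a distro-conditional wrapper would stop every other init script from inheriting read access to those secrets. The optional_policy block is complete inside the hunk, but the surrounding initrc_t policy continues outside it.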
@@ -30699,7 +30880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -647,11 +753,6 @@
+@@ -647,11 +758,6 @@
')
optional_policy(`
@@ -30711,7 +30892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
kerberos_use(initrc_t)
')
-@@ -690,12 +791,22 @@
+@@ -690,12 +796,22 @@
')
optional_policy(`
@@ -30734,7 +30915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +829,10 @@
+@@ -718,6 +834,10 @@
')
optional_policy(`
@@ -30745,7 +30926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -760,8 +875,6 @@
+@@ -760,8 +880,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30754,7 +30935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -774,10 +887,12 @@
+@@ -774,10 +892,12 @@
squid_manage_logs(initrc_t)
')
@@ -30767,7 +30948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +905,7 @@
+@@ -790,6 +910,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -30775,7 +30956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -798,11 +914,18 @@
+@@ -798,11 +919,18 @@
')
optional_policy(`
@@ -30795,7 +30976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +935,25 @@
+@@ -812,6 +940,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -30821,7 +31002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +979,34 @@
+@@ -837,3 +984,34 @@
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2f9a185..f90f950 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 13%{?dist}
+Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -468,10 +468,16 @@ exit 0
%endif
%changelog
+* Fri May 6 2010 Dan Walsh 3.7.19-14
+- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
+- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
+- Add dontaudit interface for bluetooth dbus
+- Add chronyd_read_keys, append_keys for initrc_t
+- Add log support for ksmtuned
+Resolves: #586663
+
* Thu May 6 2010 Dan Walsh 3.7.19-13
- Allow boinc to send mail
-- Fixes for MLS Xserver
-- Dontaudit leaked apache tmp file to sendmail
* Wed May 5 2010 Dan Walsh 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t