From 1b2986a43e84bb0fcbc422ee328a3011cc108ae2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 30 2009 11:51:04 +0000 Subject: - Additional rules for fprintd and sssd --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 368a7bc..bffe5d2 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1833,9 +1833,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive cpufreqselector_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.12/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc 2009-04-30 07:42:25.000000000 -0400 @@ -1,8 +1,16 @@ - HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) ++HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) @@ -5234,7 +5235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-27 11:30:40.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-29 10:47:24.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations 
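Review bot: The new `HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)` spec labels the entire XDG configuration tree instead of only `gtk-*`, so every domain that is granted write access to gnome_home_t now reaches the settings of every application that keeps state under ~/.config, including ones with no GNOME relationship. That widening is not visible from the file-context line itself; a comment such as `# whole ~/.config tree: any domain with write access to gnome_home_t can alter every app's XDG config` would record it, and the set of domains holding gnome_home_t write rights is worth re-checking before this lands. The adjacent context line `HOME_DIR/\.local.*` (not new here) also does not anchor on a path separator and would be worth a look in the same pass.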
@@ -5305,7 +5306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -153,3 +172,46 @@ +@@ -153,3 +172,50 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -5338,6 +5339,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ ssh_rw_pipes(domain) ++') ++ ++optional_policy(` + unconfined_dontaudit_rw_pipes(domain) + unconfined_sigchld(domain) +') @@ -8336,7 +8341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.12/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-29 14:18:52.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -8558,7 +8563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -227,10 +170,6 @@ +@@ -227,15 +170,13 @@ optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) 
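Review bot: `ssh_rw_pipes(domain)` gives every domain on the system read/write/getattr/ioctl on sshd_t fifo_files, a blanket allow where the neighbouring `unconfined_dontaudit_rw_pipes(domain)` takes the conservative dontaudit route for the same inherited-descriptor situation. Unless arbitrary confined daemons genuinely need to exchange data over an sshd pipe, a dontaudit variant, or scoping the allow to the domains sshd actually spawns, keeps an inherited descriptor from turning into a channel into sshd. If the allow is deliberate, a comment like `# processes started from an ssh session inherit sshd's stdin/stdout pipes; allow, not just dontaudit` would explain the choice. The `optional_policy` block is complete in the hunk, but the enclosing file section is not.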
@@ -8569,7 +8574,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -504,6 +443,47 @@ + nscd_socket_use(httpd_$1_script_t) + ') ++ ++ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; + ') + + ######################################## +@@ -504,6 +445,47 @@ ######################################## ## ## Allow the specified domain to read @@ -8617,7 +8629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## apache configuration files. ## ## -@@ -579,7 +559,7 @@ +@@ -579,7 +561,7 @@ ## ## ## @@ -8626,7 +8638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -715,6 +695,7 @@ +@@ -715,6 +697,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -8634,7 +8646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -782,6 +763,32 @@ +@@ -782,6 +765,32 @@ ######################################## ## @@ -8667,7 +8679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute all web scripts in the system ## script domain. ## -@@ -791,16 +798,18 @@ +@@ -791,16 +800,18 @@ ## ## # @@ -8690,7 +8702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -859,6 +868,8 @@ +@@ -859,6 +870,8 @@ ## ## # @@ -8699,7 +8711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; -@@ -884,7 +895,7 @@ +@@ -884,7 +897,7 @@ type httpd_squirrelmail_t; ') @@ -8708,7 +8720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1040,3 +1051,160 @@ +@@ -1040,3 +1053,160 @@ allow httpd_t $1:process signal; ') 
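Review bot: The added `dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };` sits inside `apache_content_template`, so it silences socket read/write denials for every content type's script domain at once, and it carries no explanation of why a script domain ends up holding an httpd_t TCP socket. A script that legitimately needs the client connection (a streaming CGI, for example) would then fail with no AVC to point at, so a one-line comment such as `# CGI scripts inherit the client connection socket from httpd; silence rather than allow` would save the next person a semodule -DB round-trip. The enclosing template starts before this hunk.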
@@ -10360,7 +10372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-29 13:51:27.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -10400,7 +10412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) -@@ -47,13 +57,35 @@ +@@ -47,13 +57,36 @@ auth_use_nsswitch(consolekit_t) @@ -10409,6 +10421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +init_chat(consolekit_t) + +logging_send_syslog_msg(consolekit_t) ++logging_send_audit_msgs(consolekit_t) + miscfiles_read_localization(consolekit_t) @@ -10438,7 +10451,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_dbus_chat(consolekit_t) -@@ -61,6 +93,32 @@ +@@ -61,6 +94,32 @@ ') optional_policy(` @@ -11834,7 +11847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-29 12:56:25.000000000 -0400 
@@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -13431,8 +13444,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-28 16:07:25.000000000 -0400 -@@ -0,0 +1,36 @@ ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-29 10:10:42.000000000 -0400 +@@ -0,0 +1,41 @@ +policy_module(fprintd,1.0.0) + +######################################## @@ -13463,8 +13476,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_read_all_users_state(fprintd_t) + +optional_policy(` ++ consolekit_dbus_chat(fprintd_t) ++') ++ ++optional_policy(` + polkit_read_reload(fprintd_t) + polkit_read_lib(fprintd_t) ++ polkit_domtrans_auth(fprintd_t) +') + +permissive fprintd_t; 
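Review bot: `consolekit_dbus_chat(fprintd_t)` and `polkit_domtrans_auth(fprintd_t)` are added to a domain that the same hunk still declares `permissive fprintd_t;`, so nothing in this change is exercised in enforcing mode and it cannot be told from here whether the two rules are complete or too broad; a fingerprint daemon talking to both the session tracker and the polkit authority is exactly the path that deserves an enforcing-mode test. Suggest a tracking comment above the permissive line, e.g. `# TODO: drop once fprintd runs clean in enforcing mode`, or at least a changelog note of which AVCs prompted these rules, since the changelog only says "additional rules".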
@@ -14533,6 +14551,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive ifplugd_t; + + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.6.12/policy/modules/services/inetd.if +--- nsaserefpolicy/policy/modules/services/inetd.if 2008-09-03 07:59:15.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/inetd.if 2009-04-29 14:44:12.000000000 -0400 +@@ -36,8 +36,7 @@ + role system_r types $1; + + domtrans_pattern(inetd_t, $2, $1) +- +- allow inetd_t $1:process sigkill; ++ allow inetd_t $1:process { siginh sigkill }; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if 2009-04-23 09:44:57.000000000 -0400 @@ -14959,8 +14990,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(mailman_queue_t, mailman_queue_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc --- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 11:46:55.000000000 -0400 -@@ -1,6 +1,9 @@ ++++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-29 10:14:21.000000000 -0400 +@@ -1,6 +1,10 @@ -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) 
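Review bot: Allowing `siginh` on the transition, `allow inetd_t $1:process { siginh sigkill };`, changes process semantics rather than merely silencing a denial: as far as I recall, upstream refpolicy's `domtrans_pattern` (called two lines above) already dontaudits siginh so the kernel resets the spawned service's signal state on entry to its domain, and with an allow the service inherits inetd's blocked and ignored signals instead. If that inheritance is intended (say, a daemon relying on an ignored SIGPIPE from inetd), a comment such as `# inetd children keep inetd's signal dispositions; siginh is allowed deliberately, not just dontaudited` would stop the next reader from "fixing" it back. If this was instead a reaction to a siginh AVC, the pattern's dontaudit should already cover it and the allow is unnecessary. The interface this body belongs to starts outside the hunk.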
@@ -14969,6 +15000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/run/milter.* -- gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0) + +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) @@ -20441,6 +20473,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_login_pgm_domain(rshd_t) auth_write_login_records(rshd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te +--- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-04-29 13:19:21.000000000 -0400 +@@ -8,6 +8,13 @@ + + ## + ##
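Review bot: `/var/run/milter.* -- gen_context(system_u:object_r:spamass_milter_data_t,s0)` is unanchored after the `milter` prefix, so a regular file such as a `milter-regex` pid file in /var/run would also be claimed for spamass_milter_data_t, even though this same file gives milter-regex its own regex_milter_data_t; the `--` qualifier keeps sockets out of it, but pid files of other milters would still be mislabeled. Please tighten it to the file name spamass-milter actually creates (e.g. `/var/run/milter\.[^/]*` if the file is literally `milter.<suffix>`), or drop it if the `/var/run/spamass-milter\.pid` rule above already covers the case. The neighbouring context line `/var/lib/miltermilter.*` (not new here) looks like a doubled prefix and is probably worth a second look in the same pass.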

++## Allow rsync to run as a client ++##

++##
++gen_tunable(rsync_client, false) ++ ++## ++##

+ ## Allow rsync to export any files/directories read only. + ##

+ ##
+@@ -124,4 +131,12 @@ + auth_read_all_symlinks_except_shadow(rsync_t) + auth_tunable_read_shadow(rsync_t) + ') ++ ++tunable_policy(`rsync_client',` ++ corenet_tcp_connect_rsync_port(rsync_t) ++ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) ++ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++') ++ + auth_can_read_shadow_passwords(rsync_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.12/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/samba.fc 2009-04-23 09:44:57.000000000 -0400 @@ -21363,7 +21425,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-29 13:03:31.000000000 -0400 +@@ -89,7 +89,7 @@ + type sendmail_t; + ') + +- allow $1 sendmail_t:unix_stream_socket { read write }; ++ allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; + ') + + ######################################## @@ -149,3 +149,92 @@ logging_log_filetrans($1, sendmail_log_t, file) 
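Review bot: The `rsync_client` tunable description, `Allow rsync to run as a client`, undersells what its `tunable_policy` block grants: besides `corenet_tcp_connect_rsync_port(rsync_t)` it gives rsync_t create/modify/delete over everything labeled rsync_data_t, which is the same content the daemon otherwise exports read-only under the tunable described directly below it. An administrator flipping this boolean for a cron-driven pull will not expect the daemon's share to become writable, so the description should say so, e.g. `## Allow rsync to run as a client: connect to the rsync port and create/modify/delete files labeled rsync_data_t`. The pre-existing `auth_can_read_shadow_passwords(rsync_t)` at the tail of the hunk is a reminder that this domain already carries sensitive read access, which is one more reason to keep the added write scope explicit.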
@@ -22406,7 +22477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-29 10:46:37.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -22607,7 +22678,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read a ssh server unnamed pipe. ## ## -@@ -611,3 +630,42 @@ +@@ -469,6 +488,23 @@ + + allow $1 sshd_t:fifo_file { getattr read }; + ') ++######################################## ++## ++## Read/write a ssh server unnamed pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_rw_pipes',` ++ gen_require(` ++ type sshd_t; ++ ') ++ ++ allow $1 sshd_t:fifo_file { write read getattr ioctl }; ++') + + ######################################## + ## +@@ -611,3 +647,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -23085,8 +23180,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-28 15:43:36.000000000 -0400 -@@ -0,0 +1,72 @@ ++++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-29 10:01:55.000000000 -0400 +@@ -0,0 +1,74 @@ +policy_module(sssd,1.0.0) + +######################################## 
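Review bot: The new `ssh_rw_pipes` interface is pasted directly after the closing `')` of the previous interface with no blank line before its `########################################` banner, which breaks the one-blank-line-between-interfaces layout used everywhere else in this file (the banner that follows it does keep the blank). The summary `Read/write a ssh server unnamed pipe.` should also say these are descriptors inherited from sshd, since the rule `allow $1 sshd_t:fifo_file { write read getattr ioctl };` grants no `open`; a reader otherwise expects the caller to be opening sshd's pipes. Add the blank line before the banner and reword the summary to `Read/write a ssh server unnamed pipe inherited from sshd.`.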
@@ -23150,6 +23245,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +auth_domtrans_chk_passwd(sssd_t) +auth_domtrans_upd_passwd(sssd_t) + ++init_read_utmp(sssd_t) ++ +logging_send_syslog_msg(sssd_t) +logging_send_audit_msgs(sssd_t) + @@ -25930,8 +26027,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-23 09:44:57.000000000 -0400 -@@ -280,6 +280,36 @@ ++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-29 14:42:44.000000000 -0400 +@@ -174,6 +174,7 @@ + role system_r types $1; + + domtrans_pattern(initrc_t,$2,$1) ++ allow initrc_t $1:process siginh; + + # daemons started from init will + # inherit fds from init for the console +@@ -272,6 +273,7 @@ + role system_r types $1; + + domtrans_pattern(initrc_t,$2,$1) ++ allow initrc_t $1:process siginh; + + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray +@@ -280,6 +282,36 @@ kernel_dontaudit_use_fds($1) ') ') @@ -25968,7 +26081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -546,7 +576,7 @@ +@@ -546,7 +578,7 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -25977,7 +26090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -619,18 +649,19 @@ +@@ -619,18 +651,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -26001,7 +26114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,23 +677,43 @@ +@@ -646,19 +679,39 @@ # interface(`init_domtrans_script',` gen_require(` 
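Review bot: Both added `allow initrc_t $1:process siginh;` lines follow a `domtrans_pattern(initrc_t,$2,$1)` call that, as far as I recall from upstream refpolicy, already dontaudits siginh, so they are not fixing a denial: they switch the kernel from resetting the daemon's signal state on the transition to letting it inherit initrc_t's blocked and ignored signals. That is a behavioural change for every daemon started from an init script and deserves a comment at each site, e.g. `# daemons keep the init script's signal mask; siginh allowed deliberately, not just dontaudited`, plus a mention in the changelog, which currently names only fprintd and sssd. Both interfaces begin before this hunk.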
@@ -26022,11 +26135,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -26039,17 +26152,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -1291,6 +1342,25 @@ + ') + + ######################################## +@@ -1291,6 +1344,25 @@ ######################################## ## @@ -26075,7 +26184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1591,51 @@ +@@ -1521,3 +1593,51 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 21ccbb0..981eb9a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -480,6 +480,9 @@ exit 0 %endif %changelog +* Wed Apr 28 2009 Dan Walsh 3.6.12-25 +- Additional rules for fprintd and sssd + * Tue Apr 28 2009 Dan Walsh 3.6.12-24 - Allow nsplugin to unix_read unix_write sem for unconfined_java