From 95e4e016d0a19cefb0e2458a0987c00550a64307 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 19 2009 19:51:42 +0000 Subject: - Allow ccs to communicate with userdomains, and create tmpfs_t - Add /dev/noz* as a modem_device_t and allow modemmanager to rw it. - Add mapping for /var/run/lircd --- diff --git a/modules-mls.conf b/modules-mls.conf index 7e20376..e332e52 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1833,3 +1833,31 @@ milter = module # wm = module +# Layer: services +# Module: aisexec +# +# RHCS - Red Hat Cluster Suite +# +aisexec = module + +# Layer: services +# Module: rgmanager +# +# rgmanager +# +rgmanager = module + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + diff --git a/policy-F12.patch b/policy-F12.patch index 9eca084..723d568 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2913,7 +2913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-10-17 07:22:40.000000000 -0400 @@ -21,6 +21,105 @@ ######################################## 
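Review bot: Two of the four new modules-mls.conf entries carry no real description — `# rgmanager` and `# policy for ricci` just repeat the name — whereas the aisexec and clogd entries follow the file's pattern of saying what the daemon is; I would write e.g. `# rgmanager - Red Hat Cluster Suite resource group manager` and give ricci a similar one-liner. The commit subject also does not mention that these four cluster modules are being switched on for the MLS build; a line for that would help anyone bisecting an MLS policy build later. The second hunk on this line only changes a timestamp.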
@@ -4347,8 +4347,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-09-30 16:12:48.000000000 -0400 -@@ -0,0 +1,56 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-10-19 09:18:38.000000000 -0400 +@@ -0,0 +1,57 @@ +policy_module(sambagui,1.0.0) + +######################################## @@ -4366,6 +4366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow sambagui_t self:fifo_file rw_fifo_file_perms; ++allow sambagui_t self:unix_dgram_socket create_socket_perms; + +# handling with samba conf files +samba_append_log(sambagui_t) @@ -5548,7 +5549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-10-19 09:11:30.000000000 -0400 @@ -47,8 +47,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) 
@@ -5577,7 +5578,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -148,6 +151,8 @@ +@@ -139,8 +142,11 @@ + + /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) + ++/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) + /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + ++/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) ++ + /dev/pts(/.*)? <> + + /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -148,6 +154,8 @@ /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -5586,7 +5599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -168,6 +173,7 @@ +@@ -168,6 +176,7 @@ ifdef(`distro_redhat',` # originally from named.fc @@ -5596,7 +5609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-14 11:17:02.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-19 09:10:56.000000000 -0400 @@ -1692,6 +1692,78 @@ ######################################## 
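Review bot: Relabeling existing nodes changes visibility for every domain, not only modemmanager: `/dev/modem` and `/dev/noz.*` presumably fell under the generic `/dev/.*` fallback before, and after this hunk any domain that reached them through generic device interfaces needs one of the new `dev_*_modem` interfaces instead; the only consumer wired up in this commit is `dev_rw_modem(modemmanager_t)`, so another dialer domain that used these nodes would regress with nothing but AVC denials to show for it. A grep of the nested patch for other users of modem-like nodes before landing would settle that. Also, `/dev/modem` is commonly a symlink to the real serial node; with the `-c` specifier the link itself will not match and keeps the generic label, which is fine for following the link but deserves a short comment if it is intentional.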
@@ -5764,7 +5777,86 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## dontaudit getattr raw memory devices (e.g. /dev/mem). ## ## -@@ -2305,6 +2451,25 @@ +@@ -2046,6 +2192,78 @@ + + ######################################## + ## ++## Get the attributes of the modem devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_modem_dev',` ++ gen_require(` ++ type device_t, modem_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, modem_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the modem devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_modem_dev',` ++ gen_require(` ++ type device_t, modem_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, modem_device_t) ++') ++ ++######################################## ++## ++## Read the modem devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_modem',` ++ gen_require(` ++ type device_t, modem_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, modem_device_t) ++') ++ ++######################################## ++## ++## Read and write to modem devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_modem',` ++ gen_require(` ++ type device_t, modem_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, modem_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of the mouse devices. + ## + ## +@@ -2305,6 +2523,25 @@ ######################################## ## @@ -5790,7 +5882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -@@ -3599,6 +3764,24 @@ +@@ -3599,6 +3836,24 @@ ######################################## ## 
@@ -5817,7 +5909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2009-10-19 09:09:54.000000000 -0400 @@ -84,6 +84,13 @@ dev_node(kmsg_device_t) @@ -5845,7 +5937,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Type for /dev/mapper/control # type lvm_control_t; -@@ -224,6 +237,12 @@ +@@ -110,6 +123,12 @@ + dev_node(misc_device_t) + + # ++# A general type for modem devices. ++# ++type modem_device_t; ++dev_node(modem_device_t) ++ ++# + # A more general type for mouse devices. + # + type mouse_device_t; +@@ -224,6 +243,12 @@ type watchdog_device_t; dev_node(watchdog_device_t) @@ -8465,8 +8570,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-08 15:41:51.000000000 -0400 -@@ -0,0 +1,410 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-17 07:22:57.000000000 -0400 +@@ -0,0 +1,411 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
@@ -8504,6 +8609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +userdom_execmod_user_home_files(unconfined_t) ++userdom_unpriv_usertype(unconfined, unconfined_t) + +type unconfined_exec_t; +init_system_domain(unconfined_t, unconfined_exec_t) @@ -9171,7 +9277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-06 10:15:23.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-19 14:55:25.000000000 -0400 @@ -75,6 +75,7 @@ corecmd_exec_bin(abrt_t) @@ -9180,10 +9286,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(abrt_t) -@@ -105,13 +106,29 @@ - dbus_system_bus_client(abrt_t) - ') +@@ -101,17 +102,32 @@ + userdom_read_user_home_content_files(abrt_t) + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- dbus_system_bus_client(abrt_t) ++ dbus_system_domain(abrt_t, abrt_exec_t) ++') ++ +optional_policy(` + nsplugin_read_rw_files(abrt_t) +') @@ -9193,8 +9304,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) -+') -+ + ') + # to install debuginfo packages optional_policy(` - rpm_manage_db(abrt_t) 
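Review bot: `userdom_unpriv_usertype(unconfined, unconfined_t)` reads as a contradiction without a comment — an unconfined domain registered as an unprivileged user type — so the line should say why, e.g. `# register unconfined_t with the user-type attributes so interfaces aimed at all user domains (such as the shared-memory/semaphore ones granted to ccs_t in this commit) also reach it`. If the interface also adds unconfined_t to the unpriv_userdomain attribute, every rule written against that attribute now covers unconfined_t as well, whether as subject or as target; that is harmless for an unconfined domain but changes which audit records it produces, which is worth stating. The rest of unconfined_t's rules are outside this hunk.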
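Review bot: `dbus_system_domain(abrt_t, abrt_exec_t)` is broader than the two client lines it replaces: in refpolicy's definition it also sets up the D-Bus activation transition from the system bus daemon through abrt_exec_t into abrt_t, so the bus can now launch abrtd. If abrtd is only started by init and never activated over D-Bus, `dbus_system_bus_client(abrt_t)` plus `dbus_connect_system_bus(abrt_t)` was the narrower grant; either way a comment such as `# abrtd is D-Bus activated` (or the converse) on that line would settle it. The new policykit block, `policykit_domtrans_auth(abrt_t)` with the two read interfaces, likewise has no comment saying which abrt operation triggers a PolicyKit authorization check. The next hunk on this line is the matching reshuffle of the optional_policy closers.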
@@ -11140,6 +11251,92 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0) +/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) +/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.32/policy/modules/services/ccs.te +--- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/ccs.te 2009-10-17 06:50:43.000000000 -0400 +@@ -10,23 +10,21 @@ + type ccs_exec_t; + init_daemon_domain(ccs_t, ccs_exec_t) + +-# conf files + type cluster_conf_t; + files_type(cluster_conf_t) + +-# tmp files + type ccs_tmp_t; + files_tmp_file(ccs_tmp_t) + +-# log files +-type ccs_var_log_t; +-logging_log_file(ccs_var_log_t) ++type ccs_tmpfs_t; ++files_tmpfs_file(ccs_tmpfs_t) + +-# var lib files + type ccs_var_lib_t; + logging_log_file(ccs_var_lib_t) + +-# pid files ++type ccs_var_log_t; ++logging_log_file(ccs_var_log_t) ++ + type ccs_var_run_t; + files_pid_file(ccs_var_run_t) + +@@ -35,7 +33,7 @@ + # ccs local policy + # + +-allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin }; ++allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; + allow ccs_t self:process { signal setrlimit setsched }; + dontaudit ccs_t self:process ptrace; + allow ccs_t self:fifo_file rw_fifo_file_perms; +@@ -55,23 +53,29 @@ + manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) + files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir }) + +-# log files +-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) +-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) +-allow ccs_t ccs_var_log_t:dir setattr; +-logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) ++manage_dirs_pattern(ccs_t, ccs_tmpfs_t, 
ccs_tmpfs_t) ++manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) ++fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t,{ dir file }) + + # var lib files + manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) + manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) + files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) + ++# log files ++manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) ++manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) ++allow ccs_t ccs_var_log_t:dir setattr; ++logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) ++ + # pid file + manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) + manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) + manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) + files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file }) + ++aisexec_stream_connect(ccs_t) ++ + kernel_read_kernel_sysctls(ccs_t) + + corecmd_list_bin(ccs_t) +@@ -104,6 +108,9 @@ + + sysnet_dns_name_resolve(ccs_t) + ++userdom_manage_unpriv_user_shared_mem(ccs_t) ++userdom_manage_unpriv_user_semaphores(ccs_t) ++ + ifdef(`hide_broken_symptoms', ` + corecmd_dontaudit_write_bin_dirs(ccs_t) + files_manage_isid_type_files(ccs_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.32/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/certmaster.te 2009-09-30 16:12:48.000000000 -0400 
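Review bot: `ipc_owner` added to the ccs_t capability set, together with `userdom_manage_unpriv_user_shared_mem(ccs_t)` and `userdom_manage_unpriv_user_semaphores(ccs_t)`, lets the daemon bypass SysV IPC ownership checks and manage the shared memory and semaphores of every unprivileged user domain, not only those of the cluster client it talks to; a comment naming that client (and the AVC that motivated it) belongs above those lines so a later reviewer can judge whether a dedicated type would be narrower. Style: `fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t,{ dir file })` is missing the space after the comma that the other calls in the file have. The reordering of the declarations also drops the `# conf files`, `# tmp files`, `# var lib files` and `# pid files` group comments while re-adding `# log files`; keep them for consistency. Not changed here but visible in context: `logging_log_file(ccs_var_lib_t)` registers the var-lib type as a log-file type, which looks like it was meant to be `files_type(ccs_var_lib_t)`.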
@@ -13755,10 +13952,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ktalkd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.32/policy/modules/services/lircd.fc +--- nsaserefpolicy/policy/modules/services/lircd.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/lircd.fc 2009-10-19 09:13:19.000000000 -0400 +@@ -6,3 +6,4 @@ + /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) + + /var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) ++/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-09-30 16:12:48.000000000 -0400 -@@ -42,7 +42,18 @@ ++++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-10-19 09:14:01.000000000 -0400 +@@ -37,12 +37,24 @@ + # pid file + manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) + manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) ++manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) + files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) + # /dev/lircd socket manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) dev_filetrans(lircd_t, lircd_sock_t, sock_file ) 
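Review bot: `manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)` is added, but `files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })` on the next line still omits `sock_file`, so a socket created directly under /var/run would keep the generic pid label instead of lircd_var_run_t. If the socket only ever lives inside /var/run/lircd/ — which the new `/var/run/lircd(/.*)?` fc entry suggests — the current form is enough; otherwise extend it to `files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file sock_file })`. As a nit, the new fc line has no file-type specifier, so it labels whatever appears under that path; a `-d`/`-s` split would narrow it.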
@@ -13815,6 +14026,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization($1_milter_t) logging_send_syslog_msg($1_milter_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te +--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 09:09:20.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-10-19 09:11:09.000000000 -0400 +@@ -24,6 +24,7 @@ + kernel_read_system_state(modemmanager_t) + + dev_read_sysfs(modemmanager_t) ++dev_rw_modem(modemmanager_t) + + files_read_etc_files(modemmanager_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.32/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/mta.fc 2009-09-30 16:12:48.000000000 -0400 
@@ -13826,8 +14048,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-10-07 16:49:03.000000000 -0400 -@@ -311,6 +311,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-10-19 14:29:57.000000000 -0400 +@@ -69,6 +69,7 @@ + can_exec($1_mail_t, sendmail_exec_t) + allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; + ++ kernel_read_system_state($1_mail_t) + kernel_read_kernel_sysctls($1_mail_t) + + corenet_all_recvfrom_unlabeled($1_mail_t) +@@ -87,6 +88,8 @@ + # It wants to check for nscd + files_dontaudit_search_pids($1_mail_t) + ++ init_dontaudit_rw_utmp($1_mail_t) ++ + auth_use_nsswitch($1_mail_t) + + logging_send_syslog_msg($1_mail_t) +@@ -311,6 +314,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1, mail_spool_t, mail_spool_t) read_files_pattern($1, mail_spool_t, mail_spool_t) @@ -13835,7 +14074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -@@ -351,6 +352,7 @@ +@@ -351,6 +355,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) @@ -13843,7 +14082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -470,7 +472,8 @@ +@@ -470,7 +475,8 @@ type etc_mail_t; ') 
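Review bot: `init_dontaudit_rw_utmp($1_mail_t)` lands without the one-line reason that the neighbouring dontaudit carries (`# It wants to check for nscd`); add one naming the program and operation behind the AVC, e.g. `# <client program> opens utmp read-write at start; deny silently — fill in from the AVC`. `kernel_read_system_state($1_mail_t)` moves /proc reading from the single system mail domain into the template — the mta.te hunk `@@ -13875,19 +14114,19 @@` on the next line drops the `system_mail_t` copy — so every instantiated `$1_mail_t`, user mail clients included, now gets it; that widening is probably fine but should be said in the commit message. The template these lines belong to starts before this hunk.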
@@ -13853,7 +14092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -694,7 +697,7 @@ +@@ -694,7 +700,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -13864,7 +14103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-10-19 14:29:50.000000000 -0400 @@ -27,6 +27,9 @@ type mail_spool_t; files_mountpoint(mail_spool_t) @@ -13875,19 +14114,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -57,8 +60,11 @@ +@@ -57,8 +60,10 @@ can_exec(system_mail_t, mta_exec_type) +-kernel_read_system_state(system_mail_t) +files_read_all_tmp_files(system_mail_t) + - kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) +kernel_request_load_module(system_mail_t) dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) -@@ -72,16 +78,21 @@ +@@ -72,16 +77,21 @@ userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) @@ -13909,7 +14148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -100,6 +111,7 @@ +@@ -100,6 +110,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) 
@@ -13917,7 +14156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -178,6 +190,10 @@ +@@ -178,6 +189,10 @@ ') optional_policy(` @@ -13928,7 +14167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol smartmon_read_tmp_files(system_mail_t) ') -@@ -197,6 +213,25 @@ +@@ -197,6 +212,25 @@ ') ') @@ -15729,8 +15968,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-10-14 11:18:02.000000000 -0400 -@@ -0,0 +1,95 @@ ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-10-18 12:52:36.000000000 -0400 +@@ -0,0 +1,96 @@ +policy_module(plymouthd, 1.0.0) + +######################################## @@ -15776,6 +16015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +kernel_read_system_state(plymouthd_t) +kernel_request_load_module(plymouthd_t) ++kernel_change_ring_buffer_level(plymouthd_t) + +dev_rw_dri(plymouthd_t) +dev_read_sysfs(plymouthd_t) 
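Review bot: `kernel_change_ring_buffer_level(plymouthd_t)` grants the daemon the right to change the console log level, a kernel-wide setting rather than something scoped to plymouth, so a why-comment is warranted, e.g. `# lowers the console loglevel while the boot splash is shown — confirm against the AVC`. The rest of plymouthd's rules are outside this hunk, and the other hunks on this line only renumber offsets or a timestamp.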
@@ -20896,6 +21136,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.6.32/policy/modules/services/tftp.fc +--- nsaserefpolicy/policy/modules/services/tftp.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/tftp.fc 2009-10-16 08:44:49.000000000 -0400 +@@ -5,4 +5,4 @@ + /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) + /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) + +-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) ++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.32/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/uucp.te 2009-09-30 16:12:48.000000000 -0400 @@ -23542,7 +23791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /var diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-10-01 17:11:27.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-10-19 14:27:28.000000000 -0400 @@ -174,6 +174,7 @@ role system_r types $1; 
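Review bot: Switching the default label of the whole `/var/lib/tftpboot(/.*)?` tree from `tftpdir_t` to `tftpdir_rw_t` changes what an anonymous TFTP client may be able to write, since the `_rw_` type is presumably the one the daemon is allowed to modify; the tftp.te rules that grant write access to tftpdir_rw_t are not in this commit, so confirm they remain behind the `tftp_anon_write` boolean and that a read-only deployment does not become writable through this relabel alone. A short comment in tftp.fc, or a line in the commit message, should state that /var/lib/tftpboot is now the writable tree while /tftpboot stays `tftpdir_t`. The init.if hunk on this line is a timestamp change only.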
@@ -26644,7 +26893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-10-08 12:25:39.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-10-18 12:56:30.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -26742,7 +26991,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) -@@ -336,6 +342,8 @@ +@@ -313,6 +319,8 @@ + kernel_rw_pipes(restorecond_t) + kernel_read_system_state(restorecond_t) + ++files_dontaudit_read_all_symlinks(restorecond_t) ++ + fs_relabelfrom_noxattr_fs(restorecond_t) + fs_dontaudit_list_nfs(restorecond_t) + fs_getattr_xattr_fs(restorecond_t) +@@ -336,6 +344,8 @@ seutil_libselinux_linked(restorecond_t) @@ -26751,7 +27009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -354,7 +362,7 @@ +@@ -354,7 +364,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -26760,7 +27018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -383,7 +391,6 @@ +@@ -383,7 +393,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) 
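Review bot: `files_dontaudit_read_all_symlinks(restorecond_t)` silences, for a daemon whose job is relabeling files, the one denial that would show it could not read a link it was asked to handle; if restorecond only stats links and the denials come from a library walking paths, a comment saying so would justify the dontaudit, otherwise `files_read_all_symlinks(restorecond_t)` is the honest grant. The remaining hunks on this line only renumber offsets, and the semanage_t hunks here and on the next two lines only reorder lines inside the nested patch, so they need no review.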
@@ -26768,7 +27026,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -406,6 +413,10 @@ +@@ -406,6 +415,10 @@ ') ') @@ -26779,7 +27037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -421,61 +432,22 @@ +@@ -421,61 +434,22 @@ # semodule local policy # @@ -26787,13 +27045,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+seutil_semanage_policy(semanage_t) -+allow semanage_t self:fifo_file rw_fifo_file_perms; - +- -allow semanage_t policy_config_t:file rw_file_perms; -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - +- -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) @@ -26804,9 +27058,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) -- ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + -domain_use_interactive_fds(semanage_t) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) 
@@ -26828,13 +27086,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) -+# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) - +- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) -- ++# Admins are creating pp files in random locations ++auth_read_all_files_except_shadow(semanage_t) + -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) @@ -26849,7 +27107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +456,23 @@ +@@ -484,12 +458,23 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -26873,7 +27131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,111 +482,41 @@ +@@ -499,111 +484,41 @@ userdom_read_user_tmp_files(semanage_t) ') @@ -28394,7 +28652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-15 12:42:02.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-19 14:14:08.000000000 -0400 @@ -30,8 +30,9 @@ ') 
@@ -29266,15 +29524,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -826,6 +879,7 @@ +@@ -826,6 +879,8 @@ ') userdom_login_user_template($1) + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; ++ dontaudit $1_t self:netlink_audit_socket create_socket_perms; typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) -@@ -835,6 +889,32 @@ +@@ -835,6 +890,32 @@ # Local policy # @@ -29307,7 +29566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -865,51 +945,83 @@ +@@ -865,51 +946,83 @@ userdom_restricted_user_template($1) @@ -29404,7 +29663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1055,8 @@ +@@ -943,8 +1056,8 @@ # Declarations # @@ -29414,7 +29673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1065,67 @@ +@@ -953,58 +1066,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -29512,7 +29771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1161,7 @@ +@@ -1040,7 +1162,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -29521,7 +29780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1170,7 @@ +@@ -1049,8 +1171,7 @@ # # Inherit rules for ordinary users. @@ -29531,7 +29790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1195,9 @@ +@@ -1075,6 +1196,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
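Review bot: `dontaudit $1_t self:netlink_audit_socket create_socket_perms;` silently drops an unprivileged user domain's attempt to open the audit netlink socket; that is the right outcome, since only privileged daemons should reach the audit subsystem, but a dontaudit on an audit-related socket is exactly the rule a later auditor will question, so give it a comment, e.g. `# programs linked against libaudit try to open an audit socket at startup and cope with EPERM; no need to log it — confirm`. The template this line belongs to starts outside the hunk, and the other hunks on this line are offset-only.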
@@ -29541,7 +29800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1212,7 @@ +@@ -1089,6 +1213,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -29549,7 +29808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1220,6 @@ +@@ -1096,8 +1221,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -29558,7 +29817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,6 +1246,8 @@ +@@ -1124,6 +1247,8 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -29567,7 +29826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1152,20 +1276,6 @@ +@@ -1152,20 +1277,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -29588,7 +29847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1321,7 @@ +@@ -1211,6 +1322,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -29596,7 +29855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1387,15 @@ +@@ -1276,11 +1388,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -29612,7 +29871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1506,13 @@ +@@ -1391,12 +1507,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -29627,7 +29886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1545,14 @@ +@@ -1429,6 +1546,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -29642,7 +29901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1568,11 @@ +@@ -1444,9 +1569,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -29654,7 +29913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1629,25 @@ +@@ -1503,6 +1630,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -29680,7 +29939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1722,8 @@ +@@ -1577,6 +1723,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -29689,7 +29948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1670,6 +1817,7 @@ +@@ -1670,6 +1818,7 @@ type user_home_dir_t, user_home_t; ') @@ -29697,7 +29956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1945,32 @@ +@@ -1797,19 +1946,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -29737,7 +29996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2005,7 @@ +@@ -1844,6 +2006,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -29745,7 +30004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,27 +2553,7 @@ +@@ -2391,27 +2554,7 @@ ######################################## ## @@ -29774,7 +30033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2749,7 +2891,7 @@ +@@ -2749,7 +2892,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -29783,7 +30042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +2907,32 @@ +@@ -2765,11 +2908,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -29818,7 +30077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3060,25 @@ +@@ -2897,7 +3061,25 @@ type user_tmp_t; ') @@ -29845,7 +30104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3115,7 @@ +@@ -2934,6 +3116,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -29853,7 +30112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3246,559 @@ +@@ -3064,3 +3247,559 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ea1391e..6590467 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,11 @@ exit 0
 %endif
 %changelog
+* Sat Oct 17 2009 Dan Walsh 3.6.32-29
+- Allow ccs to communicate with userdomains, and create tmpfs_t
+- Add /dev/noz* as a modem_device_t and allow modemmanager to rw it.
+- Add mapping for /var/run/lircd
+
 * Thu Oct 15 2009 Dan Walsh 3.6.32-28
 - Allow sandbox_domain to interact with userdomain fifo_files