From a88b486824a66dc39ffd72f855be823b5cf8c20d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 08 2009 15:37:57 +0000 Subject: - Fixes for xguest --- diff --git a/policy-F12.patch b/policy-F12.patch index 50bc00f..1c7923e 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2833,8 +2833,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.21/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.21/policy/modules/apps/mozilla.if 2009-07-01 10:43:35.000000000 -0400 -@@ -64,6 +64,7 @@ ++++ serefpolicy-3.6.21/policy/modules/apps/mozilla.if 2009-07-08 11:19:59.000000000 -0400 +@@ -45,6 +45,18 @@ + relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ ++ mozilla_dbus_chat($2) ++ ++ userdom_manage_tmp_role($1, mozilla_t) ++ ++ optional_policy(` ++ nsplugin_role($1, mozilla_t) ++ ') ++ ++ optional_policy(` ++ pulseaudio_role($1, mozilla_t) ++ ') + ') + + ######################################## +@@ -64,6 +76,7 @@ allow $1 mozilla_home_t:dir list_dir_perms; allow $1 mozilla_home_t:file read_file_perms; @@ -2842,7 +2861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -@@ -83,7 +84,7 @@ +@@ -83,7 +96,7 @@ ') allow $1 mozilla_home_t:dir list_dir_perms; 
@@ -2853,8 +2872,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.21/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.21/policy/modules/apps/mozilla.te 2009-07-01 10:43:35.000000000 -0400 -@@ -105,6 +105,7 @@ ++++ serefpolicy-3.6.21/policy/modules/apps/mozilla.te 2009-07-08 11:32:50.000000000 -0400 +@@ -59,6 +59,7 @@ + manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) + manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) + userdom_search_user_home_dirs(mozilla_t) ++userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir) + + # Mozpluggerrc + allow mozilla_t mozilla_conf_t:file read_file_perms; +@@ -97,6 +98,7 @@ + corenet_tcp_connect_ftp_port(mozilla_t) + corenet_tcp_connect_ipp_port(mozilla_t) + corenet_tcp_connect_generic_port(mozilla_t) ++corenet_tcp_connect_soundd_port(mozilla_t) + corenet_sendrecv_http_client_packets(mozilla_t) + corenet_sendrecv_http_cache_client_packets(mozilla_t) + corenet_sendrecv_ftp_client_packets(mozilla_t) +@@ -105,6 +107,7 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) corenet_dontaudit_tcp_bind_generic_port(mozilla_t) @@ -2862,7 +2897,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(mozilla_t) dev_read_rand(mozilla_t) -@@ -128,6 +129,7 @@ +@@ -113,6 +116,8 @@ + dev_dontaudit_rw_dri(mozilla_t) + dev_getattr_sysfs_dirs(mozilla_t) + ++domain_dontaudit_read_all_domains_state(mozilla_t) ++ + files_read_etc_runtime_files(mozilla_t) + files_read_usr_files(mozilla_t) + files_read_etc_files(mozilla_t) +@@ -128,6 +133,7 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) 
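Review bot: `domain_dontaudit_read_all_domains_state(mozilla_t)` in the mozilla.te hunk is added with no comment. Going by the interface name, it suppresses the denial record for every attempt by the browser domain to read other domains' process state. The access stays denied, but those AVC records are a useful signal when a browser or plugin starts enumerating processes, so the suppression should carry its reason. Something like `# browser walks /proc at startup; the read stays denied, only the log noise is dropped` would do, if that is the actual cause. If one helper triggers the denials, a dontaudit scoped to that helper would keep the signal for everything else.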
@@ -2870,15 +2914,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(mozilla_t) -@@ -143,6 +145,7 @@ - userdom_manage_user_tmp_dirs(mozilla_t) - userdom_manage_user_tmp_files(mozilla_t) - userdom_manage_user_tmp_sockets(mozilla_t) +@@ -137,12 +143,7 @@ + # Browse the web, connect to printer + sysnet_dns_name_resolve(mozilla_t) + +-userdom_manage_user_home_content_dirs(mozilla_t) +-userdom_manage_user_home_content_files(mozilla_t) +-userdom_manage_user_home_content_symlinks(mozilla_t) +-userdom_manage_user_tmp_dirs(mozilla_t) +-userdom_manage_user_tmp_files(mozilla_t) +-userdom_manage_user_tmp_sockets(mozilla_t) +userdom_use_user_ptys(mozilla_t) xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -243,6 +246,8 @@ +@@ -239,10 +240,15 @@ + optional_policy(` + dbus_system_bus_client(mozilla_t) + dbus_session_bus_client(mozilla_t) ++ optional_policy(` ++ networkmanager_dbus_chat(mozilla_t) ++ ') + ') optional_policy(` gnome_stream_connect_gconf(mozilla_t) @@ -2887,7 +2944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -263,5 +268,10 @@ +@@ -263,5 +269,10 @@ ') optional_policy(` @@ -2916,7 +2973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.21/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.21/policy/modules/apps/nsplugin.if 2009-07-06 15:10:59.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/apps/nsplugin.if 2009-07-08 10:43:18.000000000 -0400 @@ -0,0 +1,313 @@ + +## policy for nsplugin 
@@ -3784,7 +3841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if 2009-07-01 10:43:35.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/apps/pulseaudio.if 2009-07-08 10:50:31.000000000 -0400 @@ -0,0 +1,148 @@ + +## policy for pulseaudio @@ -8612,8 +8669,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_home_content_files(webadm_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.21/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/roles/xguest.te 2009-07-01 10:43:35.000000000 -0400 -@@ -67,7 +67,11 @@ ++++ serefpolicy-3.6.21/policy/modules/roles/xguest.te 2009-07-08 11:32:12.000000000 -0400 +@@ -36,11 +36,17 @@ + # Local policy + # + ++# Dontaudit fusermount ++dontaudit xguest_t self:capability sys_admin; ++ + # Allow mounting of file systems + optional_policy(` + tunable_policy(`xguest_mount_media',` + kernel_read_fs_sysctls(xguest_t) + ++ # allow fusermount ++ allow xguest_t self:capability sys_admin; ++ + files_dontaudit_getattr_boot_dirs(xguest_t) + files_search_mnt(xguest_t) + +@@ -67,7 +73,11 @@ ') optional_policy(` @@ -8626,7 +8701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -75,9 +79,13 @@ +@@ -75,9 +85,13 @@ ') optional_policy(` 
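Review bot: `allow xguest_t self:capability sys_admin;` under the `xguest_mount_media` tunable in xguest.te grants the capability to the guest user domain itself, and sys_admin covers far more than the mount operation named in the `# allow fusermount` comment. If fusermount is the only consumer, a tighter shape would be a dedicated domain for it, entered by transition from xguest_t and holding the capability there, so other privileged helpers started by the guest do not inherit it. The unconditional `dontaudit xguest_t self:capability sys_admin;` above the tunable also drops the denial record when mounting is switched off. Its comment should say which program triggers the denial and why hiding it is acceptable.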
@@ -10209,15 +10284,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.21/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2009-06-26 13:59:19.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/services/apm.te 2009-07-01 10:43:35.000000000 -0400 -@@ -39,6 +39,7 @@ - # - - allow apm_t self:capability { dac_override sys_admin }; -+dontaudit apm_t self:capability sys_ptrace; - - kernel_read_system_state(apm_t) - ++++ serefpolicy-3.6.21/policy/modules/services/apm.te 2009-07-08 10:40:06.000000000 -0400 +@@ -60,7 +60,7 @@ + # mknod: controlling an orderly resume of PCMCIA requires creating device + # nodes 254,{0,1,2} for some reason. + allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; +-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; ++dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; + allow apmd_t self:process { signal_perms getsession }; + allow apmd_t self:fifo_file rw_fifo_file_perms; + allow apmd_t self:unix_dgram_socket create_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.21/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2008-10-14 11:58:09.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/automount.if 2009-07-01 10:43:35.000000000 -0400 
@@ -17486,7 +17562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.21/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-26 13:59:19.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/services/postgresql.te 2009-07-01 10:43:36.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/services/postgresql.te 2009-07-07 16:27:00.000000000 -0400 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) @@ -17517,6 +17593,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_postgresql_server_packets(postgresql_t) corenet_sendrecv_auth_client_packets(postgresql_t) +@@ -247,6 +253,7 @@ + init_read_utmp(postgresql_t) + + logging_send_syslog_msg(postgresql_t) ++logging_send_audit_msgs(postgresql_t) + + miscfiles_read_localization(postgresql_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.21/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 +++ serefpolicy-3.6.21/policy/modules/services/ppp.fc 2009-07-01 10:43:36.000000000 -0400 @@ -19565,7 +19649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.21/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.21/policy/modules/services/sendmail.te 2009-07-01 10:43:36.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/services/sendmail.te 2009-07-07 17:16:43.000000000 -0400 
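Review bot: `logging_send_audit_msgs(postgresql_t)` in the postgresql.te hunk lets the database server domain emit its own audit records, and nothing in the hunk says which feature needs that. A network-facing daemon that can write to the audit trail can also add misleading entries if it is compromised, so the grant should be documented and ideally limited to installs that use it. I would add a comment such as `# needed for <feature> to log access decisions to the audit subsystem` with the feature filled in, and consider wrapping the line in a tunable or optional block if only some configurations depend on it.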
@@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -19732,7 +19816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + mta_etc_filetrans_aliases(unconfined_sendmail_t) -+ unconfined_domain(unconfined_sendmail_t) ++ unconfined_domain_noaudit(unconfined_sendmail_t) +') -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; @@ -22746,7 +22830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.21/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-26 13:59:19.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-07 15:47:58.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/services/xserver.te 2009-07-08 10:50:38.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -23173,7 +23257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +650,28 @@ +@@ -542,6 +650,29 @@ ') optional_policy(` @@ -23185,6 +23269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + pulseaudio_exec(xdm_t) ++ pulseaudio_dbus_chat(xdm_t) +') + +# On crash gdm execs gdb to dump stack @@ -23202,7 +23287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +680,9 @@ +@@ -550,8 +681,9 @@ ') optional_policy(` @@ -23214,7 +23299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +691,6 @@ +@@ -560,7 +692,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') 
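Review bot: The switch from `unconfined_domain(unconfined_sendmail_t)` to `unconfined_domain_noaudit(unconfined_sendmail_t)` in sendmail.te carries no comment, so a reader cannot tell which audit records are being given up for this domain or why. Judging by the interface name, the _noaudit variant grants the same unconfined access without the audit rules the plain interface adds; please confirm that against unconfined.if. For a mail server domain that is already unconfined, those records may be the only trace of unusual memory or exec behaviour. A one-line comment above the call, for example `# _noaudit: <reason the audit records are unwanted here>`, would make the trade-off explicit.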
@@ -23222,7 +23307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +701,10 @@ +@@ -571,6 +702,10 @@ ') optional_policy(` @@ -23233,7 +23318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +721,7 @@ +@@ -587,7 +722,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23242,7 +23327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +736,11 @@ +@@ -602,9 +737,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23254,7 +23339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +752,14 @@ +@@ -616,13 +753,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -23270,7 +23355,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +772,19 @@ +@@ -635,9 +773,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23290,7 +23375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +827,14 @@ +@@ -680,9 +828,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -23305,7 +23390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +849,12 @@ +@@ -697,8 +850,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23318,7 +23403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +876,7 @@ +@@ -720,6 +877,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -23326,7 +23411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +899,7 @@ +@@ -742,7 +900,7 @@ ') ifdef(`enable_mls',` @@ -23335,7 +23420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,12 +931,20 @@ +@@ -774,12 +932,20 @@ ') optional_policy(` @@ -23357,7 +23442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -806,7 +971,7 @@ +@@ -806,7 +972,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; 
@@ -23366,7 +23451,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +992,14 @@ +@@ -827,9 +993,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23381,7 +23466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +1014,14 @@ +@@ -844,11 +1015,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -23397,7 +23482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1029,11 @@ +@@ -856,6 +1030,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -23409,7 +23494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1059,8 @@ +@@ -881,6 +1060,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -23418,7 +23503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1085,8 @@ +@@ -905,6 +1086,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23427,7 +23512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1154,49 @@ +@@ -972,17 +1155,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -27864,7 +27949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.21/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-06-26 13:59:21.000000000 -0400 -+++ serefpolicy-3.6.21/policy/modules/system/userdomain.if 2009-07-01 10:43:36.000000000 -0400 ++++ serefpolicy-3.6.21/policy/modules/system/userdomain.if 2009-07-08 11:19:36.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2d0e05c..cd84301 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.21 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Wed Jul 8 2009 Dan Walsh 3.6.21-3 +- Fixes for xguest + * Tue Jul 7 2009 Tom "spot" Callaway 3.6.21-2 - fix multiple directory ownership of mandirs