From b0991a2dfdca5db66757fc625a7daf1989ef2eda Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 27 2009 14:45:15 +0000 Subject: - Fix labeling on /var/lib/misc/prelink* - Allow xserver to rw_shm_perms with all x_clients - Allow prelink to execute files in the users home directory --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 94db5ca..2ea9a76 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -663,16 +663,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.12/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc 2009-04-27 08:28:48.000000000 -0400 @@ -5,3 +5,5 @@ /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + -+/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) ++/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.12/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/prelink.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/prelink.if 2009-04-27 09:47:06.000000000 -0400 @@ -120,3 +120,23 @@ logging_search_logs($1) manage_files_pattern($1, prelink_log_t, prelink_log_t) 
@@ -699,7 +699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-04-27 08:32:37.000000000 -0400 @@ -21,12 +21,15 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -750,17 +750,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_xattr_fs(prelink_t) -@@ -81,6 +89,9 @@ +@@ -81,6 +89,10 @@ userdom_use_user_terminals(prelink_t) +# prelink executables in the user homedir +userdom_manage_home_role(system_r, prelink_t) ++userdom_exec_user_home_content_files(prelink_t) + optional_policy(` amanda_manage_lib(prelink_t) ') -@@ -88,3 +99,7 @@ +@@ -88,3 +100,7 @@ optional_policy(` cron_system_entry(prelink_t, prelink_exec_t) ') @@ -6425,7 +6426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## requiring the caller to use setexeccon(). diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-24 00:02:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-27 09:47:43.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; 
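Review bot: In the prelink.te hunk at inner line 89, the added `userdom_exec_user_home_content_files(prelink_t)` sits beside `userdom_manage_home_role(system_r, prelink_t)`, so prelink_t can now both write and execute user home content. The same module also gives it a cron entry point through `cron_system_entry(prelink_t, prelink_exec_t)`. The interface name suggests execution without a domain transition, which would mean a file a user controls runs with prelink_t's permissions; please confirm that against what prelink actually needs. If execute access is required, I would state the reason above the rule, e.g. `# exec needed for <prelink operation>; content runs in prelink_t, no transition`, and consider wrapping both home-directory rules in a `tunable_policy` boolean so hosts that never prelink home directories can turn them off. The rest of the prelink_t policy lies outside this hunk, so existing restrictions may not be visible here.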
@@ -6578,18 +6579,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_run_cardctl(sysadm_t, sysadm_r) ') -@@ -308,10 +250,6 @@ +@@ -308,7 +250,7 @@ ') optional_policy(` - pyzor_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - quota_run(sysadm_t, sysadm_r) ++ prelink_run(sysadm_t, sysadm_r) ') -@@ -320,10 +258,6 @@ + optional_policy(` +@@ -320,10 +262,6 @@ ') optional_policy(` @@ -6600,7 +6599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domtrans_nfsd(sysadm_t) ') -@@ -332,10 +266,6 @@ +@@ -332,10 +270,6 @@ ') optional_policy(` @@ -6611,7 +6610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rsync_exec(sysadm_t) ') -@@ -345,10 +275,6 @@ +@@ -345,10 +279,6 @@ ') optional_policy(` @@ -6622,7 +6621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(sysadm_r) ') -@@ -358,35 +284,15 @@ +@@ -358,35 +288,15 @@ ') optional_policy(` @@ -6658,7 +6657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +300,10 @@ +@@ -394,18 +304,10 @@ ') optional_policy(` @@ -6677,7 +6676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(sysadm_t) ') -@@ -418,20 +316,12 @@ +@@ -418,20 +320,12 @@ ') optional_policy(` @@ -6698,7 +6697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vpn_run(sysadm_t, sysadm_r) ') -@@ -440,13 +330,7 @@ +@@ -440,13 +334,7 @@ ') optional_policy(` 
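Review bot: The sysadm.te hunk at inner line 250 adds `prelink_run(sysadm_t, sysadm_r)` where the previous revision only dropped the pyzor block, but neither the commit subject nor the new %changelog entry mentions it. The same applies to `allow smbd_t nmbd_t:process { signal signull };` in the samba.te hunk at inner line 272. Both grant new permissions, so I would add changelog lines such as `- Allow sysadm to run prelink` and `- Allow smbd to signal nmbd`, so that the access can be traced to a release when the policy is audited. The optional_policy blocks around the prelink_run line continue outside the hunk.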
@@ -14840,7 +14839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(mailman_queue_t, mailman_queue_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc --- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-24 07:20:31.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 10:00:53.000000000 -0400 @@ -1,6 +1,8 @@ -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) @@ -20707,7 +20706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-27 08:59:49.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
@@ -20833,7 +20832,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -@@ -256,7 +278,7 @@ +@@ -250,13 +272,14 @@ + files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) + + allow smbd_t nmbd_var_run_t:file rw_file_perms; ++allow smbd_t nmbd_t:process { signal signull }; + + manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, file) @@ -20842,7 +20848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -298,6 +320,7 @@ +@@ -298,6 +321,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) @@ -20850,7 +20856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -321,6 +344,10 @@ +@@ -321,6 +345,10 @@ userdom_use_unpriv_users_fds(smbd_t) userdom_dontaudit_search_user_home_dirs(smbd_t) @@ -20861,7 +20867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -333,25 +360,33 @@ +@@ -333,25 +361,33 @@ tunable_policy(`samba_domain_controller',` usermanage_domtrans_passwd(smbd_t) @@ -20901,7 +20907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -359,6 +394,16 @@ +@@ -359,6 +395,16 @@ optional_policy(` kerberos_use(smbd_t) 
@@ -20918,7 +20924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -376,13 +421,15 @@ +@@ -376,13 +422,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -20935,7 +20941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -391,8 +438,8 @@ +@@ -391,8 +439,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -20945,7 +20951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -417,14 +464,11 @@ +@@ -417,14 +465,11 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) @@ -20961,7 +20967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) allow nmbd_t smbd_var_run_t:dir rw_dir_perms; -@@ -454,6 +498,7 @@ +@@ -454,6 +499,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -20969,7 +20975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -553,21 +598,36 @@ +@@ -553,21 +599,36 @@ userdom_use_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) @@ -21009,7 +21015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol append_files_pattern(swat_t, samba_log_t, samba_log_t) -@@ -585,6 +645,9 @@ +@@ -585,6 +646,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; 
@@ -21019,7 +21025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -609,15 +672,18 @@ +@@ -609,15 +673,18 @@ dev_read_urand(swat_t) @@ -21038,7 +21044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -635,6 +701,17 @@ +@@ -635,6 +702,17 @@ kerberos_use(swat_t) ') @@ -21056,7 +21062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Winbind local policy -@@ -642,7 +719,7 @@ +@@ -642,7 +720,7 @@ allow winbind_t self:capability { dac_override ipc_lock setuid }; dontaudit winbind_t self:capability sys_tty_config; @@ -21065,7 +21071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow winbind_t self:fifo_file rw_fifo_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; -@@ -683,9 +760,10 @@ +@@ -683,9 +761,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) @@ -21078,7 +21084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) -@@ -709,10 +787,12 @@ +@@ -709,10 +788,12 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -21091,7 +21097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(winbind_t) -@@ -768,8 +848,13 @@ +@@ -768,8 +849,13 @@ userdom_use_user_terminals(winbind_helper_t) optional_policy(` 
@@ -21105,7 +21111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -778,6 +863,16 @@ +@@ -778,6 +864,16 @@ # optional_policy(` @@ -21122,7 +21128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -788,9 +883,43 @@ +@@ -788,9 +884,43 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -24450,7 +24456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-27 08:35:28.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -24946,7 +24952,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -622,7 +746,7 @@ +@@ -616,13 +740,14 @@ + type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; + + allow xserver_t { rootwindow_t x_domain }:x_drawable send; ++allow xserver_t x_domain:shm rw_shm_perms; + + manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) + manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) 
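Review bot: `allow xserver_t x_domain:shm rw_shm_perms;` in the xserver.te hunk at inner line 740 covers every type carrying the x_domain attribute and has no comment saying why the server needs it. If this is for shared-memory image transfer between clients and the server (presumably the MIT-SHM extension), say so above the rule, e.g. `# server attaches to client-created shm segments (MIT-SHM)`. Because the file also has an enable_mls section, it is worth confirming that the MLS constraints on shm still stop the server from reading and writing segments across levels it should not bridge. The surrounding xserver_t local policy extends beyond this hunk.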
@@ -24955,7 +24968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +759,19 @@ +@@ -635,9 +760,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24975,7 +24988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +814,14 @@ +@@ -680,9 +815,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -24990,7 +25003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +836,13 @@ +@@ -697,8 +837,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -25004,7 +25017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +864,7 @@ +@@ -720,6 +865,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -25012,7 +25025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +887,7 @@ +@@ -742,7 +888,7 @@ ') ifdef(`enable_mls',` @@ -25021,7 +25034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,12 +919,16 @@ +@@ -774,12 +920,16 @@ ') optional_policy(` 
@@ -25039,7 +25052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -806,7 +955,7 @@ +@@ -806,7 +956,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -25048,7 +25061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +976,14 @@ +@@ -827,9 +977,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -25063,7 +25076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +998,14 @@ +@@ -844,11 +999,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -25079,7 +25092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1013,11 @@ +@@ -856,6 +1014,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -25091,7 +25104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1043,8 @@ +@@ -881,6 +1044,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -25100,7 +25113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1069,8 @@ +@@ -905,6 +1070,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -25109,7 +25122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1138,49 @@ +@@ -972,17 +1139,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -29642,7 +29655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-23 23:55:27.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-27 08:32:47.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7c3e4f7..ec354f6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,11 @@ exit 0 %endif %changelog +* Mon Apr 27 2009 Dan Walsh 3.6.12-20 +- Fix labeling on /var/lib/misc/prelink* +- Allow xserver to rw_shm_perms with all x_clients +- Allow prelink to execute files in the users home directory + * Fri Apr 24 2009 Dan Walsh 3.6.12-19 - Allow initrc_t to delete dev_null - Allow readahead to configure auditing