From f8f277753c37a82395f8f67c5e26e10a3a155e68 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 03 2010 14:59:24 +0000 Subject: - Add support for /dev/vhost-net - Allow psad to read files in /usr - Allow systat to use nscd socket - Fixes for boinc policy --- diff --git a/policy-F13.patch b/policy-F13.patch index 4ab7696..166c362 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2113,7 +2113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-05-28 09:41:59.967610815 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-06-03 16:34:29.977161309 +0200 @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) @@ -2122,16 +2122,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. corecmd_exec_bin(groupadd_t) -@@ -256,7 +257,7 @@ +@@ -256,7 +257,8 @@ # Passwd local policy # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; ++dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:fd use; -@@ -294,6 +295,7 @@ +@@ -294,6 +296,7 @@ term_use_all_ttys(passwd_t) term_use_all_ptys(passwd_t) 
@@ -2139,7 +2140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) -@@ -303,6 +305,9 @@ +@@ -303,6 +306,9 @@ # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -2149,7 +2150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman domain_use_interactive_fds(passwd_t) -@@ -333,6 +338,7 @@ +@@ -333,6 +339,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2157,7 +2158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_domtrans(passwd_t) -@@ -427,7 +433,7 @@ +@@ -427,7 +434,7 @@ # Useradd local policy # @@ -2166,7 +2167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -450,6 +456,7 @@ +@@ -450,6 +457,7 @@ corecmd_exec_bin(useradd_t) domain_use_interactive_fds(useradd_t) @@ -2174,7 +2175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -498,12 +505,8 @@ +@@ -498,12 +506,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -2188,7 +2189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman mta_manage_spool(useradd_t) -@@ -527,6 +530,12 @@ +@@ -527,6 +531,12 @@ ') optional_policy(` 
@@ -7626,8 +7627,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.19/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-05-28 09:42:00.020633179 +0200 -@@ -108,6 +108,7 @@ ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-06-03 09:52:19.227159326 +0200 +@@ -70,6 +70,7 @@ + /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) + /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) ++/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) + /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) +@@ -108,10 +109,12 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) @@ -7635,7 +7644,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -163,6 +164,7 @@ + ') ++/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +@@ -163,6 +166,7 @@ /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) 
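Review bot: devices.fc now labels two paths with `vhost_device_t`, `/dev/net/vhost` and `/dev/vhost-net`, while the changelog only names `/dev/vhost-net`, and nothing in the patch shows what creates `/dev/net/vhost`. If it is a real udev alias or an older driver name, a one-line comment above the entry naming its source would keep the next reviewer from deleting it; if not, the entry is dead labelling and is better dropped so the fc file does not advertise a path that never exists. Separately, the `/dev/vhost-net` line is inserted after the `distro_suse` block and before `/dev/vbi.*`, out of the alphabetical order the rest of the `/dev/v*` entries follow; moving it down next to `/dev/vga_arbiter` is a style-only change.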
@@ -7643,7 +7657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -186,3 +188,8 @@ +@@ -186,3 +190,8 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') 
@@ -7654,8 +7668,127 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-05-28 09:42:00.022611259 +0200 -@@ -934,6 +934,42 @@ ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-06-03 09:52:19.243160045 +0200 +@@ -407,7 +407,7 @@ + + ######################################## + ## +-## Allow read, write, and create for generic character device files. ++## Create generic block device files. + ## + ## + ## +@@ -415,12 +415,30 @@ + ## + ## + # +-interface(`dev_create_generic_chr_files',` ++interface(`dev_create_generic_blk_files',` + gen_require(` + type device_t; + ') + +- create_chr_files_pattern($1, device_t, device_t) ++ create_blk_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## ++## Delete generic block device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_delete_generic_blk_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ delete_blk_files_pattern($1, device_t, device_t) + ') + + ######################################## +@@ -497,6 +515,42 @@ + + ######################################## + ## ++## Create generic character device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_create_generic_chr_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ create_chr_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## ++## Delete generic character device files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_delete_generic_chr_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ delete_chr_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to set the attributes + ## of symbolic links in device directories (/dev). + ## +@@ -711,6 +765,33 @@ + + ######################################## + ## ++## Create, read, and write device nodes. The node ++## will be transitioned to the type provided. This is ++## a temporary interface until devtmpfs functionality ++## fixed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++# ++interface(`dev_tmpfs_filetrans_dev',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ fs_tmpfs_filetrans($1, device_t, $2) ++') ++ ++######################################## ++## + ## Getattr on all block file device nodes. + ## + ## +@@ -934,6 +1015,42 @@ ######################################## ## @@ -7698,7 +7831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Delete all block device files. ## ## -@@ -2042,6 +2078,24 @@ +@@ -2042,6 +2159,24 @@ ######################################## ## @@ -7723,7 +7856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read the lvm comtrol device. ## ## -@@ -2597,6 +2651,7 @@ +@@ -2597,6 +2732,7 @@ type mtrr_device_t; ') @@ -7731,7 +7864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device dontaudit $1 mtrr_device_t:chr_file write; ') -@@ -3440,6 +3495,24 @@ +@@ -3440,6 +3576,24 @@ ######################################## ## @@ -7756,7 +7889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of sysfs directories. ## ## -@@ -3733,6 +3806,24 @@ +@@ -3733,6 +3887,24 @@ ######################################## ## 
@@ -7781,9 +7914,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## +@@ -3905,6 +4077,26 @@ + + ######################################## + ## ++## Allow read/write the vhost net device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_vhost',` ++ gen_require(` ++ type vhost_device_t; ++ ') ++ ++ list_dirs_pattern($1, vhost_device_t, vhost_device_t) ++ rw_files_pattern($1, vhost_device_t, vhost_device_t) ++ read_lnk_files_pattern($1, vhost_device_t, vhost_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of video4linux devices. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.19/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.te 2010-05-28 09:42:00.024610918 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.te 2010-06-03 09:52:19.246160621 +0200 +@@ -1,5 +1,5 @@ + +-policy_module(devices, 1.9.3) ++policy_module(devices, 1.10.0) + + ######################################## + # @@ -101,6 +101,7 @@ # type kvm_device_t; @@ -7792,16 +7959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # # Type for /dev/lirc -@@ -210,7 +211,7 @@ - files_mountpoint(sysfs_t) - fs_type(sysfs_t) - genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) -- -+ - # - # Type for /dev/tpm - # -@@ -239,6 +240,12 @@ +@@ -239,6 +240,18 @@ dev_node(usb_device_t) # 
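Review bot: The new `dev_rw_vhost` interface grants access on the wrong object class: `/dev/vhost-net` is a character device (`-c` in devices.fc), but the body uses `rw_files_pattern($1, vhost_device_t, vhost_device_t)`, which covers only the `file` class, and it names `vhost_device_t` as the containing directory although the node lives under `/dev`, which is `device_t`. As written, callers such as `virtd_t` and `virt_domain` elsewhere in this patch will still be denied `chr_file { read write }` on the node, so the vhost-net support the changelog announces does not actually work. The body should be `rw_chr_files_pattern($1, device_t, vhost_device_t)` with `type device_t, vhost_device_t;` in the `gen_require`, mirroring the other `dev_rw_*` device interfaces in this file; the `list_dirs_pattern` and `read_lnk_files_pattern` lines on `vhost_device_t` then serve no purpose and can go. The summary line would also read better as `Read and write the vhost net device.`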
@@ -7811,10 +7969,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +dev_node(usbmon_device_t) + +# ++# vhost_device_t is the type for /dev/vhost-net ++# ++type vhost_device_t; ++dev_node(vhost_device_t) ++ ++# # userio_device_t is the type for /dev/uio[0-9]+ # type userio_device_t; -@@ -289,5 +296,6 @@ +@@ -289,5 +302,6 @@ # allow devices_unconfined_type self:capability sys_rawio; @@ -9105,7 +9269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-28 09:42:00.035610756 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-06-03 16:42:26.247159863 +0200 @@ -559,7 +559,7 @@ ######################################## @@ -12254,7 +12418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt admin_pattern($1, abrt_var_cache_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-01 17:24:25.046412435 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-03 16:30:53.967160939 +0200 @@ -1,5 +1,5 @@ -policy_module(abrt, 1.0.1) @@ -12364,7 +12528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sysnet_read_config(abrt_t) -@@ -103,22 +141,117 @@ +@@ -103,22 +141,121 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) 
@@ -12375,10 +12539,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +userdom_dontaudit_read_user_home_content_files(abrt_t) + +optional_policy(` -+ dbus_system_domain(abrt_t, abrt_exec_t) ++ afs_rw_udp_sockets(abrt_t) +') + +optional_policy(` ++ dbus_system_domain(abrt_t, abrt_exec_t) ++') + + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- dbus_system_bus_client(abrt_t) + nis_use_ypbind(abrt_t) +') + @@ -12393,10 +12563,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +') - - optional_policy(` -- dbus_connect_system_bus(abrt_t) -- dbus_system_bus_client(abrt_t) ++ ++optional_policy(` + prelink_exec(abrt_t) + libs_exec_ld_so(abrt_t) + corecmd_exec_all_executables(abrt_t) @@ -14312,7 +14480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-06-01 16:58:59.673160682 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-06-02 12:11:58.588387262 +0200 @@ -0,0 +1,97 @@ + +policy_module(boinc,1.0.0) @@ -14346,7 +14514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +# + +allow boinc_t self:capability { kill }; -+allow boinc_t self:process { execmem fork setsched signal signull sigkill }; ++allow boinc_t self:process { execmem ptrace fork setsched signal signull sigkill sigstop }; + +allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; 
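Review bot: `ptrace` (and `sigstop`) is added to `allow boinc_t self:process` in the boinc.te hunk with no comment saying which component needs it. In SELinux `self` means type-to-type, so this lets any `boinc_t` process attach to and read the memory of every other `boinc_t` process, not just itself, and the domain already has `execmem`; that is more than a compute client normally needs. If some part of the client genuinely ptraces (a crash or watchdog handler, for example — I cannot tell from the patch), a comment on the line such as `# boinc client ptraces its own helper processes for <reason>` would let a later reviewer keep the rule; otherwise leaving `ptrace` out until an AVC shows a real need is the safer default.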
@@ -21165,7 +21333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.19/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-05-28 09:42:00.133610558 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-06-03 14:19:20.251161230 +0200 @@ -6,17 +6,23 @@ # Declarations # @@ -21285,20 +21453,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -105,12 +157,6 @@ +@@ -105,10 +157,9 @@ mta_send_mail(nagios_t) optional_policy(` - netutils_domtrans_ping(nagios_t) - netutils_signal_ping(nagios_t) -- netutils_kill_ping(nagios_t) + netutils_kill_ping(nagios_t) -') -- --optional_policy(` - seutil_sigchld_newrole(nagios_t) - ') ++ ') ++ -@@ -118,61 +164,63 @@ + optional_policy(` + seutil_sigchld_newrole(nagios_t) +@@ -118,61 +169,63 @@ udev_read_db(nagios_t) ') 
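Review bot: In the nagios.te ping block the rewritten inner hunk keeps `netutils_kill_ping(nagios_t)` while `netutils_domtrans_ping` and `netutils_signal_ping` are removed, so `nagios_t` is still allowed to kill `ping_t` processes but no longer has a visible transition that would create them in that domain. If the transition now lives in the plugin domains (the `nagios_checkdisk_plugin_t` rules further down suggest that), the remaining kill rule is presumably harmless but is either dead or belongs with the transition; a comment such as `# ping runs in the plugin domains; nagios_t only reaps it` would make the intent explicit. I cannot see the plugin domain rules for ping from here, so this is a question rather than an observed denial.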
@@ -21317,48 +21485,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -- ++allow httpd_nagios_script_t self:process signal_perms; + -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -- ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+allow httpd_nagios_script_t self:process signal_perms; ++files_search_spool(httpd_nagios_script_t) ++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - --kernel_read_system_state(nagios_cgi_t) -+files_search_spool(httpd_nagios_script_t) -+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) - --corecmd_exec_bin(nagios_cgi_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) --domain_dontaudit_read_all_domains_state(nagios_cgi_t) +-kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) --files_read_etc_files(nagios_cgi_t) --files_read_etc_runtime_files(nagios_cgi_t) 
--files_read_kernel_symbol_table(nagios_cgi_t) +-corecmd_exec_bin(nagios_cgi_t) +kernel_read_system_state(httpd_nagios_script_t) --logging_send_syslog_msg(nagios_cgi_t) --logging_search_logs(nagios_cgi_t) +-domain_dontaudit_read_all_domains_state(nagios_cgi_t) +domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) --miscfiles_read_localization(nagios_cgi_t) +-files_read_etc_files(nagios_cgi_t) +-files_read_etc_runtime_files(nagios_cgi_t) +-files_read_kernel_symbol_table(nagios_cgi_t) +files_read_etc_runtime_files(httpd_nagios_script_t) +files_read_kernel_symbol_table(httpd_nagios_script_t) +-logging_send_syslog_msg(nagios_cgi_t) +-logging_search_logs(nagios_cgi_t) +- +-miscfiles_read_localization(nagios_cgi_t) +- -optional_policy(` - apache_append_log(nagios_cgi_t) -') @@ -21376,10 +21544,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; +allow nrpe_t self:tcp_socket create_stream_socket_perms; ++ ++domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) -allow nrpe_t nrpe_etc_t:file read_file_perms; -+domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) -+ +read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) files_search_etc(nrpe_t) @@ -21394,7 +21562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,11 +231,15 @@ +@@ -183,11 +236,15 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -21410,7 +21578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) -@@ -199,6 +251,11 @@ +@@ -199,6 +256,11 @@ ') optional_policy(` 
@@ -21422,7 +21590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi seutil_sigchld_newrole(nrpe_t) ') -@@ -209,3 +266,151 @@ +@@ -209,3 +271,151 @@ optional_policy(` udev_read_db(nrpe_t) ') @@ -24966,6 +25134,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.7.19/policy/modules/services/psad.te +--- nsaserefpolicy/policy/modules/services/psad.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/psad.te 2010-06-03 10:24:19.786161096 +0200 +@@ -86,6 +86,7 @@ + dev_read_urand(psad_t) + + files_read_etc_runtime_files(psad_t) ++files_read_usr_files(psad_t) + + fs_getattr_all_fs(psad_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-05-28 09:42:00.161610790 +0200 
@@ -29202,6 +29381,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.19/policy/modules/services/sysstat.te +--- nsaserefpolicy/policy/modules/services/sysstat.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sysstat.te 2010-06-03 10:31:07.194161404 +0200 +@@ -69,3 +69,7 @@ + optional_policy(` + logging_send_syslog_msg(sysstat_t) + ') ++ ++optional_policy(` ++ nscd_socket_use(sysstat_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.19/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-05-28 09:42:00.195610901 +0200 @@ -29474,7 +29664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-05-28 09:42:00.201610851 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-06-03 09:52:19.271161182 +0200 @@ -1,5 +1,5 @@ -policy_module(virt, 1.3.2) 
@@ -29590,7 +29780,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) logging_log_filetrans(virtd_t, virt_log_t, { file dir }) -@@ -252,21 +270,36 @@ +@@ -248,25 +266,41 @@ + dev_rw_kvm(virtd_t) + dev_getattr_all_chr_files(virtd_t) + dev_rw_mtrr(virtd_t) ++dev_rw_vhost(virtd_t) + # Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) @@ -29630,7 +29825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) -@@ -291,15 +324,22 @@ +@@ -291,15 +325,22 @@ logging_send_syslog_msg(virtd_t) @@ -29653,7 +29848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -370,6 +410,7 @@ +@@ -370,6 +411,7 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -29661,7 +29856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -407,6 +448,19 @@ +@@ -407,6 +449,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -29681,7 +29876,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -445,6 +499,11 @@ +@@ -434,6 +489,7 @@ + dev_rw_ksm(virt_domain) + dev_rw_kvm(virt_domain) + dev_rw_qemu(virt_domain) ++dev_rw_vhost(virt_domain) + + domain_use_interactive_fds(virt_domain) + +@@ -445,6 +501,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) 
@@ -29693,7 +29896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -462,8 +521,13 @@ +@@ -462,8 +523,13 @@ ') optional_policy(` @@ -29855,7 +30058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-05-28 09:42:00.205610724 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-06-03 10:20:29.487175768 +0200 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -30039,7 +30242,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +859,7 @@ +@@ -724,11 +778,12 @@ + # + interface(`xserver_stream_connect_xdm',` + gen_require(` +- type xdm_t, xdm_tmp_t; ++ type xdm_t, xdm_tmp_t, xdm_var_run_t; + ') +- ++ + files_search_tmp($1) + stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) ++ stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) + ') + + ######################################## +@@ -805,7 +860,7 @@ ') files_search_pids($1) @@ -30048,7 +30266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -916,7 +970,7 @@ +@@ -916,7 +971,7 @@ type xserver_log_t; ') @@ -30057,7 +30275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -964,6 +1018,44 @@ +@@ -964,6 +1019,44 @@ ######################################## ## 
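Review bot: `xserver_stream_connect_xdm` now also connects through `xdm_var_run_t`, but the interface only carries `files_search_tmp($1)` for the tmp-directory path; a socket under /var/run additionally needs search on the `var_run_t` directory, so a caller that does not already have it will be denied at the directory lookup before it ever reaches the socket. Adding `files_search_pids($1)` beside the existing `files_search_tmp($1)` keeps the interface self-contained, as the other `xserver_*` interfaces in this file do for their own parent directories. The callers are outside this hunk, so this is a precaution rather than an observed denial. The blank line in that interface also appears to have been replaced by a whitespace-only line (`++` followed by a tab); dropping the trailing whitespace would keep the file clean.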
@@ -30102,7 +30320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm temporary files. ## ## -@@ -1224,9 +1316,20 @@ +@@ -1224,9 +1317,20 @@ class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; @@ -30123,7 +30341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1353,329 @@ +@@ -1250,3 +1354,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a207d6d..70a26a0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 23%{?dist} +Release: 24%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Thu Jun 3 2010 Miroslav Grepl 3.7.19-24 +- Add support for /dev/vhost-net +- Allow psad to read files in /usr +- Allow systat to use nscd socket +- Fixes for boinc policy + * Tue Jun 1 2010 Miroslav Grepl 3.7.19-23 - Add cmirrord policy - Fixes for accountsd policy