diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 39cfd0c..3e7696a 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -174,6 +174,10 @@ spamd_enable_home_dirs = false
#
user_direct_mouse = false
+# Allow regular users direct dri access
+#
+user_direct_dri = true
+
# Allow users to read system messages.
#
user_dmesg = false
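Review bot: The new `user_direct_dri = true` entry defaults the boolean on while its neighbours `user_direct_mouse = false` and `user_dmesg = false` default off, and the two-line comment copied from the mouse entry does not say what switching it on grants. The userdomain.if change in this same commit makes the boolean select `dev_rw_dri($1)` instead of `dev_dontaudit_rw_dri($1)` for every user domain built from that template, so the comment should name the effect and the reason for defaulting it on, e.g. `# Allow regular users direct dri access (read/write on DRI device nodes); on by default because <reason>`.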
diff --git a/policy-F12.patch b/policy-F12.patch
index d78a57d..31522dc 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -641,7 +641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-20 10:47:48.000000000 -0400
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -689,7 +689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +174,35 @@
+@@ -146,6 +174,36 @@
########################################
##
@@ -718,6 +718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file write_file_perms;
++ dontaudit $1 rpm_t:tcp_socket rw_socket_perms;
+')
+
+########################################
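Review bot: The added `dontaudit $1 rpm_t:tcp_socket rw_socket_perms;` silences, rather than explains, a denial that in this position (alongside the rpm_t shm and rpm_tmpfs_t dontaudits) looks like a descriptor rpm leaves open across the transition into $1; the enclosing interface starts outside the hunk, so its description is not visible here. A dontaudit also removes the audit-log evidence that would show if that inherited socket were ever actually used, so it deserves a one-line comment recording the observation behind it, e.g. `# rpm appears to leak its tcp socket to the caller; silence it, do not allow it`.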
@@ -725,7 +726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## rpm over dbus.
##
-@@ -167,6 +224,48 @@
+@@ -167,6 +225,48 @@
########################################
##
@@ -774,7 +775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete the RPM log.
##
##
-@@ -186,6 +285,24 @@
+@@ -186,6 +286,24 @@
########################################
##
@@ -799,7 +800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Inherit and use file descriptors from RPM scripts.
##
##
-@@ -219,7 +336,51 @@
+@@ -219,7 +337,51 @@
')
files_search_tmp($1)
@@ -851,7 +852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -241,6 +402,25 @@
+@@ -241,6 +403,25 @@
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -877,7 +878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -265,6 +445,47 @@
+@@ -265,6 +446,47 @@
########################################
##
@@ -925,7 +926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
##
-@@ -283,3 +504,46 @@
+@@ -283,3 +505,46 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -7310,7 +7311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-13 18:05:04.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-20 18:45:22.000000000 -0400
@@ -196,7 +196,7 @@
dev_list_all_dev_nodes($1)
@@ -12649,7 +12650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-14 10:29:26.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-20 18:48:38.000000000 -0400
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -12703,7 +12704,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -327,7 +338,7 @@
+@@ -317,6 +328,10 @@
+ ')
+
+ optional_policy(`
++ snmp_read_snmp_var_lib_files(cupsd_t)
++')
++
++optional_policy(`
+ udev_read_db(cupsd_t)
+ ')
+
+@@ -327,7 +342,7 @@
allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
@@ -12712,7 +12724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-@@ -407,6 +418,7 @@
+@@ -407,6 +422,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -12720,7 +12732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cups_stream_connect(cupsd_config_t)
-@@ -419,12 +431,15 @@
+@@ -419,12 +435,15 @@
')
optional_policy(`
@@ -12738,7 +12750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -446,6 +461,10 @@
+@@ -446,6 +465,10 @@
')
optional_policy(`
@@ -12749,7 +12761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_read_db(cupsd_config_t)
')
-@@ -542,6 +561,8 @@
+@@ -542,6 +565,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -12758,7 +12770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -556,11 +577,15 @@
+@@ -556,11 +581,15 @@
miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -12774,7 +12786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +626,9 @@
+@@ -601,6 +630,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -13304,7 +13316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-10-05 09:17:34.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-10-20 14:55:45.000000000 -0400
@@ -56,7 +56,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -13347,6 +13359,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# dovecot deliver local policy
+@@ -260,3 +267,14 @@
+ optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+ ')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files(dovecot_t)
++ fs_manage_nfs_symlinks(dovecot_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_files(dovecot_t)
++ fs_manage_cifs_symlinks(dovecot_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.32/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/exim.te 2009-09-30 16:12:48.000000000 -0400
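Review bot: The new `use_nfs_home_dirs`/`use_samba_home_dirs` blocks grant `fs_manage_nfs_files`/`fs_manage_cifs_files` plus the symlink variants to dovecot_t but no directory permission, whereas the cups_pdf_t block earlier in this patch pairs `fs_manage_nfs_dirs(cups_pdf_t)` with the file rule; if dovecot has to create Maildir subdirectories on an NFS or CIFS home the denial will persist, and if the omission is deliberate a comment should say so. The block is also appended under the `dovecot deliver local policy` heading while its subject is dovecot_t rather than dovecot_deliver_t, so either it belongs in the dovecot_t section or the deliver domain presumably needs the same rules. Note too that these `fs_manage_*_files` grants are not scoped to home directories but cover every NFS/CIFS file the daemon can reach, which is the usual refpolicy shape for these booleans but worth stating next to the rules.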
@@ -13858,6 +13885,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.6.32/policy/modules/services/inetd.fc
+--- nsaserefpolicy/policy/modules/services/inetd.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/inetd.fc 2009-10-20 08:54:47.000000000 -0400
+@@ -9,4 +9,4 @@
+
+ /var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
+
+-/var/run/inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
++/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.32/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/inetd.te 2009-09-30 16:12:48.000000000 -0400
@@ -18949,7 +18985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-10-20 15:50:54.000000000 -0400
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -21199,7 +21235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-20 18:38:58.000000000 -0400
@@ -136,7 +136,7 @@
')
@@ -21364,7 +21400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-01 16:59:54.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-20 18:29:08.000000000 -0400
@@ -20,6 +20,28 @@
##
gen_tunable(virt_use_samba, false)
@@ -21471,7 +21507,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,7 +144,8 @@
+@@ -76,6 +134,7 @@
+
+ manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
++manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+ files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+
+ manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -86,7 +145,8 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -21481,7 +21525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -97,30 +156,55 @@
+@@ -97,30 +157,55 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -21540,7 +21584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -130,7 +214,14 @@
+@@ -130,7 +215,14 @@
logging_send_syslog_msg(virtd_t)
@@ -21555,7 +21599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -168,22 +259,36 @@
+@@ -168,22 +260,36 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -21597,7 +21641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -196,8 +301,162 @@
+@@ -196,8 +302,162 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -24656,7 +24700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-10-20 11:08:58.000000000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
@@ -24699,7 +24743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process { signal setsched };
-+allow ipsec_t self:process { getsched signal setsched };
++allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
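Review bot: The widened rule `allow ipsec_t self:process { getcap setcap getsched signal setsched };` adds `setcap`, which lets the daemon alter its own capability sets at runtime, on a domain that the line just above already grants `net_admin dac_override dac_read_search sys_nice`, and the hunk carries no comment on what in pluto needs it. If this is for the daemon dropping capabilities after initialisation it is a hardening step and should be recorded as such, e.g. `# pluto adjusts (drops) its own capability set after start-up`; if it was added only to clear an AVC denial, confirm the daemon is not trying to raise capabilities before keeping it.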
@@ -24718,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -82,7 +97,7 @@
+@@ -82,16 +97,17 @@
# so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
@@ -24726,8 +24770,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:process sigchld;
- kernel_read_kernel_sysctls(ipsec_t)
-@@ -120,7 +135,9 @@
+-kernel_read_kernel_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
++kernel_read_kernel_sysctls(ipsec_t)
+ kernel_read_proc_symlinks(ipsec_t)
+ # allow pluto to access /proc/net/ipsec_eroute;
+ kernel_read_system_state(ipsec_t)
+ kernel_read_network_state(ipsec_t)
+ kernel_read_software_raid_state(ipsec_t)
++kernel_request_load_module(ipsec_t)
+ kernel_getattr_core_if(ipsec_t)
+ kernel_getattr_message_if(ipsec_t)
+
+@@ -120,7 +136,9 @@
domain_use_interactive_fds(ipsec_t)
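Review bot: `kernel_request_load_module(ipsec_t)` lets the daemon trigger kernel module auto-loading by name, a broader grant than the surrounding read-only kernel interfaces, and it is the only new rule in this hunk apart from moving `kernel_read_kernel_sysctls(ipsec_t)` below `kernel_list_proc`; nothing says which module the daemon causes to be loaded. Please add a comment naming it, e.g. `# pluto triggers autoload of <module name> when it opens its sockets`, so the grant can later be checked against that need; if that module is loaded at boot anyway, the rule may not be required at all.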
@@ -24737,7 +24792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
-@@ -154,12 +171,12 @@
+@@ -154,12 +172,12 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -24752,7 +24807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -241,6 +258,7 @@
+@@ -241,6 +259,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -24760,7 +24815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(ipsec_mgmt_t)
-@@ -280,6 +298,13 @@
+@@ -280,6 +299,13 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
@@ -24774,7 +24829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +322,13 @@
+@@ -297,6 +323,13 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -24788,7 +24843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
-@@ -314,6 +346,8 @@
+@@ -314,6 +347,8 @@
files_read_etc_files(racoon_t)
@@ -24797,7 +24852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
-@@ -328,6 +362,14 @@
+@@ -328,6 +363,14 @@
miscfiles_read_localization(racoon_t)
@@ -24812,7 +24867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Setkey local policy
-@@ -347,6 +389,7 @@
+@@ -347,6 +390,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -24957,7 +25012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-10-20 11:08:22.000000000 -0400
@@ -11,6 +11,12 @@
init_system_domain(iptables_t, iptables_exec_t)
role system_r types iptables_t;
@@ -25373,8 +25428,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-10-15 15:48:13.000000000 -0400
-@@ -247,7 +247,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-10-20 14:41:55.000000000 -0400
+@@ -17,6 +17,7 @@
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
++ allow $1 ldconfig_t:process noatsecure;
+ ')
+
+ ########################################
+@@ -247,7 +248,7 @@
type lib_t;
')
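Review bot: `allow $1 ldconfig_t:process noatsecure;` in the ldconfig domtrans interface (whose head is above the hunk) clears the AT_SECURE flag for the transition from every caller, so the dynamic loader inside ldconfig_t no longer applies its secure-execution sanitisation of the inherited environment and honours the `LD_*` variables as the caller set them. That weakens the hardening of a domain that writes the system shared-library cache (`files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)` later in this patch), and because $1 is whatever domain calls the interface the relaxation is not limited to one trusted caller. The rule needs a comment giving the concrete reason it was added, and if it exists to silence a single domain's denial it should be granted in that domain's .te file rather than in the generic interface.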
@@ -25383,7 +25446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
list_dirs_pattern($1, lib_t, lib_t)
read_files_pattern($1, lib_t, lib_t)
read_lnk_files_pattern($1, lib_t, lib_t)
-@@ -401,7 +401,7 @@
+@@ -401,7 +402,7 @@
type lib_t, textrel_shlib_t;
')
@@ -25394,7 +25457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.32/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/libraries.te 2009-10-20 18:45:39.000000000 -0400
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -25409,7 +25472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -76,16 +76,21 @@
+@@ -76,21 +76,27 @@
fs_getattr_xattr_fs(ldconfig_t)
@@ -25431,7 +25494,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(ldconfig_t)
-@@ -100,6 +105,10 @@
+ logging_send_syslog_msg(ldconfig_t)
+
++term_use_console(ldconfig_t)
+ userdom_use_user_terminals(ldconfig_t)
+ userdom_use_all_users_fds(ldconfig_t)
+
+@@ -100,6 +106,10 @@
')
')
@@ -25442,7 +25511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms',`
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-@@ -123,3 +132,7 @@
+@@ -123,3 +133,7 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
@@ -25777,7 +25846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2009-10-20 18:39:22.000000000 -0400
@@ -10,6 +10,9 @@
type clvmd_exec_t;
init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -25886,6 +25955,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
modutils_domtrans_insmod(lvm_t)
+@@ -329,6 +352,10 @@
+ ')
+
+ optional_policy(`
++ virt_manage_images(lvm_t)
++')
++
++optional_policy(`
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2009-10-09 09:06:59.000000000 -0400
@@ -28652,7 +28732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-20 08:04:43.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-20 14:59:26.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -29022,7 +29102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -420,35 +414,48 @@
+@@ -420,35 +414,54 @@
## is the prefix for user_t).
##
##
@@ -29052,7 +29132,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- dev_getattr_agp_dev($1_t)
- dev_dontaudit_rw_dri($1_t)
+ dev_getattr_agp_dev($1)
-+ dev_dontaudit_rw_dri($1)
++
++ tunable_policy(`user_direct_dri',`
++ dev_rw_dri($1)
++ ',`
++ dev_dontaudit_rw_dri($1)
++ ')
++
# GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
+ dev_rw_usbfs($1)
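Review bot: The new `tunable_policy(\`user_direct_dri', ...)` block references a boolean whose `gen_tunable(user_direct_dri, ...)` declaration appears nowhere in this diff; unless it is declared in a part of the patch not shown here, the policy build will fail on the undeclared tunable and the `booleans-targeted.conf` entry added in this same commit would have nothing to set. Because that conf entry defaults the boolean to `true`, the effective change for targeted policy is that every user domain built from this template moves from `dev_dontaudit_rw_dri($1)` to `dev_rw_dri($1)`, which the gen_tunable description should state explicitly. The enclosing template starts and ends outside the hunk.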
@@ -29090,7 +29176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -498,7 +505,7 @@
+@@ -498,7 +511,7 @@
attribute unpriv_userdomain;
')
@@ -29099,7 +29185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -508,182 +515,213 @@
+@@ -508,182 +521,213 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -29386,7 +29472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -711,13 +749,26 @@
+@@ -711,13 +755,26 @@
userdom_base_user_template($1)
@@ -29418,7 +29504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1)
-@@ -735,70 +786,72 @@
+@@ -735,70 +792,72 @@
allow $1_t self:context contains;
@@ -29524,7 +29610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -826,6 +879,8 @@
+@@ -826,6 +885,8 @@
')
userdom_login_user_template($1)
@@ -29533,18 +29619,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
-@@ -835,6 +890,32 @@
- # Local policy
+@@ -836,6 +897,25 @@
#
-+ tunable_policy(`user_rw_noexattrfile',`
-+ fs_manage_noxattr_fs_files($1_usertype)
-+ fs_manage_noxattr_fs_dirs($1_usertype)
-+ fs_manage_dos_dirs($1_usertype)
-+ fs_manage_dos_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ optional_policy(`
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -29563,10 +29641,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ ')
+
- optional_policy(`
++ optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -865,51 +946,84 @@
+ ')
+@@ -865,51 +945,93 @@
userdom_restricted_user_template($1)
@@ -29583,12 +29662,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
-+
-+ xserver_role($1_r, $1_t)
-+ xserver_communicate($1_usertype, $1_usertype)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
++ xserver_role($1_r, $1_t)
++ xserver_communicate($1_usertype, $1_usertype)
++
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
@@ -29601,6 +29680,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+
++ tunable_policy(`user_rw_noexattrfile',`
++ fs_manage_noxattr_fs_files($1_usertype)
++ fs_manage_noxattr_fs_dirs($1_usertype)
++ fs_manage_dos_dirs($1_usertype)
++ fs_manage_dos_files($1_usertype)
++ storage_raw_read_removable_device($1_usertype)
++ storage_raw_write_removable_device($1_usertype)
++ ')
++
+ logging_send_syslog_msg($1_usertype)
logging_dontaudit_send_audit_msgs($1_t)
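Review bot: The `user_rw_noexattrfile` block moved into this template now also grants `storage_raw_read_removable_device($1_usertype)` and `storage_raw_write_removable_device($1_usertype)`, which is raw block-device access to removable media — a far broader grant than the file-level `fs_manage_noxattr_fs_*`/`fs_manage_dos_*` rules the boolean's name describes, since it bypasses the filesystem and any labels on it. The same two rules are removed unconditionally from the admin template in the hunk at `@@ -29827,7 +29915,13 @@`, so an admin user domain that does not come through this template with the boolean on loses the access entirely; confirm that is intended. Either put the two storage rules under a boolean of their own or update the gen_tunable description (outside this diff) to state that enabling `user_rw_noexattrfile` also permits raw reads and writes of removable devices. The enclosing template starts and ends outside the hunk.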
@@ -29664,7 +29752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -943,8 +1057,8 @@
+@@ -943,8 +1065,8 @@
# Declarations
#
@@ -29674,7 +29762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -953,58 +1067,67 @@
+@@ -953,58 +1075,67 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -29772,7 +29860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -1040,7 +1163,7 @@
+@@ -1040,7 +1171,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -29781,7 +29869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1049,8 +1172,7 @@
+@@ -1049,8 +1180,7 @@
#
# Inherit rules for ordinary users.
@@ -29791,7 +29879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,6 +1197,9 @@
+@@ -1075,6 +1205,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -29801,7 +29889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1214,7 @@
+@@ -1089,6 +1222,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -29809,7 +29897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1096,8 +1222,6 @@
+@@ -1096,8 +1230,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -29818,7 +29906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1124,6 +1248,8 @@
+@@ -1124,12 +1256,11 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -29827,7 +29915,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1152,20 +1278,6 @@
+- storage_raw_read_removable_device($1_t)
+- storage_raw_write_removable_device($1_t)
+-
+ term_use_all_terms($1_t)
+
+ auth_getattr_shadow($1_t)
+@@ -1152,20 +1283,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -29848,7 +29942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1323,7 @@
+@@ -1211,6 +1328,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -29856,7 +29950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1276,11 +1389,15 @@
+@@ -1276,11 +1394,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -29872,7 +29966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1391,12 +1508,13 @@
+@@ -1391,12 +1513,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -29887,7 +29981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1429,6 +1547,14 @@
+@@ -1429,6 +1552,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -29902,7 +29996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1444,9 +1570,11 @@
+@@ -1444,9 +1575,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -29914,7 +30008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1503,6 +1631,25 @@
+@@ -1503,6 +1636,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -29940,7 +30034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create directories in the home dir root with
-@@ -1577,6 +1724,8 @@
+@@ -1577,6 +1729,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -29949,7 +30043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1670,6 +1819,7 @@
+@@ -1670,6 +1824,7 @@
type user_home_dir_t, user_home_t;
')
@@ -29957,7 +30051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1797,19 +1947,32 @@
+@@ -1797,19 +1952,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -29997,7 +30091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1844,6 +2007,7 @@
+@@ -1844,6 +2012,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -30005,7 +30099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2555,7 @@
+@@ -2391,27 +2560,7 @@
########################################
##
@@ -30034,7 +30128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2749,7 +2893,7 @@
+@@ -2749,7 +2898,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -30043,7 +30137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2765,11 +2909,32 @@
+@@ -2765,11 +2914,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -30078,17 +30172,59 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2897,7 +3062,25 @@
+@@ -2897,12 +3067,12 @@
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to use user ttys.
++## Delete all users files in /tmp
+ ##
+ ##
+ ##
+@@ -2910,17 +3080,17 @@
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_delete_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ allow $1 user_tmp_t:file delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read the process state of all user domains.
++## Do not audit attempts to use user ttys.
+ ##
+ ##
+ ##
+@@ -2928,12 +3098,31 @@
+ ##
+ ##
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_use_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
-+## Delete all users files in /tmp
++## Read the process state of all user domains.
+##
+##
+##
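Review bot: The new `userdom_delete_user_tmp_files` interface grants only `allow $1 user_tmp_t:file delete_file_perms;`, which covers getattr/unlink on the file itself but not the `remove_name` permission on the directory that holds it, so a caller that has not obtained directory access some other way will still be denied the unlink. The conventional refpolicy form, and the one consistent with the `write_files_pattern($1, user_tmp_t, user_tmp_t)` call a few lines earlier in this hunk, is `delete_files_pattern($1, user_tmp_t, user_tmp_t)`, which adds the `user_tmp_t:dir` side; whether callers additionally need permissions on the `/tmp` root directory depends on where these files are created and is not visible here. The rest of this hunk and the following one (`@@ -30096,16 +30232,9 @@`) only relocate the existing `userdom_dontaudit_use_user_ttys` and `userdom_read_all_users_state` interfaces, and the inner hunk continues past the visible lines.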
@@ -30096,16 +30232,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+##
+#
-+interface(`userdom_delete_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file delete_file_perms;
- ')
-
- ########################################
-@@ -2934,6 +3117,7 @@
++interface(`userdom_read_all_users_state',`
+ gen_require(`
+ attribute userdomain;
')
read_files_pattern($1, userdomain, userdomain)
@@ -30113,7 +30242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3064,3 +3248,559 @@
+@@ -3064,3 +3253,559 @@
allow $1 userdomain:dbus send_msg;
')
@@ -30675,7 +30804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.32/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2009-10-20 14:58:48.000000000 -0400
@@ -8,13 +8,6 @@
##
@@ -30690,21 +30819,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow users to connect to PostgreSQL
##
##
-@@ -29,13 +22,6 @@
+@@ -29,10 +22,10 @@
##
##
-## Allow users to read system messages.
--##
--##
--gen_tunable(user_dmesg, false)
--
--##
--##
- ## Allow user to r/w files on filesystems
- ## that do not have extended attributes (FAT, CDROM, FLOPPY)
++## Allow regular users direct dri device access
##
-@@ -54,11 +40,20 @@
+ ##
+-gen_tunable(user_dmesg, false)
++gen_tunable(user_direct_dri, false)
+
+ ##
+ ##
+@@ -54,11 +47,20 @@
# all user domains
attribute userdomain;
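Review bot: The new `user_direct_dri` tunable is declared with a default of `false` at `++gen_tunable(user_direct_dri, false)`, but the `tunable_policy` block that consumes it is not in this hunk, so it is worth confirming that the gating rules are part of the same patch; a boolean that is declared but never referenced is still exposed through `setsebool` yet has no effect, which misleads administrators. The description `## Allow regular users direct dri device access` would serve administrators better if it named what enabling it opens, e.g. `## Allow regular users direct read/write access to the dri (/dev/dri) devices`, since the boolean presumably exposes the GPU device nodes to every unprivileged user domain once set. The outer diff also drops the `## Allow user to r/w files on filesystems` context lines, which looks like a regenerated inner hunk rather than a content change.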
@@ -30727,7 +30855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
-@@ -72,6 +67,7 @@
+@@ -72,6 +74,7 @@
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -30735,7 +30863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -97,3 +93,25 @@
+@@ -97,3 +100,25 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6590467..e2bca5d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 29%{?dist}
+Release: 30%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Tue Oct 20 2009 Dan Walsh 3.6.32-30
+- Fixes found for confined users day
+
* Sat Oct 17 2009 Dan Walsh 3.6.32-29
- Allow ccs to communicate with userdomains, and create tmpfs_t
- Add /dev/noz* as a modem_device_t and allow modemmanager to rw it.