diff --git a/policy-20100106.patch b/policy-20100106.patch
index aa12c15..863a19d 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -563,6 +563,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+class x_keyboard # userspace
+
# FLASK
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.32/policy/mcs
+--- nsaserefpolicy/policy/mcs 2010-01-18 18:24:22.535791555 +0100
++++ serefpolicy-3.6.32/policy/mcs 2010-04-22 18:07:54.688859476 +0200
+@@ -64,30 +64,33 @@
+ # the high range of the file. We use the high range of the process so
+ # that processes can always simply run at s0.
+ #
+-# Note that getattr on files is always permitted.
+-#
+-mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
+- (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
++# Note:
++# - getattr on dirs/files is not constrained.
++# - /proc/pid operations are not constrained.
++
++mlsconstrain file { read ioctl lock execute execute_no_trans }
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
++
++mlsconstrain file { write setattr append unlink link rename }
++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
++
++mlsconstrain dir { search read ioctl lock }
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+-mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
+- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
++mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+ mlsconstrain file { create relabelto }
+- ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
+-
+-# At this time we do not restrict "ps" type operations via MCS. This
+-# will probably change in future.
+-mlsconstrain file { read }
+- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
++ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+- (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
++ ( h1 dom h2 );
+
+ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+- ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
++ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+ mlsconstrain process { transition dyntransition }
+ (( h1 dom h2 ) or ( t1 == mcssetcats ));
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.32/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2010-01-18 18:24:22.536797130 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/alsa.te 2010-03-30 09:07:39.038611245 +0200
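Review bot: The rewritten write rule `mlsconstrain file { write setattr append unlink link rename }` narrows coverage compared with the removed `mlsconstrain { file chr_file blk_file lnk_file } { ... relabelfrom }` rule: after this hunk, write/setattr/unlink/rename on device nodes and symlinks, `relabelfrom` on plain files, and `rmdir`/`reparent` on directories are no longer MCS-constrained at all, and the later `{ relabelfrom }` rule still lists every class except `file`. If that narrowing is intended, the new `# Note:` block should list it next to the getattr and /proc/pid exemptions; otherwise widen the object classes, e.g. `mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename } (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));`, and add `file` to the `{ relabelfrom }` rule. Note also that the new write rules carry `( t2 == domain )`, which the removed write rule did not, so writes to /proc/pid objects of other-category processes now pass the constraint; the comment documents that, so it is presumably deliberate.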
@@ -1735,6 +1786,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_domtrans_setfiles_mac(livecd_t)
-allow livecd_t self:passwd { passwd chfn chsh };
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if
+--- nsaserefpolicy/policy/modules/apps/mono.if 2010-01-18 18:24:22.615530188 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2010-04-22 18:24:07.182611127 +0200
+@@ -113,6 +113,10 @@
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+
++ ifdef(`hide_broken_symptoms', `
++ dontaudit $1_t $1_mono_t:socket_class_set { read write };
++ ')
++
+ optional_policy(`
+ xserver_role($1_r, $1_mono_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100
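Review bot: The new `dontaudit $1_t $1_mono_t:socket_class_set { read write };` under `ifdef(`hide_broken_symptoms'` has no comment saying which symptom it hides, so the next reader cannot tell when it can be removed. Suggest a one-line why-comment above the `ifdef`, e.g. `# presumably leaked socket fds from $1_mono_t back to $1_t -- confirm and drop once fixed`. The enclosing mono template begins outside the hunk.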
@@ -2051,7 +2116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-03-08 12:59:06.980892887 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-04-21 14:10:04.244409189 +0200
@@ -1,5 +1,5 @@
-policy_module(pulseaudio, 1.0.1)
@@ -2137,7 +2202,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
-@@ -108,7 +139,9 @@
+@@ -105,10 +136,13 @@
+
+ optional_policy(`
+ udev_read_db(pulseaudio_t)
++ udev_read_state(pulseaudio_t)
')
optional_policy(`
@@ -5273,6 +5342,65 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 kernel_t:process sigkill;
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if serefpolicy-3.6.32/policy/modules/kernel/mcs.if
+--- nsaserefpolicy/policy/modules/kernel/mcs.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/mcs.if 2010-04-22 18:28:30.008859987 +0200
+@@ -3,6 +3,46 @@
+ ## Contains attributes used in MCS policy.
+ ##
+
++#######################################
++##
++## This domain is allowed to read files and directories
++## regardless of their MCS category set.
++##
++##
++##
++## Domain target for user exemption.
++##
++##
++##
++#
++interface(`mcs_file_read_all',`
++ gen_require(`
++ attribute mcsreadall;
++ ')
++
++ typeattribute $1 mcsreadall;
++')
++
++#######################################
++##
++## This domain is allowed to write files and directories
++## regardless of their MCS category set.
++##
++##
++##
++## Domain target for user exemption.
++##
++##
++##
++#
++interface(`mcs_file_write_all',`
++ gen_require(`
++ attribute mcswriteall;
++ ')
++
++ typeattribute $1 mcswriteall;
++')
++
+ ########################################
+ ##
+ ## This domain is allowed to sigkill and sigstop
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-3.6.32/policy/modules/kernel/mcs.te
+--- nsaserefpolicy/policy/modules/kernel/mcs.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/mcs.te 2010-04-22 18:28:45.940609483 +0200
+@@ -9,3 +9,5 @@
+ attribute mcskillall;
+ attribute mcsptraceall;
+ attribute mcssetcats;
++attribute mcswriteall;
++attribute mcsreadall;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.32/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2010-01-18 18:24:22.714539638 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/storage.if 2010-04-08 11:06:41.815365567 +0200
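Review bot: The summary of `mcs_file_read_all` understates what the attribute grants: in this change's policy/mcs rules `t1 == mcsreadall` also bypasses the constraint on `ioctl lock execute execute_no_trans` for files and `search ioctl lock` for directories, not only `read`. Suggest the summary read `## This domain is allowed to read, search and execute files and directories regardless of their MCS category set.`, and likewise state for `mcs_file_write_all` that it covers setattr/unlink/link/rename and `add_name`/`remove_name`. Both interfaces hand out an unconditional MCS bypass through a single `typeattribute`, so a sentence in each summary that the interface is intended for trusted system domains rather than user domains would help callers choose correctly. The mcs.te hunk declaring `mcswriteall`/`mcsreadall` needs no change.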
@@ -9114,6 +9242,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
+
+/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if
+--- nsaserefpolicy/policy/modules/services/hal.if 2010-01-18 18:24:22.794542550 +0100
++++ serefpolicy-3.6.32/policy/modules/services/hal.if 2010-04-21 14:18:06.698657484 +0200
+@@ -357,6 +357,24 @@
+ allow $1 hald_var_run_t:file read_file_perms;
+ ')
+
++#######################################
++##
++## dontaudit read hald PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hal_dontaudit_read_pid_files',`
++ gen_require(`
++ type hald_var_run_t;
++ ')
++
++ dontaudit $1 hald_var_run_t:file read_file_perms;
++')
++
+ ########################################
+ ##
+ ## Read/Write hald PID files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100
+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-04-02 10:03:49.167852833 +0200
@@ -9320,6 +9476,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.6.32/policy/modules/services/ldap.if
+--- nsaserefpolicy/policy/modules/services/ldap.if 2010-01-18 18:24:22.804529993 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ldap.if 2010-04-22 18:18:40.382610878 +0200
+@@ -109,6 +109,30 @@
+ files_search_pids($1)
+ allow $1 slapd_var_run_t:sock_file write;
+ allow $1 slapd_t:unix_stream_socket connectto;
++
++ optional_policy(`
++ ldap_stream_connect_dirsrv($1)
++ ')
++')
++
++#######################################
++##
++## Connect to dirsrv over an unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ldap_stream_connect_dirsrv',`
++ gen_require(`
++ type dirsrv_t, dirsrv_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 dirsrv_var_run_t:sock_file write;
++ allow $1 dirsrv_t:unix_stream_socket connectto;
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-03-09 15:08:52.333753712 +0100
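Review bot: Calling `ldap_stream_connect_dirsrv($1)` from inside `ldap_stream_connect` silently widens every existing caller: any domain that asked to reach slapd now also gets `dirsrv_var_run_t:sock_file write` and `dirsrv_t:unix_stream_socket connectto` whenever the dirsrv module is loaded. If that is wanted, a comment on the call recording the intent (e.g. `# callers of ldap_stream_connect are expected to reach dirsrv as well`) would document it; otherwise leave `ldap_stream_connect` unchanged and have the callers that need dirsrv invoke the new interface explicitly. The new interface also requires `dirsrv_t, dirsrv_var_run_t`, which presumably belong to another module; refpolicy convention would place such an interface in that module's .if file. Minor wording in the summary: `an unix` should be `a unix`.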
@@ -10777,7 +10967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read nx home directory content
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-03-30 16:18:00.117861110 +0200
++++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-04-21 14:15:29.816658068 +0200
@@ -36,6 +36,9 @@
type openvpn_var_run_t;
files_pid_file(openvpn_var_run_t)
@@ -10816,6 +11006,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
+@@ -112,6 +122,7 @@
+ sysnet_manage_config(openvpn_t)
+ sysnet_etc_filetrans_config(openvpn_t)
+
++userdom_read_home_certs(openvpn_t)
+ userdom_use_user_terminals(openvpn_t)
+
+ tunable_policy(`openvpn_enable_homedirs',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.6.32/policy/modules/services/plymouthd.fc
--- nsaserefpolicy/policy/modules/services/plymouthd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouthd.fc 2010-03-03 10:39:47.602620848 +0100
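Review bot: `userdom_read_home_certs(openvpn_t)` is added unconditionally, immediately above a `tunable_policy(`openvpn_enable_homedirs',` block that gates openvpn's other home-directory access behind a boolean (that block continues outside the hunk). Reading certificates from user home directories is the kind of access that boolean appears to exist to control, so either move the call inside the tunable block or add a comment giving the reason it must be always-on, e.g. `# home certs are read regardless of openvpn_enable_homedirs because <reason>` with the reason filled in.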
@@ -11690,7 +11888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-03-26 07:58:03.235601446 +0100
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-04-22 18:10:13.476860158 +0200
@@ -1,5 +1,5 @@
-policy_module(policykit, 1.0.1)
@@ -11741,16 +11939,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
-@@ -115,6 +119,8 @@
+@@ -115,6 +119,10 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
++kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
++
+dev_read_video_dev(policykit_auth_t)
+
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
files_search_home(policykit_auth_t)
-@@ -129,8 +135,11 @@
+@@ -129,8 +137,11 @@
miscfiles_read_localization(policykit_auth_t)
miscfiles_read_fonts(policykit_auth_t)
@@ -17557,7 +17757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-03-05 09:36:36.314559997 +0100
++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-04-16 14:59:03.256613224 +0200
@@ -41,6 +41,14 @@
type mount_var_run_t;
files_pid_file(mount_var_run_t)
@@ -17573,6 +17773,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# mount local policy
+@@ -48,7 +56,7 @@
+
+ # setuid/setgid needed to mount cifs
+ allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
+-allow mount_t self:process { getsched ptrace signal };
++allow mount_t self:process { getcap getsched ptrace setcap signal };
+ allow mount_t self:fifo_file rw_fifo_file_perms;
+ allow mount_t self:unix_stream_socket create_stream_socket_perms;
+ allow mount_t self:unix_dgram_socket create_socket_perms;
@@ -155,6 +163,8 @@
seutil_read_config(mount_t)
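Review bot: `getcap setcap` are added to `allow mount_t self:process { ... }` with no explanation, while the neighbouring capability line carries a why-comment (`# setuid/setgid needed to mount cifs`). Since `setcap` lets the domain alter its own capability set, a short comment naming the helper or operation that needs it (presumably a mount helper that adjusts its capabilities, to be confirmed) would keep the rule reviewable, e.g. `# getcap/setcap: <helper> adjusts its own capability set`. The surrounding self-permission block is otherwise unchanged.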
@@ -17991,7 +18200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-02-21 19:46:42.369309573 +0100
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-04-21 14:18:56.424659141 +0200
@@ -87,6 +87,7 @@
kernel_read_system_state(dhcpc_t)
@@ -18009,6 +18218,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
+@@ -374,6 +375,7 @@
+
+ optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(dhcpc_t)
++ hal_dontaudit_read_pid_files(ifconfig_t)
+ hal_dontaudit_rw_pipes(ifconfig_t)
+ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100
+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 123ce62..a2ba15d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 112%{?dist}
+Release: 113%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Thu Apr 22 2010 Miroslav Grepl 3.6.32-113
+- Allow pulseaudio to read udev process state.
+- Dontaudit hal leaks
+
* Fri Apr 16 2010 Miroslav Grepl 3.6.32-112
- Fix label for /usr/share/system-config-services/gui.py
- Allow snort to read network state information