diff --git a/policy-20080710.patch b/policy-20080710.patch index b570c5c..4fb9d26 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -11824,7 +11824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ndc_t named_conf_t:dir search; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.13/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc 2008-10-25 07:10:51.000000000 -0400 @@ -3,6 +3,9 @@ # /etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) @@ -11835,7 +11835,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr -@@ -22,3 +25,4 @@ +@@ -16,9 +19,11 @@ + /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) ++/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + + # + # /var # /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) 
@@ -14517,8 +14524,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if 2008-10-23 17:21:21.000000000 -0400 -@@ -1 +1,156 @@ ++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if 2008-10-24 11:31:46.000000000 -0400 +@@ -1 +1,175 @@ ## dnsmasq DNS forwarder and DHCP server + +######################################## @@ -14621,7 +14628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Send dnsmasq a sigkill ++## Delete dnsmasq pid files +## +## +## @@ -14640,6 +14647,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Read dnsmasq pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`dnsmasq_read_pid_files',` ++ gen_require(` ++ type dnsmasq_var_run_t; ++ ') ++ ++ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an dnsmasq environment +## 
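Review bot: The new `dnsmasq_read_pid_files` interface grants read on `dnsmasq_var_run_t` files but no search on the enclosing pid directory, so a caller that does not already hold search on `var_run_t` is still denied at path lookup before the file rule is ever consulted; the usual refpolicy shape is `files_search_pids($1)` on the line before `read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)`. The body of the sibling `dnsmasq_delete_pid_files` is not visible in this chunk, so I cannot confirm whether it already follows that shape and the new interface should match it. Fixing the copy-pasted summary from "Send dnsmasq a sigkill" to "Delete dnsmasq pid files" in the earlier hunk is welcome.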
@@ -16978,13 +17004,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-10-23 16:47:42.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-10-24 11:33:18.000000000 -0400 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; -allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; @@ -17085,7 +17111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -151,8 +173,20 @@ +@@ -151,8 +173,21 @@ ') optional_policy(` @@ -17095,6 +17121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ dnsmasq_read_pid_files(NetworkManager_t) + dnsmasq_delete_pid_files(NetworkManager_t) + dnsmasq_domtrans(NetworkManager_t) + dnsmasq_initrc_domtrans(NetworkManager_t) 
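Review bot: The capability allow for `NetworkManager_t` now includes `sys_ptrace`, but the unchanged line directly below still reads `dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };`, so the dontaudit for sys_ptrace is now dead and the two statements contradict each other to a reader; drop it, `dontaudit NetworkManager_t self:capability sys_tty_config;`. The comment above the rule only explains the self-ptrace on an unexpected signal (rh bug #204161), and `self:process ptrace` is already allowed on the following line, so it is not clear from the hunk which operation actually needed CAP_SYS_PTRACE; a one-line comment naming the denial that motivated it, `# sys_ptrace: <operation> (see audit denial)`, would justify keeping such a broad capability in the daemon's domain. The later hunk that adds `dnsmasq_read_pid_files(NetworkManager_t)` next to the delete/domtrans calls is consistent with the new interface.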
@@ -17108,7 +17135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -160,23 +194,48 @@ +@@ -160,23 +195,48 @@ ') optional_policy(` @@ -17159,7 +17186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -194,7 +253,9 @@ +@@ -194,7 +254,9 @@ optional_policy(` vpn_domtrans(NetworkManager_t) @@ -29617,7 +29644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-23 10:34:43.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-24 10:26:04.000000000 -0400 @@ -6,35 +6,76 @@ # Declarations # @@ -29702,7 +29729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,28 +83,37 @@ +@@ -42,28 +83,39 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -29721,6 +29748,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + nsplugin_per_role_template_notrans(unconfined, unconfined_t, unconfined_r) + tunable_policy(`allow_unconfined_nsplugin_transition',` ++ nsplugin_domtrans_user(unconfined, unconfined_execmem_t) ++ nsplugin_domtrans_user_config(unconfined, unconfined_execmem_t) + nsplugin_domtrans_user(unconfined, unconfined_t) + nsplugin_domtrans_user_config(unconfined, unconfined_t) + ') 
@@ -29744,7 +29773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -75,12 +125,6 @@ +@@ -75,12 +127,6 @@ ') optional_policy(` @@ -29757,7 +29786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) -@@ -106,12 +150,24 @@ +@@ -106,12 +152,24 @@ ') optional_policy(` @@ -29782,7 +29811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -123,31 +179,33 @@ +@@ -123,31 +181,33 @@ ') optional_policy(` @@ -29823,7 +29852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -159,43 +217,48 @@ +@@ -159,43 +219,48 @@ ') optional_policy(` @@ -29832,9 +29861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -') -- + qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r) +- -optional_policy(` - pyzor_per_role_template(unconfined) + tunable_policy(`allow_unconfined_qemu_transition',` @@ -29888,7 +29917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -203,7 +266,7 @@ +@@ -203,7 +268,7 @@ ') optional_policy(` @@ -29897,7 +29926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -215,11 +278,12 @@ +@@ -215,11 +280,12 @@ ') optional_policy(` @@ -29912,7 +29941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -229,14 +293,52 @@ +@@ -229,14 +295,50 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
@@ -29958,13 +29987,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) +') + -+optional_policy(` -+ tunable_policy(`allow_unconfined_nsplugin_transition',`', ` -+ gen_require(` -+ type mozilla_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) ++tunable_policy(`allow_unconfined_nsplugin_transition',`', ` ++ gen_require(` ++ type mozilla_exec_t; + ') ++ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 85971d3..3268e2d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -462,6 +462,9 @@ exit 0 %endif %changelog +* Fri Oct 24 2008 Dan Walsh 3.5.13-8 +- Allow mozilla to run with unconfined_execmem_t + * Thu Oct 23 2008 Dan Walsh 3.5.13-7 - Dontaudit domains trying to write to .xsession-errors
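Review bot: Removing the `optional_policy` wrapper around the mozilla `tunable_policy` block turns `gen_require(type mozilla_exec_t;)` into an unconditional requirement of the unconfined module, so the module can no longer link on a build where the mozilla module is absent; the mplayer block whose closing lines open this hunk begins outside the hunk, so I cannot tell whether it is still wrapped and the two are now inconsistent. If the wrapper was dropped deliberately (for example because the tunable's else branch did not build inside `optional_policy`), a one-line comment above the block, `# not wrapped in optional_policy: <reason>`, would stop the next reader from putting it back. The spec changelog entry only says mozilla is allowed to run as `unconfined_execmem_t` and does not record this.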