diff --git a/modules-minimum.conf b/modules-minimum.conf
index c104d67..1e2dc16 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1074,6 +1074,13 @@ mysql = module
nagios = module
# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
# Module: netutils
#
# Network analysis utilities
diff --git a/modules-mls.conf b/modules-mls.conf
index 6caf71e..4bdf45c 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1012,6 +1012,13 @@ mysql = module
nagios = module
# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
# Module: netutils
#
# Network analysis utilities
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 7d0d335..b811559 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1074,6 +1074,13 @@ mysql = module
nagios = module
# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
# Module: netutils
#
# Network analysis utilities
diff --git a/policy-F13.patch b/policy-F13.patch
index 9ca5bb7..a889915 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -383,7 +383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.19/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/consoletype.te 2010-06-01 14:04:47.354160745 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/consoletype.te 2010-06-15 07:03:31.488859559 +0200
@@ -10,7 +10,6 @@
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
@@ -392,11 +392,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
role system_r types consoletype_t;
########################################
-@@ -85,6 +84,7 @@
+@@ -85,6 +84,8 @@
hal_dontaudit_use_fds(consoletype_t)
hal_dontaudit_rw_pipes(consoletype_t)
hal_dontaudit_rw_dgram_sockets(consoletype_t)
+ hal_dontaudit_write_log(consoletype_t)
++ hal_dontaudit_read_pid_files(consoletype_t)
')
optional_policy(`
@@ -602,6 +603,172 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
netutils_domtrans_ping(mrtg_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.7.19/policy/modules/admin/ncftool.fc
+--- nsaserefpolicy/policy/modules/admin/ncftool.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.fc 2010-06-15 18:40:03.048768063 +0200
+@@ -0,0 +1,2 @@
++
++/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.7.19/policy/modules/admin/ncftool.if
+--- nsaserefpolicy/policy/modules/admin/ncftool.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.if 2010-06-15 18:40:03.049767991 +0200
+@@ -0,0 +1,74 @@
++
++## policy for ncftool
++
++########################################
++##
++## Execute a domain transition to run ncftool.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ncftool_domtrans',`
++ gen_require(`
++ type ncftool_t, ncftool_exec_t;
++ ')
++
++ domtrans_pattern($1, ncftool_exec_t, ncftool_t)
++')
++
++########################################
++##
++## Execute ncftool in the ncftool domain, and
++## allow the specified role the ncftool domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the ncftool domain.
++##
++##
++#
++interface(`ncftool_run',`
++ gen_require(`
++ type ncftool_t;
++ ')
++
++ ncftool_domtrans($1)
++ role $2 types ncftool_t;
++')
++
++########################################
++##
++## Role access for ncftool
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`ncftool_role',`
++ gen_require(`
++ type ncftool_t;
++ ')
++
++ role $1 types ncftool_t;
++
++ ncftool_domtrans($2)
++
++ ps_process_pattern($2, ncftool_t)
++ allow $2 ncftool_t:process signal;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te
+--- nsaserefpolicy/policy/modules/admin/ncftool.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-06-15 18:46:57.405767946 +0200
+@@ -0,0 +1,78 @@
++
++policy_module(ncftool,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ncftool_t;
++type ncftool_exec_t;
++application_domain(ncftool_t, ncftool_exec_t)
++domain_obj_id_change_exemption(ncftool_t)
++domain_system_change_exemption(ncftool_t)
++role system_r types ncftool_t;
++
++permissive ncftool_t;
++
++########################################
++#
++# ncftool local policy
++#
++
++allow ncftool_t self:capability { net_admin sys_ptrace };
++
++allow ncftool_t self:process signal;
++
++allow ncftool_t self:fifo_file manage_fifo_file_perms;
++allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
++
++allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
++allow ncftool_t self:tcp_socket { create ioctl };
++
++kernel_read_system_state(ncftool_t)
++kernel_read_network_state(ncftool_t)
++kernel_read_kernel_sysctls(ncftool_t)
++kernel_request_load_module(ncftool_t)
++kernel_read_modprobe_sysctls(ncftool_t)
++kernel_rw_net_sysctls(ncftool_t)
++
++corecmd_exec_bin(ncftool_t)
++corecmd_exec_shell(ncftool_t)
++consoletype_exec(ncftool_t)
++
++domain_read_all_domains_state(ncftool_t)
++
++dev_read_sysfs(ncftool_t)
++
++files_read_etc_files(ncftool_t)
++files_read_etc_runtime_files(ncftool_t)
++files_read_usr_files(ncftool_t)
++
++modutils_read_module_config(ncftool_t)
++
++term_use_all_terms(ncftool_t)
++
++miscfiles_read_localization(ncftool_t)
++
++modutils_domtrans_insmod(ncftool_t)
++
++sysnet_delete_dhcpc_pid(ncftool_t)
++sysnet_domtrans_dhcpc(ncftool_t)
++sysnet_domtrans_ifconfig(ncftool_t)
++sysnet_etc_filetrans_config(ncftool_t)
++sysnet_manage_config(ncftool_t)
++sysnet_read_dhcpc_state(ncftool_t)
++sysnet_relabelfrom_net_conf(ncftool_t)
++sysnet_relabelto_net_conf(ncftool_t)
++
++userdom_read_user_tmp_files(ncftool_t)
++
++optional_policy(`
++ brctl_domtrans(ncftool_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(ncftool_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc
--- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-05-28 09:41:59.953610894 +0200
@@ -614,6 +781,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
+/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.7.19/policy/modules/admin/netutils.if
+--- nsaserefpolicy/policy/modules/admin/netutils.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/netutils.if 2010-06-15 18:40:03.058768889 +0200
+@@ -299,3 +299,4 @@
+
+ can_exec($1, traceroute_exec_t)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.19/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/netutils.te 2010-06-14 11:19:18.240056520 +0200
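Review bot: `permissive ncftool_t;` in the new ncftool.te leaves the domain unenforced, so the allow rules and interface calls below it only shape audit output and a process that transitions into ncftool_t is not confined; the later unconfineduser.te hunk already routes users into it with `ncftool_run(unconfined_usertype, unconfined_r)`. If this is a bring-up aid, say so next to the statement, e.g. `# FIXME: permissive only while denials are collected; remove before this domain is relied on`. For the enforcing case, `allow ncftool_t self:capability { net_admin sys_ptrace };` combined with `domain_read_all_domains_state(ncftool_t)` and `term_use_all_terms(ncftool_t)` is broad for a network-configuration tool. I would want a comment naming what needs `sys_ptrace`, or the capability dropped.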
@@ -1725,8 +1900,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
java_domtrans_unconfined(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.19/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te 2010-05-28 09:41:59.961611278 +0200
-@@ -87,7 +87,11 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te 2010-06-14 20:23:23.332218554 +0200
+@@ -81,13 +81,18 @@
+
+ init_rw_utmp(shorewall_t)
+
++logging_read_generic_logs(shorewall_t)
+ logging_send_syslog_msg(shorewall_t)
+
+ miscfiles_read_localization(shorewall_t)
sysnet_domtrans_ifconfig(shorewall_t)
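Review bot: `logging_read_generic_logs(shorewall_t)` is added without a comment saying which log shorewall needs to read; as far as I know that interface covers every file carrying the generic log label rather than a single file. A line such as `# shorewall reads <log file> for its log/status commands` above the call would let the next reviewer judge whether a narrower interface fits. The shorewall.te hunk starts and ends outside what is shown here, so an explanation may exist elsewhere in the file.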
@@ -10578,7 +10760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-05-28 09:42:00.046610802 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-06-15 18:40:03.060767978 +0200
@@ -28,17 +28,29 @@
corecmd_exec_shell(sysadm_t)
@@ -10725,10 +10907,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -212,12 +246,18 @@
+@@ -212,12 +246,22 @@
')
optional_policy(`
++ iptables_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ kerberos_exec_kadmind(sysadm_t)
+')
+
@@ -10744,7 +10930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +267,11 @@
+@@ -227,9 +271,11 @@
libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -10756,7 +10942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
-@@ -252,8 +294,10 @@
+@@ -252,8 +298,10 @@
optional_policy(`
mount_run(sysadm_t, sysadm_r)
@@ -10767,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')
-@@ -261,6 +305,7 @@
+@@ -261,6 +309,7 @@
optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
@@ -10775,7 +10961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
-@@ -308,8 +353,14 @@
+@@ -308,8 +357,14 @@
')
optional_policy(`
@@ -10790,7 +10976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +370,11 @@
+@@ -319,9 +374,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@@ -10802,7 +10988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +384,11 @@
+@@ -331,9 +388,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@@ -10814,7 +11000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
-@@ -358,8 +413,14 @@
+@@ -358,8 +417,14 @@
')
optional_policy(`
@@ -10829,7 +11015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -382,9 +443,11 @@
+@@ -382,9 +447,11 @@
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
@@ -10841,7 +11027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +456,21 @@
+@@ -393,17 +460,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -10863,7 +11049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +484,11 @@
+@@ -417,9 +488,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -10875,7 +11061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +496,15 @@
+@@ -427,9 +500,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -10891,7 +11077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +515,30 @@
+@@ -440,13 +519,30 @@
')
optional_policy(`
@@ -11609,8 +11795,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-05-28 09:42:00.049610676 +0200
-@@ -0,0 +1,439 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-06-15 18:40:03.061767907 +0200
+@@ -0,0 +1,443 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -11770,6 +11956,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ ')
+
+ optional_policy(`
++ ncftool_run(unconfined_usertype, unconfined_r)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
+ ')
+
@@ -12522,7 +12712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
admin_pattern($1, abrt_var_cache_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-09 16:27:06.470757212 +0200
++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-15 06:54:27.545609592 +0200
@@ -1,5 +1,5 @@
-policy_module(abrt, 1.0.1)
@@ -12530,7 +12720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
########################################
#
-@@ -33,12 +33,24 @@
+@@ -33,13 +33,25 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -12551,11 +12741,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
#
-allow abrt_t self:capability { setuid setgid sys_nice dac_override };
+-allow abrt_t self:process { signal signull setsched getsched };
+allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+dontaudit abrt_t self:capability sys_rawio;
- allow abrt_t self:process { signal signull setsched getsched };
++allow abrt_t self:process { signal signull sigkill setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
+ allow abrt_t self:tcp_socket create_stream_socket_perms;
@@ -54,20 +66,25 @@
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -13114,8 +13306,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.19/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-05-28 09:42:00.056610845 +0200
-@@ -0,0 +1,118 @@
++++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-06-15 18:40:09.962020397 +0200
+@@ -0,0 +1,114 @@
+
+policy_module(aisexec,1.0.0)
+
@@ -13216,20 +13408,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+')
+
+optional_policy(`
-+ # to communication with RHCS
-+ dlm_controld_manage_tmpfs_files(aisexec_t)
-+ dlm_controld_rw_semaphores(aisexec_t)
++ # to communication with RHCS
++ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
-+ fenced_manage_tmpfs_files(aisexec_t)
-+ fenced_rw_semaphores(aisexec_t)
++ rhcs_rw_fenced_semaphores(aisexec_t)
+
-+ gfs_controld_manage_tmpfs_files(aisexec_t)
-+ gfs_controld_rw_semaphores(aisexec_t)
-+ gfs_controld_t_rw_shm(aisexec_t)
++ rhcs_rw_gfs_controld_semaphores(aisexec_t)
++ rhcs_rw_gfs_controld_shm(aisexec_t)
+
-+ groupd_manage_tmpfs_files(aisexec_t)
-+ groupd_rw_semaphores(aisexec_t)
-+ groupd_rw_shm(aisexec_t)
++ rhcs_rw_groupd_semaphores(aisexec_t)
++ rhcs_rw_groupd_shm(aisexec_t)
+')
+
+userdom_rw_semaphores(aisexec_t)
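Review bot: The renamed calls in this optional_policy block no longer show that file access is being granted. Per the rhcs.if definitions further down this patch, `rhcs_rw_dlm_controld_semaphores` and `rhcs_rw_fenced_semaphores` also apply `manage_files_pattern` to the daemon's tmpfs type, which the old code requested through a separate `*_manage_tmpfs_files` call. Someone auditing aisexec.te would read these lines as semaphore-only. I would extend the existing comment to `# to communicate with RHCS; the rhcs_rw_*_semaphores interfaces also manage the daemons' tmpfs files`, or rename the interfaces in rhcs.if. The gfs_controld and groupd definitions are not in view, so the same is presumably true for them and should be checked.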
@@ -14440,6 +14628,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.19/policy/modules/services/avahi.te
+--- nsaserefpolicy/policy/modules/services/avahi.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/avahi.te 2010-06-15 18:00:13.770018228 +0200
+@@ -104,6 +104,10 @@
+ ')
+
+ optional_policy(`
++ mpd_dbus_chat(avahi_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(avahi_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.19/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2010-06-09 23:44:39.315208775 +0200
@@ -16485,7 +16687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.19/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/consolekit.te 2010-05-28 09:42:00.086610824 +0200
++++ serefpolicy-3.7.19/policy/modules/services/consolekit.te 2010-06-15 18:01:58.476767291 +0200
@@ -16,12 +16,15 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -16541,7 +16743,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
')
optional_policy(`
-@@ -100,19 +110,37 @@
+@@ -91,6 +101,10 @@
+ ')
+
+ optional_policy(`
++ mpd_dbus_chat(consolekit_t)
++ ')
++
++ optional_policy(`
+ rpm_dbus_chat(consolekit_t)
+ ')
+
+@@ -100,19 +114,37 @@
')
optional_policy(`
@@ -16712,8 +16925,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-05-28 12:24:51.498860537 +0200
-@@ -0,0 +1,126 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-06-15 18:40:09.963018230 +0200
+@@ -0,0 +1,120 @@
+
+policy_module(corosync,1.0.0)
+
@@ -16826,14 +17039,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
+optional_policy(`
+ # to communication with RHCS
-+ dlm_controld_manage_tmpfs_files(corosync_t)
-+ dlm_controld_rw_semaphores(corosync_t)
-+
-+ fenced_manage_tmpfs_files(corosync_t)
-+ fenced_rw_semaphores(corosync_t)
-+
-+ gfs_controld_manage_tmpfs_files(corosync_t)
-+ gfs_controld_rw_semaphores(corosync_t)
++ rhcs_rw_cluster_shm(corosync_t)
++ rhcs_rw_cluster_semaphores(corosync_t)
+')
+
+optional_policy(`
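Review bot: Switching corosync to `rhcs_rw_cluster_shm(corosync_t)` and `rhcs_rw_cluster_semaphores(corosync_t)` looks like a widening rather than a rename. The removed lines named dlm_controld, fenced and gfs_controld only and granted no shm access, while the new interfaces are presumably keyed on the `cluster_domain` / `cluster_tmpfs` attributes and would then reach every domain created through `rhcs_domain_template`. Their definitions are outside this view, so the scope needs confirming. If the broader access is intended, record it above the calls, e.g. `# covers all cluster_domain daemons, not only dlm_controld/fenced/gfs_controld`; otherwise keep per-daemon calls as aisexec.te does.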
@@ -20670,8 +20877,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.7.19/policy/modules/services/mpd.if
--- nsaserefpolicy/policy/modules/services/mpd.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-14 18:37:18.471468823 +0200
-@@ -0,0 +1,274 @@
++++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-15 17:58:09.853018142 +0200
+@@ -0,0 +1,295 @@
+
+## policy for daemon for playing music
+
@@ -20899,6 +21106,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
++#######################################
++##
++## Send and receive messages from
++## mpd over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mpd_dbus_chat',`
++ gen_require(`
++ type mpd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 mpd_t:dbus send_msg;
++ allow mpd_t $1:dbus send_msg;
++')
++
+########################################
+##
+## All of the rules required to administrate
@@ -25238,7 +25466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-05-28 09:42:00.158610990 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-06-15 07:28:56.615609284 +0200
@@ -6,6 +6,15 @@
# Declarations
#
@@ -25567,10 +25795,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
#######################################
-@@ -451,6 +525,15 @@
+@@ -451,6 +525,17 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
++mta_mailserver_user_agent(postfix_postqueue_t)
++
+optional_policy(`
+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+')
@@ -25583,7 +25813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix qmgr local policy
-@@ -464,6 +547,7 @@
+@@ -464,6 +549,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -25591,7 +25821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -499,13 +583,14 @@
+@@ -499,13 +585,14 @@
#
# connect to master process
@@ -25607,7 +25837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +620,18 @@
+@@ -535,9 +622,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -25626,7 +25856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -559,20 +653,22 @@
+@@ -559,20 +655,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -26526,7 +26756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-05-28 09:42:00.169610746 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-06-15 18:40:09.964045327 +0200
@@ -0,0 +1,223 @@
+
+policy_module(rgmanager, 1.0.0)
@@ -26668,7 +26898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
+
+optional_policy(`
-+ groupd_stream_connect(rgmanager_t)
++ rhcs_stream_connect_groupd(rgmanager_t)
+')
+
+optional_policy(`
@@ -26678,7 +26908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
-+ gfs_controld_stream_connect(rgmanager_t)
++ rhcs_stream_connect_gfs_controld(rgmanager_t)
+')
+
+optional_policy(`
@@ -26753,463 +26983,454 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-05-28 09:42:00.169610746 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-06-15 18:40:09.966019131 +0200
@@ -0,0 +1,23 @@
-+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
++/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
++/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
++/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
-+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
-+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
-+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
-+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
-+/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-+/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
-+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
++/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
-+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
-+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
++/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
++/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
++/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
++/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+
-+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
-+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
++/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
++/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
++/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-05-28 09:42:00.170610889 +0200
-@@ -0,0 +1,424 @@
-+## SELinux policy for RHCS - Red Hat Cluster Suite
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-06-15 18:40:09.967767835 +0200
+@@ -0,0 +1,415 @@
++## RHCS - Red Hat Cluster Suite
+
+#######################################
+##
-+## Creates types and rules for a basic
-+## rhcs init daemon domain.
++## Creates types and rules for a basic
++## rhcs init daemon domain.
+##
+##
-+##
-+## Prefix for the domain.
-+##
++##
++## Prefix for the domain.
++##
+##
+#
+template(`rhcs_domain_template',`
-+
+ gen_require(`
-+ attribute cluster_domain;
++ attribute cluster_domain;
++ attribute cluster_tmpfs;
+ ')
+
+ ##############################
-+ #
-+ # $1_t declarations
-+ #
++ #
++ # Declarations
++ #
+
+ type $1_t, cluster_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
-+ type $1_tmpfs_t;
++ type $1_tmpfs_t, cluster_tmpfs;
+ files_tmpfs_file($1_tmpfs_t)
+
-+ # log files
+ type $1_var_log_t;
+ logging_log_file($1_var_log_t)
+
-+ # pid files
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ ##############################
-+ #
-+ # $1_t local policy
-+ #
++ #
++ # Local policy
++ #
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file })
++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
++
++ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
++ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
++ logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+
-+ manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t)
-+ manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t)
-+ logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file })
-+
+')
+
+######################################
+##
-+## Execute a domain transition to run groupd.
++## Execute a domain transition to run dlm_controld.
+##
+##
+##
-+## Domain allowed to transition.
++## Domain allowed to transition.
+##
+##
+#
-+interface(`groupd_domtrans',`
-+ gen_require(`
-+ type groupd_t, groupd_exec_t;
-+ ')
++interface(`rhcs_domtrans_dlm_controld',`
++ gen_require(`
++ type dlm_controld_t, dlm_controld_exec_t;
++ ')
+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1,groupd_exec_t,groupd_t)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
+')
+
+#####################################
+##
-+## Connect to groupd over a unix domain
-+## stream socket.
++## Connect to dlm_controld over a unix domain
++## stream socket.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`groupd_stream_connect',`
-+ gen_require(`
-+ type groupd_t, groupd_var_run_t;
-+ ')
++interface(`rhcs_stream_connect_dlm_controld',`
++ gen_require(`
++ type dlm_controld_t, dlm_controld_var_run_t;
++ ')
+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+')
+
+#####################################
+##
-+## Manage groupd tmpfs files.
++## Allow read and write access to dlm_controld semaphores.
+##
+##
-+##
-+## The type of the process performing this action.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`groupd_manage_tmpfs_files',`
-+ gen_require(`
-+ type groupd_tmpfs_t;
-+ ')
-+
-+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+ manage_lnk_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+')
++interface(`rhcs_rw_dlm_controld_semaphores',`
++ gen_require(`
++ type dlm_controld_t, dlm_controld_tmpfs_t;
++ ')
+
-+#####################################
-+##
-+## Allow read and write access to groupd semaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`groupd_rw_semaphores',`
-+ gen_require(`
-+ type groupd_t;
-+ ')
++ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
+
-+ allow $1 groupd_t:sem { rw_sem_perms destroy };
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+')
+
-+########################################
++######################################
+##
-+## Read and write to group shared memory.
++## Execute a domain transition to run fenced.
+##
+##
-+##
-+## The type of the process performing this action.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`groupd_rw_shm',`
-+ gen_require(`
-+ type groupd_t;
-+ ')
++interface(`rhcs_domtrans_fenced',`
++ gen_require(`
++ type fenced_t, fenced_exec_t;
++ ')
+
-+ allow $1 groupd_t:shm { rw_shm_perms destroy };
++ corecmd_search_bin($1)
++ domtrans_pattern($1, fenced_exec_t, fenced_t)
+')
+
+######################################
+##
-+## Execute a domain transition to run dlm_controld.
++## Allow read and write access to fenced semaphores.
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`dlm_controld_domtrans',`
-+ gen_require(`
-+ type dlm_controld_t, dlm_controld_exec_t;
-+ ')
++interface(`rhcs_rw_fenced_semaphores',`
++ gen_require(`
++ type fenced_t, fenced_tmpfs_t;
++ ')
+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1,dlm_controld_exec_t,dlm_controld_t)
++ allow $1 fenced_t:sem { rw_sem_perms destroy };
+
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+')
+
-+#####################################
++######################################
+##
-+## Connect to dlm_controld over a unix domain
-+## stream socket.
++## Connect to fenced over an unix domain stream socket.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`dlm_controld_stream_connect',`
-+ gen_require(`
-+ type dlm_controld_t, dlm_controld_var_run_t;
-+ ')
++interface(`rhcs_stream_connect_fenced',`
++ gen_require(`
++ type fenced_var_run_t, fenced_t;
++ ')
+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
++ allow $1 fenced_t:unix_stream_socket connectto;
++ allow $1 fenced_var_run_t:sock_file { getattr write };
++ files_search_pids($1)
+')
+
+#####################################
+##
-+## Manage dlm_controld tmpfs files.
++## Execute a domain transition to run gfs_controld.
+##
+##
-+##
-+## The type of the process performing this action.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`dlm_controld_manage_tmpfs_files',`
-+ gen_require(`
-+ type dlm_controld_tmpfs_t;
-+ ')
++interface(`rhcs_domtrans_gfs_controld',`
++ gen_require(`
++ type gfs_controld_t, gfs_controld_exec_t;
++ ')
+
-+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
-+ manage_lnk_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
+')
+
-+#####################################
++####################################
+##
-+## Allow read and write access to dlm_controld semaphores.
++## Allow read and write access to gfs_controld semaphores.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`dlm_controld_rw_semaphores',`
-+ gen_require(`
-+ type dlm_controld_t;
-+ ')
++interface(`rhcs_rw_gfs_controld_semaphores',`
++ gen_require(`
++ type gfs_controld_t, gfs_controld_tmpfs_t;
++ ')
++
++ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+
-+ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
-+######################################
++########################################
+##
-+## Execute a domain transition to run fenced.
++## Read and write to gfs_controld_t shared memory.
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`fenced_domtrans',`
-+ gen_require(`
-+ type fenced_t, fenced_exec_t;
-+ ')
++interface(`rhcs_rw_gfs_controld_shm',`
++ gen_require(`
++ type gfs_controld_t, gfs_controld_tmpfs_t;
++ ')
+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1,fenced_exec_t,fenced_t)
++ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
-+######################################
++#####################################
+##
-+## Connect to fenced over an unix domain stream socket.
++## Connect to gfs_controld_t over an unix domain stream socket.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`fenced_stream_connect',`
-+ gen_require(`
-+ type fenced_var_run_t, fenced_t;
-+ ')
++interface(`rhcs_stream_connect_gfs_controld',`
++ gen_require(`
++ type gfs_controld_t, gfs_controld_var_run_t;
++ ')
+
-+ allow $1 fenced_t:unix_stream_socket connectto;
-+ allow $1 fenced_var_run_t:sock_file { getattr write };
-+ files_search_pids($1)
++ files_search_pids($1)
++ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+')
+
-+#####################################
++######################################
+##
-+## Managed fenced tmpfs files.
++## Execute a domain transition to run groupd.
+##
+##
-+##
-+## The type of the process performing this action.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`fenced_manage_tmpfs_files',`
-+ gen_require(`
-+ type fenced_tmpfs_t;
-+ ')
++interface(`rhcs_domtrans_groupd',`
++ gen_require(`
++ type groupd_t, groupd_exec_t;
++ ')
+
-+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
-+ manage_lnk_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, groupd_exec_t, groupd_t)
+')
+
-+######################################
++#####################################
+##
-+## Allow read and write access to fenced semaphores.
++## Connect to groupd over a unix domain
++## stream socket.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`fenced_rw_semaphores',`
-+ gen_require(`
-+ type fenced_t;
-+ ')
++interface(`rhcs_stream_connect_groupd',`
++ gen_require(`
++ type groupd_t, groupd_var_run_t;
++ ')
+
-+ allow $1 fenced_t:sem { rw_sem_perms destroy };
++ files_search_pids($1)
++ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+')
+
+#####################################
+##
-+## Execute a domain transition to run gfs_controld.
++## Allow read and write access to groupd semaphores.
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`gfs_controld_domtrans',`
-+ gen_require(`
-+ type gfs_controld_t, gfs_controld_exec_t;
-+ ')
++interface(`rhcs_rw_groupd_semaphores',`
++ gen_require(`
++ type groupd_t, groupd_tmpfs_t;
++ ')
+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1,gfs_controld_exec_t,gfs_controld_t)
++ allow $1 groupd_t:sem { rw_sem_perms destroy };
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
-+###################################
++########################################
+##
-+## Manage gfs_controld tmpfs files.
++## Read and write to group shared memory.
+##
+##
-+##
-+## The type of the process performing this action.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`gfs_controld_manage_tmpfs_files',`
-+ gen_require(`
-+ type gfs_controld_tmpfs_t;
-+ ')
++interface(`rhcs_rw_groupd_shm',`
++ gen_require(`
++ type groupd_t, groupd_tmpfs_t;
++ ')
+
-+ fs_search_tmpfs($1)
-+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-+ manage_lnk_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
++ allow $1 groupd_t:shm { rw_shm_perms destroy };
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
-+####################################
++########################################
+##
-+## Allow read and write access to gfs_controld semaphores.
++## Read and write to cluster domains shared memory.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`gfs_controld_rw_semaphores',`
-+ gen_require(`
-+ type gfs_controld_t;
-+ ')
++interface(`rhcs_rw_cluster_shm',`
++ gen_require(`
++ attribute cluster_domain;
++ attribute cluster_tmpfs;
++ ')
+
-+ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
++ allow $1 cluster_domain:shm { rw_shm_perms destroy };
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
++ manage_lnk_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+')
+
-+########################################
++####################################
+##
-+## Read and write to gfs_controld_t shared memory.
++## Read and write access to cluster domains semaphores.
+##
+##
+##
-+## The type of the process performing this action.
++## Domain allowed access.
+##
+##
+#
-+interface(`gfs_controld_t_rw_shm',`
++interface(`rhcs_rw_cluster_semaphores',`
+ gen_require(`
-+ type gfs_controld_t;
++ type cluster_domain;
+ ')
+
-+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
++ allow $1 cluster_domain:sem { rw_sem_perms destroy };
+')
+
-+#####################################
++######################################
+##
-+## Connect to gfs_controld_t over an unix domain stream socket.
++## Execute a domain transition to run qdiskd.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`gfs_controld_stream_connect',`
-+ gen_require(`
-+ type gfs_controld_t, gfs_controld_var_run_t;
-+ ')
++interface(`rhcs_domtrans_qdiskd',`
++ gen_require(`
++ type qdiskd_t, qdiskd_exec_t;
++ ')
+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+')
+
-+######################################
++########################################
+##
-+## Execute a domain transition to run qdiskd.
++## Allow domain to read qdiskd tmpfs files
+##
+##
-+##
-+## Domain allowed to transition.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`qdiskd_domtrans',`
-+ gen_require(`
-+ type qdiskd_t, qdiskd_exec_t;
-+ ')
++interface(`rhcs_read_qdiskd_tmpfs_files',`
++ gen_require(`
++ type qdiskd_tmpfs_t;
++ ')
+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1,qdiskd_exec_t,qdiskd_t)
++ allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
-+
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-05-28 12:24:14.508611285 +0200
-@@ -0,0 +1,242 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-06-15 18:40:09.968779078 +0200
+@@ -0,0 +1,243 @@
+
+policy_module(rhcs,1.1.0)
+
@@ -27226,6 +27447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+gen_tunable(fenced_can_network_connect, false)
+
+attribute cluster_domain;
++attribute cluster_tmpfs;
+
+rhcs_domain_template(dlm_controld)
+
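Review bot: `cluster_domain` is declared in this hunk as an attribute (`attribute cluster_domain;`, next to the added `attribute cluster_tmpfs;`), but the new `rhcs_rw_cluster_semaphores` interface added to rhcs.if earlier in this patch requires it with `type cluster_domain;`. `rhcs_rw_cluster_shm` in the same file requires it as `attribute cluster_domain;`, so the two interfaces disagree, and the type/attribute mismatch will probably be rejected once a module calls the semaphore interface. I would change that require line to `attribute cluster_domain;`. Separately, nothing visible in this hunk attaches any tmpfs type to `cluster_tmpfs`; presumably `rhcs_domain_template` does that, which is worth confirming because `rhcs_rw_cluster_shm` grants manage access through the attribute.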
@@ -27897,6 +28119,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
## Allow rtkit to control scheduling for your process
##
##
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.19/policy/modules/services/rtkit.te
+--- nsaserefpolicy/policy/modules/services/rtkit.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rtkit.te 2010-06-15 18:00:58.428018646 +0200
+@@ -32,5 +32,9 @@
+ miscfiles_read_localization(rtkit_daemon_t)
+
+ optional_policy(`
++ mpd_dbus_chat(rtkit_daemon_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-05-28 09:42:00.178610776 +0200
@@ -32654,7 +32889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-05-28 09:42:00.216612297 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-06-15 17:06:19.819626772 +0200
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -32747,7 +32982,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -682,6 +728,8 @@
+@@ -674,6 +720,8 @@
+
+ init_exec($1)
+
++ corecmd_exec_bin($1)
++
+ tunable_policy(`init_upstart',`
+ gen_require(`
+ type init_t;
+@@ -682,6 +730,8 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
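Review bot: The added `corecmd_exec_bin($1)` sits outside the `init_upstart` tunable block, so every domain that calls this interface gains the right to execute any bin_t program in its own domain, whatever the tunable is set to. The interface's name and header are outside the hunk; from the `init_exec($1)` context it looks like the telinit interface, which this same patch also grants to `audisp_remote_t`. If the access is only needed in the upstart case, move the line inside the tunable block. Either way, put a why-comment above it, for example `# telinit runs a helper labelled bin_t (confirm which one)`.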
@@ -32756,7 +33000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -754,18 +802,19 @@
+@@ -754,18 +804,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -32780,7 +33024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -781,19 +830,41 @@
+@@ -781,23 +832,45 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -32803,11 +33047,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+##
+ ')
+ ')
+
+ ########################################
+ ##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -32820,13 +33064,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
-@@ -849,8 +920,10 @@
++')
++
++########################################
++##
+ ## Execute a init script in a specified domain.
+ ##
+ ##
+@@ -849,8 +922,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -32837,7 +33085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1637,7 +1710,7 @@
+@@ -1637,7 +1712,7 @@
type initrc_var_run_t;
')
@@ -32846,7 +33094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1712,3 +1785,56 @@
+@@ -1712,3 +1787,56 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -33483,8 +33731,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+userdom_read_user_tmp_files(setkey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.19/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-05-28 09:42:00.220610773 +0200
-@@ -1,13 +1,18 @@
++++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-06-15 18:40:03.062767626 +0200
+@@ -1,13 +1,16 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -33503,8 +33751,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
-+/usr/bin/ncftool -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.19/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/iptables.if 2010-05-28 09:42:00.220610773 +0200
@@ -34088,7 +34334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-06-09 23:05:38.904506480 +0200
++++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-06-15 17:07:51.140615800 +0200
@@ -61,6 +61,7 @@
type syslogd_t;
type syslogd_exec_t;
@@ -34129,27 +34375,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -252,6 +263,8 @@
+@@ -252,6 +263,9 @@
# Audit remote logger local policy
#
++allow audisp_remote_t self:capability { setuid setpcap };
+allow audisp_remote_t self:process { getcap setcap };
+
allow audisp_remote_t self:tcp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(audisp_remote_t)
-@@ -268,6 +281,10 @@
+@@ -266,6 +280,15 @@
- logging_send_syslog_msg(audisp_remote_t)
+ files_read_etc_files(audisp_remote_t)
+auth_use_nsswitch(audisp_remote_t)
++auth_dontaudit_write_login_records(audisp_remote_t)
+
++init_read_utmp(audisp_remote_t)
++init_dontaudit_write_utmp(audisp_remote_t)
+init_telinit(audisp_remote_t)
+
- miscfiles_read_localization(audisp_remote_t)
++logging_search_logs(audisp_remote_t)
++logging_send_audit_msgs(audisp_remote_t)
+ logging_send_syslog_msg(audisp_remote_t)
- sysnet_dns_name_resolve(audisp_remote_t)
-@@ -372,8 +389,10 @@
+ miscfiles_read_localization(audisp_remote_t)
+@@ -372,8 +395,10 @@
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)
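Review bot: The added `allow audisp_remote_t self:capability { setuid setpcap };` lets a domain that also creates TCP sockets change its UID and edit its capability sets, and nothing in the hunk says why. If this is for a privilege drop at startup, say so in a comment above the rule, e.g. `# audisp-remote drops root after startup: needs setuid/setpcap (confirm)`, so a later reviewer can tell when the rule can be removed. The two new dontaudit lines, `auth_dontaudit_write_login_records` and `init_dontaudit_write_utmp`, silence denials for write attempts on login records and utmp. Those AVC messages are a useful signal if this daemon misbehaves, so a one-line comment naming the benign caller (presumably a library call) would justify hiding them.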
@@ -34162,7 +34414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-@@ -491,6 +510,10 @@
+@@ -491,6 +516,10 @@
')
optional_policy(`
@@ -34307,6 +34559,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.19/policy/modules/system/modutils.if
+--- nsaserefpolicy/policy/modules/system/modutils.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/modutils.if 2010-06-15 18:40:03.063767415 +0200
+@@ -59,6 +59,7 @@
+ files_search_etc($1)
+ files_search_boot($1)
+
++ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+ read_files_pattern($1, modules_conf_t, modules_conf_t)
+ read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-05-28 09:42:00.507610874 +0200
@@ -36057,7 +36320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-05-28 09:42:00.518610770 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-06-15 18:40:03.064777332 +0200
@@ -60,25 +60,24 @@
netutils_run(dhcpc_t, $2)
netutils_run_ping(dhcpc_t, $2)
@@ -36143,7 +36406,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
#######################################
##
## Set the attributes of network config files.
-@@ -403,11 +439,8 @@
+@@ -270,6 +306,44 @@
+
+ #######################################
+ ##
++## Allow caller to relabel net_conf files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelfrom_net_conf',`
++
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:file relabelfrom;
++')
++
++######################################
++##
++## Allow caller to relabel net_conf files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelto_net_conf',`
++
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:file relabelto;
++')
++
++#######################################
++##
+ ## Read network config files.
+ ##
+ ##
+@@ -403,11 +477,8 @@
type net_conf_t;
')
@@ -36157,7 +36465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
#######################################
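Review bot: `sysnet_relabelfrom_net_conf` and `sysnet_relabelto_net_conf` carry the identical summary `Allow caller to relabel net_conf files`, so the generated interface documentation cannot tell them apart. I would write `## Allow caller to relabel files from the net_conf_t type.` for the first and `## Allow caller to relabel files to the net_conf_t type.` for the second. The relabelto variant lets the caller give the network-configuration label to any file it is already allowed to relabel from, so the distinction matters to anyone auditing which domains call it. Both bodies also open with a blank line before `gen_require`, unlike the other interfaces visible in this patch.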
-@@ -464,6 +497,10 @@
+@@ -464,6 +535,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -36168,7 +36476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -677,7 +714,10 @@
+@@ -677,7 +752,10 @@
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
@@ -36180,7 +36488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -709,5 +749,52 @@
+@@ -709,5 +787,52 @@
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
@@ -36236,7 +36544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-06-08 15:28:13.716610680 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-06-15 07:01:15.534609419 +0200
@@ -1,5 +1,5 @@
-policy_module(sysnetwork, 1.10.3)
@@ -36291,15 +36599,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
-@@ -172,6 +184,7 @@
+@@ -172,6 +184,8 @@
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+ hal_dontaudit_write_log(dhcpc_t)
++ hal_dontaudit_read_pid_files(dhcpc_t)
')
optional_policy(`
-@@ -193,6 +206,12 @@
+@@ -193,6 +207,12 @@
')
optional_policy(`
@@ -36312,7 +36621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -214,6 +233,7 @@
+@@ -214,6 +234,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -36320,7 +36629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -277,8 +297,11 @@
+@@ -277,8 +298,11 @@
domain_use_interactive_fds(ifconfig_t)
@@ -36332,7 +36641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -306,6 +329,8 @@
+@@ -306,6 +330,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -36341,7 +36650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -328,6 +353,8 @@
+@@ -328,6 +354,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6abd395..b133944 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Tue Jun 15 2010 Miroslav Grepl 3.7.19-29
+- Allow abrt sigkill
+- Add ncftool policy
+- Add cluster fixes
+- Fixes for audisp-remote
+
* Mon Jun 14 2010 Miroslav Grepl 3.7.19-28
- Fixes for netutils
- Cleanup of aiccu policy