diff --git a/policy-F13.patch b/policy-F13.patch
index a072ef2..3356b8f 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -239,8 +239,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.17/policy/modules/admin/accountsd.te
--- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/admin/accountsd.te 2010-03-29 15:35:14.000000000 -0400
-@@ -0,0 +1,48 @@
++++ serefpolicy-3.7.17/policy/modules/admin/accountsd.te 2010-03-31 08:46:30.000000000 -0400
+@@ -0,0 +1,53 @@
+policy_module(accountsd,1.0.0)
+
+########################################
@@ -286,9 +286,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
+optional_policy(`
+ consolekit_read_log(accountsd_t)
+')
++
+optional_policy(`
+ policykit_dbus_chat(accountsd_t)
+')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(accountsd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.17/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.17/policy/modules/admin/acct.te 2010-03-29 15:35:14.000000000 -0400
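Review bot: The new `xserver_dbus_chat_xdm(accountsd_t)` block at the end of accountsd.te carries no comment saying which exchange with the display manager accountsd needs, and `*_dbus_chat` interfaces in this policy typically grant send_msg in both directions rather than only letting the daemon answer xdm. A one-line why-comment above the `optional_policy` would let the next reviewer judge whether a one-way grant would do, e.g. `# xdm <-> accountsd D-Bus traffic: <reason> — TODO confirm whether one direction suffices`.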
@@ -2282,8 +2287,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.17/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/apps/execmem.fc 2010-03-29 15:35:14.000000000 -0400
-@@ -0,0 +1,45 @@
++++ serefpolicy-3.7.17/policy/modules/apps/execmem.fc 2010-03-31 10:10:21.000000000 -0400
+@@ -0,0 +1,46 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2321,6 +2326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
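Review bot: The added `/usr/lib/thunderbird-[^/]+/thunderbird-bin` entry labels the mail client's main binary execmem_exec_t, while this same patch still wires up a dedicated thunderbird module (`thunderbird_role(staff_r, staff_t)` in the staff.te hunk further down). If thunderbird.fc also matches that path the two file-context entries compete and only one label can win at relabel time, which cannot be seen from this hunk. Whichever outcome is intended should be recorded next to the entry, e.g. `# thunderbird-bin: execmem needed for <reason>; relation to thunderbird.fc label — TODO confirm`.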
@@ -6675,8 +6681,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.17/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/kernel/corecommands.fc 2010-03-29 15:35:14.000000000 -0400
-@@ -147,6 +147,9 @@
++++ serefpolicy-3.7.17/policy/modules/kernel/corecommands.fc 2010-03-31 08:51:15.000000000 -0400
+@@ -49,7 +49,8 @@
+ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
+
+-/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/ConsoleKit/run-seat\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -147,6 +148,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -6686,7 +6702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -217,10 +220,13 @@
+@@ -217,10 +221,13 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -6700,7 +6716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +337,21 @@
+@@ -331,3 +338,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -6879,7 +6895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.17/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/kernel/devices.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/kernel/devices.if 2010-03-31 10:30:44.000000000 -0400
@@ -934,6 +934,42 @@
########################################
@@ -8223,7 +8239,130 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.17/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/kernel/filesystem.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/kernel/filesystem.if 2010-03-30 16:19:34.000000000 -0400
+@@ -569,10 +569,10 @@
+ #
+ interface(`fs_mount_cgroup', `
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+ ')
+
+- allow $1 cgroup_t:filesystem mount;
++ allow $1 cgroupfs_t:filesystem mount;
+ ')
+
+ ########################################
+@@ -588,10 +588,10 @@
+ #
+ interface(`fs_remount_cgroup', `
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+ ')
+
+- allow $1 cgroup_t:filesystem remount;
++ allow $1 cgroupfs_t:filesystem remount;
+ ')
+
+ ########################################
+@@ -606,10 +606,10 @@
+ #
+ interface(`fs_unmount_cgroup', `
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+ ')
+
+- allow $1 cgroup_t:filesystem unmount;
++ allow $1 cgroupfs_t:filesystem unmount;
+ ')
+
+ ########################################
+@@ -644,11 +644,11 @@
+ #
+ interface(`fs_list_cgroup_dirs', `
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+
+ ')
+
+- list_dirs_pattern($1, cgroup_t, cgroup_t)
++ list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
+ ')
+
+ ########################################
+@@ -682,11 +682,11 @@
+ #
+ interface(`fs_manage_cgroup_dirs',`
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+
+ ')
+
+- manage_dirs_pattern($1, cgroup_t, cgroup_t)
++ manage_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
+ ')
+
+ ########################################
+@@ -702,11 +702,11 @@
+ #
+ interface(`fs_setattr_cgroup_files',`
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+
+ ')
+
+- setattr_files_pattern($1, cgroup_t, cgroup_t)
++ setattr_files_pattern($1, cgroupfs_t, cgroupfs_t)
+ ')
+
+ ########################################
+@@ -722,11 +722,11 @@
+ #
+ interface(`fs_read_cgroup_files',`
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+
+ ')
+
+- read_files_pattern($1, cgroup_t, cgroup_t)
++ read_files_pattern($1, cgroupfs_t, cgroupfs_t)
+ ')
+
+ ########################################
+@@ -742,11 +742,11 @@
+ #
+ interface(`fs_write_cgroup_files', `
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+
+ ')
+
+- write_files_pattern($1, cgroup_t, cgroup_t)
++ write_files_pattern($1, cgroupfs_t, cgroupfs_t)
+ ')
+
+ ########################################
+@@ -762,11 +762,11 @@
+ #
+ interface(`fs_rw_cgroup_files',`
+ gen_require(`
+- type cgroup_t;
++ type cgroupfs_t;
+
+ ')
+
+- rw_files_pattern($1, cgroup_t, cgroup_t)
++ rw_files_pattern($1, cgroupfs_t, cgroupfs_t)
+ ')
+
+ ########################################
@@ -1141,7 +1141,7 @@
type cifs_t;
')
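Review bot: The rename to `cgroupfs_t` is applied consistently across the fs_*_cgroup_* interfaces in this hunk, but the old name is not retired: the kernel.te hunk (`@@ -46,15 +46,6 @@`) drops `type cgroup_t` while the services/cgroup.te hunk (`@@ -14138,6 +14313,9 @@`) re-declares `type cgroup_t` as a `files_mountpoint` type with a different meaning. Any policy that still requires `type cgroup_t;` expecting the filesystem type will now bind to the mountpoint type instead of failing to link, turning a loud build error into a silently wrong rule. Consider a name that cannot collide (e.g. `cgroup_mountpoint_t`) for the new mountpoint type, or at minimum a comment next to `type cgroupfs_t;` in filesystem.te recording the rename so the collision is discoverable.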
@@ -8347,7 +8486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.17/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-03-12 11:48:14.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/kernel/filesystem.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/kernel/filesystem.te 2010-03-30 16:19:12.000000000 -0400
@@ -53,6 +53,7 @@
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
@@ -8356,7 +8495,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
type bdev_t;
fs_type(bdev_t)
-@@ -172,6 +173,7 @@
+@@ -68,6 +69,15 @@
+ files_mountpoint(capifs_t)
+ genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
++#
++# cgroup fs
++#
++
++type cgroupfs_t;
++fs_type(cgroupfs_t)
++allow cgroupfs_t self:filesystem associate;
++genfscon cgroup / gen_context(system_u:object_r:cgroupfs_t,s0)
++
+ type configfs_t;
+ fs_type(configfs_t)
+ genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
+@@ -172,6 +182,7 @@
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
@@ -8364,7 +8519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
allow tmpfs_t noxattrfs:filesystem associate;
-@@ -242,6 +244,7 @@
+@@ -242,6 +253,7 @@
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -8374,7 +8529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.17/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/kernel/kernel.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/kernel/kernel.if 2010-03-30 16:20:46.000000000 -0400
@@ -1959,7 +1959,7 @@
')
@@ -8434,8 +8589,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.17/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/kernel/kernel.te 2010-03-29 15:35:14.000000000 -0400
-@@ -64,6 +64,15 @@
++++ serefpolicy-3.7.17/policy/modules/kernel/kernel.te 2010-03-30 16:18:49.000000000 -0400
+@@ -46,15 +46,6 @@
+ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+
+ #
+-# cgroup fs
+-#
+-
+-type cgroup_t;
+-fs_type(cgroup_t)
+-allow cgroup_t self:filesystem associate;
+-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+-
+-#
+ # DebugFS
+ #
+
+@@ -64,6 +55,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
#
@@ -8451,7 +8622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
# kvmFS
#
-@@ -166,6 +175,7 @@
+@@ -166,6 +166,7 @@
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -8459,7 +8630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -256,7 +266,8 @@
+@@ -256,7 +257,8 @@
selinux_load_policy(kernel_t)
@@ -8469,7 +8640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -270,6 +281,8 @@
+@@ -270,6 +272,8 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -8478,7 +8649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
mcs_process_set_categories(kernel_t)
-@@ -277,12 +290,18 @@
+@@ -277,12 +281,18 @@
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
@@ -8497,7 +8668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -359,6 +378,10 @@
+@@ -359,6 +369,10 @@
unconfined_domain_noaudit(kernel_t)
')
@@ -8683,7 +8854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t
+gen_user(guest_u, user, guest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.17/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-03-10 15:27:26.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/roles/staff.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/roles/staff.te 2010-03-31 08:54:06.000000000 -0400
@@ -9,25 +9,52 @@
role staff_r;
@@ -8792,7 +8963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
thunderbird_role(staff_r, staff_t)
')
-@@ -169,6 +208,75 @@
+@@ -169,6 +208,77 @@
wireshark_role(staff_r, staff_t)
')
@@ -8867,7 +9038,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+ virt_stream_connect(staff_t)
+')
+
-+userhelper_console_role_template(staff, staff_t, staff_usertype)
++optional_policy(`
++ userhelper_console_role_template(staff, staff_r, staff_usertype)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.17/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
+++ serefpolicy-3.7.17/policy/modules/roles/sysadm.te 2010-03-29 15:35:14.000000000 -0400
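Review bot: `userhelper_console_role_template(staff, staff_r, staff_usertype)` now passes the role as its second argument, but the third argument stays the attribute `staff_usertype` while the neighbouring call in this hunk passes the concrete domain (`virt_stream_connect(staff_t)`); whether the template accepts an attribute as the user domain cannot be checked from here. A short comment stating the intent, e.g. `# apply to every staff-derived domain, not only staff_t — TODO confirm the template accepts an attribute`, would settle it for the next reader.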
@@ -11229,7 +11402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.17/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/aisexec.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/aisexec.te 2010-03-31 08:47:52.000000000 -0400
@@ -0,0 +1,115 @@
+
+policy_module(aisexec,1.0.0)
@@ -14069,8 +14242,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.17/policy/modules/services/cgroup.fc
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cgroup.fc 2010-03-29 15:35:14.000000000 -0400
-@@ -0,0 +1,7 @@
++++ serefpolicy-3.7.17/policy/modules/services/cgroup.fc 2010-03-30 16:23:29.000000000 -0400
+@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
+
@@ -14078,6 +14251,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
++
++/cgroup(.*)? gen_context(system_u:object_r:cgroup_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.17/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.17/policy/modules/services/cgroup.if 2010-03-29 15:35:14.000000000 -0400
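Review bot: The new entry `/cgroup(.*)? gen_context(system_u:object_r:cgroup_t, s0)` uses `(.*)?` rather than the `(/.*)?` form used for directory trees elsewhere in this patch (e.g. `/etc/dovecot(/.*)?`, `/etc/ConsoleKit/run-seat\.d(/.*)?`), so it also matches unrelated top-level paths such as `/cgroups` or `/cgroupfoo`. Change it to `/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t, s0)`. Since the mounted filesystem itself is labeled `cgroupfs_t` via genfscon in filesystem.te while this entry only labels the on-disk mountpoint, a comment such as `# mountpoint only; the mounted cgroup fs is cgroupfs_t (filesystem.te)` would keep the two types from being confused.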
@@ -14119,7 +14294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.17/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cgroup.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/cgroup.te 2010-03-30 16:22:28.000000000 -0400
@@ -0,0 +1,87 @@
+policy_module(cgroup, 1.0.0)
+
@@ -14138,6 +14313,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
++type cgroup_t;
++files_mountpoint(cgroup_t)
++
+########################################
+#
+# cgconfig personal declarations.
@@ -14192,22 +14370,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+#
+# cgconfig personal policy.
+#
++manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
++manage_files_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
++allow cgconfigparser_t cgroup_t:dir mounton;
+
-+optional_policy(`
-+ fs_manage_cgroup_dirs(cgconfigparser_t)
-+ fs_rw_cgroup_files(cgconfigparser_t)
-+ fs_setattr_cgroup_files(cgconfigparser_t)
-+ fs_mount_cgroup(cgconfigparser_t)
-+')
-+
-+files_mounton_mnt(cgconfigparser_t)
-+files_manage_mnt_dirs(cgconfigparser_t)
++kernel_list_unlabeled(cgconfigparser_t)
++kernel_read_system_state(cgconfigparser_t)
+
+files_read_etc_files(cgconfigparser_t)
+
-+# /mnt/cgroups/cpu
-+kernel_list_unlabeled(cgconfigparser_t)
-+kernel_read_system_state(cgconfigparser_t)
++fs_manage_cgroup_dirs(cgconfigparser_t)
++fs_rw_cgroup_files(cgconfigparser_t)
++fs_setattr_cgroup_files(cgconfigparser_t)
++fs_mount_cgroup(cgconfigparser_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.17/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.7.17/policy/modules/services/clamav.te 2010-03-29 15:35:14.000000000 -0400
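Review bot: `kernel_list_unlabeled(cgconfigparser_t)` survives the reordering but loses the `# /mnt/cgroups/cpu` comment that explained why the parser needs to list unlabeled directories, and the `files_mounton_mnt`/`files_manage_mnt_dirs` rules that comment referred to are gone, so the justification no longer matches the code; the devicekit.te hunk adding `kernel_list_unlabeled(devicekit_disk_t)` has the same gap. Grants on unlabeled content tend to be carried forward long after their trigger is forgotten, so each should keep a why-comment, e.g. `# lists <unlabeled path> during <operation> — TODO confirm still needed now that /cgroup is labeled cgroup_t`. The new `allow cgconfigparser_t cgroup_t:dir mounton;` is acceptable on the module's own type but is likewise unexplained.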
@@ -14475,7 +14650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.17/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/consolekit.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/consolekit.fc 2010-03-31 09:50:46.000000000 -0400
@@ -1,5 +1,7 @@
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
@@ -14535,7 +14710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.17/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/consolekit.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/consolekit.te 2010-03-31 09:06:51.000000000 -0400
@@ -16,12 +16,15 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -15080,7 +15255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.17/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cron.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/cron.te 2010-03-31 10:09:23.000000000 -0400
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -15359,11 +15534,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -590,7 +670,7 @@
- userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -591,6 +671,7 @@
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
--list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+ list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -16204,7 +16378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.17/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/devicekit.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/devicekit.te 2010-03-31 10:24:28.000000000 -0400
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -16226,7 +16400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-@@ -71,29 +75,62 @@
+@@ -71,29 +75,63 @@
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -16235,6 +16409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+
++kernel_list_unlabeled(devicekit_disk_t)
+kernel_getattr_message_if(devicekit_disk_t)
+kernel_read_fs_sysctls(devicekit_disk_t)
+kernel_read_network_state(devicekit_disk_t)
@@ -16291,7 +16466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
-@@ -102,6 +139,16 @@
+@@ -102,6 +140,16 @@
userdom_search_user_home_dirs(devicekit_disk_t)
optional_policy(`
@@ -16308,7 +16483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
fstools_domtrans(devicekit_disk_t)
')
-@@ -110,28 +157,27 @@
+@@ -110,28 +158,33 @@
')
optional_policy(`
@@ -16331,22 +16506,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
- dbus_system_bus_client(devicekit_disk_t)
-
- allow devicekit_disk_t devicekit_t:dbus send_msg;
--
++ udev_domtrans(devicekit_disk_t)
++ udev_read_db(devicekit_disk_t)
++')
+
- optional_policy(`
- consolekit_dbus_chat(devicekit_disk_t)
- ')
-+ udev_domtrans(devicekit_disk_t)
-+ udev_read_db(devicekit_disk_t)
++optional_policy(`
++ virt_manage_images(devicekit_disk_t)
')
optional_policy(`
- udev_domtrans(devicekit_disk_t)
- udev_read_db(devicekit_disk_t)
-+ virt_manage_images(devicekit_disk_t)
++ unconfined_domain(devicekit_t)
++ unconfined_domain(devicekit_power_t)
++ unconfined_domain(devicekit_disk_t)
')
########################################
-@@ -139,9 +185,11 @@
+@@ -139,9 +192,11 @@
# DeviceKit-Power local policy
#
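Review bot: The new `optional_policy` block ending at `unconfined_domain(devicekit_disk_t)` makes all three DeviceKit daemons unconfined, which discards the confinement the rest of the module builds (the `udev_domtrans`/`virt_manage_images` grants above it become redundant once it applies), and nothing in the hunk says whether this is a temporary workaround or intentional. If it is a stopgap, mark it so it is not carried forward, e.g. `# TODO(temporary): unconfined until <bug/denial reference>; remove once fixed`; if permanent, the reason belongs here and the now-dead rules should go. The block is also not gated by a tunable, so it cannot be narrowed without rebuilding the policy.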
@@ -16359,7 +16539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +199,8 @@
+@@ -151,6 +206,8 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -16368,7 +16548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,7 +209,9 @@
+@@ -159,7 +216,9 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -16378,7 +16558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +219,17 @@
+@@ -167,12 +226,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -16396,7 +16576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,6 +237,10 @@
+@@ -180,6 +244,10 @@
')
optional_policy(`
@@ -16407,7 +16587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -203,17 +264,23 @@
+@@ -203,17 +271,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -16604,12 +16784,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.17/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/dovecot.fc 2010-03-30 09:36:50.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/dovecot.fc 2010-03-30 14:48:23.000000000 -0400
@@ -3,6 +3,7 @@
# /etc
#
/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
-+/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0)
++/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
@@ -17908,7 +18088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.17/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/hal.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/hal.te 2010-03-31 10:30:52.000000000 -0400
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -17944,7 +18124,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
dev_read_urand(hald_t)
dev_read_input(hald_t)
dev_read_mouse(hald_t)
-@@ -161,6 +166,7 @@
+@@ -124,6 +129,7 @@
+ dev_read_lvm_control(hald_t)
+ dev_getattr_all_chr_files(hald_t)
+ dev_manage_generic_chr_files(hald_t)
++dev_manage_generic_blk_files(hald_t)
+ dev_rw_generic_usb_dev(hald_t)
+ dev_setattr_generic_usb_dev(hald_t)
+ dev_setattr_usbfs_files(hald_t)
+@@ -161,6 +167,7 @@
fs_unmount_dos_fs(hald_t)
fs_manage_dos_files(hald_t)
fs_manage_fusefs_dirs(hald_t)
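Review bot: `dev_manage_generic_blk_files(hald_t)` extends hald from managing generic character device nodes to creating, writing and deleting generic block device nodes as well, with no comment on which device hald needs this for. Block device nodes expose raw disk contents, so this is broader than the char-file grant next to it and deserves a why-comment, e.g. `# hald creates/removes <device> block nodes under /dev — TODO confirm; prefer a device-specific interface if one exists`.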
@@ -17952,7 +18140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
files_getattr_all_mountpoints(hald_t)
-@@ -180,7 +186,7 @@
+@@ -180,7 +187,7 @@
# hal_probe_serial causes these
term_setattr_unallocated_ttys(hald_t)
@@ -17961,7 +18149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
auth_use_nsswitch(hald_t)
-@@ -266,6 +272,10 @@
+@@ -266,6 +273,10 @@
')
optional_policy(`
@@ -17972,7 +18160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
gpm_dontaudit_getattr_gpmctl(hald_t)
')
-@@ -295,6 +305,7 @@
+@@ -295,6 +306,7 @@
')
optional_policy(`
@@ -17980,7 +18168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
ppp_read_rw_config(hald_t)
')
-@@ -315,11 +326,19 @@
+@@ -315,11 +327,19 @@
')
optional_policy(`
@@ -18000,7 +18188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
updfstab_domtrans(hald_t)
')
-@@ -331,6 +350,10 @@
+@@ -331,6 +351,10 @@
virt_manage_images(hald_t)
')
@@ -18011,7 +18199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Hal acl local policy
-@@ -351,6 +374,7 @@
+@@ -351,6 +375,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -18019,7 +18207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
corecmd_exec_bin(hald_acl_t)
-@@ -463,6 +487,10 @@
+@@ -463,6 +488,10 @@
miscfiles_read_localization(hald_keymap_t)
@@ -19585,7 +19773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.17/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/networkmanager.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/networkmanager.if 2010-03-31 10:22:48.000000000 -0400
@@ -118,6 +118,24 @@
########################################
@@ -26997,7 +27185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.17/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/xserver.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/xserver.if 2010-03-31 08:46:09.000000000 -0400
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -28740,7 +28928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.17/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/system/init.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/system/init.if 2010-03-31 10:17:10.000000000 -0400
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -28795,13 +28983,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -353,6 +368,36 @@
+@@ -353,6 +368,37 @@
kernel_dontaudit_use_fds($1)
')
')
+
+ userdom_dontaudit_search_user_home_dirs($1)
+ userdom_dontaudit_rw_stream($1)
++ userdom_dontaudit_write_user_tmp_files($1)
+
+ tunable_policy(`allow_daemons_use_tty',`
+ term_use_all_ttys($1)
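Review bot: `userdom_dontaudit_write_user_tmp_files($1)` is added to this interface (whose header is outside the hunk) without saying which daemon writes into user tmp files; since it applies to every domain the interface is given, it silences for all of them a denial that would otherwise reveal a daemon writing into user-owned tmp content. A comment naming the trigger and why the write is harmless to ignore, e.g. `# <daemon> touches user tmp files during <operation>; denial is harmless — TODO confirm`, keeps it from being read as a blanket exemption.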
@@ -28832,7 +29021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -682,6 +727,8 @@
+@@ -682,6 +728,8 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
@@ -28841,7 +29030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -754,18 +801,19 @@
+@@ -754,18 +802,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -28865,7 +29054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -781,23 +829,45 @@
+@@ -781,19 +830,41 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -28888,11 +29077,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ##
++ ')
++')
++
++########################################
++##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -28905,17 +29094,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
-+ ')
+ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+##
- ## Execute a init script in a specified domain.
- ##
- ##
-@@ -849,8 +919,10 @@
+ ')
+
+ ########################################
+@@ -849,8 +920,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -28926,7 +29111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1637,7 +1709,7 @@
+@@ -1637,7 +1710,7 @@
type initrc_var_run_t;
')
@@ -28935,7 +29120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1712,3 +1784,56 @@
+@@ -1712,3 +1785,56 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -28994,7 +29179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.17/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/system/init.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/system/init.te 2010-03-31 10:16:04.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -29219,7 +29404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -542,6 +604,34 @@
+@@ -542,6 +604,35 @@
')
')
@@ -29249,12 +29434,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ unconfined_dontaudit_rw_pipes(daemon)
+ unconfined_dontaudit_rw_stream(daemon)
+ userdom_dontaudit_read_user_tmp_files(daemon)
++ userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
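Review bot: `userdom_dontaudit_write_user_tmp_files(daemon)` is keyed on the whole `daemon` attribute, so every daemon that attempts to write user_tmp_t content is now silent in the audit log, not only the one that produced the denial; the condition guarding this block (a tunable or ifdef) begins outside the hunk, so its effective scope cannot be confirmed here. Silenced writes into user-owned tmp are exactly the events an incident responder would look for when checking whether a daemon followed a user-planted path. Consider scoping the rule to the daemon that needs it, or at least documenting the trigger in a comment above the line. The same patch adds the identical rule inside a per-domain init.if interface, which likely makes one of the two redundant.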
-@@ -554,6 +644,8 @@
+@@ -554,6 +645,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29263,7 +29449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -594,6 +686,7 @@
+@@ -594,6 +687,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29271,7 +29457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -647,11 +740,6 @@
+@@ -647,11 +741,6 @@
')
optional_policy(`
@@ -29283,7 +29469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
kerberos_use(initrc_t)
')
-@@ -690,12 +778,18 @@
+@@ -690,12 +779,18 @@
')
optional_policy(`
@@ -29302,7 +29488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +812,10 @@
+@@ -718,6 +813,10 @@
')
optional_policy(`
@@ -29313,7 +29499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -760,8 +858,6 @@
+@@ -760,8 +859,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29322,7 +29508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -774,10 +870,12 @@
+@@ -774,10 +871,12 @@
squid_manage_logs(initrc_t)
')
@@ -29335,7 +29521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +888,7 @@
+@@ -790,6 +889,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -29343,7 +29529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -801,8 +900,15 @@
+@@ -801,8 +901,15 @@
virt_manage_svirt_cache(initrc_t)
')
@@ -29359,7 +29545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +918,25 @@
+@@ -812,6 +919,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29385,7 +29571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +962,34 @@
+@@ -837,3 +963,34 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -31973,7 +32159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.17/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/system/udev.te 2010-03-29 15:35:15.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/system/udev.te 2010-03-31 10:23:08.000000000 -0400
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -31993,7 +32179,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
consoletype_exec(udev_t)
')
-@@ -268,6 +273,10 @@
+@@ -254,6 +259,10 @@
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(udev_t)
++')
++
++optional_policy(`
+ openct_read_pid_files(udev_t)
+ openct_domtrans(udev_t)
+ ')
+@@ -268,6 +277,10 @@
')
optional_policy(`
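Review bot: `networkmanager_dbus_chat(udev_t)` has no comment saying which udev helper needs to talk to NetworkManager, and if the interface follows the usual refpolicy `*_dbus_chat` shape it grants `send_msg` in both directions, so NetworkManager also gains the right to message udev. If udev only needs to send (for instance a rule notifying NetworkManager of a device event), a one-way send_msg rule would be the least-privilege choice; if both directions are genuinely required, say so. Suggested comment above the block: `# udev exchanges messages with NetworkManager over the system bus: <reason>`.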
@@ -32770,7 +32967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.17/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/system/userdomain.if 2010-03-30 11:02:42.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/system/userdomain.if 2010-03-31 10:15:57.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -32782,7 +32979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,87 @@
+@@ -43,69 +44,89 @@
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -32828,8 +33025,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
+
+ application_exec_all($1_usertype)
-+
-+ files_exec_usr_files($1_t)
- kernel_read_kernel_sysctls($1_t)
- kernel_dontaudit_list_unlabeled($1_t)
@@ -32893,13 +33088,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- files_dontaudit_getattr_non_security_symlinks($1_t)
- files_dontaudit_getattr_non_security_pipes($1_t)
- files_dontaudit_getattr_non_security_sockets($1_t)
--
-- libs_exec_ld_so($1_t)
--
-- miscfiles_read_localization($1_t)
-- miscfiles_read_certs($1_t)
--
-- sysnet_read_config($1_t)
+ files_dontaudit_getattr_all_dirs($1_usertype)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_all_files($1_usertype)
@@ -32907,10 +33095,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
+
-+ storage_rw_fuse($1_usertype)
++ files_exec_usr_files($1_t)
+
++ fs_list_cgroup_dirs($1_usertype)
+
+- libs_exec_ld_so($1_t)
++ storage_rw_fuse($1_usertype)
+
+- miscfiles_read_localization($1_t)
+- miscfiles_read_certs($1_t)
+ auth_use_nsswitch($1_usertype)
-+
+
+- sysnet_read_config($1_t)
+ libs_exec_ld_so($1_usertype)
+
+ miscfiles_read_certs($1_usertype)
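Review bot: `fs_list_cgroup_dirs($1_usertype)` is a new interface name whose definition is not in this chunk; unless the same patch adds it to filesystem.if (the changelog does mention /cgroup policy), every user template fails to build on an undefined macro, so that hunk should be confirmed. Granting it on the `$1_usertype` attribute means every derived user domain, not only the login shell, may list cgroup directories; that is reasonable for read-only listing but deserves a one-line comment. Separately, the relocated `files_exec_usr_files($1_t)` is the only rule in this run still keyed on `$1_t` while its neighbours use `$1_usertype`; if the narrower scope is intentional, a comment such as `# exec of /usr content stays limited to the base user domain` would stop a later consistency fix from silently widening it.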
@@ -32920,7 +33116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +135,12 @@
+@@ -116,6 +137,12 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -32933,7 +33129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -147,6 +172,7 @@
+@@ -147,6 +174,7 @@
interface(`userdom_ro_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -32941,7 +33137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
role $1 types { user_home_t user_home_dir_t };
-@@ -157,6 +183,7 @@
+@@ -157,6 +185,7 @@
#
type_member $2 user_home_dir_t:dir user_home_dir_t;
@@ -32949,7 +33145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms;
-@@ -168,27 +195,6 @@
+@@ -168,27 +197,6 @@
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -32977,7 +33173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -220,9 +226,10 @@
+@@ -220,9 +228,10 @@
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -32989,7 +33185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
-@@ -232,17 +239,20 @@
+@@ -232,17 +241,20 @@
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -33020,7 +33216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -250,25 +260,23 @@
+@@ -250,25 +262,23 @@
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -33050,7 +33246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -303,6 +311,7 @@
+@@ -303,6 +313,7 @@
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -33058,7 +33254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -322,6 +331,7 @@
+@@ -322,6 +333,7 @@
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -33066,7 +33262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($1)
')
-@@ -368,46 +378,41 @@
+@@ -368,46 +380,41 @@
#######################################
##
@@ -33088,10 +33284,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- gen_require(`
- type $1_t;
- ')
--
++interface(`userdom_basic_networking',`
+
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-+interface(`userdom_basic_networking',`
++ allow $1 self:tcp_socket create_stream_socket_perms;
++ allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
@@ -33103,9 +33301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
-+ allow $1 self:tcp_socket create_stream_socket_perms;
-+ allow $1 self:udp_socket create_socket_perms;
-
+-
- corenet_all_recvfrom_labeled($1_t, $1_t)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
@@ -33133,7 +33329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -438,6 +443,7 @@
+@@ -438,6 +445,7 @@
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -33141,7 +33337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -498,7 +504,7 @@
+@@ -498,7 +506,7 @@
attribute unpriv_userdomain;
')
@@ -33150,7 +33346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
-@@ -508,71 +514,77 @@
+@@ -508,71 +516,77 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -33171,27 +33367,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corecmd_exec_bin($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
--
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -33266,7 +33462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
tunable_policy(`user_ttyfile_stat',`
-@@ -580,65 +592,100 @@
+@@ -580,65 +594,100 @@
')
optional_policy(`
@@ -33306,43 +33502,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_var_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_var_lib_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ vpnc_dbus_chat($1_usertype)
')
')
@@ -33385,7 +33581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
-@@ -649,41 +696,50 @@
+@@ -649,41 +698,50 @@
optional_policy(`
# to allow monitoring of pcmcia status
@@ -33412,58 +33608,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpc_dontaudit_getattr_exports($1_usertype)
-+ rpc_manage_nfs_rw_content($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ rpcbind_stream_connect($1_usertype)
++ rpc_dontaudit_getattr_exports($1_usertype)
++ rpc_manage_nfs_rw_content($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ seunshare_role_template($1, $1_r, $1_t)
++ sandbox_transition($1_usertype, $1_r)
')
+
+ optional_policy(`
++ seunshare_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
+ slrnpull_search_spool($1_usertype)
+ ')
+
')
#######################################
-@@ -711,13 +767,26 @@
+@@ -711,13 +769,26 @@
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
++
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable(allow_$1_exec_content, true)
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable(allow_$1_exec_content, true)
-+
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -33479,7 +33675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_change_password_template($1)
-@@ -735,70 +804,73 @@
+@@ -735,70 +806,73 @@
allow $1_t self:context contains;
@@ -33544,49 +33740,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
++
++ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
-+ seutil_read_config($1_usertype)
++ optional_policy(`
++ cups_read_config($1_usertype)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
++ ')
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
-+ cups_read_config($1_usertype)
-+ cups_stream_connect($1_usertype)
-+ cups_stream_connect_ptal($1_usertype)
++ kerberos_use($1_usertype)
++ kerberos_connect_524($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
-+ kerberos_use($1_usertype)
-+ kerberos_connect_524($1_usertype)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
-+ mta_dontaudit_read_spool_symlinks($1_usertype)
++ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
-+ quota_dontaudit_getattr_db($1_usertype)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
-+ rpm_read_db($1_usertype)
-+ rpm_dontaudit_manage_db($1_usertype)
-+ rpm_read_cache($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ oddjob_run_mkhomedir($1_t, $1_r)
')
')
-@@ -830,12 +902,35 @@
+@@ -830,12 +904,35 @@
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -33622,7 +33818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
loadkeys_run($1_t,$1_r)
')
')
-@@ -871,45 +966,80 @@
+@@ -871,45 +968,83 @@
#
auth_role($1_r, $1_t)
@@ -33645,6 +33841,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- logging_send_syslog_msg($1_t)
+ tunable_policy(`user_rw_noexattrfile',`
++ dev_rw_usbfs($1_t)
++ dev_rw_generic_usb_dev($1_usertype)
++
+ fs_manage_noxattr_fs_files($1_usertype)
+ fs_manage_noxattr_fs_dirs($1_usertype)
+ fs_manage_dos_dirs($1_usertype)
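Review bot: The two lines added under the `user_rw_noexattrfile` tunable_policy block grant raw access to USB device nodes (`dev_rw_generic_usb_dev`) and usbfs from confined user domains, which is a different and larger capability than the boolean's name advertises (writing files on filesystems without xattr support): a user who enables it to use a vfat stick also lets confined processes talk directly to any USB device, including tokens and adapters, and could in principle reconfigure them. A separate boolean (e.g. `user_rw_usb_devices`) or at least an updated tunable description would keep the administrator's consent meaningful; the tunable's definition and description are outside the hunk. Also `dev_rw_usbfs($1_t)` targets only the base type while `dev_rw_generic_usb_dev($1_usertype)` on the next line covers the usertype attribute; pick one scope, presumably `dev_rw_usbfs($1_usertype)`. Note that the X-client template earlier in this diff already grants `dev_rw_usbfs($1_t)` unconditionally (context `# GNOME checks for usb and other devices:`), so the first added line may be redundant for desktop users.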
@@ -33718,7 +33917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -944,7 +1074,7 @@
+@@ -944,7 +1079,7 @@
#
# Inherit rules for ordinary users.
@@ -33727,7 +33926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -953,54 +1083,73 @@
+@@ -953,54 +1088,73 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -33831,7 +34030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1036,7 +1185,7 @@
+@@ -1036,7 +1190,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -33840,7 +34039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1071,6 +1220,9 @@
+@@ -1071,6 +1225,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -33850,7 +34049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1237,7 @@
+@@ -1085,6 +1242,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -33858,7 +34057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1120,6 +1273,8 @@
+@@ -1120,6 +1278,8 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -33867,7 +34066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1207,6 +1362,8 @@
+@@ -1207,6 +1367,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -33876,7 +34075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1234,6 +1391,7 @@
+@@ -1234,6 +1396,7 @@
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -33884,7 +34083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1272,11 +1430,15 @@
+@@ -1272,11 +1435,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -33900,7 +34099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,6 +1549,7 @@
+@@ -1387,6 +1554,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -33908,7 +34107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1433,6 +1596,14 @@
+@@ -1433,6 +1601,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -33923,7 +34122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1619,11 @@
+@@ -1448,9 +1624,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -33935,7 +34134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1680,42 @@
+@@ -1507,6 +1685,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -33978,7 +34177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Create directories in the home dir root with
-@@ -1581,6 +1790,8 @@
+@@ -1581,6 +1795,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -33987,7 +34186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1595,10 +1806,12 @@
+@@ -1595,10 +1811,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -34002,7 +34201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1641,6 +1854,24 @@
+@@ -1641,6 +1859,24 @@
########################################
##
@@ -34027,7 +34226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1692,6 +1923,7 @@
+@@ -1692,6 +1928,7 @@
type user_home_dir_t, user_home_t;
')
@@ -34035,7 +34234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1708,11 +1940,14 @@
+@@ -1708,11 +1945,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -34053,7 +34252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1819,20 +2054,14 @@
+@@ -1819,20 +2059,14 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -34078,7 +34277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
-@@ -1866,6 +2095,7 @@
+@@ -1866,6 +2100,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -34086,7 +34285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2332,25 @@
+@@ -2102,6 +2337,25 @@
########################################
##
@@ -34112,7 +34311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to list user
## temporary directories.
##
-@@ -2218,6 +2467,25 @@
+@@ -2218,6 +2472,25 @@
########################################
##
@@ -34138,7 +34337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
##
-@@ -2427,13 +2695,14 @@
+@@ -2427,13 +2700,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -34154,7 +34353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2454,6 +2723,24 @@
+@@ -2454,6 +2728,24 @@
########################################
##
@@ -34179,7 +34378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Get the attributes of a user domain tty.
##
##
-@@ -2787,7 +3074,7 @@
+@@ -2787,7 +3079,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -34188,7 +34387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3090,13 @@
+@@ -2803,11 +3095,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -34204,7 +34403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2944,7 +3233,7 @@
+@@ -2944,7 +3238,7 @@
type user_tmp_t;
')
@@ -34213,7 +34412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3270,7 @@
+@@ -2981,6 +3275,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -34221,7 +34420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3401,745 @@
+@@ -3111,3 +3406,745 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index da8c547..6c05368 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.17
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,11 +466,16 @@ exit 0
%endif
%changelog
+* Wed Mar 31 2010 Dan Walsh 3.7.17-3
+- Fix cgroup handling adding policy for /cgroup
+- Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set
+
* Tue Mar 30 2010 Dan Walsh 3.7.17-2
-- Mege patches from dgrift
+- Merge patches from dgrift
* Mon Mar 29 2010 Dan Walsh 3.7.17-1
- Update upstream
+- Allow abrt to write to the /proc under any process
* Fri Mar 26 2010 Dan Walsh 3.7.16-2
- Fix ~/.fontconfig label