diff --git a/modules-minimum.conf b/modules-minimum.conf
index c669727..4e489a2 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1700,6 +1700,13 @@ vhostmd = module
#
wine = module
+# Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
# Layer: admin
# Module: tzdata
#
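Review bot: The header comment for the new entry says `# Module: telepathy_sofiasip`, but the key being enabled is `telepathysofiasip = module` and the policy files added in policy-F13.patch are named `telepathysofiasip.*`. The comment should read `# Module: telepathysofiasip` so that a search for the module name finds its entry. The same mismatch is repeated in the modules-mls.conf and modules-targeted.conf hunks.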
diff --git a/modules-mls.conf b/modules-mls.conf
index 5b37bad..914cb73 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1503,7 +1503,6 @@ sudo = base
#
sysnetwork = base
-
# Layer: services
# Module: sysstat
#
@@ -1793,6 +1792,13 @@ portreserve = module
rpcbind = module
# Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
+# Layer: apps
# Module: vmware
#
# VMWare Workstation virtual machines
diff --git a/modules-targeted.conf b/modules-targeted.conf
index c669727..4e489a2 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1700,6 +1700,13 @@ vhostmd = module
#
wine = module
+# Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
# Layer: admin
# Module: tzdata
#
diff --git a/policy-F13.patch b/policy-F13.patch
index f66b7b1..8556e40 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1607,13 +1607,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
java_domtrans_unconfined(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.18/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-03-08 14:49:44.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/admin/shorewall.te 2010-04-08 15:25:24.000000000 -0400
-@@ -87,7 +87,7 @@
++++ serefpolicy-3.7.18/policy/modules/admin/shorewall.te 2010-04-12 13:05:59.000000000 -0400
+@@ -87,7 +87,11 @@
sysnet_domtrans_ifconfig(shorewall_t)
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
+userdom_dontaudit_list_admin_dir(shorewall_t)
++
++optional_policy(`
++ hostname_exec(shorewall_t)
++')
optional_policy(`
iptables_domtrans(shorewall_t)
@@ -2215,8 +2219,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.18/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/apps/chrome.te 2010-04-08 15:25:24.000000000 -0400
-@@ -0,0 +1,85 @@
++++ serefpolicy-3.7.18/policy/modules/apps/chrome.te 2010-04-12 13:31:36.000000000 -0400
+@@ -0,0 +1,86 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -2266,6 +2270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+dev_rwx_zero(chrome_sandbox_t)
+
+files_read_etc_files(chrome_sandbox_t)
++files_read_usr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
@@ -3363,7 +3368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.18/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/apps/gpg.te 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/apps/gpg.te 2010-04-11 08:33:43.000000000 -0400
@@ -20,6 +20,7 @@
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
@@ -3474,7 +3479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-@@ -202,10 +226,15 @@
+@@ -202,10 +226,16 @@
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
@@ -3483,6 +3488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
++corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
+corecmd_exec_shell(gpg_agent_t)
+
@@ -3490,7 +3496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
domain_use_interactive_fds(gpg_agent_t)
-@@ -237,31 +266,72 @@
+@@ -237,31 +267,72 @@
fs_manage_cifs_symlinks(gpg_agent_t)
')
@@ -3564,7 +3570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
')
-@@ -271,5 +341,24 @@
+@@ -271,5 +342,24 @@
')
optional_policy(`
@@ -5904,8 +5910,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.18/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/apps/sandbox.te 2010-04-08 15:25:24.000000000 -0400
-@@ -0,0 +1,367 @@
++++ serefpolicy-3.7.18/policy/modules/apps/sandbox.te 2010-04-12 14:47:39.000000000 -0400
+@@ -0,0 +1,368 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -6027,6 +6033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+files_read_etc_files(sandbox_domain)
+files_read_usr_files(sandbox_domain)
++files_dontaudit_search_all_dirs(sandbox_domain)
+
+miscfiles_read_localization(sandbox_domain)
+
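Review bot: The added `files_dontaudit_search_all_dirs(sandbox_domain)` silences the AVC record for every directory search denied to a sandboxed process, and it applies to the whole `sandbox_domain` attribute rather than to one sandbox type. The denials stay enforced, but a sandboxed program probing directories it should not reach no longer leaves an audit trail, which is the signal a responder would look for. A comment above the line naming the benign lookups it is meant to quiet would make the trade-off explicit. It could also note that `semodule -DB` rebuilds the policy with dontaudit rules disabled for an investigation.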
@@ -6463,6 +6470,134 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.
# getpwnam
auth_use_nsswitch(locate_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathysofiasip.fc serefpolicy-3.7.18/policy/modules/apps/telepathysofiasip.fc
+--- nsaserefpolicy/policy/modules/apps/telepathysofiasip.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.18/policy/modules/apps/telepathysofiasip.fc 2010-04-12 12:27:20.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathysofiasip_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathysofiasip.if serefpolicy-3.7.18/policy/modules/apps/telepathysofiasip.if
+--- nsaserefpolicy/policy/modules/apps/telepathysofiasip.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.18/policy/modules/apps/telepathysofiasip.if 2010-04-12 12:27:20.000000000 -0400
+@@ -0,0 +1,69 @@
++
++## policy for telepathy-sofiasip
++
++########################################
++##
++## Execute a domain transition to run telepathy-sofiasip.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`telepathysofiasip_domtrans',`
++ gen_require(`
++ type telepathysofiasip_t, telepathysofiasip_exec_t;
++ ')
++
++ domtrans_pattern($1, telepathysofiasip_exec_t, telepathysofiasip_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## telepathy-sofiasip over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`telepathysofiasip_dbus_chat',`
++ gen_require(`
++ type telepathysofiasip_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 telepathysofiasip_t:dbus send_msg;
++ allow telepathysofiasip_t $1:dbus send_msg;
++')
++
++#######################################
++##
++## Role access for telepathy-sofiasip
++## that executes via dbus-session
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`telepathysofiasip_role',`
++ gen_require(`
++ type telepathysofiasip_t;
++ type telepathysofiasip_exec_t;
++ ')
++
++ dbus_session_domain(telepathysofiasip_t, telepathysofiasip_exec_t)
++ role $1 types telepathysofiasip_t;
++
++ telepathysofiasip_dbus_chat($2)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathysofiasip.te serefpolicy-3.7.18/policy/modules/apps/telepathysofiasip.te
+--- nsaserefpolicy/policy/modules/apps/telepathysofiasip.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.18/policy/modules/apps/telepathysofiasip.te 2010-04-12 12:27:20.000000000 -0400
+@@ -0,0 +1,45 @@
++
++policy_module(telepathysofiasip,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type telepathysofiasip_t;
++type telepathysofiasip_exec_t;
++application_domain(telepathysofiasip_t, telepathysofiasip_exec_t)
++
++permissive telepathysofiasip_t;
++
++########################################
++#
++# telepathy-sofiasip local policy
++#
++
++allow telepathysofiasip_t self:process signal;
++
++allow telepathysofiasip_t self:netlink_route_socket r_netlink_socket_perms;
++allow telepathysofiasip_t self:tcp_socket create_stream_socket_perms;
++allow telepathysofiasip_t self:udp_socket create_socket_perms;
++allow telepathysofiasip_t self:rawip_socket { create_socket_perms listen };
++
++kernel_request_load_module(telepathysofiasip_t)
++
++corenet_all_recvfrom_unlabeled(telepathysofiasip_t)
++corenet_all_recvfrom_netlabel(telepathysofiasip_t)
++corenet_tcp_sendrecv_generic_if(telepathysofiasip_t)
++corenet_udp_sendrecv_generic_if(telepathysofiasip_t)
++corenet_raw_sendrecv_generic_if(telepathysofiasip_t)
++corenet_tcp_sendrecv_generic_node(telepathysofiasip_t)
++corenet_udp_sendrecv_generic_node(telepathysofiasip_t)
++corenet_raw_sendrecv_generic_node(telepathysofiasip_t)
++corenet_tcp_sendrecv_all_ports(telepathysofiasip_t)
++corenet_udp_sendrecv_all_ports(telepathysofiasip_t)
++corenet_tcp_bind_generic_node(telepathysofiasip_t)
++corenet_udp_bind_generic_node(telepathysofiasip_t)
++corenet_raw_bind_generic_node(telepathysofiasip_t)
++
++dev_read_urand(telepathysofiasip_t)
++
++sysnet_read_config(telepathysofiasip_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.7.18/policy/modules/apps/userhelper.fc
--- nsaserefpolicy/policy/modules/apps/userhelper.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.18/policy/modules/apps/userhelper.fc 2010-04-08 15:25:24.000000000 -0400
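Review bot: The new domain ships with `permissive telepathysofiasip_t;` and no comment saying why or for how long, so none of the rules in telepathysofiasip.te are enforced: denials are logged but not blocked. The staff.te hunk later in this patch already lets `staff_r` enter the domain through `telepathysofiasip_role(staff_r, staff_t)`. For a network-facing SIP connection manager that is also given `rawip_socket { create_socket_perms listen }`, `kernel_request_load_module` and send/receive on all TCP and UDP ports, the line deserves a comment such as `# permissive while AVCs are collected; remove once the rule set is confirmed`. The collected AVCs should also be used to check whether the raw-socket and module-load rules are needed at all before the domain is switched to enforcing.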
@@ -6609,7 +6744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.18/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/apps/vmware.te 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/apps/vmware.te 2010-04-11 08:28:03.000000000 -0400
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -6634,6 +6769,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+@@ -87,6 +97,8 @@
+ manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+
++can_exec(vmware_host_t, vmware_host_exec_t)
++
+ kernel_read_kernel_sysctls(vmware_host_t)
+ kernel_read_system_state(vmware_host_t)
+
+@@ -114,6 +126,7 @@
+ dev_read_sysfs(vmware_host_t)
+ dev_read_urand(vmware_host_t)
+ dev_rw_vmware(vmware_host_t)
++dev_rw_generic_chr_files(vmware_host_t)
+
+ domain_use_interactive_fds(vmware_host_t)
+ domain_dontaudit_read_all_domains_state(vmware_host_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.18/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500
+++ serefpolicy-3.7.18/policy/modules/apps/wine.if 2010-04-08 15:25:24.000000000 -0400
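Review bot: `dev_rw_generic_chr_files(vmware_host_t)` grants read/write on every character device that still carries the generic device label, not only on VMware's own nodes, which `dev_rw_vmware(vmware_host_t)` directly above it already covers. If the denial came from a VMware device node that is created without a specific label, the narrower fix is a file-context entry for that node. Otherwise a comment naming the device that needed the rule would allow it to be removed later. The surrounding `.te` file continues outside the lines shown in this hunk.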
@@ -6762,7 +6914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.18/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/kernel/corecommands.fc 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/kernel/corecommands.fc 2010-04-13 09:57:32.000000000 -0400
@@ -49,7 +49,8 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -6797,7 +6949,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +338,21 @@
+@@ -297,6 +304,7 @@
+ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/system-config-services/gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
+@@ -331,3 +339,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -6821,7 +6981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.18/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/kernel/corecommands.if 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/kernel/corecommands.if 2010-04-11 08:33:32.000000000 -0400
@@ -931,6 +931,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -6840,7 +7000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.18/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-05 14:44:26.000000000 -0400
-+++ serefpolicy-3.7.18/policy/modules/kernel/corenetwork.te.in 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/kernel/corenetwork.te.in 2010-04-13 11:37:10.000000000 -0400
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@@ -6890,7 +7050,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -132,6 +139,7 @@
+@@ -111,6 +118,7 @@
+ network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+ network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
++
+ network_port(i18n_input, tcp,9010,s0)
+ network_port(imaze, tcp,5323,s0, udp,5323,s0)
+ network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+@@ -132,6 +140,7 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
@@ -6898,8 +7066,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
-@@ -144,21 +152,30 @@
- portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+@@ -140,25 +149,33 @@
+ network_port(msnp, tcp,1863,s0, udp,1863,s0)
+ network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
+ network_port(munin, tcp,4949,s0, udp,4949,s0)
+-network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
+-portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
++network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
+network_port(netport, tcp,3129,s0, udp,3129,s0)
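Review bot: Folding the separate `portcon tcp 63132-63163` line into `network_port(mysqld, ...)` also moves the upper bound to 63164, so one more port is labelled for mysqld than before. Nothing in the hunk or the changelog explains the extra port; if it is not intended, the entry should read `network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63163,s0)`. Ranges inside `network_port()` depend on the `range_start` macro this patch adds to corenetwork.te.m4, so the two changes have to stay together.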
@@ -6949,15 +7122,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
-@@ -202,7 +221,7 @@
+@@ -201,8 +220,8 @@
+ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
- network_port(virt_migration, tcp,49152-49216,s0)
+-network_port(virt_migration, tcp,49152-49216,s0)
-network_port(vnc, tcp,5900,s0)
++network_port(virt_migration, tcp,49152-492169,s0)
+network_port(vnc, tcp,5900-5999,s0)
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-3.7.18/policy/modules/kernel/corenetwork.te.m4
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/kernel/corenetwork.te.m4 2010-04-13 11:25:25.000000000 -0400
+@@ -6,6 +6,16 @@
+ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+ #
++# range_start(num)
++#
++# return the low port in a range.
++#
++# range_start(600) returns "600"
++# range_start(1200-1600) returns "1200"
++#
++define(`range_start',`ifelse(`-1',index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))')
++
++#
+ # build_option(option_name,true,[false])
+ #
+ # makes an ifdef. hacky quoting changes because with
+@@ -68,10 +78,10 @@
+ ')
+
+ define(`declare_ports',`dnl
+-ifelse(eval($3 < 1024),1,`
++ifelse(eval(range_start($3) < 1024),1,`
+ typeattribute $1 reserved_port_type;
+ #bindresvport in glibc starts searching for reserved ports at 600
+-ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
++ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+ ',`dnl')
+ portcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.18/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500
+++ serefpolicy-3.7.18/policy/modules/kernel/devices.fc 2010-04-08 15:25:24.000000000 -0400
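Review bot: `network_port(virt_migration, tcp,49152-492169,s0)` has an upper bound of 492169, which is above the highest valid port number (65535). The line it replaces used 49152-49216, so this looks like a stray digit and should be `network_port(virt_migration, tcp,49152-49216,s0)`. Depending on how the policy compiler treats the value, the build either fails or the migration port label ends up on far more ports than intended. The new `range_start` macro does not catch this, because `declare_ports` now compares only the low end of a range with 1024 and 600. A range that straddles 1024 would likewise be marked `reserved_port_type` as a whole, which is worth stating in the macro's comment.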
@@ -6971,7 +7179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.18/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/kernel/devices.if 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/kernel/devices.if 2010-04-13 08:41:17.000000000 -0400
@@ -934,6 +934,42 @@
########################################
@@ -7015,7 +7223,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
##
##
-@@ -2597,6 +2633,7 @@
+@@ -2042,6 +2078,24 @@
+
+ ########################################
+ ##
++## Get the attributes of the lvm comtrol device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_lvm_control',`
++ gen_require(`
++ type device_t, lvm_control_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, lvm_control_t)
++')
++
++########################################
++##
+ ## Read the lvm comtrol device.
+ ##
+ ##
+@@ -2597,6 +2651,7 @@
type mtrr_device_t;
')
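Review bot: The summary of the new `dev_getattr_lvm_control` interface copies a misspelling from the neighbouring interface: `Get the attributes of the lvm comtrol device.` should read `Get the attributes of the lvm control device.`. These `##` summaries are the interface's documentation, so the typo is what a policy writer looking up the interface will see. The existing `Read the lvm comtrol device.` summary just below has the same misspelling, but it is context here and not part of this change.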
@@ -7023,7 +7256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
dontaudit $1 mtrr_device_t:chr_file write;
')
-@@ -3440,6 +3477,24 @@
+@@ -3440,6 +3495,24 @@
########################################
##
@@ -7048,7 +7281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
##
##
-@@ -3733,6 +3788,24 @@
+@@ -3733,6 +3806,24 @@
########################################
##
@@ -7395,7 +7628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.18/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.18/policy/modules/kernel/files.fc 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/kernel/files.fc 2010-04-12 12:34:25.000000000 -0400
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -7477,9 +7710,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
+@@ -254,3 +268,5 @@
+ ifdef(`distro_debian',`
+ /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ ')
++/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
++/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.18/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-05 14:44:26.000000000 -0400
-+++ serefpolicy-3.7.18/policy/modules/kernel/files.if 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/kernel/files.if 2010-04-12 14:46:57.000000000 -0400
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -9099,7 +9338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t
+gen_user(guest_u, user, guest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.18/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-03-10 15:27:26.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/roles/staff.te 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/roles/staff.te 2010-04-12 12:27:20.000000000 -0400
@@ -9,25 +9,52 @@
role staff_r;
@@ -9200,15 +9439,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
sudo_role_template(staff, staff_r, staff_t)
-@@ -145,6 +183,7 @@
- userdom_dontaudit_use_user_terminals(staff_t)
+@@ -146,6 +184,11 @@
')
-+ifndef(`distro_redhat',`
optional_policy(`
++ telepathysofiasip_role(staff_r, staff_t)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
thunderbird_role(staff_r, staff_t)
')
-@@ -169,6 +208,77 @@
+
+@@ -169,6 +212,77 @@
wireshark_role(staff_r, staff_t)
')
@@ -13942,7 +14185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+fs_mount_cgroup(cgconfigparser_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.18/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/services/clamav.te 2010-04-08 15:25:23.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/clamav.te 2010-04-12 13:24:57.000000000 -0400
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -13965,7 +14208,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -189,10 +197,14 @@
+@@ -177,6 +185,7 @@
+ corenet_tcp_sendrecv_all_ports(freshclam_t)
+ corenet_tcp_sendrecv_clamd_port(freshclam_t)
+ corenet_tcp_connect_http_port(freshclam_t)
++corenet_tcp_connect_clamd_port(freshclam_t)
+ corenet_sendrecv_http_client_packets(freshclam_t)
+
+ dev_read_rand(freshclam_t)
+@@ -189,10 +198,14 @@
auth_use_nsswitch(freshclam_t)
@@ -13980,7 +14231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
-@@ -246,6 +258,12 @@
+@@ -246,6 +259,12 @@
mta_send_mail(clamscan_t)
@@ -17960,8 +18211,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.18/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.18/policy/modules/services/milter.if 2010-04-08 15:25:24.000000000 -0400
-@@ -82,6 +82,24 @@
++++ serefpolicy-3.7.18/policy/modules/services/milter.if 2010-04-12 07:47:34.000000000 -0400
+@@ -37,6 +37,8 @@
+
+ files_read_etc_files($1_milter_t)
+
++ kernel_dontaudit_read_system_state($1_milter_t)
++
+ miscfiles_read_localization($1_milter_t)
+
+ logging_send_syslog_msg($1_milter_t)
+@@ -82,6 +84,24 @@
########################################
##
@@ -17986,6 +18246,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
## Manage spamassassin milter state
##
##
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.7.18/policy/modules/services/milter.te
+--- nsaserefpolicy/policy/modules/services/milter.te 2009-12-18 11:38:25.000000000 -0500
++++ serefpolicy-3.7.18/policy/modules/services/milter.te 2010-04-12 07:47:34.000000000 -0400
+@@ -81,13 +81,11 @@
+ allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+ files_search_var_lib(spamass_milter_t)
+
+-kernel_read_system_state(spamass_milter_t)
+-
+ # When used with -b or -B options, the milter invokes sendmail to send mail
+-# to a spamtrap address, using popen()
+-corecmd_exec_shell(spamass_milter_t)
++# to a spamtrap address, and with the -x option, it invokes sendmail to do
++# alias expansion. Since the sendmail binary is managed using alternatives,
++# it's a symlink that we need to be able to read.
+ corecmd_read_bin_symlinks(spamass_milter_t)
+-corecmd_search_bin(spamass_milter_t)
+
+ mta_send_mail(spamass_milter_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.18/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.18/policy/modules/services/modemmanager.te 2010-04-08 15:25:24.000000000 -0400
@@ -18388,7 +18668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.18/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.18/policy/modules/services/munin.te 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/munin.te 2010-04-12 13:32:55.000000000 -0400
@@ -28,12 +28,26 @@
type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)
@@ -18449,7 +18729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-@@ -164,3 +185,146 @@
+@@ -164,3 +185,147 @@
optional_policy(`
udev_read_db(munin_t)
')
@@ -18472,6 +18752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+
+fs_getattr_all_fs(munin_disk_plugin_t)
+
++dev_getattr_lvm_control(munin_disk_plugin_t)
+dev_read_sysfs(munin_disk_plugin_t)
+dev_read_urand(munin_disk_plugin_t)
+
@@ -28780,7 +29061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.18/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400
-+++ serefpolicy-3.7.18/policy/modules/system/libraries.fc 2010-04-08 15:25:24.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/system/libraries.fc 2010-04-12 12:35:07.000000000 -0400
@@ -208,6 +208,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -28805,7 +29086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +315,144 @@
+@@ -319,14 +315,146 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -28952,6 +29233,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.18/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2010-03-23 10:55:15.000000000 -0400
+++ serefpolicy-3.7.18/policy/modules/system/libraries.te 2010-04-08 15:25:24.000000000 -0400
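Review bot: The new `/usr/lib/nsr/(.*/)?.*\.so` entry is anchored at `/usr/lib/` only, whereas the `libGTL` entry just above it uses `/usr/lib(64)?/`, so copies installed under `/usr/lib64/nsr` would not receive the label. It also matches only names ending in `.so`, with no version suffix. If 64-bit installs exist, `/usr/lib(64)?/nsr/(.*/)?.*\.so(\.[^/]*)* --` would be consistent with the other patterns shown in this patch. Both new entries assign `textrel_shlib_t` by wildcard to every shared object under a directory, which permits text relocations for all of them; listing the specific libraries that need it would keep that exception narrow.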
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f4b9910..1198303 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.18
-Release: 1%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,12 @@ exit 0
%endif
%changelog
+* Tue Apr 13 2010 Dan Walsh 3.7.18-3
+- Fix reserved port desination
+
+* Mon Apr 12 2010 Dan Walsh 3.7.18-2
+- Add telepathysofiasip policy
+
* Mon Apr 5 2010 Dan Walsh 3.7.18-1
- Update to upstream
- Fix label for /opt/google/chrome/chrome-sandbox