-+##
-+## Allow postfix_local domain full write access to mail_spool directories
-+##
++##
++## Allow postfix_local domain full write access to mail_spool directories
++##
+##
+gen_tunable(postfix_local_write_mail_spool, true)
+
@@ -48357,6 +48458,15 @@ index a1e0f60..22a3efd 100644
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+@@ -195,7 +216,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+-# for postalias
++# for postalias
+ mailman_manage_data_files(postfix_master_t)
+ ')
+
@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
@@ -48621,7 +48731,7 @@ index a1e0f60..22a3efd 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +648,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -48629,15 +48739,16 @@ index a1e0f60..22a3efd 100644
+
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
++corenet_tcp_bind_spamd_port(postfix_master_t)
+
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +660,14 @@ optional_policy(`
+@@ -565,6 +661,14 @@ optional_policy(`
')
optional_policy(`
-+ dovecot_stream_connect(postfix_smtp_t)
++ dovecot_stream_connect(postfix_smtp_t)
+')
+
+optional_policy(`
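Review bot: The added `corenet_tcp_bind_spamd_port(postfix_master_t)` sits under the existing `# for spampd` comment, which explains the outbound connect on the line above but not why the Postfix master process must listen on a spamd-labelled port. Binding lets postfix_master_t occupy a port that the rest of the policy treats as belonging to the spam filter, so the reason belongs next to the rule, for example `# spampd hands filtered mail back to a master listener on a spamd_port_t port`, if that is the intent. The rule is also unconditional; if only content-filter setups need it, a boolean would keep the bind permission off hosts that do not run spampd. The surrounding policy section is only partly visible in this hunk.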
@@ -48648,7 +48759,7 @@ index a1e0f60..22a3efd 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +684,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -48675,7 +48786,7 @@ index a1e0f60..22a3efd 100644
')
optional_policy(`
-@@ -599,6 +710,11 @@ optional_policy(`
+@@ -599,6 +711,11 @@ optional_policy(`
')
optional_policy(`
@@ -48687,7 +48798,7 @@ index a1e0f60..22a3efd 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +727,6 @@ optional_policy(`
+@@ -611,7 +728,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -48695,7 +48806,7 @@ index a1e0f60..22a3efd 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +737,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
@@ -48703,7 +48814,7 @@ index a1e0f60..22a3efd 100644
files_read_usr_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +744,76 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -49095,7 +49206,7 @@ index de4bdb7..a4cad0b 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index bcbf9ac..c4607d4 100644
+index bcbf9ac..5a550bb 100644
--- a/ppp.te
+++ b/ppp.te
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
@@ -49141,7 +49252,7 @@ index bcbf9ac..c4607d4 100644
#
-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
-+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched signal };
+allow pppd_t self:process { getsched setsched signal };
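Review bot: `sys_nice` is added to the `pppd_t` capability set without a comment saying which pppd operation needs it, on a line that already carries `sys_admin` and `dac_override`. Because `setsched` is granted on the following `self:process` rule, the likely reason is a scheduling-priority change, but that is inferred from this hunk rather than stated. A one-line comment above the rule, such as `# sys_nice: pppd adjusts its own scheduling priority`, together with the denial that motivated it, would let a later reviewer judge whether the capability is still required.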
@@ -61642,7 +61753,7 @@ index bcdd16c..039b0c8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..3ec58d6 100644
+index 086cd5f..08ef0c7 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -61767,13 +61878,15 @@ index 086cd5f..3ec58d6 100644
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,10 +176,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
-
++corecmd_getattr_all_executables(setroubleshoot_fixit_t)
++
+dev_read_sysfs(setroubleshoot_fixit_t)
+dev_read_urand(setroubleshoot_fixit_t)
-+
+
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+seutil_read_module_store(setroubleshoot_fixit_t)
@@ -61783,7 +61896,7 @@ index 086cd5f..3ec58d6 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,7 +191,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,7 +192,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -68163,7 +68276,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/tuned.te b/tuned.te
-index db9d2a5..8843888 100644
+index db9d2a5..6c25856 100644
--- a/tuned.te
+++ b/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -68179,7 +68292,7 @@ index db9d2a5..8843888 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
-@@ -22,42 +28,73 @@ files_pid_file(tuned_var_run_t)
+@@ -22,43 +28,80 @@ files_pid_file(tuned_var_run_t)
#
# tuned local policy
#
@@ -68191,8 +68304,10 @@ index db9d2a5..8843888 100644
+allow tuned_t self:udp_socket create_socket_perms;
+
+read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
++exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
+
+manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
++files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
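Review bot: `exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)` lets tuned_t run anything labelled tuned_etc_t without a domain transition, and nothing in the hunk records that the writable type is deliberately kept separate. In the visible rules tuned_t only reads and executes tuned_etc_t and manages tuned_rw_etc_t, so the files it can modify are not the ones it can run. A comment such as `# profile scripts run in-domain; tuned_rw_etc_t must never become executable` would protect that separation from later edits. Separately, `files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")` only covers files created directly in etc_t directories. If active_profile lives in a tuned_etc_t directory, `filetrans_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t, file, "active_profile")` may be the rule actually needed; this should be checked against the file contexts, which are not part of this hunk.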
@@ -68232,10 +68347,10 @@ index db9d2a5..8843888 100644
-logging_send_syslog_msg(tuned_t)
+fs_getattr_all_fs(tuned_t)
++
++auth_use_nsswitch(tuned_t)
-miscfiles_read_localization(tuned_t)
-+auth_use_nsswitch(tuned_t)
-+
+logging_send_syslog_msg(tuned_t)
userdom_dontaudit_search_user_home_dirs(tuned_t)
@@ -68261,6 +68376,11 @@ index db9d2a5..8843888 100644
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
+ ')
++
++optional_policy(`
++ unconfined_dbus_send(tuned_t)
++')
diff --git a/tvtime.te b/tvtime.te
index 531b1f1..7455f78 100644
--- a/tvtime.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3dcfb3c..09d7359 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 59%{?dist}
+Release: 60%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,35 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Dec 5 2012 Miroslav Grepl