diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index f87f43c..7d598f8 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -72,7 +72,7 @@ httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = false
+httpd_dbus_avahi = true
#
# allow httpd to network relay
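Review bot: Flipping `httpd_dbus_avahi` to true widens httpd's default permissions on every targeted install (per the comment above it, httpd may now send dbus messages to avahi), yet none of the selinux-policy.spec %changelog entries in this same commit records it; the same gap applies to the `squid_connect_any` flip in the next hunk and to the two booleans added in the third. A one-line entry per default change, e.g. `- Enable httpd_dbus_avahi by default` and `- Disable squid_connect_any by default`, would let packagers and auditors see the behavioural change without diffing the conf. Since the two flips go in opposite directions, stating each explicitly avoids the impression of a blanket loosening.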
@@ -140,7 +140,7 @@ samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
-squid_connect_any = true
+squid_connect_any = false
# Allow privoxy to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
@@ -258,3 +258,11 @@ init_upstart = true
# Allow mount to mount any file/dir
#
allow_mount_anyfile = true
+
+# Allow confined domains to communicate with ncsd via shared memory
+#
+nscd_use_shm = true
+
+# Allow fenced domain to connect to the network using TCP.
+#
+fenced_can_network_connect=false
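Review bot: The comment added above `nscd_use_shm` misspells the daemon as `ncsd`; it should read `# Allow confined domains to communicate with nscd via shared memory`. The final added line also drops the spaces around `=` that every other entry in this file uses; whether the loader accepts `fenced_can_network_connect=false` I cannot tell from here, but for consistency with the surrounding lines write `fenced_can_network_connect = false`.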
diff --git a/policy-F13.patch b/policy-F13.patch
index 7e5259c..8890092 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -6187,7 +6187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.14/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/kernel/devices.if 2010-03-12 14:23:05.000000000 -0500
++++ serefpolicy-3.7.14/policy/modules/kernel/devices.if 2010-03-13 09:47:14.000000000 -0500
@@ -934,6 +934,42 @@
########################################
@@ -6283,18 +6283,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.14/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/kernel/devices.te 2010-03-12 12:16:46.000000000 -0500
-@@ -210,7 +210,8 @@
++++ serefpolicy-3.7.14/policy/modules/kernel/devices.te 2010-03-13 09:46:53.000000000 -0500
+@@ -210,7 +210,7 @@
files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
-
-+fs_use_xattr sysfs gen_context(system_u:object_r:sysfs_t,s0);
+
#
# Type for /dev/tpm
#
-@@ -239,6 +240,12 @@
+@@ -239,6 +239,12 @@
dev_node(usb_device_t)
#
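Review bot: After the `+fs_use_xattr sysfs gen_context(system_u:object_r:sysfs_t,s0);` line is dropped, the inner devices.te hunk now headed `@@ -210,7 +210,7 @@` appears to consist of context lines only (three rules before the blank line, three comment lines after), which makes it a no-op hunk that adds nothing but fuzz risk each time the patch is re-applied; drop the inner hunk entirely and let the following `@@ -239,6 +239,12 @@` hunk stand on its own. I say "appears" because the leading space/`+` markers of the inner lines were lost in extraction, so confirm against the raw patch before removing it. The spec changelog calls this "Fix sysfs association", which is consistent with removing a conflicting `fs_use_xattr` for a filesystem that already has a `genfscon` line.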
@@ -6307,13 +6306,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
# userio_device_t is the type for /dev/uio[0-9]+
#
type userio_device_t;
-@@ -289,5 +296,5 @@
+@@ -289,5 +295,6 @@
#
allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.14/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-03 23:26:37.000000000 -0500
+++ serefpolicy-3.7.14/policy/modules/kernel/domain.if 2010-03-12 09:30:00.000000000 -0500
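Review bot: The `++` line at the end of the devices.te hunk is the only net addition in the re-counted inner hunk (`-289,5 +295,6`), and it appends an empty line after `allow devices_unconfined_type mtrr_device_t:file *;`; this looks like a rebase artefact rather than an intended change, and the rest of the patch does not add bare blank lines. Unless the blank is needed to anchor a later hunk, remove it so the inner hunk returns to `-289,5 +295,5`.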
@@ -7542,7 +7542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.14/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/kernel/files.te 2010-03-12 09:30:00.000000000 -0500
++++ serefpolicy-3.7.14/policy/modules/kernel/files.te 2010-03-13 09:49:26.000000000 -0500
@@ -12,6 +12,7 @@
attribute mountpoint;
attribute pidfile;
@@ -7631,17 +7631,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.14/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-03-12 11:48:14.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/kernel/filesystem.te 2010-03-12 11:59:26.000000000 -0500
-@@ -94,6 +94,8 @@
- type hugetlbfs_t;
- fs_type(hugetlbfs_t)
- files_mountpoint(hugetlbfs_t)
-+files_type(hugetlbfs_t)
-+files_poly_parent(hugetlbfs_t)
- fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
-
- type ibmasmfs_t;
-@@ -172,6 +174,7 @@
++++ serefpolicy-3.7.14/policy/modules/kernel/filesystem.te 2010-03-13 09:53:41.000000000 -0500
+@@ -172,6 +172,7 @@
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
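Review bot: The inner hunk that added `files_type(hugetlbfs_t)` and `files_poly_parent(hugetlbfs_t)` to filesystem.te is removed here, so those two rules disappear from the Fedora policy, but neither the 3.7.14-2 nor the 3.7.14-3 entry in the selinux-policy.spec changelog mentions hugetlbfs. If the removal is deliberate (for instance because the rules broke labeling or the build), add a changelog line such as `- Drop files_type/files_poly_parent on hugetlbfs_t` with the reason; if the hunk was lost while regenerating the patch, restore it. The surrounding `@@ -172` and `@@ -242` offset shifts are consistent with exactly this two-line removal, so nothing else in the file seems affected.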
@@ -7649,7 +7640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
allow tmpfs_t noxattrfs:filesystem associate;
-@@ -242,6 +245,7 @@
+@@ -242,6 +243,7 @@
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -14626,7 +14617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.14/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/services/cron.te 2010-03-12 09:30:00.000000000 -0500
++++ serefpolicy-3.7.14/policy/modules/services/cron.te 2010-03-12 14:47:55.000000000 -0500
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -14667,21 +14658,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
-@@ -110,6 +117,13 @@
+@@ -109,6 +116,14 @@
+ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
-
++mta_system_content(user_cron_spool_t)
++
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
-+
+
########################################
#
- # Admin crontab local policy
-@@ -139,7 +153,7 @@
+@@ -139,7 +154,7 @@
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
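Review bot: `mta_system_content(user_cron_spool_t)` backs the "Allow at to mail its spool files" changelog entry, but it is applied to the whole `user_cron_spool_t` type, which by the `typealias` line just above also covers the auditadm and secadm crontab spools, so whatever the mail-content attribute grants to MTA domains now extends to every user's crontab files rather than to at's spool alone. If that scope is intended, record it with a comment above the new line, e.g. `# at(1) mails job output from its spool; this exposes all user_cron_spool_t files as mail content`; otherwise a dedicated type for at's spool would be the narrower fix. I cannot see mta.if from this hunk, so the exact permissions the interface confers are inferred from its name and should be checked.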
@@ -14690,7 +14682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -194,6 +208,8 @@
+@@ -194,6 +209,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
@@ -14699,7 +14691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -209,7 +225,9 @@
+@@ -209,7 +226,9 @@
auth_use_nsswitch(crond_t)
@@ -14709,7 +14701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -220,8 +238,10 @@
+@@ -220,8 +239,10 @@
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -14720,7 +14712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ifdef(`distro_debian',`
# pam_limits is used
-@@ -241,8 +261,17 @@
+@@ -241,8 +262,17 @@
')
')
@@ -14740,7 +14732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -251,6 +280,20 @@
+@@ -251,6 +281,20 @@
')
optional_policy(`
@@ -14761,7 +14753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
amanda_search_var_lib(crond_t)
')
-@@ -260,6 +303,8 @@
+@@ -260,6 +304,8 @@
optional_policy(`
hal_dbus_chat(crond_t)
@@ -14770,7 +14762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -302,10 +347,17 @@
+@@ -302,10 +348,17 @@
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -14789,7 +14781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -325,6 +377,7 @@
+@@ -325,6 +378,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -14797,7 +14789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -336,9 +389,13 @@
+@@ -336,9 +390,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -14812,7 +14804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -361,6 +418,7 @@
+@@ -361,6 +419,7 @@
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -14820,7 +14812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -387,6 +445,7 @@
+@@ -387,6 +446,7 @@
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -14828,7 +14820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -411,6 +470,8 @@
+@@ -411,6 +471,8 @@
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -14837,7 +14829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -435,6 +496,7 @@
+@@ -435,6 +497,7 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -14845,7 +14837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -442,6 +504,14 @@
+@@ -442,6 +505,14 @@
')
optional_policy(`
@@ -14860,7 +14852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ftp_read_log(system_cronjob_t)
')
-@@ -456,11 +526,16 @@
+@@ -456,11 +527,16 @@
')
optional_policy(`
@@ -14877,7 +14869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -476,7 +551,7 @@
+@@ -476,7 +552,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -14886,7 +14878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -491,6 +566,7 @@
+@@ -491,6 +567,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -14894,7 +14886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -498,6 +574,9 @@
+@@ -498,6 +575,9 @@
')
optional_policy(`
@@ -30255,7 +30247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.14/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/system/ipsec.te 2010-03-12 09:30:01.000000000 -0500
++++ serefpolicy-3.7.14/policy/modules/system/ipsec.te 2010-03-12 15:16:06.000000000 -0500
@@ -29,9 +29,15 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
@@ -30272,15 +30264,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
-@@ -66,7 +72,7 @@
+@@ -66,8 +72,8 @@
# ipsec Local policy
#
-allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
+-dontaudit ipsec_t self:capability sys_tty_config;
+allow ipsec_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
- dontaudit ipsec_t self:capability sys_tty_config;
++dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_t self:udp_socket create_socket_perms;
@@ -85,6 +91,10 @@
manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
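Review bot: The new `dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };` and the `setpcap` added to the allow rule both target `ipsec_t`, while the 3.7.14-2 entry in the selinux-policy.spec changelog says "Dontaudit ipsec_mgmt sys_ptrace"; one of the two is wrong, so either correct the changelog to `ipsec_t` or move the dontaudit to the ipsec_mgmt_t rules. The `setpcap` grant is not mentioned in the changelog at all; together with the existing `setcap` process permission it lets the daemon alter its own capability sets, so it deserves its own line, e.g. `- Allow ipsec_t setpcap`. Dontauditing `sys_ptrace` also means a genuine ptrace attempt by the daemon will no longer appear in the audit log, which is worth a short comment on the line stating which operation triggered the noise.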
@@ -31178,7 +31172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.14/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/system/logging.te 2010-03-12 09:30:01.000000000 -0500
++++ serefpolicy-3.7.14/policy/modules/system/logging.te 2010-03-13 09:50:12.000000000 -0500
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
@@ -33279,7 +33273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.14/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/system/udev.te 2010-03-12 09:30:01.000000000 -0500
++++ serefpolicy-3.7.14/policy/modules/system/udev.te 2010-03-13 09:50:22.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -34104,7 +34098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.14/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/system/userdomain.if 2010-03-12 09:30:01.000000000 -0500
++++ serefpolicy-3.7.14/policy/modules/system/userdomain.if 2010-03-13 10:26:50.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -34944,7 +34938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
loadkeys_run($1_t,$1_r)
')
')
-@@ -871,45 +955,76 @@
+@@ -871,45 +955,80 @@
#
auth_role($1_r, $1_t)
@@ -35032,11 +35026,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ optional_policy(`
++ udev_read_db($1_usertype)
++ ')
++
++ optional_policy(`
+ wm_role_template($1, $1_r, $1_t)
')
')
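Review bot: `udev_read_db($1_usertype)` is added to the user template silently: the 3.7.14-2 and 3.7.14-3 changelog entries in selinux-policy.spec cover ipsec, at, nsplugin, device_t and sysfs only, so the new read access to the udev database for every domain in `$1_usertype` is undocumented. Add a changelog line such as `- Allow user domains to read the udev db` and, if a specific application triggered the denial, name it in a comment above the new `optional_policy` block. Whether `$1_usertype` rather than `$1_t` is the right granularity I cannot judge from this hunk, since the template's header is outside it.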
-@@ -944,7 +1059,7 @@
+@@ -944,7 +1063,7 @@
#
# Inherit rules for ordinary users.
@@ -35045,7 +35043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -953,54 +1068,73 @@
+@@ -953,54 +1072,73 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -35130,26 +35128,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
-+ ')
-+
-+ optional_policy(`
-+ wine_role_template($1, $1_r, $1_t)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
-+ postfix_run_postdrop($1_t, $1_r)
++ wine_role_template($1, $1_r, $1_t)
')
-+ # Run pppd in pppd_t by default for user
optional_policy(`
- setroubleshoot_stream_connect($1_t)
++ postfix_run_postdrop($1_t, $1_r)
++ ')
++
++ # Run pppd in pppd_t by default for user
++ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1036,7 +1170,7 @@
+@@ -1036,7 +1174,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -35158,7 +35156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1071,6 +1205,9 @@
+@@ -1071,6 +1209,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -35168,7 +35166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1222,7 @@
+@@ -1085,6 +1226,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -35176,7 +35174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1120,6 +1258,8 @@
+@@ -1120,6 +1262,8 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -35185,7 +35183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1207,6 +1347,8 @@
+@@ -1207,6 +1351,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -35194,7 +35192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1272,11 +1414,15 @@
+@@ -1272,11 +1418,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -35210,7 +35208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,6 +1533,7 @@
+@@ -1387,6 +1537,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -35218,7 +35216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1433,6 +1580,14 @@
+@@ -1433,6 +1584,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -35233,7 +35231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1603,11 @@
+@@ -1448,9 +1607,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -35245,7 +35243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1664,42 @@
+@@ -1507,6 +1668,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -35288,7 +35286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Create directories in the home dir root with
-@@ -1581,6 +1774,8 @@
+@@ -1581,6 +1778,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -35297,7 +35295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1595,10 +1790,12 @@
+@@ -1595,10 +1794,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -35312,7 +35310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1641,6 +1838,24 @@
+@@ -1641,6 +1842,24 @@
########################################
##
@@ -35337,7 +35335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1692,6 +1907,7 @@
+@@ -1692,6 +1911,7 @@
type user_home_dir_t, user_home_t;
')
@@ -35345,7 +35343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1708,11 +1924,14 @@
+@@ -1708,11 +1928,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -35363,7 +35361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1819,21 +2038,15 @@
+@@ -1819,20 +2042,14 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -35377,19 +35375,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
##
- ## Do not audit attempts to execute user home files.
-@@ -1866,6 +2079,7 @@
+@@ -1866,6 +2083,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -35397,7 +35394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2316,25 @@
+@@ -2102,6 +2320,25 @@
########################################
##
@@ -35423,7 +35420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to list user
## temporary directories.
##
-@@ -2218,6 +2451,25 @@
+@@ -2218,6 +2455,25 @@
########################################
##
@@ -35449,7 +35446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
##
-@@ -2427,13 +2679,14 @@
+@@ -2427,13 +2683,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -35465,7 +35462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2787,7 +3040,7 @@
+@@ -2787,7 +3044,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -35474,7 +35471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3056,13 @@
+@@ -2803,11 +3060,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -35490,7 +35487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2944,7 +3199,7 @@
+@@ -2944,7 +3203,7 @@
type user_tmp_t;
')
@@ -35499,7 +35496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3236,7 @@
+@@ -2981,6 +3240,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -35507,7 +35504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3367,745 @@
+@@ -3111,3 +3371,745 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4a5e436..b24ba52 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.14
-Release: 1%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,15 @@ exit 0
%endif
%changelog
+* Sat Mar 13 2010 Dan Walsh 3.7.14-3
+- Add device_t as a file system
+- Fix sysfs association
+
+* Fri Mar 12 2010 Dan Walsh 3.7.14-2
+- Dontaudit ipsec_mgmt sys_ptrace
+- Allow at to mail its spool files
+- Allow nsplugin to search in .pulse directory
+
* Fri Mar 12 2010 Dan Walsh 3.7.14-1
- Update to upstream