diff --git a/modules-minimum.conf b/modules-minimum.conf index 80e65eb..c104d67 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1024,6 +1024,13 @@ nsplugin = module # modemmanager = module +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + # Layer: apps # Module: mplayer # diff --git a/modules-targeted.conf b/modules-targeted.conf index 910c8b2..7d0d335 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1024,6 +1024,13 @@ nsplugin = module # modemmanager = module +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + # Layer: apps # Module: mplayer # diff --git a/policy-F13.patch b/policy-F13.patch index 9faaa0f..9ca5bb7 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -616,7 +616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil +/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.19/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/netutils.te 2010-05-28 09:41:59.954610969 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/netutils.te 2010-06-14 11:19:18.240056520 +0200 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; 
@@ -625,7 +625,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) -@@ -85,6 +86,7 @@ +@@ -51,6 +52,8 @@ + + kernel_search_proc(netutils_t) + kernel_read_all_sysctls(netutils_t) ++kernel_read_network_state(netutils_t) ++kernel_request_load_module(netutils_t) + + corenet_all_recvfrom_unlabeled(netutils_t) + corenet_all_recvfrom_netlabel(netutils_t) +@@ -66,6 +69,7 @@ + corenet_sendrecv_all_client_packets(netutils_t) + corenet_udp_bind_generic_node(netutils_t) + ++dev_read_usbmon_dev(netutils_t) + dev_read_sysfs(netutils_t) + + fs_getattr_xattr_fs(netutils_t) +@@ -85,6 +89,7 @@ miscfiles_read_localization(netutils_t) @@ -633,7 +650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil userdom_use_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) -@@ -142,15 +144,27 @@ +@@ -142,15 +147,27 @@ init_dontaudit_use_fds(ping_t) optional_policy(` @@ -661,7 +678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil pcmcia_use_cardmgr_fds(ping_t) ') -@@ -211,3 +225,10 @@ +@@ -211,3 +228,10 @@ dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) files_read_usr_files(traceroute_t) 
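Review bot: `kernel_request_load_module(netutils_t)` is added to netutils.te without a comment, and it lets any program running in netutils_t trigger kernel module autoloading, a wider grant than the read-only additions beside it. It presumably accompanies `dev_read_usbmon_dev(netutils_t)` so that a capture tool can open usbmon devices, but nothing in the hunk says so. If that is the reason, a comment above the two lines such as `# usbmon capture needs the usbmon module autoloaded` would record it and tell a later reviewer what to re-test before narrowing the grant. The netutils.te section these lines belong to continues outside the hunk.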
@@ -5693,16 +5710,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut optional_policy(` dbus_system_bus_client(podsleuth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc ---- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc 2010-05-28 09:41:59.997610803 +0200 -@@ -3,5 +3,6 @@ - - /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) - -+/var/lib/mpd(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) - /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) - /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-05-28 09:41:59.998610877 +0200 @@ -5784,7 +5791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-06-08 14:18:19.967627028 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-06-14 18:32:15.573218388 +0200 @@ -41,9 +41,11 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) 
@@ -5797,7 +5804,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -@@ -128,6 +130,7 @@ +@@ -118,6 +120,10 @@ + ') + + optional_policy(` ++ mpd_read_tmpfs_files(pulseaudio_t) ++') ++ ++optional_policy(` + rtkit_scheduled(pulseaudio_t) + ') + +@@ -128,6 +134,7 @@ ') optional_policy(` @@ -5805,7 +5823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud udev_read_db(pulseaudio_t) ') -@@ -138,3 +141,7 @@ +@@ -138,3 +145,7 @@ xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -7530,7 +7548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-05-28 09:42:00.019610687 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-06-14 18:31:28.287218510 +0200 @@ -25,6 +25,7 @@ # type tun_tap_device_t; @@ -7590,7 +7608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -@@ -125,13 +133,15 @@ +@@ -125,39 +133,52 @@ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) 
@@ -7607,7 +7625,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(mail, tcp,2000,s0, tcp,3905,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) -@@ -140,24 +150,34 @@ + network_port(mmcc, tcp,5050,s0, udp,5050,s0) + network_port(monopd, tcp,1234,s0) ++network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) network_port(munin, tcp,4949,s0, udp,4949,s0) @@ -7643,12 +7663,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,18 +197,21 @@ +@@ -177,18 +198,22 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) +network_port(sieve, tcp,4190,s0) network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) ++network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) @@ -7666,7 +7687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,13 +224,13 @@ +@@ -201,13 +226,13 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
@@ -12762,19 +12783,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. corenet_tcp_sendrecv_generic_if(afs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.19/policy/modules/services/aiccu.fc --- nsaserefpolicy/policy/modules/services/aiccu.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.fc 2010-05-28 09:42:00.054610627 +0200 -@@ -0,0 +1,5 @@ ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.fc 2010-06-14 11:26:52.511056371 +0200 +@@ -0,0 +1,6 @@ ++/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0) ++/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) + -+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) ++/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) + -+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) -+/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) ++/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.19/policy/modules/services/aiccu.if --- nsaserefpolicy/policy/modules/services/aiccu.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.if 2010-05-28 09:42:00.054610627 +0200 -@@ -0,0 +1,119 @@ -+ -+## policy for aiccu ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.if 2010-06-14 11:26:09.814056575 +0200 +@@ -0,0 +1,118 @@ ++## Automatic IPv6 Connectivity Client Utility. + +######################################## +## @@ -12792,6 +12813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + ') + + domtrans_pattern($1, aiccu_exec_t, aiccu_t) ++ corecmd_search_bin($1) +') + + 
@@ -12801,7 +12823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +## +## +## -+## The type of the process performing this action. ++## Domain allowed to transition. +## +## +# @@ -12828,13 +12850,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + type aiccu_var_run_t; + ') + -+ files_search_pids($1) + allow $1 aiccu_var_run_t:file read_file_perms; ++ files_search_pids($1) +') + +######################################## +## -+## Manage aiccu var_run files. ++## Manage aiccu PID files. +## +## +## @@ -12847,9 +12869,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + type aiccu_var_run_t; + ') + -+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t) -+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) -+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) ++ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t) ++ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) ++ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) ++ files_search_pids($1) +') + + 
@@ -12872,31 +12895,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +# +interface(`aiccu_admin',` + gen_require(` -+ type aiccu_t; ++ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; ++ type aiccu_var_run_t; + ') + -+ allow $1 aiccu_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, aiccu_t, aiccu_t) -+ -+ -+ gen_require(` -+ type aiccu_initrc_exec_t; -+ ') ++ allow $1 aiccu_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, aiccu_t) + -+ # Allow aiccu_t to restart the apache service + aiccu_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 aiccu_initrc_exec_t system_r; + allow $2 system_r; + -+ aiccu_manage_var_run($1) ++ admin_pattern($1, aiccu_etc_t) ++ files_search_etc($1) + ++ admin_pattern($1, aiccu_var_run_t) ++ files_search_pids($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.19/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-05-28 09:42:00.055610771 +0200 -@@ -0,0 +1,44 @@ -+policy_module(aiccu,1.0.0) ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-06-14 11:26:09.815056510 +0200 +@@ -0,0 +1,71 @@ ++ ++policy_module(aiccu, 1.0.0) + +######################################## +# @@ -12907,11 +12929,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +type aiccu_exec_t; +init_daemon_domain(aiccu_t, aiccu_exec_t) + -+permissive aiccu_t; -+ +type aiccu_initrc_exec_t; +init_script_file(aiccu_initrc_exec_t) + ++type aiccu_etc_t; ++files_config_file(aiccu_etc_t) ++ +type aiccu_var_run_t; +files_pid_file(aiccu_var_run_t) + 
@@ -12920,25 +12943,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +# aiccu local policy +# + -+allow aiccu_t self:capability { kill }; -+allow aiccu_t self:process { fork signal }; ++allow aiccu_t self:capability { kill net_admin }; ++allow aiccu_t self:process signal; ++allow aiccu_t self:fifo_file rw_file_perms; ++allow aiccu_t self:netlink_route_socket create_netlink_socket_perms; ++allow aiccu_t self:tcp_socket create_stream_socket_perms; ++allow aiccu_t self:tun_socket create_socket_perms; ++allow aiccu_t self:udp_socket create_stream_socket_perms; ++allow aiccu_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow aiccu_t aiccu_etc_t:file read_file_perms; ++ ++manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) ++manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) ++files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) ++ ++kernel_read_system_state(aiccu_t) ++ ++corecmd_exec_shell(aiccu_t) ++ ++corenet_all_recvfrom_netlabel(aiccu_t) ++corenet_all_recvfrom_unlabeled(aiccu_t) ++corenet_tcp_bind_generic_node(aiccu_t) ++corenet_tcp_sendrecv_generic_if(aiccu_t) ++corenet_tcp_sendrecv_generic_node(aiccu_t) ++corenet_tcp_sendrecv_generic_port(aiccu_t) ++corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) ++corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) ++corenet_tcp_connect_sixxsconfig_port(aiccu_t) ++corenet_rw_tun_tap_dev(aiccu_t) + -+# Init script handling +domain_use_interactive_fds(aiccu_t) + -+# internal communication is often done using fifo and unix sockets. 
-+allow aiccu_t self:fifo_file rw_file_perms; -+allow aiccu_t self:unix_stream_socket create_stream_socket_perms; ++dev_read_rand(aiccu_t) ++dev_read_urand(aiccu_t) + +files_read_etc_files(aiccu_t) + -+corenet_rw_tun_tap_dev(aiccu_t) ++logging_send_syslog_msg(aiccu_t) + +miscfiles_read_localization(aiccu_t) + -+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) ++modutils_domtrans_insmod(aiccu_t) ++ ++sysnet_domtrans_ifconfig(aiccu_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.19/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1970-01-01 01:00:00.000000000 +0100 
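Review bot: `allow aiccu_t self:udp_socket create_stream_socket_perms;` in the new aiccu.te local policy grants listen and accept on a datagram socket, where they serve no purpose. Other rules visible in this patch (netutils_t, xserver_t) use `create_socket_perms` for `udp_socket`, so I would change the line to `allow aiccu_t self:udp_socket create_socket_perms;`. Because this hunk also removes `permissive aiccu_t;`, the domain is now enforced. `corecmd_exec_shell`, `modutils_domtrans_insmod` and `sysnet_domtrans_ifconfig` are, together with `net_admin`, the broad grants here, and each deserves a one-line comment saying what aiccu runs through it.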
@@ -20606,6 +20654,413 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode +optional_policy(` udev_read_db(modemmanager_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.7.19/policy/modules/services/mpd.fc +--- nsaserefpolicy/policy/modules/services/mpd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/mpd.fc 2010-06-14 18:34:39.866517713 +0200 +@@ -0,0 +1,10 @@ ++ ++ ++/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) ++/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) ++ ++/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) ++ ++/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) ++/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) ++/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.7.19/policy/modules/services/mpd.if +--- nsaserefpolicy/policy/modules/services/mpd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-14 18:37:18.471468823 +0200 +@@ -0,0 +1,274 @@ ++ ++## policy for daemon for playing music ++ ++######################################## ++## ++## Execute a domain transition to run mpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mpd_domtrans',` ++ gen_require(` ++ type mpd_t, mpd_exec_t; ++ ') ++ ++ domtrans_pattern($1, mpd_exec_t, mpd_t) ++') ++ ++ ++######################################## ++## ++## Execute mpd server in the mpd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_initrc_domtrans',` ++ gen_require(` ++ type mpd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, mpd_initrc_exec_t) ++') ++ ++####################################### ++## ++## Read mpd data files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_read_data_files',` ++ gen_require(` ++ type mpd_data_t; ++ ') ++ ++ files_search_var_lib($1) ++ mpd_search_lib($1) ++ read_files_pattern($1, mpd_data_t, mpd_data_t) ++') ++ ++####################################### ++## ++## Read mpd tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_read_tmpfs_files',` ++ gen_require(` ++ type mpd_tmpfs_t; ++ ') ++ ++ files_search_var_lib($1) ++ mpd_search_lib($1) ++ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++') ++ ++################################### ++## ++## Manage mpd tmpfs files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`mpd_manage_tmpfs_files',` ++ gen_require(` ++ type mpd_tmpfs_t; ++ ') ++ ++ files_search_var_lib($1) ++ mpd_search_lib($1) ++ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++') ++ ++###################################### ++## ++## Manage mpd data files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_manage_data_files',` ++ gen_require(` ++ type mpd_data_t; ++ ') ++ ++ files_search_var_lib($1) ++ mpd_search_lib($1) ++ manage_files_pattern($1, mpd_data_t, mpd_data_t) ++') ++ ++######################################## ++## ++## Search mpd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_search_lib',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ allow $1 mpd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read mpd lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mpd_read_lib_files',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## mpd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_manage_lib_files',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++') ++ ++####################################### ++## ++## Create an object in the root directory, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++# ++interface(`mpd_var_lib_filetrans',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, mpd_var_lib_t, $2, $3) ++') ++ ++######################################## ++## ++## Manage mpd lib dirs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_manage_lib_dirs',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mpd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`mpd_admin',` ++ gen_require(` ++ type mpd_t; ++ type mpd_initrc_exec_t; ++ type mpd_data_t; ++ type mpd_etc_t; ++ type mpd_log_t; ++ type mpd_var_lib_t; ++ ') ++ ++ allow $1 mpd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, mpd_t) ++ ++ mpd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 mpd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ admin_pattern($1, mpd_etc_t) ++ files_search_etc($1) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, mpd_var_lib_t) ++ ++ mpd_search_lib($1) ++ admin_pattern($1, mpd_data_t) ++ ++ admin_pattern($1, mpd_log_t) ++ ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te +--- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-06-14 18:36:19.117468437 +0200 +@@ -0,0 +1,111 @@ ++ ++policy_module(mpd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mpd_t; ++type mpd_exec_t; ++init_daemon_domain(mpd_t, mpd_exec_t) ++ ++permissive mpd_t; ++ ++type mpd_initrc_exec_t; ++init_script_file(mpd_initrc_exec_t) ++ ++type mpd_etc_t; ++files_config_file(mpd_etc_t) ++ ++# type for music content ++type mpd_data_t; ++files_type(mpd_data_t) ++ ++type mpd_log_t; ++logging_log_file(mpd_log_t) ++ ++type mpd_tmp_t; ++files_tmp_file(mpd_tmp_t) ++ ++type mpd_tmpfs_t; ++files_tmpfs_file(mpd_tmpfs_t) ++ ++type mpd_var_lib_t; ++files_type(mpd_var_lib_t) ++ ++######################################## ++# ++# mpd local policy ++# ++ ++#cjp: dac_override bug in mpd relating to mpd.log file ++allow mpd_t self:capability { dac_override kill setgid setuid }; ++allow mpd_t self:process { getsched setsched setrlimit signal signull }; ++ ++allow mpd_t self:fifo_file rw_fifo_file_perms; ++allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow mpd_t 
self:tcp_socket create_stream_socket_perms; ++allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; ++ ++read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) ++ ++manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) ++manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) ++ ++manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) ++manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) ++manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) ++files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) ++ ++manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) ++manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) ++fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file ) ++ ++manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) ++manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) ++manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) ++files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) ++ ++kernel_read_system_state(mpd_t) ++kernel_read_kernel_sysctls(mpd_t) ++ ++corecmd_exec_bin(mpd_t) ++ ++corenet_sendrecv_pulseaudio_client_packets(mpd_t) ++corenet_tcp_connect_http_port(mpd_t) ++corenet_tcp_connect_pulseaudio_port(mpd_t) ++corenet_tcp_bind_mpd_port(mpd_t) ++corenet_tcp_bind_soundd_port(mpd_t) ++ ++dev_read_sysfs(mpd_t) ++ ++files_read_etc_files(mpd_t) ++files_read_usr_files(mpd_t) ++ ++fs_getattr_tmpfs(mpd_t) ++fs_list_inotifyfs(mpd_t) ++fs_rw_anon_inodefs_files(mpd_t) ++ ++auth_use_nsswitch(mpd_t) ++ ++logging_send_syslog_msg(mpd_t) ++ ++miscfiles_read_localization(mpd_t) ++ ++userdom_read_user_tmpfs_files(mpd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(mpd_t) ++') ++ ++optional_policy(` ++ pulseaudio_exec(mpd_t) ++ pulseaudio_stream_connect(mpd_t) ++ pulseaudio_signull(mpd_t) ++') ++ ++optional_policy(` ++ udev_read_db(mpd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.19/policy/modules/services/mta.fc 
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/mta.fc 2010-05-28 09:42:00.125610532 +0200 @@ -30869,7 +31324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-06-08 14:36:03.433610464 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-06-14 11:32:09.363806498 +0200 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.3.2) @@ -31392,7 +31847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +640,11 @@ +@@ -477,6 +640,12 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -31401,10 +31856,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +userdom_manage_user_tmp_files(xdm_t) +userdom_manage_user_tmp_sockets(xdm_t) +userdom_manage_tmpfs_role(system_r, xdm_t) ++userdom_dontaudit_getattr_user_home_content(xdm_t) xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -508,11 +676,17 @@ +@@ -508,11 +677,17 @@ ') optional_policy(` @@ -31422,7 +31878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +694,50 @@ +@@ -520,12 +695,50 @@ ') optional_policy(` @@ -31473,7 +31929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +755,59 @@ +@@ -543,20 +756,59 @@ ') optional_policy(` 
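Review bot: `permissive mpd_t;` in the new mpd.te means none of this module is enforced for a daemon that binds TCP 6600 and may connect to HTTP ports; since the same commit drops the equivalent line from aiccu.te, it should carry a comment saying when it will be removed. While the domain is permissive, gaps go unnoticed: `mpd_log_t` is declared and handed to `mpd_admin`, but mpd.fc labels no log path and mpd.te grants mpd_t no access to it, and, as far as this hunk shows, `corenet_tcp_bind_mpd_port(mpd_t)` has no matching `corenet_tcp_bind_generic_node(mpd_t)`. I would add `manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)` with `logging_log_filetrans(mpd_t, mpd_log_t, file)` and a file-context entry for the log location, then re-test whether `dac_override`, justified only by the "cjp" comment about mpd.log, is still needed. In mpd.if, `mpd_read_tmpfs_files` and `mpd_manage_tmpfs_files` call `files_search_var_lib`/`mpd_search_lib`, which looks copied from the data-file interfaces; `fs_search_tmpfs($1)` is the usual companion for a tmpfs type. The summary of `mpd_var_lib_filetrans` also still says "root directory".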
@@ -31535,7 +31991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +816,6 @@ +@@ -565,7 +817,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -31543,7 +31999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +826,10 @@ +@@ -576,6 +827,10 @@ ') optional_policy(` @@ -31554,7 +32010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +854,9 @@ +@@ -600,10 +855,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -31566,7 +32022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +868,18 @@ +@@ -615,6 +869,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -31585,7 +32041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +899,19 @@ +@@ -634,12 +900,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -31607,7 +32063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +945,6 @@ +@@ -673,7 +946,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -31615,7 +32071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +954,12 @@ +@@ -683,9 +955,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -31629,7 +32085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +974,13 @@ +@@ -700,8 +975,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -31643,7 +32099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +1002,14 @@ +@@ -723,11 +1003,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -31658,7 +32114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1061,28 @@ +@@ -779,12 +1062,28 @@ ') optional_policy(` @@ -31688,7 +32144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1109,7 @@ +@@ -811,7 +1110,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -31697,7 +32153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1130,14 @@ +@@ -832,9 +1131,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -31712,7 +32168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1152,14 @@ +@@ -849,11 +1153,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -31729,7 +32185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1305,33 @@ +@@ -999,3 +1306,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -36743,7 +37199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-06-01 17:31:14.105409578 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-06-14 18:44:14.626468321 +0200 @@ -30,8 +30,9 @@ ') @@ -38050,7 +38506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1692,6 +1965,7 @@ +@@ -1692,10 +1965,30 @@ type user_home_dir_t, user_home_t; ') 
@@ -38058,7 +38514,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1708,11 +1982,14 @@ + ++####################################### ++## ++## Do not audit attempts to getattr user home files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_getattr_user_home_content',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ dontaudit $1 user_home_type:dir getattr; ++ dontaudit $1 user_home_type:file getattr; ++') ++ + ######################################## + ## + ## Do not audit attempts to read user home files. +@@ -1708,11 +2001,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -38076,7 +38555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1802,8 +2079,7 @@ +@@ -1802,8 +2098,7 @@ type user_home_dir_t, user_home_t; ') @@ -38086,7 +38565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1815,25 +2091,18 @@ +@@ -1815,25 +2110,18 @@ ## Domain allowed access. ## ## @@ -38116,7 +38595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Do not audit attempts to execute user home files. -@@ -1866,6 +2135,7 @@ +@@ -1866,6 +2154,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
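Review bot: The new `userdom_dontaudit_getattr_user_home_content` in userdomain.if silences getattr denials on every type carrying `user_home_type`, but only for the `dir` and `file` classes, while its summary mentions only "user home files". If the aim is to quiet xdm_t (the caller added in xserver.te) when it stats home content, symlinks, sockets and fifos will still produce AVCs. If the narrower scope is intended, the summary should say so, e.g. `Do not audit attempts to get the attributes of user home directories and files.` Because these denials no longer reach the audit log, anyone investigating xdm_t behaviour has to disable dontaudit rules (`semodule -DB`) to see them, which is worth noting in the interface description.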
@@ -38124,53 +38603,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,7 +2372,7 @@ +@@ -2102,6 +2391,25 @@ ######################################## ## --## Do not audit attempts to list user +## Do not audit attempts to search user - ## temporary directories. - ## - ## -@@ -2111,17 +2381,17 @@ - ## - ## - # --interface(`userdom_dontaudit_list_user_tmp',` -+interface(`userdom_dontaudit_search_user_tmp',` - gen_require(` - type user_tmp_t; - ') - -- dontaudit $1 user_tmp_t:dir list_dir_perms; -+ dontaudit $1 user_tmp_t:dir search_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to manage users -+## Do not audit attempts to list user - ## temporary directories. - ## - ## -@@ -2130,12 +2400,31 @@ - ## - ## - # --interface(`userdom_dontaudit_manage_user_tmp_dirs',` -+interface(`userdom_dontaudit_list_user_tmp',` - gen_require(` - type user_tmp_t; - ') - -- dontaudit $1 user_tmp_t:dir manage_dir_perms; -+ dontaudit $1 user_tmp_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to manage users +## temporary directories. +## +## @@ -38179,16 +38616,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_dontaudit_manage_user_tmp_dirs',` ++interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:dir manage_dir_perms; - ') - - ######################################## -@@ -2218,6 +2507,25 @@ ++ dontaudit $1 user_tmp_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to list user + ## temporary directories. + ## +@@ -2218,6 +2526,25 @@ ######################################## ## 
@@ -38214,7 +38655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to manage users ## temporary files. ## -@@ -2427,13 +2735,14 @@ +@@ -2427,13 +2754,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -38230,7 +38671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2454,6 +2763,24 @@ +@@ -2454,6 +2782,24 @@ ######################################## ## @@ -38255,7 +38696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2747,6 +3074,25 @@ +@@ -2747,6 +3093,25 @@ ######################################## ## @@ -38281,7 +38722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2787,7 +3133,7 @@ +@@ -2787,7 +3152,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -38290,7 +38731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3149,13 @@ +@@ -2803,11 +3168,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -38306,7 +38747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3292,7 @@ +@@ -2944,7 +3311,7 @@ type user_tmp_t; ') @@ -38315,7 +38756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3329,7 @@ +@@ -2981,6 +3348,7 @@ ') read_files_pattern($1, userdomain, userdomain) 
@@ -38323,7 +38764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3460,702 @@ +@@ -3111,3 +3479,702 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 61b6986..6abd395 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Mon Jun 14 2010 Miroslav Grepl 3.7.19-28 +- Fixes for netutils +- Cleanup of aiccu policy +- Add mpd policy + * Wed Jun 9 2010 Miroslav Grepl 3.7.19-27 - Allow ftpd ipc_lock capability - Allow audisp-remote to getcap and setcap