diff --git a/policy-20090521.patch b/policy-20090521.patch
index a7a6e32..6a0de7e 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -1736,6 +1736,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2010-01-19 12:51:11.968607327 +0100
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in 2010-02-15 11:55:04.801319350 +0100
+@@ -1703,6 +1703,24 @@
+ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+ ')
+
++#######################################
++##
++## Dontaudit read and write the TUN/TAP virtual network device.
++##
++##
++##
++## The domain allowed access.
++##
++##
++#
++interface(`corenet_dontaudit_rw_tun_tap_dev',`
++ gen_require(`
++ type tun_tap_device_t;
++ ')
++
++ dontaudit $1 tun_tap_device_t:chr_file { read write };
++')
++
+ ########################################
+ ##
+ ## Getattr the point-to-point device.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:51:11.969607384 +0100
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:51:30.720620172 +0100
@@ -2527,7 +2555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-19 12:51:12.011613147 +0100
-+++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2010-01-19 12:51:30.753620389 +0100
++++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2010-02-19 16:26:20.062788152 +0100
@@ -24,7 +24,7 @@
# Local policy
#
@@ -2537,6 +2565,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
+@@ -32,6 +32,7 @@
+ allow avahi_t self:unix_dgram_socket create_socket_perms;
+ allow avahi_t self:tcp_socket create_stream_socket_perms;
+ allow avahi_t self:udp_socket create_socket_perms;
++allow avahi_t self:packet_socket create_socket_perms;
+
+ files_search_var_lib(avahi_t)
+ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-01-19 12:51:12.015607859 +0100
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2010-01-19 12:51:30.754620516 +0100
@@ -5071,7 +5107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-01-19 12:51:12.172608000 +0100
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2010-01-19 12:51:30.870608939 +0100
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2010-02-19 17:06:55.362786312 +0100
@@ -263,6 +263,7 @@
corenet_tcp_sendrecv_generic_node(spamc_t)
corenet_tcp_connect_spamd_port(spamc_t)
@@ -5088,6 +5124,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -469,6 +471,10 @@
+ userdom_search_user_home_dirs(spamd_t)
+
+ optional_policy(`
++ dcc_domtrans_cdcc(spamd_t)
++')
++
++optional_policy(`
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2010-01-19 12:51:12.176608090 +0100
+++ serefpolicy-3.6.12/policy/modules/services/squid.te 2010-01-19 12:51:30.871608089 +0100
@@ -6104,6 +6151,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if 2010-01-19 12:51:12.215617940 +0100
++++ serefpolicy-3.6.12/policy/modules/system/init.if 2010-02-19 17:14:08.890786923 +0100
+@@ -1641,3 +1641,26 @@
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+ ')
++
++#######################################
++##
++## Dontaudit read and write an leaked init scrip file descriptors
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`init_dontaudit_script_leaks',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ dontaudit $1 initrc_t:tcp_socket { read write };
++ dontaudit $1 initrc_t:unix_dgram_socket { read write };
++ dontaudit $1 initrc_t:unix_stream_socket { read write };
++ dontaudit $1 initrc_t:shm rw_shm_perms;
++ init_dontaudit_use_script_ptys($1)
++ init_dontaudit_use_script_fds($1)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-19 12:51:12.218608055 +0100
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2010-01-19 12:51:30.897609022 +0100
@@ -6328,8 +6405,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-19 12:51:12.220618087 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2010-01-19 12:51:30.899617658 +0100
-@@ -101,10 +101,18 @@
++++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2010-02-19 17:01:13.929787818 +0100
+@@ -43,6 +43,7 @@
+ kernel_use_fds(iptables_t)
+
+ corenet_relabelto_all_packets(iptables_t)
++corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+
+ dev_read_sysfs(iptables_t)
+
+@@ -67,6 +68,7 @@
+ # to allow rules to be saved on reboot:
+ init_rw_script_tmp_files(iptables_t)
+ init_rw_script_stream_sockets(iptables_t)
++init_dontaudit_script_leaks(iptables_t)
+
+ logging_send_syslog_msg(iptables_t)
+
+@@ -101,10 +103,18 @@
')
optional_policy(`
@@ -6461,7 +6554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.12/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-19 12:51:12.227608292 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/logging.fc 2010-01-19 12:51:30.903607202 +0100
++++ serefpolicy-3.6.12/policy/modules/system/logging.fc 2010-02-16 17:57:57.974848550 +0100
@@ -50,6 +50,7 @@
')
@@ -6470,6 +6563,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
')
+@@ -62,6 +63,7 @@
+ /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
++/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+ /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-19 12:51:12.230617963 +0100
+++ serefpolicy-3.6.12/policy/modules/system/logging.te 2010-01-19 12:51:30.903607202 +0100
@@ -6525,8 +6626,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to search man pages.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.12/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2010-01-19 12:51:12.236617958 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/mount.if 2010-01-19 12:51:30.907607780 +0100
-@@ -175,7 +175,9 @@
++++ serefpolicy-3.6.12/policy/modules/system/mount.if 2010-02-15 11:50:23.579325271 +0100
+@@ -16,6 +16,12 @@
+ ')
+
+ domtrans_pattern($1,mount_exec_t,mount_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit mount_t $1:unix_stream_socket { read write };
++ dontaudit mount_t $1:tcp_socket { read write };
++ dontaudit mount_t $1:udp_socket { read write };
++ ')
+ ')
+
+ ########################################
+@@ -175,7 +181,9 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 440fbac..a2fde53 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 94%{?dist}
+Release: 95%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -442,6 +442,9 @@ exit 0
%endif
%changelog
+* Fri Feb 19 2010 Miroslav Grepl 3.6.12-95
+- Fixes for avahi policy
+
* Tue Jan 19 2010 Miroslav Grepl 3.6.12-94
- Allow hotplug to transition to brctl domain
- Allow sendmail to read and write to an fail2ban unix stream socket