diff --git a/policy-F12.patch b/policy-F12.patch
index be1c56b..f1501f4 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -3454,8 +3454,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# No types are sandbox_exec_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.31/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.31/policy/modules/apps/sandbox.if 2009-09-09 15:38:24.000000000 -0400
-@@ -0,0 +1,167 @@
++++ serefpolicy-3.6.31/policy/modules/apps/sandbox.if 2009-09-10 11:44:49.000000000 -0400
+@@ -0,0 +1,171 @@
+
+## policy for sandbox
+
@@ -3603,6 +3603,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
+ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
++
++ optional_policy(`
++ xserver_common_app($1_t)
++ ')
+')
+
+########################################
@@ -3625,8 +3629,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.31/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.31/policy/modules/apps/sandbox.te 2009-09-09 15:38:24.000000000 -0400
-@@ -0,0 +1,304 @@
++++ serefpolicy-3.6.31/policy/modules/apps/sandbox.te 2009-09-10 11:48:11.000000000 -0400
+@@ -0,0 +1,315 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -3696,8 +3700,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+kernel_read_system_state(sandbox_xserver_t)
+
++selinux_validate_context(sandbox_xserver_t)
++selinux_compute_access_vector(sandbox_xserver_t)
++selinux_compute_create_context(sandbox_xserver_t)
++
+auth_use_nsswitch(sandbox_xserver_t)
+
++logging_send_syslog_msg(sandbox_xserver_t)
++logging_send_audit_msgs(sandbox_xserver_t)
++
+userdom_use_user_terminals(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
@@ -3710,6 +3721,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+')
+
++optional_policy(`
++ xserver_common_app(sandbox_xserver_t)
++')
++
+########################################
+#
+# sandbox local policy
@@ -4308,7 +4323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.31/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/kernel/corecommands.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/kernel/corecommands.if 2009-09-11 16:04:06.000000000 -0400
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -4317,7 +4332,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -973,6 +974,7 @@
+@@ -918,6 +919,25 @@
+
+ ########################################
+ ##
++## Read all executable files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`corecmd_read_all_executables',`
++ gen_require(`
++ attribute exec_type;
++ ')
++
++ read_files_pattern($1, exec_type, exec_type)
++')
++
++########################################
++##
+ ## Execute all executable files.
+ ##
+ ##
+@@ -973,6 +993,7 @@
type bin_t;
')
@@ -8040,8 +8081,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.31/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.31/policy/modules/services/abrt.te 2009-09-09 15:38:24.000000000 -0400
-@@ -0,0 +1,120 @@
++++ serefpolicy-3.6.31/policy/modules/services/abrt.te 2009-09-11 16:04:15.000000000 -0400
+@@ -0,0 +1,121 @@
+
+policy_module(abrt,1.0.0)
+
@@ -8117,6 +8158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+corecmd_exec_bin(abrt_t)
+corecmd_exec_shell(abrt_t)
++corecmd_read_all_executables(abrt_t)
+
+kernel_read_ring_buffer(abrt_t)
+kernel_read_system_state(abrt_t)
@@ -8198,7 +8240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.31/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/apache.fc 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/apache.fc 2009-09-10 12:01:23.000000000 -0400
@@ -1,12 +1,13 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -8234,7 +8276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
-+
++/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -8874,7 +8916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.31/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/apache.te 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/apache.te 2009-09-11 09:48:03.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@@ -8932,7 +8974,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
##
##
-@@ -108,6 +131,29 @@
+@@ -94,6 +117,13 @@
+
+ ##
+ ##
++## Allow Apache to execute tmp content.
++##
++##
++gen_tunable(httpd_tmp_exec, false)
++
++##
++##
+ ## Unify HTTPD to communicate with the terminal.
+ ## Needed for entering the passphrase for certificates at
+ ## the terminal.
+@@ -108,6 +138,29 @@
##
gen_tunable(httpd_unified, false)
@@ -8962,7 +9018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -140,6 +186,9 @@
+@@ -140,6 +193,9 @@
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
@@ -8972,7 +9028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -180,6 +229,10 @@
+@@ -180,6 +236,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -8983,7 +9039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -187,28 +240,28 @@
+@@ -187,28 +247,28 @@
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
@@ -9025,7 +9081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for apache2 memory mapped files
type httpd_var_lib_t;
-@@ -230,7 +283,7 @@
+@@ -230,7 +290,7 @@
# Apache server local policy
#
@@ -9034,7 +9090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -272,6 +325,7 @@
+@@ -272,6 +332,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -9042,7 +9098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +337,9 @@
+@@ -283,9 +344,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -9055,7 +9111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,6 +355,7 @@
+@@ -301,6 +362,7 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
@@ -9063,7 +9119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
-@@ -312,16 +367,18 @@
+@@ -312,16 +374,18 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -9087,7 +9143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
-@@ -335,12 +392,11 @@
+@@ -335,12 +399,11 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -9102,7 +9158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(httpd_t)
-@@ -358,6 +414,10 @@
+@@ -358,6 +421,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -9113,7 +9169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_read_lib_files(httpd_t)
-@@ -372,18 +432,33 @@
+@@ -372,18 +439,33 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -9134,8 +9190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
- tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+')
+
@@ -9146,12 +9201,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
+ samba_domtrans_winbind_helper(httpd_t)
')
')
-@@ -391,20 +466,54 @@
+@@ -391,32 +473,70 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -9207,16 +9263,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -415,20 +524,28 @@
- corenet_tcp_bind_ftp_port(httpd_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ ')
+
+-tunable_policy(`httpd_enable_ftp_server',`
+- corenet_tcp_bind_ftp_port(httpd_t)
++tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
++ can_exec(httpd_t, httpd_tmp_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_user_home_content_files(httpd_t)
--')
--
++tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
++ can_exec(httpd_sys_script_t, httpd_tmp_t)
++')
++
++tunable_policy(`httpd_enable_ftp_server',`
++ corenet_tcp_bind_ftp_port(httpd_t)
+ ')
+
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(httpd_t)
+@@ -424,11 +544,23 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -9240,7 +9307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,6 +568,10 @@
+@@ -451,6 +583,10 @@
')
optional_policy(`
@@ -9251,7 +9318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(httpd_t, httpd_exec_t)
')
-@@ -459,8 +580,13 @@
+@@ -459,8 +595,13 @@
')
optional_policy(`
@@ -9267,7 +9334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -468,22 +594,18 @@
+@@ -468,22 +609,18 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
@@ -9292,7 +9359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -494,12 +616,23 @@
+@@ -494,12 +631,23 @@
')
optional_policy(`
@@ -9316,7 +9383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -508,6 +641,7 @@
+@@ -508,6 +656,7 @@
')
optional_policy(`
@@ -9324,7 +9391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -535,6 +669,22 @@
+@@ -535,6 +684,22 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -9347,7 +9414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache PHP script local policy
-@@ -564,20 +714,25 @@
+@@ -564,20 +729,25 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -9379,7 +9446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -595,23 +750,24 @@
+@@ -595,23 +765,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -9408,7 +9475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +780,7 @@
+@@ -624,6 +795,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -9416,7 +9483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -631,22 +788,30 @@
+@@ -631,22 +803,30 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -9454,7 +9521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +837,14 @@
+@@ -672,15 +852,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -9473,7 +9540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +863,24 @@
+@@ -699,12 +878,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -9500,7 +9567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +888,35 @@
+@@ -712,6 +903,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -9536,7 +9603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +929,10 @@
+@@ -724,6 +944,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -9547,7 +9614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -735,6 +944,8 @@
+@@ -735,6 +959,8 @@
# httpd_rotatelogs local policy
#
@@ -9556,7 +9623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +965,12 @@
+@@ -754,6 +980,12 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -9569,7 +9636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# allow accessing files/dirs below the users home dir
-@@ -762,3 +979,74 @@
+@@ -762,3 +994,74 @@
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
@@ -18808,7 +18875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.31/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/virt.te 2009-09-10 11:38:03.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/virt.te 2009-09-11 10:18:49.000000000 -0400
@@ -20,6 +20,28 @@
##
gen_tunable(virt_use_samba, false)
@@ -18923,7 +18990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -97,30 +156,52 @@
+@@ -97,30 +156,54 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -18967,6 +19034,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
++modutils_manage_module_config(virtd_t)
++
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
storage_raw_write_removable_device(virtd_t)
@@ -18979,7 +19048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -130,7 +211,14 @@
+@@ -130,7 +213,14 @@
logging_send_syslog_msg(virtd_t)
@@ -18994,7 +19063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -168,22 +256,35 @@
+@@ -168,22 +258,35 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -19035,7 +19104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -196,8 +297,159 @@
+@@ -196,8 +299,159 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -19979,7 +20048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.31/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/xserver.te 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/xserver.te 2009-09-10 11:49:20.000000000 -0400
@@ -34,6 +34,13 @@
##
@@ -23047,6 +23116,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write fonts.
##
##
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.31/policy/modules/system/modutils.fc
+--- nsaserefpolicy/policy/modules/system/modutils.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/system/modutils.fc 2009-09-11 10:15:04.000000000 -0400
+@@ -1,6 +1,7 @@
+
+ /etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
+ /etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
++/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0)
+
+ ifdef(`distro_gentoo',`
+ # gentoo init scripts still manage this file
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.31/policy/modules/system/modutils.if
+--- nsaserefpolicy/policy/modules/system/modutils.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/system/modutils.if 2009-09-11 10:18:38.000000000 -0400
+@@ -41,8 +41,8 @@
+ files_search_etc($1)
+ files_search_boot($1)
+
+- allow $1 modules_conf_t:file read_file_perms;
+- allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
++ read_files_pattern($1, modules_conf_t, modules_conf_t)
++ read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
+ ')
+
+ ########################################
+@@ -61,7 +61,7 @@
+ type modules_conf_t;
+ ')
+
+- allow $1 modules_conf_t:file rename_file_perms;
++ rename_files_pattern($1, modules_conf_t, modules_conf_t)
+ ')
+
+ ########################################
+@@ -80,7 +80,26 @@
+ type modules_conf_t;
+ ')
+
+- allow $1 modules_conf_t:file unlink;
++ delete_files_pattern($1, modules_conf_t, modules_conf_t)
++')
++
++########################################
++##
++## Manage files with the configuration options used when
++## loading modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modutils_manage_module_config',`
++ gen_require(`
++ type modules_conf_t;
++ ')
++
++ manage_files_pattern($1, modules_conf_t, modules_conf_t)
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.31/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/system/modutils.te 2009-09-09 15:47:14.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c9ca41b..77b2c4c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.31
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -443,6 +443,10 @@ exit 0
%endif
%changelog
+* Thu Sep 10 2009 Dan Walsh 3.6.31-3
+- Add wordpress/wp-content/uploads label
+- Fixes for sandbox when run from staff_t
+
* Thu Sep 10 2009 Dan Walsh 3.6.31-2
- Update to upstream
- Fixes for devicekit_disk