diff --git a/policy-F15.patch b/policy-F15.patch
index 4663488..eac1b70 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -2196,6 +2196,21 @@ index ebf4b26..f663276 100644
  
  optional_policy(`
  	dbus_system_bus_client(vpnc_t)
+diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
+index 1f42250..3d36ae2 100644
+--- a/policy/modules/apps/awstats.te
++++ b/policy/modules/apps/awstats.te
+@@ -70,6 +70,10 @@ optional_policy(`
+ 	nscd_dontaudit_search_pid(awstats_t)
+ ')
+ 
++optional_policy(`
++	squid_read_log(awstats_t)
++')
++
+ ########################################
+ #
+ # awstats cgi script policy
 diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
 index 1403835..2e9a72c 100644
 --- a/policy/modules/apps/cdrecord.te
@@ -4697,7 +4712,7 @@ index 93ac529..aafece7 100644
  /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..76caa60 100644
+index 9a6d67d..dba7755 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -4828,7 +4843,7 @@ index 9a6d67d..76caa60 100644
  ##	Send and receive messages from
  ##	mozilla over dbus.
  ## </summary>
-@@ -204,3 +295,22 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -204,3 +295,40 @@ interface(`mozilla_rw_tcp_sockets',`
  
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -4851,6 +4866,24 @@ index 9a6d67d..76caa60 100644
 +	allow $1 mozilla_plugin_tmpfs_t:file unlink;
 +')
 +
++########################################
++## <summary>
++##	Dontaudit read/write to a mozilla_plugin leaks
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mozilla_plugin_dontaudit_leaks',`
++	gen_require(`
++		type mozilla_plugin_t;
++	')
++
++	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
++')
++
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
 index 2a91fa8..2fad053 100644
 --- a/policy/modules/apps/mozilla.te
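Review bot: The parameter documentation of the new `mozilla_plugin_dontaudit_leaks` interface reads `Domain allowed access.`, but the interface grants nothing and only emits a `dontaudit` rule. The usual refpolicy wording for such interfaces is `Domain to not audit.`. The summary would also be clearer as `Do not audit attempts to read and write mozilla_plugin unix stream sockets leaked to the caller.`. The rule hides the AVC record while the access stays denied, so a one-line comment above the `dontaudit` saying this covers an inherited descriptor would help anyone who later looks for the missing denials in sandbox_x_domain or seunshare_domain, the two callers added further down in this patch.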
@@ -7064,10 +7097,10 @@ index 0000000..5f09eb9
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..5259647
+index 0000000..f29f417
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,451 @@
+@@ -0,0 +1,452 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -7517,6 +7550,7 @@ index 0000000..5259647
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
 +	mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
++	mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
 +')
 +
 diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
@@ -7629,10 +7663,10 @@ index 1dc7a85..7455c19 100644
 +	')
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..e5ef7b3 100644
+index 7590165..63db4fd 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,45 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,47 @@ policy_module(seunshare, 1.1.0)
  # Declarations
  #
  
@@ -7668,6 +7702,7 @@ index 7590165..e5ef7b3 100644
 +files_search_all(seunshare_domain)
 +files_read_etc_files(seunshare_domain)
 +files_mounton_all_poly_members(seunshare_domain)
++files_manage_generic_tmp_dirs(seunshare_domain)
  
 -auth_use_nsswitch(seunshare_t)
 +fs_manage_cgroup_dirs(seunshare_domain)
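Review bot: `files_manage_generic_tmp_dirs(seunshare_domain)` is added without a comment, and it gives every domain in the seunshare_domain attribute create, rename and remove rights on generic tmp_t directories. The line above it shows these domains also mount over polyinstantiated members, so this is a privileged helper working in a shared temporary area. The changelog states only that "seunshare needs to manage tmp_t". Please record the concrete operation that needs it, for example `# seunshare creates and removes its per-sandbox directory under /tmp` if that is the case, and confirm that no narrower interface covers it. The rest of the seunshare.te rule set lies outside this hunk.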
@@ -7692,6 +7727,7 @@ index 7590165..e5ef7b3 100644
  	optional_policy(`
 -		mozilla_dontaudit_manage_user_home_files(seunshare_t)
 +		mozilla_dontaudit_manage_user_home_files(seunshare_domain)
++		mozilla_plugin_dontaudit_leaks(seunshare_domain)
  	')
  ')
 +
@@ -16690,6 +16726,15 @@ index 08dfa0c..61f340d 100644
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
  ')
+diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
+index cd07b96..a87d1dd 100644
+--- a/policy/modules/services/apcupsd.fc
++++ b/policy/modules/services/apcupsd.fc
+@@ -13,3 +13,4 @@
+ /var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+ /var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+ /var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
++/var/www/cgi-bin/apcgui(/.*)?		gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
 index d052bf0..8478eca 100644
 --- a/policy/modules/services/apcupsd.te
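Review bot: The new `/var/www/cgi-bin/apcgui(/.*)?` entry has no file-type field, unlike the three `--` entries above it, so the directory itself and every object beneath it is labelled `httpd_apcupsd_cgi_script_exec_t`. If the directory holds only the CGI programs this is harmless, but any configuration or data file placed there would also carry the executable type and presumably be accepted as an entrypoint for the script domain. Where the package layout allows it, restrict the exec type to regular files, e.g. `/var/www/cgi-bin/apcgui/.*	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)`, and give the directory a content type. The actual contents of apcgui are not visible in this patch.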
@@ -21077,9 +21122,18 @@ index 0d5711c..bbc1a8f 100644
 +	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 +')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 98e5af6..3c13628 100644
+index 98e5af6..a7472fc 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
+@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
+ 
+ # dac_override: /var/run/dbus is owned by messagebus on Debian
+ # cjp: dac_override should probably go in a distro_debian
+-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
++allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+ dontaudit system_dbusd_t self:capability sys_tty_config;
+ allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
+ allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 @@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
  
  read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
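Review bot: `sys_resource` is added to the `system_dbusd_t self:capability` rule, but the two comment lines above it still explain only `dac_override`. The capability is wider than the rlimit use named in the changelog, since it also lets the process exceed quota and reserved-space limits. Add the reason next to the rule, e.g. `# sys_resource: dbus-daemon raises its own resource limits`. Note too that the `self:process` rule two lines below lists `getattr getsched signal_perms setpgid getcap setcap` but not `setrlimit`. Raising a hard limit is also checked against that permission, so unless it is granted elsewhere in dbus.te (outside this hunk) the change may still produce a denial.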
@@ -34881,7 +34935,7 @@ index f7826f9..3128dd8 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..29e7311 100644
+index 33e72e8..052a1ff 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
 @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -34938,6 +34992,15 @@ index 33e72e8..29e7311 100644
  	unconfined_use_fds(ricci_t)
  ')
  
+@@ -193,7 +202,7 @@ corecmd_exec_shell(ricci_modcluster_t)
+ corecmd_exec_bin(ricci_modcluster_t)
+ 
+ corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
+-corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
++corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
+ 
+ domain_read_all_domains_state(ricci_modcluster_t)
+ 
 @@ -241,8 +250,7 @@ optional_policy(`
  ')
  
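Review bot: Swapping `corenet_tcp_bind_reserved_port(ricci_modclusterd_t)` for `corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)` widens what the daemon may bind, from the generic reserved port type to every port type carrying the rpc attribute. That presumably includes ports assigned to other services in that range. The changelog gives the reason ("needs to bind to rpc ports 500-1023"), but the policy line has no comment. Please add one such as `# modclusterd binds a dynamically chosen port in the rpc range`, and confirm that dropping the reserved-port bind is intended and does not bring back a denial on ports still labelled with the generic reserved type.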
@@ -50195,7 +50258,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..97b04f2 100644
+index 28b88de..bc98180 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -50763,7 +50826,7 @@ index 28b88de..97b04f2 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +647,110 @@ template(`userdom_common_user_template',`
+@@ -574,67 +647,114 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -50872,6 +50935,10 @@ index 28b88de..97b04f2 100644
  
  	optional_policy(`
 -		locate_read_lib_files($1_t)
++		lircd_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
 +		locate_read_lib_files($1_usertype)
  	')
  
@@ -50879,20 +50946,20 @@ index 28b88de..97b04f2 100644
  	optional_policy(`
 -		modutils_read_module_config($1_t)
 +		modutils_read_module_config($1_usertype)
++	')
++
++	optional_policy(`
++		mta_rw_spool($1_usertype)
++		mta_manage_queue($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_rw_spool($1_t)
-+		mta_rw_spool($1_usertype)
-+		mta_manage_queue($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		nsplugin_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
-@@ -650,41 +766,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +770,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -50954,7 +51021,7 @@ index 28b88de..97b04f2 100644
  ')
  
  #######################################
-@@ -712,13 +837,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +841,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
@@ -50963,12 +51030,12 @@ index 28b88de..97b04f2 100644
 +
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
-+	ifelse(`$1',`unconfined',`',`
-+		gen_tunable(allow_$1_exec_content, true)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
++	ifelse(`$1',`unconfined',`',`
++		gen_tunable(allow_$1_exec_content, true)
++
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -50986,7 +51053,7 @@ index 28b88de..97b04f2 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +874,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +878,71 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -51053,49 +51120,49 @@ index 28b88de..97b04f2 100644
 -	miscfiles_exec_tetex_data($1_t)
 +	miscfiles_read_tetex_data($1_usertype)
 +	miscfiles_exec_tetex_data($1_usertype)
++
++	seutil_read_config($1_usertype)
  
 -	seutil_read_config($1_t)
-+	seutil_read_config($1_usertype)
++	optional_policy(`
++		cups_read_config($1_usertype)
++		cups_stream_connect($1_usertype)
++		cups_stream_connect_ptal($1_usertype)
++	')
  
  	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
-+		cups_read_config($1_usertype)
-+		cups_stream_connect($1_usertype)
-+		cups_stream_connect_ptal($1_usertype)
++		kerberos_use($1_usertype)
++		kerberos_connect_524($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_use($1_t)
-+		kerberos_use($1_usertype)
-+		kerberos_connect_524($1_usertype)
++		mta_dontaudit_read_spool_symlinks($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_dontaudit_read_spool_symlinks($1_t)
-+		mta_dontaudit_read_spool_symlinks($1_usertype)
++		quota_dontaudit_getattr_db($1_usertype)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
++		rpm_read_db($1_usertype)
++		rpm_dontaudit_manage_db($1_usertype)
++		rpm_read_cache($1_usertype)
  	')
  
  	optional_policy(`
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
-+		rpm_read_cache($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		oddjob_run_mkhomedir($1_t, $1_r)
  	')
  ')
  
-@@ -833,6 +970,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +974,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -51105,7 +51172,7 @@ index 28b88de..97b04f2 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1014,107 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1018,107 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -51224,7 +51291,7 @@ index 28b88de..97b04f2 100644
  	')
  ')
  
-@@ -947,7 +1149,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1153,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -51233,7 +51300,7 @@ index 28b88de..97b04f2 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1158,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1162,77 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -51314,20 +51381,20 @@ index 28b88de..97b04f2 100644
 +
 +	optional_policy(`
 +		java_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
-+		mono_role_template($1, $1_r, $1_t)
  	')
  
 -	# Run pppd in pppd_t by default for user
  	optional_policy(`
 -		ppp_run_cond($1_t,$1_r)
-+		mount_run_fusermount($1_t, $1_r)
++		mono_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
++		mount_run_fusermount($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
 +	')
 +
@@ -51341,7 +51408,7 @@ index 28b88de..97b04f2 100644
  	')
  ')
  
-@@ -1039,7 +1264,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1268,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -51350,7 +51417,7 @@ index 28b88de..97b04f2 100644
  	')
  
  	##############################
-@@ -1074,6 +1299,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1303,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -51360,7 +51427,7 @@ index 28b88de..97b04f2 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1316,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1320,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -51368,7 +51435,7 @@ index 28b88de..97b04f2 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1119,10 +1348,13 @@ template(`userdom_admin_user_template',`
+@@ -1119,10 +1352,13 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -51382,7 +51449,7 @@ index 28b88de..97b04f2 100644
  	fs_set_all_quotas($1_t)
  	fs_exec_noxattr($1_t)
  
-@@ -1142,6 +1374,7 @@ template(`userdom_admin_user_template',`
+@@ -1142,6 +1378,7 @@ template(`userdom_admin_user_template',`
  	logging_send_syslog_msg($1_t)
  
  	modutils_domtrans_insmod($1_t)
@@ -51390,7 +51457,7 @@ index 28b88de..97b04f2 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1443,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1447,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -51399,7 +51466,7 @@ index 28b88de..97b04f2 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1237,6 +1472,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1476,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -51407,7 +51474,7 @@ index 28b88de..97b04f2 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1279,11 +1515,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1519,37 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -51445,7 +51512,7 @@ index 28b88de..97b04f2 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1657,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1661,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -51453,7 +51520,7 @@ index 28b88de..97b04f2 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1704,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1708,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -51468,7 +51535,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -1456,9 +1727,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1731,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -51480,31 +51547,73 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -1515,6 +1788,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1792,10 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Create directories in the home dir root with
+-##	the user home directory type.
 +##	Relabel to user home files.
-+## </summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1526,35 +1803,71 @@ interface(`userdom_relabelto_user_home_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_home_filetrans_user_home_dir',`
++interface(`userdom_relabelto_user_home_files',`
+ 	gen_require(`
+-		type user_home_dir_t;
++		type user_home_t;
+ 	')
+ 
+-	files_home_filetrans($1, user_home_dir_t, dir)
++	allow $1 user_home_t:file relabelto;
+ ')
+-
+ ########################################
+ ## <summary>
+-##	Do a domain transition to the specified
+-##	domain when executing a program in the
+-##	user home directory.
++##	Relabel user home files.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Do a domain transition to the specified
+-##	domain when executing a program in the
+-##	user home directory.
+-##	</p>
+-##	<p>
+-##	No interprocess communication (signals, pipes,
+-##	etc.) is provided by this interface since
+-##	the domains are not owned by this module.
+-##	</p>
+-## </desc>
+-## <param name="source_domain">
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed to transition.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_relabelto_user_home_files',`
++interface(`userdom_relabel_user_home_files',`
 +	gen_require(`
 +		type user_home_t;
 +	')
 +
-+	allow $1 user_home_t:file relabelto;
++	allow $1 user_home_t:file relabel_file_perms;
 +')
++
 +########################################
 +## <summary>
-+##	Relabel user home files.
++##	Create directories in the home dir root with
++##	the user home directory type.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -51512,18 +51621,39 @@ index 28b88de..97b04f2 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_relabel_user_home_files',`
++interface(`userdom_home_filetrans_user_home_dir',`
 +	gen_require(`
-+		type user_home_t;
++		type user_home_dir_t;
 +	')
 +
-+	allow $1 user_home_t:file relabel_file_perms;
++	files_home_filetrans($1, user_home_dir_t, dir)
 +')
 +
- ########################################
- ## <summary>
- ##	Create directories in the home dir root with
-@@ -1589,6 +1898,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
++########################################
++## <summary>
++##	Do a domain transition to the specified
++##	domain when executing a program in the
++##	user home directory.
++## </summary>
++## <desc>
++##	<p>
++##	Do a domain transition to the specified
++##	domain when executing a program in the
++##	user home directory.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="source_domain">
++##	<summary>
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+ ## <param name="target_domain">
+@@ -1589,6 +1902,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -51532,7 +51662,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -1603,10 +1914,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1918,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -51547,7 +51677,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -1649,6 +1962,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1966,25 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -51573,7 +51703,7 @@ index 28b88de..97b04f2 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2032,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2036,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -51606,7 +51736,7 @@ index 28b88de..97b04f2 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2068,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2072,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -51624,7 +51754,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -1810,8 +2165,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2169,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -51634,7 +51764,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -1827,20 +2181,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2185,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -51659,7 +51789,7 @@ index 28b88de..97b04f2 100644
  
  ########################################
  ## <summary>
-@@ -2182,7 +2530,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2534,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -51668,7 +51798,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -2435,13 +2783,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2787,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -51684,7 +51814,7 @@ index 28b88de..97b04f2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2811,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2815,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -51711,7 +51841,7 @@ index 28b88de..97b04f2 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2815,7 +3144,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3148,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -51720,7 +51850,7 @@ index 28b88de..97b04f2 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3160,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3164,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -51736,7 +51866,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -2917,7 +3248,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3252,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -51745,7 +51875,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -2972,7 +3303,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3307,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -51792,7 +51922,7 @@ index 28b88de..97b04f2 100644
  ')
  
  ########################################
-@@ -3009,6 +3378,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3382,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -51800,7 +51930,7 @@ index 28b88de..97b04f2 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3139,3 +3509,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3513,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b0ebb21..f4c17bd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.13
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,15 @@ exit 0
 %endif
 
 %changelog
+* Tue Feb 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-7
+- ricci_modclusterd_t needs to bind to rpc ports 500-1023
+- Allow dbus to use setrlimit to increase resoueces
+- Mozilla_plugin is leaking to sandbox
+- Allow confined users  to connect to lircd over unix domain stream socket which allow to use remote control
+- Allow awstats to read squid logs
+- seunshare needs to manage tmp_t
+- apcupsd cgi scripts have a new directory
+
 * Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-6
 - Fix xserver_dontaudit_read_xdm_pid
 - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite