--##
+##
+##
+## Domain allowed access.
@@ -57369,11 +57462,10 @@ index 28b88de..d0697c5 100644
+## user home directory.
+##
+##
-+##
+ ##
## Do a domain transition to the specified
## domain when executing a program in the
- ## user home directory.
-@@ -1589,6 +1932,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -57382,7 +57474,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1603,10 +1948,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -57397,7 +57489,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1649,6 +1996,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -57423,7 +57515,7 @@ index 28b88de..d0697c5 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1700,12 +2066,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -57456,7 +57548,7 @@ index 28b88de..d0697c5 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2102,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -57474,7 +57566,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1810,8 +2199,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -57484,7 +57576,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1827,20 +2215,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -57498,18 +57590,19 @@ index 28b88de..d0697c5 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
##
-@@ -2182,7 +2564,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ## Do not audit attempts to execute user home files.
+@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
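Review bot: In the `userdom_exec_user_home_content_files` part of this hunk, the patch removes both the `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks and leaves one unconditional `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)`. That grants execute on every type carrying the `user_home_type` attribute to every caller, with no boolean an administrator can switch off. The rule it replaces is not visible here, so whether this widens the original grant should be confirmed against the unpatched interface. It is also unclear from this hunk whether execution on NFS/CIFS home directories is now covered elsewhere; if it is, say so in the interface with a comment such as `# exec on NFS/CIFS homes is no longer gated here by use_nfs_home_dirs/use_samba_home_dirs; see <where it is handled>`. The added `dontaudit $1 user_home_type:sock_file execute;` suppresses those AVC denials for every caller, which removes an audit signal, so it deserves a one-line comment naming the noisy caller it was added for. The interface body starts before this hunk, so the `gen_require` contents could not be checked against the new attribute use.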
@@ -57518,7 +57611,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -2435,13 +2817,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57534,7 +57627,7 @@ index 28b88de..d0697c5 100644
##
##
##
-@@ -2462,26 +2845,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -57561,7 +57654,7 @@ index 28b88de..d0697c5 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2572,6 +2935,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2937,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -57586,7 +57679,7 @@ index 28b88de..d0697c5 100644
## Read and write a user domain pty.
##
##
-@@ -2590,22 +2971,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +2973,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -57629,7 +57722,7 @@ index 28b88de..d0697c5 100644
##
##
##
-@@ -2614,14 +3007,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3009,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -57667,7 +57760,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -2815,7 +3227,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3229,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -57676,7 +57769,7 @@ index 28b88de..d0697c5 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3243,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3245,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -57692,7 +57785,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -2917,7 +3331,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3333,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -57701,7 +57794,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -2972,7 +3386,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3388,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -57748,7 +57841,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -3009,6 +3461,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3463,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -57756,7 +57849,7 @@ index 28b88de..d0697c5 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3540,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3542,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -57781,7 +57874,7 @@ index 28b88de..d0697c5 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3139,3 +3610,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3612,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9fd0ac3..9b6dd51 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 11%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,16 @@ exit 0
%endif
%changelog
+* Mon Apr 4 2011 Miroslav Grepl 3.9.16-12
+- Add /var/run/lock /var/lock definition to file_contexts.subs
+- nslcd_t is looking for kerberos cc files
+- SSH_USE_STRONG_RNG is 1 which requires /dev/random
+- Fix auth_rw_faillog definition
+- Allow sysadm_t to set attributes on fixed disks
+- allow user domains to execute lsof and look at application sockets
+- prelink_cron job calls telinit -u if init is rewritten
+- Fixes to run qemu_t from staff_t
+
* Mon Apr 4 2011 Miroslav Grepl 3.9.16-11
- Fix label for /var/run/udev to udev_var_run_t
- Mock needs to be able to read network state