diff --git a/policy-F13.patch b/policy-F13.patch index ba9488d..a51a2d8 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -631,6 +631,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +optional_policy(` + rpm_read_db(prelink_cron_system_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.8/policy/modules/admin/quota.te +--- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/admin/quota.te 2010-02-11 15:13:50.000000000 -0500 +@@ -39,6 +39,7 @@ + kernel_list_proc(quota_t) + kernel_read_proc_symlinks(quota_t) + kernel_read_kernel_sysctls(quota_t) ++kernel_setsched(quota_t) + + dev_read_sysfs(quota_t) + dev_getattr_all_blk_files(quota_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.8/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/admin/readahead.te 2010-02-08 15:48:06.000000000 -0500 @@ -3545,7 +3556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.8/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-02-09 10:11:18.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-02-11 08:44:05.000000000 -0500 @@ -91,6 +91,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) 
@@ -3982,7 +3993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-02-11 08:51:41.000000000 -0500 @@ -0,0 +1,296 @@ + +policy_module(nsplugin, 1.0.0) @@ -5059,8 +5070,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.8/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if 2010-02-05 16:08:07.000000000 -0500 -@@ -0,0 +1,225 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if 2010-02-11 15:07:54.000000000 -0500 +@@ -0,0 +1,230 @@ + +## policy for sandbox + @@ -5186,6 +5197,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) + ++ type $1_devpts_t; ++ term_pty($1_devpts_t) ++ term_create_pty($1_t, $1_devpts_t) ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; ++ + # window manager + miscfiles_setattr_fonts_cache_dirs($1_t) + allow $1_t self:capability setuid; 
@@ -5288,8 +5304,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.8/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te 2010-02-02 10:31:03.000000000 -0500 -@@ -0,0 +1,349 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te 2010-02-11 12:13:25.000000000 -0500 +@@ -0,0 +1,364 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -5392,9 +5408,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +## internal communication is often done using fifo and unix sockets. +allow sandbox_domain self:fifo_file manage_file_perms; ++allow sandbox_domain self:sem create_sem_perms; ++allow sandbox_domain self:shm create_shm_perms; ++allow sandbox_domain self:msgq create_msgq_perms; +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; + ++dev_rw_all_inherited_chr_files(sandbox_domain) ++dev_rw_all_inherited_blk_files(sandbox_domain) ++ +gen_require(` + type usr_t, lib_t, locale_t; + attribute exec_type; 
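Review bot: The added `dev_rw_all_inherited_chr_files(sandbox_domain)` and `dev_rw_all_inherited_blk_files(sandbox_domain)` in sandbox.te give every sandbox domain read/write on any inherited descriptor whose type carries the `device_node` attribute, block devices included. Raw-disk access from a sandbox then depends on the launcher never leaking such a descriptor. The hunk gives no rationale, so either drop the block-device call or replace both with the specific device types the sandbox really needs. If they stay, add a comment above them such as `# device fds are only ever passed in by the launcher; open is not intended here`. The `rw_inherited_chr_file_perms` and `rw_inherited_blk_file_perms` sets used by the matching devices.if interfaces are not defined on this page, so confirm they exclude `open`; the sandbox_domain section continues past the end of this hunk.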
@@ -5414,8 +5436,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +# sandbox_x_domain local policy +# -+## internal communication is often done using fifo and unix sockets. +allow sandbox_x_domain self:fifo_file manage_file_perms; ++allow sandbox_x_domain self:sem create_sem_perms; ++allow sandbox_x_domain self:shm create_shm_perms; ++allow sandbox_x_domain self:msgq create_msgq_perms; ++allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; ++allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; ++ +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; @@ -5554,10 +5581,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t) +corenet_tcp_connect_http_port(sandbox_web_client_t) +corenet_tcp_connect_http_cache_port(sandbox_web_client_t) ++corenet_tcp_connect_flash_port(sandbox_web_client_t) +corenet_tcp_connect_ftp_port(sandbox_web_client_t) +corenet_tcp_connect_ipp_port(sandbox_web_client_t) ++corenet_tcp_connect_streaming_port(sandbox_web_client_t) ++corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t) ++corenet_tcp_connect_speech_port(sandbox_web_client_t) +corenet_tcp_connect_generic_port(sandbox_web_client_t) +corenet_tcp_connect_soundd_port(sandbox_web_client_t) ++corenet_tcp_connect_speech_port(sandbox_web_client_t) +corenet_sendrecv_http_client_packets(sandbox_web_client_t) +corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t) +corenet_sendrecv_ftp_client_packets(sandbox_web_client_t) 
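Review bot: `allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;` now appears twice in the sandbox_x_domain block, once in the added run and again as the pre-existing line right after it; drop one of them. The later sandbox_web_client_t hunk on this line has the same problem: `corenet_tcp_connect_speech_port(sandbox_web_client_t)` is added after the pulseaudio line and again after the soundd line. Duplicate rules do not change the compiled policy, but they make the sandbox's network allow-list harder to audit. The hunk also deletes the `## internal communication is often done using fifo and unix sockets.` comment from this block while adding sem/shm/msgq rules; keep it and extend it to say why SysV IPC is needed.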
@@ -5566,7 +5598,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# Should not need other ports +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) -+corenet_tcp_connect_speech_port(sandbox_web_client_t) + +auth_use_nsswitch(sandbox_web_client_t) + 
@@ -5791,30 +5822,167 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.8/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if 2010-02-02 10:31:03.000000000 -0500 -@@ -44,6 +44,8 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if 2010-02-11 16:52:18.000000000 -0500 +@@ -2,59 +2,14 @@ + + ######################################## + ## +-## Execute a domain transition to run seunshare. ++## The role template for the seunshare module. + ## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`seunshare_domtrans',` +- gen_require(` +- type seunshare_t, seunshare_exec_t; +- ') +- +- domtrans_pattern($1, seunshare_exec_t, seunshare_t) +-') +- +-######################################## +-## +-## Execute seunshare in the seunshare domain, and +-## allow the specified role the seunshare domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## ++## + ## +-## Role allowed access. ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). + ## + ## +-# +-interface(`seunshare_run',` +- gen_require(` +- type seunshare_t; +- ') +- +- seunshare_domtrans($1) +- role $2 types seunshare_t; +- +- allow $1 seunshare_t:process signal_perms; +- +- ifdef(`hide_broken_symptoms', ` +- dontaudit seunshare_t $1:tcp_socket rw_socket_perms; +- dontaudit seunshare_t $1:udp_socket rw_socket_perms; +- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; +- ') +-') +- +-######################################## +-## +-## Role access for seunshare +-## + ## + ## + ## Role allowed access. 
+@@ -66,15 +21,28 @@ + ## + ## + # +-interface(`seunshare_role',` ++interface(`seunshare_role_template',` + gen_require(` +- type seunshare_t; ++ attribute seunshare_domain; ++ type seunshare_exec_t; + ') - allow $1 seunshare_t:process signal_perms; +- role $2 types seunshare_t; ++ type $1_seunshare_t, seunshare_domain; ++ application_domain($1_seunshare_t, seunshare_exec_t) ++ role $2 types $1_seunshare_t; -+ sandbox_transition(seunshare_t, $2) +- seunshare_domtrans($1) ++ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) ++ sandbox_transition($1_seunshare_t, $2) + +- ps_process_pattern($2, seunshare_t) +- allow $2 seunshare_t:process signal; ++ ps_process_pattern($3, $1_seunshare_t) ++ allow $3 $1_seunshare_t:process signal_perms; + - ifdef(`hide_broken_symptoms', ` - dontaudit seunshare_t $1:tcp_socket rw_socket_perms; - dontaudit seunshare_t $1:udp_socket rw_socket_perms; ++ allow $1_seunshare_t $3:process transition; ++ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_seunshare_t $3:tcp_socket rw_socket_perms; ++ dontaudit $1_seunshare_t $3:udp_socket rw_socket_perms; ++ dontaudit $1_seunshare_t $3:unix_stream_socket rw_socket_perms; ++ ') + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.8/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te 2010-02-02 10:31:03.000000000 -0500 -@@ -15,9 +15,8 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te 2010-02-11 16:49:25.000000000 -0500 +@@ -6,40 +6,39 @@ + # Declarations + # + +-type seunshare_t; ++attribute seunshare_domain; + type seunshare_exec_t; +-application_domain(seunshare_t, seunshare_exec_t) +-role system_r types seunshare_t; + + ######################################## # # seunshare local policy # -- - allow seunshare_t self:capability { setuid 
dac_override setpcap sys_admin }; ++allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin }; ++allow seunshare_domain self:process { fork setexec signal getcap setcap }; + +-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -allow seunshare_t self:process { setexec signal getcap setcap }; -+allow seunshare_t self:process { fork setexec signal getcap setcap }; ++allow seunshare_domain self:fifo_file rw_file_perms; ++allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; + +-allow seunshare_t self:fifo_file rw_file_perms; +-allow seunshare_t self:unix_stream_socket create_stream_socket_perms; ++corecmd_exec_shell(seunshare_domain) ++corecmd_exec_bin(seunshare_domain) + +-corecmd_exec_shell(seunshare_t) +-corecmd_exec_bin(seunshare_t) ++files_search_all(seunshare_domain) ++files_read_etc_files(seunshare_domain) ++files_mounton_all_poly_members(seunshare_domain) + +-files_read_etc_files(seunshare_t) +-files_mounton_all_poly_members(seunshare_t) ++auth_use_nsswitch(seunshare_domain) + +-auth_use_nsswitch(seunshare_t) ++logging_send_syslog_msg(seunshare_domain) + +-logging_send_syslog_msg(seunshare_t) ++miscfiles_read_localization(seunshare_domain) + +-miscfiles_read_localization(seunshare_t) +- +-userdom_use_user_terminals(seunshare_t) ++userdom_use_user_terminals(seunshare_domain) - allow seunshare_t self:fifo_file rw_file_perms; - allow seunshare_t self:unix_stream_socket create_stream_socket_perms; + ifdef(`hide_broken_symptoms', ` +- fs_dontaudit_rw_anon_inodefs_files(seunshare_t) ++ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) ++ fs_dontaudit_list_inotifyfs(seunshare_domain) + + optional_policy(` +- mozilla_dontaudit_manage_user_home_files(seunshare_t) ++ mozilla_dontaudit_manage_user_home_files(seunshare_domain) + ') + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.8/policy/modules/apps/slocate.te --- 
nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/apps/slocate.te 2010-02-02 10:31:03.000000000 -0500 @@ -6485,7 +6653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-02-09 16:10:20.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-02-11 11:47:56.000000000 -0500 @@ -801,6 +801,24 @@ ######################################## @@ -6536,7 +6704,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Create all block device files. ## ## -@@ -1380,6 +1416,42 @@ +@@ -855,6 +891,42 @@ + + ######################################## + ## ++## rw all inherited character device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_all_inherited_chr_files',` ++ gen_require(` ++ attribute device_node; ++ ') ++ ++ allow $1 device_node:chr_file rw_inherited_chr_file_perms; ++') ++ ++######################################## ++## ++## rw all inherited blk device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_all_inherited_blk_files',` ++ gen_require(` ++ attribute device_node; ++ ') ++ ++ allow $1 device_node:blk_file rw_inherited_blk_file_perms; ++') ++ ++######################################## ++## + ## Delete all block device files. + ## + ## +@@ -1380,6 +1452,42 @@ rw_chr_files_pattern($1, device_t, crypt_device_t) ') 
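Review bot: In the new `seunshare_role_template`, `allow $1_seunshare_t $3:process transition;` lets the helper domain transition into the calling user domain, and nothing in the hunk says why. The same commit gives `seunshare_domain` the capabilities `setuid dac_override setpcap sys_admin` and adds `files_search_all(seunshare_domain)`. If the transition exists so the helper can run the user's command without a sandbox type (inferred), say so above the rule, e.g. `# seunshare re-enters the caller's domain when no sandbox type is requested`. Give `files_search_all` a one-line reason too, since it widens a privileged helper to every directory. Removing `seunshare_domtrans`, `seunshare_run` and `seunshare_role` changes the module's public interface; callers are not visible on this page, so confirm none remain.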
@@ -6579,7 +6790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ######################################## ## ## getattr the dri devices. -@@ -1710,6 +1782,24 @@ +@@ -1710,6 +1818,24 @@ ######################################## ## @@ -6604,7 +6815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of the ksm devices. ## ## -@@ -1999,6 +2089,24 @@ +@@ -1999,6 +2125,24 @@ ######################################## ## @@ -6629,7 +6840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read raw memory devices (e.g. /dev/mem). ## ## -@@ -2450,6 +2558,24 @@ +@@ -2450,6 +2594,24 @@ ######################################## ## @@ -6654,7 +6865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of the network control device ## ## -@@ -3515,6 +3641,24 @@ +@@ -3515,6 +3677,24 @@ ######################################## ## @@ -6679,7 +6890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -@@ -3703,6 +3847,24 @@ +@@ -3703,6 +3883,24 @@ getattr_chr_files_pattern($1, device_t, v4l_device_t) ') @@ -7177,7 +7388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib/nfs/rpc_pipefs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-02-09 14:24:24.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-02-11 11:49:05.000000000 -0500 @@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) 
@@ -7875,7 +8086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if 2010-02-08 15:48:31.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if 2010-02-11 14:13:24.000000000 -0500 @@ -906,7 +906,7 @@ type cifs_t; ') @@ -7911,7 +8122,69 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Create, read, write, and delete directories ## on a FUSEFS filesystem. ## -@@ -2047,7 +2066,7 @@ +@@ -1613,6 +1632,36 @@ + + ######################################## + ## ++## Create an object in a hugetlbfs filesystem, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++# ++interface(`fs_hugetlbfs_filetrans',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $2 hugetlbfs_t:filesystem associate; ++ filetrans_pattern($1, hugetlbfs_t, $2, $3) ++') ++ ++######################################## ++## + ## Search inotifyfs filesystem. + ## + ## +@@ -1649,6 +1698,24 @@ + + ######################################## + ## ++## Dontaudit List inotifyfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_list_inotifyfs',` ++ gen_require(` ++ type inotifyfs_t; ++ ') ++ ++ dontaudit $1 inotifyfs_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Mount an iso9660 filesystem, which + ## is usually used on CDs. + ## +@@ -2047,7 +2114,7 @@ type nfs_t; ') 
@@ -7920,7 +8193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2069,6 +2088,25 @@ +@@ -2069,6 +2136,25 @@ read_lnk_files_pattern($1, nfs_t, nfs_t) ') @@ -7946,7 +8219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################### ## ## Read named sockets on a NFS filesystem. -@@ -3458,6 +3496,24 @@ +@@ -3458,6 +3544,24 @@ ######################################## ## @@ -7971,7 +8244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read and write generic tmpfs files. ## ## -@@ -3684,6 +3740,24 @@ +@@ -3684,6 +3788,24 @@ ######################################## ## @@ -7996,7 +8269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount a XENFS filesystem. ## ## -@@ -4181,3 +4255,214 @@ +@@ -4181,3 +4303,214 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -8273,7 +8546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # nfs_t is the default type for NFS file systems diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-02-11 08:05:42.000000000 -0500 @@ -1849,7 +1849,7 @@ ') 
@@ -8814,7 +9087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.8/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te 2010-02-11 12:30:41.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -8883,18 +9156,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -135,10 +129,6 @@ +@@ -135,7 +129,7 @@ ') optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - dcc_run_cdcc(sysadm_t, sysadm_r) - dcc_run_client(sysadm_t, sysadm_r) - dcc_run_dbclean(sysadm_t, sysadm_r) -@@ -166,10 +156,6 @@ ++ daemonstools_run_start(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -166,10 +160,6 @@ ') optional_policy(` @@ -8905,7 +9176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. firstboot_run(sysadm_t, sysadm_r) ') -@@ -178,22 +164,6 @@ +@@ -178,22 +168,6 @@ ') optional_policy(` @@ -8928,7 +9199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. hostname_run(sysadm_t, sysadm_r) ') -@@ -205,6 +175,9 @@ +@@ -205,6 +179,9 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -8938,7 +9209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,11 +185,7 @@ +@@ -212,11 +189,7 @@ ') optional_policy(` @@ -8951,7 +9222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -228,10 +197,6 @@ +@@ -228,10 +201,6 @@ ') optional_policy(` 
@@ -8962,7 +9233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. logrotate_run(sysadm_t, sysadm_r) ') -@@ -255,14 +220,6 @@ +@@ -255,14 +224,6 @@ ') optional_policy(` @@ -8977,7 +9248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. mta_role(sysadm_r, sysadm_t) ') -@@ -290,11 +247,6 @@ +@@ -290,11 +251,6 @@ ') optional_policy(` @@ -8989,7 +9260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. pcmcia_run_cardctl(sysadm_t, sysadm_r) ') -@@ -308,7 +260,7 @@ +@@ -308,7 +264,7 @@ ') optional_policy(` @@ -8998,7 +9269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -320,10 +272,6 @@ +@@ -320,10 +276,6 @@ ') optional_policy(` @@ -9009,7 +9280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. rpc_domtrans_nfsd(sysadm_t) ') -@@ -332,10 +280,6 @@ +@@ -332,10 +284,6 @@ ') optional_policy(` @@ -9020,7 +9291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. rsync_exec(sysadm_t) ') -@@ -345,10 +289,6 @@ +@@ -345,10 +293,6 @@ ') optional_policy(` @@ -9031,7 +9302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. secadm_role_change(sysadm_r) ') -@@ -358,35 +298,15 @@ +@@ -358,35 +302,15 @@ ') optional_policy(` @@ -9067,7 +9338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +314,10 @@ +@@ -394,18 +318,10 @@ ') optional_policy(` @@ -9086,7 +9357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. unconfined_domtrans(sysadm_t) ') -@@ -418,17 +330,13 @@ +@@ -418,17 +334,13 @@ ') optional_policy(` 
@@ -9105,7 +9376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -440,13 +348,16 @@ +@@ -440,13 +352,16 @@ ') optional_policy(` @@ -13131,7 +13402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. xserver_domtrans(apmd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.8/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-02-11 14:04:49.000000000 -0500 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; @@ -13148,11 +13419,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw kernel_read_kernel_sysctls(arpwatch_t) kernel_list_proc(arpwatch_t) kernel_read_proc_symlinks(arpwatch_t) -@@ -62,6 +64,7 @@ +@@ -62,6 +64,8 @@ corenet_udp_sendrecv_all_ports(arpwatch_t) dev_read_sysfs(arpwatch_t) +dev_read_usbmon_dev(arpwatch_t) ++dev_rw_generic_usb_dev(arpwatch_t) fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) @@ -15394,7 +15666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/cron.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cron.te 2010-02-11 12:30:41.000000000 -0500 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) 
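Review bot: The added `dev_rw_generic_usb_dev(arpwatch_t)` in the arpwatch.te hunk gives a network-facing daemon read/write on generic USB device nodes, on top of the existing `dev_read_usbmon_dev(arpwatch_t)`. If the denial came from the capture library enumerating devices at startup (inferred, the hunk does not say), write access is probably not needed and a read-only or `dontaudit` rule would be tighter. If it stays, add a comment above the call naming the access that triggered it, e.g. `# <reason the daemon opens USB device nodes>`.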
@@ -15488,7 +15760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` # pam_limits is used -@@ -241,8 +261,12 @@ +@@ -241,8 +261,17 @@ ') ') @@ -15500,10 +15772,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + +optional_policy(` + apache_search_sys_content(crond_t) ++') ++ ++optional_policy(` ++ djbdns_search_key_tinydns(crond_t) ++ djbdns_link_key_tinydns(crond_t) ') optional_policy(` -@@ -251,6 +275,20 @@ +@@ -251,6 +280,20 @@ ') optional_policy(` @@ -15524,7 +15801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron amanda_search_var_lib(crond_t) ') -@@ -260,6 +298,8 @@ +@@ -260,6 +303,8 @@ optional_policy(` hal_dbus_chat(crond_t) @@ -15533,7 +15810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -302,10 +342,17 @@ +@@ -302,10 +347,17 @@ # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -15552,7 +15829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -325,6 +372,7 @@ +@@ -325,6 +377,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -15560,7 +15837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -336,9 +384,13 @@ +@@ -336,9 +389,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) 
@@ -15575,7 +15852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -361,6 +413,7 @@ +@@ -361,6 +418,7 @@ dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -15583,7 +15860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -387,6 +440,7 @@ +@@ -387,6 +445,7 @@ # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -15591,7 +15868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -411,6 +465,8 @@ +@@ -411,6 +470,8 @@ ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files @@ -15600,7 +15877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -435,6 +491,7 @@ +@@ -435,6 +496,7 @@ apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -15608,7 +15885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -442,6 +499,14 @@ +@@ -442,6 +504,14 @@ ') optional_policy(` @@ -15623,7 +15900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ftp_read_log(system_cronjob_t) ') -@@ -456,11 +521,16 @@ +@@ -456,11 +526,16 @@ ') optional_policy(` 
@@ -15640,7 +15917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -476,7 +546,7 @@ +@@ -476,7 +551,7 @@ prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -15649,7 +15926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -491,6 +561,7 @@ +@@ -491,6 +566,7 @@ optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -15657,7 +15934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -498,6 +569,9 @@ +@@ -498,6 +574,9 @@ ') optional_policy(` @@ -15718,7 +15995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/cups.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/cups.te 2010-02-11 13:29:01.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -15913,6 +16190,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(cupsd_lpd_t) +@@ -532,7 +572,7 @@ + # cups_pdf local policy + # + +-allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; ++allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; + allow cups_pdf_t self:fifo_file rw_file_perms; + allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; + 
@@ -542,6 +582,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -16654,7 +16940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.8/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/djbdns.if 2010-02-10 13:04:18.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/djbdns.if 2010-02-11 12:30:41.000000000 -0500 @@ -26,6 +26,8 @@ daemontools_read_svc(djbdns_$1_t) 
@@ -16664,6 +16950,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd allow djbdns_$1_t self:tcp_socket create_stream_socket_perms; allow djbdns_$1_t self:udp_socket create_socket_perms; +@@ -50,3 +52,39 @@ + + files_search_var(djbdns_$1_t) + ') ++ ++##################################### ++## ++## Allow search the djbdns-tinydns key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`djbdns_search_key_tinydns',` ++ gen_require(` ++ type djbdns_tinydns_t; ++ ') ++ ++ allow $1 djbdns_tinydns_t:key search; ++') ++ ++##################################### ++## ++## Allow link to the djbdns-tinydns key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`djbdns_link_key_tinydns',` ++ gen_require(` ++ type djbdns_tinydn_t; ++ ') ++ ++ allow $1 djbdns_tinydn_t:key link; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.8/policy/modules/services/djbdns.te +--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/services/djbdns.te 2010-02-11 12:30:41.000000000 -0500 +@@ -42,3 +42,11 @@ + files_search_var(djbdns_axfrdns_t) + + ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) ++ ++##################################### ++# ++# Local policy for djbdns_tinydns_t ++# ++ ++init_dontaudit_use_script_fds(djbdns_tinydns_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc 2010-02-02 10:31:03.000000000 -0500 
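Review bot: `djbdns_link_key_tinydns` requires and references `djbdns_tinydn_t` (missing the final "s"), while the sibling `djbdns_search_key_tinydns` and the new djbdns.te section both use `djbdns_tinydns_t`. Change the two lines to `type djbdns_tinydns_t;` and `allow $1 djbdns_tinydns_t:key link;`. The cron.te hunk calls both interfaces from a single `optional_policy` block for `crond_t`, so the unsatisfied require is likely to disable that whole block or break the build, depending on how the policy is built, and the `search` rule would be lost with it.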
@@ -24645,7 +24986,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## Read NFS exported content. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.8/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/rpc.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/rpc.te 2010-02-11 15:23:21.000000000 -0500 +@@ -8,7 +8,7 @@ + + ## + ##

+-## Allow gssd to read temp directory. For access to kerberos tgt. ++## Allow gssd to read tep directory. For access to kerberos tgt. + ##

+ ##
+ gen_tunable(allow_gssd_read_tmp, true) @@ -37,8 +37,14 @@ # rpc_exec_t is the type of rpc daemon programs. rpc_domain_template(rpcd) @@ -24671,7 +25021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. allow rpcd_t self:fifo_file rw_fifo_file_perms; allow rpcd_t rpcd_var_run_t:dir setattr; -@@ -67,6 +74,7 @@ +@@ -67,12 +74,14 @@ kernel_read_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) @@ -24679,7 +25029,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) kernel_signal(rpcd_t) -@@ -91,14 +99,21 @@ + + corecmd_exec_bin(rpcd_t) + ++files_read_default_files(rpcd_t) + files_manage_mounttab(rpcd_t) + files_getattr_all_dirs(rpcd_t) + +@@ -91,14 +100,21 @@ seutil_dontaudit_search_config(rpcd_t) @@ -24701,7 +25058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ######################################## # # NFSD local policy -@@ -127,6 +142,7 @@ +@@ -127,6 +143,7 @@ files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type files_manage_mounttab(nfsd_t) @@ -24709,7 +25066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) -@@ -135,6 +151,7 @@ +@@ -135,6 +152,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) @@ -24717,7 +25074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -151,6 +168,7 @@ +@@ -151,6 +169,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') 
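Review bot: The new description for the `allow_gssd_read_tmp` tunable reads "read tep directory", a typo this change introduces; the removed line had "temp". This text documents a boolean that controls gssd's access to Kerberos ticket material, so it should stay legible: `## Allow gssd to read temp directory. For access to kerberos tgt.` If the edit was unintentional, dropping this inner hunk restores the upstream wording.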
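Review bot: `files_read_default_files(rpcd_t)` is added to the rpcd_t rules without a comment saying which daemon needs it, while the neighbouring kernel rule carries one (`# for rpc.rquotad`). Files typed `default_t` are whatever has no more specific label, so this read grant is wide for a network-facing RPC domain and hard to audit later. I would add a why-comment naming the denial that motivated it, e.g. `# <daemon> reads <path> labelled default_t`, or label the path properly if it is a known location. The rpcd_t section starts and ends outside this hunk.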
@@ -24725,7 +25082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -182,6 +200,7 @@ +@@ -182,6 +201,7 @@ kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) @@ -24733,7 +25090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corecmd_exec_bin(gssd_t) -@@ -189,8 +208,10 @@ +@@ -189,8 +209,10 @@ fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) @@ -24744,7 +25101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) -@@ -199,10 +220,14 @@ +@@ -199,10 +221,14 @@ mount_signal(gssd_t) @@ -27173,6 +27530,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune dev_read_sysfs(tuned_t) # to allow cpu tuning dev_rw_netcontrol(tuned_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.8/policy/modules/services/ucspitcp.te +--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/services/ucspitcp.te 2010-02-11 12:30:41.000000000 -0500 +@@ -92,3 +92,8 @@ + daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) + daemontools_read_svc(ucspitcp_t) + ') ++ ++optional_policy(` ++ daemontools_sigchld_run(ucspitcp_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc 2010-02-03 14:20:04.000000000 -0500 
@@ -27226,8 +27595,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.8/policy/modules/services/usbmuxd.te --- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.te 2010-02-02 10:31:03.000000000 -0500 -@@ -0,0 +1,43 @@ ++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.te 2010-02-11 13:37:45.000000000 -0500 +@@ -0,0 +1,47 @@ +policy_module(usbmuxd,1.0.0) + +######################################## @@ -27264,6 +27633,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) + ++kernel_read_system_state(usbmuxd_t) ++ ++dev_rw_generic_usb_dev(usbmuxd_t) ++ +files_read_etc_files(usbmuxd_t) + +miscfiles_read_localization(usbmuxd_t) @@ -27660,7 +28033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.8/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/virt.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/virt.if 2010-02-11 14:19:09.000000000 -0500 @@ -136,7 +136,7 @@ ') 
@@ -27916,7 +28289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.8/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/virt.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/virt.te 2010-02-11 14:17:16.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -28179,7 +28552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -196,8 +312,159 @@ +@@ -196,8 +312,162 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -28208,6 +28581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +allow svirt_t svirt_image_t:dir search_dir_perms; +manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) +manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) ++fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) + +list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_t, virt_content_t, virt_content_t) @@ -28215,6 +28589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +dontaudit svirt_t virt_content_t:dir write; + +userdom_search_user_home_content(svirt_t) ++userdom_read_user_home_content_symlinks(svirt_t) +userdom_read_all_users_state(svirt_t) + +allow svirt_t self:udp_socket create_socket_perms; @@ -28240,6 +28615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + +tunable_policy(`virt_use_fusefs',` + fs_read_fusefs_files(svirt_t) ++ fs_read_fusefs_symlinks(svirt_t) +') + +tunable_policy(`virt_use_nfs',` 
@@ -30188,10 +30564,113 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.8/policy/modules/system/daemontools.if +--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/system/daemontools.if 2010-02-11 12:30:41.000000000 -0500 +@@ -71,6 +71,32 @@ + domtrans_pattern($1, svc_start_exec_t, svc_start_t) + ') + ++###################################### ++## ++## Execute svc_start in the svc_start domain, and ++## allow the specified role the svc_start domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the svc_start domain. ++## ++## ++## ++# ++interface(`daemonstools_run_start',` ++ gen_require(` ++ type svc_start_t; ++ ') ++ ++ daemontools_domtrans_start($1) ++ role $2 types svc_start_t; ++') ++ + ######################################## + ## + ## Execute in the svc_run_t domain. +@@ -127,6 +153,24 @@ + allow $1 svc_svc_t:file read_file_perms; + ') + ++###################################### ++## ++## Search svc_svc_t directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`daemontools_search_svc_dir',` ++ gen_require(` ++ type svc_svc_t; ++ ') ++ ++ allow $1 svc_svc_t:dir search_dir_perms; ++') ++ + ######################################## + ## + ## Allow a domain to create svc_svc_t files. +@@ -148,3 +192,21 @@ + allow $1 svc_svc_t:file manage_file_perms; + allow $1 svc_svc_t:lnk_file { read create }; + ') ++ ++###################################### ++## ++## Send a SIGCHLD signal to svc_run domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`daemontools_sigchld_run',` ++ gen_require(` ++ type svc_run_t; ++ ') ++ ++ allow $1 svc_run_t:process sigchld; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.8/policy/modules/system/daemontools.te --- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/daemontools.te 2010-02-10 13:04:18.000000000 -0500 -@@ -65,6 +65,8 @@ ++++ serefpolicy-3.7.8/policy/modules/system/daemontools.te 2010-02-11 12:30:41.000000000 -0500 +@@ -39,7 +39,10 @@ + # multilog creates /service/*/log/status + manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) + ++term_write_console(svc_multilog_t) ++ + init_use_fds(svc_multilog_t) ++init_dontaudit_use_script_fds(svc_multilog_t) + + # writes to /var/log/*/* + logging_manage_generic_logs(svc_multilog_t) +@@ -53,7 +56,7 @@ + # ie. softlimit, setuidgid, envuidgid, envdir, fghack .. + # + +-allow svc_run_t self:capability { setgid setuid chown fsetid }; ++allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; + allow svc_run_t self:process setrlimit; + allow svc_run_t self:fifo_file rw_fifo_file_perms; + allow svc_run_t self:unix_stream_socket create_stream_socket_perms; +@@ -65,9 +68,13 @@ kernel_read_system_state(svc_run_t) @@ -30200,7 +30679,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon corecmd_exec_bin(svc_run_t) corecmd_exec_shell(svc_run_t) -@@ -93,10 +95,14 @@ ++term_write_console(svc_run_t) ++ + files_read_etc_files(svc_run_t) + files_read_etc_runtime_files(svc_run_t) + files_search_pids(svc_run_t) +@@ -89,21 +96,36 @@ + # ie svc, svscan, supervise ... + # + +-allow svc_start_t svc_run_t:process signal; ++allow svc_start_t svc_run_t:process { signal setrlimit }; allow svc_start_t self:fifo_file rw_fifo_file_perms; allow svc_start_t self:capability kill; 
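Review bot: The new interface in daemontools.if is named `daemonstools_run_start` (extra "s"). The other interfaces visible in this hunk use the `daemontools_` prefix, including the `daemontools_domtrans_start` it calls. A caller written as `daemontools_run_start(...)` would not resolve to this definition, so the `role $2 types svc_start_t;` grant would never be applied through the expected name. Rename the interface to `daemontools_run_start`; no caller is visible in this diff, so the rename looks safe to make now.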
@@ -30209,13 +30698,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon can_exec(svc_start_t, svc_start_exec_t) ++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) ++ +kernel_read_kernel_sysctls(svc_start_t) +kernel_read_system_state(svc_start_t) + corecmd_exec_bin(svc_start_t) corecmd_exec_shell(svc_start_t) -@@ -105,5 +111,9 @@ ++corenet_tcp_bind_generic_node(svc_start_t) ++corenet_tcp_bind_generic_port(svc_start_t) ++ ++term_write_console(svc_start_t) ++ + files_read_etc_files(svc_start_t) + files_read_etc_runtime_files(svc_start_t) files_search_var(svc_start_t) files_search_pids(svc_start_t) @@ -32451,7 +32948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-02-09 08:53:48.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-02-11 12:30:41.000000000 -0500 @@ -101,6 +101,7 @@ kernel_read_kernel_sysctls(auditctl_t) @@ -32575,6 +33072,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin postgresql_stream_connect(syslogd_t) ') +@@ -473,6 +502,10 @@ + ') + + optional_policy(` ++ daemontools_search_svc_dir(syslogd_t) ++') ++ ++optional_policy(` + udev_read_db(syslogd_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.8/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/system/lvm.te 2010-02-02 10:31:03.000000000 -0500 
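Review bot: `corenet_tcp_bind_generic_port(svc_start_t)` and `corenet_tcp_bind_generic_node(svc_start_t)` let the svc/svscan/supervise domain listen on any TCP port that has no type of its own, and nothing in the hunk says which service needs that. If this is for a supervised daemon that binds before transitioning to its own domain, that reason belongs in a comment above the two lines. Where the port is known, a specific port type would be preferable to `generic_port`. Suggested comment: `# needed by <service> started under supervise; binds <port> before its domain transition`. The svc_start_t section begins outside this hunk.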
@@ -35304,7 +35812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 17:23:48.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-11 15:04:39.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -36034,7 +36542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_run($1_t, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` @@ -37936,7 +38444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.8/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt 2010-02-08 12:51:47.000000000 -0500 ++++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt 2010-02-11 12:08:23.000000000 -0500 @@ -28,7 +28,7 @@ # # All socket classes. 
@@ -37982,7 +38490,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -305,7 +308,8 @@ +@@ -271,7 +274,8 @@ + define(`read_blk_file_perms',`{ getattr open read lock ioctl }') + define(`append_blk_file_perms',`{ getattr open append lock ioctl }') + define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') +-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }') ++define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }') ++define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }') + define(`create_blk_file_perms',`{ getattr create }') + define(`rename_blk_file_perms',`{ getattr rename }') + define(`delete_blk_file_perms',`{ getattr unlink }') +@@ -288,7 +292,8 @@ + define(`read_chr_file_perms',`{ getattr open read lock ioctl }') + define(`append_chr_file_perms',`{ getattr open append lock ioctl }') + define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') +-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }') ++define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }') ++define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }') + define(`create_chr_file_perms',`{ getattr create }') + define(`rename_chr_file_perms',`{ getattr rename }') + define(`delete_chr_file_perms',`{ getattr unlink }') +@@ -305,7 +310,8 @@ # # Use (read and write) terminals # @@ -37992,7 +38520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets # # Sockets -@@ -317,3 +321,14 @@ +@@ -317,3 +323,14 @@ # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 075329c..4e40b6a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.8 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,9 @@ exit 0 %endif %changelog +* Thu Feb 11 2010 Dan Walsh 3.7.8-11 +- Allow sandbox to work with MLS + * Tue Feb 9 2010 Dan Walsh 3.7.8-9 - Make Chrome work with staff user