diff --git a/policy-F15.patch b/policy-F15.patch
index bb4daba..6f8d414 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -10411,10 +10411,18 @@ index 3994e57..ee146ae 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 492bf76..87a6942 100644
+index 492bf76..a177011 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
-@@ -292,9 +292,11 @@ interface(`term_use_console',`
+@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`term_use_console',`
+ gen_require(`
+@@ -292,9 +291,11 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@@ -10427,7 +10435,7 @@ index 492bf76..87a6942 100644
')
########################################
-@@ -334,7 +336,7 @@ interface(`term_relabel_console',`
+@@ -334,7 +335,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
@@ -10436,7 +10444,7 @@ index 492bf76..87a6942 100644
')
########################################
-@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -848,7 +849,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -10445,7 +10453,7 @@ index 492bf76..87a6942 100644
')
########################################
-@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1116,7 +1117,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -10454,7 +10462,7 @@ index 492bf76..87a6942 100644
')
########################################
-@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1215,7 +1216,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -10463,7 +10471,7 @@ index 492bf76..87a6942 100644
')
########################################
-@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1231,11 +1232,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -10477,7 +10485,7 @@ index 492bf76..87a6942 100644
')
########################################
-@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1252,10 +1255,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -10490,7 +10498,7 @@ index 492bf76..87a6942 100644
')
########################################
-@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1294,7 +1299,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -10499,7 +10507,7 @@ index 492bf76..87a6942 100644
')
########################################
-@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1352,7 +1357,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -13304,7 +13312,7 @@ index ceb2142..e31d92a 100644
')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index c3a1903..ec40291 100644
+index c3a1903..b0e48c6 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
@@ -13325,6 +13333,14 @@ index c3a1903..ec40291 100644
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t)
+
+ # find perl
+ corecmd_exec_bin(amavis_t)
++corecmd_exec_shell(amavis_t)
+
+ corenet_all_recvfrom_unlabeled(amavis_t)
+ corenet_all_recvfrom_netlabel(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..3bfac20 100644
--- a/policy/modules/services/apache.fc
@@ -16148,10 +16164,10 @@ index fa62787..ffd0da5 100644
admin_pattern($1, certmaster_etc_rw_t)
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
-index 73f03ff..dbfd0a6 100644
+index 73f03ff..d5c4c94 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
-@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
@@ -16166,7 +16182,12 @@ index 73f03ff..dbfd0a6 100644
# read meminfo
kernel_read_system_state(certmaster_t)
-@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
+
+-corecmd_search_bin(certmaster_t)
+-corecmd_getattr_bin_files(certmaster_t)
++corecmd_exec_bin(certmaster_t)
+
+ corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)
files_search_etc(certmaster_t)
@@ -18940,7 +18961,7 @@ index 0a1a61b..da508f4 100644
allow $1 ddclient_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
-index 24ba98a..0910356 100644
+index 24ba98a..41559cf 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
@@ -18953,13 +18974,15 @@ index 24ba98a..0910356 100644
type ddclient_var_t;
files_type(ddclient_var_t)
-@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms;
+@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms;
allow ddclient_t self:fifo_file rw_fifo_file_perms;
allow ddclient_t self:tcp_socket create_socket_perms;
allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
- allow ddclient_t ddclient_etc_t:file read_file_perms;
+-allow ddclient_t ddclient_etc_t:file read_file_perms;
++read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
++setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
allow ddclient_t ddclient_log_t:file manage_file_perms;
logging_log_filetrans(ddclient_t, ddclient_log_t, file)
@@ -18970,7 +18993,7 @@ index 24ba98a..0910356 100644
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+@@ -74,6 +82,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
@@ -18979,7 +19002,7 @@ index 24ba98a..0910356 100644
corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
-@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t)
+@@ -89,6 +99,8 @@ files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
@@ -23191,6 +23214,18 @@ index ae9d49f..65e6d81 100644
manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc
+index 49e04e5..69db026 100644
+--- a/policy/modules/services/lircd.fc
++++ b/policy/modules/services/lircd.fc
+@@ -2,6 +2,7 @@
+
+ /etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+ /etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
++/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
+
+ /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
+
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
index 6a78de1..b229ba0 100644
--- a/policy/modules/services/lircd.te
@@ -31725,6 +31760,16 @@ index 779fa44..0155ca7 100644
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
+diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
+index 5c70c0c..6842295 100644
+--- a/policy/modules/services/rpc.fc
++++ b/policy/modules/services/rpc.fc
+@@ -29,3 +29,5 @@
+
+ /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
++
++/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index cda37bb..484e552 100644
--- a/policy/modules/services/rpc.if
@@ -40449,7 +40494,7 @@ index 9775375..41a244a 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index df3fa64..852a6ad 100644
+index df3fa64..b123b4a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -40476,7 +40521,7 @@ index df3fa64..852a6ad 100644
')
typeattribute $1 daemon;
-@@ -205,6 +211,20 @@ interface(`init_daemon_domain',`
+@@ -205,6 +211,21 @@ interface(`init_daemon_domain',`
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -40493,11 +40538,12 @@ index df3fa64..852a6ad 100644
+ tunable_policy(`init_systemd',`
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
++ dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };
+ ')
# daemons started from init will
# inherit fds from init for the console
-@@ -285,7 +305,7 @@ interface(`init_ranged_daemon_domain',`
+@@ -285,7 +306,7 @@ interface(`init_ranged_daemon_domain',`
type initrc_t;
')
@@ -40506,7 +40552,7 @@ index df3fa64..852a6ad 100644
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
-@@ -336,8 +356,10 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,8 +357,10 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@@ -40517,7 +40563,7 @@ index df3fa64..852a6ad 100644
')
application_domain($1,$2)
-@@ -345,6 +367,19 @@ interface(`init_system_domain',`
+@@ -345,6 +368,19 @@ interface(`init_system_domain',`
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -40537,7 +40583,7 @@ index df3fa64..852a6ad 100644
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -353,6 +388,37 @@ interface(`init_system_domain',`
+@@ -353,6 +389,37 @@ interface(`init_system_domain',`
kernel_dontaudit_use_fds($1)
')
')
@@ -40575,7 +40621,7 @@ index df3fa64..852a6ad 100644
')
########################################
-@@ -687,19 +753,24 @@ interface(`init_telinit',`
+@@ -687,19 +754,24 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -40601,7 +40647,7 @@ index df3fa64..852a6ad 100644
')
')
-@@ -772,18 +843,19 @@ interface(`init_script_file_entry_type',`
+@@ -772,18 +844,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -40625,7 +40671,7 @@ index df3fa64..852a6ad 100644
')
')
-@@ -799,23 +871,45 @@ interface(`init_spec_domtrans_script',`
+@@ -799,23 +872,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -40675,7 +40721,7 @@ index df3fa64..852a6ad 100644
## Execute a init script in a specified domain.
## </summary>
## <desc>
-@@ -867,8 +961,12 @@ interface(`init_script_file_domtrans',`
+@@ -867,8 +962,12 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -40688,7 +40734,7 @@ index df3fa64..852a6ad 100644
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1129,12 +1227,7 @@ interface(`init_read_script_state',`
+@@ -1129,12 +1228,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -40702,7 +40748,7 @@ index df3fa64..852a6ad 100644
')
########################################
-@@ -1374,6 +1467,27 @@ interface(`init_dbus_send_script',`
+@@ -1374,6 +1468,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -40730,7 +40776,7 @@ index df3fa64..852a6ad 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1460,6 +1574,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1460,6 +1575,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -40756,7 +40802,7 @@ index df3fa64..852a6ad 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1673,7 +1806,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1673,7 +1807,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -40765,7 +40811,7 @@ index df3fa64..852a6ad 100644
')
########################################
-@@ -1748,3 +1881,74 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1748,3 +1882,74 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1c1d405..0c5a81d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.9
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
%endif
%changelog
+* Mon Nov 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-4
+- Allow ddclient to fix file mode bits of ddclient conf file
+- init leaks file descriptors to daemons
+- Add labels for /etc/lirc/ and
+- Allow amavis_t to exec shell
+- Add label for gssd_tmp_t for /var/tmp/nfs_0
+
* Thu Nov 18 2010 Dan Walsh <dwalsh@redhat.com> 3.9.9-3
- Put back in lircd_etc_t so policy will install