diff --git a/policy-20090105.patch b/policy-20090105.patch
index 49fb286..553f80c 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -5130,7 +5130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.3/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/files.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/files.if	2009-01-21 17:33:03.000000000 -0500
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5340,7 +5340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -4921,3 +5036,71 @@
+@@ -4921,3 +5036,95 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -5412,6 +5412,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	manage_lnk_files_pattern($1,var_run_t,var_run_t)
 +')
++
++########################################
++## <summary>
++##	manage generic symbolic links
++##	in the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_boot',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:blk_file manage_blk_file_perms;
++	allow $1 root_t:chr_file manage_chr_file_perms;
++	manage_dirs_pattern($1, root_t, root_t)
++	manage_files_pattern($1, root_t, root_t)
++	manage_lnk_files_pattern($1, root_t, root_t)
++	can_exec(kernel_t, root_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.3/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/files.te	2009-01-19 13:10:02.000000000 -0500
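Review bot: In the new `files_boot` interface, `can_exec(kernel_t, root_t)` hard-codes `kernel_t` instead of using `$1`, and `kernel_t` is not declared in the `gen_require` block. A caller passing any other domain would get the manage rules for itself but the execute rule would still go to `kernel_t`; `can_exec($1, root_t)` keeps the interface self-contained. The summary block is copied from the preceding /var/run symlink interface and does not describe what is granted here, which is manage access to `root_t` directories, files, symlinks, block and character devices, plus execute. It should be rewritten along the lines of `Manage and execute all objects labeled root_t.`, with a note on the intended caller. The only caller visible in this patch is `files_boot(kernel_t)` in kernel.te.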
@@ -5890,7 +5914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.3/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if	2009-01-20 16:17:37.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if	2009-01-21 17:29:54.000000000 -0500
 @@ -1197,6 +1197,7 @@
  	')
  
@@ -5997,7 +6021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.3/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te	2009-01-20 17:15:33.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te	2009-01-21 17:46:13.000000000 -0500
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -6061,11 +6085,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mcs_process_set_categories(kernel_t)
  
-@@ -267,12 +287,17 @@
+@@ -267,12 +287,18 @@
  mls_process_write_down(kernel_t)
  mls_file_write_all_levels(kernel_t)
  mls_file_read_all_levels(kernel_t) 
 +mls_socket_write_all_levels(kernel_t) 
++mls_fd_share_all_levels(kernel_t) 
 +
 +logging_manage_generic_logs(kernel_t)
  
@@ -6079,7 +6104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`read_default_t',`
  	files_list_default(kernel_t)
  	files_read_default_files(kernel_t)
-@@ -357,6 +382,10 @@
+@@ -357,6 +383,10 @@
  	unconfined_domain(kernel_t)
  ')
  
@@ -6090,6 +6115,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Unlabeled process local policy
+@@ -386,3 +416,5 @@
+ allow kern_unconfined unlabeled_t:association *;
+ allow kern_unconfined unlabeled_t:packet *;
+ allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
++
++files_boot(kernel_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.3/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/selinux.if	2009-01-19 13:32:33.000000000 -0500
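Review bot: `files_boot(kernel_t)` is appended at the very end of kernel.te, directly below the `kern_unconfined` / `unlabeled_t` rules in the "Unlabeled process local policy" section, with no comment and no guard. Because the interface gives kernel_t manage access to every `root_t` file, directory and device node, the call would be easier to audit next to the other kernel_t file rules. It also needs a comment stating the reason, e.g. `# kernel_t needs to manage and execute root_t content during early boot` (wording to be confirmed by the author, since the reason is not visible in this patch).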
@@ -6197,8 +6228,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.6.3/policy/modules/roles/auditadm.te
 --- nsaserefpolicy/policy/modules/roles/auditadm.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/roles/auditadm.te	2009-01-19 13:10:02.000000000 -0500
-@@ -32,158 +32,18 @@
++++ serefpolicy-3.6.3/policy/modules/roles/auditadm.te	2009-01-21 17:30:16.000000000 -0500
+@@ -17,6 +17,8 @@
+ 
+ allow auditadm_t self:capability { dac_read_search dac_override };
+ 
++kernel_read_ring_buffer(auditadm_t)
++
+ corecmd_exec_shell(auditadm_t)
+ 
+ domain_kill_all_domains(auditadm_t)
+@@ -32,158 +34,18 @@
  seutil_read_bin_policy(auditadm_t)
  
  optional_policy(`
@@ -21808,13 +21848,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-21 13:00:55.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-21 16:53:49.000000000 -0500
 @@ -53,7 +53,7 @@
  # virtd local policy
  #
  
 -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
-+allow virtd_t self:capability { dac_override kill net_admin  net_raw setuid setgid sys_nice sys_ptrace };
++allow virtd_t self:capability { dac_override kill net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
  allow virtd_t self:process { getsched sigkill signal execmem };
  allow virtd_t self:fifo_file rw_file_perms;
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
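Review bot: Adding `sys_admin` to the virtd_t capability set is a large widening that the patch does not explain. CAP_SYS_ADMIN covers mount, namespace and many device-control operations, and virtd_t already holds `dac_override`, `sys_ptrace` and `execmem` on the lines shown here. A comment above the rule naming the operation that produced the denial, e.g. `# sys_admin: needed for <operation>, see <bug reference>`, would let the grant be revisited later. If only an optional feature needs it, the capability could sit in its own `allow virtd_t self:capability sys_admin;` under the matching `optional_policy` or tunable rather than in the base rule.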
@@ -23974,7 +24014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-20 17:11:43.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-21 17:45:29.000000000 -0500
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -24077,11 +24117,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  can_exec(initrc_t,initrc_tmp_t)
  allow initrc_t initrc_tmp_t:file manage_file_perms;
-@@ -249,15 +278,18 @@
+@@ -249,15 +278,19 @@
  kernel_rw_all_sysctls(initrc_t)
  # for lsof which is used by alsa shutdown:
  kernel_dontaudit_getattr_message_if(initrc_t)
 +kernel_stream_connect(initrc_t)
++files_read_kernel_modules(initrc_t)
  
  files_read_kernel_symbol_table(initrc_t)
 +files_exec_etc_files(initrc_t)
@@ -24100,7 +24141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -274,7 +306,7 @@
+@@ -274,7 +307,7 @@
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
@@ -24109,7 +24150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -328,7 +360,7 @@
+@@ -328,7 +361,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -24118,7 +24159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -367,6 +399,7 @@
+@@ -367,6 +400,7 @@
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
  
@@ -24126,7 +24167,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -498,6 +531,7 @@
+@@ -451,7 +485,7 @@
+ 
+ 	# Red Hat systems seem to have a stray
+ 	# fd open from the initrd
+-	kernel_dontaudit_use_fds(initrc_t)
++	kernel_use_fds(initrc_t)
+ 	files_dontaudit_read_root_files(initrc_t)
+ 
+ 	selinux_set_enforce_mode(initrc_t)
+@@ -498,6 +532,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
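Review bot: The comment kept above the changed line (`Red Hat systems seem to have a stray fd open from the initrd`) justified silencing a denial, but the rule is now `kernel_use_fds(initrc_t)`, a real allow, so the comment no longer matches the policy. If initrc_t does need to use descriptors inherited from kernel_t, the comment should say so, e.g. `# initrc scripts inherit and use fds opened by the kernel during initrd`. The adjacent `files_dontaudit_read_root_files(initrc_t)` stays a dontaudit, so that asymmetry deserves a line of explanation too. The same `kernel_use_fds` allow is added for mount_t in the mount.te hunk further down, also without a comment.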
@@ -24134,7 +24184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	optional_policy(`
-@@ -516,6 +550,31 @@
+@@ -516,6 +551,31 @@
  	')
  ')
  
@@ -24166,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +629,10 @@
+@@ -570,6 +630,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -24177,7 +24227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -655,12 +718,6 @@
+@@ -655,12 +719,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -24190,7 +24240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -721,6 +778,9 @@
+@@ -721,6 +779,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -24200,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -733,10 +793,12 @@
+@@ -733,10 +794,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -24213,7 +24263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +816,11 @@
+@@ -754,6 +817,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -24225,7 +24275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -768,6 +835,10 @@
+@@ -768,6 +836,10 @@
  ')
  
  optional_policy(`
@@ -24236,7 +24286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +861,11 @@
+@@ -790,3 +862,11 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -25246,7 +25296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.3/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/mount.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/mount.te	2009-01-21 17:47:52.000000000 -0500
 @@ -18,17 +18,18 @@
  init_system_domain(mount_t,mount_exec_t)
  role system_r types mount_t;
@@ -25279,7 +25329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -47,12 +49,18 @@
+@@ -47,12 +49,19 @@
  
  files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
  
@@ -25291,6 +25341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_search_debugfs(mount_t)
 +kernel_setsched(mount_t)
++kernel_use_fds(mount_t)
  
  dev_getattr_all_blk_files(mount_t)
  dev_list_all_dev_nodes(mount_t)
@@ -25298,7 +25349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_rw_lvm_control(mount_t)
  dev_dontaudit_getattr_all_chr_files(mount_t)
  dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +70,19 @@
+@@ -62,16 +71,19 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -25321,7 +25372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  term_use_all_terms(mount_t)
  
-@@ -79,6 +90,7 @@
+@@ -79,6 +91,7 @@
  corecmd_exec_bin(mount_t)
  
  domain_use_interactive_fds(mount_t)
@@ -25329,7 +25380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_search_all(mount_t)
  files_read_etc_files(mount_t)
-@@ -87,7 +99,7 @@
+@@ -87,7 +100,7 @@
  files_mounton_all_mountpoints(mount_t)
  files_unmount_rootfs(mount_t)
  # These rules need to be generalized.  Only admin, initrc should have it:
@@ -25338,7 +25389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -100,6 +112,8 @@
+@@ -100,6 +113,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -25347,7 +25398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_use_nsswitch(mount_t)
  
-@@ -116,6 +130,7 @@
+@@ -116,6 +131,7 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -25355,7 +25406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -133,7 +148,7 @@
+@@ -133,7 +149,7 @@
  
  tunable_policy(`allow_mount_anyfile',`
  	auth_read_all_dirs_except_shadow(mount_t)
@@ -25364,7 +25415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	files_mounton_non_security(mount_t)
  ')
  
-@@ -141,16 +156,16 @@
+@@ -141,16 +157,16 @@
  	# for nfs
  	corenet_all_recvfrom_unlabeled(mount_t)
  	corenet_all_recvfrom_netlabel(mount_t)
@@ -25389,7 +25440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -164,6 +179,8 @@
+@@ -164,6 +180,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -25398,7 +25449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -171,6 +188,15 @@
+@@ -171,6 +189,15 @@
  ')
  
  optional_policy(`
@@ -25414,7 +25465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +204,11 @@
+@@ -178,6 +205,11 @@
  	')
  ')
  
@@ -25426,7 +25477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -185,6 +216,7 @@
+@@ -185,6 +217,7 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -25434,7 +25485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -195,4 +227,26 @@
+@@ -195,4 +228,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9ea2280..4a8d7b3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -445,7 +445,7 @@ exit 0
 %endif
 
 %changelog
-* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-5
+* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-6
 - Add wm policy
 - Make mls work in graphics mode