diff --git a/policy-20080710.patch b/policy-20080710.patch
index cce5e88..b570c5c 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -6953,7 +6953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## all protocols (TCP, UDP, etc)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-21 11:21:45.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-24 08:28:13.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -6983,7 +6983,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# create child processes in the domain
allow domain self:process { fork sigchld };
-@@ -131,6 +141,9 @@
+@@ -113,6 +123,7 @@
+ optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
++ xserver_dontaudit_rw_xdm_home_files(domain)
+ ')
+
+ ########################################
+@@ -131,6 +142,9 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
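Review bot: The new `xserver_dontaudit_rw_xdm_home_files(domain)` at L22 suppresses denials for every confined domain on the system, and the surrounding xserver block carries no comment saying why a rule that broad is wanted. Because the `domain` attribute covers all processes, a daemon that genuinely needs to write an xdm home file will now fail without any AVC record, and an operator will have to rebuild with dontaudit rules disabled (`semodule -DB`) to see it; the spec changelog explains the intent but the policy does not. Add `# hide write denials on .xsession-errors, presumably inherited as stderr by anything started from an X session` above the call so the trade-off is visible where the rule lives. The enclosing optional_policy block starts outside the hunk.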
@@ -6993,7 +7001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -140,7 +153,7 @@
+@@ -140,7 +154,7 @@
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -7002,7 +7010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
-@@ -148,3 +161,39 @@
+@@ -148,3 +162,39 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7063,7 +7071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-10-24 08:41:49.000000000 -0400
@@ -110,6 +110,11 @@
##
#
@@ -7076,7 +7084,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_type($1)
')
-@@ -1303,6 +1308,24 @@
+@@ -1060,6 +1065,24 @@
+ ##
+ ##
+ #
++interface(`files_relabel_all_file_type_fs',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:filesystem { relabelfrom relabelto };
++')
++
++########################################
++##
++## Relabel a filesystem to the type of a file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+ interface(`files_relabelto_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+@@ -1303,6 +1326,24 @@
########################################
##
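Review bot: The new `files_relabel_all_file_type_fs` interface at L60 is inserted directly under the doc block that previously described `files_relabelto_all_file_type_fs`, while the doc block added at L68-77 still reads `## Relabel a filesystem to the type of a file.` — so, as far as the hunk shows, the relabelfrom+relabelto interface inherits the relabelto-only summary and the relabelto interface gets a copy of it. The original summary text is outside the hunk, so confirm; if it matches, change the summary that ends up above `files_relabel_all_file_type_fs` to `## Relabel a filesystem to and from the type of any file.` Granting `relabelfrom` on every `file_type` filesystem is considerably wider than `relabelto` alone, so the summary matters to anyone auditing callers such as mount_t.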
@@ -7101,7 +7134,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Unmount a rootfs filesystem.
##
##
-@@ -1889,6 +1912,26 @@
+@@ -1889,6 +1930,26 @@
########################################
##
@@ -7128,7 +7161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write generic files in /etc.
##
##
-@@ -2224,6 +2267,49 @@
+@@ -2224,6 +2285,49 @@
########################################
##
@@ -7178,7 +7211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
-@@ -2744,6 +2830,24 @@
+@@ -2744,6 +2848,24 @@
########################################
##
@@ -7203,7 +7236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete symbolic links in /mnt.
##
##
-@@ -3394,6 +3498,8 @@
+@@ -3394,6 +3516,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -7212,7 +7245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3471,6 +3577,47 @@
+@@ -3471,6 +3595,47 @@
########################################
##
@@ -7260,7 +7293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Get the attributes of files in /usr.
##
##
-@@ -3547,6 +3694,24 @@
+@@ -3547,6 +3712,24 @@
########################################
##
@@ -7285,7 +7318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Relabel a file to the type used in /usr.
##
##
-@@ -4433,6 +4598,25 @@
+@@ -4433,6 +4616,25 @@
########################################
##
@@ -7311,7 +7344,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write generic process ID files.
##
##
-@@ -4761,12 +4945,14 @@
+@@ -4761,12 +4963,14 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -7327,7 +7360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -4787,3 +4973,71 @@
+@@ -4787,3 +4991,71 @@
typeattribute $1 files_unconfined_type;
')
@@ -7894,7 +7927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-14 11:58:07.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-10-24 08:34:16.000000000 -0400
@@ -21,7 +21,6 @@
# Use xattrs for the following filesystem types.
@@ -7915,15 +7948,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
-@@ -141,6 +145,7 @@
+@@ -141,6 +145,8 @@
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
++genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)
type vxfs_t;
fs_noxattr_type(vxfs_t)
-@@ -241,6 +246,7 @@
+@@ -241,6 +247,7 @@
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
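Review bot: The `genfscon vmhgfs` line at L173 labels an entire filesystem as `vmblock_t`, the non-xattr mountpoint type also used for `vboxsf` one line earlier, but neither line says why host/guest shared-folder filesystems are grouped under vmblock. Because a root-path genfscon gives every inode on the mount the same type, any domain granted access to vmblock_t sees the whole host share; a comment such as `# host-provided shared folders (vboxsf, vmhgfs) carry no xattr labels; label like vmblock` would make that reviewable without re-checking the filesystem's xattr support. I am inferring the vmhgfs semantics from the name, so adjust the wording if the driver differs.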
@@ -12391,7 +12425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-23 17:00:09.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-24 08:57:55.000000000 -0400
@@ -35,39 +35,24 @@
#
template(`cron_per_role_template',`
@@ -12744,7 +12778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
-+## Manage lib files used by cron
++## Manage pid files used by cron
+##
+##
+##
@@ -12752,13 +12786,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+##
+#
-+interface(`cron_manage_lib_files',`
++interface(`cron_manage_pid_files',`
+ gen_require(`
-+ type crond_var_lib_t;
++ type crond_var_run_t;
+ ')
+
+
-+ manage_files_pattern($1, crond_var_lib_t, crond_var_lib_t)
++ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
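Review bot: `cron_manage_pid_files` at L204-213 grants manage permissions on `crond_var_run_t` files but gives the caller no search access to the pid directory, so a domain that does not already have it from elsewhere cannot reach the files under /var/run. Refpolicy pid-file interfaces typically include that call; add `files_search_pids($1)` immediately before the `manage_files_pattern` line. The doubled blank line at L209-210 is a leftover from the earlier revision and can be collapsed.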
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400
@@ -13652,7 +13686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-17 17:55:07.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-24 09:08:08.000000000 -0400
@@ -53,19 +53,19 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -13881,7 +13915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read dbus configuration.
##
##
-@@ -366,3 +440,99 @@
+@@ -366,3 +440,120 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -13936,6 +13970,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dbus_system_bus_client_template($1, $1)
+ dbus_connect_system_bus($1)
+
++ ifdef(`hide_broken_symptoms', `
++ dbus_dontaudit_rw_system_selinux_socket($1)
++ ');
+')
+
+########################################
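Review bot: The `');` at L239 closes the `ifdef` with a trailing `;` that m4 passes straight through into the expanded policy as a bare semicolon outside any statement, unlike the plain `')` used to close every other block in this file (L240, L246). Change it to `')`; even if checkmodule happens to tolerate an empty statement, the stray character is noise that will be copied into the next interface written from this one. The enclosing interface begins before the hunk.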
@@ -13981,6 +14018,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ dontaudit $2 dbusd_userbus:unix_stream_socket connectto;
+')
++
++########################################
++##
++## dontaudit attempts to use system_dbus_t selinux_socket
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_dontaudit_rw_system_selinux_socket',`
++ gen_require(`
++ type system_dbusd_t;
++ ')
++
++ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
++')
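Review bot: The summary at L250 names `system_dbus_t selinux_socket`, but the rule at L263 is on `system_dbusd_t:netlink_selinux_socket`; the doc should use the real type and object class so a text search for either one finds this interface, e.g. `## Do not audit attempts to read and write the system dbus daemon's netlink_selinux_socket.` The only visible caller (L238) is wrapped in `hide_broken_symptoms`, which suggests the socket reaches the client as a leaked descriptor rather than a real access need; saying so in the doc block explains why this is a dontaudit and not an allow.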
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.13/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.te 2008-10-17 17:54:43.000000000 -0400
@@ -14622,7 +14677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-23 16:59:49.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-24 08:57:28.000000000 -0400
@@ -10,6 +10,9 @@
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
@@ -14682,7 +14737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- nis_use_ypbind(dnsmasq_t)
-+ cron_manage_lib_files(crond_var_lib_t)
++ cron_manage_pid_files(dnsmasq_t)
')
optional_policy(`
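Review bot: `cron_manage_pid_files(dnsmasq_t)` at L281 gives the DNS/DHCP daemon create, write and delete access to the cron daemon's own pid-file type, and nothing in the hunk records which file or workflow triggers that. Add a comment on the line above it, e.g. `# manages <file under /var/run labeled crond_var_run_t> — placeholder`, so a later audit can distinguish an intended rule from a mislabeled file that should instead get its own context in dnsmasq.fc. The call it replaces, `cron_manage_lib_files(crond_var_lib_t)`, passed a type where the interface expects a domain, so the correction itself is right.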
@@ -17899,7 +17954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.13/policy/modules/services/pads.te
--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-10-24 08:49:04.000000000 -0400
@@ -0,0 +1,68 @@
+
+policy_module(pads, 0.0.1)
@@ -17940,7 +17995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
-+corecmd_search_sbin(pads_t)
++corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
@@ -19691,7 +19746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-23 14:47:03.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-24 09:28:30.000000000 -0400
@@ -13,25 +13,57 @@
type prelude_spool_t;
files_type(prelude_spool_t)
@@ -19785,6 +19840,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(prelude_t)
+@@ -89,7 +132,7 @@
+ #
+ # prelude_audisp local policy
+ #
+-
++allow prelude_audisp_t self:capability dac_override;
+ allow prelude_audisp_t self:fifo_file rw_file_perms;
+ allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
@@ -110,6 +153,7 @@
corenet_tcp_sendrecv_all_if(prelude_audisp_t)
corenet_tcp_sendrecv_all_nodes(prelude_audisp_t)
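Review bot: `allow prelude_audisp_t self:capability dac_override;` at L318 adds a capability that bypasses every DAC permission check, with no comment on which access needs it. For a daemon the usual cause is a file or socket owned by another user (here plausibly the audit dispatcher's socket or prelude's own spool/config), where fixing ownership or, for read-only access, the narrower `dac_read_search` is enough; add `# dac_override: <file or socket accessed as non-owner> — placeholder` above the rule or narrow it. The inner hunk is complete; the rest of prelude_audisp_t's rules are outside the outer hunk.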
@@ -19793,7 +19857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t)
-@@ -117,15 +161,143 @@
+@@ -117,15 +161,139 @@
# Init script handling
domain_use_interactive_fds(prelude_audisp_t)
@@ -19817,7 +19881,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+allow prelude_correlator_t self:capability dac_override;
-+
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
@@ -19827,7 +19890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+prelude_manage_spool(prelude_correlator_t)
+
-+corecmd_search_sbin(prelude_correlator_t)
++corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
@@ -19844,8 +19907,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
-+kernel_read_sysctl(prelude_correlator_t)
-+
+libs_use_ld_so(prelude_correlator_t)
+libs_use_shared_libs(prelude_correlator_t)
+
@@ -19910,8 +19971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+fs_list_inotifyfs(prelude_lml_t)
+fs_read_anon_inodefs_files(prelude_lml_t)
-+
-+kernel_read_sysctl(prelude_lml_t)
++fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
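Review bot: With `fs_rw_anon_inodefs_files(prelude_lml_t)` added at L364, the `fs_read_anon_inodefs_files(prelude_lml_t)` kept at L361 becomes redundant, since the rw file permissions already include the read set; drop L361 so the access is stated once. `kernel_read_sysctl` is removed for prelude_lml_t here and for prelude_correlator_t at L353 without a line in the spec changelog; fine if it was never needed, but worth a mention since it changes what the daemons can read.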
@@ -19937,12 +19997,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# prewikka_cgi Declarations
-@@ -134,6 +306,17 @@
+@@ -134,6 +302,20 @@
optional_policy(`
apache_content_template(prewikka)
files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
++ kernel_read_sysctl(httpd_prewikka_script_t)
++ kernel_search_network_sysctl(httpd_prewikka_script_t)
++
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
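Review bot: `kernel_read_sysctl(httpd_prewikka_script_t)` at L379 grants a web CGI read access to all generic `sysctl_t` files, which is wider than the paired `kernel_search_network_sysctl` on the next line suggests is needed. If the denial being chased is under /proc/sys/net, `kernel_read_net_sysctls(httpd_prewikka_script_t)` covers that subtree and can, I believe, replace both lines; if it is some other sysctl, a comment naming it would justify the broader rule. The enclosing optional_policy block starts at L374 and ends outside the hunk.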
@@ -23701,6 +23764,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.13/policy/modules/services/tor.te
+--- nsaserefpolicy/policy/modules/services/tor.te 2008-10-16 17:21:16.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/tor.te 2008-10-24 08:19:01.000000000 -0400
+@@ -34,7 +34,7 @@
+ # tor local policy
+ #
+
+-allow tor_t self:capability { setgid setuid };
++allow tor_t self:capability { setgid setuid sys_tty_config };
+ allow tor_t self:fifo_file rw_fifo_file_perms;
+ allow tor_t self:unix_stream_socket create_stream_socket_perms;
+ allow tor_t self:netlink_route_socket r_netlink_socket_perms;
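Review bot: Adding `sys_tty_config` to tor_t's capability set at L397 grants a capability a network daemon is unlikely to need; in refpolicy this denial is commonly a harmless terminal ioctl at startup and is handled with a dontaudit rather than an allow. Keep L397 as `allow tor_t self:capability { setgid setuid };` and add `dontaudit tor_t self:capability sys_tty_config;` on the following line, unless tor demonstrably fails without it. This tor.te section is new in this patch revision and has no corresponding changelog line.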
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-10-17 10:31:27.000000000 -0400
@@ -24039,7 +24114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-23 17:14:25.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-24 08:25:44.000000000 -0400
@@ -16,6 +16,7 @@
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -26652,7 +26727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-20 14:36:54.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-24 08:50:27.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart,false)
@@ -26755,7 +26830,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(initrc_t,initrc_tmp_t)
allow initrc_t initrc_tmp_t:file manage_file_perms;
-@@ -276,7 +305,7 @@
+@@ -253,6 +282,7 @@
+ kernel_dontaudit_getattr_message_if(initrc_t)
+
+ files_read_kernel_symbol_table(initrc_t)
++files_exec_etc_files(initrc_t)
+
+ corenet_all_recvfrom_unlabeled(initrc_t)
+ corenet_all_recvfrom_netlabel(initrc_t)
+@@ -276,7 +306,7 @@
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
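Review bot: `files_exec_etc_files(initrc_t)` at L430 lets init scripts execute anything labeled `etc_t`, i.e. every generic file under /etc, but no comment says which script prompted it. Scripts meant to be run from init normally get a `bin_t` or script-specific context in a .fc file, so a label fix may be the narrower answer; otherwise add `# initrc executes <script under /etc> — placeholder` above the line so the wide rule stays traceable. The inner hunk at L426 is complete; the remaining initrc_t rules lie outside the outer hunk.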
@@ -26764,7 +26847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -330,7 +359,7 @@
+@@ -330,7 +360,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -26773,7 +26856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -371,6 +400,7 @@
+@@ -371,6 +401,7 @@
libs_use_shared_libs(initrc_t)
libs_exec_lib_files(initrc_t)
@@ -26781,7 +26864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -503,6 +533,7 @@
+@@ -503,6 +534,7 @@
optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
@@ -26789,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -521,6 +552,31 @@
+@@ -521,6 +553,31 @@
')
')
@@ -26821,18 +26904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -536,6 +592,10 @@
- ')
-
- optional_policy(`
-+ automount_exec_config(initrc_t)
-+')
-+
-+optional_policy(`
- bind_read_config(initrc_t)
-
- # for chmod in start script
-@@ -575,6 +635,10 @@
+@@ -575,6 +632,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -26843,7 +26915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
networkmanager_dbus_chat(initrc_t)
')
')
-@@ -660,12 +724,6 @@
+@@ -660,12 +721,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -26856,7 +26928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
-@@ -726,6 +784,9 @@
+@@ -726,6 +781,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -26866,7 +26938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -738,10 +799,12 @@
+@@ -738,10 +796,12 @@
squid_manage_logs(initrc_t)
')
@@ -26879,7 +26951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -759,6 +822,11 @@
+@@ -759,6 +819,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -26891,7 +26963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_domain(initrc_t)
-@@ -773,6 +841,10 @@
+@@ -773,6 +838,10 @@
')
optional_policy(`
@@ -26902,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -795,3 +867,11 @@
+@@ -795,3 +864,11 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -27753,7 +27825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
samba_run_smbmount($1, $2, $3)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-20 11:20:42.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-24 08:40:39.000000000 -0400
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -27835,6 +27907,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_all(mount_t)
files_read_etc_files(mount_t)
+@@ -87,7 +98,7 @@
+ files_mounton_all_mountpoints(mount_t)
+ files_unmount_rootfs(mount_t)
+ # These rules need to be generalized. Only admin, initrc should have it:
+-files_relabelto_all_file_type_fs(mount_t)
++files_relabel_all_file_type_fs(mount_t)
+ files_mount_all_file_type_fs(mount_t)
+ files_unmount_all_file_type_fs(mount_t)
+ # for when /etc/mtab loses its type
@@ -100,6 +111,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
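Review bot: Switching mount_t from `files_relabelto_all_file_type_fs` to `files_relabel_all_file_type_fs` at L553 adds `relabelfrom` on every `file_type` filesystem, directly under the comment at L551 that already calls this rule too broad for mount. Record the mount operation that needs `relabelfrom` (presumably a remount with a `context=` option, but that is a guess) in that comment, e.g. `# relabelfrom needed for <operation> — placeholder`, so the widening can be revisited when the rule is generalized. The inner hunk is complete; the outer hunk ends mid-file.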
@@ -33169,15 +33250,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-24 08:13:54.000000000 -0400
-@@ -181,8 +181,8 @@
++++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-24 09:40:08.000000000 -0400
+@@ -181,8 +181,7 @@
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
@test -d $(@D) || mkdir -p $(@D)
- $(call peruser-expansion,$(basename $(@F)),$@.role)
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+# $(call peruser-expansion,$(basename $(@F)),$@.role)
-+# $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(m4support) %.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a4ee6cb..85971d3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -462,6 +462,9 @@ exit 0
%endif
%changelog
+* Thu Oct 23 2008 Dan Walsh 3.5.13-7
+- Dontaudit domains trying to write to .xsession-errors
+
* Thu Oct 23 2008 Dan Walsh 3.5.13-6
- Allow nsplugin to look at autofs_t directory