diff --git a/modules-targeted.conf b/modules-targeted.conf
index 199a810..6581e79 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -836,6 +836,13 @@ mount = base
#
mozilla = module
+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+#
+nslcd = module
+
# Layer: apps
# Module: nsplugin
#
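Review bot: Enabling `nslcd = module` here is not reflected in the spec changelog, which only records the kpropd tmp-file change, and nothing else in this diff adds nslcd policy sources to policy-F12.patch. If the nslcd module (its .te/.fc/.if files) is not already present in the serefpolicy-3.6.19 tarball, the targeted policy build will fail on the missing module, so that should be confirmed before this lands. The same changelog omission applies to the mozilla pty, polkit_dbus_chat, xserver_read_xdm_pid and userdomain.if changes in policy-F12.patch and to the policycoreutils-python Requires(pre) change in the spec; one line per change under 3.6.19-3 would make the release auditable.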
diff --git a/policy-F12.patch b/policy-F12.patch
index dadf3e9..652aaf1 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -2832,7 +2832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.18/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te 2009-06-24 08:35:55.000000000 -0400
@@ -105,6 +105,7 @@
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
@@ -2849,7 +2849,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(mozilla_t)
-@@ -243,6 +245,8 @@
+@@ -143,6 +145,7 @@
+ userdom_manage_user_tmp_dirs(mozilla_t)
+ userdom_manage_user_tmp_files(mozilla_t)
+ userdom_manage_user_tmp_sockets(mozilla_t)
++userdom_use_user_ptys(mozilla_t)
+
+ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+@@ -243,6 +246,8 @@
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
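Review bot: `userdom_use_user_ptys(mozilla_t)` widens the confined browser domain to read/write the user's pty devices, and the hunk gives no hint of which denial motivated it. Since this lets a compromised mozilla_t process write to the user's terminals, a short policy comment above the new line stating the trigger (for example `# needed to inherit the launching terminal's stdio`, if that is the case) would let later reviewers judge whether a narrower rule would do. The change is also absent from the spec changelog. The nested header renumbering (`@@ -243,6 +246,8 @@`) is consistent with the single added line.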
@@ -2858,7 +2866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -263,5 +267,10 @@
+@@ -263,5 +268,10 @@
')
optional_policy(`
@@ -14343,7 +14351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.18/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/services/kerberos.te 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/kerberos.te 2009-06-23 16:51:48.000000000 -0400
@@ -33,6 +33,7 @@
type kpropd_t;
type kpropd_exec_t;
@@ -14362,13 +14370,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# kadmind local policy
-@@ -281,7 +285,9 @@
+@@ -281,7 +285,13 @@
allow kpropd_t krb5_keytab_t:file read_file_perms;
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
++
++manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
++manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
++files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
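Review bot: The new kpropd rules reuse `krb5kdc_tmp_t`, so kpropd_t and, presumably, krb5kdc_t (the domain that owns that tmp type in refpolicy) can now manage each other's temporary files. If the two daemons never need to share /tmp content, a dedicated `kpropd_tmp_t` declared with `files_tmp_file()` would keep them separated; if sharing is intentional, a comment above the `manage_dirs_pattern` line saying so would save the next reader the question. The `files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })` line correctly labels what kpropd creates there, and the nested header count (`+285,13`) matches the four added lines.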
@@ -16949,8 +16961,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.18/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/polkit.if 2009-06-20 06:49:47.000000000 -0400
-@@ -0,0 +1,241 @@
++++ serefpolicy-3.6.18/policy/modules/services/polkit.if 2009-06-24 08:29:05.000000000 -0400
+@@ -0,0 +1,242 @@
+
+## policy for polkit_auth
+
@@ -17170,6 +17182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ polkit_run_grant($2, $1)
+ polkit_read_lib($2)
+ polkit_read_reload($2)
++ polkit_dbus_chat($2)
+')
+
+########################################
@@ -23396,7 +23409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.18/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/xserver.if 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/services/xserver.if 2009-06-24 08:47:55.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -23689,7 +23702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1159,6 +1263,275 @@
+@@ -1159,6 +1263,276 @@
########################################
##
@@ -23859,6 +23872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_read_xdm_tmp_files($1)
+ xserver_xdm_stream_connect($1)
+ xserver_setattr_xdm_tmp_dirs($1)
++ xserver_read_xdm_pid($1)
+
+ allow $1 xdm_t:x_client { getattr destroy };
+ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
@@ -23965,7 +23979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1172,7 +1545,103 @@
+@@ -1172,7 +1546,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -29177,7 +29191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.18/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/system/userdomain.if 2009-06-20 06:49:47.000000000 -0400
++++ serefpolicy-3.6.18/policy/modules/system/userdomain.if 2009-06-24 08:35:26.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -30100,19 +30114,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +961,33 @@
+@@ -899,28 +961,43 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_rw_config($1_usertype)
++ ')
++
++ optional_policy(`
++ apache_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_power_dbus_chat($1_usertype)
++ devicekit_disk_dbus_chat($1_usertype)
')
optional_policy(`
- dbus_role_template($1, $1_r, $1_t)
- dbus_system_bus_client($1_t)
-+ apache_role($1_r, $1_usertype)
-+ ')
++ gnomeclock_dbus_chat($1_t)
++ ')
optional_policy(`
- consolekit_dbus_chat($1_t)
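Review bot: `gnomeclock_dbus_chat($1_t)` on the new line targets `$1_t`, while the alsa and devicekit calls converted in this same hunk use `$1_usertype`; if the usertype attribute is meant to cover every domain of the role, only the base user domain will be able to talk to gnomeclock over D-Bus. The restriction may be deliberate, so either change the line to `gnomeclock_dbus_chat($1_usertype)` or add a comment explaining why it stays on `$1_t`. The enclosing template (apparently `userdom_common_user_template`) starts and ends outside this hunk, and the nested header count change (`+961,43`) matches the ten net added lines.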
@@ -30141,7 +30165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -954,8 +1021,8 @@
+@@ -954,8 +1031,8 @@
# Declarations
#
@@ -30151,7 +30175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -964,11 +1031,12 @@
+@@ -964,11 +1041,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -30166,7 +30190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1054,55 @@
+@@ -986,37 +1064,55 @@
')
')
@@ -30236,7 +30260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -1050,7 +1136,7 @@
+@@ -1050,7 +1146,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -30245,7 +30269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1059,8 +1145,7 @@
+@@ -1059,8 +1155,7 @@
#
# Inherit rules for ordinary users.
@@ -30255,7 +30279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1168,8 @@
+@@ -1083,7 +1178,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -30265,7 +30289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1099,6 +1185,7 @@
+@@ -1099,6 +1195,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -30273,7 +30297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,8 +1193,6 @@
+@@ -1106,8 +1203,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -30282,7 +30306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1247,6 @@
+@@ -1162,20 +1257,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -30303,7 +30327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1292,7 @@
+@@ -1221,6 +1302,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -30311,7 +30335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1358,15 @@
+@@ -1286,11 +1368,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -30327,7 +30351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1387,7 +1463,7 @@
+@@ -1387,7 +1473,7 @@
########################################
##
@@ -30336,7 +30360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1420,6 +1496,14 @@
+@@ -1420,6 +1506,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -30351,7 +30375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1435,9 +1519,11 @@
+@@ -1435,9 +1529,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -30363,7 +30387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1494,6 +1580,25 @@
+@@ -1494,6 +1590,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -30389,7 +30413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create directories in the home dir root with
-@@ -1568,6 +1673,8 @@
+@@ -1568,6 +1683,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -30398,7 +30422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1643,6 +1750,7 @@
+@@ -1643,6 +1760,7 @@
type user_home_dir_t, user_home_t;
')
@@ -30406,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,30 +1849,80 @@
+@@ -1741,30 +1859,80 @@
########################################
##
@@ -30497,7 +30521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1787,6 +1945,46 @@
+@@ -1787,6 +1955,46 @@
########################################
##
@@ -30544,7 +30568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files
## in a user home subdirectory.
##
-@@ -1799,6 +1997,7 @@
+@@ -1799,6 +2007,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -30552,7 +30576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2527,7 @@
+@@ -2328,7 +2537,7 @@
########################################
##
@@ -30561,7 +30585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2682,16 +2881,17 @@
+@@ -2682,11 +2891,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -30573,35 +30597,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_list_home($1)
- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Send general signals to unprivileged user domains.
-+## List users home directories.
- ##
- ##
- ##
-@@ -2699,12 +2899,32 @@
- ##
- ##
- #
--interface(`userdom_signal_unpriv_users',`
-+interface(`userdom_list_user_home_content',`
- gen_require(`
-- attribute unpriv_userdomain;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
-
-- allow $1 unpriv_userdomain:process signal;
-+ files_list_home($1)
-+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
+')
+
+########################################
+##
-+## Send general signals to unprivileged user domains.
++## List users home directories.
+##
+##
+##
@@ -30609,16 +30609,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+##
+#
-+interface(`userdom_signal_unpriv_users',`
++interface(`userdom_list_user_home_content',`
+ gen_require(`
-+ attribute unpriv_userdomain;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
-+ allow $1 unpriv_userdomain:process signal;
++ files_list_home($1)
++ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
')
########################################
-@@ -2814,7 +3034,25 @@
+@@ -2814,7 +3044,25 @@
type user_tmp_t;
')
@@ -30645,7 +30647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2851,6 +3089,7 @@
+@@ -2851,6 +3099,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@@ -30653,7 +30655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -2981,3 +3220,481 @@
+@@ -2981,3 +3230,481 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 02f6305..bd8a784 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.19
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -295,7 +295,7 @@ Summary: SELinux targeted base policy
Provides: selinux-policy-base
Group: System Environment/Base
Obsoletes: selinux-policy-targeted-sources < 2
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: audispd-plugins <= 1.7.7-1
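Review bot: Switching the base-policy subpackages from `policycoreutils` to `policycoreutils-python` as a Requires(pre) is explained nowhere in the diff or the changelog. Presumably a %pre/%post scriptlet now calls a tool shipped in the python subpackage (semanage, for instance), but that scriptlet is outside this diff; a comment beside the Requires line such as `# policycoreutils-python supplies the tool used by the install scriptlets`, naming the actual tool, would tie the dependency to its consumer. The same change is repeated in the minimum, olpc and mls sections below, so one note there suffices.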
@@ -381,7 +381,7 @@ exit 0
Summary: SELinux minimum base policy
Provides: selinux-policy-base
Group: System Environment/Base
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
@@ -415,7 +415,7 @@ exit 0
Summary: SELinux olpc base policy
Group: System Environment/Base
Provides: selinux-policy-base
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
@@ -446,7 +446,7 @@ Group: System Environment/Base
Provides: selinux-policy-base
Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
@@ -473,6 +473,9 @@ exit 0
%endif
%changelog
+* Tue Jun 23 2009 Dan Walsh 3.6.19-3
+- Allow kpropd to create tmp files
+
* Tue Jun 23 2009 Dan Walsh 3.6.19-2
- Fix last duplicate /var/log/rpmpkgs