diff --git a/policy-20090105.patch b/policy-20090105.patch
index 2ea9a76..25f4405 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -782,7 +782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-24 13:45:16.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-27 11:01:26.000000000 -0400
@@ -11,8 +11,8 @@
init_daemon_domain(readahead_t, readahead_exec_t)
application_domain(readahead_t, readahead_exec_t)
@@ -808,7 +808,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
files_pid_filetrans(readahead_t, readahead_var_run_t, file)
-@@ -58,6 +60,7 @@
+@@ -46,6 +48,7 @@
+ storage_raw_read_fixed_disk(readahead_t)
+
+ domain_use_interactive_fds(readahead_t)
++domain_read_all_domains_state(readahead_t)
+
+ files_dontaudit_getattr_all_sockets(readahead_t)
+ files_list_non_security(readahead_t)
+@@ -58,6 +61,7 @@
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
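Review bot: `domain_read_all_domains_state(readahead_t)` grants a boot-time prefetch daemon read access to the /proc state of every domain on the system, a broad cross-domain disclosure interface, and neither this hunk nor the changelog hunk in selinux-policy.spec (which lists only the virt_content_t and rpm_script_tmp_t changes) says which denial it answers. If readahead merely stumbles over /proc while walking the filesystem and does not need the reads to succeed, a dontaudit form of the interface would be the tighter choice; if the access is functionally required, a one-line comment above it such as `# TODO(review): record why readahead needs all-domain /proc state` would let the next reviewer judge the grant. The same changelog omission applies to the milter.fc and spamassassin.te hunks below. The enclosing readahead.te rule block continues outside the hunk.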
@@ -816,7 +824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
-@@ -72,6 +75,7 @@
+@@ -72,6 +76,7 @@
init_getattr_initctl(readahead_t)
logging_send_syslog_msg(readahead_t)
@@ -5184,7 +5192,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-27 11:30:40.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -5255,7 +5263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
-@@ -153,3 +172,45 @@
+@@ -153,3 +172,46 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5280,6 +5288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rpm_rw_pipes(domain)
+ rpm_dontaudit_use_script_fds(domain)
+ rpm_dontaudit_write_pid_files(domain)
++ rpm_read_script_tmp_files(domain)
+')
+
+optional_policy(`
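Review bot: `rpm_read_script_tmp_files(domain)` extends read access on rpm_script_tmp_t to every domain in the policy, so whatever a package scriptlet redirects into a temporary file (generated configuration, values copied during post-install) is readable by all confined domains for as long as the file exists. The changelog explains the trigger as shell redirection, which suggests the concrete need is the descriptor a scriptlet's shell hands to the program it spawns rather than opening the file by name; if that is the case it is worth confirming that the existing `rpm_dontaudit_use_script_fds(domain)` two lines above does not already cover the observed denial before widening by-name access to the whole `domain` attribute. If the broad grant is intended, a comment recording the decision, `# scriptlet shell redirection creates rpm_script_tmp_t files that spawned domains must read`, would keep the rationale next to the rule. The enclosing optional_policy block starts outside the hunk.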
@@ -14839,8 +14848,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 10:00:53.000000000 -0400
-@@ -1,6 +1,8 @@
++++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 11:46:55.000000000 -0400
+@@ -1,6 +1,9 @@
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
@@ -14849,6 +14858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
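Review bot: The added file context `/var/lib/miltermilter.*` has no path separator between the two `milter` tokens, so it reads like a concatenation typo; as written it never matches anything under `/var/lib/milter/` and instead matches any path beginning with `/var/lib/miltermilter`, which would make the new label silently inapplicable to the intended files. Please confirm the intended path, and since the neighbouring entries use `(/.*)?` for directory trees, whether the bare `.*` tail is meant here. It is also worth confirming that spamass_milter_state_t, rather than a milter-regex type, is the intended label for a path that is not under the spamass-milter directory.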
@@ -21885,7 +21895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-24 08:31:39.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-27 11:45:25.000000000 -0400
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -21982,7 +21992,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -255,9 +308,15 @@
+@@ -239,6 +292,7 @@
+ corenet_sendrecv_all_client_packets(spamc_t)
+
+ fs_search_auto_mountpoints(spamc_t)
++fs_list_inotifyfs(spamc_t)
+
+ # cjp: these should probably be removed:
+ corecmd_list_bin(spamc_t)
+@@ -255,9 +309,15 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -21998,7 +22016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -265,13 +324,16 @@
+@@ -265,13 +325,16 @@
sysnet_read_config(spamc_t)
@@ -22022,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -280,16 +342,21 @@
+@@ -280,16 +343,21 @@
')
optional_policy(`
@@ -22046,7 +22064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -301,7 +368,7 @@
+@@ -301,7 +369,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -22055,7 +22073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -317,10 +384,13 @@
+@@ -317,10 +385,13 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -22070,7 +22088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +399,11 @@
+@@ -329,10 +400,11 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -22083,7 +22101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +453,27 @@
+@@ -382,22 +454,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -22115,7 +22133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_manage_cifs_files(spamd_t)
')
-@@ -415,6 +491,7 @@
+@@ -415,6 +492,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -22123,7 +22141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -424,10 +501,6 @@
+@@ -424,10 +502,6 @@
')
optional_policy(`
@@ -22134,7 +22152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
postfix_read_config(spamd_t)
')
-@@ -442,6 +515,10 @@
+@@ -442,6 +516,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -22145,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -454,5 +531,9 @@
+@@ -454,5 +532,9 @@
')
optional_policy(`
@@ -23420,7 +23438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-27 11:40:19.000000000 -0400
@@ -8,19 +8,24 @@
##
@@ -23449,7 +23467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -29,8 +34,12 @@
+@@ -29,8 +34,13 @@
files_type(virt_etc_rw_t)
# virt Image files
@@ -23461,10 +23479,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# virt Image files
+type virt_content_t;
+virtual_image(virt_content_t)
++userdom_user_home_content(virt_content_t)
type virt_log_t;
logging_log_file(virt_log_t)
-@@ -48,17 +57,39 @@
+@@ -48,17 +58,39 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
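Review bot: `userdom_user_home_content(virt_content_t)` turns VM image files into ordinary user home content, so any user domain able to manage its home directory can now create and modify virt_content_t images that virtd, a domain that elsewhere in this file carries `kernel_load_module(virtd_t)`, opens on the user's behalf; the changelog presents this as a deliberate decision, but nothing at the type declaration records that these images are now user-controlled input. A comment above the type, `# user-writable home content: virtd must treat these images as untrusted input`, would keep that trust boundary visible to later edits of this file. The hunk header's line count change (+12 to +13) is consistent with the single added line.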
@@ -23506,7 +23525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -67,7 +98,11 @@
+@@ -67,7 +99,11 @@
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -23519,7 +23538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +121,7 @@
+@@ -86,6 +122,7 @@
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_load_module(virtd_t)
@@ -23527,7 +23546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -96,7 +132,7 @@
+@@ -96,7 +133,7 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -23536,7 +23555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
-@@ -104,21 +140,39 @@
+@@ -104,21 +141,39 @@
dev_read_sysfs(virtd_t)
dev_read_rand(virtd_t)
@@ -23577,7 +23596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_getattr_pty_fs(virtd_t)
term_use_ptmx(virtd_t)
-@@ -129,6 +183,13 @@
+@@ -129,6 +184,13 @@
logging_send_syslog_msg(virtd_t)
@@ -23591,7 +23610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_read_all_users_state(virtd_t)
tunable_policy(`virt_use_nfs',`
-@@ -167,22 +228,34 @@
+@@ -167,22 +229,34 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -23631,7 +23650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -198,5 +271,80 @@
+@@ -198,5 +272,80 @@
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ec354f6..e6aaa9d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,10 @@ exit 0
%endif
%changelog
+* Mon Apr 27 2009 Dan Walsh 3.6.12-21
+- Allow confined users to manace virt_content_t, since this is home dir content
+- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
+
* Mon Apr 27 2009 Dan Walsh 3.6.12-20
- Fix labeling on /var/lib/misc/prelink*
- Allow xserver to rw_shm_perms with all x_clients