diff --git a/.cvsignore b/.cvsignore
index 1cdef7f..fa83ea7 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -206,3 +206,8 @@ serefpolicy-3.7.12.tgz
serefpolicy-3.7.13.tgz
serefpolicy-3.7.14.tgz
serefpolicy-3.7.15.tgz
+serefpolicy-3.7.16.tgz
+serefpolicy-3.7.17.tgz
+serefpolicy-3.7.18.tgz
+serefpolicy-3.7.19.tgz
+serefpolicy-3.8.1.tgz
diff --git a/customizable_types b/customizable_types
index dbe706b..0edf31e 100644
--- a/customizable_types
+++ b/customizable_types
@@ -1,3 +1,4 @@
+sandbox_file_t
svirt_image_t
virt_content_t
httpd_user_htaccess_t
@@ -6,3 +7,4 @@ httpd_user_content_ra_t
httpd_user_content_rw_t
httpd_user_content_t
git_session_content_t
+home_bin_t
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 117ca3f..967a530 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -12,6 +12,13 @@
#
# Layer: admin
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
# Module: acct
#
# Berkeley process accounting
@@ -181,6 +188,13 @@ boinc = module
bind = module
# Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
# Module: dnsmasq
#
# A lightweight DHCP and caching DNS server.
@@ -1155,6 +1169,13 @@ pcmcia = base
pegasus = module
# Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
@@ -1239,6 +1260,13 @@ pyzor = module
#
qmail = module
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
# Layer: admin
# Module: quota
#
@@ -1679,6 +1707,13 @@ vhostmd = module
#
wine = module
+# Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
# Layer: admin
# Module: tzdata
#
@@ -2078,18 +2113,18 @@ guest = module
xguest = module
# Layer: services
-# Module: courier
+# Module: cgroup
#
-# IMAP and POP3 email servers
+# Tools and libraries to control and monitor control groups
#
-courier = module
+cgroup = module
# Layer: services
-# Module: cgroup
+# Module: courier
#
-# Tools and libraries to control and monitor control groups
+# IMAP and POP3 email servers
#
-cgroup = module
+courier = module
# Layer: services
# Module: denyhosts
diff --git a/modules-mls.conf b/modules-mls.conf
index 236334f..86a4270 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -12,6 +12,13 @@
#
# Layer: admin
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
# Module: acct
#
# Berkeley process accounting
@@ -160,6 +167,13 @@ boinc = module
bind = module
# Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
# Module: dnsmasq
#
# A lightweight DHCP and caching DNS server.
@@ -1093,6 +1107,13 @@ pcmcia = base
pegasus = module
# Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
@@ -1169,7 +1190,6 @@ pulseaudio = module
#
pyzor = module
-
# Layer: services
# Module: qmail
#
@@ -1177,6 +1197,13 @@ pyzor = module
#
qmail = module
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
# Layer: admin
# Module: quota
#
@@ -1483,7 +1510,6 @@ sudo = base
#
sysnetwork = base
-
# Layer: services
# Module: sysstat
#
@@ -1773,6 +1799,13 @@ portreserve = module
rpcbind = module
# Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
+# Layer: apps
# Module: vmware
#
# VMWare Workstation virtual machines
@@ -1926,6 +1959,13 @@ guest = module
xguest = module
# Layer: services
+# Module: cgroup
+#
+# Tools and libraries to control and monitor control groups
+#
+cgroup = module
+
+# Layer: services
# Module: courier
#
# IMAP and POP3 email servers
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 117ca3f..967a530 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -12,6 +12,13 @@
#
# Layer: admin
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
# Module: acct
#
# Berkeley process accounting
@@ -181,6 +188,13 @@ boinc = module
bind = module
# Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
# Module: dnsmasq
#
# A lightweight DHCP and caching DNS server.
@@ -1155,6 +1169,13 @@ pcmcia = base
pegasus = module
# Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
@@ -1239,6 +1260,13 @@ pyzor = module
#
qmail = module
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
# Layer: admin
# Module: quota
#
@@ -1679,6 +1707,13 @@ vhostmd = module
#
wine = module
+# Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
# Layer: admin
# Module: tzdata
#
@@ -2078,18 +2113,18 @@ guest = module
xguest = module
# Layer: services
-# Module: courier
+# Module: cgroup
#
-# IMAP and POP3 email servers
+# Tools and libraries to control and monitor control groups
#
-courier = module
+cgroup = module
# Layer: services
-# Module: cgroup
+# Module: courier
#
-# Tools and libraries to control and monitor control groups
+# IMAP and POP3 email servers
#
-cgroup = module
+courier = module
# Layer: services
# Module: denyhosts
diff --git a/nsadiff b/nsadiff
index 115cf3c..bdd7655 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.15 > /tmp/diff
+diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.8.1 > /tmp/diff
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3b87b5f..656b09b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,12 +19,12 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.7.15
+Version: 3.8.1
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
-patch: policy-F13.patch
+patch: policy-F14.patch
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
@@ -96,7 +96,9 @@ SELinux policy documentation package
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
%check
-/usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null
+if /usr/sbin/selinuxenabled; then
+/usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null
+fi
%define makeCmds() \
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \
@@ -314,6 +316,7 @@ Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts: audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
+Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: seedit
%description targeted
@@ -466,6 +469,222 @@ exit 0
%endif
%changelog
+* Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-1
+- Update to upstream
+
+* Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-22
+- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
+- Fix /var/run/abrtd.lock label
+
+* Mon May 24 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-21
+- Allow login programs to read krb5_home_t
+Resolves: 594833
+- Add obsoletes for cachefilesfd-selinux package
+Resolves: #575084
+
+* Thu May 20 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-20
+- Allow mount to r/w abrt fifo file
+- Allow svirt_t to getattr on hugetlbfs
+- Allow abrt to create a directory under /var/spool
+
+* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-19
+- Add labels for /sys
+- Allow sshd to getattr on shutdown
+- Fixes for munin
+- Allow sssd to use the kernel key ring
+- Allow tor to send syslog messages
+- Allow iptabels to read usr files
+- allow policykit to read all domains state
+
+* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-17
+- Fix path for /var/spool/abrt
+- Allow nfs_t as an entrypoint for http_sys_script_t
+- Add policy for piranha
+- Lots of fixes for sosreport
+
+* Wed May 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-16
+- Allow xm_t to read network state and get and set capabilities
+- Allow policykit to getattr all processes
+- Allow denyhosts to connect to tcp port 9911
+- Allow pyranha to use raw ip sockets and ptrace itself
+- Allow unconfined_execmem_t and gconfsd mechanism to dbus
+- Allow staff to kill ping process
+- Add additional MLS rules
+
+* Mon May 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-15
+- Allow gdm to edit ~/.gconf dir
+Resolves: #590677
+- Allow dovecot to create directories in /var/lib/dovecot
+Partially resolves 590224
+- Allow avahi to dbus chat with NetworkManager
+- Fix cobbler labels
+- Dontaudit iceauth_t leaks
+- fix /var/lib/lxdm file context
+- Allow aiccu to use tun tap devices
+- Dontaudit shutdown using xserver.log
+
+* Fri May 6 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-14
+- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
+- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
+- Add dontaudit interface for bluetooth dbus
+- Add chronyd_read_keys, append_keys for initrc_t
+- Add log support for ksmtuned
+Resolves: #586663
+
+* Thu May 6 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-13
+- Allow boinc to send mail
+
+* Wed May 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-12
+- Allow initrc_t to remove dhcpc_state_t
+- Fix label on sa-update.cron
+- Allow dhcpc to restart chrony initrc
+- Don't allow sandbox to send signals to its parent processes
+- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
+Resolves: #589136
+
+* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-11
+- Fix location of oddjob_mkhomedir
+Resolves: #587385
+- fix labeling on /root/.shosts and ~/.shosts
+- Allow ipsec_mgmt_t to manage net_conf_t
+Resolves: #586760
+
+* Fri Apr 30 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-10
+- Dontaudit sandbox trying to connect to netlink sockets
+Resolves: #587609
+- Add policy for piranha
+
+* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-9
+- Fixups for xguest policy
+- Fixes for running sandbox firefox
+
+* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-8
+- Allow ksmtuned to use terminals
+Resolves: #586663
+- Allow lircd to write to generic usb devices
+
+* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-7
+- Allow sandbox_xserver to connectto unconfined stream
+Resolves: #585171
+
+* Mon Apr 26 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-6
+- Allow initrc_t to read slapd_db_t
+Resolves: #585476
+- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf
+Resolves: #585963
+
+* Thu Apr 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-5
+- Allow rlogind_t to search /root for .rhosts
+Resolves: #582760
+- Fix path for cached_var_t
+- Fix prelink paths /var/lib/prelink
+- Allow confined users to direct_dri
+- Allow mls lvm/cryptosetup to work
+
+* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-4
+- Allow virtd_t to manage firewall/iptables config
+Resolves: #573585
+
+* Tue Apr 20 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-3
+- Fix label on /root/.rhosts
+Resolves: #582760
+- Add labels for Picasa
+- Allow openvpn to read home certs
+- Allow plymouthd_t to use tty_device_t
+- Run ncftool as iptables_t
+- Allow mount to unmount unlabeled_t
+- Dontaudit hal leaks
+
+* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-2
+- Allow livecd to transition to mount
+
+* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.19-1
+- Update to upstream
+- Allow abrt to delete sosreport
+Resolves: #579998
+- Allow snmp to setuid and gid
+Resolves: #582155
+- Allow smartd to use generic scsi devices
+Resolves: #582145
+
+* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-3
+- Allow ipsec_t to create /etc/resolv.conf with the correct label
+- Fix reserved port destination
+- Allow autofs to transition to showmount
+- Stop crashing tuned
+
+* Mon Apr 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-2
+- Add telepathysofiasip policy
+
+* Mon Apr 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.18-1
+- Update to upstream
+- Fix label for /opt/google/chrome/chrome-sandbox
+- Allow modemmanager to dbus with policykit
+
+* Mon Apr 5 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-6
+- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t)
+- Allow accountsd to read shadow file
+- Allow apache to send audit messages when using pam
+- Allow asterisk to bind and connect to sip tcp ports
+- Fixes for dovecot 2.0
+- Allow initrc_t to setattr on milter directories
+- Add procmail_home_t for .procmailrc file
+
+
+* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-5
+- Fixes for labels during install from livecd
+
+* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-4
+- Fix /cgroup file context
+- Fix broken afs use of unlabled_t
+- Allow getty to use the console for s390
+
+* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-3
+- Fix cgroup handling adding policy for /cgroup
+- Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set
+
+* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-2
+- Merge patches from dgrift
+
+* Mon Mar 29 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-1
+- Update upstream
+- Allow abrt to write to the /proc under any process
+
+* Fri Mar 26 2010 Dan Walsh <dwalsh@redhat.com> 3.7.16-2
+ - Fix ~/.fontconfig label
+- Add /root/.cert label
+- Allow reading of the fixed_file_disk_t:lnk_file if you can read file
+- Allow qemu_exec_t as an entrypoint to svirt_t
+
+* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.16-1
+- Update to upstream
+- Allow tmpreaper to delete sandbox sock files
+- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems
+- Fixes for gitosis
+- No transition on livecd to passwd or chfn
+- Fixes for denyhosts
+
+* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-4
+- Add label for /var/lib/upower
+- Allow logrotate to run sssd
+- dontaudit readahead on tmpfs blk files
+- Allow tmpreaper to setattr on sandbox files
+- Allow confined users to execute dos files
+- Allow sysadm_t to kill processes running within its clearance
+- Add accountsd policy
+- Fixes for corosync policy
+- Fixes from crontab policy
+- Allow svirt to manage svirt_image_t chr files
+- Fixes for qdisk policy
+- Fixes for sssd policy
+- Fixes for newrole policy
+
+* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-3
+- make libvirt work on an MLS platform
+
+* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-2
+- Add qpidd policy
+
* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-1
- Update to upstream
diff --git a/sources b/sources
index f23a132..da283cf 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
4c7d323036f1662a06a7a4f2a7da57a5 config.tgz
-aaaf54fcfe4fe4e0a906dca6c21fa7ed serefpolicy-3.7.15.tgz
+d9c54ebb76f5d986974def003ef2189d serefpolicy-3.8.1.tgz