diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index da42381..67579c4 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -249,7 +249,7 @@ allow_nsplugin_execmem=true
 # Allow unconfined domain to transition to confined domain
 #
-allow_unconfined_nsplugin_transition=false
+allow_unconfined_nsplugin_transition=true
 # System uses init upstart program
 #
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 967a530..a90e16b 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1024,6 +1024,13 @@ nsplugin = module
 #
 modemmanager = module
+# Layer: services
+# Module: mpd
+#
+# mpd - daemon for playing music
+#
+mpd = module
+
 # Layer: apps
 # Module: mplayer
 #
@@ -1345,6 +1352,13 @@ rgmanager = module
 clogd = module
 # Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
 # Module: rhgb
 #
 # X windows login display manager
diff --git a/modules-mls.conf b/modules-mls.conf
index 86a4270..6caf71e 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2042,6 +2042,13 @@ rgmanager = module
 clogd = module
 # Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
 # Module: ricci
 #
 # policy for ricci
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 967a530..a90e16b 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1024,6 +1024,13 @@ nsplugin = module
 #
 modemmanager = module
+# Layer: services
+# Module: mpd
+#
+# mpd - daemon for playing music
+#
+mpd = module
+
 # Layer: apps
 # Module: mplayer
 #
@@ -1345,6 +1352,13 @@ rgmanager = module
 clogd = module
 # Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
 # Module: rhgb
 #
 # X windows login display manager
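Review bot: The default of `allow_unconfined_nsplugin_transition` flips from false to true in booleans-targeted.conf, but the comment above it still reads as a neutral description and nothing in the hunk records why the shipped default changed, so a reader of the file sees a new default with no context. Going by the name this makes unconfined users' browser plugins run in the confined nsplugin domain rather than inheriting unconfined — confirm — and that is worth one line next to the setting, e.g. `# default changed to true: plugins of unconfined users now transition to the confined nsplugin domain (see <bug placeholder>)`. Whether the mls and minimum boolean files need the same change is not visible in this diff.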
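Review bot: The cmirrord description line added to modules-minimum.conf has two spelling errors, `device-mapper-base` and `shared-storege`, and the same line is added to modules-mls.conf and modules-targeted.conf in this diff. Suggested text for all three: `# cmirrord - daemon providing device-mapper-based mirrors in a shared-storage cluster`. modules-minimum.conf and modules-targeted.conf carry identical blob ids (967a530..a90e16b), so a follow-up fix has to be applied to both files to keep them in sync.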
diff --git a/policy-F14.patch b/policy-F14.patch index fbd2a85..fe28793 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -4790,16 +4790,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut optional_policy(` dbus_system_bus_client(podsleuth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.8.1/policy/modules/apps/pulseaudio.fc ---- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2010-03-29 15:04:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/apps/pulseaudio.fc 2010-05-26 16:28:29.000000000 -0400 -@@ -3,5 +3,6 @@ - - /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) - -+/var/lib/mpd(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) - /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) - /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.8.1/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-03-29 15:04:22.000000000 -0400 +++ serefpolicy-3.8.1/policy/modules/apps/pulseaudio.if 2010-05-26 16:28:29.000000000 -0400 @@ -4881,7 +4871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.8.1/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/apps/pulseaudio.te 2010-05-28 11:59:46.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/apps/pulseaudio.te 2010-06-02 14:24:19.000000000 -0400 @@ -41,6 +41,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) 
@@ -4890,16 +4880,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -78,7 +79,7 @@ +@@ -77,8 +78,8 @@ + files_read_etc_files(pulseaudio_t) files_read_usr_files(pulseaudio_t) - fs_rw_anon_inodefs_files(pulseaudio_t) --fs_getattr_tmpfs(pulseaudio_t) -+fs_read_tmpfs_files(pulseaudio_t) +-fs_rw_anon_inodefs_files(pulseaudio_t) + fs_getattr_tmpfs(pulseaudio_t) ++fs_rw_anon_inodefs_files(pulseaudio_t) fs_list_inotifyfs(pulseaudio_t) term_use_all_ttys(pulseaudio_t) -@@ -128,6 +129,7 @@ +@@ -122,12 +123,17 @@ + ') + + optional_policy(` ++ mpd_read_tmpfs_files(pulseaudio_t) ++') ++ ++optional_policy(` + policykit_domtrans_auth(pulseaudio_t) + policykit_read_lib(pulseaudio_t) + policykit_read_reload(pulseaudio_t) ') optional_policy(` @@ -4907,7 +4908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud udev_read_db(pulseaudio_t) ') -@@ -138,3 +140,7 @@ +@@ -138,3 +144,7 @@ xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -6646,7 +6647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/kernel/corenetwork.te.in 2010-05-26 16:57:15.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/kernel/corenetwork.te.in 2010-06-02 12:58:06.000000000 -0400 @@ -25,6 +25,7 @@ # type tun_tap_device_t; 
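Review bot: `mpd_read_tmpfs_files(pulseaudio_t)` in the new optional_policy block may not reach the files it names: as defined in the mpd.if hunk of this diff, the interface searches with `files_search_var_lib($1)` and `mpd_search_lib($1)`, but `mpd_tmpfs_t` is created via `fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file)` on tmpfs, not under /var/lib, so the caller still has no search permission on the tmpfs directory unless it already holds it from elsewhere. The two search calls in `mpd_read_tmpfs_files` should be replaced with `fs_search_tmpfs($1)`, which is what `cmirrord_rw_shm` in this diff already does for its tmpfs type. The pulseaudio.te file continues beyond this hunk.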
@@ -6708,7 +6709,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(kismet, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) -@@ -141,7 +150,7 @@ +@@ -138,10 +147,11 @@ + network_port(memcache, tcp,11211,s0, udp,11211,s0) + network_port(mmcc, tcp,5050,s0, udp,5050,s0) + network_port(monopd, tcp,1234,s0) ++network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) network_port(munin, tcp,4949,s0, udp,4949,s0) @@ -6717,7 +6722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) -@@ -155,12 +164,20 @@ +@@ -155,12 +165,20 @@ network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -6738,7 +6743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -184,15 +201,17 @@ +@@ -184,15 +202,17 @@ network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) @@ -6757,7 +6762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -205,13 +224,13 @@ +@@ -205,13 +225,13 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
@@ -6775,8 +6780,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.8.1/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/kernel/devices.fc 2010-05-26 16:28:29.000000000 -0400 -@@ -108,6 +108,7 @@ ++++ serefpolicy-3.8.1/policy/modules/kernel/devices.fc 2010-06-02 14:38:27.000000000 -0400 +@@ -70,6 +70,7 @@ + /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) + /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) ++/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) + /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) +@@ -108,10 +109,12 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) @@ -6784,7 +6797,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -163,6 +164,7 @@ + ') ++/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +@@ -163,6 +166,7 @@ /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) 
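Review bot: The new `/dev/vhost-net` entry is inserted ahead of `/dev/vbi.*`, which breaks the alphabetical order the neighbouring devices.fc lines appear to follow (vbi, vbox, vga_arbiter); it belongs after `/dev/vga_arbiter`. The hunk also labels `/dev/net/vhost` with the same type, while the devices.te hunk's comment mentions only `/dev/vhost-net`; if the kernel and udev rules in use create only `/dev/vhost-net`, the `/dev/net/vhost` entry never matches and should be dropped or its origin noted in a comment. The diff itself gives no indication which of the two paths exists on the target systems.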
@@ -6792,7 +6810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -186,3 +188,8 @@ +@@ -186,3 +190,8 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -6803,7 +6821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.1/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/kernel/devices.if 2010-05-26 16:28:29.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/kernel/devices.if 2010-06-02 13:55:33.000000000 -0400 @@ -1015,6 +1015,42 @@ ######################################## 
@@ -6930,9 +6948,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## +@@ -3986,6 +4077,26 @@ + + ######################################## + ## ++## Allow read/write the vhost net device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_vhost',` ++ gen_require(` ++ type vhost_device_t; ++ ') ++ ++ list_dirs_pattern($1, vhost_device_t, vhost_device_t) ++ rw_files_pattern($1, vhost_device_t, vhost_device_t) ++ read_lnk_files_pattern($1, vhost_device_t, vhost_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of video4linux devices. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.8.1/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/kernel/devices.te 2010-05-26 16:28:29.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/kernel/devices.te 2010-06-02 13:36:34.000000000 -0400 @@ -101,6 +101,7 @@ # type kvm_device_t; @@ -6941,7 +6986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # # Type for /dev/lirc -@@ -239,6 +240,12 @@ +@@ -239,6 +240,18 @@ dev_node(usb_device_t) # @@ -6951,10 +6996,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +dev_node(usbmon_device_t) + +# ++# vhost_device_t is the type for /dev/vhost-net ++# ++type vhost_device_t; ++dev_node(vhost_device_t) ++ ++# # userio_device_t is the type for /dev/uio[0-9]+ # type userio_device_t; -@@ -289,5 +296,6 @@ +@@ -289,5 +302,6 @@ # allow devices_unconfined_type self:capability sys_rawio; 
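Review bot: `dev_rw_vhost` uses `rw_files_pattern`, which grants permissions on the `file` class, but both device nodes receive `vhost_device_t` with `-c` in the devices.fc hunk, i.e. they are `chr_file` objects, so a caller still cannot open /dev/vhost-net; the `list_dirs_pattern` and `read_lnk_files_pattern` lines likewise target a type that is only ever applied to device nodes. Replace the three pattern lines with `rw_chr_files_pattern($1, device_t, vhost_device_t)` and widen the require to `type device_t, vhost_device_t;`, the form the existing dev_rw_* interfaces such as dev_rw_kvm take. The summary line could read `Read and write the vhost net device.` to match house style. Both `dev_rw_vhost(virtd_t)` and `dev_rw_vhost(virt_domain)` in the virt.te hunks are affected until this is fixed.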
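Review bot: The new `vhost_device_t` declaration in devices.te sits between `usbmon_device_t` and `userio_device_t`, while the surrounding declarations appear to be alphabetical, so it should move after `userio_device_t`. The comment `# vhost_device_t is the type for /dev/vhost-net` also omits `/dev/net/vhost`, which the devices.fc hunk labels with the same type; either the comment lists both paths or the extra fc entry goes.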
@@ -7071,7 +7122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.8.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/kernel/domain.te 2010-05-26 16:28:29.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/kernel/domain.te 2010-06-02 15:33:31.000000000 -0400 @@ -5,6 +5,21 @@ # # Declarations @@ -7147,15 +7198,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain libs_use_ld_so(domain) libs_use_shared_libs(domain) ') -@@ -118,6 +149,7 @@ +@@ -118,6 +149,8 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_append_xdm_home_files(domain) ++ xserver_dontaudit_write_log(domain) ') ######################################## -@@ -136,6 +168,8 @@ +@@ -136,6 +169,8 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -7164,7 +7216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +187,79 @@ +@@ -153,3 +188,79 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) 
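Review bot: `xserver_dontaudit_write_log(domain)` is attached to the `domain` attribute, so a denied write to the X server log by any confined domain on the system is silenced from the audit log; that is a system-wide loss of visibility, not one limited to xdm-launched processes, and nothing in the hunk explains it. If the intent is to cover a log descriptor leaked by xdm to its children, say so next to the rule, e.g. `# xdm passes its log fd to children; silence the write denial rather than grant it — confirm`, and consider closing the leak at its source instead. The optional_policy block is fully inside the hunk; the rest of domain.te is not.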
@@ -11590,7 +11642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/services/apache.if 2010-05-26 16:28:29.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/services/apache.if 2010-06-02 12:13:47.000000000 -0400 @@ -13,17 +13,13 @@ # template(`apache_content_template',` 
@@ -13766,6 +13818,199 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.8.1/policy/modules/services/cmirrord.fc +--- nsaserefpolicy/policy/modules/services/cmirrord.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.1/policy/modules/services/cmirrord.fc 2010-06-02 12:58:17.000000000 -0400 +@@ -0,0 +1,6 @@ ++ ++/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) ++ ++/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) ++ ++/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.1/policy/modules/services/cmirrord.if +--- nsaserefpolicy/policy/modules/services/cmirrord.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.1/policy/modules/services/cmirrord.if 2010-06-02 13:04:24.000000000 -0400 +@@ -0,0 +1,118 @@ ++ ++## policy for cmirrord ++ ++######################################## ++## ++## Execute a domain transition to run cmirrord. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cmirrord_domtrans',` ++ gen_require(` ++ type cmirrord_t, cmirrord_exec_t; ++ ') ++ ++ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) ++') ++ ++######################################## ++## ++## Execute cmirrord server in the cmirrord domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cmirrord_initrc_domtrans',` ++ gen_require(` ++ type cmirrord_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read cmirrord PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`cmirrord_read_pid_files',` ++ gen_require(` ++ type cmirrord_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 cmirrord_var_run_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Read and write to cmirrord shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cmirrord_rw_shm',` ++ gen_require(` ++ type cmirrord_t; ++ type cmirrord_tmpfs_t; ++ ') ++ ++ allow $1 cmirrord_t:shm { rw_shm_perms destroy }; ++ allow $1 cmirrord_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ fs_search_tmpfs($1) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an cmirrord environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`cmirrord_admin',` ++ gen_require(` ++ type cmirrord_t; ++ type cmirrord_initrc_exec_t; ++ type cmirrord_var_run_t; ++ ') ++ ++ allow $1 cmirrord_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, cmirrord_t) ++ ++ cmirrord_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 cmirrord_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_pids($1) ++ admin_pattern($1, cmirrord_var_run_t) ++ ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.8.1/policy/modules/services/cmirrord.te +--- nsaserefpolicy/policy/modules/services/cmirrord.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.1/policy/modules/services/cmirrord.te 2010-06-02 13:03:39.000000000 -0400 +@@ -0,0 +1,57 @@ ++ ++policy_module(cmirrord,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type cmirrord_t; ++type cmirrord_exec_t; ++init_daemon_domain(cmirrord_t, 
cmirrord_exec_t) ++ ++permissive cmirrord_t; ++ ++type cmirrord_initrc_exec_t; ++init_script_file(cmirrord_initrc_exec_t) ++ ++type cmirrord_tmpfs_t; ++files_tmpfs_file(cmirrord_tmpfs_t) ++ ++type cmirrord_var_run_t; ++files_pid_file(cmirrord_var_run_t) ++ ++######################################## ++# ++# cmirrord local policy ++# ++ ++allow cmirrord_t self:capability { net_admin kill }; ++allow cmirrord_t self:process signal; ++ ++allow cmirrord_t self:fifo_file rw_fifo_file_perms; ++ ++allow cmirrord_t self:sem create_sem_perms; ++allow cmirrord_t self:shm create_shm_perms; ++allow cmirrord_t self:netlink_socket create_socket_perms; ++allow cmirrord_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) ++manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) ++files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file }) ++ ++domain_use_interactive_fds(cmirrord_t) ++ ++files_read_etc_files(cmirrord_t) ++ ++logging_send_syslog_msg(cmirrord_t) ++ ++miscfiles_read_localization(cmirrord_t) ++ ++optional_policy(` ++ corosync_stream_connect(cmirrord_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.1/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-05-25 16:28:22.000000000 -0400 +++ serefpolicy-3.8.1/policy/modules/services/cobbler.te 2010-06-01 16:55:15.000000000 -0400 
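Review bot: cmirrord.te declares `permissive cmirrord_t;`, which means every denial for the new domain is logged but not enforced, so the rules below it are advisory until that line is removed; the mpd.te hunk later in this diff does the same with `permissive mpd_t;`. Both should carry a tracking comment such as `# TODO: drop permissive once the domain has been run in enforcing mode (bug <placeholder>)`. `allow cmirrord_t self:capability { net_admin kill };` grants net_admin without explanation — if it is needed only for the `netlink_socket` rule a few lines down, a one-line note to that effect would keep it from being widened later. In `cmirrord_admin` the summary reads `an cmirrord environment` (should be `a cmirrord environment`) and the body ends with a stray blank line before `')`.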
@@ -13877,7 +14122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.1/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/services/corosync.te 2010-05-26 16:28:29.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/services/corosync.te 2010-06-02 12:58:17.000000000 -0400 @@ -33,8 +33,8 @@ # corosync local policy # @@ -13925,6 +14170,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro userdom_rw_user_tmpfs_files(corosync_t) optional_policy(` +@@ -91,6 +97,10 @@ + ') + + optional_policy(` ++ cmirrord_rw_shm(corosync_t) ++') ++ ++optional_policy(` + # to communication with RHCS + rhcs_rw_dlm_controld_semaphores(corosync_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.1/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400 +++ serefpolicy-3.8.1/policy/modules/services/cron.fc 2010-05-26 16:28:29.000000000 -0400 
@@ -16318,6 +16574,383 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode +optional_policy(` udev_read_db(modemmanager_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.8.1/policy/modules/services/mpd.fc +--- nsaserefpolicy/policy/modules/services/mpd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.1/policy/modules/services/mpd.fc 2010-06-02 13:02:37.000000000 -0400 +@@ -0,0 +1,9 @@ ++ ++/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) ++ ++/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) ++ ++/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) ++/var/lib/mpd/mpd\.log -- gen_context(system_u:object_r:mpd_log_t,s0) ++/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) ++/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.8.1/policy/modules/services/mpd.if +--- nsaserefpolicy/policy/modules/services/mpd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.1/policy/modules/services/mpd.if 2010-06-02 14:24:05.000000000 -0400 +@@ -0,0 +1,249 @@ ++ ++## policy for daemon for playing music ++ ++######################################## ++## ++## Execute a domain transition to run mpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mpd_domtrans',` ++ gen_require(` ++ type mpd_t, mpd_exec_t; ++ ') ++ ++ domtrans_pattern($1, mpd_exec_t, mpd_t) ++') ++ ++ ++######################################## ++## ++## Execute mpd server in the mpd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_initrc_domtrans',` ++ gen_require(` ++ type mpd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, mpd_initrc_exec_t) ++') ++ ++####################################### ++## ++## Read mpd data files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_read_data_files',` ++ gen_require(` ++ type mpd_data_t; ++ ') ++ ++ files_search_var_lib($1) ++ mpd_search_lib($1) ++ read_files_pattern($1, mpd_data_t, mpd_data_t) ++') ++ ++####################################### ++## ++## Read mpd tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_read_tmpfs_files',` ++ gen_require(` ++ type mpd_tmpfs_t; ++ ') ++ ++ files_search_var_lib($1) ++ mpd_search_lib($1) ++ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++') ++ ++###################################### ++## ++## Manage mpd data files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_manage_data_files',` ++ gen_require(` ++ type mpd_data_t; ++ ') ++ ++ files_search_var_lib($1) ++ mpd_search_lib($1) ++ manage_files_pattern($1, mpd_data_t, mpd_data_t) ++') ++ ++######################################## ++## ++## Search mpd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_search_lib',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ allow $1 mpd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read mpd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_read_lib_files',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## mpd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_manage_lib_files',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++') ++ ++####################################### ++## ++## Create an object in the root directory, with a private ++## type using a type transition. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++# ++interface(`mpd_var_lib_filetrans',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, mpd_var_lib_t, $2, $3) ++') ++ ++######################################## ++## ++## Manage mpd lib dirs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_manage_lib_dirs',` ++ gen_require(` ++ type mpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mpd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`mpd_admin',` ++ gen_require(` ++ type mpd_t; ++ type mpd_initrc_exec_t; ++ type mpd_data_t; ++ type mpd_log_t; ++ type mpd_var_lib_t; ++ ') ++ ++ allow $1 mpd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, mpd_t) ++ ++ mpd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 mpd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, mpd_var_lib_t) ++ ++ mpd_search_lib($1) ++ admin_pattern($1, mpd_data_t) ++ ++ admin_pattern($1, mpd_log_t) ++ ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.8.1/policy/modules/services/mpd.te +--- nsaserefpolicy/policy/modules/services/mpd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.1/policy/modules/services/mpd.te 2010-06-02 13:02:18.000000000 -0400 +@@ -0,0 +1,107 @@ ++ ++policy_module(mpd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mpd_t; ++type mpd_exec_t; ++init_daemon_domain(mpd_t, mpd_exec_t) ++ ++permissive mpd_t; ++ ++type mpd_initrc_exec_t; 
++init_script_file(mpd_initrc_exec_t) ++ ++type mpd_data_t; ++files_type(mpd_data_t) ++ ++type mpd_log_t; ++logging_log_file(mpd_log_t) ++ ++type mpd_tmp_t; ++files_tmp_file(mpd_tmp_t) ++ ++type mpd_tmpfs_t; ++files_tmpfs_file(mpd_tmpfs_t) ++ ++type mpd_var_lib_t; ++files_type(mpd_var_lib_t) ++ ++######################################## ++# ++# mpd local policy ++# ++ ++allow mpd_t self:capability { kill setgid setuid }; ++allow mpd_t self:process { getsched setsched setrlimit signal signull }; ++ ++allow mpd_t self:fifo_file rw_fifo_file_perms; ++allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow mpd_t self:tcp_socket create_stream_socket_perms; ++allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; ++ ++manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) ++manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) ++mpd_var_lib_filetrans(mpd_t, mpd_data_t, { dir file }) ++ ++append_files_pattern(mpd_t, mpd_log_t, mpd_log_t) ++ ++manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) ++manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) ++manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) ++files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) ++ ++manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) ++manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) ++fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file ) ++ ++manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) ++manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) ++manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) ++files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) ++ ++kernel_read_system_state(mpd_t) ++kernel_read_kernel_sysctls(mpd_t) ++ ++corecmd_exec_bin(mpd_t) ++ ++corenet_sendrecv_pulseaudio_client_packets(mpd_t) ++corenet_tcp_connect_http_port(mpd_t) ++corenet_tcp_connect_pulseaudio_port(mpd_t) ++corenet_tcp_bind_mpd_port(mpd_t) 
++corenet_tcp_bind_soundd_port(mpd_t) ++ ++dev_read_sysfs(mpd_t) ++ ++files_read_etc_files(mpd_t) ++files_read_usr_files(mpd_t) ++ ++fs_getattr_tmpfs(mpd_t) ++fs_list_inotifyfs(mpd_t) ++fs_rw_anon_inodefs_files(mpd_t) ++ ++auth_use_nsswitch(mpd_t) ++ ++logging_send_syslog_msg(mpd_t) ++ ++miscfiles_read_localization(mpd_t) ++ ++userdom_read_user_tmpfs_files(mpd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(mpd_t) ++') ++ ++optional_policy(` ++ pulseaudio_exec(mpd_t) ++ pulseaudio_stream_connect(mpd_t) ++ pulseaudio_signull(mpd_t) ++') ++ ++optional_policy(` ++ udev_read_db(mpd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.1/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500 +++ serefpolicy-3.8.1/policy/modules/services/mta.fc 2010-05-26 16:28:29.000000000 -0400 @@ -18466,6 +19099,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.8.1/policy/modules/services/psad.te +--- nsaserefpolicy/policy/modules/services/psad.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/services/psad.te 2010-06-02 08:22:34.000000000 -0400 +@@ -86,6 +86,7 @@ + dev_read_urand(psad_t) + + files_read_etc_runtime_files(psad_t) ++files_read_usr_files(psad_t) + + fs_getattr_all_fs(psad_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.8.1/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-02-12 10:33:09.000000000 -0500 +++ serefpolicy-3.8.1/policy/modules/services/puppet.te 2010-05-27 10:25:33.000000000 -0400 
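Review bot: `mpd_var_lib_filetrans(mpd_t, mpd_data_t, { dir file })` makes every file or directory mpd_t creates inside an `mpd_var_lib_t` directory come out as `mpd_data_t`, yet mpd.fc labels `/var/lib/mpd/mpd\.log` as `mpd_log_t` and only the music and playlists subtrees as `mpd_data_t`, so a log the daemon recreates itself would be `mpd_data_t` and `append_files_pattern(mpd_t, mpd_log_t, mpd_log_t)` would not cover it — unless mpd never creates files directly in /var/lib/mpd, which the diff does not show. That assumption should be stated in a comment next to the filetrans, or the log kept out of the transitioned directory. The summary of `mpd_var_lib_filetrans` still says `Create an object in the root directory`, copied from the generic template; it should read `Create an object in mpd lib directories`. `fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )` has a stray space before the closing paren.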
@@ -21061,6 +21705,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.8.1/policy/modules/services/sysstat.te +--- nsaserefpolicy/policy/modules/services/sysstat.te 2010-05-25 16:28:22.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/services/sysstat.te 2010-06-02 12:14:05.000000000 -0400 +@@ -69,3 +69,8 @@ + optional_policy(` + logging_send_syslog_msg(sysstat_t) + ') ++ ++optional_policy(` ++ nscd_socket_use(sysstat_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.8.1/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2010-05-25 16:28:22.000000000 -0400 +++ serefpolicy-3.8.1/policy/modules/services/tgtd.te 2010-05-26 16:28:29.000000000 -0400 @@ -21316,7 +21972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.1/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/services/virt.te 2010-05-27 11:28:59.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/services/virt.te 2010-06-02 13:40:05.000000000 -0400 @@ -51,12 +51,12 @@ virt_domain_template(svirt) role system_r types svirt_t; 
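Review bot: The sysstat.te hunk adds an empty line after the closing `')` of the new optional_policy block, leaving a trailing blank line at the end of the file (the inner header `+@@ -69,3 +69,8 @@` counts five added lines, only four of which carry content); drop the final `++` line. The block itself matches the optional_policy style of the lines above it.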
@@ -21425,7 +22081,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) logging_log_filetrans(virtd_t, virt_log_t, { file dir }) -@@ -252,21 +270,36 @@ +@@ -248,25 +266,41 @@ + dev_rw_kvm(virtd_t) + dev_getattr_all_chr_files(virtd_t) + dev_rw_mtrr(virtd_t) ++dev_rw_vhost(virtd_t) + # Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) @@ -21465,7 +22126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) -@@ -291,15 +324,22 @@ +@@ -291,15 +325,22 @@ logging_send_syslog_msg(virtd_t) @@ -21488,7 +22149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -370,6 +410,7 @@ +@@ -370,6 +411,7 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -21496,7 +22157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -407,6 +448,19 @@ +@@ -407,6 +449,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -21516,7 +22177,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -445,6 +499,11 @@ +@@ -434,6 +489,7 @@ + dev_rw_ksm(virt_domain) + dev_rw_kvm(virt_domain) + dev_rw_qemu(virt_domain) ++dev_rw_vhost(virt_domain) + + domain_use_interactive_fds(virt_domain) + +@@ -445,6 +501,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) 
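Review bot: `++dev_rw_vhost(virtd_t)` here and `++dev_rw_vhost(virt_domain)` in the later virt.te hunk on this same line depend on a `dev_rw_vhost` interface in devices.if and a label for the vhost device node in devices.fc, neither of which appears in this chunk; if they are not elsewhere in the patch the virt module will not build. The virt_domain grant reaches every confined guest, so if libvirtd (virtd_t) opens the device and hands qemu the descriptor, the second grant may be wider than the denial that motivated it requires; worth confirming against that AVC before landing. A short comment above each call naming the feature that needs the vhost device (presumably vhost-net for guest NICs) would record why the access is required.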
@@ -21528,7 +22197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -462,8 +521,13 @@ +@@ -462,8 +523,13 @@ ') optional_policy(` @@ -21690,7 +22359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/services/xserver.if 2010-05-27 15:12:11.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/services/xserver.if 2010-06-02 15:33:07.000000000 -0400 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -22290,7 +22959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/services/xserver.te 2010-05-27 10:18:22.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/services/xserver.te 2010-06-02 15:32:34.000000000 -0400 @@ -36,6 +36,13 @@ ## @@ -23095,8 +23764,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1103,7 @@ - allow xserver_t xdm_var_lib_t:file { getattr read }; +@@ -808,10 +1100,10 @@ + + # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open + # handle of a file inside the dir!!! +-allow xserver_t xdm_var_lib_t:file { getattr read }; ++allow xserver_t xdm_var_lib_t:file read_file_perms; dontaudit xserver_t xdm_var_lib_t:dir search; -allow xserver_t xdm_var_run_t:file read_file_perms; 
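Review bot: The inner xserver.te change from `{ getattr read }` to `read_file_perms` on `xserver_t xdm_var_lib_t:file` widens the rule to include `open` (refpolicy's read_file_perms set also adds `lock` and `ioctl`), which contradicts the comment kept directly above it saying xserver_t only gets access to an already-open handle of a file in that directory. Because the `dontaudit xserver_t xdm_var_lib_t:dir search` line still stands, path-based opens remain denied in practice, but rule and comment now disagree; either keep the explicit set as `allow xserver_t xdm_var_lib_t:file { getattr read ioctl lock };` or rewrite the comment to state that open is permitted while directory search is not. The hunk's last context line appears to be a blank lost in this rendering, so the tail of the hunk is inferred.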
diff --git a/selinux-policy.spec b/selinux-policy.spec index 840c798..5bfb64c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.8.1 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,7 +469,11 @@ exit 0 %endif %changelog -* Mon Jun 1 2010 Dan Walsh 3.8.1-4 +* Wed Jun 2 2010 Dan Walsh 3.8.1-5 +- Add xdm_var_run_t to xserver_stream_connect_xdm +- Add cmorrord and mpd policy from Miroslav Grepl + +* Tue Jun 1 2010 Dan Walsh 3.8.1-4 - Fix sshd creation of krb cc files for users to be user_tmp_t * Thu May 27 2010 Dan Walsh 3.8.1-3