From 08b890455e8cfe1954df5407dc2faa041454ce51 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 23 Dec 2009 18:39:12 +0000 Subject: [PATCH] - Cleanups from dgrift --- policy-F13.patch | 168 ++++++++++++++++++++++++++++++++------------ selinux-policy.spec | 2 +- 2 files changed, 124 insertions(+), 46 deletions(-) diff --git a/policy-F13.patch b/policy-F13.patch index 2f48355e..e046ad87 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -4657,8 +4657,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.5/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/apps/sambagui.te 2009-12-21 13:07:09.000000000 -0500 -@@ -0,0 +1,60 @@ ++++ serefpolicy-3.7.5/policy/modules/apps/sambagui.te 2009-12-23 12:39:59.000000000 -0500 +@@ -0,0 +1,61 @@ +policy_module(sambagui,1.0.0) + +######################################## @@ -4675,6 +4675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +# system-config-samba local policy +# + ++allow sambagui_t self:capability dac_override; +allow sambagui_t self:fifo_file rw_fifo_file_perms; +allow sambagui_t self:unix_dgram_socket create_socket_perms; + @@ -4952,8 +4953,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.5/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-21 14:43:49.000000000 -0500 -@@ -0,0 +1,340 @@ ++++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-23 12:55:41.000000000 -0500 +@@ -0,0 +1,342 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
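Review bot: `allow sambagui_t self:capability dac_override;` in the sambagui.te hunk is added with no comment saying which operation of system-config-samba needs to bypass DAC permission checks, so a later reader cannot tell whether the rule is still required or how wide it really is. If the tool only needs to read or traverse files it does not own, the narrower `dac_read_search` (already used for dovecot_t elsewhere in this patch) would be preferable. Otherwise a one-line comment above the rule naming the access it resolves, e.g. `# dac_override: <placeholder: operation from the motivating AVC denial>`, would keep it auditable.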
@@ -5196,6 +5197,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_web_client_t self:dbus { acquire_svc send_msg }; +allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms; + ++kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t) ++ +dev_read_rand(sandbox_web_client_t) + +# Browse the web, connect to printer @@ -6455,7 +6458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib/nfs/rpc_pipefs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.5/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2009-12-23 12:48:27.000000000 -0500 @@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -6969,7 +6972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-23 07:46:46.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-23 08:58:51.000000000 -0500 @@ -906,7 +906,7 @@ type cifs_t; ') 
@@ -7014,7 +7017,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################### ## ## Read named sockets on a NFS filesystem. -@@ -4181,3 +4200,175 @@ +@@ -3684,6 +3703,24 @@ + + ######################################## + ## ++## Search the XENFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_search_xenfs',` ++ gen_require(` ++ type xenfs_t; ++ ') ++ ++ allow $1 xenfs_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## Mount a XENFS filesystem. + ## + ## +@@ -4181,3 +4218,175 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -12576,7 +12604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.5/policy/modules/services/cgroup.fc --- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/cgroup.fc 2009-12-22 11:06:28.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/cgroup.fc 2009-12-23 13:32:50.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0) +/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0) 
@@ -14100,7 +14128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.5/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/cups.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/cups.te 2009-12-23 12:11:21.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -14162,7 +14190,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) -@@ -250,6 +262,7 @@ +@@ -191,6 +203,7 @@ + + fs_getattr_all_fs(cupsd_t) + fs_search_auto_mountpoints(cupsd_t) ++fs_search_fusefs(cupsd_t) + fs_read_anon_inodefs_files(cupsd_t) + + mls_file_downgrade(cupsd_t) +@@ -250,6 +263,7 @@ miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) @@ -14170,7 +14206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -317,6 +330,10 @@ +@@ -317,6 +331,10 @@ ') optional_policy(` @@ -14181,7 +14217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups udev_read_db(cupsd_t) ') -@@ -327,7 +344,7 @@ +@@ -327,7 +345,7 @@ allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; 
@@ -14190,7 +14226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -378,6 +395,8 @@ +@@ -378,6 +396,8 @@ dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -14199,7 +14235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -407,6 +426,7 @@ +@@ -407,6 +427,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -14207,7 +14243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(cupsd_config_t) -@@ -419,12 +439,15 @@ +@@ -419,12 +440,15 @@ ') optional_policy(` @@ -14225,7 +14261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +469,10 @@ +@@ -446,6 +470,10 @@ ') optional_policy(` @@ -14236,7 +14272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups rpm_read_db(cupsd_config_t) ') -@@ -457,6 +484,10 @@ +@@ -457,6 +485,10 @@ udev_read_db(cupsd_config_t) ') @@ -14247,7 +14283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # Cups lpd support -@@ -542,6 +573,8 @@ +@@ -542,6 +574,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) 
@@ -14256,7 +14292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +589,15 @@ +@@ -556,11 +590,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -14272,7 +14308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +638,9 @@ +@@ -601,6 +639,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14282,7 +14318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +667,7 @@ +@@ -627,6 +668,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -14954,7 +14990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.5/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/dovecot.te 2009-12-22 15:39:45.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/dovecot.te 2009-12-23 12:49:57.000000000 -0500 @@ -56,7 +56,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; 
@@ -14964,10 +15000,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; -@@ -73,8 +73,9 @@ +@@ -73,8 +73,14 @@ can_exec(dovecot_t, dovecot_exec_t) ++# Allow dovecot to create and read SSL parameters file ++manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) ++files_search_var_lib(dovecot_t) ++files_read_var_symlinks(dovecot_t) ++ +manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) @@ -14975,7 +15016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -103,6 +104,7 @@ +@@ -103,6 +109,7 @@ dev_read_urand(dovecot_t) fs_getattr_all_fs(dovecot_t) @@ -14983,7 +15024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) -@@ -142,6 +144,10 @@ +@@ -142,6 +149,10 @@ ') optional_policy(` @@ -14994,7 +15035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -159,7 +165,7 @@ +@@ -159,7 +170,7 @@ # allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; 
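Review bot: The comment `# Allow dovecot to create and read SSL parameters file` describes less than the rule beneath it grants: `manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)` also allows write, unlink, rename and setattr on every file of that type. If full management is intended (for example regenerating the parameters file in place) the comment should say so; if only create and read are needed, a create rule plus `rw_files_pattern`, or a read pattern, on dovecot_var_lib_t would match the comment. The matching removal of this block from the dovecot_auth_t section is in the next hunk of this file, so the two belong together.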
@@ -15003,6 +15044,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; +@@ -172,11 +183,6 @@ + manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) + files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) + +-# Allow dovecot to create and read SSL parameters file +-manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) +-files_search_var_lib(dovecot_t) +-files_read_var_symlinks(dovecot_t) +- + allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; + manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) + dovecot_stream_connect_auth(dovecot_auth_t) +@@ -197,9 +203,9 @@ + files_search_pids(dovecot_auth_t) + files_read_usr_files(dovecot_auth_t) + files_read_usr_symlinks(dovecot_auth_t) ++files_read_var_lib_files(dovecot_auth_t) + files_search_tmp(dovecot_auth_t) +-files_read_var_lib_files(dovecot_t) +- ++files_search_var_log(dovecot_auth_t) + init_rw_utmp(dovecot_auth_t) + + miscfiles_read_localization(dovecot_auth_t) @@ -220,15 +226,23 @@ ') @@ -16761,7 +16826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ## Send a generic signal to MySQL. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.5/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2009-12-23 12:06:39.000000000 -0500 @@ -1,6 +1,13 @@ policy_module(mysql, 1.11.1) 
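Review bot: `files_read_var_lib_files(dovecot_auth_t)` grants dovecot_auth_t read on every generic var_lib_t file, not just dovecot's own state; the line it replaces gave the same wide access to dovecot_t, and the new target inherits that breadth without a comment saying what under /var/lib the auth helper actually reads. If it is the SSL-parameters file that the previous hunk places under dovecot_var_lib_t, `files_search_var_lib(dovecot_auth_t)` plus a read pattern on dovecot_var_lib_t would be narrower. `files_search_var_log(dovecot_auth_t)` is likewise added with no comment; a short `# <placeholder: denied path>` above each rule would let both be re-audited later.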
@@ -16788,7 +16853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ifdef(`distro_redhat',` # because Fedora has the sock_file in the database directory type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; -@@ -131,20 +143,22 @@ +@@ -131,20 +143,24 @@ # Local mysqld_safe policy # @@ -16806,6 +16871,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq domain_read_all_domains_state(mysqld_safe_t) ++files_dontaudit_search_all_mountpoints(mysqld_safe_t) ++ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) kernel_read_system_state(mysqld_safe_t) @@ -19336,7 +19403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.5/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/policykit.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/policykit.te 2009-12-23 12:07:18.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -19354,7 +19421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli policykit_domtrans_auth(policykit_t) -@@ -57,32 +58,52 @@ +@@ -57,10 +58,14 @@ manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -19363,12 +19430,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli files_read_etc_files(policykit_t) files_read_usr_files(policykit_t) - -+fs_list_inotifyfs(policykit_t) ++files_dontaudit_search_all_mountpoints(policykit_t) + ++fs_list_inotifyfs(policykit_t) + auth_use_nsswitch(policykit_t) - logging_send_syslog_msg(policykit_t) +@@ -68,21 +73,38 @@ miscfiles_read_localization(policykit_t) 
@@ -19411,7 +19479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -92,21 +113,25 @@ +@@ -92,21 +114,25 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -19440,7 +19508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +144,14 @@ +@@ -119,6 +145,14 @@ hal_read_state(policykit_auth_t) ') @@ -19455,7 +19523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ######################################## # # polkit_grant local policy -@@ -126,7 +159,8 @@ +@@ -126,7 +160,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -19465,7 +19533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +190,12 @@ +@@ -156,9 +191,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -19479,7 +19547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +207,8 @@ +@@ -170,7 +208,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; 
@@ -26477,7 +26545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.5/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-22 09:44:04.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-23 09:07:52.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -26903,12 +26971,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser logging_read_generic_logs(xdm_t) -+miscfiles_manage_fonts_cache(xserver_t) +miscfiles_search_man_pages(xdm_t) miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) - -sysnet_read_config(xdm_t) ++miscfiles_manage_fonts_cache(xdm_t) +miscfiles_manage_localization(xdm_t) +miscfiles_read_hwdata(xdm_t) @@ -28945,7 +29013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. +permissive kdump_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-23 07:33:05.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-23 12:43:23.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -29161,7 +29229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,10 +316,114 @@ +@@ -307,10 +316,115 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) 
@@ -29276,6 +29344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500 @@ -34735,7 +34804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.5/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/system/xen.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/xen.te 2009-12-23 08:58:19.000000000 -0500 @@ -85,6 +85,7 @@ type xenconsoled_t; type xenconsoled_exec_t; @@ -34752,7 +34821,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_fixed_disk(xend_t) storage_raw_write_fixed_disk(xend_t) -@@ -421,6 +423,12 @@ +@@ -340,6 +342,8 @@ + + files_read_usr_files(xenstored_t) + ++fs_search_xenfs(xenstored_t) ++ + storage_raw_read_fixed_disk(xenstored_t) + storage_raw_write_fixed_disk(xenstored_t) + storage_raw_read_removable_device(xenstored_t) +@@ -421,6 +425,12 @@ xen_stream_connect_xenstore(xm_t) optional_policy(` 
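Review bot: The new file-context regex `/usr/local/games/darwinia/lib/libSDL.*\.so.*` matches more than it should: `.*` also matches `/`, so anything below a `libSDL*` subdirectory is labelled too, and the trailing `.so.*` matches any name containing `.so` (such as `libSDL.so.txt`), all as textrel_shlib_t, the type that permits text relocations (execmod) on whatever it covers. The other entries in this section bound the version suffix (the mailman entry uses `\.so(\..*)?`). `/usr/local/games/darwinia/lib/libSDL[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` keeps the match to regular files in that directory whose name ends in a .so version suffix.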
@@ -34765,7 +34843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te virt_manage_images(xm_t) virt_stream_connect(xm_t) ') -@@ -438,6 +446,8 @@ +@@ -438,6 +448,8 @@ fs_manage_xenfs_dirs(xm_ssh_t) fs_manage_xenfs_files(xm_ssh_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d8c087e3..477bcd3c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,4 +1,4 @@ -t%define distro redhat +%define distro redhat %define polyinstatiate n %define monolithic n %if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}