- Fix fusefs handling

- Do not allow sandbox to manage nsplugin_rw_t - Allow mozilla_plugin_t to connecto its parent - Allow init_t to connect to plymouthd running as kernel_t - Add mediawiki policy - dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs. - Disable transition from dbus_session_domain to telepathy for F14 - Allow boinc_project to use shm - Allow certmonger to search through directories that contain certs - Allow fail2ban the DAC Override so it can read log files owned by non root users
2010-10-07 09:19:43 -04:00 · 2010-10-07 09:19:43 -04:00 · 0daa8b731a
commit 0daa8b731a
parent f73c8ed42e
3 changed files with 314 additions and 102 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -938,13 +938,6 @@ lircd = module
 # 
 lvm = base
 # Layer: admin
 # Module: mcelog
 #
 # Policy for mcelog.
 # 
 mcelog = base
 # Layer: services
 # Module: mailman
 #
@ -952,6 +945,13 @@ mcelog = base
 # 
 mailman = module
 # Layer: admin
 # Module: mcelog
 #
 # Policy for mcelog.
 # 
 mcelog = base
 # Layer: kernel
 # Module: mcs
 # Required in base
@ -960,6 +960,13 @@ mailman = module
 # 
 mcs = base
 # Layer: apps
 # Module: mediawiki
 #
 # mediawiki
 # 
 mediawiki = module
 # Layer: system
 # Module: miscfiles
 #
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -1733,14 +1733,16 @@ index c35d801..b1a841a 100644
 mta_manage_spool(useradd_t)
 diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
-index a870982..6542902 100644
+index a870982..6067b85 100644
 --- a/policy/modules/admin/vpn.te
 +++ b/policy/modules/admin/vpn.te
-@@ -107,6 +107,7 @@ sysnet_manage_config(vpnc_t)
+@@ -106,7 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 userdom_use_all_users_fds(vpnc_t)
- userdom_dontaudit_search_user_home_content(vpnc_t)
+-userdom_dontaudit_search_user_home_content(vpnc_t)
 +userdom_read_home_certs(vpnc_t)
 +userdom_search_admin_dir(vpnc_t)
 optional_policy(`
 	dbus_system_bus_client(vpnc_t)
@ -3629,6 +3631,109 @@ index 49abe8e..47a193c 100644
 ')
 optional_policy(`
 diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc
 new file mode 100644
 index 0000000..bf872ef
 --- /dev/null
 +++ b/policy/modules/apps/mediawiki.fc
@@ -0,0 +1,10 @@
 +
 +/usr/lib(64)?/mediawiki/math/texvc	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)	
 +/usr/lib(64)?/mediawiki/math/texvc_tex --      gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
 +/usr/lib(64)?/mediawiki/math/texvc_tes --      gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
 +
 +/var/www/wiki(/.*)?		  gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
 +
 +/var/www/wiki/.*\.php    --           gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
 +
 +/usr/share/mediawiki(/.*)?	  gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
 diff --git a/policy/modules/apps/mediawiki.if b/policy/modules/apps/mediawiki.if
 new file mode 100644
 index 0000000..1c1d012
 --- /dev/null
 +++ b/policy/modules/apps/mediawiki.if
@@ -0,0 +1,40 @@
 +## <summary>Mediawiki policy</summary>
 +
 +#######################################
 +## <summary>
 +##      Allow the specified domain to read
 +##      mediawiki tmp files.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
 +interface(`mediawiki_read_tmp_files',`
 +        gen_require(`
 +                type httpd_mediawiki_tmp_t;
 +        ')
 +
 +        files_search_tmp($1)
 +        read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
 +	read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
 +')
 +
 +#######################################
 +## <summary>
 +##      Delete mediawiki tmp files.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
 +interface(`mediawiki_delete_tmp_files',`
 +        gen_require(`
 +                type httpd_mediawiki_tmp_t;
 +        ')
 +
 +        delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
 +')
 diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te
 new file mode 100644
 index 0000000..b7f569d
 --- /dev/null
 +++ b/policy/modules/apps/mediawiki.te
@@ -0,0 +1,35 @@
 +
 +policy_module(mediawiki, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +apache_content_template(mediawiki)
 +
 +type httpd_mediawiki_tmp_t;
 +files_tmp_file(httpd_mediawiki_tmp_t)
 +
 +permissive httpd_mediawiki_script_t;
 +
 +########################################
 +#
 +# mediawiki local policy
 +#
 +
 +manage_dirs_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
 +manage_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
 +manage_lnk_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
 +files_tmp_filetrans(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, { file dir lnk_file })
 +
 +files_search_var_lib(httpd_mediawiki_script_t)
 +
 +userdom_read_user_tmp_files(httpd_mediawiki_script_t)
 +
 +miscfiles_read_tetex_data(httpd_mediawiki_script_t)
 +
 +optional_policy(`
 +	apache_dontaudit_rw_tmp_files(httpd_mediawiki_script_t)
 +')
 +
 diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
 index 7b08e13..9c9e6c1 100644
 --- a/policy/modules/apps/mono.if
@ -3673,7 +3778,7 @@ index 93ac529..aafece7 100644
 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..dfac7cc 100644
+index 9a6d67d..b0c1197 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@ -3732,7 +3837,7 @@ index 9a6d67d..dfac7cc 100644
 ##	Execmod mozilla home directory content.
 ## </summary>
 ## <param name="domain">
-@@ -168,6 +194,69 @@ interface(`mozilla_domtrans',`
+@@ -168,6 +194,70 @@ interface(`mozilla_domtrans',`
 ########################################
 ## <summary>
@ -3777,6 +3882,7 @@ index 9a6d67d..dfac7cc 100644
 +
 +	mozilla_domtrans_plugin($1)
 +	role $2 types mozilla_plugin_t;
 +	allow $1 mozilla_plugin_t:unix_stream_socket connectto;
 +')
 +
 +########################################
@ -5678,10 +5784,10 @@ index 0000000..587c440
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..2251b02
+index 0000000..89fcce3
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,407 @@
+@@ -0,0 +1,408 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@ -5836,6 +5942,8 @@ index 0000000..2251b02
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +
 +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
 +dontaudit sandbox_x_domain self:process signal;
 +
 +allow sandbox_x_domain self:shm create_shm_perms;
 +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
 +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
@ -6047,7 +6155,6 @@ index 0000000..2251b02
 +optional_policy(`
 +	nsplugin_read_rw_files(sandbox_web_type)
 +	nsplugin_rw_exec(sandbox_web_type)
 +	nsplugin_manage_rw(sandbox_web_type)
 +')
 +
 +optional_policy(`
@ -7129,7 +7236,7 @@ index 82842a0..369c3b5 100644
 		dbus_system_bus_client($1_wm_t)
 		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..46af2a4 100644
+index 0eb1d97..217bd0d 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -9,8 +9,11 @@
@ -7233,7 +7340,15 @@ index 0eb1d97..46af2a4 100644
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
+@@ -248,6 +273,7 @@ ifdef(`distro_gentoo',`
 /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/texmf/texconfig/tcfmgr --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@@ -314,6 +340,7 @@ ifdef(`distro_redhat', `
 /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@ -7241,7 +7356,7 @@ index 0eb1d97..46af2a4 100644
 ')
 ifdef(`distro_suse', `
-@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +367,27 @@ ifdef(`distro_suse', `
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -12714,7 +12829,7 @@ index 9e39aa5..8603d4d 100644
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..ba64143 100644
+index c9e1a44..6918ff2 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@ -12974,7 +13089,35 @@ index c9e1a44..ba64143 100644
 ##	Apache cache.
 ## </summary>
 ## <param name="domain">
-@@ -694,7 +730,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -544,6 +580,27 @@ interface(`apache_delete_cache_files',`
 ########################################
 ## <summary>
 +##	Allow the specified domain to search
 +##	apache configuration dirs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`apache_search_config',`
 +	gen_require(`
 +		type httpd_config_t;
 +	')
 +
 +	files_search_etc($1)
 +	allow $1 httpd_config_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
 ##	Allow the specified domain to read
 ##	apache configuration files.
 ## </summary>
@@ -694,7 +751,7 @@ interface(`apache_dontaudit_append_log',`
 		type httpd_log_t;
 	')
@ -12983,7 +13126,7 @@ index c9e1a44..ba64143 100644
 ')
 ########################################
-@@ -740,6 +776,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -740,6 +797,25 @@ interface(`apache_dontaudit_search_modules',`
 ########################################
 ## <summary>
@ -13009,7 +13152,7 @@ index c9e1a44..ba64143 100644
 ##	Allow the specified domain to list
 ##	the contents of the apache modules
 ##	directory.
-@@ -756,6 +811,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +832,7 @@ interface(`apache_list_modules',`
 	')
 	allow $1 httpd_modules_t:dir list_dir_perms;
@ -13017,7 +13160,7 @@ index c9e1a44..ba64143 100644
 ')
 ########################################
-@@ -814,6 +870,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +891,7 @@ interface(`apache_list_sys_content',`
 	')
 	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@ -13025,7 +13168,7 @@ index c9e1a44..ba64143 100644
 	files_search_var($1)
 ')
-@@ -841,6 +898,74 @@ interface(`apache_manage_sys_content',`
+@@ -841,6 +919,74 @@ interface(`apache_manage_sys_content',`
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 ')
@ -13100,7 +13243,7 @@ index c9e1a44..ba64143 100644
 ########################################
 ## <summary>
 ##	Execute all web scripts in the system
-@@ -857,7 +982,11 @@ interface(`apache_manage_sys_content',`
+@@ -857,7 +1003,11 @@ interface(`apache_manage_sys_content',`
 interface(`apache_domtrans_sys_script',`
 	gen_require(`
 		attribute httpdcontent;
@ -13113,7 +13256,7 @@ index c9e1a44..ba64143 100644
 	')
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -916,9 +1045,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -916,9 +1066,10 @@ interface(`apache_domtrans_all_scripts',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -13125,7 +13268,7 @@ index c9e1a44..ba64143 100644
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
-@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -945,7 +1096,7 @@ interface(`apache_read_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
@ -13134,7 +13277,7 @@ index c9e1a44..ba64143 100644
 ')
 ########################################
-@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1237,25 @@ interface(`apache_read_tmp_files',`
 	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
 ')
@ -13160,7 +13303,7 @@ index c9e1a44..ba64143 100644
 ########################################
 ## <summary>
 ##	Dontaudit attempts to write
-@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1272,7 @@ interface(`apache_dontaudit_write_tmp_files',`
 		type httpd_tmp_t;
 	')
@ -13169,7 +13312,7 @@ index c9e1a44..ba64143 100644
 ')
 ########################################
-@@ -1165,17 +1314,14 @@ interface(`apache_cgi_domain',`
+@@ -1165,17 +1335,14 @@ interface(`apache_cgi_domain',`
 #
 interface(`apache_admin',`
 	gen_require(`
@ -13191,7 +13334,7 @@ index c9e1a44..ba64143 100644
 	ps_process_pattern($1, httpd_t)
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1186,10 +1332,10 @@ interface(`apache_admin',`
+@@ -1186,10 +1353,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
@ -13204,7 +13347,7 @@ index c9e1a44..ba64143 100644
 	admin_pattern($1, httpd_log_t)
 	admin_pattern($1, httpd_modules_t)
-@@ -1200,14 +1346,41 @@ interface(`apache_admin',`
+@@ -1200,14 +1367,41 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
@ -13252,7 +13395,7 @@ index c9e1a44..ba64143 100644
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
 ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..411a3ff 100644
+index 08dfa0c..410ff39 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@ -13555,7 +13698,13 @@ index 08dfa0c..411a3ff 100644
 # File Type of squirrelmail attachments
 type squirrelmail_spool_t;
 files_tmp_file(squirrelmail_spool_t)
-@@ -286,6 +369,7 @@ allow httpd_t self:udp_socket create_socket_perms;
+@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow httpd_t self:tcp_socket create_stream_socket_perms;
 allow httpd_t self:udp_socket create_socket_perms;
 +dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
 # Allow httpd_t to put files in /var/cache/httpd etc
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@ -13563,7 +13712,7 @@ index 08dfa0c..411a3ff 100644
 # Allow the httpd_t to read the web servers config files
 allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +439,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +440,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@ -13571,7 +13720,7 @@ index 08dfa0c..411a3ff 100644
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +450,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,8 +451,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
 corenet_tcp_sendrecv_all_ports(httpd_t)
 corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_generic_node(httpd_t)
@ -13582,7 +13731,7 @@ index 08dfa0c..411a3ff 100644
 corenet_sendrecv_http_server_packets(httpd_t)
 # Signal self for shutdown
 corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +465,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +466,12 @@ dev_rw_crypto(httpd_t)
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@ -13598,7 +13747,7 @@ index 08dfa0c..411a3ff 100644
 domain_use_interactive_fds(httpd_t)
-@@ -402,6 +489,10 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +490,10 @@ files_read_etc_files(httpd_t)
 files_read_var_lib_symlinks(httpd_t)
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -13609,7 +13758,7 @@ index 08dfa0c..411a3ff 100644
 libs_read_lib_files(httpd_t)
-@@ -416,34 +507,70 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +508,70 @@ seutil_dontaudit_search_config(httpd_t)
 userdom_use_unpriv_users_fds(httpd_t)
@ -13682,7 +13831,7 @@ index 08dfa0c..411a3ff 100644
 ')
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +583,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +584,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@ -13693,7 +13842,7 @@ index 08dfa0c..411a3ff 100644
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,8 +597,12 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,8 +598,12 @@ tunable_policy(`httpd_enable_ftp_server',`
 	corenet_tcp_bind_ftp_port(httpd_t)
 ')
@ -13708,7 +13857,7 @@ index 08dfa0c..411a3ff 100644
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,6 +610,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -475,6 +611,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
@ -13721,7 +13870,7 @@ index 08dfa0c..411a3ff 100644
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_t)
 	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +625,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +626,16 @@ tunable_policy(`httpd_can_sendmail',`
 	# allow httpd to connect to mail servers
 	corenet_tcp_connect_smtp_port(httpd_t)
 	corenet_sendrecv_smtp_client_packets(httpd_t)
@ -13738,7 +13887,7 @@ index 08dfa0c..411a3ff 100644
 ')
 tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +650,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +651,10 @@ tunable_policy(`httpd_ssi_exec',`
 # are dontaudited here.
 tunable_policy(`httpd_tty_comm',`
 	userdom_use_user_terminals(httpd_t)
@ -13749,7 +13898,7 @@ index 08dfa0c..411a3ff 100644
 ')
 optional_policy(`
-@@ -513,7 +665,13 @@ optional_policy(`
+@@ -513,7 +666,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -13764,7 +13913,7 @@ index 08dfa0c..411a3ff 100644
 ')
 optional_policy(`
-@@ -528,7 +686,7 @@ optional_policy(`
+@@ -528,7 +687,7 @@ optional_policy(`
 	daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
@ -13773,7 +13922,7 @@ index 08dfa0c..411a3ff 100644
 	dbus_system_bus_client(httpd_t)
 	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +695,12 @@ optional_policy(`
+@@ -537,8 +696,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -13787,15 +13936,21 @@ index 08dfa0c..411a3ff 100644
 	')
 ')
-@@ -557,6 +719,7 @@ optional_policy(`
+@@ -556,7 +719,13 @@ optional_policy(`
 ')
 optional_policy(`
 +	mediawiki_read_tmp_files(httpd_t)
 +	mediawiki_delete_tmp_files(httpd_t)
 +')
 +
 +optional_policy(`
 	# Allow httpd to work with mysql
 +	mysql_read_config(httpd_t)
 	mysql_stream_connect(httpd_t)
 	mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +730,7 @@ optional_policy(`
+@@ -567,6 +736,7 @@ optional_policy(`
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -13803,7 +13958,7 @@ index 08dfa0c..411a3ff 100644
 ')
 optional_policy(`
-@@ -577,6 +741,16 @@ optional_policy(`
+@@ -577,6 +747,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -13820,7 +13975,7 @@ index 08dfa0c..411a3ff 100644
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
 	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +765,11 @@ optional_policy(`
+@@ -591,6 +771,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -13832,7 +13987,7 @@ index 08dfa0c..411a3ff 100644
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -603,6 +782,10 @@ optional_policy(`
+@@ -603,6 +788,10 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -13843,7 +13998,7 @@ index 08dfa0c..411a3ff 100644
 ########################################
 #
 # Apache helper local policy
-@@ -618,6 +801,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +807,10 @@ logging_send_syslog_msg(httpd_helper_t)
 userdom_use_user_terminals(httpd_helper_t)
@ -13854,7 +14009,7 @@ index 08dfa0c..411a3ff 100644
 ########################################
 #
 # Apache PHP script local policy
-@@ -654,28 +841,27 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +847,27 @@ libs_exec_lib_files(httpd_php_t)
 userdom_use_unpriv_users_fds(httpd_php_t)
 tunable_policy(`httpd_can_network_connect_db',`
@ -13895,7 +14050,7 @@ index 08dfa0c..411a3ff 100644
 ')
 ########################################
-@@ -699,17 +885,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +891,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -13921,7 +14076,7 @@ index 08dfa0c..411a3ff 100644
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +931,20 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +937,20 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
@ -13943,7 +14098,7 @@ index 08dfa0c..411a3ff 100644
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +970,25 @@ optional_policy(`
+@@ -769,6 +976,25 @@ optional_policy(`
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -13969,7 +14124,7 @@ index 08dfa0c..411a3ff 100644
 ########################################
 #
 # Apache system script local policy
-@@ -792,9 +1012,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +1018,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
 files_search_var_lib(httpd_sys_script_t)
 files_search_spool(httpd_sys_script_t)
@ -13983,7 +14138,7 @@ index 08dfa0c..411a3ff 100644
 ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
-@@ -803,6 +1027,33 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1033,33 @@ tunable_policy(`httpd_can_sendmail',`
 	mta_send_mail(httpd_sys_script_t)
 ')
@ -14017,7 +14172,7 @@ index 08dfa0c..411a3ff 100644
 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1073,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,7 +1079,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 ')
 tunable_policy(`httpd_enable_homedirs',`
@ -14026,7 +14181,7 @@ index 08dfa0c..411a3ff 100644
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1081,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1087,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
@ -14047,7 +14202,7 @@ index 08dfa0c..411a3ff 100644
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1107,20 @@ optional_policy(`
+@@ -842,10 +1113,20 @@ optional_policy(`
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -14068,7 +14223,7 @@ index 08dfa0c..411a3ff 100644
 ')
 ########################################
-@@ -891,11 +1166,21 @@ optional_policy(`
+@@ -891,11 +1172,21 @@ optional_policy(`
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -14876,10 +15031,10 @@ index 0000000..fa9b95a
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..c9622ef
+index 0000000..4bc3f06
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,167 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@ -15004,6 +15159,7 @@ index 0000000..c9622ef
 +allow boinc_project_t self:process { execmem execstack };
 +
 +allow boinc_project_t self:fifo_file rw_fifo_file_perms;
 +allow boinc_project_t self:sem create_sem_perms;
 +
 +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
@ -15592,7 +15748,7 @@ index 7a6e5ba..d664be8 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 1a65b5e..1c87fb3 100644
+index 1a65b5e..5595c96 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
@ -15604,6 +15760,28 @@ index 1a65b5e..1c87fb3 100644
 manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
 manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
@@ -58,6 +58,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
 sysnet_dns_name_resolve(certmonger_t)
 +userdom_search_user_home_content(certmonger_t)
 +
 +optional_policy(`
 +	apache_search_config(certmonger_t)
 +')
 +
 +optional_policy(`
 +	bind_search_cache(certmonger_t)
 +')
 +
 optional_policy(`
 	dbus_system_bus_client(certmonger_t)
 	dbus_connect_system_bus(certmonger_t)
@@ -70,3 +80,4 @@ optional_policy(`
 optional_policy(`
 	pcscd_stream_connect(certmonger_t)
 ')
 +
 diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
 index d020c93..e5cbcef 100644
 --- a/policy/modules/services/cgroup.if
@ -19059,9 +19237,18 @@ index f590a1f..87f6bfb 100644
 	allow $1 fail2ban_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..7c5bf19 100644
+index 2a69e5e..0a4216c 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
@@ -28,7 +28,7 @@ files_pid_file(fail2ban_var_run_t)
 # fail2ban local policy
 #
 -allow fail2ban_t self:capability { sys_tty_config };
 +allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
 allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
 allow fail2ban_t self:tcp_socket create_stream_socket_perms;
@ -38698,7 +38885,7 @@ index f6aafe7..666a58f 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 698c11e..d17f2bf 100644
+index 698c11e..e90e509 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -38774,7 +38961,13 @@ index 698c11e..d17f2bf 100644
 # For /var/run/shutdown.pid.
 allow init_t init_var_run_t:file manage_file_perms;
-@@ -119,6 +144,7 @@ corecmd_exec_chroot(init_t)
+@@ -114,11 +139,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 +kernel_stream_connect(init_t)
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 dev_read_sysfs(init_t)
@ -38782,7 +38975,7 @@ index 698c11e..d17f2bf 100644
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
-@@ -127,9 +153,12 @@ domain_kill_all_domains(init_t)
+@@ -127,9 +154,12 @@ domain_kill_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
@ -38795,7 +38988,7 @@ index 698c11e..d17f2bf 100644
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
-@@ -162,12 +191,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +192,15 @@ init_domtrans_script(init_t)
 libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
@ -38811,7 +39004,7 @@ index 698c11e..d17f2bf 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
 ')
-@@ -178,7 +210,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +211,7 @@ ifdef(`distro_redhat',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
@ -38820,7 +39013,7 @@ index 698c11e..d17f2bf 100644
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +218,74 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +219,74 @@ tunable_policy(`init_upstart',`
 	sysadm_shell_domtrans(init_t)
 ')
@ -38895,7 +39088,7 @@ index 698c11e..d17f2bf 100644
 ')
 optional_policy(`
-@@ -199,10 +293,19 @@ optional_policy(`
+@@ -199,10 +294,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -38915,7 +39108,7 @@ index 698c11e..d17f2bf 100644
 	unconfined_domain(init_t)
 ')
-@@ -212,7 +315,7 @@ optional_policy(`
+@@ -212,7 +316,7 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38924,7 +39117,7 @@ index 698c11e..d17f2bf 100644
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -241,6 +344,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +345,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38932,7 +39125,7 @@ index 698c11e..d17f2bf 100644
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +362,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +363,23 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -38956,7 +39149,7 @@ index 698c11e..d17f2bf 100644
 corecmd_exec_all_executables(initrc_t)
-@@ -291,6 +407,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +408,7 @@ dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
@ -38964,7 +39157,7 @@ index 698c11e..d17f2bf 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -298,13 +415,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +416,13 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -38980,7 +39173,7 @@ index 698c11e..d17f2bf 100644
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-@@ -323,8 +440,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +441,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -38992,7 +39185,7 @@ index 698c11e..d17f2bf 100644
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -340,8 +459,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +460,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -39006,7 +39199,7 @@ index 698c11e..d17f2bf 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -351,6 +474,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +475,8 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -39015,7 +39208,7 @@ index 698c11e..d17f2bf 100644
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
-@@ -363,6 +488,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +489,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -39023,7 +39216,7 @@ index 698c11e..d17f2bf 100644
 selinux_get_enforce_mode(initrc_t)
-@@ -380,6 +506,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +507,7 @@ auth_read_pam_pid(initrc_t)
 auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
 auth_use_nsswitch(initrc_t)
@ -39031,7 +39224,7 @@ index 698c11e..d17f2bf 100644
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
-@@ -394,13 +521,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +522,14 @@ logging_read_audit_config(initrc_t)
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -39047,7 +39240,7 @@ index 698c11e..d17f2bf 100644
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +601,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +602,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -39056,7 +39249,7 @@ index 698c11e..d17f2bf 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -519,6 +647,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +648,19 @@ ifdef(`distro_redhat',`
 	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
@ -39076,7 +39269,7 @@ index 698c11e..d17f2bf 100644
 	')
 	optional_policy(`
-@@ -526,10 +667,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +668,17 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -39094,7 +39287,7 @@ index 698c11e..d17f2bf 100644
 	')
 	optional_policy(`
-@@ -544,6 +692,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +693,35 @@ ifdef(`distro_suse',`
 	')
 ')
@ -39130,7 +39323,7 @@ index 698c11e..d17f2bf 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +733,8 @@ optional_policy(`
+@@ -556,6 +734,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -39139,7 +39332,7 @@ index 698c11e..d17f2bf 100644
 ')
 optional_policy(`
-@@ -572,6 +751,7 @@ optional_policy(`
+@@ -572,6 +752,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -39147,7 +39340,7 @@ index 698c11e..d17f2bf 100644
 ')
 optional_policy(`
-@@ -584,6 +764,11 @@ optional_policy(`
+@@ -584,6 +765,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -39159,7 +39352,7 @@ index 698c11e..d17f2bf 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -600,6 +785,9 @@ optional_policy(`
+@@ -600,6 +786,9 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -39169,7 +39362,7 @@ index 698c11e..d17f2bf 100644
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +889,13 @@ optional_policy(`
+@@ -701,7 +890,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -39183,7 +39376,7 @@ index 698c11e..d17f2bf 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -724,6 +918,10 @@ optional_policy(`
+@@ -724,6 +919,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39194,7 +39387,7 @@ index 698c11e..d17f2bf 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -745,6 +943,10 @@ optional_policy(`
+@@ -745,6 +944,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39205,7 +39398,7 @@ index 698c11e..d17f2bf 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -766,8 +968,6 @@ optional_policy(`
+@@ -766,8 +969,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -39214,7 +39407,7 @@ index 698c11e..d17f2bf 100644
 ')
 optional_policy(`
-@@ -776,14 +976,21 @@ optional_policy(`
+@@ -776,14 +977,21 @@ optional_policy(`
 ')
 optional_policy(`
@ -39236,7 +39429,7 @@ index 698c11e..d17f2bf 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1012,19 @@ optional_policy(`
+@@ -805,11 +1013,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -39257,7 +39450,7 @@ index 698c11e..d17f2bf 100644
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1034,25 @@ optional_policy(`
+@@ -819,6 +1035,25 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -39283,7 +39476,7 @@ index 698c11e..d17f2bf 100644
 ')
 optional_policy(`
-@@ -844,3 +1078,55 @@ optional_policy(`
+@@ -844,3 +1079,55 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.5
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -470,6 +470,18 @@ exit 0
 %endif
 %changelog
 * Wed Oct 6 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-11
 - Fix fusefs handling
 - Do not allow sandbox to manage nsplugin_rw_t
 - Allow mozilla_plugin_t to connecto its parent
 - Allow init_t to connect to plymouthd running as kernel_t
 - Add mediawiki policy
 - dontaudit sandbox sending signals to itself.  This can happen when they are running at different mcs.
 - Disable transition from dbus_session_domain to telepathy for F14
 - Allow boinc_project to use shm
 - Allow certmonger to search through directories that contain certs
 - Allow fail2ban the DAC Override so it can read log files owned by non root users
 * Mon Oct 4 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-10
 - Start adding support for use_fusefs_home_dirs
 - Add /var/lib/syslog directory file context