diff --git a/policy-20090105.patch b/policy-20090105.patch
index 553f80c9..1d2eb7c3 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -1401,7 +1401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.6.3/policy/modules/admin/vbetool.if
--- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/admin/vbetool.if 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/admin/vbetool.if 2009-01-23 14:46:57.000000000 -0500
@@ -18,3 +18,28 @@
corecmd_search_bin($1)
domtrans_pattern($1, vbetool_exec_t, vbetool_t)
@@ -4058,7 +4058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+corecmd_executable_file(wm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc 2009-01-20 14:46:23.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc 2009-01-23 15:08:37.000000000 -0500
@@ -58,6 +58,8 @@
/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -4103,7 +4103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
-@@ -293,3 +299,8 @@
+@@ -293,3 +299,10 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -4112,6 +4112,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib(64)?/pm-utils/sleep.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.3/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.if 2009-01-19 13:10:02.000000000 -0500
@@ -6183,7 +6185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.3/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc 2009-01-19 13:53:59.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc 2009-01-23 09:24:07.000000000 -0500
@@ -36,7 +36,7 @@
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -6193,6 +6195,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
ifdef(`distro_redhat', `
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -57,7 +57,7 @@
+
+ /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+-/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
++/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
+ /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+
+ /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -67,6 +67,8 @@
/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -8502,7 +8513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-21 11:01:33.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-23 15:14:19.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -10134,8 +10145,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.3/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.fc 2009-01-19 13:10:02.000000000 -0500
-@@ -17,9 +17,9 @@
++++ serefpolicy-3.6.3/policy/modules/services/cron.fc 2009-01-23 15:16:30.000000000 -0500
+@@ -1,3 +1,4 @@
++/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+@@ -17,9 +18,9 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -10148,7 +10164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-@@ -41,7 +41,11 @@
+@@ -41,7 +42,11 @@
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
@@ -10163,7 +10179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.3/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.if 2009-01-21 15:20:50.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/cron.if 2009-01-23 15:15:40.000000000 -0500
@@ -12,6 +12,10 @@
##
#
@@ -10259,7 +10275,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
gen_require(`
type crond_t;
')
-@@ -481,11 +515,14 @@
+@@ -416,6 +450,42 @@
+
+ ########################################
+ ##
++## Execute cron in the cron system domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_domtrans',`
++ gen_require(`
++ type system_cronjob_t, crond_exec_t;
++ ')
++
++ domtrans_pattern($1,crond_exec_t,system_cronjob_t)
++')
++
++########################################
++##
++## Execute crond_exec_t
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_exec',`
++ gen_require(`
++ type crond_exec_t;
++ ')
++
++ can_exec($1,crond_exec_t)
++')
++
++########################################
++##
+ ## Inherit and use a file descriptor
+ ## from system cron jobs.
+ ##
+@@ -481,11 +551,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -10275,7 +10334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -506,3 +543,82 @@
+@@ -506,3 +579,101 @@
dontaudit $1 system_cronjob_tmp_t:file append;
')
@@ -10358,9 +10417,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
++
++########################################
++##
++## Execute crond server in the nscd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`cron_initrc_domtrans',`
++ gen_require(`
++ type crond_initrc_exec_t;
++')
++
++ init_labeled_script_domtrans($1, crond_initrc_exec_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-21 15:19:17.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-23 15:14:37.000000000 -0500
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10372,8 +10450,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
-@@ -58,6 +62,8 @@
+@@ -56,8 +60,13 @@
+ domain_interactive_fd(crond_t)
+ domain_cron_exemption_source(crond_t)
++type crond_initrc_exec_t;
++init_script_file(crond_initrc_exec_t)
++
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
@@ -10381,7 +10464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type crond_var_run_t;
files_pid_file(crond_var_run_t)
-@@ -70,10 +76,11 @@
+@@ -70,10 +79,11 @@
typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
cron_common_crontab_template(crontab)
@@ -10394,7 +10477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
-@@ -103,6 +110,13 @@
+@@ -103,6 +113,13 @@
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
@@ -10408,7 +10491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Admin crontab local policy
-@@ -130,7 +144,7 @@
+@@ -130,7 +147,7 @@
# Cron daemon local policy
#
@@ -10417,7 +10500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
-@@ -149,19 +163,19 @@
+@@ -149,19 +166,19 @@
allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
@@ -10441,7 +10524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
selinux_validate_context(crond_t)
-@@ -183,6 +197,8 @@
+@@ -183,6 +200,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
@@ -10450,7 +10533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
-@@ -192,10 +208,13 @@
+@@ -192,10 +211,13 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
@@ -10464,7 +10547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -208,6 +227,7 @@
+@@ -208,6 +230,7 @@
userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
@@ -10472,7 +10555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_debian',`
# pam_limits is used
-@@ -227,21 +247,45 @@
+@@ -227,21 +250,45 @@
')
')
@@ -10519,7 +10602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -283,7 +327,14 @@
+@@ -283,7 +330,14 @@
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
@@ -10534,7 +10617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -314,9 +365,13 @@
+@@ -314,9 +368,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -10549,7 +10632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +425,8 @@
+@@ -370,7 +428,8 @@
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10559,7 +10642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(system_cronjob_t)
-@@ -378,6 +434,7 @@
+@@ -378,6 +437,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
@@ -10567,7 +10650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
-@@ -428,11 +485,20 @@
+@@ -428,11 +488,20 @@
')
optional_policy(`
@@ -10588,7 +10671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -460,8 +526,7 @@
+@@ -460,8 +529,7 @@
')
optional_policy(`
@@ -10598,7 +10681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -469,24 +534,17 @@
+@@ -469,24 +537,17 @@
')
optional_policy(`
@@ -10607,16 +10690,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
- ')
-
+-')
+-
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_cronjob_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_cronjob_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
--')
+ ')
-') dnl end TODO
--
+
########################################
#
# User cronjobs local policy
@@ -10626,7 +10709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +628,9 @@
+@@ -570,6 +631,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@@ -11606,8 +11689,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-20 17:22:44.000000000 -0500
-@@ -0,0 +1,157 @@
++++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-23 09:25:48.000000000 -0500
+@@ -0,0 +1,177 @@
+
+## policy for devicekit
+
@@ -11765,10 +11848,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ devicekit_manage_var_run($1)
+
+')
++
++########################################
++##
++## Send to devicekit over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`devicekit_dgram_send',`
++ gen_require(`
++ type devicekit_t;
++ ')
++
++ allow $1 devicekit_t:unix_dgram_socket sendto;
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-20 17:10:23.000000000 -0500
-@@ -0,0 +1,71 @@
++++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-23 15:17:57.000000000 -0500
+@@ -0,0 +1,114 @@
+policy_module(devicekit,1.0.0)
+
+########################################
@@ -11816,19 +11919,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+# DeviceKit-Power local policy
+#
++allow devicekit_power_t self:capability { sys_tty_config dac_override };
++allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+
++corecmd_exec_bin(devicekit_power_t)
++corecmd_exec_shell(devicekit_power_t)
++
++consoletype_exec(devicekit_power_t)
++
+dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t)
-+dev_read_sysfs(devicekit_power_t)
++dev_rw_sysfs(devicekit_power_t)
+
+files_read_etc_files(devicekit_power_t)
++files_read_usr_files(devicekit_t)
+
+fs_list_inotifyfs(devicekit_power_t)
+
++auth_use_nsswitch(devicekit_power_t)
++
+miscfiles_read_localization(devicekit_power_t)
+
++userdom_read_all_users_state(devicekit_power_t)
++
+optional_policy(`
++ hal_domtrans_mac(devicekit_power_t)
++ hal_write_log(devicekit_power_t)
++ hal_manage_pid_dirs(devicekit_power_t)
++ hal_manage_pid_files(devicekit_power_t)
++ hal_dbus_chat(devicekit_power_t)
++')
++
++optional_policy(`
++ cron_initrc_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
++ polkit_domtrans_auth(devicekit_power_t)
++ polkit_read_lib(devicekit_power_t)
+ polkit_read_reload(devicekit_power_t)
+')
+
@@ -11836,9 +11965,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dbus_system_bus_client(devicekit_power_t)
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+ allow devicekit_t devicekit_power_t:dbus send_msg;
++
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_power_t)
+ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(devicekit_power_t)
++ ')
++
++ optional_policy(`
++ rpm_dbus_chat(devicekit_power_t)
++ ')
++')
++
++optional_policy(`
++ bootloader_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
++ vbetool_domtrans(devicekit_power_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500
@@ -12735,8 +12881,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.3/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/hal.if 2009-01-20 15:29:07.000000000 -0500
-@@ -51,10 +51,7 @@
++++ serefpolicy-3.6.3/policy/modules/services/hal.if 2009-01-23 14:59:53.000000000 -0500
+@@ -20,6 +20,24 @@
+
+ ########################################
+ ##
++## Execute hal mac in the hal mac domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hal_domtrans_mac',`
++ gen_require(`
++ type hald_mac_t, hald_mac_exec_t;
++ ')
++
++ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
++')
++
++########################################
++##
+ ## Get the attributes of a hal process.
+ ##
+ ##
+@@ -51,10 +69,7 @@
type hald_t;
')
@@ -12748,6 +12919,67 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
+@@ -340,3 +355,60 @@
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file rw_file_perms;
+ ')
++
++########################################
++##
++## Read/Write hald PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hal_rw_pid_files',`
++ gen_require(`
++ type hald_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 hald_var_run_t:file rw_file_perms;
++')
++
++########################################
++##
++## Manage hald PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hal_manage_pid_files',`
++ gen_require(`
++ type hald_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
++')
++
++########################################
++##
++## Manage hald PID dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hal_manage_pid_dirs',`
++ gen_require(`
++ type hald_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/hal.te 2009-01-20 11:41:48.000000000 -0500
@@ -14776,7 +15008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.3/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/nscd.if 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/nscd.if 2009-01-23 15:15:06.000000000 -0500
@@ -58,6 +58,42 @@
########################################
@@ -16474,7 +16706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.3/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/polkit.if 2009-01-19 14:47:07.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/polkit.if 2009-01-23 14:44:09.000000000 -0500
@@ -0,0 +1,241 @@
+
+## policy for polkit_auth
@@ -22605,7 +22837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 16:14:47.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-23 10:14:45.000000000 -0500
@@ -34,6 +34,13 @@
##
@@ -23043,6 +23275,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Device rules
allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+@@ -622,7 +728,7 @@
+ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+
+-filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)
++#filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)
+
+ manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+ manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -635,6 +741,15 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -27411,7 +27652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-21 16:19:30.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-23 15:07:13.000000000 -0500
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e8c67e0d..8c2d929a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.3
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@ exit 0
%endif
%changelog
+* Fri Jan 23 2009 Dan Walsh 3.6.3-8
+- Add policy to make dbus/nm-applet work
+
* Thu Jan 22 2009 Dan Walsh 3.6.3-7
- Remove polgen-ifgen from post and add trigger to policycoreutils-python