- Additional rules for fprintd and sssd

2009-04-30 11:51:07 +00:00 · 2009-04-30 11:51:07 +00:00 · 21b13fca45
commit 21b13fca45
parent 40d8f60dd7
2 changed files with 160 additions and 48 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -1833,9 +1833,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +permissive cpufreqselector_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.12/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc	2009-04-30 07:42:25.000000000 -0400
@@ -1,8 +1,16 @@
- HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
+-HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.config(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 +HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
@ -5234,7 +5235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-04-27 11:30:40.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-04-29 10:47:24.000000000 -0400
@@ -5,6 +5,13 @@
 #
 # Declarations
@ -5305,7 +5306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 
 # act on all domains keys
-@@ -153,3 +172,46 @@
+@@ -153,3 +172,50 @@
 
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -5338,6 +5339,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
+	ssh_rw_pipes(domain)
+')
+
+optional_policy(`
 +	unconfined_dontaudit_rw_pipes(domain)
 +	unconfined_sigchld(domain)
 +')
@ -8336,7 +8341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.12/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/apache.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.if	2009-04-29 14:18:52.000000000 -0400
@@ -13,21 +13,16 @@
 #
 template(`apache_content_template',`
@ -8558,7 +8563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 			nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -227,10 +170,6 @@
+@@ -227,15 +170,13 @@
 
 	optional_policy(`
 		postgresql_unpriv_client(httpd_$1_script_t)
@ -8569,7 +8574,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	optional_policy(`
-@@ -504,6 +443,47 @@
+ 		nscd_socket_use(httpd_$1_script_t)
+ 	')
+
+	dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+ ')
+ 
+ ########################################
+@@ -504,6 +445,47 @@
 ########################################
 ## <summary>
 ##	Allow the specified domain to read
@ -8617,7 +8629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	apache configuration files.
 ## </summary>
 ## <param name="domain">
-@@ -579,7 +559,7 @@
+@@ -579,7 +561,7 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -8626,7 +8638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	</summary>
 ## </param>
 ## <rolecap/>
-@@ -715,6 +695,7 @@
+@@ -715,6 +697,7 @@
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
@ -8634,7 +8646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -782,6 +763,32 @@
+@@ -782,6 +765,32 @@
 
 ########################################
 ## <summary>
@ -8667,7 +8679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute all web scripts in the system
 ##	script domain.
 ## </summary>
-@@ -791,16 +798,18 @@
+@@ -791,16 +800,18 @@
 ##	</summary>
 ## </param>
 #
@ -8690,7 +8702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -859,6 +868,8 @@
+@@ -859,6 +870,8 @@
 ##	</summary>
 ## </param>
 #
@ -8699,7 +8711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 interface(`apache_run_all_scripts',`
 	gen_require(`
 		attribute httpd_exec_scripts, httpd_script_domains;
-@@ -884,7 +895,7 @@
+@@ -884,7 +897,7 @@
 		type httpd_squirrelmail_t;
 	')
 
@ -8708,7 +8720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1040,3 +1051,160 @@
+@@ -1040,3 +1053,160 @@
 
 	allow httpd_t $1:process signal;
 ')
@ -10360,7 +10372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-04-29 13:51:27.000000000 -0400
@@ -13,6 +13,9 @@
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
@ -10400,7 +10412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
 
-@@ -47,13 +57,35 @@
+@@ -47,13 +57,36 @@
 
 auth_use_nsswitch(consolekit_t)
 
@ -10409,6 +10421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +init_chat(consolekit_t)
 +
 +logging_send_syslog_msg(consolekit_t)
+logging_send_audit_msgs(consolekit_t)
 +
 miscfiles_read_localization(consolekit_t)
 
@ -10438,7 +10451,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	optional_policy(`
 		unconfined_dbus_chat(consolekit_t)
-@@ -61,6 +93,32 @@
+@@ -61,6 +94,32 @@
 ')
 
 optional_policy(`
@ -11834,7 +11847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/cvs.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cvs.te	2009-04-29 12:56:25.000000000 -0400
@@ -112,4 +112,5 @@
 	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
 	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@ -13431,8 +13444,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-04-28 16:07:25.000000000 -0400
-@@ -0,0 +1,36 @@
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-04-29 10:10:42.000000000 -0400
+@@ -0,0 +1,41 @@
 +policy_module(fprintd,1.0.0)
 +
 +########################################
@ -13463,8 +13476,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +userdom_read_all_users_state(fprintd_t)
 +
 +optional_policy(`
+	consolekit_dbus_chat(fprintd_t)
+')
+
+optional_policy(`
 +	polkit_read_reload(fprintd_t)
 +	polkit_read_lib(fprintd_t)
+	polkit_domtrans_auth(fprintd_t)
 +')
 +
 +permissive fprintd_t;
@ -14533,6 +14551,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +permissive ifplugd_t;
 +
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.6.12/policy/modules/services/inetd.if
+--- nsaserefpolicy/policy/modules/services/inetd.if	2008-09-03 07:59:15.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/inetd.if	2009-04-29 14:44:12.000000000 -0400
+@@ -36,8 +36,7 @@
+ 	role system_r types $1;
+ 
+ 	domtrans_pattern(inetd_t, $2, $1)
+-
+-	allow inetd_t $1:process sigkill;
+	allow inetd_t $1:process { siginh sigkill };
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if
 --- nsaserefpolicy/policy/modules/services/kerneloops.if	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if	2009-04-23 09:44:57.000000000 -0400
@ -14959,8 +14990,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
 --- nsaserefpolicy/policy/modules/services/milter.fc	2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.fc	2009-04-27 11:46:55.000000000 -0400
-@@ -1,6 +1,9 @@
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc	2009-04-29 10:14:21.000000000 -0400
+@@ -1,6 +1,10 @@
 -/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
 -/var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
 
@ -14969,6 +15000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_state_t,s0)
 /var/run/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /var/run/spamass-milter\.pid			--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/milter.*				--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
 +/var/lib/miltermilter.*					gen_context(system_u:object_r:spamass_milter_state_t,s0)
 +
 +/var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
@ -20441,6 +20473,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 auth_login_pgm_domain(rshd_t)
 auth_write_login_records(rshd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
+--- nsaserefpolicy/policy/modules/services/rsync.te	2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te	2009-04-29 13:19:21.000000000 -0400
+@@ -8,6 +8,13 @@
+ 
+ ## <desc>
+ ## <p>
+## Allow rsync to run as a client
+## </p>
+## </desc>
+gen_tunable(rsync_client, false)
+
+## <desc>
+## <p>
+ ## Allow rsync to export any files/directories read only.
+ ## </p>
+ ## </desc>
+@@ -124,4 +131,12 @@
+ 	auth_read_all_symlinks_except_shadow(rsync_t)
+ 	auth_tunable_read_shadow(rsync_t)
+ ')
+
+tunable_policy(`rsync_client',`
+	corenet_tcp_connect_rsync_port(rsync_t)
+	manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+	manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+	manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+')
+
+ auth_can_read_shadow_passwords(rsync_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.12/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/samba.fc	2009-04-23 09:44:57.000000000 -0400
@ -21363,7 +21425,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if	2009-04-29 13:03:31.000000000 -0400
+@@ -89,7 +89,7 @@
+ 		type sendmail_t;
+ 	')
+ 
+-	allow $1 sendmail_t:unix_stream_socket { read write };
+	allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+ ')
+ 
+ ########################################
@@ -149,3 +149,92 @@
 
 	logging_log_filetrans($1, sendmail_log_t, file)
@ -22406,7 +22477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-04-29 10:46:37.000000000 -0400
@@ -36,6 +36,7 @@
 	gen_require(`
 		attribute ssh_server;
@ -22607,7 +22678,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Read a ssh server unnamed pipe.
 ## </summary>
 ## <param name="domain">
-@@ -611,3 +630,42 @@
+@@ -469,6 +488,23 @@
+ 
+ 	allow $1 sshd_t:fifo_file { getattr read };
+ ')
+########################################
+## <summary>
+##	Read/write a ssh server unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_rw_pipes',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:fifo_file { write read getattr ioctl };
+')
+ 
+ ########################################
+ ## <summary>
+@@ -611,3 +647,42 @@
 
 	dontaudit $1 sshd_key_t:file { getattr read };
 ')
@ -23085,8 +23180,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/sssd.te	2009-04-28 15:43:36.000000000 -0400
-@@ -0,0 +1,72 @@
+++ serefpolicy-3.6.12/policy/modules/services/sssd.te	2009-04-29 10:01:55.000000000 -0400
+@@ -0,0 +1,74 @@
 +policy_module(sssd,1.0.0)
 +
 +########################################
@ -23150,6 +23245,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +auth_domtrans_chk_passwd(sssd_t)
 +auth_domtrans_upd_passwd(sssd_t)
 +
+init_read_utmp(sssd_t)
+
 +logging_send_syslog_msg(sssd_t)
 +logging_send_audit_msgs(sssd_t)
 +
@ -25930,8 +26027,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.if	2009-04-23 09:44:57.000000000 -0400
-@@ -280,6 +280,36 @@
+++ serefpolicy-3.6.12/policy/modules/system/init.if	2009-04-29 14:42:44.000000000 -0400
+@@ -174,6 +174,7 @@
+ 	role system_r types $1;
+ 
+ 	domtrans_pattern(initrc_t,$2,$1)
+	allow initrc_t $1:process siginh;
+ 
+ 	# daemons started from init will
+ 	# inherit fds from init for the console
+@@ -272,6 +273,7 @@
+ 	role system_r types $1;
+ 
+ 	domtrans_pattern(initrc_t,$2,$1)
+	allow initrc_t $1:process siginh;
+ 
+ 	ifdef(`hide_broken_symptoms',`
+ 		# RHEL4 systems seem to have a stray
+@@ -280,6 +282,36 @@
 			kernel_dontaudit_use_fds($1)
 		')
 	')
@ -25968,7 +26081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -546,7 +576,7 @@
+@@ -546,7 +578,7 @@
 
 		# upstart uses a datagram socket instead of initctl pipe
 		allow $1 self:unix_dgram_socket create_socket_perms;
@ -25977,7 +26090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -619,18 +649,19 @@
+@@ -619,18 +651,19 @@
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
@ -26001,7 +26114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -646,23 +677,43 @@
+@@ -646,19 +679,39 @@
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -26022,11 +26135,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
+	')
+')
+
+########################################
+## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@ -26039,17 +26152,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
-@@ -1291,6 +1342,25 @@
+ ')
+ 
+ ########################################
+@@ -1291,6 +1344,25 @@
 
 ########################################
 ## <summary>
@ -26075,7 +26184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
-@@ -1521,3 +1591,51 @@
+@@ -1521,3 +1593,51 @@
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -480,6 +480,9 @@ exit 0
 %endif

 %changelog
+* Wed Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-25
+- Additional rules for fprintd and sssd
+
 * Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-24
 - Allow nsplugin to unix_read unix_write sem for unconfined_java