- Allow sshd to read var_lib symlinks for freenx

2009-04-22 19:18:30 +00:00 · 2009-04-22 19:18:30 +00:00 · 3c498a780b
commit 3c498a780b
parent a32a1594b6
2 changed files with 127 additions and 47 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -459,10 +459,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.12/policy/modules/admin/dmesg.fc
+--- nsaserefpolicy/policy/modules/admin/dmesg.fc	2008-08-07 11:15:13.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.fc	2009-04-22 14:17:05.000000000 -0400
+@@ -1,2 +1,4 @@
+ 
+ /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+/usr/sbin/mcelog	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te	2009-04-07 16:01:44.000000000 -0400
-@@ -35,7 +35,7 @@
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te	2009-04-22 14:39:11.000000000 -0400
+@@ -9,6 +9,7 @@
+ type dmesg_t;
+ type dmesg_exec_t;
+ init_system_domain(dmesg_t, dmesg_exec_t)
+cron_system_entry(dmesg_t, dmesg_exec_t)
+ 
+ ########################################
+ #
+@@ -20,12 +21,14 @@
+ 
+ allow dmesg_t self:process signal_perms;
+ 
+kernel_read_system_state(dmesg_t)
+ kernel_read_kernel_sysctls(dmesg_t)
+ kernel_read_ring_buffer(dmesg_t)
+ kernel_clear_ring_buffer(dmesg_t)
+ kernel_change_ring_buffer_level(dmesg_t)
+ kernel_list_proc(dmesg_t)
+ kernel_read_proc_symlinks(dmesg_t)
+dev_read_kmsg(dmesg_t)
+ 
+ dev_read_sysfs(dmesg_t)
+ 
+@@ -35,7 +38,7 @@
 
 domain_use_interactive_fds(dmesg_t)
 
@ -3055,8 +3086,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te	2009-04-17 11:13:07.000000000 -0400
-@@ -0,0 +1,293 @@
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te	2009-04-22 13:50:31.000000000 -0400
+@@ -0,0 +1,294 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@ -3086,7 +3117,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +application_executable_file(nsplugin_config_exec_t)
 +
 +type nsplugin_rw_t;
-+files_type(nsplugin_rw_t)
+files_poly_member(nsplugin_rw_t)
+userdom_user_home_content(nsplugin_rw_t)
 +
 +type nsplugin_tmp_t;
 +files_tmp_file(nsplugin_tmp_t)
@ -3611,7 +3643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if	2009-04-07 16:01:44.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if	2009-04-22 13:29:00.000000000 -0400
@@ -0,0 +1,148 @@
 +
 +## <summary>policy for pulseaudio</summary>
@ -5229,7 +5261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-04-20 12:17:02.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-04-22 13:33:02.000000000 -0400
@@ -110,6 +110,11 @@
 ## </param>
 #
@ -9697,6 +9729,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 libs_legacy_use_shared_libs(bitlbee_t)
 
 miscfiles_read_localization(bitlbee_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te	2009-04-22 13:29:27.000000000 -0400
+@@ -152,6 +152,10 @@
+ 	optional_policy(`
+ 		hal_dbus_chat(bluetooth_t)
+ 	')
+
+	optional_policy(`
+		pulseaudio_dbus_chat(bluetooth_t)
+	')
+ ')
+ 
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.12/policy/modules/services/certmaster.fc
 --- nsaserefpolicy/policy/modules/services/certmaster.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/certmaster.fc	2009-04-07 16:01:44.000000000 -0400
@ -10693,7 +10739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cron.te	2009-04-21 16:03:54.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cron.te	2009-04-22 14:41:00.000000000 -0400
@@ -38,6 +38,10 @@
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
@ -10756,7 +10802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
-@@ -146,22 +163,23 @@
+@@ -146,20 +163,20 @@
 allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 
@ -10781,11 +10827,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +kernel_read_fs_sysctls(crond_t)
 kernel_search_key(crond_t)
 
-+dev_read_kmsg(crond_t)
 dev_read_sysfs(crond_t)
- selinux_get_fs_mount(crond_t)
- selinux_validate_context(crond_t)
-@@ -174,6 +192,7 @@
+@@ -174,6 +191,7 @@
 
 fs_getattr_all_fs(crond_t)
 fs_search_auto_mountpoints(crond_t)
@ -10793,7 +10836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # need auth_chkpwd to check for locked accounts.
 auth_domtrans_chk_passwd(crond_t)
-@@ -183,7 +202,11 @@
+@@ -183,7 +201,11 @@
 corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
@ -10805,7 +10848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(crond_t)
 files_read_generic_spool(crond_t)
 files_list_usr(crond_t)
-@@ -192,10 +215,15 @@
+@@ -192,10 +214,15 @@
 files_search_default(crond_t)
 
 init_rw_utmp(crond_t)
@ -10821,7 +10864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 seutil_read_config(crond_t)
 seutil_read_default_contexts(crond_t)
-@@ -208,6 +236,7 @@
+@@ -208,6 +235,7 @@
 userdom_list_user_home_dirs(crond_t)
 
 mta_send_mail(crond_t)
@ -10829,7 +10872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 ifdef(`distro_debian',`
 	# pam_limits is used
-@@ -227,21 +256,44 @@
+@@ -227,21 +255,44 @@
 	')
 ')
 
@ -10875,7 +10918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -268,8 +320,8 @@
+@@ -268,8 +319,8 @@
 # System cron process domain
 #
 
@ -10886,7 +10929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-@@ -283,7 +335,14 @@
+@@ -283,7 +334,14 @@
 allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
@ -10901,7 +10944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
 # not directly executed, crond must ensure that
-@@ -303,6 +362,7 @@
+@@ -303,6 +361,7 @@
 allow system_cronjob_t crond_t:fd use;
 allow system_cronjob_t crond_t:fifo_file rw_file_perms;
 allow system_cronjob_t crond_t:process sigchld;
@ -10909,7 +10952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Write /var/lock/makewhatis.lock.
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -314,9 +374,13 @@
+@@ -314,9 +373,13 @@
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
 files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
 
@ -10924,7 +10967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
-@@ -345,6 +409,7 @@
+@@ -345,6 +408,7 @@
 fs_getattr_all_symlinks(system_cronjob_t)
 fs_getattr_all_pipes(system_cronjob_t)
 fs_getattr_all_sockets(system_cronjob_t)
@ -10932,7 +10975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # quiet other ps operations
 domain_dontaudit_read_all_domains_state(system_cronjob_t)
-@@ -370,7 +435,8 @@
+@@ -370,7 +434,8 @@
 init_read_utmp(system_cronjob_t)
 init_dontaudit_rw_utmp(system_cronjob_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
@ -10942,7 +10985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 auth_use_nsswitch(system_cronjob_t)
 
-@@ -378,6 +444,7 @@
+@@ -378,6 +443,7 @@
 libs_exec_ld_so(system_cronjob_t)
 
 logging_read_generic_logs(system_cronjob_t)
@ -10950,7 +10993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(system_cronjob_t)
 
 miscfiles_read_localization(system_cronjob_t)
-@@ -418,6 +485,10 @@
+@@ -418,6 +484,10 @@
 ')
 
 optional_policy(`
@ -10961,7 +11004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ftp_read_log(system_cronjob_t)
 ')
 
-@@ -428,11 +499,20 @@
+@@ -428,11 +498,20 @@
 ')
 
 optional_policy(`
@ -10982,7 +11025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -447,6 +527,7 @@
+@@ -447,6 +526,7 @@
 	prelink_read_cache(system_cronjob_t)
 	prelink_manage_log(system_cronjob_t)
 	prelink_delete_cache(system_cronjob_t)
@ -10990,7 +11033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -460,8 +541,7 @@
+@@ -460,8 +540,7 @@
 ')
 
 optional_policy(`
@ -11000,7 +11043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -469,24 +549,17 @@
+@@ -469,24 +548,17 @@
 ')
 
 optional_policy(`
@ -11028,7 +11071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow cronjob_t self:process { signal_perms setsched };
 allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +643,9 @@
+@@ -570,6 +642,9 @@
 userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
 
@ -21997,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-04-21 13:22:50.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-04-22 11:47:12.000000000 -0400
@@ -36,6 +36,7 @@
 	gen_require(`
 		attribute ssh_server;
@ -22065,18 +22108,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	dev_read_urand($1_ssh_t)
 
-@@ -132,6 +132,10 @@
- 	files_read_etc_runtime_files($1_ssh_t)
+@@ -133,6 +133,8 @@
 	files_read_etc_files($1_ssh_t)
 	files_read_var_files($1_ssh_t)
-+	# Required for FreeNX
-+	files_read_var_lib_symlinks($1_t)
-+
-+	auth_use_nsswitch($1_ssh_t)
 
+	auth_use_nsswitch($1_ssh_t)
+
 	logging_send_syslog_msg($1_ssh_t)
 	logging_read_generic_logs($1_ssh_t)
-@@ -140,9 +144,6 @@
+ 
+@@ -140,9 +142,6 @@
 
 	seutil_read_config($1_ssh_t)
 
@ -22086,7 +22127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	tunable_policy(`read_default_t',`
 		files_list_default($1_ssh_t)
 		files_read_default_files($1_ssh_t)
-@@ -154,14 +155,6 @@
+@@ -154,14 +153,6 @@
 	optional_policy(`
 		kerberos_use($1_ssh_t)
 	')
@ -22101,7 +22142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 #######################################
-@@ -194,13 +187,14 @@
+@@ -194,13 +185,14 @@
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
@ -22117,7 +22158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
 	term_create_pty($1_t,$1_devpts_t)
-@@ -214,6 +208,7 @@
+@@ -214,6 +206,7 @@
 	allow $1_t sshd_key_t:file read_file_perms;
 
 	kernel_read_kernel_sysctls($1_t)
@ -22125,7 +22166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	corenet_all_recvfrom_unlabeled($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
-@@ -229,7 +224,12 @@
+@@ -229,7 +222,12 @@
 	corenet_udp_bind_generic_node($1_t)
 	corenet_tcp_bind_ssh_port($1_t)
 	corenet_tcp_connect_all_ports($1_t)
@ -22138,6 +22179,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	fs_dontaudit_getattr_all_fs($1_t)
 
+@@ -245,6 +243,8 @@
+ 
+ 	files_read_etc_files($1_t)
+ 	files_read_etc_runtime_files($1_t)
+	# Required for FreeNX
+	files_read_var_lib_symlinks($1_t)
+ 
+ 	logging_search_logs($1_t)
+ 
@@ -254,9 +254,14 @@
 
 	userdom_dontaudit_relabelfrom_user_ptys($1_t)
@ -26090,7 +26140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-04-07 16:01:44.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-04-22 14:41:22.000000000 -0400
@@ -1,5 +1,5 @@
 
 -policy_module(ipsec, 1.9.1)
@ -26098,6 +26148,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 ########################################
 #
+@@ -55,7 +55,7 @@
+ 
+ allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+ dontaudit ipsec_t self:capability sys_tty_config;
+-allow ipsec_t self:process { signal setsched };
+allow ipsec_t self:process { getsched signal setsched };
+ allow ipsec_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_t self:udp_socket create_socket_perms;
+ allow ipsec_t self:key_socket create_socket_perms;
+@@ -67,7 +67,7 @@
+ read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
+ 
+ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
+-read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+ read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+ 
+ manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -103,11 +103,13 @@
 corenet_raw_sendrecv_all_nodes(ipsec_t)
 corenet_tcp_sendrecv_all_ports(ipsec_t)
@ -26113,7 +26181,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 
-@@ -167,6 +169,8 @@
+@@ -127,6 +129,8 @@
+ domain_use_interactive_fds(ipsec_t)
+ 
+ files_read_etc_files(ipsec_t)
+files_read_usr_files(ipsec_t)
+files_search_tmp(ipsec_t)
+ 
+ init_use_fds(ipsec_t)
+ init_use_script_ptys(ipsec_t)
+@@ -167,6 +171,8 @@
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
 
@ -26122,7 +26199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 
-@@ -242,8 +246,6 @@
+@@ -242,8 +248,6 @@
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 
@ -26131,7 +26208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(ipsec_mgmt_t)
 
 modutils_domtrans_insmod(ipsec_mgmt_t)
-@@ -298,13 +300,10 @@
+@@ -298,13 +302,10 @@
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -446,6 +446,9 @@ exit 0
 %endif

 %changelog
+* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-12
+- Allow sshd to read var_lib symlinks for freenx
+
 * Tue Apr 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-11
 - Allow nsplugin unix_read and write on users shm and sem
 - Allow sysadm_t to execute su