Merge branches 'master', 'master', 'master', 'master', 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

2010-12-13 15:17:39 -05:00 · 2010-12-13 15:17:39 -05:00 · 4a0ad934f5
parent acc2557fca 3c0b9eac8c
commit 4a0ad934f5
4 changed files with 296 additions and 140 deletions
--- a/modules-mls.conf
+++ b/modules-mls.conf
@ -1496,6 +1496,13 @@ su = base
 # 
 sudo = base

+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+# 
+systemd = module
+
 # Layer: system
 # Module: sysnetwork
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1705,6 +1705,13 @@ su = base
 # 
 sudo = base

+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+# 
+systemd = module
+
 # Layer: system
 # Module: sysnetwork
 #
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -3590,7 +3590,7 @@ index 4f9dc90..8dc8a5f 100644
 +	relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
 ')
 diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
-index 66beb80..b7c6502 100644
+index 66beb80..52db7eb 100644
 --- a/policy/modules/apps/irc.te
 +++ b/policy/modules/apps/irc.te
@@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t)
@ -3624,7 +3624,7 @@ index 66beb80..b7c6502 100644
 # Local policy
 #
 
-@@ -101,3 +125,83 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -101,3 +125,76 @@ tunable_policy(`use_samba_home_dirs',`
 optional_policy(`
 	nis_use_ypbind(irc_t)
 ')
@ -3636,7 +3636,6 @@ index 66beb80..b7c6502 100644
 +
 +allow irssi_t self:process { signal sigkill };
 +allow irssi_t self:fifo_file rw_fifo_file_perms;
-+allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
 +allow irssi_t self:tcp_socket create_stream_socket_perms;
 +allow irssi_t self:udp_socket create_socket_perms;
 +
@ -3664,7 +3663,6 @@ index 66beb80..b7c6502 100644
 +corenet_tcp_sendrecv_generic_node(irssi_t)
 +corenet_tcp_sendrecv_generic_port(irssi_t)
 +corenet_tcp_bind_generic_node(irssi_t)
-+corenet_udp_bind_generic_node(irssi_t)
 +
 +dev_read_urand(irssi_t)
 +# irssi-otr genkey.
@ -3675,9 +3673,9 @@ index 66beb80..b7c6502 100644
 +
 +fs_search_auto_mountpoints(irssi_t)
 +
-+miscfiles_read_localization(irssi_t)
+auth_use_nsswitch(irssi_t)
 +
-+sysnet_read_config(irssi_t)
+miscfiles_read_localization(irssi_t)
 +
 +userdom_use_user_terminals(irssi_t)
 +
@ -3703,11 +3701,6 @@ index 66beb80..b7c6502 100644
 +optional_policy(`
 +	automount_dontaudit_getattr_tmp_dirs(irssi_t)
 +')
-+
-+optional_policy(`
-+	nis_use_ypbind(irssi_t)
-+')
-+
 diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
 index 86c1768..cd76e6a 100644
 --- a/policy/modules/apps/java.fc
@ -4182,7 +4175,7 @@ index 9a6d67d..b0c1197 100644
 ##	mozilla over dbus.
 ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..1aa992d 100644
+index cbf4bec..e3517da 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2)
@ -4264,7 +4257,7 @@ index cbf4bec..1aa992d 100644
 	pulseaudio_exec(mozilla_t)
 	pulseaudio_stream_connect(mozilla_t)
 	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,145 @@ optional_policy(`
+@@ -266,3 +291,149 @@ optional_policy(`
 optional_policy(`
 	thunderbird_domtrans(mozilla_t)
 ')
@ -4273,6 +4266,9 @@ index cbf4bec..1aa992d 100644
 +#
 +# mozilla_plugin local policy
 +#
+
+dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+
 +allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
@ -4361,6 +4357,7 @@ index cbf4bec..1aa992d 100644
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config(mozilla_plugin_t)
@ -7789,7 +7786,7 @@ index 9e5c83e..953e0e8 100644
 +/lib/udev/devices/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index b06df19..f20833d 100644
+index b06df19..c0763c2 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
@@ -86,6 +86,33 @@ interface(`corenet_rpc_port',`
@ -7841,6 +7838,37 @@ index b06df19..f20833d 100644
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
 	# older systems
+@@ -2503,6 +2535,30 @@ interface(`corenet_all_recvfrom_netlabel',`
+ 
+ ########################################
+ ## <summary>
+##	Enable unlabeled net packets
+## </summary>
+## <desc>
+##	<p>
+##	Allow unlabeled_packet_t to be used by all domains that use the network
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_enable_unlabeled_packets',`
+	gen_require(`
+		attribute corenet_unlabeled_type;
+	')
+
+	kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
+')
+
+########################################
+## <summary>
+ ##	Do not audit attempts to receive packets from an unlabeled connection.
+ ## </summary>
+ ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
 index 36ba519..e2d8b49 100644
 --- a/policy/modules/kernel/corenetwork.te.in
@ -8088,9 +8116,20 @@ index 3b2da10..7c29e17 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 15a7bef..80ad190 100644
+index 15a7bef..ee7727f 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
+@@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',`
+ 	relabelfrom_dirs_pattern($1, device_t, device_node)
+ 	relabelfrom_files_pattern($1, device_t, device_node)
+ 	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
+-	relabelfrom_fifo_files_pattern($1, device_t, device_node)
+-	relabelfrom_sock_files_pattern($1, device_t, device_node)
+	relabel_fifo_files_pattern($1, device_t,  { device_t device_node })
+	relabel_sock_files_pattern($1, device_t, { device_t device_node })
+ 	relabel_blk_files_pattern($1, device_t, { device_t device_node })
+ 	relabel_chr_files_pattern($1, device_t, { device_t device_node })
+ ')
@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
 
 ########################################
@ -10974,17 +11013,13 @@ index 0000000..0ce0470
 +## <summary> Policy for allowing confined domains to use unlabeled_t packets</summary>
 diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
 new file mode 100644
-index 0000000..571c3b9
+index 0000000..e1ebd1a
 --- /dev/null
 +++ b/policy/modules/kernel/unlabelednet.te
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,3 @@
 +policy_module(unlabelednet, 1.0)
 +
-+gen_require(`
-+	attribute corenet_unlabeled_type;
-+')
-+
-+kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
+corenet_enable_unlabeled_packets()
 diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
 index b0d5b27..a96f2e6 100644
 --- a/policy/modules/roles/auditadm.te
@ -16762,13 +16797,15 @@ index 7a6e5ba..d664be8 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 1a65b5e..e08bbdb 100644
+index 1a65b5e..ec0594e 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
-@@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t)
+@@ -23,7 +23,8 @@ files_type(certmonger_var_lib_t)
+ # certmonger local policy
 #
 
- allow certmonger_t self:capability { kill sys_nice };
+-allow certmonger_t self:capability { kill sys_nice };
+allow certmonger_t self:capability { dac_override dac_read_search kill sys_nice };
 +dontaudit certmonger_t self:capability sys_tty_config;
 allow certmonger_t self:process { getsched setsched sigkill };
 allow certmonger_t self:fifo_file rw_file_perms;
@ -19796,7 +19833,7 @@ index 418a5a0..28d9e41 100644
 /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..6149a45 100644
+index f706b99..20efe4a 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@ -19811,7 +19848,7 @@ index f706b99..6149a45 100644
 ## </param>
 #
 interface(`devicekit_domtrans',`
-@@ -118,6 +118,82 @@ interface(`devicekit_dbus_chat_power',`
+@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',`
 	allow devicekit_power_t $1:dbus send_msg;
 ')
 
@ -19845,31 +19882,12 @@ index f706b99..6149a45 100644
 +##  </summary>
 +## </param>
 +#
-+interface(`devicekit_dontaudit_write_log',`
+interface(`devicekit_dontaudit_rw_log',`
 +	gen_require(`
 +		type devicekit_var_log_t;
 +	')
 +
-+	dontaudit $1 devicekit_var_log_t:file { write };
-+')
-+
-+######################################
-+## <summary>
-+##  Do not audit attempts to read and write the devicekit
-+##  log files.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain to not audit.
-+##  </summary>
-+## </param>
-+#
-+interface(`devicekit_dontaudit_rw_log',`
-+    gen_require(`
-+        type devicekit_var_log_t;
-+    ')
-+
-+    dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
+	dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
 +')
 +
 +########################################
@ -19894,7 +19912,7 @@ index f706b99..6149a45 100644
 ########################################
 ## <summary>
 ##	Read devicekit PID files.
-@@ -139,22 +215,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',`
 
 ########################################
 ## <summary>
@ -19954,7 +19972,7 @@ index f706b99..6149a45 100644
 ##	</summary>
 ## </param>
 ## <rolecap/>
-@@ -165,21 +271,22 @@ interface(`devicekit_admin',`
+@@ -165,21 +252,22 @@ interface(`devicekit_admin',`
 		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
 	')
 
@ -21047,7 +21065,7 @@ index e1d7dc5..673f185 100644
 	admin_pattern($1, dovecot_var_run_t)
 
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..2cc1082 100644
+index cbe14e4..e8f3b0e 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@ -21069,9 +21087,12 @@ index cbe14e4..2cc1082 100644
 type dovecot_etc_t;
 files_config_file(dovecot_etc_t)
 
-@@ -58,7 +61,7 @@ files_pid_file(dovecot_var_run_t)
+@@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t)
+ # dovecot local policy
+ #
 
- allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+-allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
 -allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
 +allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
@ -28687,7 +28708,7 @@ index 9759ed8..07dd3ff 100644
 	admin_pattern($1, plymouthd_var_run_t)
 ')
 diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index fb8dc84..799f374 100644
+index fb8dc84..cf0e3d1 100644
 --- a/policy/modules/services/plymouthd.te
 +++ b/policy/modules/services/plymouthd.te
@@ -60,10 +60,18 @@ domain_use_interactive_fds(plymouthd_t)
@ -28717,7 +28738,15 @@ index fb8dc84..799f374 100644
 
 domain_use_interactive_fds(plymouth_t)
 
-@@ -87,7 +96,7 @@ sysnet_read_config(plymouth_t)
+@@ -81,13 +90,15 @@ files_read_etc_files(plymouth_t)
+ 
+ term_use_ptmx(plymouth_t)
+ 
+logging_delete_generic_logs(plymouth_t)
+
+ miscfiles_read_localization(plymouth_t)
+ 
+ sysnet_read_config(plymouth_t)
 
 plymouthd_stream_connect(plymouth_t)
 
@ -28887,7 +28916,7 @@ index 48ff1e8..13cdc77 100644
 +	allow $1 policykit_auth_t:process signal;
 ')
 diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..7385ecf 100644
+index 1e7169d..05409ab 100644
 --- a/policy/modules/services/policykit.te
 +++ b/policy/modules/services/policykit.te
@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
@ -29011,7 +29040,7 @@ index 1e7169d..7385ecf 100644
 +fs_search_tmpfs(polkit_auth_t)
 
 auth_use_nsswitch(policykit_auth_t)
-+auth_read_var_auth(policykit_auth_t)
+auth_rw_var_auth(policykit_auth_t)
 +auth_domtrans_chk_passwd(policykit_auth_t)
 
 logging_send_syslog_msg(policykit_auth_t)
@ -40653,7 +40682,7 @@ index 1c4b1e7..ffa4134 100644
 /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..ceadd00 100644
+index bea0ade..716da1d 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@ -40855,7 +40884,7 @@ index bea0ade..ceadd00 100644
 #######################################
 ## <summary>
 ##	Read the last logins log.
-@@ -874,6 +969,26 @@ interface(`auth_exec_pam',`
+@@ -874,6 +969,46 @@ interface(`auth_exec_pam',`
 
 ########################################
 ## <summary>
@ -40877,12 +40906,32 @@ index bea0ade..ceadd00 100644
 +	read_files_pattern($1, var_auth_t, var_auth_t)
 +')
 +
+#######################################
+## <summary>
+##  Read and write var auth files. Used by various other applications
+##  and pam applets etc.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`auth_rw_var_auth',`
+    gen_require(`
+        type var_auth_t;
+    ')
+
+    files_search_var($1)
+    rw_files_pattern($1, var_auth_t, var_auth_t)
+')
+
 +########################################
 +## <summary>
 ##	Manage var auth files. Used by various other applications
 ##	and pam applets etc.
 ## </summary>
-@@ -896,6 +1011,26 @@ interface(`auth_manage_var_auth',`
+@@ -896,6 +1031,26 @@ interface(`auth_manage_var_auth',`
 
 ########################################
 ## <summary>
@ -40909,7 +40958,7 @@ index bea0ade..ceadd00 100644
 ##	Read PAM PID files.
 ## </summary>
 ## <param name="domain">
-@@ -1093,6 +1228,24 @@ interface(`auth_delete_pam_console_data',`
+@@ -1093,6 +1248,24 @@ interface(`auth_delete_pam_console_data',`
 
 ########################################
 ## <summary>
@ -40934,7 +40983,7 @@ index bea0ade..ceadd00 100644
 ##	Read all directories on the filesystem, except
 ##	the shadow passwords and listed exceptions.
 ## </summary>
-@@ -1326,6 +1479,25 @@ interface(`auth_setattr_login_records',`
+@@ -1326,6 +1499,25 @@ interface(`auth_setattr_login_records',`
 
 ########################################
 ## <summary>
@ -40960,7 +41009,7 @@ index bea0ade..ceadd00 100644
 ##	Read login records files (/var/log/wtmp).
 ## </summary>
 ## <param name="domain">
-@@ -1500,6 +1672,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1692,8 @@ interface(`auth_manage_login_records',`
 #
 interface(`auth_use_nsswitch',`
 
@ -40969,7 +41018,7 @@ index bea0ade..ceadd00 100644
 	files_list_var_lib($1)
 
 	# read /etc/nsswitch.conf
-@@ -1531,7 +1705,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1725,15 @@ interface(`auth_use_nsswitch',`
 	')
 
 	optional_policy(`
@ -41225,7 +41274,7 @@ index a97a096..dd65c15 100644
 /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..6b50255 100644
+index a442acc..949f5ff 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@ -41277,7 +41326,7 @@ index a442acc..6b50255 100644
 
 optional_policy(`
 +	devicekit_dontaudit_read_pid_files(fsadm_t)
-+	devicekit_dontaudit_write_log(fsadm_t)
+	devicekit_dontaudit_rw_log(fsadm_t)
 +')
 +
 +optional_policy(`
@ -41375,10 +41424,51 @@ index 9775375..41a244a 100644
 #
 # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index df3fa64..cbc34e2 100644
+index df3fa64..473d2b4 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -105,7 +105,11 @@ interface(`init_domain',`
+@@ -79,6 +79,40 @@ interface(`init_script_domain',`
+ 	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+ ')
+ 
+
+#######################################
+## <summary>
+##  Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Type to be used as a domain.
+##  </summary>
+## </param>
+## <param name="entry_point">
+##  <summary>
+##  Type of the program to be used as an entry point to this domain.
+##  </summary>
+## </param>
+#
+interface(`init_systemd_domain',`
+    gen_require(`
+        type init_t;
+        role system_r;
+    ')
+
+    domain_type($1)
+    domain_entry_file($1,$2)
+
+    role system_r types $1;
+
+    tunable_policy(`init_systemd',`
+        domtrans_pattern(init_t,$2,$1)
+        allow init_t $1:unix_stream_socket create_stream_socket_perms;
+        allow $1 init_t:unix_dgram_socket sendto;
+    ')
+')
+
+ ########################################
+ ## <summary>
+ ##	Create a domain which can be started by init.
+@@ -105,7 +139,11 @@ interface(`init_domain',`
 
 	role system_r types $1;
 
@ -41391,7 +41481,7 @@ index df3fa64..cbc34e2 100644
 
 	ifdef(`hide_broken_symptoms',`
 		# RHEL4 systems seem to have a stray
-@@ -193,8 +197,10 @@ interface(`init_daemon_domain',`
+@@ -193,8 +231,10 @@ interface(`init_daemon_domain',`
 	gen_require(`
 		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
@ -41402,7 +41492,7 @@ index df3fa64..cbc34e2 100644
 	')
 
 	typeattribute $1 daemon;
-@@ -205,6 +211,21 @@ interface(`init_daemon_domain',`
+@@ -205,6 +245,21 @@ interface(`init_daemon_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(initrc_t,$2,$1)
@ -41424,7 +41514,7 @@ index df3fa64..cbc34e2 100644
 
 	# daemons started from init will
 	# inherit fds from init for the console
-@@ -283,17 +304,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +338,20 @@ interface(`init_daemon_domain',`
 interface(`init_ranged_daemon_domain',`
 	gen_require(`
 		type initrc_t;
@ -41446,7 +41536,7 @@ index df3fa64..cbc34e2 100644
 	')
 ')
 
-@@ -336,8 +360,10 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,8 +394,10 @@ interface(`init_ranged_daemon_domain',`
 #
 interface(`init_system_domain',`
 	gen_require(`
@ -41457,7 +41547,7 @@ index df3fa64..cbc34e2 100644
 	')
 
 	application_domain($1,$2)
-@@ -345,6 +371,20 @@ interface(`init_system_domain',`
+@@ -345,6 +405,20 @@ interface(`init_system_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(initrc_t,$2,$1)
@ -41478,7 +41568,7 @@ index df3fa64..cbc34e2 100644
 
 	ifdef(`hide_broken_symptoms',`
 		# RHEL4 systems seem to have a stray
-@@ -353,6 +393,37 @@ interface(`init_system_domain',`
+@@ -353,6 +427,37 @@ interface(`init_system_domain',`
 			kernel_dontaudit_use_fds($1)
 		')
 	')
@ -41516,7 +41606,7 @@ index df3fa64..cbc34e2 100644
 ')
 
 ########################################
-@@ -401,16 +472,19 @@ interface(`init_system_domain',`
+@@ -401,16 +506,19 @@ interface(`init_system_domain',`
 interface(`init_ranged_system_domain',`
 	gen_require(`
 		type initrc_t;
@ -41536,7 +41626,7 @@ index df3fa64..cbc34e2 100644
 	')
 ')
 
-@@ -687,19 +761,24 @@ interface(`init_telinit',`
+@@ -687,19 +795,24 @@ interface(`init_telinit',`
 		type initctl_t;
 	')
 
@ -41562,7 +41652,7 @@ index df3fa64..cbc34e2 100644
 	')
 ')
 
-@@ -772,18 +851,19 @@ interface(`init_script_file_entry_type',`
+@@ -772,18 +885,19 @@ interface(`init_script_file_entry_type',`
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
@ -41586,7 +41676,7 @@ index df3fa64..cbc34e2 100644
 	')
 ')
 
-@@ -799,23 +879,45 @@ interface(`init_spec_domtrans_script',`
+@@ -799,19 +913,41 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -41609,11 +41699,11 @@ index df3fa64..cbc34e2 100644
 	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
+	')
+')
+
+########################################
+## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@ -41626,17 +41716,13 @@ index df3fa64..cbc34e2 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
-@@ -867,8 +969,12 @@ interface(`init_script_file_domtrans',`
+ ')
+ 
+ ########################################
+@@ -867,8 +1003,12 @@ interface(`init_script_file_domtrans',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
@ -41649,7 +41735,7 @@ index df3fa64..cbc34e2 100644
 	domtrans_pattern($1, $2, initrc_t)
 	files_search_etc($1)
 ')
-@@ -1129,12 +1235,7 @@ interface(`init_read_script_state',`
+@@ -1129,12 +1269,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
@ -41663,7 +41749,7 @@ index df3fa64..cbc34e2 100644
 ')
 
 ########################################
-@@ -1374,6 +1475,27 @@ interface(`init_dbus_send_script',`
+@@ -1374,6 +1509,27 @@ interface(`init_dbus_send_script',`
 ########################################
 ## <summary>
 ##	Send and receive messages from
@ -41691,7 +41777,7 @@ index df3fa64..cbc34e2 100644
 ##	init scripts over dbus.
 ## </summary>
 ## <param name="domain">
-@@ -1460,6 +1582,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1460,6 +1616,25 @@ interface(`init_getattr_script_status_files',`
 
 ########################################
 ## <summary>
@ -41717,7 +41803,7 @@ index df3fa64..cbc34e2 100644
 ##	Do not audit attempts to read init script
 ##	status files.
 ## </summary>
-@@ -1673,7 +1814,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1673,7 +1848,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
@ -41726,7 +41812,7 @@ index df3fa64..cbc34e2 100644
 ')
 
 ########################################
-@@ -1748,3 +1889,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1748,3 +1923,93 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -41821,7 +41907,7 @@ index df3fa64..cbc34e2 100644
 +	allow $1 init_t:unix_dgram_socket sendto;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..98c1479 100644
+index 8a105fd..2be1d2a 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -41959,7 +42045,7 @@ index 8a105fd..98c1479 100644
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +222,120 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +222,121 @@ tunable_policy(`init_upstart',`
 	sysadm_shell_domtrans(init_t)
 ')
 
@ -41988,6 +42074,7 @@ index 8a105fd..98c1479 100644
 +	dev_write_kmsg(init_t)
 +	dev_write_urand(init_t)
 +	dev_rw_autofs(init_t)
+	dev_create_generic_symlinks(init_t)
 +	dev_manage_generic_dirs(init_t)
 +	dev_manage_generic_files(init_t)
 +	dev_read_generic_chr_files(init_t)
@ -42080,7 +42167,7 @@ index 8a105fd..98c1479 100644
 ')
 
 optional_policy(`
-@@ -199,10 +343,24 @@ optional_policy(`
+@@ -199,10 +344,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42105,7 +42192,7 @@ index 8a105fd..98c1479 100644
 	unconfined_domain(init_t)
 ')
 
-@@ -212,7 +370,7 @@ optional_policy(`
+@@ -212,7 +371,7 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -42114,7 +42201,7 @@ index 8a105fd..98c1479 100644
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -241,12 +399,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +400,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -42129,7 +42216,7 @@ index 8a105fd..98c1479 100644
 
 init_write_initctl(initrc_t)
 
-@@ -258,11 +418,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +419,23 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -42153,7 +42240,7 @@ index 8a105fd..98c1479 100644
 
 corecmd_exec_all_executables(initrc_t)
 
-@@ -291,6 +463,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +464,7 @@ dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
@ -42161,7 +42248,7 @@ index 8a105fd..98c1479 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -298,13 +471,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +472,13 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -42177,7 +42264,7 @@ index 8a105fd..98c1479 100644
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-@@ -323,8 +496,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +497,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -42189,7 +42276,7 @@ index 8a105fd..98c1479 100644
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -340,8 +515,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +516,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -42203,7 +42290,7 @@ index 8a105fd..98c1479 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -351,6 +530,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +531,8 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -42212,7 +42299,7 @@ index 8a105fd..98c1479 100644
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
-@@ -363,6 +544,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +545,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -42220,7 +42307,7 @@ index 8a105fd..98c1479 100644
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -374,6 +556,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +557,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -42228,7 +42315,7 @@ index 8a105fd..98c1479 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -394,13 +577,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +578,14 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -42244,7 +42331,7 @@ index 8a105fd..98c1479 100644
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +657,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +658,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -42253,7 +42340,7 @@ index 8a105fd..98c1479 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -519,6 +703,23 @@ ifdef(`distro_redhat',`
+@@ -519,6 +704,23 @@ ifdef(`distro_redhat',`
 	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
@ -42277,7 +42364,7 @@ index 8a105fd..98c1479 100644
 	')
 
 	optional_policy(`
-@@ -526,10 +727,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +728,17 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -42295,7 +42382,7 @@ index 8a105fd..98c1479 100644
 	')
 
 	optional_policy(`
-@@ -544,6 +752,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +753,35 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -42331,7 +42418,7 @@ index 8a105fd..98c1479 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +793,8 @@ optional_policy(`
+@@ -556,6 +794,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -42340,7 +42427,7 @@ index 8a105fd..98c1479 100644
 ')
 
 optional_policy(`
-@@ -572,6 +811,7 @@ optional_policy(`
+@@ -572,6 +812,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -42348,7 +42435,7 @@ index 8a105fd..98c1479 100644
 ')
 
 optional_policy(`
-@@ -584,6 +824,11 @@ optional_policy(`
+@@ -584,6 +825,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42360,7 +42447,7 @@ index 8a105fd..98c1479 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -600,9 +845,13 @@ optional_policy(`
+@@ -600,9 +846,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -42374,7 +42461,7 @@ index 8a105fd..98c1479 100644
 	')
 
 	optional_policy(`
-@@ -701,7 +950,13 @@ optional_policy(`
+@@ -701,7 +951,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42388,7 +42475,7 @@ index 8a105fd..98c1479 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -724,6 +979,10 @@ optional_policy(`
+@@ -724,6 +980,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42399,7 +42486,7 @@ index 8a105fd..98c1479 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -737,6 +996,10 @@ optional_policy(`
+@@ -737,6 +997,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42410,7 +42497,7 @@ index 8a105fd..98c1479 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -745,6 +1008,10 @@ optional_policy(`
+@@ -745,6 +1009,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42421,7 +42508,7 @@ index 8a105fd..98c1479 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -766,8 +1033,6 @@ optional_policy(`
+@@ -766,8 +1034,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -42430,7 +42517,7 @@ index 8a105fd..98c1479 100644
 ')
 
 optional_policy(`
-@@ -776,14 +1041,21 @@ optional_policy(`
+@@ -776,14 +1042,21 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42452,7 +42539,7 @@ index 8a105fd..98c1479 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1077,19 @@ optional_policy(`
+@@ -805,11 +1078,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -42473,7 +42560,7 @@ index 8a105fd..98c1479 100644
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1099,25 @@ optional_policy(`
+@@ -819,6 +1100,25 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -42499,7 +42586,7 @@ index 8a105fd..98c1479 100644
 ')
 
 optional_policy(`
-@@ -844,3 +1143,59 @@ optional_policy(`
+@@ -844,3 +1144,59 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -43054,7 +43141,7 @@ index 1d1c399..67d0dec 100644
 +	tgtd_manage_semaphores(iscsid_t)
 ')
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 9df8c4d..8d1d7fa 100644
+index 9df8c4d..010ec0e 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
@ -43092,14 +43179,18 @@ index 9df8c4d..8d1d7fa 100644
 /usr/lib(64)?/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/win32/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,6 +151,7 @@ ifdef(`distro_redhat',`
+@@ -151,9 +151,10 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
 /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -43608,7 +43699,7 @@ index 571599b..17dd196 100644
 +
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index c7cfb62..f32290a 100644
+index c7cfb62..620e0a4 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
@ -43711,7 +43802,33 @@ index c7cfb62..f32290a 100644
 ')
 
 ########################################
-@@ -996,6 +1071,8 @@ interface(`logging_admin_syslog',`
+@@ -824,6 +899,25 @@ interface(`logging_read_generic_logs',`
+ 
+ ########################################
+ ## <summary>
+##	Delete generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_delete_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	allow $1 var_log_t:file unlink;
+')
+
+########################################
+## <summary>
+ ##	Write generic log files.
+ ## </summary>
+ ## <param name="domain">
+@@ -996,6 +1090,8 @@ interface(`logging_admin_syslog',`
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 
 	logging_manage_all_logs($1)
@ -44035,6 +44152,19 @@ index 86ef2da..a251276 100644
 	modutils_domtrans_insmod(lvm_t)
 ')
 
+diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
+index 172287e..2683ce9 100644
+--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
+@@ -9,7 +9,7 @@ ifdef(`distro_gentoo',`
+ # /etc
+ #
+ /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
+-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias(/.*)?	        gen_context(system_u:object_r:cert_t,s0)
+ /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
+ /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+ /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
 index 926ba65..1dfa62a 100644
 --- a/policy/modules/system/miscfiles.if
@ -46306,12 +46436,12 @@ index 0000000..5f0352b
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..e974e97
+index 0000000..17052b8
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,94 @@
 +
-+policy_module(systemd, 1.0)
+policy_module(systemd, 1.0.0)
 +
 +#######################################
 +#
@ -46320,6 +46450,7 @@ index 0000000..e974e97
 +
 +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
 +# systemd components
+
 +type systemd_passwd_agent_t;
 +type systemd_passwd_agent_exec_t;
 +init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
@ -46329,9 +46460,7 @@ index 0000000..e974e97
 +# domain for systemd-tmpfiles component
 +type systemd_tmpfiles_t;
 +type systemd_tmpfiles_exec_t;
-+init_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
-+#application_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
-+#role system_r types systemd_tmpfiles_t;
+init_systemd_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 +
 +permissive systemd_tmpfiles_t;
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.10
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,19 @@ exit 0
 %endif

 %changelog
+* Mon Dec 13 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-11
+- Turn on systemd policy
+- mozilla_plugin needs to read certs in the homedir.
+- Dontaudit leaked file descriptors from devicekit
+- Fix ircssi to use auth_use_nsswitch
+- Change to use interface without param in corenet to disable unlabelednet packets
+- Allow init to relabel sockets and fifo files in /dev
+- certmonger needs dac* capabilities to manage cert files not owned by root
+- dovecot needs fsetid to change group membership on mail
+- plymouthd removes /var/log/boot.log
+- systemd is creating symlinks in /dev
+- Change label on /etc/httpd/alias to be all cert_t
+
 * Fri Dec 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-10
 - Fixes for clamscan and boinc policy
 - Add boinc_project_t setpgid