- Fix /sbin/ip6tables-save context

2009-05-02 11:52:13 +00:00 · 2009-05-02 11:52:13 +00:00 · 5dd89f3819
commit 5dd89f3819
parent 37ebfc9102
3 changed files with 178 additions and 97 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -994,7 +994,7 @@ portmap = module
 # 
 postfix = module
-o# Layer: services
+# Layer: services
 # Module: postgrey
 #
 # email scanner
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -4479,6 +4479,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive sambagui_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2008-11-11 16:13:42.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/screen.fc	2009-05-02 07:46:25.000000000 -0400
@@ -13,3 +13,4 @@
 #
 /var/run/screens?/S-[^/]+	-d	gen_context(system_u:object_r:screen_dir_t,s0)
 /var/run/screens?/S-[^/]+/.*		<<none>>
 +/var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
 --- nsaserefpolicy/policy/modules/apps/screen.if	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/screen.if	2009-05-02 07:49:38.000000000 -0400
@@ -165,3 +165,23 @@
 		nscd_socket_use($1_screen_t)
 	')
 ')
 +
 +########################################
 +## <summary>
 +##	Manage screen var_run files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`screen_manage_var_run',`
 +	gen_require(`
 +		type screen_var_run_t;
 +	')
 +
 +         manage_dirs_pattern($1,screen_var_run_t,screen_var_run_t)
 +         manage_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +         manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
 --- nsaserefpolicy/policy/modules/apps/uml.te	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/uml.te	2009-04-28 11:42:33.000000000 -0400
@ -6039,7 +6074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te	2009-05-01 13:41:10.000000000 -0400
@@ -63,6 +63,15 @@
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@ -6056,7 +6091,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # kvmFS
 #
-@@ -120,6 +129,10 @@
+@@ -100,6 +109,7 @@
 genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
 type proc_xen_t, proc_type;
 +files_mountpoint(proc_xen_t)
 genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
 #
@@ -120,6 +130,10 @@
 type sysctl_rpc_t, sysctl_type;
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
@ -6067,7 +6110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # /proc/sys/fs directory and files
 type sysctl_fs_t, sysctl_type;
 files_mountpoint(sysctl_fs_t)
-@@ -160,6 +173,7 @@
+@@ -160,6 +174,7 @@
 #
 type unlabeled_t;
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@ -6075,7 +6118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -198,6 +212,8 @@
+@@ -198,6 +213,8 @@
 allow kernel_t self:sock_file read_sock_file_perms;
 allow kernel_t self:fd use;
@ -6084,7 +6127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow kernel_t proc_t:dir list_dir_perms;
 allow kernel_t proc_t:file read_file_perms;
 allow kernel_t proc_t:lnk_file read_lnk_file_perms;
-@@ -248,7 +264,8 @@
+@@ -248,7 +265,8 @@
 selinux_load_policy(kernel_t)
@ -6094,7 +6137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-@@ -262,6 +279,8 @@
+@@ -262,6 +280,8 @@
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
@ -6103,7 +6146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 mcs_process_set_categories(kernel_t)
-@@ -269,12 +288,18 @@
+@@ -269,12 +289,18 @@
 mls_process_write_down(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t) 
@ -6122,7 +6165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`read_default_t',`
 	files_list_default(kernel_t)
 	files_read_default_files(kernel_t)
-@@ -356,7 +381,11 @@
+@@ -356,7 +382,11 @@
 ')
 optional_policy(`
@ -6135,7 +6178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -388,3 +417,7 @@
+@@ -388,3 +418,7 @@
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
 allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
@ -6257,37 +6300,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-05-02 07:50:07.000000000 -0400
-@@ -15,156 +15,90 @@
+@@ -15,156 +15,95 @@
 # Local policy
 #
 -optional_policy(`
 -	apache_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	auth_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	auditadm_role_change(staff_r)
 -')
 +kernel_read_ring_buffer(staff_t)
 +kernel_getattr_core_if(staff_t)
 +kernel_getattr_message_if(staff_t)
 +kernel_read_software_raid_state(staff_t)
 -optional_policy(`
-	bluetooth_role(staff_r, staff_t)
+-	auth_role(staff_r, staff_t)
 -')
 +auth_domtrans_pam_console(staff_t)
 -optional_policy(`
-	cdrecord_role(staff_r, staff_t)
+-	auditadm_role_change(staff_r)
 -')
 +libs_manage_shared_libs(staff_t)
 -optional_policy(`
 -	bluetooth_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	cdrecord_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	cron_role(staff_r, staff_t)
 -')
@ -6295,10 +6338,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	dbus_role_template(staff, staff_r, staff_t)
 -')
-+seutil_run_newrole(staff_t, staff_r)
+-
-+netutils_run_ping(staff_t, staff_r)
+-optional_policy(`
 optional_policy(`
 -	ethereal_role(staff_r, staff_t)
 -')
 -
@ -6317,8 +6358,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	gnome_role(staff_r, staff_t)
 -')
-
+seutil_run_newrole(staff_t, staff_r)
-optional_policy(`
+netutils_run_ping(staff_t, staff_r)
 optional_policy(`
 -	gpg_role(staff_r, staff_t)
 -')
 -
@ -6332,122 +6375,123 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -optional_policy(`
 -	lockdev_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	lpd_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	mozilla_role(staff_r, staff_t)
 +	sudo_role_template(staff, staff_r, staff_t)
 ')
 optional_policy(`
-	mplayer_role(staff_r, staff_t)
+-	lpd_role(staff_r, staff_t)
 +	auditadm_role_change(staff_r)
 ')
 optional_policy(`
-	mta_role(staff_r, staff_t)
+-	mozilla_role(staff_r, staff_t)
 +	kerneloops_manage_tmp_files(staff_t)
 ')
 optional_policy(`
 -	mplayer_role(staff_r, staff_t)
 +	logadm_role_change(staff_r)
 ')
 optional_policy(`
 -	mta_role(staff_r, staff_t)
 +	secadm_role_change(staff_r)
 ')
 optional_policy(`
 -	oident_manage_user_content(staff_t)
 -	oident_relabel_user_content(staff_t)
 +	logadm_role_change(staff_r)
 ')
 optional_policy(`
 -	pyzor_role(staff_r, staff_t)
 +	secadm_role_change(staff_r)
 ')
 optional_policy(`
 -	razor_role(staff_r, staff_t)
 +	ssh_role_template(staff, staff_r, staff_t)
 ')
 optional_policy(`
-	rssh_role(staff_r, staff_t)
+-	pyzor_role(staff_r, staff_t)
 +	sysadm_role_change(staff_r)
 ')
 optional_policy(`
-	screen_role_template(staff, staff_r, staff_t)
+-	razor_role(staff_r, staff_t)
 +	usernetctl_run(staff_t, staff_r)
 ')
 optional_policy(`
-	secadm_role_change(staff_r)
+-	rssh_role(staff_r, staff_t)
 +	unconfined_role_change(staff_r)
 ')
 optional_policy(`
-	spamassassin_role(staff_r, staff_t)
+-	screen_role_template(staff, staff_r, staff_t)
 +	webadm_role_change(staff_r)
 ')
 -optional_policy(`
-	ssh_role_template(staff, staff_r, staff_t)
+-	secadm_role_change(staff_r)
 -')
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
 -optional_policy(`
-	su_role_template(staff, staff_r, staff_t)
+-	spamassassin_role(staff_r, staff_t)
 -')
 +files_read_kernel_modules(staff_t)
 -optional_policy(`
-	sudo_role_template(staff, staff_r, staff_t)
+-	ssh_role_template(staff, staff_r, staff_t)
 -')
 +kernel_read_fs_sysctls(staff_t)
 -optional_policy(`
-	sysadm_role_change(staff_r)
+-	su_role_template(staff, staff_r, staff_t)
 -	userdom_dontaudit_use_user_terminals(staff_t)
 -')
 +modutils_read_module_config(staff_t)
 +modutils_read_module_deps(staff_t)
 -optional_policy(`
-	thunderbird_role(staff_r, staff_t)
+-	sudo_role_template(staff, staff_r, staff_t)
 -')
 +miscfiles_read_hwdata(staff_t)
 -optional_policy(`
-	tvtime_role(staff_r, staff_t)
+-	sysadm_role_change(staff_r)
 -	userdom_dontaudit_use_user_terminals(staff_t)
 -')
 +term_use_unallocated_ttys(staff_t)
 optional_policy(`
-	uml_role(staff_r, staff_t)
+-	thunderbird_role(staff_r, staff_t)
 +	gnomeclock_dbus_chat(staff_t)
 ')
 optional_policy(`
-	userhelper_role_template(staff, staff_r, staff_t)
+-	tvtime_role(staff_r, staff_t)
 +	kerneloops_dbus_chat(staff_t)
 ')
 optional_policy(`
-	vmware_role(staff_r, staff_t)
+-	uml_role(staff_r, staff_t)
 +	rpm_dbus_chat(staff_usertype)
 ')
 optional_policy(`
-	wireshark_role(staff_r, staff_t)
+-	userhelper_role_template(staff, staff_r, staff_t)
 +	screen_manage_var_run(staff_t)
 ')
 optional_policy(`
 -	vmware_role(staff_r, staff_t)
 +	setroubleshoot_stream_connect(staff_t)
 +	setroubleshoot_dbus_chat(staff_t)
 ')
 optional_policy(`
-	xserver_role(staff_r, staff_t)
+-	wireshark_role(staff_r, staff_t)
 +	virt_stream_connect(staff_t)
 ')
 -optional_policy(`
 -	xserver_role(staff_r, staff_t)
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if
 --- nsaserefpolicy/policy/modules/roles/sysadm.if	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if	2009-04-23 09:44:57.000000000 -0400
@ -12280,7 +12324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/DeviceKit-disk(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if	2009-05-02 07:48:49.000000000 -0400
@@ -0,0 +1,197 @@
 +
 +## <summary>policy for devicekit</summary>
@ -13432,8 +13476,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/libexec/fprintd	--	gen_context(system_u:object_r:fprintd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if
 --- nsaserefpolicy/policy/modules/services/fprintd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if	2009-04-28 15:26:38.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if	2009-05-01 09:45:48.000000000 -0400
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,42 @@
 +
 +## <summary>policy for fprintd</summary>
 +
@ -13456,6 +13500,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	domtrans_pattern($1,fprintd_exec_t,fprintd_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Send and receive messages from
 +##	fprintd over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fprintd_dbus_chat',`
 +	gen_require(`
 +		type fprintd_t;
 +		class dbus send_msg;
 +	')
 +
 +	allow $1 fprintd_t:dbus send_msg;
 +	allow fprintd_t $1:dbus send_msg;
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-04-29 10:10:42.000000000 -0400
@ -14625,7 +14689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.12/policy/modules/services/kerneloops.te
 --- nsaserefpolicy/policy/modules/services/kerneloops.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te	2009-05-01 13:21:26.000000000 -0400
@@ -13,6 +13,9 @@
 type kerneloops_initrc_exec_t;
 init_script_file(kerneloops_initrc_exec_t)
@ -14636,13 +14700,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # kerneloops local policy
-@@ -23,8 +26,13 @@
+@@ -21,10 +24,14 @@
 allow kerneloops_t self:capability sys_nice;
 allow kerneloops_t self:process { setsched getsched signal };
 allow kerneloops_t self:fifo_file rw_file_perms;
- allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
+-allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
- 
+
 +manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
 +files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)
-+
+ 
 kernel_read_ring_buffer(kerneloops_t)
 +fs_list_inotifyfs(kerneloops_t)
@ -14650,9 +14716,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Init script handling
 domain_use_interactive_fds(kerneloops_t)
-@@ -46,6 +54,5 @@
+@@ -38,14 +45,13 @@
 sysnet_dns_name_resolve(kerneloops_t)
 files_read_etc_files(kerneloops_t)
 +auth_use_nsswitch(kerneloops_t)
 +
 logging_send_syslog_msg(kerneloops_t)
 logging_read_generic_logs(kerneloops_t)
 miscfiles_read_localization(kerneloops_t)
 -sysnet_dns_name_resolve(kerneloops_t)
 -
 optional_policy(`
 -	dbus_system_bus_client(kerneloops_t)
 -	dbus_connect_system_bus(kerneloops_t)
@ -25914,7 +25990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-05-01 09:46:46.000000000 -0400
@@ -43,20 +43,38 @@
 interface(`auth_login_pgm_domain',`
 	gen_require(`
@ -25962,7 +26038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	init_rw_utmp($1)
-@@ -100,11 +119,40 @@
+@@ -100,9 +119,42 @@
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
@ -25975,16 +26051,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	optional_policy(`
 +		afs_rw_udp_sockets($1)
-+	')
+ 	')
 +
 +	optional_policy(`
 +		dbus_system_bus_client($1)
 +		optional_policy(`
 +			oddjob_dbus_chat($1)
 +			oddjob_domtrans_mkhomedir($1)
- 	')
+	')
- ')
+')
- 
+
 +	optional_policy(`
 +		corecmd_exec_bin($1)
 +		storage_getattr_fixed_disk_dev($1)
@ -25992,6 +26068,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +
 +	optional_policy(`
 +		fprintd_dbus_chat($1)
 +	')
 +
 +	optional_policy(`
 +		nis_authenticate($1)
 +	')
 +
@ -26000,12 +26080,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		userdom_read_user_home_content_files($1)
 +	')
 +
-+')
+ ')
-+
+ 
 ########################################
- ## <summary>
+@@ -197,8 +249,11 @@
 ##	Use the login program as an entry point program.
@@ -197,8 +245,11 @@
 interface(`auth_domtrans_chk_passwd',`
 	gen_require(`
 		type chkpwd_t, chkpwd_exec_t, shadow_t;
@ -26017,7 +26095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	corecmd_search_bin($1)
 	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
-@@ -207,19 +258,16 @@
+@@ -207,19 +262,16 @@
 	dev_read_rand($1)
 	dev_read_urand($1)
@ -26042,7 +26120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	optional_policy(`
-@@ -230,6 +278,29 @@
+@@ -230,6 +282,29 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
@ -26072,7 +26150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -254,6 +325,7 @@
+@@ -254,6 +329,7 @@
 	auth_domtrans_chk_passwd($1)
 	role $2 types chkpwd_t;
@ -26080,7 +26158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -650,7 +722,7 @@
+@@ -650,7 +726,7 @@
 ########################################
 ## <summary>
@ -26089,7 +26167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1031,6 +1103,32 @@
+@@ -1031,6 +1107,32 @@
 ########################################
 ## <summary>
@ -26122,7 +26200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Manage all files on the filesystem, except
 ##	the shadow passwords and listed exceptions.
 ## </summary>
-@@ -1297,6 +1395,14 @@
+@@ -1297,6 +1399,14 @@
 	')
 	optional_policy(`
@ -26137,7 +26215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		nis_use_ypbind($1)
 	')
-@@ -1305,8 +1411,13 @@
+@@ -1305,8 +1415,13 @@
 	')
 	optional_policy(`
@ -26151,7 +26229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -1341,3 +1452,99 @@
+@@ -1341,3 +1456,99 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -27102,9 +27180,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_read_urand(racoon_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc	2009-04-30 08:29:56.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc	2009-04-30 18:57:54.000000000 -0400
-@@ -1,9 +1,11 @@
+@@ -1,9 +1,10 @@
- /sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 -/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -480,6 +480,9 @@ exit 0
 %endif
 %changelog
 * Fri May 1 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-27
 - Fix /sbin/ip6tables-save context
 * Thu Apr 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-26
 - Add shorewall policy