- Add wm policy

- Make mls work in graphics mode

policy-20090105.patch

@@ -22565,7 +22565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-21 14:02:11.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-21 16:14:47.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -23034,7 +23034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +817,12 @@
+@@ -697,8 +817,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -23043,11 +23043,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mls_xwin_read_to_clearance(xserver_t)
 +mls_process_write_to_clearance(xserver_t)
-+mls_file_write_to_clearance(xserver_t)
++mls_file_read_to_clearance(xserver_t)
++mls_file_write_all_levels(xserver_t)
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -720,6 +844,7 @@
+@@ -720,6 +845,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -23055,7 +23056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -774,6 +899,10 @@
+@@ -774,6 +900,10 @@
  ')
  
  optional_policy(`
@@ -23066,7 +23067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rhgb_getpgid(xserver_t)
  	rhgb_signal(xserver_t)
  ')
-@@ -806,7 +935,7 @@
+@@ -806,7 +936,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -23075,7 +23076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +959,10 @@
+@@ -830,6 +960,10 @@
  
  xserver_use_user_fonts(xserver_t)
  
@@ -23086,7 +23087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +977,14 @@
+@@ -844,11 +978,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -23102,7 +23103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -856,6 +992,11 @@
+@@ -856,6 +993,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -23114,7 +23115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Rules common to all X window domains
-@@ -972,6 +1113,37 @@
+@@ -972,6 +1114,37 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -23152,7 +23153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ifdef(`TODO',`
  tunable_policy(`allow_polyinstantiation',`
  # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1158,13 @@
+@@ -986,3 +1159,13 @@
  #
  allow xdm_t user_home_type:file unlink;
  ') dnl end TODO
@@ -23783,7 +23784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.if	2009-01-20 14:42:59.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/init.if	2009-01-21 16:19:55.000000000 -0500
 @@ -280,6 +280,27 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -23812,6 +23813,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
+@@ -546,7 +567,7 @@
+ 
+ 		# upstart uses a datagram socket instead of initctl pipe
+ 		allow $1 self:unix_dgram_socket create_socket_perms;
+-		allow $1 init_t:unix_dgram_socket sendto;
++		init_chat($1)
+ 	')
+ ')
+ 
 @@ -619,18 +640,19 @@
  #
  interface(`init_spec_domtrans_script',`
@@ -27350,7 +27360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-21 15:37:07.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-21 16:19:30.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  

selinux-policy.spec

@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -445,8 +445,9 @@ exit 0
 %endif
 
 %changelog
-* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-4
+* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-5
 - Add wm policy
+- Make mls work in graphics mode
 
 * Tue Jan 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-3
 - Fixed for DeviceKit