- Fix xserver_dontaudit_read_xdm_pid

- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t - Allow readahead to manage readahead pid dirs - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs
2011-01-27 18:13:11 +00:00 · 2011-01-27 18:13:11 +00:00 · 73e5debe55
parent 3c70739f2c
commit 73e5debe55
2 changed files with 165 additions and 65 deletions
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -1218,7 +1218,7 @@ index 47c4723..4866a08 100644
 +	domtrans_pattern($1, readahead_exec_t, readahead_t)
 +')
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index b4ac57e..39fbe42 100644
+index b4ac57e..e2d07b1 100644
 --- a/policy/modules/admin/readahead.te
 +++ b/policy/modules/admin/readahead.te
@@ -16,6 +16,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@ -1229,15 +1229,18 @@ index b4ac57e..39fbe42 100644
 ########################################
 #
-@@ -32,6 +33,7 @@ files_search_var_lib(readahead_t)
+@@ -31,7 +32,9 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
 files_search_var_lib(readahead_t)
 manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
- files_pid_filetrans(readahead_t, readahead_var_run_t, file)
+-files_pid_filetrans(readahead_t, readahead_var_run_t, file)
 +manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
 +files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
 +dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
 kernel_read_all_sysctls(readahead_t)
 kernel_read_system_state(readahead_t)
-@@ -53,6 +55,7 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,6 +56,7 @@ domain_read_all_domains_state(readahead_t)
 files_list_non_security(readahead_t)
 files_read_non_security_files(readahead_t)
@ -1245,7 +1248,7 @@ index b4ac57e..39fbe42 100644
 files_create_boot_flag(readahead_t)
 files_getattr_all_pipes(readahead_t)
 files_dontaudit_getattr_all_sockets(readahead_t)
-@@ -66,6 +69,7 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,12 +70,14 @@ fs_read_cgroup_files(readahead_t)
 fs_read_tmpfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 fs_list_inotifyfs(readahead_t)
@ -1253,6 +1256,13 @@ index b4ac57e..39fbe42 100644
 fs_dontaudit_search_ramfs(readahead_t)
 fs_dontaudit_read_ramfs_pipes(readahead_t)
 fs_dontaudit_read_ramfs_files(readahead_t)
 fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
 mls_file_read_all_levels(readahead_t)
 +mcs_file_read_all(readahead_t)
 storage_raw_read_fixed_disk(readahead_t)
 diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
 index b206bf6..48922c9 100644
 --- a/policy/modules/admin/rpm.fc
@ -4525,6 +4535,20 @@ index 49abe8e..47a193c 100644
 ')
 optional_policy(`
 diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
 index 2523758..113a08b 100644
 --- a/policy/modules/apps/loadkeys.te
 +++ b/policy/modules/apps/loadkeys.te
@@ -46,5 +46,9 @@ ifdef(`hide_broken_symptoms',`
 ')
 optional_policy(`
 +	keyboardd_read_pipes(loadkeys_t)
 +')
 +
 +optional_policy(`
 	nscd_dontaudit_search_pid(loadkeys_t)
 ')
 diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc
 new file mode 100644
 index 0000000..bf872ef
@ -4828,7 +4852,7 @@ index 9a6d67d..76caa60 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..a5bdccb 100644
+index 2a91fa8..2fad053 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@ -4910,7 +4934,7 @@ index 2a91fa8..a5bdccb 100644
 	pulseaudio_exec(mozilla_t)
 	pulseaudio_stream_connect(mozilla_t)
 	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,163 @@ optional_policy(`
+@@ -266,3 +291,175 @@ optional_policy(`
 optional_policy(`
 	thunderbird_domtrans(mozilla_t)
 ')
@ -5074,6 +5098,18 @@ index 2a91fa8..a5bdccb 100644
 +	xserver_read_user_iceauth(mozilla_plugin_t)
 +	xserver_read_user_xauth(mozilla_plugin_t)
 +')
 +
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_manage_nfs_dirs(mozilla_plugin_t)
 +	fs_manage_nfs_files(mozilla_plugin_t)
 +	fs_manage_nfs_symlinks(mozilla_plugin_t)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_manage_cifs_dirs(mozilla_plugin_t)
 +	fs_manage_cifs_files(mozilla_plugin_t)
 +	fs_manage_cifs_symlinks(mozilla_plugin_t)
 +')
 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
 index d8ea41d..8bdc526 100644
 --- a/policy/modules/apps/mplayer.if
@ -5169,10 +5205,10 @@ index 0000000..ce51c8d
 +
 diff --git a/policy/modules/apps/namespace.if b/policy/modules/apps/namespace.if
 new file mode 100644
-index 0000000..9747548
+index 0000000..8d7c751
 --- /dev/null
 +++ b/policy/modules/apps/namespace.if
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,48 @@
 +
 +## <summary>policy for namespace</summary>
 +
@ -5218,6 +5254,8 @@ index 0000000..9747548
 +
 +	namespace_init_domtrans($1)
 +	role $2 types namespace_init_t;
 +
 +	seutil_run_setfiles(namespace_init_t, $2)
 +')
 diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
 new file mode 100644
@ -8795,7 +8833,7 @@ index 5a07a43..e97e47f 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index f12e087..bb37cd3 100644
+index f12e087..71e46ab 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@ -8925,7 +8963,7 @@ index f12e087..bb37cd3 100644
 -network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
 +network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
 network_port(ntp, udp,123,s0)
-+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
 network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
@ -15756,7 +15794,7 @@ index c9e1a44..1a1ba36 100644
 +	dontaudit $1 httpd_tmp_t:file { read write };
 ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..9dd70c3 100644
+index 08dfa0c..61f340d 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@ -16172,8 +16210,8 @@ index 08dfa0c..9dd70c3 100644
 +tunable_policy(`httpd_can_network_connect_db',`
 +	corenet_tcp_connect_mssql_port(httpd_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_t)
-+	corenet_tcp_connect_oracle_port(httpd_t)
+	corenet_tcp_connect_oracledb_port(httpd_t)
-+	corenet_sendrecv_oracle_client_packets(httpd_t)
+	corenet_sendrecv_oracledb_client_packets(httpd_t)
 +')
 +
 +tunable_policy(`httpd_can_network_memcache',`
@ -16422,8 +16460,8 @@ index 08dfa0c..9dd70c3 100644
 -	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 +	corenet_tcp_connect_mssql_port(httpd_php_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_php_t)
-+	corenet_tcp_connect_oracle_port(httpd_php_t)
+	corenet_tcp_connect_oracledb_port(httpd_php_t)
-+	corenet_sendrecv_oracle_client_packets(httpd_php_t)
+	corenet_sendrecv_oracledb_client_packets(httpd_php_t)
 ')
 optional_policy(`
@ -16479,8 +16517,8 @@ index 08dfa0c..9dd70c3 100644
 +tunable_policy(`httpd_can_network_connect_db',`
 +	corenet_tcp_connect_mssql_port(httpd_suexec_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+	corenet_tcp_connect_oracle_port(httpd_suexec_t)
+	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
-+	corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
+	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
 +')
 +
 +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
@ -16553,8 +16591,8 @@ index 08dfa0c..9dd70c3 100644
 +tunable_policy(`httpd_can_network_connect_db',`
 +	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-+	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+	corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
-+	corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
+	corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
 +')
 +
 +fs_cifs_entry_type(httpd_sys_script_t)
@ -22591,7 +22629,7 @@ index e1d7dc5..673f185 100644
 	admin_pattern($1, dovecot_var_run_t)
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..ae635c6 100644
+index cbe14e4..2bf7e73 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@ -22691,15 +22729,16 @@ index cbe14e4..ae635c6 100644
 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -242,6 +260,7 @@ optional_policy(`
+@@ -242,6 +260,8 @@ optional_policy(`
 ')
 optional_policy(`
 +	postfix_manage_private_sockets(dovecot_auth_t)
 +	postfix_rw_master_pipes(dovecot_deliver_t)
 	postfix_search_spool(dovecot_auth_t)
 ')
-@@ -249,23 +268,39 @@ optional_policy(`
+@@ -249,23 +269,39 @@ optional_policy(`
 #
 # dovecot deliver local policy
 #
@ -22741,7 +22780,7 @@ index cbe14e4..ae635c6 100644
 miscfiles_read_localization(dovecot_deliver_t)
-@@ -301,5 +336,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +337,15 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 optional_policy(`
@ -25723,10 +25762,10 @@ index 0000000..485aacc
 +/usr/bin/system-setup-keyboard		--	gen_context(system_u:object_r:keyboardd_exec_t,s0)
 diff --git a/policy/modules/services/keyboardd.if b/policy/modules/services/keyboardd.if
 new file mode 100644
-index 0000000..26391e6
+index 0000000..6134ef2
 --- /dev/null
 +++ b/policy/modules/services/keyboardd.if
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,39 @@
 +
 +## <summary>policy for system-setup-keyboard daemon</summary>
 +
@ -25748,6 +25787,24 @@ index 0000000..26391e6
 +	domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
 +')
 +
 +######################################
 +## <summary>
 +##  Allow attempts to read  to
 +##  keyboardd unnamed pipes.
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
 +#
 +interface(`keyboardd_read_pipes',`
 +    gen_require(`
 +            type keyboardd_t;
 +	')
 +
 +    allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te
 new file mode 100644
 index 0000000..a2bf9c3
@ -31338,7 +31395,7 @@ index 55e62d2..c114a40 100644
 /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..b87375e 100644
+index 46bee12..9b8c3eb 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@ -31423,7 +31480,32 @@ index 46bee12..b87375e 100644
 #
 interface(`postfix_stream_connect_master',`
 	gen_require(`
-@@ -462,7 +484,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -416,6 +438,24 @@ interface(`postfix_stream_connect_master',`
 ########################################
 ## <summary>
 +##	Allow read/write postfix master pipes
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`postfix_rw_master_pipes',`
 +	gen_require(`
 +		type postfix_master_t;
 +	')
 +
 +	allow $1 postfix_master_t:fifo_file rw_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
 ##	Execute the master postdrop in the
 ##	postfix_postdrop domain.
 ## </summary>
@@ -462,7 +502,7 @@ interface(`postfix_domtrans_postqueue',`
 ##	</summary>
 ## </param>
 #
@ -31432,7 +31514,7 @@ index 46bee12..b87375e 100644
 	gen_require(`
 		type postfix_postqueue_exec_t;
 	')
-@@ -529,6 +551,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +569,25 @@ interface(`postfix_domtrans_smtp',`
 ########################################
 ## <summary>
@ -31458,7 +31540,7 @@ index 46bee12..b87375e 100644
 ##	Search postfix mail spool directories.
 ## </summary>
 ## <param name="domain">
-@@ -539,10 +580,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +598,10 @@ interface(`postfix_domtrans_smtp',`
 #
 interface(`postfix_search_spool',`
 	gen_require(`
@ -31471,7 +31553,7 @@ index 46bee12..b87375e 100644
 	files_search_spool($1)
 ')
-@@ -558,10 +599,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +617,10 @@ interface(`postfix_search_spool',`
 #
 interface(`postfix_list_spool',`
 	gen_require(`
@ -31484,7 +31566,7 @@ index 46bee12..b87375e 100644
 	files_search_spool($1)
 ')
-@@ -577,11 +618,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +636,11 @@ interface(`postfix_list_spool',`
 #
 interface(`postfix_read_spool_files',`
 	gen_require(`
@ -31498,7 +31580,7 @@ index 46bee12..b87375e 100644
 ')
 ########################################
-@@ -596,11 +637,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +655,11 @@ interface(`postfix_read_spool_files',`
 #
 interface(`postfix_manage_spool_files',`
 	gen_require(`
@ -31512,7 +31594,7 @@ index 46bee12..b87375e 100644
 ')
 ########################################
-@@ -621,3 +662,103 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +680,103 @@ interface(`postfix_domtrans_user_mail_handler',`
 	typeattribute $1 postfix_user_domtrans;
 ')
@ -31617,7 +31699,7 @@ index 46bee12..b87375e 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..a069aae 100644
+index 06e37d4..3703671 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@ -31784,7 +31866,7 @@ index 06e37d4..a069aae 100644
 optional_policy(`
 	clamav_search_lib(postfix_local_t)
-@@ -304,9 +330,18 @@ optional_policy(`
+@@ -304,9 +330,22 @@ optional_policy(`
 ')
 optional_policy(`
@ -31795,6 +31877,10 @@ index 06e37d4..a069aae 100644
 	procmail_domtrans(postfix_local_t)
 ')
 +optional_policy(`
 +	sendmail_rw_pipes(postfix_local_t)
 +')
 +
 +optional_policy(`
 +	zarafa_deliver_domtrans(postfix_local_t)
 +	zarafa_stream_connect_server(postfix_local_t)
@ -31803,7 +31889,7 @@ index 06e37d4..a069aae 100644
 ########################################
 #
 # Postfix map local policy
-@@ -390,8 +425,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+@@ -390,8 +429,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
 # Postfix pipe local policy
 #
@ -31813,7 +31899,7 @@ index 06e37d4..a069aae 100644
 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +436,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +440,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
 domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@ -31822,7 +31908,7 @@ index 06e37d4..a069aae 100644
 optional_policy(`
 	dovecot_domtrans_deliver(postfix_pipe_t)
 ')
-@@ -420,6 +457,7 @@ optional_policy(`
+@@ -420,6 +461,7 @@ optional_policy(`
 optional_policy(`
 	spamassassin_domtrans_client(postfix_pipe_t)
@ -31830,7 +31916,7 @@ index 06e37d4..a069aae 100644
 ')
 optional_policy(`
-@@ -436,6 +474,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,6 +478,9 @@ allow postfix_postdrop_t self:capability sys_resource;
 allow postfix_postdrop_t self:tcp_socket create;
 allow postfix_postdrop_t self:udp_socket create_socket_perms;
@ -31840,7 +31926,7 @@ index 06e37d4..a069aae 100644
 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
 postfix_list_spool(postfix_postdrop_t)
-@@ -519,7 +560,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +564,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
 allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@ -31849,7 +31935,7 @@ index 06e37d4..a069aae 100644
 corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +580,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +584,7 @@ postfix_list_spool(postfix_showq_t)
 allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@ -31858,7 +31944,7 @@ index 06e37d4..a069aae 100644
 # to write the mailq output, it really should not need read access!
 term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +629,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +633,16 @@ corecmd_exec_bin(postfix_smtpd_t)
 # for OpenSSL certificates
 files_read_usr_files(postfix_smtpd_t)
@ -31875,7 +31961,7 @@ index 06e37d4..a069aae 100644
 ')
 optional_policy(`
-@@ -611,8 +658,8 @@ optional_policy(`
+@@ -611,8 +662,8 @@ optional_policy(`
 # Postfix virtual local policy
 #
@ -31885,7 +31971,7 @@ index 06e37d4..a069aae 100644
 allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +677,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +681,8 @@ mta_delete_spool(postfix_virtual_t)
 # For reading spamassasin
 mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
@ -36409,10 +36495,10 @@ index adea9f9..d5b2d93 100644
 	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 4804f14..6f49778 100644
+index 4804f14..7d09c38 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
-@@ -72,6 +72,7 @@ files_exec_etc_files(fsdaemon_t)
+@@ -72,9 +72,11 @@ files_exec_etc_files(fsdaemon_t)
 files_read_etc_runtime_files(fsdaemon_t)
 # for config
 files_read_etc_files(fsdaemon_t)
@ -36420,7 +36506,11 @@ index 4804f14..6f49778 100644
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
-@@ -82,6 +83,8 @@ mls_file_read_all_levels(fsdaemon_t)
+fs_read_removable_files(fsdaemon_t)
 mls_file_read_all_levels(fsdaemon_t)
 #mls_rangetrans_target(fsdaemon_t)
@@ -82,6 +84,8 @@ mls_file_read_all_levels(fsdaemon_t)
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
 storage_raw_read_removable_device(fsdaemon_t)
@ -40390,7 +40480,7 @@ index 6f1e3c7..ecfe665 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..06e7dd4 100644
+index da2601a..223cc80 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -40801,7 +40891,7 @@ index da2601a..06e7dd4 100644
 ')
 ########################################
-@@ -805,7 +888,25 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +888,26 @@ interface(`xserver_read_xdm_pid',`
 	')
 	files_search_pids($1)
@ -40824,11 +40914,12 @@ index da2601a..06e7dd4 100644
 +        type xdm_var_run_t;
 +    ')
 +
 +	dontaudit $1 xdm_var_run_t:dir search_dir_perms;
 +    dontaudit $1 xdm_var_run_t:file read_file_perms;
 ')
 ########################################
-@@ -897,7 +998,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +999,7 @@ interface(`xserver_getattr_log',`
 	')
 	logging_search_logs($1)
@ -40837,7 +40928,7 @@ index da2601a..06e7dd4 100644
 ')
 ########################################
-@@ -916,7 +1017,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1018,7 @@ interface(`xserver_dontaudit_write_log',`
 		type xserver_log_t;
 	')
@ -40846,7 +40937,7 @@ index da2601a..06e7dd4 100644
 ')
 ########################################
-@@ -963,6 +1064,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1065,45 @@ interface(`xserver_read_xkb_libs',`
 ########################################
 ## <summary>
@ -40892,7 +40983,7 @@ index da2601a..06e7dd4 100644
 ##	Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
-@@ -976,7 +1116,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1117,7 @@ interface(`xserver_read_xdm_tmp_files',`
 		type xdm_tmp_t;
 	')
@ -40901,7 +40992,7 @@ index da2601a..06e7dd4 100644
 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
-@@ -1038,6 +1178,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1179,42 @@ interface(`xserver_manage_xdm_tmp_files',`
 ########################################
 ## <summary>
@ -40944,7 +41035,7 @@ index da2601a..06e7dd4 100644
 ##	Do not audit attempts to get the attributes of
 ##	xdm temporary named sockets.
 ## </summary>
-@@ -1052,7 +1228,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1229,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')
@ -40953,7 +41044,7 @@ index da2601a..06e7dd4 100644
 ')
 ########################################
-@@ -1070,8 +1246,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1247,10 @@ interface(`xserver_domtrans',`
 		type xserver_t, xserver_exec_t;
 	')
@ -40965,7 +41056,7 @@ index da2601a..06e7dd4 100644
 ')
 ########################################
-@@ -1185,6 +1363,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1364,26 @@ interface(`xserver_stream_connect',`
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -40992,7 +41083,7 @@ index da2601a..06e7dd4 100644
 ')
 ########################################
-@@ -1210,7 +1408,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1409,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -41001,7 +41092,7 @@ index da2601a..06e7dd4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1220,13 +1418,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1419,23 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -41026,7 +41117,7 @@ index da2601a..06e7dd4 100644
 ')
 ########################################
-@@ -1243,10 +1451,393 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1452,393 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -47602,7 +47693,7 @@ index 2cc4bda..9e81136 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..d95624d 100644
+index 170e2c7..540a936 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
@ -47622,8 +47713,8 @@ index 170e2c7..d95624d 100644
 	auth_run_upd_passwd(newrole_t, $2)
 +
 +	optional_policy(`
-+        namespace_init_run(newrole_t, $2)
+	        namespace_init_run(newrole_t, $2)
-+    ')
+	')
 ')
 ########################################
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.13
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -472,6 +472,15 @@ exit 0
 %endif
 %changelog
 * Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-6
 - Fix xserver_dontaudit_read_xdm_pid
 - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
 - Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. 
 	* These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
 - Allow readahead to manage readahead pid dirs
 - Allow readahead to read all mcs levels
 - Allow mozilla_plugin_t to use nfs or samba homedirs
 * Wed Jan 25 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-5
 - Allow nagios plugin to read /proc/meminfo
 - Fix for mozilla_plugin