From 859ba0c85a0c570f8a70c9cf73d6e3965ab8dfc4 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Wed, 5 Oct 2011 17:14:02 -0400 Subject: [PATCH] Allow nmbd to manage sock file in /var/run/nmbd ricci_modservice send syslog msgs Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly Allow systemd_logind_t to manage /run/USER/dconf/user --- booleans-targeted.conf | 8 ++- passwd.patch | 91 +++++++++++++++++++---------- policy-F16.patch | 130 ++++++++++++++++++++--------------------- selinux-policy.spec | 19 +++++- thumb.patch | 15 ----- 5 files changed, 149 insertions(+), 114 deletions(-) diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 7457a4a4..d564050d 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -1,6 +1,6 @@ # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # -allow_execmem = true +allow_execmem = false # Allow making a modified private filemapping executable (text relocation). # @@ -8,7 +8,7 @@ allow_execmod = true # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = true +allow_execstack = false # Allow ftpd to read cifs directories. # @@ -210,6 +210,10 @@ allow_daemons_use_tty = false # allow_polyinstantiation = false +# Allow confined domains to ptrace them selves +# +allow_ptrace = true + # Allow all domains to dump core # allow_daemons_dump_core = true diff --git a/passwd.patch b/passwd.patch index 8e496c6a..7674222f 100644 --- a/passwd.patch +++ b/passwd.patch @@ -12,10 +12,18 @@ index ef8bc09..ea06507 100644 miscfiles_read_localization(mcelog_t) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 4779a8d..c2ee43e 100644 +index 4779a8d..b8eac3e 100644 --- a/policy/modules/admin/usermanage.te 
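Review bot: The new `allow_ptrace = true` in the third booleans-targeted.conf hunk turns the boolean on by default, while selinux-policy.spec in this same commit declares `patch7: ptrace.patch` but leaves it unapplied (`#%patch7 -p1 -b .ptrace`), so unless allow_ptrace is already defined elsewhere in the policy this entry refers to a boolean the built policy does not have, and if it is defined, an on-by-default setting is the permissive choice for a control whose comment says it lets confined domains ptrace themselves. Defaulting it to `allow_ptrace = false` until the patch is actually applied keeps booleans-targeted.conf in step with what the spec builds. The comment should also read `# Allow confined domains to ptrace themselves`. The flips of allow_execmem and allow_execstack to false in the first two hunks are not mentioned in the commit message or the 3.10.0-37 changelog entry, and a line there would help anyone bisecting a runtime-code-generation regression.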
+++ b/policy/modules/admin/usermanage.te -@@ -96,11 +96,12 @@ corecmd_check_exec_shell(chfn_t) +@@ -89,6 +89,7 @@ fs_search_auto_mountpoints(chfn_t) + dev_read_urand(chfn_t) + dev_dontaudit_getattr_all(chfn_t) + ++auth_manage_passwd(chfn_t) + auth_use_pam(chfn_t) + + # allow checking if a shell is executable +@@ -96,7 +97,6 @@ corecmd_check_exec_shell(chfn_t) domain_use_interactive_fds(chfn_t) @@ -23,13 +31,37 @@ index 4779a8d..c2ee43e 100644 files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) files_dontaudit_search_home(chfn_t) +@@ -205,8 +205,8 @@ init_dontaudit_write_utmp(groupadd_t) -+auth_manage_passwd(chfn_t) -+ - # /usr/bin/passwd asks for w access to utmp, but it will operate - # correctly without it. Do not audit write denials to utmp. - init_dontaudit_rw_utmp(chfn_t) -@@ -310,13 +311,14 @@ corenet_tcp_connect_kerberos_password_port(passwd_t) + domain_use_interactive_fds(groupadd_t) + +-files_manage_etc_files(groupadd_t) + files_relabel_etc_files(groupadd_t) ++files_read_etc_files(groupadd_t) + files_read_etc_runtime_files(groupadd_t) + files_read_usr_symlinks(groupadd_t) + +@@ -221,9 +221,10 @@ miscfiles_read_localization(groupadd_t) + auth_domtrans_chk_passwd(groupadd_t) + auth_rw_lastlog(groupadd_t) + auth_use_nsswitch(groupadd_t) ++auth_manage_passwd(groupadd_t) ++auth_manage_shadow(groupadd_t) + # these may be unnecessary due to the above + # domtrans_chk_passwd() call. +-auth_manage_shadow(groupadd_t) + auth_relabel_shadow(groupadd_t) + auth_etc_filetrans_shadow(groupadd_t) + +@@ -296,6 +297,7 @@ selinux_compute_user_contexts(passwd_t) + + term_use_all_inherited_terms(passwd_t) + ++auth_manage_passwd(passwd_t) + auth_manage_shadow(passwd_t) + auth_relabel_shadow(passwd_t) + auth_etc_filetrans_shadow(passwd_t) +@@ -310,7 +312,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t) domain_use_interactive_fds(passwd_t) files_read_etc_runtime_files(passwd_t) 
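Review bot: In the groupadd_t section of the @@ -23,13 +31,37 @@ hunk, `auth_manage_shadow(groupadd_t)` is moved above the comment `# these may be unnecessary due to the above domtrans_chk_passwd() call`, so the caveat now reads as applying only to auth_relabel_shadow and auth_etc_filetrans_shadow; if the move is deliberate because groupadd really does need shadow access, a short comment saying so would stop the next reader from re-attaching it. The same hunk narrows groupadd_t from `files_manage_etc_files` to `files_read_etc_files`, which is the right direction, but it relies on every file groupadd writes under /etc being caught by the shadow_t or passwd_file_t transitions; any lock or temporary file that falls through to etc_t will now be denied, so the change is worth exercising with groupadd/groupmod on a live system before it ships. The enclosing usermanage.te blocks start and end outside the hunk.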
@@ -37,15 +69,15 @@ index 4779a8d..c2ee43e 100644 files_search_var(passwd_t) files_dontaudit_search_pids(passwd_t) files_relabel_etc_files(passwd_t) +@@ -390,6 +391,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t) - term_search_ptys(passwd_t) + term_use_all_inherited_terms(sysadm_passwd_t) -+auth_manage_passwd(passwd_t) -+ - # /usr/bin/passwd asks for w access to utmp, but it will operate - # correctly without it. Do not audit write denials to utmp. - init_dontaudit_rw_utmp(passwd_t) -@@ -402,12 +404,13 @@ files_read_usr_files(sysadm_passwd_t) ++auth_manage_passwd(sysadm_passwd_t) + auth_manage_shadow(sysadm_passwd_t) + auth_relabel_shadow(sysadm_passwd_t) + auth_etc_filetrans_shadow(sysadm_passwd_t) +@@ -402,7 +404,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -53,14 +85,7 @@ index 4779a8d..c2ee43e 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups - files_dontaudit_search_pids(sysadm_passwd_t) - -+auth_manage_passwd(sysadm_passwd_t) -+ - # /usr/bin/passwd asks for w access to utmp, but it will operate - # correctly without it. Do not audit write denials to utmp. - init_dontaudit_rw_utmp(sysadm_passwd_t) -@@ -461,7 +464,6 @@ domain_use_interactive_fds(useradd_t) +@@ -461,7 +462,6 @@ domain_use_interactive_fds(useradd_t) domain_read_all_domains_state(useradd_t) domain_dontaudit_read_all_domains_state(useradd_t) @@ -68,7 +93,7 @@ index 4779a8d..c2ee43e 100644 files_search_var_lib(useradd_t) files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) -@@ -488,6 +490,7 @@ auth_rw_faillog(useradd_t) +@@ -488,6 +488,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -152,10 +177,10 @@ index 4f9a575..5fc3a55 100644 miscfiles_read_fonts(plymouthd_t) miscfiles_manage_fonts_cache(plymouthd_t) 
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 290f8c4..cd2909f 100644 +index 52df08a..7790f7e 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te -@@ -881,6 +881,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain) +@@ -882,6 +882,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain) fs_list_inotifyfs(svirt_lxc_domain) fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain) @@ -164,19 +189,20 @@ index 290f8c4..cd2909f 100644 auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 59742f4..51ca568 100644 +index 59742f4..904e39c 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -7,6 +7,7 @@ +@@ -7,6 +7,8 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) -+/etc/passwd.* -- gen_context(system_u:object_r:passwd_file_t,s0) ++/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0) ++/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0) /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index f05a80f..c317b16 100644 +index f05a80f..4372e5d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',` @@ -216,7 +242,7 @@ index f05a80f..c317b16 100644 ') ######################################## -@@ -1810,19 +1817,115 @@ interface(`auth_unconfined',` +@@ -1810,19 +1817,118 @@ interface(`auth_unconfined',` interface(`authlogin_filetrans_named_content',` gen_require(` type shadow_t; 
@@ -333,6 +359,9 @@ index f05a80f..c317b16 100644 + files_rw_etc_dirs($1) + allow $1 passwd_file_t:file manage_file_perms; + files_etc_filetrans($1, passwd_file_t, file, "passwd") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd-") ++ files_etc_filetrans($1, passwd_file_t, file, "group") ++ files_etc_filetrans($1, passwd_file_t, file, "group-") +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index a53db2b..16e2e63 100644 diff --git a/policy-F16.patch b/policy-F16.patch index 9591fd23..848fc92b 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -11166,10 +11166,10 @@ index 0000000..b78aa77 + diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..73e7983 +index 0000000..fc5b449 --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,127 @@ +@@ -0,0 +1,123 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -11258,10 +11258,6 @@ index 0000000..73e7983 + +userdom_use_inherited_user_ptys(thumb_t) + -+optional_policy(` -+ dbus_dontaudit_session_bus_connect(thumb_t) -+') -+ +# optional_policy(` +# gnome_read_gconf_home_files(thumb_t) +# gnome_read_gstreamer_home_content(thumb_t) @@ -13644,7 +13640,7 @@ index 6cf8784..935a96c 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..7139ab3 100644 +index f820f3b..60394ec 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` 
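Review bot: The named transitions added to auth_manage_passwd cover only `passwd`, `passwd-`, `group` and `group-`, but the shadow-utils tools these callers run write the new database to a `+`-suffixed temporary (`/etc/passwd+`, `/etc/group+`) and rename it over the original, so the file actually created in /etc never matches these names; it takes the domain's default label for etc_t directories (shadow_t where the caller also has auth_etc_filetrans_shadow, etc_t otherwise) and the rename carries that label onto /etc/passwd or /etc/group. Adding `files_etc_filetrans($1, passwd_file_t, file, "passwd+")` and `files_etc_filetrans($1, passwd_file_t, file, "group+")` next to the existing lines closes that gap. The `/etc/passwd-?` and `/etc/group-?` entries added in the earlier authlogin.fc hunk share the blind spot for the `+` names, though that only affects restorecon. The interface's header documentation is outside this hunk and should now say that it labels /etc/group as well as /etc/passwd.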
@@ -14044,11 +14040,13 @@ index f820f3b..7139ab3 100644 ## ## # -@@ -2932,7 +3168,7 @@ interface(`dev_dontaudit_write_mtrr',` +@@ -2931,8 +3167,8 @@ interface(`dev_dontaudit_write_mtrr',` + type mtrr_device_t; ') - dontaudit $1 mtrr_device_t:file write; +- dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; ++ dontaudit $1 mtrr_device_t:file write_file_perms; + dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ') @@ -21423,7 +21421,7 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..fcc8949 +index 0000000..e1113e0 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,503 @@ @@ -21530,7 +21528,7 @@ index 0000000..fcc8949 +init_domtrans_script(unconfined_t) +init_telinit(unconfined_t) + -+libs_run_ldconfig(unconfined_t, unconfined_r) ++lib_filetrans_named_content(unconfined_t) + +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) @@ -37459,18 +37457,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..ab59945 100644 +index 4fde46b..86ba356 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -9,24 +9,31 @@ type gnomeclock_t; - type gnomeclock_exec_t; - dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) - -+systemd_systemctl_domain(gnomeclock) -+ - ######################################## - # - # gnomeclock local policy +@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; 
@@ -37497,7 +37487,7 @@ index 4fde46b..ab59945 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,12 +42,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -37531,25 +37521,6 @@ index 4fde46b..ab59945 100644 policykit_dbus_chat(gnomeclock_t) policykit_domtrans_auth(gnomeclock_t) policykit_read_lib(gnomeclock_t) - policykit_read_reload(gnomeclock_t) - ') -+ -+####################################### -+# -+# gnomeclock systemctl local policy -+# -+ -+files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t) -+files_manage_etc_symlinks(gnomeclock_systemctl_t) -+ -+miscfiles_read_localization(gnomeclock_systemctl_t) -+ -+systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t) -+ -+optional_policy(` -+ ntp_read_unit_file(gnomeclock_systemctl_t) -+ ntp_read_state(gnomeclock_systemctl_t) -+') diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if index 7d97298..d6b2959 100644 --- a/policy/modules/services/gpm.if @@ -52467,7 +52438,7 @@ index f7826f9..679d185 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te -index 33e72e8..28d2775 100644 +index 33e72e8..7582159 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) @@ -52615,7 +52586,7 @@ index 33e72e8..28d2775 100644 miscfiles_read_localization(ricci_modrpm_t) optional_policy(` -@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t) +@@ -394,10 +416,10 @@ files_search_usr(ricci_modservice_t) # Needed for running chkconfig files_manage_etc_symlinks(ricci_modservice_t) 
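Review bot: The removal of `systemd_systemctl_domain(gnomeclock)` and of the whole `gnomeclock_systemctl_t` local policy block from gnomeclock.te (the @@ -37459,18 +37457,10 @@ and @@ -37531,25 +37521,6 @@ hunks) is not mentioned in the commit message or in the 3.10.0-37 changelog entry. If this is an intentional revert, for example because the systemd_systemctl_domain template is not available in this policy build, a changelog line would save the next reader from treating it as a hunk lost while regenerating policy-F16.patch; if it is accidental, the block should be restored. The rewritten inner header `@@ -15,18 +15,23 @@` is consistent with the removal, so the patch itself should still apply cleanly.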
@@ -52623,8 +52594,12 @@ index 33e72e8..28d2775 100644 - init_domtrans_script(ricci_modservice_t) ++logging_send_syslog_msg(ricci_modservice_t) ++ miscfiles_read_localization(ricci_modservice_t) -@@ -405,6 +425,10 @@ optional_policy(` + + optional_policy(` +@@ -405,6 +427,10 @@ optional_policy(` ') optional_policy(` @@ -52635,7 +52610,7 @@ index 33e72e8..28d2775 100644 nscd_dontaudit_search_pid(ricci_modservice_t) ') -@@ -444,22 +468,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -444,22 +470,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -52665,7 +52640,7 @@ index 33e72e8..28d2775 100644 optional_policy(` aisexec_stream_connect(ricci_modstorage_t) corosync_stream_connect(ricci_modstorage_t) -@@ -471,12 +495,24 @@ optional_policy(` +@@ -471,12 +497,24 @@ optional_policy(` ') optional_policy(` @@ -53831,7 +53806,7 @@ index 82cb169..87d1eec 100644 + samba_systemctl($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..fed972d 100644 +index e30bb63..49941ec 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) 
@@ -53983,18 +53958,19 @@ index e30bb63..fed972d 100644 ######################################## # # nmbd Local policy -@@ -484,8 +487,9 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +487,10 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) -+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file }) ++manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) ++files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file }) read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +564,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -560,13 +565,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; @@ -54012,7 +53988,7 @@ index e30bb63..fed972d 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -574,11 +578,19 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -574,11 +579,19 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -54033,7 +54009,7 @@ index e30bb63..fed972d 100644 ######################################## # -@@ -644,19 +656,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +657,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) 
@@ -54058,7 +54034,7 @@ index e30bb63..fed972d 100644 ######################################## # # SWAT Local policy -@@ -677,7 +691,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +692,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -54067,7 +54043,7 @@ index e30bb63..fed972d 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +706,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +707,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -54082,7 +54058,7 @@ index e30bb63..fed972d 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +726,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +727,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -54090,7 +54066,7 @@ index e30bb63..fed972d 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +771,8 @@ logging_search_logs(swat_t) +@@ -754,6 +772,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -54099,7 +54075,7 @@ index e30bb63..fed972d 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +825,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +826,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) 
@@ -54121,7 +54097,7 @@ index e30bb63..fed972d 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +853,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +854,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -54129,7 +54105,7 @@ index e30bb63..fed972d 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -863,6 +884,12 @@ userdom_manage_user_home_content_pipes(winbind_t) +@@ -863,6 +885,12 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) @@ -54142,7 +54118,7 @@ index e30bb63..fed972d 100644 optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +931,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +932,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -54151,7 +54127,7 @@ index e30bb63..fed972d 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +949,18 @@ optional_policy(` +@@ -922,6 +950,18 @@ optional_policy(` # optional_policy(` @@ -54170,7 +54146,7 @@ index e30bb63..fed972d 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +971,12 @@ optional_policy(` +@@ -932,9 +972,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -67047,7 +67023,7 @@ index 560dc48..6673319 100644 +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..ed84884 100644 +index 808ba93..8f5a243 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -207,6 +207,23 @@ interface(`libs_search_lib',` @@ -67130,6 +67106,29 @@ index 808ba93..ed84884 100644 ') ######################################## +@@ -534,3 +533,22 @@ interface(`lib_filetrans_shared_lib',` + interface(`files_lib_filetrans_shared_lib',` + refpolicywarn(`$0($*) has been deprecated.') + ') ++ ++######################################## ++## ++## Transition to lib named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lib_filetrans_named_content',` ++ gen_require(` ++ type ld_so_cache_t; ++ ') ++ ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload") ++') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index e5836d3..eae9427 100644 --- a/policy/modules/system/libraries.te @@ -71332,10 +71331,10 @@ index 0000000..46a3ec0 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..ff4814a +index 0000000..3790267 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,369 @@ +@@ -0,0 +1,370 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -71471,6 +71470,7 @@ index 0000000..ff4814a +optional_policy(` + # we label /run/user/$USER/dconf as config_home_t + gnome_manage_home_config_dirs(systemd_logind_t) ++ gnome_manage_home_config(systemd_logind_t) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 7da84f26..47a95abc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
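Review bot: `lib_filetrans_named_content` in the @@ -67130,6 +67106,29 @@ hunk names only `ld.so.cache` and `ld.so.preload`, but glibc's ldconfig writes the new cache to `/etc/ld.so.cache~` and renames it into place, so the file it actually creates misses the named transition and the rename carries an etc_t label onto /etc/ld.so.cache, which is exactly the outcome the commit message ("make sure /etc/ld.so.cache is labeled correctly") sets out to prevent now that unconfined_t no longer transitions to ldconfig_t (the @@ -21530,7 +21528,7 @@ hunk in unconfineduser.te). Adding `files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")` beside the two existing lines fixes that, and libraries.fc should carry a matching `/etc/ld\.so\.cache~` entry so restorecon agrees with the transition. The new interface is appended after the deprecated `files_lib_filetrans_shared_lib` stub; placing it with the other live `lib_*` interfaces would keep the file's ordering consistent.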
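Review bot: `gnome_manage_home_config(systemd_logind_t)` in the @@ -71471,6 +71470,7 @@ hunk grants logind manage rights on every config_home_t file, not only the `/run/user/$USER/dconf/user` file the comment above it describes, so unless that interface is narrower than its name suggests, logind can now write any user's ~/.config content carrying that type. If an interface scoped to the dconf file or to the /run/user tree exists it would be the better fit; otherwise the comment should state that the grant is deliberately type-wide, e.g. `# logind must manage /run/user/$USER/dconf/user, which shares config_home_t with ~/.config`. The changelog line "Allow systemd_logind_t to manage /run/USER/dconf/user" would then match what the policy actually allows. The optional_policy block is fully inside the hunk, but systemd.te's other logind rules are not.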
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 36.1%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -25,6 +25,10 @@ patch: policy-F16.patch patch1: unconfined_permissive.patch patch2: passwd.patch patch3: thumb.patch +patch4: execmem.patch +patch5: userdomain.patch +patch6: apache.patch +patch7: ptrace.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -241,6 +245,10 @@ Based off of reference policy: Checked out revision 2.20091117 %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 -b .execmem +%patch5 -p1 -b .userdomain +%patch6 -p1 -b .apache +#%patch7 -p1 -b .ptrace %install mkdir selinux_config @@ -472,6 +480,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Oct 5 2011 Miroslav Grepl 3.10.0-37 +- Allow nmbd to manage sock file in /var/run/nmbd +- ricci_modservice send syslog msgs +- Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly +- Allow systemd_logind_t to manage /run/USER/dconf/user + +* Tue Oct 3 2011 Dan Walsh 3.10.0-36.2 +- Make allow_ptrace remove all ptrace + * Tue Oct 3 2011 Dan Walsh 3.10.0-36.1 - Fix missing patch from F16 diff --git a/thumb.patch b/thumb.patch index 3f9217c5..97ff4097 100644 --- a/thumb.patch +++ b/thumb.patch 
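Review bot: The @@ -25,6 +25,10 @@ hunk declares `patch4: execmem.patch`, `patch5: userdomain.patch`, `patch6: apache.patch` and `patch7: ptrace.patch`, and the @@ -241,6 +245,10 @@ hunk applies the first three, but none of those four files is part of this commit (the diffstat lists only booleans-targeted.conf, passwd.patch, policy-F16.patch, selinux-policy.spec and thumb.patch), so rpmbuild cannot build this tree until they land in a separate commit. The commented-out `#%patch7 -p1 -b .ptrace` also leaves patch7 declared but unapplied while booleans-targeted.conf in this same commit turns `allow_ptrace` on; either apply it or add a comment in the spec explaining why it is held back. The new 3.10.0-37 changelog entry mentions neither the execmem/userdomain/apache patches nor the allow_execmem/allow_execstack default changes that ship alongside them.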
@@ -14,18 +14,3 @@ index 1105ff5..620e17b 100644 optional_policy(` setroubleshoot_dbus_chat(unconfined_usertype) setroubleshoot_dbus_chat_fixit(unconfined_t) -diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te -index 73e7983..fc5b449 100644 ---- a/policy/modules/apps/thumb.te -+++ b/policy/modules/apps/thumb.te -@@ -86,10 +86,6 @@ userdom_write_user_tmp_files(thumb_t) - - userdom_use_inherited_user_ptys(thumb_t) - --optional_policy(` -- dbus_dontaudit_session_bus_connect(thumb_t) --') -- - # optional_policy(` - # gnome_read_gconf_home_files(thumb_t) - # gnome_read_gstreamer_home_content(thumb_t)