-Remove duplicate line

2009-05-06 12:51:59 +00:00 · 2009-05-06 12:51:59 +00:00 · 8a0604e919
commit 8a0604e919
parent 959ab94100
2 changed files with 93 additions and 79 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -4897,7 +4897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +corecmd_executable_file(wm_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-03-05 10:34:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-05-05 14:05:47.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-05-05 18:05:12.000000000 -0400
@@ -32,6 +32,8 @@
 #
 # /etc
@ -4907,18 +4907,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /etc/apcupsd/apccontrol		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/apcupsd/changeme		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/apcupsd/commfailure	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -134,6 +136,10 @@
+@@ -134,6 +136,9 @@
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
 +/opt/gutenprint/cups/lib/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +/opt/gutenprint/cups/lib/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +
 #
 # /usr
 #
-@@ -210,6 +216,7 @@
+@@ -210,6 +215,7 @@
 /usr/share/Modules/init(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
@ -4926,7 +4925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
-@@ -299,3 +306,20 @@
+@@ -299,3 +305,20 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -8952,7 +8951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/apache.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.te	2009-05-06 08:47:58.000000000 -0400
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -9331,20 +9330,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -493,6 +614,12 @@
+@@ -494,12 +615,23 @@
 	openca_kill(httpd_t)
 ')
 optional_policy(`
 +	rpc_search_nfs_state_data(httpd_t)
 +')
 +
 +tunable_policy(`httpd_execmem',`
 +	allow httpd_t self:process { execmem execstack };
 +	allow httpd_sys_script_t self:process { execmem execstack };
 +	allow httpd_suexec_t self:process { execmem execstack };
 +') 
 +
- optional_policy(`
+optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
-@@ -500,6 +627,7 @@
+ 	postgresql_unpriv_client(httpd_t)
 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
@ -9352,7 +9354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -508,6 +636,7 @@
+@@ -508,6 +640,7 @@
 ')
 optional_policy(`
@ -9360,7 +9362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -535,6 +664,22 @@
+@@ -535,6 +668,22 @@
 userdom_use_user_terminals(httpd_helper_t)
@ -9383,7 +9385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache PHP script local policy
-@@ -564,20 +709,25 @@
+@@ -564,20 +713,25 @@
 fs_search_auto_mountpoints(httpd_php_t)
@ -9415,7 +9417,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -595,23 +745,24 @@
+@@ -595,23 +749,24 @@
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@ -9444,7 +9446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +775,7 @@
+@@ -624,6 +779,7 @@
 logging_send_syslog_msg(httpd_suexec_t)
 miscfiles_read_localization(httpd_suexec_t)
@ -9452,7 +9454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -641,12 +793,20 @@
+@@ -641,12 +797,20 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
@ -9476,7 +9478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +832,14 @@
+@@ -672,15 +836,14 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -9495,7 +9497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +858,24 @@
+@@ -699,12 +862,24 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -9522,7 +9524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +883,35 @@
+@@ -712,6 +887,35 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
@ -9558,7 +9560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +924,10 @@
+@@ -724,6 +928,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -9569,7 +9571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -735,6 +939,8 @@
+@@ -735,6 +943,8 @@
 # httpd_rotatelogs local policy
 #
@ -9578,7 +9580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +960,12 @@
+@@ -754,6 +964,12 @@
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -9591,7 +9593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 # allow accessing files/dirs below the users home dir
-@@ -762,3 +974,66 @@
+@@ -762,3 +978,67 @@
 	userdom_search_user_home_dirs(httpd_suexec_t)
 	userdom_search_user_home_dirs(httpd_user_script_t)
 ')
@ -9658,6 +9660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.6.12/policy/modules/services/audioentropy.te
 --- nsaserefpolicy/policy/modules/services/audioentropy.te	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/audioentropy.te	2009-04-23 09:44:57.000000000 -0400
@ -9685,7 +9688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.12/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/automount.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/automount.te	2009-05-06 08:47:22.000000000 -0400
@@ -71,6 +71,7 @@
 files_mounton_all_mountpoints(automount_t)
 files_mount_all_file_type_fs(automount_t)
@ -25238,7 +25241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-04-27 08:35:28.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-05-06 08:50:01.000000000 -0400
@@ -34,6 +34,13 @@
 ## <desc>
@ -25427,7 +25430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xdm_t self:tcp_socket create_stream_socket_perms;
 allow xdm_t self:udp_socket create_socket_perms;
 allow xdm_t self:socket create_socket_perms;
-@@ -314,6 +340,11 @@
+@@ -314,6 +340,13 @@
 allow xdm_t self:key { search link write };
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@ -25436,10 +25439,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
 +#Handle mislabeled files in homedir
 +userdom_delete_user_home_content_files(xdm_t)
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
-@@ -329,22 +360,38 @@
+@@ -329,22 +362,38 @@
 manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@ -25481,7 +25486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xdm_t xserver_t:process signal;
 allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +405,7 @@
+@@ -358,6 +407,7 @@
 allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 allow xdm_t xserver_t:shm rw_shm_perms;
@ -25489,7 +25494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
-@@ -366,10 +414,14 @@
+@@ -366,10 +416,14 @@
 delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
 delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
@ -25505,7 +25510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +441,13 @@
+@@ -389,11 +443,13 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_generic_node(xdm_t)
 corenet_udp_bind_generic_node(xdm_t)
@ -25519,7 +25524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_read_rand(xdm_t)
 dev_read_sysfs(xdm_t)
 dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +455,7 @@
+@@ -401,6 +457,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
@ -25527,7 +25532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
-@@ -413,14 +468,17 @@
+@@ -413,14 +470,17 @@
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
@ -25547,7 +25552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -431,9 +489,13 @@
+@@ -431,9 +491,13 @@
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -25561,7 +25566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +504,7 @@
+@@ -442,6 +506,7 @@
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -25569,7 +25574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +513,7 @@
+@@ -450,6 +515,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -25577,7 +25582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
-@@ -460,10 +524,10 @@
+@@ -460,10 +526,10 @@
 logging_read_generic_logs(xdm_t)
@ -25590,7 +25595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +536,8 @@
+@@ -472,6 +538,8 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -25599,7 +25604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 xserver_rw_session(xdm_t,xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
-@@ -504,10 +570,12 @@
+@@ -504,10 +572,12 @@
 optional_policy(`
 	alsa_domtrans(xdm_t)
@ -25612,7 +25617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -515,12 +583,45 @@
+@@ -515,12 +585,45 @@
 ')
 optional_policy(`
@ -25658,7 +25663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	hostname_exec(xdm_t)
 ')
-@@ -542,6 +643,23 @@
+@@ -542,6 +645,23 @@
 ')
 optional_policy(`
@ -25682,7 +25687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -550,8 +668,9 @@
+@@ -550,8 +670,9 @@
 ')
 optional_policy(`
@ -25694,7 +25699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +679,6 @@
+@@ -560,7 +681,6 @@
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
 	')
@ -25702,7 +25707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +689,10 @@
+@@ -571,6 +691,10 @@
 ')
 optional_policy(`
@ -25713,7 +25718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
-@@ -587,7 +709,7 @@
+@@ -587,7 +711,7 @@
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -25722,7 +25727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +724,11 @@
+@@ -602,9 +726,11 @@
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -25734,7 +25739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +740,14 @@
+@@ -616,13 +742,14 @@
 type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
 allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@ -25750,7 +25755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +760,19 @@
+@@ -635,9 +762,19 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -25770,7 +25775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +815,14 @@
+@@ -680,9 +817,14 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -25785,7 +25790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +837,13 @@
+@@ -697,8 +839,13 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -25799,7 +25804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +865,7 @@
+@@ -720,6 +867,7 @@
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -25807,7 +25812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 modutils_domtrans_insmod(xserver_t)
-@@ -742,7 +888,7 @@
+@@ -742,7 +890,7 @@
 ')
 ifdef(`enable_mls',`
@ -25816,7 +25821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
-@@ -774,12 +920,16 @@
+@@ -774,12 +922,16 @@
 ')
 optional_policy(`
@ -25834,7 +25839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_domtrans(xserver_t)
 ')
-@@ -806,7 +956,7 @@
+@@ -806,7 +958,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
@ -25843,7 +25848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +977,14 @@
+@@ -827,9 +979,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -25858,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +999,14 @@
+@@ -844,11 +1001,14 @@
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -25874,7 +25879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -856,6 +1014,11 @@
+@@ -856,6 +1016,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
@ -25886,7 +25891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -881,6 +1044,8 @@
+@@ -881,6 +1046,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -25895,7 +25900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1070,8 @@
+@@ -905,6 +1072,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -25904,7 +25909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1139,49 @@
+@@ -972,17 +1141,49 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -28200,16 +28205,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/mount.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/mount.te	2009-05-06 07:59:38.000000000 -0400
-@@ -18,17 +18,21 @@
+@@ -18,17 +18,22 @@
 init_system_domain(mount_t,mount_exec_t)
 role system_r types mount_t;
 -type mount_loopback_t; # customizable
 -files_type(mount_loopback_t)
 +typealias mount_t alias mount_ntfs_t;
 +typealias mount_exec_t alias mount_ntfs_exec_t;
 +
- type mount_loopback_t; # customizable
+type mount_loop_t; # customizable
- files_type(mount_loopback_t)
+files_type(mount_loop_t)
 +typealias mount_loop_t alias mount_loopback_t;
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
@ -28226,7 +28234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
-@@ -36,7 +40,8 @@
+@@ -36,9 +41,10 @@
 #
 # setuid/setgid needed to mount cifs 
@ -28234,9 +28242,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
 +allow mount_t self:process { ptrace signal };
- allow mount_t mount_loopback_t:file read_file_perms;
+-allow mount_t mount_loopback_t:file read_file_perms;
 +allow mount_t mount_loop_t:file read_file_perms;
-@@ -47,12 +52,25 @@
+ allow mount_t mount_tmp_t:file manage_file_perms;
 allow mount_t mount_tmp_t:dir manage_dir_perms;
@@ -47,12 +53,25 @@
 files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
@ -28262,7 +28273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +80,19 @@
+@@ -62,16 +81,19 @@
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
@ -28285,7 +28296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_use_all_terms(mount_t)
-@@ -79,6 +100,7 @@
+@@ -79,6 +101,7 @@
 corecmd_exec_bin(mount_t)
 domain_use_interactive_fds(mount_t)
@ -28293,7 +28304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_search_all(mount_t)
 files_read_etc_files(mount_t)
-@@ -87,7 +109,7 @@
+@@ -87,7 +110,7 @@
 files_mounton_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
 # These rules need to be generalized.  Only admin, initrc should have it:
@ -28302,7 +28313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
-@@ -100,6 +122,8 @@
+@@ -100,6 +123,8 @@
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
@ -28311,7 +28322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_use_nsswitch(mount_t)
-@@ -116,6 +140,7 @@
+@@ -116,6 +141,7 @@
 seutil_read_config(mount_t)
 userdom_use_all_users_fds(mount_t)
@ -28319,7 +28330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -133,7 +158,7 @@
+@@ -133,7 +159,7 @@
 tunable_policy(`allow_mount_anyfile',`
 	auth_read_all_dirs_except_shadow(mount_t)
@ -28328,7 +28339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_mounton_non_security(mount_t)
 ')
-@@ -141,16 +166,16 @@
+@@ -141,16 +167,16 @@
 	# for nfs
 	corenet_all_recvfrom_unlabeled(mount_t)
 	corenet_all_recvfrom_netlabel(mount_t)
@ -28353,7 +28364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	corenet_tcp_bind_generic_port(mount_t)
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
-@@ -164,6 +189,8 @@
+@@ -164,6 +190,8 @@
 	fs_search_rpc(mount_t)
 	rpc_stub(mount_t)
@ -28362,7 +28373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -171,6 +198,15 @@
+@@ -171,6 +199,15 @@
 ')
 optional_policy(`
@ -28378,7 +28389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ifdef(`hide_broken_symptoms',`
 		# for a bug in the X server
 		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +214,11 @@
+@@ -178,6 +215,11 @@
 	')
 ')
@ -28390,7 +28401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # for kernel package installation
 optional_policy(`
 	rpm_rw_pipes(mount_t)
-@@ -185,14 +226,24 @@
+@@ -185,14 +227,24 @@
 optional_policy(`
 	samba_domtrans_smbmount(mount_t)
@ -30468,7 +30479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-28 16:06:27.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-06 08:49:37.000000000 -0400
@@ -30,8 +30,9 @@
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 29%{?dist}
+Release: 30%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -477,6 +477,9 @@ exit 0
 %endif
 %changelog
 * Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-30
 -Remove duplicate line
 * Tue May 5 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-29
 - Allow svirt to manage pci and other sysfs device data