- New log file for vmware

- Allow xdm to setattr on user_tmp_t
2009-05-26 16:57:59 +00:00 · 2009-05-26 16:57:59 +00:00 · 9ee63df41a
commit 9ee63df41a
parent ef7416c2b8
2 changed files with 123 additions and 71 deletions
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -4776,6 +4776,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type uml_tmp_t;
 typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.13/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.13/policy/modules/apps/vmware.fc	2009-05-26 08:07:36.000000000 -0400
@@ -63,6 +63,7 @@
 ')
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
 +/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.13/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.13/policy/modules/apps/vmware.te	2009-05-21 09:48:23.000000000 -0400
@ -8683,7 +8694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +permissive afs_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.13/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/services/apache.fc	2009-05-21 09:48:23.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/apache.fc	2009-05-26 09:24:36.000000000 -0400
@@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -8746,7 +8757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -64,11 +74,28 @@
+@@ -64,11 +74,30 @@
 /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
@ -8774,7 +8785,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
-+/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.13/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.13/policy/modules/services/apache.if	2009-05-21 09:48:23.000000000 -0400
@ -10704,7 +10717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.13/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/services/cron.if	2009-05-21 09:48:23.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/cron.if	2009-05-26 08:39:51.000000000 -0400
@@ -12,6 +12,10 @@
 ## </param>
 #
@ -10757,43 +10770,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	miscfiles_read_localization($1_t)
-@@ -147,26 +163,26 @@
+@@ -147,27 +163,14 @@
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
 -		type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
-+		type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+		type unconfined_cronjob_t;
 	')
 -	role $1 types { unconfined_cronjob_t crontab_t };
-+	role $1 types { unconfined_cronjob_t admin_crontab_t };
+	role $1 types unconfined_cronjob_t;
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
- 	# Transition from the user domain to the derived domain.
+-	# Transition from the user domain to the derived domain.
 -	domtrans_pattern($2, crontab_exec_t, crontab_t)
-+	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+-
- 
+-	# crontab shows up in user ps
 	# crontab shows up in user ps
 -	ps_process_pattern($2, crontab_t)
 -	allow $2 crontab_t:process signal;
-+	ps_process_pattern($2, admin_crontab_t)
+-
-+	allow $2 admin_crontab_t:process signal;
+-	# Run helper programs as the user domain
 	# Run helper programs as the user domain
 -	#corecmd_bin_domtrans(crontab_t, $2)
 -	#corecmd_shell_domtrans(crontab_t, $2)
 -	corecmd_exec_bin(crontab_t)
 -	corecmd_exec_shell(crontab_t)
-+	#corecmd_bin_domtrans(admin_crontab_t, $2)
+-
 +	#corecmd_shell_domtrans(admin_crontab_t, $2)
 +	corecmd_exec_bin(admin_crontab_t)
 +	corecmd_exec_shell(admin_crontab_t)
 	optional_policy(`
 		gen_require(`
-@@ -261,10 +277,12 @@
+ 			class dbus send_msg;
@@ -261,10 +264,12 @@
 	allow $1 system_cronjob_t:fifo_file rw_file_perms;
 	allow $1 system_cronjob_t:process sigchld;
@ -10806,7 +10813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	role system_r types $1;
 ')
-@@ -343,6 +361,24 @@
+@@ -343,6 +348,24 @@
 ########################################
 ## <summary>
@ -10831,7 +10838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Read and write a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
-@@ -361,7 +397,7 @@
+@@ -361,7 +384,7 @@
 ########################################
 ## <summary>
@ -10840,7 +10847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -369,7 +405,7 @@
+@@ -369,7 +392,7 @@
 ##	</summary>
 ## </param>
 #
@ -10849,7 +10856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	gen_require(`
 		type crond_t;
 	')
-@@ -416,6 +452,42 @@
+@@ -416,6 +439,42 @@
 ########################################
 ## <summary>
@ -10892,7 +10899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Inherit and use a file descriptor
 ##	from system cron jobs.
 ## </summary>
-@@ -481,11 +553,14 @@
+@@ -481,11 +540,14 @@
 #
 interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
@ -10908,7 +10915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -506,3 +581,101 @@
+@@ -506,3 +568,101 @@
 	dontaudit $1 system_cronjob_tmp_t:file append;
 ')
@ -17928,6 +17935,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.13/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2009-05-22 10:28:56.000000000 -0400
 +++ serefpolicy-3.6.13/policy/modules/services/postgresql.if	2009-05-21 09:48:24.000000000 -0400
@@ -64,7 +64,7 @@
 	allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
 	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
 -	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
 +	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
 	type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
 	allow $2 sepgsql_trusted_proc_t:process transition;
@@ -362,7 +362,7 @@
 	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
 	type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
 -	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
 +	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
 	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
 ')
@@ -384,3 +384,46 @@
 	typeattribute $1 sepgsql_unconfined_type;
@ -17978,6 +18003,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.13/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2009-05-22 10:28:56.000000000 -0400
 +++ serefpolicy-3.6.13/policy/modules/services/postgresql.te	2009-05-21 09:48:24.000000000 -0400
@@ -1,5 +1,5 @@
 -policy_module(postgresql, 1.8.7)
 +policy_module(postgresql, 1.8.6)
 gen_require(`
 	class db_database all_db_database_perms;
@@ -32,6 +32,9 @@
 type postgresql_etc_t;
 files_config_file(postgresql_etc_t)
@ -24139,7 +24171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.13/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/services/xserver.te	2009-05-21 09:48:24.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/services/xserver.te	2009-05-26 08:16:53.000000000 -0400
@@ -34,6 +34,13 @@
 ## <desc>
@ -24493,16 +24525,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +538,8 @@
+@@ -472,6 +538,9 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
 +userdom_manage_user_tmp_dirs(xdm_t)
 +userdom_manage_user_tmp_sockets(xdm_t)
 +userdom_manage_tmpfs_role(system_r, xdm_t)
 xserver_rw_session(xdm_t,xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
-@@ -504,10 +572,12 @@
+@@ -504,10 +573,12 @@
 optional_policy(`
 	alsa_domtrans(xdm_t)
@ -24515,7 +24548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -515,12 +585,45 @@
+@@ -515,12 +586,45 @@
 ')
 optional_policy(`
@ -24561,7 +24594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	hostname_exec(xdm_t)
 ')
-@@ -542,6 +645,23 @@
+@@ -542,6 +646,23 @@
 ')
 optional_policy(`
@ -24585,7 +24618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	seutil_sigchld_newrole(xdm_t)
 ')
-@@ -550,8 +670,9 @@
+@@ -550,8 +671,9 @@
 ')
 optional_policy(`
@ -24597,7 +24630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +681,6 @@
+@@ -560,7 +682,6 @@
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
 	')
@ -24605,7 +24638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +691,10 @@
+@@ -571,6 +692,10 @@
 ')
 optional_policy(`
@ -24616,7 +24649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
-@@ -587,7 +711,7 @@
+@@ -587,7 +712,7 @@
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -24625,7 +24658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +726,11 @@
+@@ -602,9 +727,11 @@
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -24637,7 +24670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +742,14 @@
+@@ -616,13 +743,14 @@
 type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
 allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@ -24653,7 +24686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +762,19 @@
+@@ -635,9 +763,19 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -24673,7 +24706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +817,14 @@
+@@ -680,9 +818,14 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -24688,7 +24721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +839,13 @@
+@@ -697,8 +840,13 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -24702,7 +24735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +867,7 @@
+@@ -720,6 +868,7 @@
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -24710,7 +24743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 modutils_domtrans_insmod(xserver_t)
-@@ -742,7 +890,7 @@
+@@ -742,7 +891,7 @@
 ')
 ifdef(`enable_mls',`
@ -24719,7 +24752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
-@@ -774,12 +922,16 @@
+@@ -774,12 +923,16 @@
 ')
 optional_policy(`
@ -24737,7 +24770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_domtrans(xserver_t)
 ')
-@@ -806,7 +958,7 @@
+@@ -806,7 +959,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
@ -24746,7 +24779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +979,14 @@
+@@ -827,9 +980,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -24761,7 +24794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +1001,14 @@
+@@ -844,11 +1002,14 @@
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -24777,7 +24810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -856,6 +1016,11 @@
+@@ -856,6 +1017,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
@ -24789,7 +24822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -881,6 +1046,8 @@
+@@ -881,6 +1047,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -24798,7 +24831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1072,8 @@
+@@ -905,6 +1073,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -24807,7 +24840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1141,49 @@
+@@ -972,17 +1142,49 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -24968,8 +25001,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.13/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/authlogin.if	2009-05-21 09:48:24.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/system/authlogin.if	2009-05-26 08:44:04.000000000 -0400
-@@ -43,20 +43,38 @@
+@@ -43,22 +43,42 @@
 interface(`auth_login_pgm_domain',`
 	gen_require(`
 		type var_auth_t;
@ -25007,8 +25040,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 	# for SSP/ProPolice
 	dev_read_urand($1)
 +	# for encrypted homedir
 +	dev_read_sysfs($1)
 	# for fingerprint readers
-@@ -90,6 +108,7 @@
+ 	dev_rw_input_dev($1)
 	dev_rw_generic_usb_dev($1)
@@ -90,6 +110,7 @@
 	auth_rw_faillog($1)
 	auth_exec_pam($1)
 	auth_use_nsswitch($1)
@ -25016,7 +25053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	init_rw_utmp($1)
-@@ -100,9 +119,42 @@
+@@ -100,9 +121,42 @@
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
@ -25061,7 +25098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -197,8 +249,11 @@
+@@ -197,8 +251,11 @@
 interface(`auth_domtrans_chk_passwd',`
 	gen_require(`
 		type chkpwd_t, chkpwd_exec_t, shadow_t;
@ -25073,7 +25110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	corecmd_search_bin($1)
 	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
-@@ -207,19 +262,16 @@
+@@ -207,19 +264,16 @@
 	dev_read_rand($1)
 	dev_read_urand($1)
@ -25098,7 +25135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	optional_policy(`
-@@ -230,6 +282,29 @@
+@@ -230,6 +284,29 @@
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 	')
@ -25128,7 +25165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -254,6 +329,7 @@
+@@ -254,6 +331,7 @@
 	auth_domtrans_chk_passwd($1)
 	role $2 types chkpwd_t;
@ -25136,7 +25173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -650,7 +726,7 @@
+@@ -650,7 +728,7 @@
 ########################################
 ## <summary>
@ -25145,7 +25182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1031,6 +1107,32 @@
+@@ -1031,6 +1109,32 @@
 ########################################
 ## <summary>
@ -25178,7 +25215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Manage all files on the filesystem, except
 ##	the shadow passwords and listed exceptions.
 ## </summary>
-@@ -1297,6 +1399,14 @@
+@@ -1297,6 +1401,14 @@
 	')
 	optional_policy(`
@ -25193,7 +25230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		nis_use_ypbind($1)
 	')
-@@ -1305,8 +1415,13 @@
+@@ -1305,8 +1417,13 @@
 	')
 	optional_policy(`
@ -25207,7 +25244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -1341,3 +1456,99 @@
+@@ -1341,3 +1458,99 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -25452,8 +25489,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.13/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/init.fc	2009-05-21 09:48:24.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/system/init.fc	2009-05-26 09:16:32.000000000 -0400
-@@ -4,8 +4,7 @@
+@@ -4,10 +4,10 @@
 /etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
@ -25462,8 +25499,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 +/etc/sysconfig/network-scripts/ifup-ipsec  	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -45,6 +44,8 @@
+ /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -45,6 +45,8 @@
 /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
@ -25474,7 +25514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.13/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/init.if	2009-05-21 09:48:24.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/system/init.if	2009-05-26 09:12:18.000000000 -0400
@@ -174,6 +174,7 @@
 	role system_r types $1;
@ -26075,7 +26115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.13/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.13/policy/modules/system/ipsec.te	2009-05-21 09:48:24.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/system/ipsec.te	2009-05-26 09:16:40.000000000 -0400
@@ -55,7 +55,7 @@
 allow ipsec_t self:capability { net_admin dac_override dac_read_search };
@ -26103,6 +26143,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
@@ -347,6 +349,7 @@
 files_read_etc_files(setkey_t)
 init_dontaudit_use_fds(setkey_t)
 +init_read_script_tmp_files(setkey_t)
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.13/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2009-04-06 12:42:08.000000000 -0400
 +++ serefpolicy-3.6.13/policy/modules/system/iptables.fc	2009-05-21 13:27:58.000000000 -0400
@ -29267,7 +29315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.13/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.13/policy/modules/system/userdomain.if	2009-05-21 09:48:24.000000000 -0400
+++ serefpolicy-3.6.13/policy/modules/system/userdomain.if	2009-05-26 08:16:31.000000000 -0400
@@ -30,8 +30,9 @@
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -473,6 +473,10 @@ exit 0
 %endif
 %changelog
 * Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-2
 - New log file for vmware
 - Allow xdm to setattr on user_tmp_t
 * Thu May 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-1
 - Upgrade to upstream