- New paths for upstart

2010-07-26 21:46:12 +00:00 · 2010-07-26 21:46:12 +00:00 · a1ef703492
parent 8d55a410dc
commit a1ef703492
2 changed files with 118 additions and 54 deletions
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -1272,6 +1272,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
 
 optional_policy(`
 	hostname_exec(shorewall_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.8.8/policy/modules/admin/shutdown.fc
+--- nsaserefpolicy/policy/modules/admin/shutdown.fc	2010-07-14 11:21:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc	2010-07-26 16:52:20.000000000 -0400
+@@ -3,3 +3,5 @@
+ /sbin/shutdown		--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /var/run/shutdown\.pid 	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
+
+/lib/upstart/shutdown 	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.8.8/policy/modules/admin/shutdown.if
 --- nsaserefpolicy/policy/modules/admin/shutdown.if	2010-07-14 11:21:53.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if	2010-07-20 10:46:10.000000000 -0400
@ -5383,8 +5392,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te	2010-07-20 10:46:10.000000000 -0400
-@@ -5,40 +5,39 @@
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te	2010-07-26 17:02:42.000000000 -0400
+@@ -5,40 +5,41 @@
 # Declarations
 #
 
@ -5419,16 +5428,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 
 -files_read_etc_files(seunshare_t)
 -files_mounton_all_poly_members(seunshare_t)
-+auth_use_nsswitch(seunshare_domain)
+fs_manage_cgroup_dirs(seunshare_domain)
 
 -auth_use_nsswitch(seunshare_t)
-+logging_send_syslog_msg(seunshare_domain)
+auth_use_nsswitch(seunshare_domain)
 
 -logging_send_syslog_msg(seunshare_t)
-+miscfiles_read_localization(seunshare_domain)
+logging_send_syslog_msg(seunshare_domain)
 
 -miscfiles_read_localization(seunshare_t)
-
+miscfiles_read_localization(seunshare_domain)
+ 
 -userdom_use_user_terminals(seunshare_t)
 +userdom_use_user_terminals(seunshare_domain)
 
@ -6519,8 +6529,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-07-26 14:00:19.000000000 -0400
-@@ -606,6 +606,24 @@
+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-07-26 16:44:30.000000000 -0400
+@@ -497,6 +497,24 @@
+ 
+ ########################################
+ ## <summary>
+##	Read generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+ ##	Read and write generic character device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -606,6 +624,24 @@
 
 ########################################
 ## <summary>
@ -6545,7 +6580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ##	Create, delete, read, and write symbolic links in device directories.
 ## </summary>
 ## <param name="domain">
-@@ -1015,6 +1033,42 @@
+@@ -1015,6 +1051,42 @@
 
 ########################################
 ## <summary>
@ -6588,7 +6623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ##	Delete all block device files.
 ## </summary>
 ## <param name="domain">
-@@ -3540,6 +3594,24 @@
+@@ -3540,6 +3612,24 @@
 
 ########################################
 ## <summary>
@ -6613,7 +6648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ##	Get the attributes of sysfs directories.
 ## </summary>
 ## <param name="domain">
-@@ -3851,6 +3923,24 @@
+@@ -3851,6 +3941,24 @@
 
 ########################################
 ## <summary>
@ -6638,7 +6673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 ##	Mount a usbfs filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -4161,11 +4251,10 @@
+@@ -4161,11 +4269,10 @@
 #
 interface(`dev_rw_vhost',`
 	gen_require(`
@ -7584,7 +7619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-07-21 11:43:41.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-07-26 17:02:26.000000000 -0400
@@ -1233,7 +1233,7 @@
 		type cifs_t;
 	')
@ -17349,7 +17384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-07-21 08:47:33.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-07-26 17:39:52.000000000 -0400
@@ -220,6 +220,25 @@
 	application_executable_file($1)
 ')
@ -17400,7 +17435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ')
 
 ########################################
-@@ -391,12 +408,13 @@
+@@ -391,12 +408,15 @@
 #
 interface(`mta_sendmail_domtrans',`
 	gen_require(`
@ -17412,11 +17447,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 +	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
 	corecmd_read_bin_symlinks($1)
 -	domain_auto_trans($1, sendmail_exec_t, $2)
+
+	allow $2 mta_exec_type:file entrypoint;
 +	domtrans_pattern($1, mta_exec_type, $2)
 ')
 
 ########################################
-@@ -474,7 +492,8 @@
+@@ -474,7 +494,8 @@
 		type etc_mail_t;
 	')
 
@ -17426,7 +17463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ')
 
 ########################################
-@@ -698,7 +717,7 @@
+@@ -698,7 +719,7 @@
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
 	allow $1 mail_spool_t:file setattr;
@ -17437,7 +17474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-07-20 10:46:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-07-26 17:09:17.000000000 -0400
@@ -21,7 +21,7 @@
 files_config_file(etc_mail_t)
 
@ -17447,6 +17484,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 
 type mqueue_spool_t;
 files_mountpoint(mqueue_spool_t)
+@@ -62,9 +62,9 @@
+ 
+ can_exec(system_mail_t, mta_exec_type)
+ 
+-kernel_read_system_state(system_mail_t)
+-kernel_read_network_state(system_mail_t)
+-kernel_request_load_module(system_mail_t)
+kernel_read_system_state(user_mail_domain)
+kernel_read_network_state(user_mail_domain)
+kernel_request_load_module(user_mail_domain)
+ 
+ dev_read_sysfs(system_mail_t)
+ dev_read_rand(system_mail_t)
@@ -82,6 +82,9 @@
 
 userdom_use_user_terminals(system_mail_t)
@ -21487,7 +21537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.te	2010-07-20 10:46:11.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/samba.te	2010-07-26 17:19:57.000000000 -0400
@@ -152,9 +152,6 @@
 type winbind_log_t;
 logging_log_file(winbind_log_t)
@ -21585,7 +21635,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 allow swat_t smbd_exec_t:file mmap_file_perms ;
 
-@@ -754,6 +750,8 @@
+@@ -710,6 +706,7 @@
+ domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+ allow swat_t winbind_t:process { signal signull };
+ 
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+ allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+ allow swat_t winbind_var_run_t:sock_file { create unlink };
+ 
+@@ -754,6 +751,8 @@
 
 miscfiles_read_localization(swat_t)
 
@ -21594,7 +21652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
-@@ -806,14 +804,14 @@
+@@ -806,14 +805,14 @@
 allow winbind_t winbind_log_t:file manage_file_perms;
 logging_log_filetrans(winbind_t, winbind_log_t, file)
 
@ -21614,7 +21672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 kernel_read_kernel_sysctls(winbind_t)
 kernel_read_system_state(winbind_t)
-@@ -833,6 +831,7 @@
+@@ -833,6 +832,7 @@
 corenet_tcp_bind_generic_node(winbind_t)
 corenet_udp_bind_generic_node(winbind_t)
 corenet_tcp_connect_smbd_port(winbind_t)
@ -21622,7 +21680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
 
-@@ -922,6 +921,18 @@
+@@ -922,6 +922,18 @@
 #
 
 optional_policy(`
@ -21641,7 +21699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
-@@ -932,9 +943,12 @@
+@@ -932,9 +944,12 @@
 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 
@ -26302,8 +26360,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.fc	2010-07-20 10:46:11.000000000 -0400
-@@ -24,6 +24,11 @@
+++ serefpolicy-3.8.8/policy/modules/system/init.fc	2010-07-26 16:50:56.000000000 -0400
+@@ -24,7 +24,13 @@
 #
 # /sbin
 #
@ -26313,9 +26371,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
 +# /sbin
 +#
 /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
-@@ -44,6 +49,9 @@
+ /sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+@@ -44,6 +50,9 @@
 
 /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
@ -26693,7 +26753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-07-26 14:00:27.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-07-26 16:44:55.000000000 -0400
@@ -16,6 +16,27 @@
 ## </desc>
 gen_tunable(init_upstart, false)
@ -26805,7 +26865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,64 @@
+@@ -185,15 +216,65 @@
 	sysadm_shell_domtrans(init_t)
 ')
 
@ -26826,6 +26886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +	dev_write_kmsg(init_t)
 +	dev_rw_autofs(init_t)
 +	dev_manage_generic_dirs(init_t)
+	dev_read_generic_chr_files(init_t)
 +
 +	files_mounton_all_mountpoints(init_t)
 +	files_manage_all_pids_dirs(init_t)
@ -26870,7 +26931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	nscd_socket_use(init_t)
 ')
 
-@@ -211,7 +291,7 @@
+@@ -211,7 +292,7 @@
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -26879,7 +26940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -240,6 +320,7 @@
+@@ -240,6 +321,7 @@
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -26887,7 +26948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +338,22 @@
+@@ -257,11 +339,22 @@
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -26910,7 +26971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 corecmd_exec_all_executables(initrc_t)
 
-@@ -297,11 +389,13 @@
+@@ -297,11 +390,13 @@
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -26924,7 +26985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-@@ -320,8 +414,10 @@
+@@ -320,8 +415,10 @@
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -26936,7 +26997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -337,6 +433,8 @@
+@@ -337,6 +434,8 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -26945,7 +27006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 fs_delete_cgroup_dirs(initrc_t)
 fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +448,8 @@
+@@ -350,6 +449,8 @@
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -26954,7 +27015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
-@@ -362,6 +462,7 @@
+@@ -362,6 +463,7 @@
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -26962,7 +27023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -393,13 +494,14 @@
+@@ -393,13 +495,14 @@
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -26978,7 +27039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +574,7 @@
+@@ -472,7 +575,7 @@
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -26987,7 +27048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -518,6 +620,19 @@
+@@ -518,6 +621,19 @@
 	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
@ -27007,7 +27068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	')
 
 	optional_policy(`
-@@ -525,10 +640,17 @@
+@@ -525,10 +641,17 @@
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -27025,7 +27086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	')
 
 	optional_policy(`
-@@ -543,6 +665,35 @@
+@@ -543,6 +666,35 @@
 	')
 ')
 
@ -27061,7 +27122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +706,8 @@
+@@ -555,6 +707,8 @@
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -27070,7 +27131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 
 optional_policy(`
-@@ -571,6 +724,7 @@
+@@ -571,6 +725,7 @@
 
 optional_policy(`
 	cgroup_stream_connect(initrc_t)
@ -27078,7 +27139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 
 optional_policy(`
-@@ -583,6 +737,11 @@
+@@ -583,6 +738,11 @@
 ')
 
 optional_policy(`
@ -27090,7 +27151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -599,6 +758,7 @@
+@@ -599,6 +759,7 @@
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -27098,7 +27159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
-@@ -700,7 +860,12 @@
+@@ -700,7 +861,12 @@
 ')
 
 optional_policy(`
@ -27111,7 +27172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -723,6 +888,10 @@
+@@ -723,6 +889,10 @@
 ')
 
 optional_policy(`
@ -27122,7 +27183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -765,8 +934,6 @@
+@@ -765,8 +935,6 @@
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -27131,7 +27192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 
 optional_policy(`
-@@ -779,10 +946,12 @@
+@@ -779,10 +947,12 @@
 	squid_manage_logs(initrc_t)
 ')
 
@ -27144,7 +27205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +973,19 @@
+@@ -804,11 +974,19 @@
 ')
 
 optional_policy(`
@ -27165,7 +27226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +995,25 @@
+@@ -818,6 +996,25 @@
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -27191,7 +27252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 
 optional_policy(`
-@@ -843,3 +1039,55 @@
+@@ -843,3 +1040,55 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -469,6 +469,9 @@ exit 0
 %endif

 %changelog
+* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-6
+- New paths for upstart
+
 * Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-5
 - New permissions for syslog
 - New labels for /lib/upstart