Merge branches 'master', 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

2010-12-10 13:30:20 -05:00 · 2010-12-10 13:30:20 -05:00 · acc2557fca
commit acc2557fca
parent d01d9d9503 b04a855a22
4 changed files with 214 additions and 79 deletions
--- a/modules-mls.conf
+++ b/modules-mls.conf
@ -2082,3 +2082,10 @@ shorewall = base
 # Policy for shutdown
 # 
 shutdown = module
+
+# Layer: kernel
+# Module: unlabelednet
+#
+# The unlabelednet module.
+#
+unlabelednet = module
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1762,6 +1762,14 @@ userdomain = base
 # 
 unconfined = module

+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
 # Layer: services
 # Module: ulogd
 #
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -220,18 +220,35 @@ index 90d5203..1392679 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
-index 453834c..5ff732d 100644
+index 453834c..9d83d66 100644
 --- a/policy/modules/admin/alsa.te
 +++ b/policy/modules/admin/alsa.te
-@@ -11,7 +11,7 @@ init_system_domain(alsa_t, alsa_exec_t)
+@@ -11,7 +11,10 @@ init_system_domain(alsa_t, alsa_exec_t)
 role system_r types alsa_t;
 
 type alsa_etc_rw_t;
 -files_type(alsa_etc_rw_t)
 +files_config_file(alsa_etc_rw_t)
+
+type alsa_tmp_t;
+files_tmp_file(alsa_tmp_t)
 
 type alsa_var_lib_t;
 files_type(alsa_var_lib_t)
+@@ -39,6 +42,13 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+ 
+ can_exec(alsa_t, alsa_exec_t)
+ 
+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+userdom_dontaudit_setattr_user_tmp(alsa_t)
+
+
+ manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+ manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
+ files_search_var_lib(alsa_t)
 diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
 index f76ed8a..9a9526a 100644
 --- a/policy/modules/admin/anaconda.te
@ -347,7 +364,7 @@ index a2e9cb5..b2de42c 100644
 optional_policy(`
 	apache_exec_modules(certwatch_t)
 diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index 66fee7d..9191e32 100644
+index 66fee7d..1d231b8 100644
 --- a/policy/modules/admin/consoletype.te
 +++ b/policy/modules/admin/consoletype.te
@@ -79,16 +79,18 @@ optional_policy(`
@ -355,7 +372,7 @@ index 66fee7d..9191e32 100644
 
 optional_policy(`
 +	devicekit_dontaudit_read_pid_files(consoletype_t)
-+	devicekit_dontaudit_write_log(consoletype_t)
+	devicekit_dontaudit_rw_log(consoletype_t)
 +')
 +
 +optional_policy(`
@ -4165,7 +4182,7 @@ index 9a6d67d..b0c1197 100644
 ##	mozilla over dbus.
 ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..9826f66 100644
+index cbf4bec..1aa992d 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2)
@ -4247,7 +4264,7 @@ index cbf4bec..9826f66 100644
 	pulseaudio_exec(mozilla_t)
 	pulseaudio_stream_connect(mozilla_t)
 	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,144 @@ optional_policy(`
+@@ -266,3 +291,145 @@ optional_policy(`
 optional_policy(`
 	thunderbird_domtrans(mozilla_t)
 ')
@ -4375,6 +4392,7 @@ index cbf4bec..9826f66 100644
 +	nsplugin_manage_home_dirs(mozilla_plugin_t)
 +	nsplugin_manage_home_files(mozilla_plugin_t)
 +	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
+	nsplugin_user_home_filetrans(mozilla_plugin_t, file)
 +	nsplugin_signal(mozilla_plugin_t)
 +')
 +
@ -4495,10 +4513,10 @@ index 0000000..717eb3f
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
 new file mode 100644
-index 0000000..c06e99e
+index 0000000..4f9cb05
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,455 @@
+@@ -0,0 +1,480 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -4933,7 +4951,32 @@ index 0000000..c06e99e
 +		type nsplugin_home_t;
 +	')
 +
-+	userdom_user_home_content_filetrans($1, nsplugin_home_t,  $2)
+	userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
+')
+
+#######################################
+## <summary>
+##  Create objects in a user home directory
+##  with an automatic type transition to
+##  the nsplugin home file type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="object_class">
+##  <summary>
+##  The class of the object to be created.
+##  </summary>
+## </param>
+#
+interface(`nsplugin_user_home_filetrans',`
+    gen_require(`
+        type nsplugin_home_t;
+    ')
+
+    userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
 +')
 +
 +########################################
@ -7681,7 +7724,7 @@ index 82842a0..4111a1d 100644
 		dbus_system_bus_client($1_wm_t)
 		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..4842e56 100644
+index 34c9d01..6e68bd2 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@ -7705,7 +7748,16 @@ index 34c9d01..4842e56 100644
 /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-@@ -307,6 +309,7 @@ ifdef(`distro_redhat', `
+@@ -247,6 +249,8 @@ ifdef(`distro_gentoo',`
+ /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
+ /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
+ /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -307,6 +311,7 @@ ifdef(`distro_redhat', `
 /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@ -7737,7 +7789,7 @@ index 9e5c83e..953e0e8 100644
 +/lib/udev/devices/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index b06df19..ae572ad 100644
+index b06df19..f20833d 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
@@ -86,6 +86,33 @@ interface(`corenet_rpc_port',`
@ -7774,7 +7826,7 @@ index b06df19..ae572ad 100644
 ##	Define type to be a network client packet type
 ## </summary>
 ## <desc>
-@@ -2149,13 +2176,18 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2149,9 +2176,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 ## </param>
 #
 interface(`corenet_tcp_recvfrom_unlabeled',`
@ -7789,13 +7841,8 @@ index b06df19..ae572ad 100644
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
 	# older systems
-	kernel_sendrecv_unlabeled_association($1)
-+#	kernel_sendrecv_unlabeled_association($1)
- ')
- 
- ########################################
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 36ba519..7be305d 100644
+index 36ba519..e2d8b49 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type;
@ -8003,17 +8050,6 @@ index 36ba519..7be305d 100644
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
-@@ -262,6 +302,10 @@ network_interface(lo, lo, s0 - mls_systemhigh)
- typealias netif_t alias { lo_netif_t netif_lo_t };
- ')
- 
-+optional_policy(`
-+	unlabelednet_sendrecv_packets(corenet_unlabeled_type)
-+')
-+
- ########################################
- #
- # Unconfined access to this module
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
 index 3b2da10..7c29e17 100644
 --- a/policy/modules/kernel/devices.fc
@ -10399,7 +10435,7 @@ index 6d21b3d..255b47a 100644
 
 #
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index b4ad6d7..0937933 100644
+index b4ad6d7..67e89f0 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
@ -10463,6 +10499,15 @@ index b4ad6d7..0937933 100644
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
+@@ -2561,7 +2599,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+ 	allow $1 unlabeled_t:association { sendto recvfrom };
+ 
+ 	# temporary hack until labeling on packets is supported
+-	allow $1 unlabeled_t:packet { send recv };
+#	allow $1 unlabeled_t:packet { send recv };
+ ')
+ 
+ ########################################
@@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 
 ########################################
@ -10922,38 +10967,24 @@ index 0000000..f310b9d
 +# No unlabelednet file contexts.
 diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
 new file mode 100644
-index 0000000..ba2f0b8
+index 0000000..0ce0470
 --- /dev/null
 +++ b/policy/modules/kernel/unlabelednet.if
-@@ -0,0 +1,19 @@
-+## <summary> Policy for allowing confined domains to talk use unlabeled_t packets. </summary>
-+
-+########################################
-+## <summary>
-+##	Allow specified type to send recv unlabeled packets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`unlabelednet_sendrecv_packets',`
-+	gen_require(`
-+		attribute unlabelednet_domain;
-+	')
-+
-+	kernel_sendrecv_unlabeled_association($1)
-+')
+@@ -0,0 +1 @@
+## <summary> Policy for allowing confined domains to use unlabeled_t packets</summary>
 diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
 new file mode 100644
-index 0000000..dee5ba8
+index 0000000..571c3b9
 --- /dev/null
 +++ b/policy/modules/kernel/unlabelednet.te
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,7 @@
 +policy_module(unlabelednet, 1.0)
 +
-+attribute unlabelednet_domain;
+gen_require(`
+	attribute corenet_unlabeled_type;
+')
+
+kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
 diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
 index b0d5b27..a96f2e6 100644
 --- a/policy/modules/roles/auditadm.te
@ -15998,10 +16029,10 @@ index 0000000..fa9b95a
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..4bc3f06
+index 0000000..3b58d07
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,169 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@ -16122,7 +16153,7 @@ index 0000000..4bc3f06
 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 +allow boinc_t boinc_project_t:process sigkill;
 +
-+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
 +allow boinc_project_t self:process { execmem execstack };
 +
 +allow boinc_project_t self:fifo_file rw_fifo_file_perms;
@ -16162,6 +16193,8 @@ index 0000000..4bc3f06
 +dev_rw_xserver_misc(boinc_project_t)
 +
 +files_read_etc_files(boinc_project_t)
+files_read_etc_runtime_files(boinc_project_t)
+files_read_usr_files(boinc_project_t)
 +
 +miscfiles_read_fonts(boinc_project_t)
 +miscfiles_read_localization(boinc_project_t)
@ -17131,7 +17164,7 @@ index 1f11572..7f6a7ab 100644
 	')
 
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index 8c36027..532fa91 100644
+index 8c36027..28863a5 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
@@ -1,9 +1,9 @@
@ -17238,7 +17271,11 @@ index 8c36027..532fa91 100644
 ########################################
 #
 # clamscam local policy
-@@ -251,6 +266,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+@@ -248,9 +263,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+ corenet_tcp_sendrecv_all_ports(clamscan_t)
+ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_bind_generic_node(clamscan_t)
 corenet_tcp_connect_clamd_port(clamscan_t)
 
 kernel_read_kernel_sysctls(clamscan_t)
@ -17246,6 +17283,16 @@ index 8c36027..532fa91 100644
 
 files_read_etc_files(clamscan_t)
 files_read_etc_runtime_files(clamscan_t)
+@@ -265,6 +282,9 @@ miscfiles_read_public_files(clamscan_t)
+ clamav_stream_connect(clamscan_t)
+ 
+ mta_send_mail(clamscan_t)
+mta_read_queue(clamscan_t)
+
+sysnet_read_config(clamscan_t)
+ 
+ optional_policy(`
+ 	amavis_read_spool_files(clamscan_t)
 diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
 index c0a66a4..e438c5f 100644
 --- a/policy/modules/services/clogd.if
@ -19749,7 +19796,7 @@ index 418a5a0..28d9e41 100644
 /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..4b3d7f7 100644
+index f706b99..6149a45 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@ -19764,7 +19811,7 @@ index f706b99..4b3d7f7 100644
 ## </param>
 #
 interface(`devicekit_domtrans',`
-@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',`
+@@ -118,6 +118,82 @@ interface(`devicekit_dbus_chat_power',`
 	allow devicekit_power_t $1:dbus send_msg;
 ')
 
@ -19806,6 +19853,25 @@ index f706b99..4b3d7f7 100644
 +	dontaudit $1 devicekit_var_log_t:file { write };
 +')
 +
+######################################
+## <summary>
+##  Do not audit attempts to read and write the devicekit
+##  log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_rw_log',`
+    gen_require(`
+        type devicekit_var_log_t;
+    ')
+
+    dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
+')
+
 +########################################
 +## <summary>
 +##	Allow the domain to read devicekit_power state files in /proc.
@ -19828,7 +19894,7 @@ index f706b99..4b3d7f7 100644
 ########################################
 ## <summary>
 ##	Read devicekit PID files.
-@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +215,52 @@ interface(`devicekit_read_pid_files',`
 
 ########################################
 ## <summary>
@ -19888,7 +19954,7 @@ index f706b99..4b3d7f7 100644
 ##	</summary>
 ## </param>
 ## <rolecap/>
-@@ -165,21 +252,22 @@ interface(`devicekit_admin',`
+@@ -165,21 +271,22 @@ interface(`devicekit_admin',`
 		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
 	')
 
@ -20245,10 +20311,10 @@ index 0000000..60c81d6
 +')
 diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
 new file mode 100644
-index 0000000..c88f611
+index 0000000..b4d0dd0
 --- /dev/null
 +++ b/policy/modules/services/dirsrv-admin.te
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,95 @@
 +policy_module(dirsrv-admin,1.0.0) 
 +
 +########################################
@ -20318,7 +20384,8 @@ index 0000000..c88f611
 +
 +kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
 +
-+corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t)
+corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
+corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
 +corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
 +corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
 +corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
@ -26440,7 +26507,7 @@ index 8581040..cfcdf10 100644
 
 	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index da5b33d..3ce90f7 100644
+index da5b33d..8b56967 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@ -26494,7 +26561,17 @@ index da5b33d..3ce90f7 100644
 domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
 
 read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
-@@ -270,7 +271,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -201,7 +202,8 @@ corecmd_exec_shell(nrpe_t)
+ 
+ corenet_tcp_bind_generic_node(nrpe_t)
+ corenet_tcp_bind_inetd_child_port(nrpe_t)
+-corenet_sendrecv_unlabeled_packets(nrpe_t)
+corenet_all_recvfrom_unlabeled(nrpe_t)
+corenet_all_recvfrom_netlabel(nrpe_t)
+ 
+ dev_read_sysfs(nrpe_t)
+ dev_read_urand(nrpe_t)
+@@ -270,7 +272,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
 #
 
 allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@ -26502,7 +26579,7 @@ index da5b33d..3ce90f7 100644
 allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
 allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
-@@ -299,7 +299,7 @@ optional_policy(`
+@@ -299,7 +300,7 @@ optional_policy(`
 
 optional_policy(`
 	postfix_stream_connect_master(nagios_mail_plugin_t)
@ -26511,7 +26588,7 @@ index da5b33d..3ce90f7 100644
 ')
 
 ######################################
-@@ -310,6 +310,9 @@ optional_policy(`
+@@ -310,6 +311,9 @@ optional_policy(`
 # needed by ioctl()
 allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
 
@ -26521,7 +26598,7 @@ index da5b33d..3ce90f7 100644
 files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
 
 fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +326,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
 
 allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
 allow nagios_services_plugin_t self:process { signal sigkill };
@ -26529,7 +26606,7 @@ index da5b33d..3ce90f7 100644
 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
 allow nagios_services_plugin_t self:udp_socket create_socket_perms;
 
-@@ -340,6 +342,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
 
 optional_policy(`
 	netutils_domtrans_ping(nagios_services_plugin_t)
@ -30160,7 +30237,7 @@ index 2316653..77ef768 100644
 +	admin_pattern($1, prelude_lml_tmp_t)
 ')
 diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
-index 7e84587..7a7310d 100644
+index 7e84587..febda2f 100644
 --- a/policy/modules/services/prelude.te
 +++ b/policy/modules/services/prelude.te
@@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t)
@ -30182,6 +30259,20 @@ index 7e84587..7a7310d 100644
 allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
 allow prelude_lml_t self:unix_stream_socket connectto;
 
+@@ -236,11 +235,12 @@ kernel_read_sysctl(prelude_lml_t)
+ 
+ corecmd_exec_bin(prelude_lml_t)
+ 
+corenet_all_recvfrom_unlabeled(prelude_lml_t)
+corenet_all_recvfrom_netlabel(prelude_lml_t)
+ corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+ corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+ corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+ corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+-corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+ corenet_tcp_connect_prelude_port(prelude_lml_t)
+ 
+ dev_read_rand(prelude_lml_t)
 diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
 index 6f1b2c3..3f1a3fe 100644
 --- a/policy/modules/services/privoxy.te
@ -43754,7 +43845,7 @@ index aa2b0a6..304fbba 100644
 ')
 
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..31efcb2 100644
+index 879bb1e..5ce52c0 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
@@ -28,10 +28,12 @@ ifdef(`distro_gentoo',`
@ -43770,6 +43861,14 @@ index 879bb1e..31efcb2 100644
 /sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -97,5 +99,7 @@ ifdef(`distro_gentoo',`
+ /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
+ /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
+/var/run/lvm(/.*)?     gen_context(system_u:object_r:lvm_var_run_t,s0)
+ /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
+ /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
 index 58bc27f..b4f0663 100644
 --- a/policy/modules/system/lvm.if
@ -43797,7 +43896,7 @@ index 58bc27f..b4f0663 100644
 +	allow $1 clvmd_tmpfs_t:file rw_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 86ef2da..17aeb3e 100644
+index 86ef2da..a251276 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -43861,6 +43960,15 @@ index 86ef2da..17aeb3e 100644
 
 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+@@ -200,7 +214,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+ manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+ manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+ manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file sock_file })
+ 
+ read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+ read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
@@ -210,12 +224,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
@ -47269,7 +47377,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 35f1476..d74e327 100644
+index 35f1476..1571559 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@ -49473,7 +49581,7 @@ index 35f1476..d74e327 100644
 +		type home_cert_t;
 +	')
 +
-+	userdom_search_user_home_dirs($1)
+	userdom_search_user_home_content($1)
 +	allow $1 home_cert_t:dir list_dir_perms;
 +	read_files_pattern($1, home_cert_t, home_cert_t)
 +	read_lnk_files_pattern($1, home_cert_t, home_cert_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.10
-Release: 7%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,18 @@ exit 0
 %endif

 %changelog
+* Fri Dec 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-10
+- Fixes for clamscan and boinc policy
+- Add boinc_project_t setpgid
+- Allow alsa to create tmp files in /tmp
+
+* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-9
+- Push fixes to allow disabling of unlabeled_t packet access
+- Enable unlabelednet policy
+
+* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-8
+- Fixes for lvm to work with systemd
+
 * Mon Dec 6 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-7
 - Fix the label for wicd log
 - plymouthd creates force-display-on-active-vt file