- Fix labeling on /var/lib/misc/prelink*

- Allow xserver to rw_shm_perms with all x_clients - Allow prelink to execute files in the users home directory
2009-04-27 14:45:15 +00:00 · 2009-04-27 14:45:15 +00:00 · b0991a2dfd
parent 89c9c9ae6a
commit b0991a2dfd
2 changed files with 75 additions and 57 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -663,16 +663,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.12/policy/modules/admin/prelink.fc
 --- nsaserefpolicy/policy/modules/admin/prelink.fc	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc	2009-04-27 08:28:48.000000000 -0400
@@ -5,3 +5,5 @@
 
 /var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
 /var/log/prelink(/.*)?			gen_context(system_u:object_r:prelink_log_t,s0)
 +
-+/var/lib/misc/prelink\*		--	gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/misc/prelink.*		--	gen_context(system_u:object_r:prelink_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.12/policy/modules/admin/prelink.if
 --- nsaserefpolicy/policy/modules/admin/prelink.if	2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/prelink.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.if	2009-04-27 09:47:06.000000000 -0400
@@ -120,3 +120,23 @@
 	logging_search_logs($1)
 	manage_files_pattern($1, prelink_log_t, prelink_log_t)
@ -699,7 +699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te	2009-04-27 08:32:37.000000000 -0400
@@ -21,12 +21,15 @@
 type prelink_tmp_t;
 files_tmp_file(prelink_tmp_t)
@ -750,17 +750,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 fs_getattr_xattr_fs(prelink_t)
 
-@@ -81,6 +89,9 @@
+@@ -81,6 +89,10 @@
 
 userdom_use_user_terminals(prelink_t)
 
 +# prelink executables in the user homedir
 +userdom_manage_home_role(system_r, prelink_t)
+userdom_exec_user_home_content_files(prelink_t)
 +
 optional_policy(`
 	amanda_manage_lib(prelink_t)
 ')
-@@ -88,3 +99,7 @@
+@@ -88,3 +100,7 @@
 optional_policy(`
 	cron_system_entry(prelink_t, prelink_exec_t)
 ')
@ -6425,7 +6426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	requiring the caller to use setexeccon().
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-04-24 00:02:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-04-27 09:47:43.000000000 -0400
@@ -15,7 +15,7 @@
 
 role sysadm_r;
@ -6578,18 +6579,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	pcmcia_run_cardctl(sysadm_t, sysadm_r)
 ')
 
-@@ -308,10 +250,6 @@
+@@ -308,7 +250,7 @@
 ')
 
 optional_policy(`
 -	pyzor_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
- 	quota_run(sysadm_t, sysadm_r)
+	prelink_run(sysadm_t, sysadm_r)
 ')
 
-@@ -320,10 +258,6 @@
+ optional_policy(`
+@@ -320,10 +262,6 @@
 ')
 
 optional_policy(`
@ -6600,7 +6599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rpc_domtrans_nfsd(sysadm_t)
 ')
 
-@@ -332,10 +266,6 @@
+@@ -332,10 +270,6 @@
 ')
 
 optional_policy(`
@ -6611,7 +6610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	rsync_exec(sysadm_t)
 ')
 
-@@ -345,10 +275,6 @@
+@@ -345,10 +279,6 @@
 ')
 
 optional_policy(`
@ -6622,7 +6621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	secadm_role_change(sysadm_r)
 ')
 
-@@ -358,35 +284,15 @@
+@@ -358,35 +288,15 @@
 ')
 
 optional_policy(`
@ -6658,7 +6657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	tripwire_run_siggen(sysadm_t, sysadm_r)
 	tripwire_run_tripwire(sysadm_t, sysadm_r)
 	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +300,10 @@
+@@ -394,18 +304,10 @@
 ')
 
 optional_policy(`
@ -6677,7 +6676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_domtrans(sysadm_t)
 ')
 
-@@ -418,20 +316,12 @@
+@@ -418,20 +320,12 @@
 ')
 
 optional_policy(`
@ -6698,7 +6697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	vpn_run(sysadm_t, sysadm_r)
 ')
 
-@@ -440,13 +330,7 @@
+@@ -440,13 +334,7 @@
 ')
 
 optional_policy(`
@ -14840,7 +14839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
 --- nsaserefpolicy/policy/modules/services/milter.fc	2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.fc	2009-04-24 07:20:31.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc	2009-04-27 10:00:53.000000000 -0400
@@ -1,6 +1,8 @@
 -/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
 -/var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
@ -20707,7 +20706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/samba.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/samba.te	2009-04-27 08:59:49.000000000 -0400
@@ -66,6 +66,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs, false)
@ -20833,7 +20832,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -256,7 +278,7 @@
+@@ -250,13 +272,14 @@
+ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+ 
+ allow smbd_t nmbd_var_run_t:file rw_file_perms;
+allow smbd_t nmbd_t:process { signal signull };
+ 
+ manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 files_pid_filetrans(smbd_t, smbd_var_run_t, file)
 
@ -20842,7 +20848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
-@@ -298,6 +320,7 @@
+@@ -298,6 +321,7 @@
 
 auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
@ -20850,7 +20856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 domain_use_interactive_fds(smbd_t)
 domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,6 +344,10 @@
+@@ -321,6 +345,10 @@
 userdom_use_unpriv_users_fds(smbd_t)
 userdom_dontaudit_search_user_home_dirs(smbd_t)
 
@ -20861,7 +20867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -333,25 +360,33 @@
+@@ -333,25 +361,33 @@
 
 tunable_policy(`samba_domain_controller',`
 	usermanage_domtrans_passwd(smbd_t)
@ -20901,7 +20907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	cups_read_rw_config(smbd_t)
 	cups_stream_connect(smbd_t)
-@@ -359,6 +394,16 @@
+@@ -359,6 +395,16 @@
 
 optional_policy(`
 	kerberos_use(smbd_t)
@ -20918,7 +20924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -376,13 +421,15 @@
+@@ -376,13 +422,15 @@
 tunable_policy(`samba_create_home_dirs',`
 	allow smbd_t self:capability chown;
 	userdom_create_user_home_dirs(smbd_t)
@ -20935,7 +20941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	auth_read_all_files_except_shadow(nmbd_t)
 ')
 
-@@ -391,8 +438,8 @@
+@@ -391,8 +439,8 @@
 	auth_manage_all_files_except_shadow(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
 	auth_manage_all_files_except_shadow(nmbd_t)
@ -20945,7 +20951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 ########################################
 #
-@@ -417,14 +464,11 @@
+@@ -417,14 +465,11 @@
 files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
 
 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@ -20961,7 +20967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-@@ -454,6 +498,7 @@
+@@ -454,6 +499,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 
 fs_getattr_all_fs(nmbd_t)
@ -20969,7 +20975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_search_auto_mountpoints(nmbd_t)
 
 domain_use_interactive_fds(nmbd_t)
-@@ -553,21 +598,36 @@
+@@ -553,21 +599,36 @@
 userdom_use_user_terminals(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
 
@ -21009,7 +21015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 append_files_pattern(swat_t, samba_log_t, samba_log_t)
 
-@@ -585,6 +645,9 @@
+@@ -585,6 +646,9 @@
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
 allow swat_t winbind_exec_t:file mmap_file_perms;
@ -21019,7 +21025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -609,15 +672,18 @@
+@@ -609,15 +673,18 @@
 
 dev_read_urand(swat_t)
 
@ -21038,7 +21044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_search_logs(swat_t)
 
 miscfiles_read_localization(swat_t)
-@@ -635,6 +701,17 @@
+@@ -635,6 +702,17 @@
 	kerberos_use(swat_t)
 ')
 
@ -21056,7 +21062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Winbind local policy
-@@ -642,7 +719,7 @@
+@@ -642,7 +720,7 @@
 
 allow winbind_t self:capability { dac_override ipc_lock setuid };
 dontaudit winbind_t self:capability sys_tty_config;
@ -21065,7 +21071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow winbind_t self:fifo_file rw_fifo_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +760,10 @@
+@@ -683,9 +761,10 @@
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, file)
 
@ -21078,7 +21084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corenet_all_recvfrom_unlabeled(winbind_t)
 corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +787,12 @@
+@@ -709,10 +788,12 @@
 
 auth_domtrans_chk_passwd(winbind_t)
 auth_use_nsswitch(winbind_t)
@ -21091,7 +21097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 logging_send_syslog_msg(winbind_t)
 
-@@ -768,8 +848,13 @@
+@@ -768,8 +849,13 @@
 userdom_use_user_terminals(winbind_helper_t)
 
 optional_policy(`
@ -21105,7 +21111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -778,6 +863,16 @@
+@@ -778,6 +864,16 @@
 #
 
 optional_policy(`
@ -21122,7 +21128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
-@@ -788,9 +883,43 @@
+@@ -788,9 +884,43 @@
 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 
@ -24450,7 +24456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-04-27 08:35:28.000000000 -0400
@@ -34,6 +34,13 @@
 
 ## <desc>
@ -24946,7 +24952,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
 
-@@ -622,7 +746,7 @@
+@@ -616,13 +740,14 @@
+ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
+ 
+ allow xserver_t { rootwindow_t x_domain }:x_drawable send;
+allow xserver_t x_domain:shm rw_shm_perms;
+ 
+ manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+ manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 
@ -24955,7 +24968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +759,19 @@
+@@ -635,9 +760,19 @@
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
@ -24975,7 +24988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +814,14 @@
+@@ -680,9 +815,14 @@
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -24990,7 +25003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +836,13 @@
+@@ -697,8 +837,13 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -25004,7 +25017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -720,6 +864,7 @@
+@@ -720,6 +865,7 @@
 
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -25012,7 +25025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 modutils_domtrans_insmod(xserver_t)
 
-@@ -742,7 +887,7 @@
+@@ -742,7 +888,7 @@
 ')
 
 ifdef(`enable_mls',`
@ -25021,7 +25034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
 
-@@ -774,12 +919,16 @@
+@@ -774,12 +920,16 @@
 ')
 
 optional_policy(`
@ -25039,7 +25052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	unconfined_domtrans(xserver_t)
 ')
 
-@@ -806,7 +955,7 @@
+@@ -806,7 +956,7 @@
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
 
@ -25048,7 +25061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +976,14 @@
+@@ -827,9 +977,14 @@
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -25063,7 +25076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +998,14 @@
+@@ -844,11 +999,14 @@
 
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -25079,7 +25092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -856,6 +1013,11 @@
+@@ -856,6 +1014,11 @@
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
 
@ -25091,7 +25104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Rules common to all X window domains
-@@ -881,6 +1043,8 @@
+@@ -881,6 +1044,8 @@
 # X Server
 # can read server-owned resources
 allow x_domain xserver_t:x_resource read;
@ -25100,7 +25113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # can mess with own clients
 allow x_domain self:x_client { manage destroy };
 
-@@ -905,6 +1069,8 @@
+@@ -905,6 +1070,8 @@
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
 
@ -25109,7 +25122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # X Colormaps
 # can use the default colormap
 allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1138,49 @@
+@@ -972,17 +1139,49 @@
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 
@ -29642,7 +29655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-23 23:55:27.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-27 08:32:47.000000000 -0400
@@ -30,8 +30,9 @@
 	')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -446,6 +446,11 @@ exit 0
 %endif

 %changelog
+* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20
+- Fix labeling on /var/lib/misc/prelink*
+- Allow xserver to rw_shm_perms with all x_clients
+- Allow prelink to execute files in the users home directory
+
 * Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-19
 - Allow initrc_t to delete dev_null
 - Allow readahead to configure auditing