diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 71778d65..cb2771de 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -178,6 +178,10 @@ spamd_enable_home_dirs = false
#
user_direct_mouse = false
+# Allow all X apps to use /dev/dri
+#
+user_direct_dri = true
+
# Allow users to read system messages.
#
user_dmesg = false
@@ -279,3 +283,7 @@ fenced_can_network_connect=false
## allow sshd to forward port connections
#
sshd_forward_ports=true
+
+## On upgrades we want this true, Want it false on fresh installs
+#
+authlogin_nsswitch_use_ldap=true
diff --git a/modules-targeted.conf b/modules-targeted.conf
index d9919b0c..5f04812b 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1371,6 +1371,13 @@ radius = module
#
radvd = module
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = module
+
# Layer: admin
# Module: readahead
#
diff --git a/policy-F15.patch b/policy-F15.patch
index b540d764..a692a3a3 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -451,10 +451,18 @@ index cd5e005..7f3f992 100644
optional_policy(`
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..5421065 100644
+index 72bc6d8..ed02103 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
-@@ -50,6 +50,12 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+@@ -19,6 +19,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
+
+ allow dmesg_t self:process signal_perms;
+
++kernel_read_system_state(dmesg_t)
+ kernel_read_kernel_sysctls(dmesg_t)
+ kernel_read_ring_buffer(dmesg_t)
+ kernel_clear_ring_buffer(dmesg_t)
+@@ -50,6 +51,12 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
userdom_use_user_terminals(dmesg_t)
optional_policy(`
@@ -2670,7 +2678,7 @@ index 00a19e3..46db5ff 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..2c8f94a 100644
+index f5afe78..c4df4b9 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -37,8 +37,7 @@ interface(`gnome_role',`
@@ -3092,7 +3100,7 @@ index f5afe78..2c8f94a 100644
')
########################################
-@@ -151,40 +453,173 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +453,174 @@ interface(`gnome_setattr_config_dirs',`
########################################
##
@@ -3219,6 +3227,7 @@ index f5afe78..2c8f94a 100644
+ type config_home_t;
+ ')
+
++ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
+')
+
@@ -4157,7 +4166,7 @@ index 93ac529..aafece7 100644
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..b0c1197 100644
+index 9a6d67d..5ac3ea5 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -4216,7 +4225,7 @@ index 9a6d67d..b0c1197 100644
## Execmod mozilla home directory content.
##
##
-@@ -168,6 +194,70 @@ interface(`mozilla_domtrans',`
+@@ -168,6 +194,71 @@ interface(`mozilla_domtrans',`
########################################
##
@@ -4261,7 +4270,8 @@ index 9a6d67d..b0c1197 100644
+
+ mozilla_domtrans_plugin($1)
+ role $2 types mozilla_plugin_t;
-+ allow $1 mozilla_plugin_t:unix_stream_socket connectto;
++ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
++ allow $1 mozilla_plugin_t:process { signal sigkill };
+')
+
+########################################
@@ -5109,10 +5119,10 @@ index 0000000..4f9cb05
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..ae1d09b
+index 0000000..a353718
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,316 @@
+@@ -0,0 +1,317 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -5234,6 +5244,7 @@ index 0000000..ae1d09b
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
++kernel_read_network_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
@@ -7149,10 +7160,10 @@ index 0000000..46368cc
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..2ace399
+index 0000000..24f8037
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,329 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -7401,6 +7412,7 @@ index 0000000..2ace399
+
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
++corenet_udp_bind_all_ports(telepathy_sofiasip_t)
+
+kernel_request_load_module(telepathy_sofiasip_t)
+
@@ -7690,7 +7702,7 @@ index c76ceb2..d7df452 100644
optional_policy(`
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
-index 9d24449..9782698 100644
+index 9d24449..2666317 100644
--- a/policy/modules/apps/wine.fc
+++ b/policy/modules/apps/wine.fc
@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
@@ -7701,6 +7713,14 @@ index 9d24449..9782698 100644
/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+ /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 0440b4c..4b055c1 100644
--- a/policy/modules/apps/wine.if
@@ -20526,6 +20546,21 @@ index f231f17..4ecd4b7 100644
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
+index 767e0c7..7956248 100644
+--- a/policy/modules/services/dhcp.fc
++++ b/policy/modules/services/dhcp.fc
+@@ -1,8 +1,8 @@
+-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+ /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
+ /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
+ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+
+-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
++/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index 5e2cea8..7e129ff 100644
--- a/policy/modules/services/dhcp.if
@@ -25041,15 +25076,15 @@ index 47e3612..ece07ab 100644
# The milter runs from /var/lib/spamass-milter
diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
new file mode 100644
-index 0000000..42bb2a3
+index 0000000..68ad33f
--- /dev/null
+++ b/policy/modules/services/mock.fc
@@ -0,0 +1,6 @@
+
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
-+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
-+
++/var/lib/mock -d gen_context(system_u:object_r:mock_var_lib_t,s0)
++/var/lib/mock(/.*)? <>
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
new file mode 100644
@@ -25815,10 +25850,10 @@ index 0000000..311aaed
+')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644
-index 0000000..f2e8836
+index 0000000..92e86a2
--- /dev/null
+++ b/policy/modules/services/mpd.te
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,127 @@
+policy_module(mpd, 1.0.0)
+
+########################################
@@ -25872,6 +25907,7 @@ index 0000000..f2e8836
+
+manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
++manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+
+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
@@ -26220,7 +26256,7 @@ index 343cee3..2f948ad 100644
+ ')
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..ce7924b 100644
+index 64268e4..8974c28 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -26275,7 +26311,7 @@ index 64268e4..ce7924b 100644
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-+ apache_dontaudit_write_tmp_files(system_mail_t)
++ apache_dontaudit_rw_tmp_files(system_mail_t)
+
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
@@ -29053,7 +29089,7 @@ index 5702ca4..5df5316 100644
+
+/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
-index 9759ed8..07dd3ff 100644
+index 9759ed8..48a5431 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -5,12 +5,12 @@
@@ -29192,7 +29228,56 @@ index 9759ed8..07dd3ff 100644
gen_require(`
type plymouthd_var_run_t;
')
-@@ -243,18 +243,20 @@ interface(`plymouthd_read_pid_files', `
+@@ -228,6 +228,48 @@ interface(`plymouthd_read_pid_files', `
+
+ ########################################
+ ##
++## Allow the specified domain to read
++## to plymouthd log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`plymouthd_read_log',`
++ gen_require(`
++ type plymouthd_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++')
++
++########################################
++##
++## Allow the specified domain to manage
++## to plymouthd log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`plymouthd_manage_log',`
++ gen_require(`
++ type plymouthd_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an plymouthd environment
+ ##
+@@ -243,18 +285,20 @@ interface(`plymouthd_read_pid_files', `
##
##
#
@@ -31885,6 +31970,18 @@ index 0000000..d9c56d4
+ corosync_stream_connect(qpidd_t)
+')
+
+diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
+index b1ed1bf..21e2d95 100644
+--- a/policy/modules/services/radius.te
++++ b/policy/modules/services/radius.te
+@@ -77,6 +77,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
+ corenet_udp_bind_generic_node(radiusd_t)
+ corenet_udp_bind_radacct_port(radiusd_t)
+ corenet_udp_bind_radius_port(radiusd_t)
++corenet_tcp_connect_postgresql_port(radiusd_t)
+ corenet_tcp_connect_mysqld_port(radiusd_t)
+ corenet_tcp_connect_snmp_port(radiusd_t)
+ corenet_sendrecv_radius_server_packets(radiusd_t)
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
index be05bff..2bd662a 100644
--- a/policy/modules/services/radvd.if
@@ -35559,7 +35656,7 @@ index d2496bd..1d0c078 100644
allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..a8fa2a0 100644
+index 4b2230e..d45dc67 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -35606,6 +35703,14 @@ index 4b2230e..a8fa2a0 100644
')
tunable_policy(`squid_use_tproxy',`
+@@ -185,6 +186,7 @@ optional_policy(`
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
++ corenet_tcp_connect_squid_port(httpd_squid_script_t)
+
+ sysnet_dns_name_resolve(httpd_squid_script_t)
+
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..06da5f7 100644
--- a/policy/modules/services/ssh.fc
@@ -39595,7 +39700,7 @@ index da2601a..6b12229 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 145fc4b..05cbefe 100644
+index 145fc4b..d1f5057 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -40286,7 +40391,7 @@ index 145fc4b..05cbefe 100644
hostname_exec(xdm_t)
')
-@@ -539,28 +796,63 @@ optional_policy(`
+@@ -539,28 +796,64 @@ optional_policy(`
')
optional_policy(`
@@ -40305,6 +40410,7 @@ index 145fc4b..05cbefe 100644
+ plymouthd_search_spool(xdm_t)
+ plymouthd_exec_plymouth(xdm_t)
+ plymouthd_stream_connect(xdm_t)
++ plymouthd_read_log(xdm_t)
+')
+
+optional_policy(`
@@ -40359,7 +40465,7 @@ index 145fc4b..05cbefe 100644
')
optional_policy(`
-@@ -572,6 +864,10 @@ optional_policy(`
+@@ -572,6 +865,10 @@ optional_policy(`
')
optional_policy(`
@@ -40370,7 +40476,7 @@ index 145fc4b..05cbefe 100644
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +892,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +893,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -40379,7 +40485,7 @@ index 145fc4b..05cbefe 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,6 +906,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +907,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -40394,7 +40500,7 @@ index 145fc4b..05cbefe 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +933,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +934,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -40416,7 +40522,7 @@ index 145fc4b..05cbefe 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +953,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +954,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -40424,7 +40530,7 @@ index 145fc4b..05cbefe 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -668,7 +980,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +981,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -40432,7 +40538,7 @@ index 145fc4b..05cbefe 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,11 +989,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,11 +990,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -40450,7 +40556,7 @@ index 145fc4b..05cbefe 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -693,8 +1010,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +1011,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -40464,7 +40570,7 @@ index 145fc4b..05cbefe 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1038,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1039,14 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -40479,7 +40585,7 @@ index 145fc4b..05cbefe 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1098,28 @@ optional_policy(`
+@@ -773,12 +1099,28 @@ optional_policy(`
')
optional_policy(`
@@ -40509,7 +40615,7 @@ index 145fc4b..05cbefe 100644
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1128,10 @@ optional_policy(`
+@@ -787,6 +1129,10 @@ optional_policy(`
')
optional_policy(`
@@ -40520,7 +40626,7 @@ index 145fc4b..05cbefe 100644
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1147,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1148,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -40534,7 +40640,7 @@ index 145fc4b..05cbefe 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1158,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -813,7 +1159,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -40543,7 +40649,7 @@ index 145fc4b..05cbefe 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -826,6 +1171,9 @@ init_use_fds(xserver_t)
+@@ -826,6 +1172,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -40553,7 +40659,7 @@ index 145fc4b..05cbefe 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1181,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -833,6 +1182,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -40565,7 +40671,7 @@ index 145fc4b..05cbefe 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1194,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1195,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -40582,7 +40688,7 @@ index 145fc4b..05cbefe 100644
')
optional_policy(`
-@@ -853,6 +1209,10 @@ optional_policy(`
+@@ -853,6 +1210,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -40593,7 +40699,7 @@ index 145fc4b..05cbefe 100644
########################################
#
# Rules common to all X window domains
-@@ -896,7 +1256,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -896,7 +1257,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -40602,7 +40708,7 @@ index 145fc4b..05cbefe 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1310,31 @@ allow x_domain self:x_resource { read write };
+@@ -950,11 +1311,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -40634,7 +40740,7 @@ index 145fc4b..05cbefe 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -976,18 +1356,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -976,18 +1357,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -44287,7 +44393,7 @@ index 3fb1915..26e9f79 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..17dd196 100644
+index 571599b..3644f0f 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,10 @@
@@ -44309,7 +44415,7 @@ index 571599b..17dd196 100644
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
ifdef(`distro_suse', `
-@@ -54,14 +59,16 @@ ifdef(`distro_redhat',`
+@@ -54,18 +59,24 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
@@ -44330,9 +44436,11 @@ index 571599b..17dd196 100644
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
-@@ -69,3 +76,5 @@ ifdef(`distro_redhat',`
+ /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/var/stockmaniac/templates_cache gen_context(system_u:object_r:var_log_t,s0)
++
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -44476,7 +44584,7 @@ index c7cfb62..ee9809d 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..2b30dd6 100644
+index 9b5a9ed..d3fb3f6 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -55,11 +55,12 @@ type klogd_var_run_t;
@@ -44588,7 +44696,18 @@ index 9b5a9ed..2b30dd6 100644
domain_use_interactive_fds(syslogd_t)
-@@ -488,6 +519,10 @@ optional_policy(`
+@@ -480,6 +511,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ plymouthd_manage_log(syslogd_t)
++')
++
++optional_policy(`
+ postgresql_stream_connect(syslogd_t)
+ ')
+
+@@ -488,6 +523,10 @@ optional_policy(`
')
optional_policy(`
@@ -45042,7 +45161,7 @@ index 72c746e..e3d06fd 100644
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..b195f9d 100644
+index 8b5c196..83107f9 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,16 @@ interface(`mount_domtrans',`
@@ -45062,7 +45181,7 @@ index 8b5c196..b195f9d 100644
')
########################################
-@@ -45,12 +55,58 @@ interface(`mount_run',`
+@@ -45,8 +55,54 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
@@ -45085,11 +45204,11 @@ index 8b5c196..b195f9d 100644
+
+ optional_policy(`
+ samba_run_smbmount(mount_t, $2)
- ')
- ')
-
- ########################################
- ##
++ ')
++')
++
++########################################
++##
+## Execute fusermount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
@@ -45109,19 +45228,15 @@ index 8b5c196..b195f9d 100644
+interface(`mount_run_fusermount',`
+ gen_require(`
+ type mount_t;
-+ ')
+ ')
+
+ mount_domtrans_fusermount($1)
+ role $2 types mount_t;
+
+ fstools_run(mount_t, $2)
-+')
-+
-+########################################
-+##
- ## Execute mount in the caller domain.
- ##
- ##
+ ')
+
+ ########################################
@@ -84,9 +140,11 @@ interface(`mount_exec',`
interface(`mount_signal',`
gen_require(`
@@ -45143,7 +45258,32 @@ index 8b5c196..b195f9d 100644
##
##
#
-@@ -176,4 +234,109 @@ interface(`mount_run_unconfined',`
+@@ -135,6 +193,24 @@ interface(`mount_send_nfs_client_request',`
+
+ ########################################
+ ##
++## Read the mount tmp directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_list_tmp',`
++ gen_require(`
++ type mount_tmp_t;
++ ')
++
++ allow $1 mount_tmp_t:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Execute mount in the unconfined mount domain.
+ ##
+ ##
+@@ -176,4 +252,109 @@ interface(`mount_run_unconfined',`
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
@@ -46519,12 +46659,17 @@ index 1447687..cdc0223 100644
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 726619b..36426f7 100644
+index 726619b..ece1edf 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -13,7 +13,7 @@
- /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
- /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+@@ -10,10 +10,10 @@
+ /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
@@ -47094,10 +47239,10 @@ index 0000000..5f0352b
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..24f8c6f
+index 0000000..52a952b
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,101 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -47141,9 +47286,12 @@ index 0000000..24f8c6f
+files_read_etc_files(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
++dev_read_generic_files(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
++init_read_utmp(systemd_passwd_agent_t)
++
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+#######################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9be8f730..7002d792 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.12
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -333,7 +333,7 @@ if [ $1 -eq 1 ]; then
%loadpolicy targeted $packages
restorecon -R /root /var/log /var/run /var/lib 2> /dev/null
else
- semodule -n -s targeted -r pyzor -r razor -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
+ semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
%loadpolicy targeted $packages
%relabel targeted
fi
@@ -452,7 +452,7 @@ SELinux Reference policy mls base module.
%saveFileContext mls
%post mls
-semodule -n -s mls -r pyzor -r razor -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
+semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
packages=`cat /usr/share/selinux/mls/modules.lst`
%loadpolicy mls $packages
@@ -471,6 +471,25 @@ exit 0
%endif
%changelog
+* Tue Dec 28 2010 Dan Walsh 3.9.12-4
+- Gnome apps list config_home_t
+- mpd creates lnk files in homedir
+- apache leaks write to mail apps on tmp files
+- /var/stockmaniac/templates_cache contains log files
+- Abrt list the connects of mount_tmp_t dirs
+- passwd agent reads files under /dev and reads utmp file
+- squid apache script connects to the squid port
+- fix name of plymouth log file
+- teamviewer is a wine app
+- allow dmesg to read system state
+- Stop labeling files under /var/lib/mock so restorecon will not go into this
+- nsplugin needs to read network state for google talk
+
+* Thu Dec 23 2010 Dan Walsh 3.9.12-3
+- Allow xdm and syslog to use /var/log/boot.log
+- Allow users to communicate with mozilla_plugin and kill it
+- Add labeling for ipv6 and dhcp
+
* Tue Dec 21 2010 Dan Walsh 3.9.12-2
- New labels for ghc http content
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev