From bac270827d2df1b3370ae35d8024c1f28917a99f Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 22 Oct 2010 08:26:00 -0400 Subject: [PATCH] - Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images --- policy-F14.patch | 472 ++++++++++++++++++++++++++++++-------------- selinux-policy.spec | 20 +- 2 files changed, 344 insertions(+), 148 deletions(-) diff --git a/policy-F14.patch b/policy-F14.patch index 7957c71f..15bd03c4 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -1864,10 +1864,10 @@ index 0000000..5ef90cd + diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..0958247 +index 0000000..0738be8 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,92 @@ +@@ -0,0 +1,93 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -1897,6 +1897,7 @@ index 0000000..0958247 +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; +allow chrome_sandbox_t self:shm create_shm_perms; ++allow chrome_sandbox_t self:netlink_route_socket create_socket_perms; + +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) @@ -3455,10 +3456,16 @@ index 66beb80..b7c6502 100644 +') + diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc -index 86c1768..87d560b 100644 +index 86c1768..cd76e6a 100644 
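Review bot: In the chrome.te hunk, the added `allow chrome_sandbox_t self:netlink_route_socket create_socket_perms;` carries no comment saying what the sandbox helper uses a route socket for, and the permission set looks mismatched with the usual read-only idiom. If the helper only queries interfaces or routes, reference policy normally writes `allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;`, which as far as I can tell adds `nlmsg_read` and makes the read-only intent explicit. Please confirm against the AVC record that prompted the change. The chrome_sandbox_t rule block continues outside the hunk.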
--- a/policy/modules/apps/java.fc +++ b/policy/modules/apps/java.fc -@@ -9,6 +9,7 @@ +@@ -5,10 +5,13 @@ + /opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + /opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + /opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) ++/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) ++/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + # # /usr # @@ -3466,7 +3473,7 @@ index 86c1768..87d560b 100644 /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -33,6 +34,9 @@ +@@ -33,6 +36,9 @@ /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -4662,10 +4669,10 @@ index 0000000..4dbb161 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..1ca0e76 +index 0000000..182e476 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,313 @@ +@@ -0,0 +1,312 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -4706,8 +4713,7 @@ index 0000000..1ca0e76 +typealias nsplugin_home_t alias user_nsplugin_home_t; + +type nsplugin_t; -+domain_type(nsplugin_t) -+domain_entry_file(nsplugin_t, nsplugin_exec_t) ++application_domain(nsplugin_t, nsplugin_exec_t) + +type nsplugin_config_t; +domain_type(nsplugin_config_t) @@ -5812,10 +5818,10 @@ index 0000000..587c440 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..39f006a +index 0000000..10b7c23 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,420 @@ +@@ -0,0 +1,427 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
@@ -5970,7 +5976,7 @@ index 0000000..39f006a +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; -+dontaudit sandbox_x_domain self:process signal; ++dontaudit sandbox_x_domain sandbox_x_domain:process signal; + +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -6016,6 +6022,8 @@ index 0000000..39f006a +term_getattr_pty_fs(sandbox_x_domain) +term_use_ptmx(sandbox_x_domain) + ++application_dontaudit_signal(sandbox_x_domain) ++ +logging_send_syslog_msg(sandbox_x_domain) +logging_dontaudit_search_logs(sandbox_x_domain) + @@ -6024,6 +6032,10 @@ index 0000000..39f006a +storage_dontaudit_rw_fuse(sandbox_x_domain) + +optional_policy(` ++ consolekit_dbus_chat(sandbox_x_domain) ++') ++ ++optional_policy(` + cups_stream_connect(sandbox_x_domain) + cups_read_rw_config(sandbox_x_domain) +') @@ -6181,11 +6193,11 @@ index 0000000..39f006a +userdom_delete_user_tmpfs_files(sandbox_web_type) + +optional_policy(` -+ bluetooth_dontaudit_dbus_chat(sandbox_web_type) ++ alsa_read_rw_config(sandbox_web_type) +') + +optional_policy(` -+ consolekit_dbus_chat(sandbox_web_type) ++ bluetooth_dontaudit_dbus_chat(sandbox_web_type) +') + +optional_policy(` @@ -6236,6 +6248,7 @@ index 0000000..39f006a + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') ++ diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..7455c19 100644 --- a/policy/modules/apps/seunshare.if @@ -8363,7 +8376,7 @@ index 3517db2..bd4c23d 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..3966eab 100644 +index 5302dac..0e4368f 100644 
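Review bot: The rewritten rule `dontaudit sandbox_x_domain sandbox_x_domain:process signal;` silences denials rather than fixing their cause, and nothing in the hunk records which program inside the sandbox sends these signals. The same applies to `application_dontaudit_signal(sandbox_x_domain)` in the next sandbox.te hunk and to the interface of that name added in application.if. A denied signal from a sandboxed process to another domain is an event an analyst wants in the audit log when a sandbox misbehaves. I would add a comment such as `# <program> signals its parent on exit; denied and harmless, see <bug id>` and note that these records only reappear after `semodule -DB`.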
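Review bot: Adding `consolekit_dbus_chat(sandbox_x_domain)` here, while the later sandbox.te hunk removes the same call for `sandbox_web_type`, widens an allow rule to every X sandbox type, and the commit description does not mention it. If the aim is only to quiet denials from the non-web sandboxes, `consolekit_dontaudit_dbus_chat(sandbox_x_domain)`, which this commit adds to consolekit.if, would keep ConsoleKit D-Bus access limited to the types that had it before. Otherwise a one-line comment naming the sandboxed client that has to talk to ConsoleKit would make the grant reviewable.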
--- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -8690,7 +8703,32 @@ index 5302dac..3966eab 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4109,6 +4355,13 @@ interface(`files_purge_tmp',` +@@ -3950,6 +4196,24 @@ interface(`files_rw_generic_tmp_sockets',` + + ######################################## + ## ++## Relabel a file from the type used in /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_tmp_files',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++') ++ ++######################################## ++## + ## Set the attributes of all tmp directories. + ## + ## +@@ -4109,6 +4373,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -8704,7 +8742,7 @@ index 5302dac..3966eab 100644 ') ######################################## -@@ -4718,6 +4971,24 @@ interface(`files_read_var_files',` +@@ -4718,6 +4989,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -8729,7 +8767,7 @@ index 5302dac..3966eab 100644 ## Read and write files in the /var directory. ## ## -@@ -5053,6 +5324,24 @@ interface(`files_manage_mounttab',` +@@ -5053,6 +5342,24 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -8754,7 +8792,7 @@ index 5302dac..3966eab 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5138,12 +5427,12 @@ interface(`files_getattr_generic_locks',` +@@ -5138,12 +5445,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -8771,7 +8809,7 @@ index 5302dac..3966eab 100644 ') ######################################## -@@ -5317,6 +5606,43 @@ interface(`files_search_pids',` +@@ -5317,6 +5624,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -8815,7 +8853,7 @@ index 5302dac..3966eab 100644 ######################################## ## ## Do not audit attempts to search -@@ -5524,6 +5850,44 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5524,6 +5868,44 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -8860,7 +8898,7 @@ index 5302dac..3966eab 100644 ## Read all process ID files. ## ## -@@ -5541,6 +5905,44 @@ interface(`files_read_all_pids',` +@@ -5541,6 +5923,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -8905,7 +8943,7 @@ index 5302dac..3966eab 100644 ') ######################################## -@@ -5826,3 +6228,247 @@ interface(`files_unconfined',` +@@ -5826,3 +6246,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15038,7 +15076,7 @@ index 3e45431..fa57a6f 100644 admin_pattern($1, bluetooth_var_lib_t) diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te -index 215b86b..67818fe 100644 +index 215b86b..913d2a9 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0) 
@@ -15049,18 +15087,19 @@ index 215b86b..67818fe 100644 type bluetooth_t; type bluetooth_exec_t; init_daemon_domain(bluetooth_t, bluetooth_exec_t) -@@ -99,6 +100,10 @@ kernel_request_load_module(bluetooth_t) +@@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t) #search debugfs - redhat bug 548206 kernel_search_debugfs(bluetooth_t) +ifdef(`hide_broken_symptoms', ` + kernel_rw_unlabeled_socket(bluetooth_t) ++ dev_rw_generic_chr_files(bluetooth_t) +') + corenet_all_recvfrom_unlabeled(bluetooth_t) corenet_all_recvfrom_netlabel(bluetooth_t) corenet_tcp_sendrecv_generic_if(bluetooth_t) -@@ -147,6 +152,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) +@@ -147,6 +153,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` @@ -17072,7 +17111,7 @@ index 0258b48..8fde016 100644 manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if -index 42c6bd7..ac43a92 100644 +index 42c6bd7..8f23087 100644 --- a/policy/modules/services/consolekit.if +++ b/policy/modules/services/consolekit.if @@ -5,9 +5,9 @@ 
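Review bot: `dev_rw_generic_chr_files(bluetooth_t)` is an allow rule placed inside the `hide_broken_symptoms` ifdef, and it is not listed in the commit description; the other uses of that ifdef visible in this patch (mount.te, sysnetwork.te) hold dontaudit rules. Judging by its name, the interface grants read/write on character devices that carry the generic device label, so any mislabeled node under /dev would become reachable from the bluetooth daemon. I would rather label the specific node bluetoothd opens and grant access to that type. At minimum, add a comment such as `# bluetoothd opens <device node> before it is labeled, see <bug id>`.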
@@ -17087,7 +17126,35 @@ index 42c6bd7..ac43a92 100644 ## # interface(`consolekit_domtrans',` -@@ -41,6 +41,24 @@ interface(`consolekit_dbus_chat',` +@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',` + + ######################################## + ## ++## dontaudit Send and receive messages from ++## consolekit over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`consolekit_dontaudit_dbus_chat',` ++ gen_require(` ++ type consolekit_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 consolekit_t:dbus send_msg; ++ dontaudit consolekit_t $1:dbus send_msg; ++') ++ ++######################################## ++## + ## Send and receive messages from + ## consolekit over dbus. + ## +@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',` ######################################## ## @@ -17112,7 +17179,7 @@ index 42c6bd7..ac43a92 100644 ## Read consolekit log files. ## ## -@@ -95,3 +113,22 @@ interface(`consolekit_read_pid_files',` +@@ -95,3 +134,22 @@ interface(`consolekit_read_pid_files',` files_search_pids($1) read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) ') @@ -18711,7 +18778,7 @@ index 8ba9425..b10da2c 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..ab2edfc 100644 +index f706b99..c1ba3f2 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ 
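Review bot: The documentation block of the new `consolekit_dontaudit_dbus_chat` interface appears to be copied from the allow variant, since its parameter description still reads "Domain allowed access." although the body contains only dontaudit rules. I would change the summary to "Do not audit attempts to send and receive messages from consolekit over dbus." and the parameter description to "Domain to not audit.", which is the wording `libs_dontaudit_setattr_lib_files` uses in this same commit. No caller of the new interface is visible in this chunk, so it is worth checking that it is used.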
@@ -18726,7 +18793,33 @@ index f706b99..ab2edfc 100644 ## # interface(`devicekit_domtrans',` -@@ -147,16 +147,6 @@ interface(`devicekit_read_pid_files',` +@@ -120,6 +120,25 @@ interface(`devicekit_dbus_chat_power',` + + ######################################## + ## ++## Allow the domain to read devicekit_power state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_read_state_power',` ++ gen_require(` ++ type devicekit_power_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, devicekit_power_t) ++') ++ ++######################################## ++## + ## Read devicekit PID files. + ## + ## +@@ -147,16 +166,6 @@ interface(`devicekit_read_pid_files',` ## Domain allowed access. ## ## @@ -18743,7 +18836,7 @@ index f706b99..ab2edfc 100644 ## # interface(`devicekit_admin',` -@@ -165,21 +155,21 @@ interface(`devicekit_admin',` +@@ -165,21 +174,22 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -18771,6 +18864,7 @@ index f706b99..ab2edfc 100644 - files_search_pids($1) + files_list_pids($1) ') ++ diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index f231f17..3aaa784 100644 --- a/policy/modules/services/devicekit.te @@ -23116,10 +23210,10 @@ index 0000000..311aaed +') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te new file mode 100644 -index 0000000..84bc8bb +index 0000000..68af4e8 --- /dev/null +++ b/policy/modules/services/mpd.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,111 @@ +policy_module(mpd, 1.0.0) + +######################################## @@ -23197,6 +23291,7 @@ index 0000000..84bc8bb +corenet_tcp_connect_http_port(mpd_t) +corenet_tcp_connect_http_cache_port(mpd_t) +corenet_tcp_connect_pulseaudio_port(mpd_t) ++corenet_tcp_connect_soundd_port(mpd_t) +corenet_tcp_bind_mpd_port(mpd_t) +corenet_tcp_bind_soundd_port(mpd_t) + 
@@ -35622,7 +35717,7 @@ index 6f1e3c7..6a160b2 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..f963642 100644 +index da2601a..0ad10f7 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -36096,7 +36191,32 @@ index da2601a..f963642 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1052,7 +1155,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1038,6 +1141,24 @@ interface(`xserver_manage_xdm_tmp_files',` + + ######################################## + ## ++## Create, read, write, and delete xdm temporary dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_manage_xdm_tmp_dirs',` ++ gen_require(` ++ type xdm_tmp_t; ++ ') ++ ++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to get the attributes of + ## xdm temporary named sockets. + ## +@@ -1052,7 +1173,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -36105,7 +36225,7 @@ index da2601a..f963642 100644 ') ######################################## -@@ -1070,8 +1173,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1191,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -36117,7 +36237,7 @@ index da2601a..f963642 100644 ') ######################################## -@@ -1185,6 +1290,7 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1308,7 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) 
@@ -36125,7 +36245,7 @@ index da2601a..f963642 100644 ') ######################################## -@@ -1210,7 +1316,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1334,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -36134,7 +36254,7 @@ index da2601a..f963642 100644 ## ## ## -@@ -1220,13 +1326,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1344,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -36159,7 +36279,7 @@ index da2601a..f963642 100644 ') ######################################## -@@ -1243,10 +1359,355 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1377,355 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -37998,10 +38118,10 @@ index f9a06d2..3d407c6 100644 files_read_etc_files(zos_remote_t) diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index ac50333..42784aa 100644 +index ac50333..a5678f1 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if -@@ -130,3 +130,39 @@ interface(`application_signull',` +@@ -130,3 +130,57 @@ interface(`application_signull',` allow $1 application_domain_type:process signull; ') @@ -38026,6 +38146,24 @@ index ac50333..42784aa 100644 + +######################################## +## ++## Dontaudit signal sent to all application domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`application_dontaudit_signal',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ dontaudit $1 application_domain_type:process signal; ++') ++ ++######################################## ++## +## Send signal to all application domains. +## +## @@ -39073,7 +39211,7 @@ index df3fa64..73dc579 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8a105fd..2b0a437 100644 +index 8a105fd..ace700c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -39202,7 +39340,7 @@ index 8a105fd..2b0a437 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +220,89 @@ tunable_policy(`init_upstart',` +@@ -186,12 +220,92 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -39264,9 +39402,12 @@ index 8a105fd..2b0a437 100644 + files_relabel_all_pid_files(init_t) + files_relabel_all_pid_files(init_t) + files_manage_all_pids(init_t) -+ files_manage_generic_locks(init_t) ++ files_manage_all_locks(init_t) + files_manage_generic_tmp_dirs(init_t) + files_manage_generic_tmp_files(init_t) ++ files_relabelfrom_tmp_files(init_t) ++ ++ auth_manage_var_auth(init_t) +') + optional_policy(` @@ -39292,7 +39433,7 @@ index 8a105fd..2b0a437 100644 ') optional_policy(` -@@ -199,10 +310,19 @@ optional_policy(` +@@ -199,10 +313,23 @@ optional_policy(` ') optional_policy(` @@ -39308,11 +39449,15 @@ index 8a105fd..2b0a437 100644 + udev_read_db(init_t) +') + ++optional_policy(` ++ xserver_manage_xdm_tmp_dirs(init_t) ++') ++ +optional_policy(` unconfined_domain(init_t) ') -@@ -212,7 +332,7 @@ optional_policy(` +@@ -212,7 +339,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -39321,7 +39466,7 @@ index 8a105fd..2b0a437 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,6 +361,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,6 +368,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
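Review bot: The commit description says systemd needs init to build the /tmp, /var/auth and /var/lock directories, but the lines added in the `@@ -186,12 +220,92 @@` init.te hunk grant more than directory creation. `files_manage_all_locks(init_t)` replaces the generic-locks interface, `files_relabelfrom_tmp_files(init_t)` covers files labeled tmp_t, and the definition of `auth_manage_var_auth` is not visible in this chunk, so its scope cannot be checked here. Where a directory-only interface exists, as with `xserver_manage_xdm_tmp_dirs(init_t)` in the following init.te hunk, I would use that form and add a short comment saying which systemd step needs each rule. The enclosing policy block starts outside the hunk.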
@@ -39329,7 +39474,7 @@ index 8a105fd..2b0a437 100644 can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -258,11 +379,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,11 +386,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -39353,7 +39498,7 @@ index 8a105fd..2b0a437 100644 corecmd_exec_all_executables(initrc_t) -@@ -291,6 +424,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +431,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -39361,7 +39506,7 @@ index 8a105fd..2b0a437 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +432,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +439,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -39377,7 +39522,7 @@ index 8a105fd..2b0a437 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +457,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +464,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -39389,7 +39534,7 @@ index 8a105fd..2b0a437 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +476,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +483,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -39403,7 +39548,7 @@ index 8a105fd..2b0a437 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +491,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +498,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -39412,7 +39557,7 @@ index 8a105fd..2b0a437 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +505,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +512,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -39420,7 +39565,7 @@ index 8a105fd..2b0a437 100644 selinux_get_enforce_mode(initrc_t) -@@ -380,6 +523,7 @@ auth_read_pam_pid(initrc_t) +@@ -380,6 +530,7 @@ auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) auth_delete_pam_console_data(initrc_t) auth_use_nsswitch(initrc_t) @@ -39428,7 +39573,7 @@ index 8a105fd..2b0a437 100644 libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) -@@ -394,13 +538,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +545,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -39444,7 +39589,7 @@ index 8a105fd..2b0a437 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +618,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +625,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -39453,7 +39598,7 @@ index 8a105fd..2b0a437 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +664,19 @@ ifdef(`distro_redhat',` +@@ -519,6 +671,19 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) 
@@ -39473,7 +39618,7 @@ index 8a105fd..2b0a437 100644 ') optional_policy(` -@@ -526,10 +684,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +691,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -39491,7 +39636,7 @@ index 8a105fd..2b0a437 100644 ') optional_policy(` -@@ -544,6 +709,35 @@ ifdef(`distro_suse',` +@@ -544,6 +716,35 @@ ifdef(`distro_suse',` ') ') @@ -39527,7 +39672,7 @@ index 8a105fd..2b0a437 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +750,8 @@ optional_policy(` +@@ -556,6 +757,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -39536,7 +39681,7 @@ index 8a105fd..2b0a437 100644 ') optional_policy(` -@@ -572,6 +768,7 @@ optional_policy(` +@@ -572,6 +775,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -39544,7 +39689,7 @@ index 8a105fd..2b0a437 100644 ') optional_policy(` -@@ -584,6 +781,11 @@ optional_policy(` +@@ -584,6 +788,11 @@ optional_policy(` ') optional_policy(` @@ -39556,7 +39701,7 @@ index 8a105fd..2b0a437 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,6 +802,9 @@ optional_policy(` +@@ -600,6 +809,9 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -39566,7 +39711,7 @@ index 8a105fd..2b0a437 100644 optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -701,7 +906,13 @@ optional_policy(` +@@ -701,7 +913,13 @@ optional_policy(` ') optional_policy(` @@ -39580,7 +39725,7 @@ index 8a105fd..2b0a437 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +935,10 @@ optional_policy(` +@@ -724,6 +942,10 @@ optional_policy(` ') optional_policy(` @@ -39591,7 +39736,7 @@ index 8a105fd..2b0a437 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -745,6 +960,10 @@ optional_policy(` +@@ -745,6 +967,10 @@ optional_policy(` ') optional_policy(` 
@@ -39602,7 +39747,7 @@ index 8a105fd..2b0a437 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +985,6 @@ optional_policy(` +@@ -766,8 +992,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39611,7 +39756,7 @@ index 8a105fd..2b0a437 100644 ') optional_policy(` -@@ -776,14 +993,21 @@ optional_policy(` +@@ -776,14 +1000,21 @@ optional_policy(` ') optional_policy(` @@ -39633,7 +39778,7 @@ index 8a105fd..2b0a437 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1029,19 @@ optional_policy(` +@@ -805,11 +1036,19 @@ optional_policy(` ') optional_policy(` @@ -39654,7 +39799,7 @@ index 8a105fd..2b0a437 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1051,25 @@ optional_policy(` +@@ -819,6 +1058,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -39680,7 +39825,7 @@ index 8a105fd..2b0a437 100644 ') optional_policy(` -@@ -844,3 +1095,55 @@ optional_policy(` +@@ -844,3 +1102,55 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -40456,7 +40601,7 @@ index 9df8c4d..0199a7d 100644 +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index d97d16d..ed1b8be 100644 +index d97d16d..ed84884 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',` 
@@ -40486,7 +40631,31 @@ index d97d16d..ed1b8be 100644 ## Use the dynamic link/loader for automatic loading ## of shared libraries. ## -@@ -383,7 +403,7 @@ interface(`libs_manage_shared_libs',` +@@ -187,6 +207,23 @@ interface(`libs_search_lib',` + + allow $1 lib_t:dir search_dir_perms; + ') ++######################################## ++## ++## dontaudit attempts to setattr on library files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`libs_dontaudit_setattr_lib_files',` ++ gen_require(` ++ type lib_t; ++ ') ++ ++ dontaudit $1 lib_t:file setattr; ++') + + ######################################## + ## +@@ -383,7 +420,7 @@ interface(`libs_manage_shared_libs',` type lib_t, textrel_shlib_t; ') @@ -40495,7 +40664,7 @@ index d97d16d..ed1b8be 100644 ') ######################################## -@@ -402,9 +422,9 @@ interface(`libs_use_shared_libs',` +@@ -402,9 +439,9 @@ interface(`libs_use_shared_libs',` ') files_search_usr($1) @@ -40508,7 +40677,7 @@ index d97d16d..ed1b8be 100644 allow $1 textrel_shlib_t:file execmod; ') -@@ -445,7 +465,7 @@ interface(`libs_relabel_shared_libs',` +@@ -445,7 +482,7 @@ interface(`libs_relabel_shared_libs',` type lib_t, textrel_shlib_t; ') @@ -41514,7 +41683,7 @@ index 8b5c196..3490497 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index fca6947..c960661 100644 +index fca6947..809442b 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -41716,7 +41885,7 @@ index fca6947..c960661 100644 ') optional_policy(` -@@ -173,6 +247,24 @@ optional_policy(` +@@ -173,6 +247,28 @@ optional_policy(` ') optional_policy(` @@ -41724,6 +41893,10 @@ index fca6947..c960661 100644 +') + +optional_policy(` ++ devicekit_read_state_power(mount_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(mount_t) + + optional_policy(` 
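Review bot: `libs_dontaudit_setattr_lib_files` hides every setattr attempt on lib_t files, and the userdomain.if hunk later in this patch applies it to `$1_usertype`, so the suppression covers login users in general rather than the one program named in the commit description. An ordinary user trying to change attributes on a shared library is a useful tamper signal. Narrowing the dontaudit to the domain OpenOffice runs in, if it has its own, would keep that signal for everything else. The new `####` banner also follows the closing `')` of `libs_search_lib` without a blank line, though that may be an artifact of how this page was captured.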
@@ -41741,7 +41914,7 @@ index fca6947..c960661 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -180,13 +272,40 @@ optional_policy(` +@@ -180,13 +276,44 @@ optional_policy(` ') ') @@ -41778,11 +41951,15 @@ index fca6947..c960661 100644 +') + +optional_policy(` ++ virt_read_blk_images(mount_t) ++') ++ ++optional_policy(` + vmware_exec_host(mount_t) ') ######################################## -@@ -195,6 +314,42 @@ optional_policy(` +@@ -195,6 +322,42 @@ optional_policy(` # optional_policy(` @@ -43300,7 +43477,7 @@ index 8e71fb7..350d003 100644 + role_transition $1 dhcpc_exec_t system_r; ') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index dfbe736..3663802 100644 +index dfbe736..5740b79 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0) @@ -43363,7 +43540,7 @@ index dfbe736..3663802 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,6 +148,7 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) +@@ -130,9 +148,11 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) init_rw_utmp(dhcpc_t) @@ -43371,7 +43548,11 @@ index dfbe736..3663802 100644 logging_send_syslog_msg(dhcpc_t) -@@ -155,6 +174,10 @@ optional_policy(` ++miscfiles_read_generic_certs(dhcpc_t) + miscfiles_read_localization(dhcpc_t) + + modutils_domtrans_insmod(dhcpc_t) +@@ -155,6 +175,10 @@ optional_policy(` ') optional_policy(` @@ -43382,7 +43563,7 @@ index dfbe736..3663802 100644 init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -171,6 +194,8 @@ optional_policy(` +@@ -171,6 +195,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) 
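Review bot: In the sysnetwork.te hunk, `miscfiles_read_generic_certs(dhcpc_t)` is added to the DHCP client domain but does not appear in the commit description, and no comment says which dhclient code path reads certificates. dhcpc_t handles input from untrusted network peers, so each extra read permission on it deserves a stated reason; a line such as `# dhclient hook <name> reads the CA bundle, see <bug id>` above the call would do. If the need comes from a helper script rather than dhclient itself, consider granting the access to that script's domain instead.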
@@ -43391,7 +43572,7 @@ index dfbe736..3663802 100644 ') optional_policy(` -@@ -192,6 +217,13 @@ optional_policy(` +@@ -192,6 +218,13 @@ optional_policy(` ') optional_policy(` @@ -43405,7 +43586,7 @@ index dfbe736..3663802 100644 nis_read_ypbind_pid(dhcpc_t) ') -@@ -213,6 +245,7 @@ optional_policy(` +@@ -213,6 +246,7 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -43413,7 +43594,7 @@ index dfbe736..3663802 100644 ') optional_policy(` -@@ -276,8 +309,11 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +310,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -43425,7 +43606,7 @@ index dfbe736..3663802 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -305,6 +341,8 @@ modutils_domtrans_insmod(ifconfig_t) +@@ -305,6 +342,8 @@ modutils_domtrans_insmod(ifconfig_t) seutil_use_runinit_fds(ifconfig_t) @@ -43434,7 +43615,7 @@ index dfbe736..3663802 100644 userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -314,6 +352,10 @@ ifdef(`distro_ubuntu',` +@@ -314,6 +353,10 @@ ifdef(`distro_ubuntu',` ') ') @@ -43445,7 +43626,7 @@ index dfbe736..3663802 100644 ifdef(`hide_broken_symptoms',` optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) -@@ -327,6 +369,8 @@ ifdef(`hide_broken_symptoms',` +@@ -327,6 +370,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) @@ -43454,7 +43635,7 @@ index dfbe736..3663802 100644 ') optional_policy(` -@@ -334,6 +378,10 @@ optional_policy(` +@@ -334,6 +379,10 @@ optional_policy(` ') optional_policy(` @@ -43465,7 +43646,7 @@ index dfbe736..3663802 100644 nis_use_ypbind(ifconfig_t) ') -@@ -355,3 +403,9 @@ optional_policy(` +@@ -355,3 +404,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') 
@@ -44373,7 +44554,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 35f1476..ad3b474 100644 +index 35f1476..addc01c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -45282,7 +45463,7 @@ index 35f1476..ad3b474 100644 ############################## # # Local policy -@@ -874,45 +1013,105 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1013,107 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -45305,6 +45486,8 @@ index 35f1476..ad3b474 100644 + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) + ++ libs_dontaudit_setattr_lib_files($1_usertype) ++ + tunable_policy(`user_rw_noexattrfile',` + dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_usertype) @@ -45399,7 +45582,7 @@ index 35f1476..ad3b474 100644 ') ') -@@ -947,7 +1146,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1148,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -45408,7 +45591,7 @@ index 35f1476..ad3b474 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1155,77 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1157,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here 
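Review bot: The added `libs_dontaudit_setattr_lib_files($1_usertype)` in the userdomain.if section hides setattr denials on library files for every user type built from this template, while the changelog attributes the noise to OpenOffice alone. The access is still denied, but an attempt by any user process to change attributes on a library file no longer reaches the audit log, which removes a signal useful for spotting tampering attempts. A comment such as `# OpenOffice tries to setattr lib_t files as a normal user; still denied, hidden to cut audit noise` would record the trade-off. It is also worth documenting that `semodule -DB` re-enables these records during an investigation. The enclosing template begins and ends outside the hunk.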
@@ -45493,30 +45676,30 @@ index 35f1476..ad3b474 100644 + + optional_policy(` + mono_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ mount_run_fusermount($1_t, $1_r) -+ ') -+ -+ optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ postfix_run_postdrop($1_t, $1_r) ++ mount_run_fusermount($1_t, $1_r) ') -+ # Run pppd in pppd_t by default for user optional_policy(` - setroubleshoot_stream_connect($1_t) ++ wine_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ postfix_run_postdrop($1_t, $1_r) ++ ') ++ ++ # Run pppd in pppd_t by default for user ++ optional_policy(` + ppp_run_cond($1_t, $1_r) ') ') -@@ -1039,7 +1261,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1263,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -45525,7 +45708,7 @@ index 35f1476..ad3b474 100644 ') ############################## -@@ -1074,6 +1296,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1298,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -45535,7 +45718,7 @@ index 35f1476..ad3b474 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1313,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1315,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -45543,7 +45726,7 @@ index 35f1476..ad3b474 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1119,10 +1345,13 @@ template(`userdom_admin_user_template',` +@@ -1119,10 +1347,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -45557,7 +45740,7 @@ index 35f1476..ad3b474 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1142,6 +1371,7 @@ template(`userdom_admin_user_template',` +@@ -1142,6 +1373,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -45565,7 +45748,7 @@ index 35f1476..ad3b474 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1440,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1442,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -45574,7 +45757,7 @@ index 35f1476..ad3b474 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1237,6 +1469,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1471,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -45582,7 +45765,7 @@ index 35f1476..ad3b474 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1275,12 +1508,15 @@ template(`userdom_security_admin_template',` +@@ -1275,12 +1510,15 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -45599,7 +45782,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -1391,6 +1627,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1391,6 +1629,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -45607,7 +45790,7 @@ index 35f1476..ad3b474 100644 files_search_home($1) ') -@@ -1437,6 +1674,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1437,6 +1676,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -45622,7 +45805,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -1452,9 +1697,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1452,9 +1699,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -45634,7 +45817,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -1511,6 +1758,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1511,6 +1760,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -45677,7 +45860,7 @@ index 35f1476..ad3b474 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1585,6 +1868,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1585,6 +1870,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -45686,7 +45869,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -1599,10 +1884,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1599,10 +1886,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45701,7 +45884,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -1645,34 +1932,53 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1645,30 +1934,49 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -45737,10 +45920,9 @@ index 35f1476..ad3b474 100644 ## -## Domain allowed access. +## Domain to not audit. - ## - ## - # --interface(`userdom_mmap_user_home_content_files',` ++## ++## ++# +interface(`userdom_dontaudit_setattr_user_home_content_files',` + gen_require(` + type user_home_t; 
@@ -45756,14 +45938,10 @@ index 35f1476..ad3b474 100644 +## +## +## Domain allowed access. -+## -+## -+# -+interface(`userdom_mmap_user_home_content_files',` - gen_require(` - type user_home_dir_t, user_home_t; - ') -@@ -1696,12 +2002,32 @@ interface(`userdom_read_user_home_content_files',` + ## + ## + # +@@ -1696,12 +2004,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -45796,7 +45974,7 @@ index 35f1476..ad3b474 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1712,11 +2038,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1712,11 +2040,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -45814,7 +45992,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -1806,8 +2135,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1806,8 +2137,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -45824,7 +46002,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -1823,20 +2151,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1823,20 +2153,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45849,7 +46027,7 @@ index 35f1476..ad3b474 100644 ######################################## ## -@@ -2178,7 +2500,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2178,7 +2502,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -45858,7 +46036,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -2431,13 +2753,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2431,13 +2755,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -45874,7 +46052,7 @@ index 35f1476..ad3b474 100644 ## ## ## -@@ -2458,26 +2781,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2458,26 +2783,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -45901,7 +46079,7 @@ index 35f1476..ad3b474 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2811,7 +3114,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2811,7 +3116,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -45910,7 +46088,7 @@ index 35f1476..ad3b474 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2827,11 +3130,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2827,11 +3132,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -45926,7 +46104,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -2913,7 +3218,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2913,7 +3220,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -45935,7 +46113,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -2968,7 +3273,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2968,7 +3275,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -45982,7 +46160,7 @@ index 35f1476..ad3b474 100644 ') ######################################## -@@ -3005,6 +3348,7 @@ interface(`userdom_read_all_users_state',` +@@ -3005,6 +3350,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -45990,7 +46168,7 @@ index 35f1476..ad3b474 100644 kernel_search_proc($1) ') -@@ -3135,3 +3479,854 @@ interface(`userdom_dbus_send_all_users',` +@@ -3135,3 +3481,854 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 1650d91a..54d514eb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,8 +470,26 @@ exit 0 %endif %changelog +* Tue Oct 19 2010 Dan Walsh 3.9.7-5 +- Allow chome to create netlink_route_socket +- Add additional MATHLAB file context +- Define nsplugin as an application_domain +- Dontaudit sending signals from sandboxed domains to other domains +- systemd requires init to build /tmp /var/auth and /var/lock dirs +- mount wants to read devicekit_power /proc/ entries +- mpd wants to connect to soundd port +- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit +- Treat lib_t and textrel_shlib_t directories the same +- Allow mount read access on virtual images + * Fri Oct 15 2010 Dan Walsh 3.9.7-4 - Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. +- Allow devicekit_power to domtrans to mount +- Allow dhcp to bind to udp ports > 1024 to do named stuff +- Allow ssh_t to exec ssh_exec_t +- Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used +- Fix clamav_append_log() intefaces +- Fix 'psad_rw_fifo_file' interface * Fri Oct 15 2010 Dan Walsh 3.9.7-3 - Allow cobblerd to list cobler appache content