* Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3

- PolicyKit path has changed - Allow httpd connect to dirsrv socket - Allow tuned to write generic kernel sysctls - Dontaudit logwatch to gettr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Make condor_startd and rgmanager as initrc domain - Allow virsh to read /etc/passwd - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm - Fix files_filetrans_named_content() interface - Add new attribute - initrc_domain - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files
2012-06-12 14:33:10 +02:00 · 2012-06-12 14:33:10 +02:00 · c8f96d3d71
commit c8f96d3d71
parent 4415dfa1a8
3 changed files with 320 additions and 213 deletions
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@ -2453,7 +2453,7 @@ index 6480167..d0bf548 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index a36a01d..777623e 100644
+index a36a01d..f6aad32 100644
 --- a/apache.te
 +++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
@ -3072,10 +3072,16 @@ index a36a01d..777623e 100644
 	cobbler_search_lib(httpd_t)
 ')
-@@ -540,6 +832,18 @@ optional_policy(`
+@@ -540,6 +832,24 @@ optional_policy(`
 	daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
 +optional_policy(`
 +        # needed by FreeIPA 
 +	dirsrv_stream_connect(httpd_t)
 +	ldap_stream_connect(httpd_t)
 +')
 +
 +optional_policy(`
 +	dirsrv_manage_config(httpd_t)
 +	dirsrv_manage_log(httpd_t)
@ -3091,7 +3097,7 @@ index a36a01d..777623e 100644
  optional_policy(`
 	dbus_system_bus_client(httpd_t)
-@@ -549,12 +853,21 @@ optional_policy(`
+@@ -549,12 +859,21 @@ optional_policy(`
 ')
 optional_policy(`
@ -3114,7 +3120,7 @@ index a36a01d..777623e 100644
 	kerberos_keytab_template(httpd, httpd_t)
 ')
-@@ -568,7 +881,21 @@ optional_policy(`
+@@ -568,7 +887,21 @@ optional_policy(`
 ')
 optional_policy(`
@ -3136,7 +3142,7 @@ index a36a01d..777623e 100644
 	mysql_stream_connect(httpd_t)
 	mysql_rw_db_sockets(httpd_t)
-@@ -579,6 +906,7 @@ optional_policy(`
+@@ -579,6 +912,7 @@ optional_policy(`
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -3144,7 +3150,7 @@ index a36a01d..777623e 100644
 ')
 optional_policy(`
-@@ -589,6 +917,33 @@ optional_policy(`
+@@ -589,6 +923,33 @@ optional_policy(`
 ')
 optional_policy(`
@ -3178,7 +3184,7 @@ index a36a01d..777623e 100644
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
 	postgresql_unpriv_client(httpd_t)
-@@ -603,6 +958,11 @@ optional_policy(`
+@@ -603,6 +964,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -3190,7 +3196,7 @@ index a36a01d..777623e 100644
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -615,6 +975,12 @@ optional_policy(`
+@@ -615,6 +981,12 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -3203,7 +3209,7 @@ index a36a01d..777623e 100644
 ########################################
 #
 # Apache helper local policy
-@@ -628,7 +994,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -628,7 +1000,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
 logging_send_syslog_msg(httpd_helper_t)
@ -3216,7 +3222,7 @@ index a36a01d..777623e 100644
 ########################################
 #
-@@ -666,28 +1036,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -666,28 +1042,30 @@ libs_exec_lib_files(httpd_php_t)
 userdom_use_unpriv_users_fds(httpd_php_t)
 tunable_policy(`httpd_can_network_connect_db',`
@ -3260,7 +3266,7 @@ index a36a01d..777623e 100644
 ')
 ########################################
-@@ -697,6 +1069,7 @@ optional_policy(`
+@@ -697,6 +1075,7 @@ optional_policy(`
 allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
@ -3268,7 +3274,7 @@ index a36a01d..777623e 100644
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,14 +1084,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -711,14 +1090,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -3292,7 +3298,7 @@ index a36a01d..777623e 100644
 # for shell scripts
 corecmd_exec_bin(httpd_suexec_t)
 corecmd_exec_shell(httpd_suexec_t)
-@@ -752,13 +1134,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -752,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
@ -3325,7 +3331,7 @@ index a36a01d..777623e 100644
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)
 	fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1181,25 @@ optional_policy(`
+@@ -781,6 +1187,25 @@ optional_policy(`
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -3351,7 +3357,7 @@ index a36a01d..777623e 100644
 ########################################
 #
 # Apache system script local policy
-@@ -801,12 +1220,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -801,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
 kernel_read_kernel_sysctls(httpd_sys_script_t)
@ -3369,7 +3375,7 @@ index a36a01d..777623e 100644
 ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
-@@ -815,18 +1239,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -815,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',`
 	mta_send_mail(httpd_sys_script_t)
 ')
@ -3426,7 +3432,7 @@ index a36a01d..777623e 100644
 	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
 	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
 	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1290,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -834,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 ')
 tunable_policy(`httpd_enable_homedirs',`
@ -3467,7 +3473,7 @@ index a36a01d..777623e 100644
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1335,20 @@ optional_policy(`
+@@ -854,10 +1341,20 @@ optional_policy(`
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -3488,7 +3494,7 @@ index a36a01d..777623e 100644
 ')
 ########################################
-@@ -903,11 +1394,146 @@ optional_policy(`
+@@ -903,11 +1400,146 @@ optional_policy(`
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -10086,10 +10092,10 @@ index 0000000..168f664
 +')
 diff --git a/condor.te b/condor.te
 new file mode 100644
-index 0000000..4eb7bd9
+index 0000000..1bba4b7
 --- /dev/null
 +++ b/condor.te
-@@ -0,0 +1,231 @@
+@@ -0,0 +1,232 @@
 +policy_module(condor, 1.0.0)
 +
 +########################################
@ -10308,6 +10314,7 @@ index 0000000..4eb7bd9
 +auth_use_nsswitch(condor_startd_t)
 +
 +init_domtrans_script(condor_startd_t)
 +init_initrc_domain(condor_startd_t)
 +
 +libs_exec_lib_files(condor_startd_t)
 +
@ -13263,7 +13270,7 @@ index c43ff4c..5da88b5 100644
 	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
 	domain_system_change_exemption($1)
 diff --git a/cvs.te b/cvs.te
-index 88e7e97..1c723fb 100644
+index 88e7e97..08d7ec0 100644
 --- a/cvs.te
 +++ b/cvs.te
@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
@ -13298,8 +13305,12 @@ index 88e7e97..1c723fb 100644
 logging_send_syslog_msg(cvs_t)
 logging_send_audit_msgs(cvs_t)
-@@ -90,7 +92,7 @@ mta_send_mail(cvs_t)
+@@ -88,9 +90,11 @@ miscfiles_read_localization(cvs_t)
 mta_send_mail(cvs_t)
 +userdom_dontaudit_search_user_home_dirs(cvs_t)
 +
 # cjp: typeattribute doesnt work in conditionals yet
 auth_can_read_shadow_passwords(cvs_t)
 -tunable_policy(`allow_cvs_read_shadow',`
@ -13307,7 +13318,7 @@ index 88e7e97..1c723fb 100644
 	allow cvs_t self:capability dac_override;
 	auth_tunable_read_shadow(cvs_t)
 ')
-@@ -112,4 +114,5 @@ optional_policy(`
+@@ -112,4 +116,5 @@ optional_policy(`
 	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
 	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@ -16520,7 +16531,7 @@ index e1d7dc5..df96c0d 100644
 	admin_pattern($1, dovecot_var_run_t)
 diff --git a/dovecot.te b/dovecot.te
-index 2df7766..ef8b0d7 100644
+index 2df7766..53efc0b 100644
 --- a/dovecot.te
 +++ b/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@ -16751,7 +16762,7 @@ index 2df7766..ef8b0d7 100644
 miscfiles_read_localization(dovecot_deliver_t)
-@@ -283,24 +338,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
 userdom_manage_user_home_content_sockets(dovecot_deliver_t)
 userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@ -16779,6 +16790,7 @@ index 2df7766..ef8b0d7 100644
 optional_policy(`
 	mta_manage_spool(dovecot_deliver_t)
 +	mta_read_queue(dovecot_deliver_t)
 +	mta_read_home_rw(dovecot_deliver_t)
 +')
 +
 +optional_policy(`
@ -20106,16 +20118,17 @@ index 4afb81f..842165a 100644
 -
 -libs_exec_ldconfig(glance_api_t)
 diff --git a/gnome.fc b/gnome.fc
-index 00a19e3..d776f66 100644
+index 00a19e3..17006fc 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,9 +1,53 @@
+@@ -1,9 +1,54 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
 +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.nv(/.*)?  gen_context(system_u:object_r:cache_home_t,s0)
 HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
@ -20166,7 +20179,7 @@ index 00a19e3..d776f66 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..581c9dd 100644
+index f5afe78..e283f63 100644
 --- a/gnome.if
 +++ b/gnome.if
@@ -1,44 +1,937 @@
@ -21276,7 +21289,7 @@ index f5afe78..581c9dd 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -122,17 +1068,62 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1068,80 @@ interface(`gnome_stream_connect_gconf',`
 ##	</summary>
 ## </param>
 #
@ -21292,6 +21305,24 @@ index f5afe78..581c9dd 100644
 +	gnome_filetrans_gstreamer_home_content($1)
 +')
 +
 +######################################
 +## <summary>
 +##      Allow to execute gstreamer home content files.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
 +interface(`gnome_exec_gstreamer_home_files',`
 +        gen_require(`
 +                type gstreamer_home_t;
 +        ')
 +
 +        can_exec($1, gstreamer_home_t)
 +')
 +
 +#######################################
 +## <summary>
 +##  file name transition gstreamer home content files.
@ -21343,7 +21374,7 @@ index f5afe78..581c9dd 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -140,51 +1131,306 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1149,307 @@ interface(`gnome_domtrans_gconfd',`
 ##	</summary>
 ## </param>
 #
@ -21564,6 +21595,7 @@ index f5afe78..581c9dd 100644
 +	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
 +	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
 +	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
 +	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
 +	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
@ -26044,10 +26076,10 @@ index 0000000..8bc2c6d
 +')
 diff --git a/l2tpd.te b/l2tpd.te
 new file mode 100644
-index 0000000..4786fde
+index 0000000..1b720ad
 --- /dev/null
 +++ b/l2tpd.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,101 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@ -26136,6 +26168,8 @@ index 0000000..4786fde
 +
 +term_use_ptmx(l2tpd_t)
 +
 +auth_read_passwd(l2tpd_t)
 +
 +logging_send_syslog_msg(l2tpd_t)
 +
 +miscfiles_read_localization(l2tpd_t)
@ -27129,7 +27163,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/logwatch.te b/logwatch.te
-index 75ce30f..671d4e1 100644
+index 75ce30f..47aa9f5 100644
 --- a/logwatch.te
 +++ b/logwatch.te
@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@ -27171,16 +27205,18 @@ index 75ce30f..671d4e1 100644
 files_read_usr_files(logwatch_t)
 files_search_spool(logwatch_t)
 files_search_mnt(logwatch_t)
-@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t)
+@@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t)
 fs_dontaudit_list_auto_mountpoints(logwatch_t)
 fs_list_inotifyfs(logwatch_t)
 +storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
 +
 +mls_file_read_to_clearance(logwatch_t)
 +
 term_dontaudit_getattr_pty_dirs(logwatch_t)
 term_dontaudit_list_ptys(logwatch_t)
-@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t)
 sysnet_exec_ifconfig(logwatch_t)
 userdom_dontaudit_search_user_home_dirs(logwatch_t)
@ -27196,7 +27232,7 @@ index 75ce30f..671d4e1 100644
 	files_getattr_all_file_type_fs(logwatch_t)
 ')
-@@ -145,3 +161,24 @@ optional_policy(`
+@@ -145,3 +163,24 @@ optional_policy(`
 	samba_read_log(logwatch_t)
 	samba_read_share_files(logwatch_t)
 ')
@ -28700,7 +28736,7 @@ index ee72cbe..bf5fc09 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 26101cb..db61a30 100644
+index 26101cb..7393387 100644
 --- a/milter.te
 +++ b/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
@ -28717,7 +28753,7 @@ index 26101cb..db61a30 100644
 # currently-supported milters are milter-greylist, milter-regex and spamass-milter
 milter_template(greylist)
 milter_template(regex)
-@@ -20,6 +27,23 @@ milter_template(spamass)
+@@ -20,6 +27,24 @@ milter_template(spamass)
 type spamass_milter_state_t;
 files_type(spamass_milter_state_t)
@ -28728,6 +28764,7 @@ index 26101cb..db61a30 100644
 +
 +allow dkim_milter_t self:capability { kill setgid setuid };
 +allow dkim_milter_t self:process signal;
 +allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
 +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 +
 +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
@ -28741,7 +28778,7 @@ index 26101cb..db61a30 100644
 ########################################
 #
 # milter-greylist local policy
-@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
+@@ -33,11 +58,19 @@ files_type(spamass_milter_state_t)
 allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
 allow greylist_milter_t self:process { setsched getsched };
@ -32982,7 +33019,7 @@ index a648982..59f096b 100644
 ')
 +
 diff --git a/ncftool.te b/ncftool.te
-index f19ca0b..8c48c33 100644
+index f19ca0b..dfc1ba2 100644
 --- a/ncftool.te
 +++ b/ncftool.te
@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
@ -33058,7 +33095,7 @@ index f19ca0b..8c48c33 100644
 optional_policy(`
 	consoletype_exec(ncftool_t)
 ')
-@@ -69,13 +83,17 @@ optional_policy(`
+@@ -69,13 +83,18 @@ optional_policy(`
 optional_policy(`
 	iptables_initrc_domtrans(ncftool_t)
@ -33066,6 +33103,7 @@ index f19ca0b..8c48c33 100644
 ')
 optional_policy(`
 +	modutils_list_module_config(ncftool_t)
 	modutils_read_module_config(ncftool_t)
 -	modutils_run_insmod(ncftool_t, ncftool_roles)
 +	modutils_domtrans_insmod(ncftool_t)
@ -38034,16 +38072,17 @@ index 4cffb07..3436696 100644
 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
 allow podsleuth_t self:sem create_sem_perms;
 diff --git a/policykit.fc b/policykit.fc
-index 63d0061..c65d18f 100644
+index 63d0061..4718a93 100644
 --- a/policykit.fc
 +++ b/policykit.fc
-@@ -1,16 +1,18 @@
+@@ -1,16 +1,20 @@
 /usr/lib/policykit/polkit-read-auth-helper --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -/usr/lib/policykit/polkit-grant-helper.* --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 +/usr/lib/policykit/polkit-grant-helper.*   --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
 /usr/lib/policykit/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
 -/usr/lib/policykit-1/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/lib/polkit-1/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
 /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@ -38051,11 +38090,12 @@ index 63d0061..c65d18f 100644
 -/usr/libexec/polkitd			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkit-1/polkit-agent-helper-1 --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/lib/polkit-1/polkit-agent-helper-1  --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/libexec/polkit-1/polkitd.*		--	gen_context(system_u:object_r:policykit_exec_t,s0)
 /var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
 /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
-+/var/lib/polkit-1(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)?				gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
@ -38203,7 +38243,7 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
 ')
 diff --git a/policykit.te b/policykit.te
-index 44db896..67a2c44 100644
+index 44db896..11800bb 100644
 --- a/policykit.te
 +++ b/policykit.te
@@ -1,51 +1,73 @@
@ -38293,7 +38333,7 @@ index 44db896..67a2c44 100644
 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
 policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
@ -38337,6 +38377,10 @@ index 44db896..67a2c44 100644
 +')
 +
 +optional_policy(`
 +	kerberos_manage_host_rcache(policykit_t)
 +')
 +
 +optional_policy(`
 +	gnome_read_config(policykit_t)
 +')
 +
@ -38413,10 +38457,14 @@ index 44db896..67a2c44 100644
 	dbus_session_bus_client(policykit_auth_t)
 	optional_policy(`
-@@ -118,14 +191,21 @@ optional_policy(`
+@@ -118,14 +195,25 @@ optional_policy(`
 	hal_read_state(policykit_auth_t)
 ')
 +optional_policy(`
 +        kerberos_manage_host_rcache(policykit_auth_t)
 +')
 +
 +optional_policy(`
 +	xserver_stream_connect(policykit_auth_t)
 +	xserver_xdm_append_log(policykit_auth_t)
@ -38437,7 +38485,7 @@ index 44db896..67a2c44 100644
 allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
 allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -145,19 +225,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
 files_read_etc_files(policykit_grant_t)
 files_read_usr_files(policykit_grant_t)
@ -38462,7 +38510,7 @@ index 44db896..67a2c44 100644
 		consolekit_dbus_chat(policykit_grant_t)
 	')
 ')
-@@ -167,9 +246,8 @@ optional_policy(`
+@@ -167,9 +254,8 @@ optional_policy(`
 # polkit_resolve local policy
 #
@ -38474,7 +38522,7 @@ index 44db896..67a2c44 100644
 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
 allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-@@ -185,14 +263,8 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t)
 files_read_etc_files(policykit_resolve_t)
 files_read_usr_files(policykit_resolve_t)
@ -38489,7 +38537,7 @@ index 44db896..67a2c44 100644
 userdom_read_all_users_state(policykit_resolve_t)
 optional_policy(`
-@@ -207,4 +279,3 @@ optional_policy(`
+@@ -207,4 +287,3 @@ optional_policy(`
 	kernel_search_proc(policykit_resolve_t)
 	hal_read_state(policykit_resolve_t)
 ')
@ -44832,7 +44880,7 @@ index 7dc38d1..808f9c6 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/rgmanager.te b/rgmanager.te
-index 07333db..53bff36 100644
+index 07333db..91ef567 100644
 --- a/rgmanager.te
 +++ b/rgmanager.te
@@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false)
@ -44882,7 +44930,7 @@ index 07333db..53bff36 100644
 # need to write to /dev/misc/dlm-control
 dev_rw_dlm_control(rgmanager_t)
-@@ -76,31 +78,36 @@ dev_search_sysfs(rgmanager_t)
+@@ -76,31 +78,37 @@ dev_search_sysfs(rgmanager_t)
 domain_read_all_domains_state(rgmanager_t)
 domain_getattr_all_domains(rgmanager_t)
@ -44914,6 +44962,7 @@ index 07333db..53bff36 100644
 auth_use_nsswitch(rgmanager_t)
 +init_domtrans_script(rgmanager_t)
 +init_initrc_domain(rgmanager_t)
 +
 logging_send_syslog_msg(rgmanager_t)
@ -44924,7 +44973,7 @@ index 07333db..53bff36 100644
 tunable_policy(`rgmanager_can_network_connect',`
 	corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +125,14 @@ optional_policy(`
+@@ -118,6 +126,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -44939,7 +44988,7 @@ index 07333db..53bff36 100644
 	fstools_domtrans(rgmanager_t)
 ')
-@@ -140,6 +155,16 @@ optional_policy(`
+@@ -140,6 +156,16 @@ optional_policy(`
 ')
 optional_policy(`
@ -44956,7 +45005,7 @@ index 07333db..53bff36 100644
 	mysql_domtrans_mysql_safe(rgmanager_t)
 	mysql_stream_connect(rgmanager_t)
 ')
-@@ -165,6 +190,8 @@ optional_policy(`
+@@ -165,6 +191,8 @@ optional_policy(`
 optional_policy(`
 	rpc_initrc_domtrans_nfsd(rgmanager_t)
 	rpc_initrc_domtrans_rpcd(rgmanager_t)
@ -47948,19 +47997,20 @@ index a07b2f4..36b4903 100644
 +
 +userdom_getattr_user_terminals(rwho_t)
 diff --git a/samba.fc b/samba.fc
-index 69a6074..3d65472 100644
+index 69a6074..c9dbc93 100644
 --- a/samba.fc
 +++ b/samba.fc
-@@ -14,6 +14,8 @@
+@@ -14,6 +14,9 @@
 #
 # /usr
 #
 +/usr/lib/systemd/system/smb.* 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
 +/usr/lib/systemd/system/nmb.*   --      gen_context(system_u:object_r:samba_unit_file_t,s0)
 +
 /usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)
 /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
 /usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-@@ -36,6 +38,10 @@
+@@ -36,6 +39,10 @@
 /var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
@ -47971,7 +48021,7 @@ index 69a6074..3d65472 100644
 /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 /var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 /var/run/samba/gencache\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -48,6 +54,11 @@
+@@ -48,6 +55,11 @@
 /var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 /var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
@ -54328,7 +54378,7 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..a0d188c
+index 0000000..7eea9cd
 --- /dev/null
 +++ b/thumb.te
@@ -0,0 +1,105 @@
@ -54435,7 +54485,7 @@ index 0000000..a0d188c
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_dirs(thumb_t)
-+	#gnome_exec_gstreamer_home_files(thumb_t)
+	gnome_exec_gstreamer_home_files(thumb_t)
 +')
 diff --git a/thunderbird.te b/thunderbird.te
 index bf37d98..204ac7e 100644
@ -54764,7 +54814,7 @@ index 54b8605..a04f013 100644
 	admin_pattern($1, tuned_var_run_t)
 ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..da20967 100644
+index db9d2a5..c7b09c0 100644
 --- a/tuned.te
 +++ b/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@ -54780,7 +54830,7 @@ index db9d2a5..da20967 100644
 type tuned_log_t;
 logging_log_file(tuned_log_t)
-@@ -23,23 +29,38 @@ files_pid_file(tuned_var_run_t)
+@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
 # tuned local policy
 #
@ -54809,10 +54859,12 @@ index db9d2a5..da20967 100644
 kernel_read_system_state(tuned_t)
 kernel_read_network_state(tuned_t)
 -
 +kernel_read_kernel_sysctls(tuned_t)
 +kernel_rw_kernel_sysctl(tuned_t)
 +kernel_rw_hotplug_sysctls(tuned_t)
 +kernel_rw_vm_sysctls(tuned_t)
- 
+
 +dev_getattr_all_blk_files(tuned_t)
 +dev_getattr_all_chr_files(tuned_t)
 +dev_dontaudit_getattr_all(tuned_t)
@ -54822,7 +54874,7 @@ index db9d2a5..da20967 100644
 # to allow cpu tuning
 dev_rw_netcontrol(tuned_t)
-@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
 files_read_usr_files(tuned_t)
 files_dontaudit_search_home(tuned_t)
@ -54833,7 +54885,7 @@ index db9d2a5..da20967 100644
 logging_send_syslog_msg(tuned_t)
 miscfiles_read_localization(tuned_t)
-@@ -58,6 +83,14 @@ optional_policy(`
+@@ -58,6 +84,14 @@ optional_policy(`
 	fstools_domtrans(tuned_t)
 ')
@ -56560,7 +56612,7 @@ index 7c5d8d8..85b7d8b 100644
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
 ')
 diff --git a/virt.te b/virt.te
-index ad3068a..6713ab0 100644
+index ad3068a..5759ef5 100644
 --- a/virt.te
 +++ b/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
@ -57154,7 +57206,7 @@ index ad3068a..6713ab0 100644
 files_read_usr_files(virt_domain)
 files_read_var_files(virt_domain)
 files_search_all(virt_domain)
-@@ -449,25 +657,428 @@ files_search_all(virt_domain)
+@@ -449,25 +657,430 @@ files_search_all(virt_domain)
 fs_getattr_tmpfs(virt_domain)
 fs_rw_anon_inodefs_files(virt_domain)
 fs_rw_tmpfs_files(virt_domain)
@ -57257,6 +57309,8 @@ index ad3068a..6713ab0 100644
 +init_rw_script_stream_sockets(virsh_t)
 +init_use_fds(virsh_t)
 +
 +auth_read_passwd(virsh_t)
 +
 +miscfiles_read_localization(virsh_t)
 +
 +sysnet_dns_name_resolve(virsh_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -491,6 +491,22 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
 - PolicyKit path has changed
 - Allow httpd connect to dirsrv socket
 - Allow tuned to write generic kernel sysctls
 - Dontaudit logwatch to gettr on /dev/dm-2
 - Allow policykit-auth to manage kerberos files
 - Make condor_startd and rgmanager as initrc domain
 - Allow virsh to read /etc/passwd
 - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
 - xdm now needs to execute xsession_exec_t
 - Need labels for /var/lib/gdm
 - Fix files_filetrans_named_content() interface
 - Add new attribute - initrc_domain
 - Allow systemd_logind_t to signal, signull, sigkill all processes
 - Add filetrans rules for etc_runtime files
 * Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
 - Rename boolean names to remove allow_