Rebuild with latest code

2010-10-08 17:00:50 -04:00 · 2010-10-08 17:00:50 -04:00 · dd20c25744
parent 6f934680a8
commit dd20c25744
2 changed files with 174 additions and 72 deletions
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -858,6 +858,16 @@ index aa0dcc6..0faba2a 100644
 +	      dbus_read_config(prelink_t)
 +	')
 +')
 diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
 index 7077413..70edcd6 100644
 --- a/policy/modules/admin/readahead.fc
 +++ b/policy/modules/admin/readahead.fc
@@ -1,3 +1,5 @@
 /usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 /sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
 +/lib/systemd/systemd-readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 +
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
 index 2df2f1d..c1aaa79 100644
 --- a/policy/modules/admin/readahead.te
@ -1545,11 +1555,27 @@ index c368bdc..c927b85 100644
 +type sudo_db_t;
 +files_type(sudo_db_t)
 +
 diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc
 index 81077db..8208e86 100644
 --- a/policy/modules/admin/tmpreaper.fc
 +++ b/policy/modules/admin/tmpreaper.fc
@@ -1,2 +1,3 @@
 /usr/sbin/tmpreaper		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 /usr/sbin/tmpwatch		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 +/lib/systemd/systemd-tmpfiles	--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..50cd538 100644
+index 6a5004b..c59c3cd 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
-@@ -25,8 +25,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
+@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
 type tmpreaper_t;
 type tmpreaper_exec_t;
 +init_system_domain(tmpreaper_t, tmpreaper_exec_t)
 application_domain(tmpreaper_t, tmpreaper_exec_t)
 role system_r types tmpreaper_t;
@@ -25,8 +26,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
 files_read_etc_files(tmpreaper_t)
 files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
@ -1561,7 +1587,7 @@ index 6a5004b..50cd538 100644
 files_getattr_all_dirs(tmpreaper_t)
 files_getattr_all_files(tmpreaper_t)
-@@ -52,7 +55,9 @@ optional_policy(`
+@@ -52,7 +56,9 @@ optional_policy(`
 ')
 optional_policy(`
@ -1571,7 +1597,7 @@ index 6a5004b..50cd538 100644
 	apache_delete_cache_files(tmpreaper_t)
 	apache_setattr_cache_dirs(tmpreaper_t)
 ')
-@@ -66,6 +71,14 @@ optional_policy(`
+@@ -66,6 +72,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -7182,7 +7208,7 @@ index 82842a0..369c3b5 100644
 		dbus_system_bus_client($1_wm_t)
 		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..46af2a4 100644
+index 0eb1d97..303d994 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -9,8 +9,11 @@
@ -7216,7 +7242,7 @@ index 0eb1d97..46af2a4 100644
 /etc/profile.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -109,6 +117,8 @@ ifdef(`distro_debian',`
+@@ -109,11 +117,14 @@ ifdef(`distro_debian',`
 /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
 ')
@ -7225,7 +7251,13 @@ index 0eb1d97..46af2a4 100644
 #
 # /lib
 #
-@@ -126,6 +136,8 @@ ifdef(`distro_gentoo',`
+ 
 /lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
 +/lib/udev/devices/MAKEDEV	-l	gen_context(system_u:object_r:bin_t,s0)
 /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
 /lib64/udev/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -126,6 +137,8 @@ ifdef(`distro_gentoo',`
 /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
@ -7234,7 +7266,7 @@ index 0eb1d97..46af2a4 100644
 #
 # /sbin
-@@ -145,6 +157,12 @@ ifdef(`distro_gentoo',`
+@@ -145,6 +158,12 @@ ifdef(`distro_gentoo',`
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -7247,7 +7279,7 @@ index 0eb1d97..46af2a4 100644
 ifdef(`distro_gentoo',`
 /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
 /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -169,6 +187,7 @@ ifdef(`distro_gentoo',`
+@@ -169,6 +188,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -7255,7 +7287,7 @@ index 0eb1d97..46af2a4 100644
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -205,7 +224,8 @@ ifdef(`distro_gentoo',`
+@@ -205,7 +225,8 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@ -7265,7 +7297,7 @@ index 0eb1d97..46af2a4 100644
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
-@@ -218,8 +238,11 @@ ifdef(`distro_gentoo',`
+@@ -218,8 +239,11 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@ -7277,7 +7309,7 @@ index 0eb1d97..46af2a4 100644
 /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/denyhosts/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +251,8 @@ ifdef(`distro_gentoo',`
+@@ -228,6 +252,8 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -7286,7 +7318,7 @@ index 0eb1d97..46af2a4 100644
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +340,7 @@ ifdef(`distro_redhat', `
 /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@ -7294,7 +7326,7 @@ index 0eb1d97..46af2a4 100644
 ')
 ifdef(`distro_suse', `
-@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +367,27 @@ ifdef(`distro_suse', `
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -8987,25 +9019,31 @@ index 07352a5..12e9ecf 100644
 #Temporarily in policy until FC5 dissappears
 typealias etc_runtime_t alias firstboot_rw_t;
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index 59bae6a..16f0f9e 100644
+index 59bae6a..2e55e71 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -2,5 +2,10 @@
+@@ -2,5 +2,16 @@
 /dev/shm/.*		<<none>>
 /cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
 +/cgroup/.*		<<none>>
 +/lib/udev/devices/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/lib/udev/devices/hugepages/.*	<<none>>
 +
 +/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/lib/udev/devices/shm/.*	<<none>>
 +
 +/sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
 /sys/fs/cgroup(/.*)?	<<none>>
 +
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..51d47a0 100644
+index 437a42a..c0e1d3a 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
-@@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',`
+@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
 	')
 	search_dirs_pattern($1, cgroup_t, cgroup_t)
@ -9013,7 +9051,31 @@ index 437a42a..51d47a0 100644
 	dev_search_sysfs($1)
 ')
-@@ -665,6 +666,7 @@ interface(`fs_list_cgroup_dirs', `
+ ########################################
 ## <summary>
 +##	Relabelto cgroup directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fs_relabelto_cgroup_dirs',`
 +	gen_require(`
 +		type cgroup_t;
 +
 +	')
 +
 +	relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
 +')
 +
 +########################################
 +## <summary>
 ##	list cgroup directories.
 ## </summary>
 ## <param name="domain">
@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', `
 	')
 	list_dirs_pattern($1, cgroup_t, cgroup_t)
@ -9021,7 +9083,7 @@ index 437a42a..51d47a0 100644
 	dev_search_sysfs($1)
 ')
-@@ -684,6 +686,7 @@ interface(`fs_delete_cgroup_dirs', `
+@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', `
 	')
 	delete_dirs_pattern($1, cgroup_t, cgroup_t)
@ -9029,7 +9091,7 @@ index 437a42a..51d47a0 100644
 	dev_search_sysfs($1)
 ')
-@@ -704,6 +707,7 @@ interface(`fs_manage_cgroup_dirs',`
+@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',`
 	')
 	manage_dirs_pattern($1, cgroup_t, cgroup_t)
@ -9037,7 +9099,7 @@ index 437a42a..51d47a0 100644
 	dev_search_sysfs($1)
 ')
-@@ -724,6 +728,7 @@ interface(`fs_read_cgroup_files',`
+@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',`
 	')
 	read_files_pattern($1, cgroup_t, cgroup_t)
@ -9045,7 +9107,7 @@ index 437a42a..51d47a0 100644
 	dev_search_sysfs($1)
 ')
-@@ -743,6 +748,7 @@ interface(`fs_write_cgroup_files', `
+@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', `
 	')
 	write_files_pattern($1, cgroup_t, cgroup_t)
@ -9053,7 +9115,7 @@ index 437a42a..51d47a0 100644
 	dev_search_sysfs($1)
 ')
-@@ -763,6 +769,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',`
 	')
 	rw_files_pattern($1, cgroup_t, cgroup_t)
@ -9061,7 +9123,7 @@ index 437a42a..51d47a0 100644
 	dev_search_sysfs($1)
 ')
-@@ -803,6 +810,7 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',`
 	')
 	manage_files_pattern($1, cgroup_t, cgroup_t)
@ -9069,7 +9131,7 @@ index 437a42a..51d47a0 100644
 	dev_search_sysfs($1)
 ')
-@@ -1227,6 +1235,24 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1227,6 +1254,24 @@ interface(`fs_dontaudit_append_cifs_files',`
 ########################################
 ## <summary>
@ -9094,7 +9156,7 @@ index 437a42a..51d47a0 100644
 ##	Do not audit attempts to read or
 ##	write files on a CIFS or SMB filesystem.
 ## </summary>
-@@ -1241,7 +1267,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1241,7 +1286,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
 		type cifs_t;
 	')
@ -9103,7 +9165,7 @@ index 437a42a..51d47a0 100644
 ')
 ########################################
-@@ -1504,6 +1530,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1549,25 @@ interface(`fs_cifs_domtrans',`
 	domain_auto_transition_pattern($1, cifs_t, $2)
 ')
@ -9129,7 +9191,7 @@ index 437a42a..51d47a0 100644
 #######################################
 ## <summary>
 ##	Create, read, write, and delete dirs
-@@ -1931,7 +1976,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +1995,26 @@ interface(`fs_read_fusefs_symlinks',`
 ########################################
 ## <summary>
@ -9157,7 +9219,7 @@ index 437a42a..51d47a0 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1946,6 +2010,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2029,41 @@ interface(`fs_rw_hugetlbfs_files',`
 	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 ')
@ -9199,7 +9261,7 @@ index 437a42a..51d47a0 100644
 ########################################
 ## <summary>
-@@ -1999,6 +2098,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2117,7 @@ interface(`fs_list_inotifyfs',`
 	')
 	allow $1 inotifyfs_t:dir list_dir_perms;
@ -9207,7 +9269,7 @@ index 437a42a..51d47a0 100644
 ')
 ########################################
-@@ -2395,6 +2495,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2514,25 @@ interface(`fs_exec_nfs_files',`
 ########################################
 ## <summary>
@ -9233,7 +9295,7 @@ index 437a42a..51d47a0 100644
 ##	Append files
 ##	on a NFS filesystem.
 ## </summary>
-@@ -2435,6 +2554,24 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2573,24 @@ interface(`fs_dontaudit_append_nfs_files',`
 ########################################
 ## <summary>
@ -9258,7 +9320,7 @@ index 437a42a..51d47a0 100644
 ##	Do not audit attempts to read or
 ##	write files on a NFS filesystem.
 ## </summary>
-@@ -2449,7 +2586,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2605,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 		type nfs_t;
 	')
@ -9267,7 +9329,7 @@ index 437a42a..51d47a0 100644
 ')
 ########################################
-@@ -2637,6 +2774,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2793,24 @@ interface(`fs_dontaudit_read_removable_files',`
 ########################################
 ## <summary>
@ -9292,7 +9354,7 @@ index 437a42a..51d47a0 100644
 ##	Read removable storage symbolic links.
 ## </summary>
 ## <param name="domain">
-@@ -2845,7 +3000,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3019,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 #########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links
@ -9301,7 +9363,7 @@ index 437a42a..51d47a0 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3970,6 +4125,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3970,6 +4144,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ########################################
 ## <summary>
@ -9322,11 +9384,29 @@ index 437a42a..51d47a0 100644
 +')
 +
 +########################################
 +## <summary>
 +##	Relabelfrom directory  on tmpfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`fs_relabelfrom_tmpfs_dir',`
 +	gen_require(`
 +		type tmpfs_t;
 +	')
 +
 +	relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
 +')
 +
 +########################################
 +## <summary>
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4662,3 +4835,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4872,24 @@ interface(`fs_unconfined',`
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -9807,6 +9887,16 @@ index 3723150..bde6daa 100644
 	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
 	dev_add_entry_generic_dirs($1)
 ')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
 index 3994e57..ee146ae 100644
 --- a/policy/modules/kernel/terminal.fc
 +++ b/policy/modules/kernel/terminal.fc
@@ -40,3 +40,5 @@ ifdef(`distro_gentoo',`
 # used by init scripts to initally populate udev /dev
 /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
 ')
 +
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
 index 492bf76..87a6942 100644
 --- a/policy/modules/kernel/terminal.if
@ -38623,7 +38713,7 @@ index 8419a01..5865dba 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 698c11e..e90e509 100644
+index 698c11e..d92e0c3 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -38713,7 +38803,7 @@ index 698c11e..e90e509 100644
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
-@@ -127,9 +154,12 @@ domain_kill_all_domains(init_t)
+@@ -127,9 +154,13 @@ domain_kill_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
@ -38723,10 +38813,11 @@ index 698c11e..e90e509 100644
 files_read_etc_files(init_t)
 +files_read_all_pids(init_t)
 +files_read_system_conf_files(init_t)
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
-@@ -162,12 +192,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +193,15 @@ init_domtrans_script(init_t)
 libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
@ -38742,7 +38833,7 @@ index 698c11e..e90e509 100644
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
 ')
-@@ -178,7 +211,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +212,7 @@ ifdef(`distro_redhat',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
@ -38751,7 +38842,7 @@ index 698c11e..e90e509 100644
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +219,74 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +220,79 @@ tunable_policy(`init_upstart',`
 	sysadm_shell_domtrans(init_t)
 ')
@ -38769,6 +38860,8 @@ index 698c11e..e90e509 100644
 +
 +	kernel_list_unlabeled(init_t)
 +	kernel_read_network_state(init_t)
 +	kernel_rw_kernel_sysctl(init_t)
 +	kernel_read_all_sysctls(init_t)
 +	kernel_unmount_debugfs(init_t)
 +
 +	dev_write_kmsg(init_t)
@ -38782,14 +38875,17 @@ index 698c11e..e90e509 100644
 +
 +	files_mounton_all_mountpoints(init_t)
 +	files_manage_all_pids_dirs(init_t)
 +	files_manage_urandom_seed(init_t)
 +
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_hugetlbfs_dirs(init_t)
 +	fs_manage_tmpfs_dirs(init_t)
 +	fs_relabelfrom_tmpfs_dir(init_t)
 +	fs_mount_all_fs(init_t)
 +	fs_list_auto_mountpoints(init_t)
 +	fs_read_cgroup_files(init_t)
 +	fs_write_cgroup_files(init_t)
 +	fs_relabelto_cgroup_dirs(init_t)
 +	fs_search_cgroup_dirs(daemon)
 +
 +	selinux_compute_create_context(init_t)
@ -38826,7 +38922,7 @@ index 698c11e..e90e509 100644
 ')
 optional_policy(`
-@@ -199,10 +294,19 @@ optional_policy(`
+@@ -199,10 +300,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -38846,7 +38942,7 @@ index 698c11e..e90e509 100644
 	unconfined_domain(init_t)
 ')
-@@ -212,7 +316,7 @@ optional_policy(`
+@@ -212,7 +322,7 @@ optional_policy(`
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38855,7 +38951,7 @@ index 698c11e..e90e509 100644
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -241,6 +345,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +351,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38863,7 +38959,7 @@ index 698c11e..e90e509 100644
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +363,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +369,23 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -38887,7 +38983,7 @@ index 698c11e..e90e509 100644
 corecmd_exec_all_executables(initrc_t)
-@@ -291,6 +408,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +414,7 @@ dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
@ -38895,7 +38991,7 @@ index 698c11e..e90e509 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -298,13 +416,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +422,13 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -38911,7 +39007,7 @@ index 698c11e..e90e509 100644
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-@@ -323,8 +441,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +447,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -38923,7 +39019,7 @@ index 698c11e..e90e509 100644
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -340,8 +460,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +466,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -38937,7 +39033,7 @@ index 698c11e..e90e509 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -351,6 +475,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +481,8 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -38946,7 +39042,7 @@ index 698c11e..e90e509 100644
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
-@@ -363,6 +489,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +495,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -38954,7 +39050,7 @@ index 698c11e..e90e509 100644
 selinux_get_enforce_mode(initrc_t)
-@@ -380,6 +507,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +513,7 @@ auth_read_pam_pid(initrc_t)
 auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
 auth_use_nsswitch(initrc_t)
@ -38962,7 +39058,7 @@ index 698c11e..e90e509 100644
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
-@@ -394,13 +522,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +528,14 @@ logging_read_audit_config(initrc_t)
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -38978,7 +39074,7 @@ index 698c11e..e90e509 100644
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +602,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +608,7 @@ ifdef(`distro_redhat',`
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -38987,7 +39083,7 @@ index 698c11e..e90e509 100644
 	files_dontaudit_read_root_files(initrc_t)
 	# These seem to be from the initrd
-@@ -519,6 +648,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +654,19 @@ ifdef(`distro_redhat',`
 	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
@ -39007,7 +39103,7 @@ index 698c11e..e90e509 100644
 	')
 	optional_policy(`
-@@ -526,10 +668,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +674,17 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -39025,7 +39121,7 @@ index 698c11e..e90e509 100644
 	')
 	optional_policy(`
-@@ -544,6 +693,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +699,35 @@ ifdef(`distro_suse',`
 	')
 ')
@ -39061,7 +39157,7 @@ index 698c11e..e90e509 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +734,8 @@ optional_policy(`
+@@ -556,6 +740,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -39070,7 +39166,7 @@ index 698c11e..e90e509 100644
 ')
 optional_policy(`
-@@ -572,6 +752,7 @@ optional_policy(`
+@@ -572,6 +758,7 @@ optional_policy(`
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -39078,7 +39174,7 @@ index 698c11e..e90e509 100644
 ')
 optional_policy(`
-@@ -584,6 +765,11 @@ optional_policy(`
+@@ -584,6 +771,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -39090,7 +39186,7 @@ index 698c11e..e90e509 100644
 	dev_getattr_printer_dev(initrc_t)
 	cups_read_log(initrc_t)
-@@ -600,6 +786,9 @@ optional_policy(`
+@@ -600,6 +792,9 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -39100,7 +39196,7 @@ index 698c11e..e90e509 100644
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +890,13 @@ optional_policy(`
+@@ -701,7 +896,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -39114,7 +39210,7 @@ index 698c11e..e90e509 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-@@ -724,6 +919,10 @@ optional_policy(`
+@@ -724,6 +925,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39125,7 +39221,7 @@ index 698c11e..e90e509 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -745,6 +944,10 @@ optional_policy(`
+@@ -745,6 +950,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -39136,7 +39232,7 @@ index 698c11e..e90e509 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
-@@ -766,8 +969,6 @@ optional_policy(`
+@@ -766,8 +975,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
@ -39145,7 +39241,7 @@ index 698c11e..e90e509 100644
 ')
 optional_policy(`
-@@ -776,14 +977,21 @@ optional_policy(`
+@@ -776,14 +983,21 @@ optional_policy(`
 ')
 optional_policy(`
@ -39167,7 +39263,7 @@ index 698c11e..e90e509 100644
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1013,19 @@ optional_policy(`
+@@ -805,11 +1019,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -39188,7 +39284,7 @@ index 698c11e..e90e509 100644
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1035,25 @@ optional_policy(`
+@@ -819,6 +1041,25 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -39214,7 +39310,7 @@ index 698c11e..e90e509 100644
 ')
 optional_policy(`
-@@ -844,3 +1079,55 @@ optional_policy(`
+@@ -844,3 +1085,55 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -470,6 +470,12 @@ exit 0
 %endif
 %changelog
 * Fri Oct 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-2
 - Lots of fixes for systemd
 - systemd now executes readahead and tmpwatch type scripts
 - Needs to manage random seed
 * Thu Oct 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.6-1
 - Allow smbd to use sys_admin
 - Remove duplicate file context for tcfmgr