- New labels for ghc http content

- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
- pm-suspend now creates log file for append access so we remove devicekit_write_log
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
- Fixes for greylist_milter policy
This commit is contained in:
Dan Walsh 2010-12-22 16:12:41 -05:00
parent c68e37c2c7
commit ef836a9861
2 changed files with 85 additions and 83 deletions


@ -5109,10 +5109,10 @@ index 0000000..4f9cb05
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
index 0000000..aedbcbe
index 0000000..ae1d09b
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
@@ -0,0 +1,315 @@
@@ -0,0 +1,316 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@ -5343,6 +5343,7 @@ index 0000000..aedbcbe
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
+
@ -7846,7 +7847,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 34c9d01..93e0ee8 100644
index 34c9d01..d858795 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@ -7887,7 +7888,11 @@ index 34c9d01..93e0ee8 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +324,7 @@ ifdef(`distro_redhat', `
@@ -316,9 +321,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
@ -8003,7 +8008,7 @@ index b06df19..c0763c2 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index edefaf3..e00278f 100644
index edefaf3..7548158 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type;
@ -8094,7 +8099,7 @@ index edefaf3..e00278f 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
@@ -125,30 +147,34 @@ network_port(iscsi, tcp,3260,s0)
@@ -125,30 +147,35 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@ -8116,6 +8121,7 @@ index edefaf3..e00278f 100644
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
+network_port(movaz_ssc, tcp,5252,s0)
+network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
-network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
@ -8133,7 +8139,7 @@ index edefaf3..e00278f 100644
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
@@ -156,12 +182,20 @@ network_port(pegasus_http, tcp,5988,s0)
@@ -156,12 +183,20 @@ network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@ -8154,7 +8160,7 @@ index edefaf3..e00278f 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
@@ -176,43 +210,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
@@ -176,43 +211,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@ -14200,7 +14206,7 @@ index c3a1903..b0e48c6 100644
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..3bfac20 100644
index 9e39aa5..7ba3b11 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@ -14220,17 +14226,19 @@ index 9e39aa5..3bfac20 100644
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -43,8 +42,7 @@ ifdef(`distro_suse', `
@@ -43,8 +42,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -74,7 +72,8 @@ ifdef(`distro_suse', `
@@ -74,7 +74,8 @@ ifdef(`distro_suse', `
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@ -14240,7 +14248,7 @@ index 9e39aa5..3bfac20 100644
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -86,7 +85,6 @@ ifdef(`distro_suse', `
@@ -86,7 +87,6 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@ -14248,7 +14256,7 @@ index 9e39aa5..3bfac20 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -109,3 +107,22 @@ ifdef(`distro_debian', `
@@ -109,3 +109,22 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@ -20208,7 +20216,7 @@ index 418a5a0..28d9e41 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index f706b99..20efe4a 100644
index f706b99..22b862e 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@ -20223,29 +20231,10 @@ index f706b99..20efe4a 100644
## </param>
#
interface(`devicekit_domtrans',`
@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',`
@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg;
')
+######################################
+## <summary>
+## Allow to write the devicekit
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`devicekit_write_log',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ allow $1 devicekit_var_log_t:file { write };
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to write the devicekit
@ -20287,7 +20276,7 @@ index f706b99..20efe4a 100644
########################################
## <summary>
## Read devicekit PID files.
@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',`
@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
@ -20347,7 +20336,7 @@ index f706b99..20efe4a 100644
## </summary>
## </param>
## <rolecap/>
@@ -165,21 +252,22 @@ interface(`devicekit_admin',`
@@ -165,21 +233,21 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@ -20375,7 +20364,6 @@ index f706b99..20efe4a 100644
- files_search_pids($1)
+ files_list_pids($1)
')
+
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..4ecd4b7 100644
--- a/policy/modules/services/devicekit.te
@ -24961,7 +24949,7 @@ index ed1af3c..40b5f0e 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 47e3612..98801a7 100644
index 47e3612..ece07ab 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.3.0)
@ -25009,7 +24997,27 @@ index 47e3612..98801a7 100644
#
# It removes any existing socket (not owned by root) whilst running as root,
@@ -52,8 +76,8 @@ mta_read_config(greylist_milter_t)
@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
+
# It creates a pid file /var/run/milter-greylist.pid
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
kernel_read_kernel_sysctls(greylist_milter_t)
+corecmd_exec_bin(greylist_milter_t)
+corecmd_exec_shell(greylist_milter_t)
+
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+
# Allow the milter to read a GeoIP database in /usr/share
files_read_usr_files(greylist_milter_t)
# The milter runs from /var/lib/milter-greylist and maintains files there
@@ -52,8 +84,8 @@ mta_read_config(greylist_milter_t)
########################################
#
# milter-regex local policy
@ -25020,7 +25028,7 @@ index 47e3612..98801a7 100644
#
# It removes any existing socket (not owned by root) whilst running as root
@@ -72,8 +96,8 @@ mta_read_config(regex_milter_t)
@@ -72,8 +104,8 @@ mta_read_config(regex_milter_t)
########################################
#
# spamass-milter local policy
@ -41253,7 +41261,7 @@ index 1c4b1e7..ffa4134 100644
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index bea0ade..cbd62c5 100644
index bea0ade..a0feb45 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@ -41580,7 +41588,7 @@ index bea0ade..cbd62c5 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
@@ -1500,28 +1692,38 @@ interface(`auth_manage_login_records',`
@@ -1500,28 +1692,36 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@ -41594,7 +41602,7 @@ index bea0ade..cbd62c5 100644
sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
+
+ tunable_policy(`authlogin_use_sssd',`', `
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ files_list_var_lib($1)
+
+ miscfiles_read_generic_certs($1)
@ -41604,61 +41612,45 @@ index bea0ade..cbd62c5 100644
optional_policy(`
- avahi_stream_connect($1)
+ tunable_policy(`authlogin_use_sssd',`', `
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ dirsrv_stream_connect($1)
+ ')
')
optional_policy(`
- ldap_stream_connect($1)
+ tunable_policy(`authlogin_use_sssd',`', `
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect($1)
+ ')
')
optional_policy(`
- likewise_stream_connect_lsassd($1)
+ tunable_policy(`authlogin_use_sssd',`', `
+ likewise_stream_connect_lsassd($1)
+ ')
likewise_stream_connect_lsassd($1)
')
+ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
optional_policy(`
kerberos_use($1)
')
@@ -1531,13 +1733,25 @@ interface(`auth_use_nsswitch',`
@@ -1531,7 +1731,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
')
optional_policy(`
- samba_stream_connect_winbind($1)
- samba_read_var_files($1)
- samba_dontaudit_write_var_files($1)
+ tunable_policy(`authlogin_use_sssd',`', `
+ nslcd_stream_connect($1)
+ ')
+ ')
+
+ optional_policy(`
+ nslcd_stream_connect($1)
+ ')
+
+ optional_policy(`
+ sssd_stream_connect($1)
+ ')
+
+ optional_policy(`
+ tunable_policy(`authlogin_use_sssd',`', `
+ samba_stream_connect_winbind($1)
+ samba_read_var_files($1)
+ samba_dontaudit_write_var_files($1)
+ ')
')
')
optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 54d122b..c2a3970 100644
index 54d122b..069790d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
@ -41677,7 +41669,7 @@ index 54d122b..c2a3970 100644
+## Allow users to login using a sssd server
+## </p>
+## </desc>
+gen_tunable(authlogin_use_sssd, false)
+gen_tunable(authlogin_nsswitch_use_ldap, false)
+
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@ -42553,7 +42545,7 @@ index ed152c4..be3bb8f 100644
+ allow $1 init_t:unix_dgram_socket sendto;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0580e7c..28fd86c 100644
index 0580e7c..1618f9d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -43241,7 +43233,7 @@ index 0580e7c..28fd86c 100644
+userdom_inherit_append_user_tmp_files(daemon)
+userdom_dontaudit_rw_stream(daemon)
+
+logging_append_all_logs(daemon)
+logging_inherit_append_all_logs(daemon)
+
+optional_policy(`
+ # sudo service restart causes this
@ -44345,7 +44337,7 @@ index 571599b..17dd196 100644
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index c7cfb62..620e0a4 100644
index c7cfb62..ee9809d 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
@ -44416,7 +44408,7 @@ index c7cfb62..620e0a4 100644
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file { getattr append };
+ allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
@ -44660,7 +44652,7 @@ index 58bc27f..b4f0663 100644
+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 86ef2da..a251276 100644
index 86ef2da..0676045 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -44705,8 +44697,12 @@ index 86ef2da..a251276 100644
ccs_stream_connect(clvmd_t)
')
@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
@@ -167,9 +179,10 @@ optional_policy(`
# net_admin for multipath
allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
dontaudit lvm_t self:capability sys_tty_config;
-allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+allow lvm_t self:process { setfscreate sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
+allow lvm_t self:sem create_sem_perms;
@ -46782,7 +46778,7 @@ index 8e71fb7..f1b155a 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..d8c6f24 100644
index dfbe736..d1f6368 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
@ -46944,12 +46940,11 @@ index dfbe736..d8c6f24 100644
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
@@ -325,8 +372,15 @@ ifdef(`hide_broken_symptoms',`
@@ -325,8 +372,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
+ devicekit_write_log(ifconfig_t)
+')
+
+optional_policy(`
@ -46960,7 +46955,7 @@ index dfbe736..d8c6f24 100644
')
optional_policy(`
@@ -334,6 +388,14 @@ optional_policy(`
@@ -334,6 +387,14 @@ optional_policy(`
')
optional_policy(`
@ -46975,7 +46970,7 @@ index dfbe736..d8c6f24 100644
nis_use_ypbind(ifconfig_t)
')
@@ -355,3 +417,9 @@ optional_policy(`
@@ -355,3 +416,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
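Review bot: The boolean description in the authlogin.te hunk still reads `## Allow users to login using a sssd server` while the tunable beneath it is renamed from `gen_tunable(authlogin_use_sssd, false)` to `gen_tunable(authlogin_nsswitch_use_ldap, false)`, so tools that list booleans will show the new name with the old, now wrong, meaning. The authlogin.if hunks show the renamed tunable gating `ldap_stream_connect`, `dirsrv_stream_connect`, `files_list_var_lib` and `miscfiles_read_generic_certs` for nsswitch users, so the description should be rewritten along the lines of `## Allow domains that use nsswitch to connect to LDAP and dirsrv servers`. Note also that the rename inverts the gating: the old `tunable_policy(`authlogin_use_sssd',`', ...)` form placed these rules in the else branch, so they were active at the default of false, whereas the new form puts them in the true branch with a default of false, which appears to disable LDAP lookups by default; if that is intended the changelog entry should say so. In the milter.te hunk, `corecmd_exec_bin`, `corecmd_exec_shell` and the movaz_ssc port bind/connect rules are added for greylist_milter_t without the explanatory comments the surrounding rules carry, and a one-line why-comment stating what the milter executes would help later audits of this widened, network-facing domain.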


@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.12
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -471,6 +471,13 @@ exit 0
%endif
%changelog
* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-2
- New labels for ghc http content
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
- pm-suspend now creates log file for append access so we remove devicekit_wri
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
- Fixes for greylist_milter policy
* Tue Dec 21 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-1
- Update to upstream
- Fixes for systemd policy