* Wed Jan 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-9

- boinc_cliean wants also execmem as boinc projecs have - Allow sa-update to search admin home for /root/.spamassassin - Allow sa-update to search admin home for /root/.spamassassin - Allow antivirus domain to read net sysctl - Dontaudit attempts from thumb_t to connect to ssd - Dontaudit attempts by readahead to read sock_files - Dontaudit attempts by readahead to read sock_files - Create tmpfs file while running as wine as user_tmpfs_t - Dontaudit attempts by readahead to read sock_files - libmpg ships badly created librarie
2013-01-30 12:41:36 +01:00 · 2013-01-30 12:41:36 +01:00 · f125066d3c
parent 45852f5fe5
commit f125066d3c
3 changed files with 296 additions and 188 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -210991,7 +210991,7 @@ index c2c6e05..d0e6d1c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..6e07122 100644
+index 64ff4d7..cb04ef9 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@ -211184,7 +211184,33 @@ index 64ff4d7..6e07122 100644
 ##	Get the attributes of all named sockets.
 ## </summary>
 ## <param name="domain">
-@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',`
+@@ -991,6 +1138,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+ 
+ ########################################
+ ## <summary>
+##	Do not audit attempts to read
+##	of all named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_all_sockets',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	dontaudit $1 file_type:sock_file read;
+')
+
+########################################
+## <summary>
+ ##	Do not audit attempts to get the attributes
+ ##	of non security named sockets.
+ ## </summary>
+@@ -1073,10 +1239,8 @@ interface(`files_relabel_all_files',`
 	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@ -211197,7 +211223,7 @@ index 64ff4d7..6e07122 100644
 
 	# satisfy the assertions:
 	seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1327,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1346,6 @@ interface(`files_list_all',`
 
 ########################################
 ## <summary>
@ -211222,7 +211248,7 @@ index 64ff4d7..6e07122 100644
 ##	Do not audit attempts to search the
 ##	contents of any directories on extended
 ##	attribute filesystems.
-@@ -1443,9 +1570,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1589,6 @@ interface(`files_relabel_non_auth_files',`
 	# device nodes with file types.
 	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
 	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@ -211232,7 +211258,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 #############################################
-@@ -1673,6 +1797,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +1816,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
 
 ########################################
 ## <summary>
@ -211257,7 +211283,7 @@ index 64ff4d7..6e07122 100644
 ##	Do not audit attempts to write to mount points.
 ## </summary>
 ## <param name="domain">
-@@ -1691,6 +1833,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +1852,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
 
 ########################################
 ## <summary>
@ -211282,7 +211308,7 @@ index 64ff4d7..6e07122 100644
 ##	List the contents of the root directory.
 ## </summary>
 ## <param name="domain">
-@@ -1874,25 +2034,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2053,25 @@ interface(`files_delete_root_dir_entry',`
 
 ########################################
 ## <summary>
@ -211314,7 +211340,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1905,7 +2065,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2084,7 @@ interface(`files_relabel_rootfs',`
 		type root_t;
 	')
 
@ -211323,7 +211349,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -1928,6 +2088,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2107,24 @@ interface(`files_unmount_rootfs',`
 
 ########################################
 ## <summary>
@ -211348,7 +211374,7 @@ index 64ff4d7..6e07122 100644
 ##	Get attributes of the /boot directory.
 ## </summary>
 ## <param name="domain">
-@@ -2627,6 +2805,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +2824,24 @@ interface(`files_rw_etc_dirs',`
 	allow $1 etc_t:dir rw_dir_perms;
 ')
 
@ -211373,7 +211399,7 @@ index 64ff4d7..6e07122 100644
 ##########################################
 ## <summary>
 ## 	Manage generic directories in /etc
-@@ -2698,6 +2894,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +2913,7 @@ interface(`files_read_etc_files',`
 	allow $1 etc_t:dir list_dir_perms;
 	read_files_pattern($1, etc_t, etc_t)
 	read_lnk_files_pattern($1, etc_t, etc_t)
@ -211381,7 +211407,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -2706,7 +2903,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +2922,7 @@ interface(`files_read_etc_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -211390,7 +211416,7 @@ index 64ff4d7..6e07122 100644
 ##	</summary>
 ## </param>
 #
-@@ -2762,6 +2959,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +2978,25 @@ interface(`files_manage_etc_files',`
 
 ########################################
 ## <summary>
@ -211416,7 +211442,7 @@ index 64ff4d7..6e07122 100644
 ##	Delete system configuration files in /etc.
 ## </summary>
 ## <param name="domain">
-@@ -2780,6 +2996,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3015,24 @@ interface(`files_delete_etc_files',`
 
 ########################################
 ## <summary>
@ -211441,7 +211467,7 @@ index 64ff4d7..6e07122 100644
 ##	Execute generic files in /etc.
 ## </summary>
 ## <param name="domain">
-@@ -2945,24 +3179,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,26 +3198,8 @@ interface(`files_delete_boot_flag',`
 
 ########################################
 ## <summary>
@ -211463,10 +211489,14 @@ index 64ff4d7..6e07122 100644
 -
 -########################################
 -## <summary>
- ##	Read files in /etc that are dynamically
- ##	created on boot, such as mtab.
+-##	Read files in /etc that are dynamically
+-##	created on boot, such as mtab.
+##	Read files in /etc that are dynamically
+##	created on boot, such as mtab.
 ## </summary>
-@@ -3003,9 +3219,7 @@ interface(`files_read_etc_runtime_files',`
+ ## <desc>
+ ##	<p>
+@@ -3003,9 +3238,7 @@ interface(`files_read_etc_runtime_files',`
 
 ########################################
 ## <summary>
@ -211477,7 +211507,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3013,18 +3227,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3246,17 @@ interface(`files_read_etc_runtime_files',`
 ##	</summary>
 ## </param>
 #
@ -211499,11 +211529,10 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3042,7 +3255,27 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3274,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
 
 ########################################
 ## <summary>
-##	Read and write files in /etc that are dynamically
 +##	Do not audit attempts to read files
 +##	in /etc that are dynamically
 +##	created on boot, such as mtab.
@ -211524,11 +211553,10 @@ index 64ff4d7..6e07122 100644
 +
 +########################################
 +## <summary>
-+##	Read and write files in /etc that are dynamically
+ ##	Read and write files in /etc that are dynamically
 ##	created on boot, such as mtab.
 ## </summary>
- ## <param name="domain">
-@@ -3059,6 +3292,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3311,7 @@ interface(`files_rw_etc_runtime_files',`
 
 	allow $1 etc_t:dir list_dir_perms;
 	rw_files_pattern($1, etc_t, etc_runtime_t)
@ -211536,7 +211564,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -3080,6 +3314,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3333,7 @@ interface(`files_manage_etc_runtime_files',`
 	')
 
 	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@ -211544,7 +211572,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -3132,6 +3367,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3386,25 @@ interface(`files_getattr_isid_type_dirs',`
 
 ########################################
 ## <summary>
@ -211570,7 +211598,7 @@ index 64ff4d7..6e07122 100644
 ##	Do not audit attempts to search directories on new filesystems
 ##	that have not yet been labeled.
 ## </summary>
-@@ -3208,6 +3462,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3481,25 @@ interface(`files_delete_isid_type_dirs',`
 
 ########################################
 ## <summary>
@ -211596,7 +211624,7 @@ index 64ff4d7..6e07122 100644
 ##	Create, read, write, and delete directories
 ##	on new filesystems that have not yet been labeled.
 ## </summary>
-@@ -3455,6 +3728,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3747,25 @@ interface(`files_rw_isid_type_blk_files',`
 
 ########################################
 ## <summary>
@ -211622,7 +211650,7 @@ index 64ff4d7..6e07122 100644
 ##	Create, read, write, and delete block device nodes
 ##	on new filesystems that have not yet been labeled.
 ## </summary>
-@@ -3796,20 +4088,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4107,38 @@ interface(`files_list_mnt',`
 
 ######################################
 ## <summary>
@ -211666,7 +211694,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -4199,6 +4509,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4528,133 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file read_sock_file_perms;
 ')
 
@ -211800,7 +211828,7 @@ index 64ff4d7..6e07122 100644
 ########################################
 ## <summary>
 ##	Allow the specified type to associate
-@@ -4221,6 +4658,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +4677,26 @@ interface(`files_associate_tmp',`
 
 ########################################
 ## <summary>
@ -211827,7 +211855,7 @@ index 64ff4d7..6e07122 100644
 ##	Get the	attributes of the tmp directory (/tmp).
 ## </summary>
 ## <param name="domain">
-@@ -4234,17 +4691,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +4710,37 @@ interface(`files_getattr_tmp_dirs',`
 		type tmp_t;
 	')
 
@ -211866,7 +211894,7 @@ index 64ff4d7..6e07122 100644
 ##	</summary>
 ## </param>
 #
-@@ -4271,6 +4748,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +4767,7 @@ interface(`files_search_tmp',`
 		type tmp_t;
 	')
 
@ -211874,7 +211902,7 @@ index 64ff4d7..6e07122 100644
 	allow $1 tmp_t:dir search_dir_perms;
 ')
 
-@@ -4307,6 +4785,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +4804,7 @@ interface(`files_list_tmp',`
 		type tmp_t;
 	')
 
@ -211882,7 +211910,7 @@ index 64ff4d7..6e07122 100644
 	allow $1 tmp_t:dir list_dir_perms;
 ')
 
-@@ -4316,7 +4795,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +4814,7 @@ interface(`files_list_tmp',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -211891,7 +211919,7 @@ index 64ff4d7..6e07122 100644
 ##	</summary>
 ## </param>
 #
-@@ -4328,6 +4807,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +4826,25 @@ interface(`files_dontaudit_list_tmp',`
 	dontaudit $1 tmp_t:dir list_dir_perms;
 ')
 
@ -211917,7 +211945,7 @@ index 64ff4d7..6e07122 100644
 ########################################
 ## <summary>
 ##	Remove entries from the tmp directory.
-@@ -4343,6 +4841,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +4860,7 @@ interface(`files_delete_tmp_dir_entry',`
 		type tmp_t;
 	')
 
@ -211925,7 +211953,7 @@ index 64ff4d7..6e07122 100644
 	allow $1 tmp_t:dir del_entry_dir_perms;
 ')
 
-@@ -4384,6 +4883,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +4902,32 @@ interface(`files_manage_generic_tmp_dirs',`
 
 ########################################
 ## <summary>
@ -211958,7 +211986,7 @@ index 64ff4d7..6e07122 100644
 ##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
-@@ -4438,7 +4963,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,7 +4982,7 @@ interface(`files_rw_generic_tmp_sockets',`
 
 ########################################
 ## <summary>
@ -211967,7 +211995,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4446,17 +4971,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4446,17 +4990,17 @@ interface(`files_rw_generic_tmp_sockets',`
 ##	</summary>
 ## </param>
 #
@ -211989,7 +212017,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4464,59 +4989,53 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4464,59 +5008,53 @@ interface(`files_setattr_all_tmp_dirs',`
 ##	</summary>
 ## </param>
 #
@ -212060,7 +212088,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -4524,54 +5043,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4524,18 +5062,96 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
 ##	</summary>
 ## </param>
 #
@ -212079,50 +212107,39 @@ index 64ff4d7..6e07122 100644
 -##	Relabel to and from all temporary
 -##	file types.
 +##	List all tmp directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-## <rolecap/>
- #
-interface(`files_relabel_all_tmp_files',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 +interface(`files_list_all_tmp',`
- 	gen_require(`
- 		attribute tmpfile;
-		type var_t;
- 	')
- 
-	allow $1 var_t:dir search_dir_perms;
-	relabel_files_pattern($1, tmpfile, tmpfile)
+	gen_require(`
+		attribute tmpfile;
+	')
+
 +	allow $1 tmpfile:dir list_dir_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Do not audit attempts to get the attributes
-##	of all tmp sock_file.
+')
+
+########################################
+## <summary>
 +##	Relabel to and from all temporary
 +##	directory types.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-##	Domain not to audit.
+## </summary>
+## <param name="domain">
+##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
+##	</summary>
+## </param>
 +## <rolecap/>
- #
-interface(`files_dontaudit_getattr_all_tmp_sockets',`
+#
 +interface(`files_relabel_all_tmp_dirs',`
- 	gen_require(`
- 		attribute tmpfile;
+	gen_require(`
+		attribute tmpfile;
 +		type var_t;
- 	')
- 
-	dontaudit $1 tmpfile:sock_file getattr;
-')
+	')
+
 +	allow $1 var_t:dir search_dir_perms;
 +	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +')
@ -212169,46 +212186,19 @@ index 64ff4d7..6e07122 100644
 +## <summary>
 +##	Relabel to and from all temporary
 +##	file types.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_relabel_all_tmp_files',`
-+	gen_require(`
-+		attribute tmpfile;
-+		type var_t;
-+	')
-+
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_files_pattern($1, tmpfile, tmpfile)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to get the attributes
-+##	of all tmp sock_file.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4561,7 +5177,7 @@ interface(`files_relabel_all_tmp_files',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	dontaudit $1 tmpfile:sock_file getattr;
-+')
- 
- ########################################
- ## <summary>
-@@ -4646,6 +5243,16 @@ interface(`files_purge_tmp',`
+ ##	</summary>
+ ## </param>
+ #
+@@ -4646,6 +5262,16 @@ interface(`files_purge_tmp',`
 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -212225,7 +212215,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -5223,6 +5830,24 @@ interface(`files_list_var',`
+@@ -5223,6 +5849,24 @@ interface(`files_list_var',`
 
 ########################################
 ## <summary>
@ -212250,7 +212240,7 @@ index 64ff4d7..6e07122 100644
 ##	Create, read, write, and delete directories
 ##	in the /var directory.
 ## </summary>
-@@ -5578,6 +6203,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6222,25 @@ interface(`files_read_var_lib_symlinks',`
 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
 ')
 
@ -212276,7 +212266,7 @@ index 64ff4d7..6e07122 100644
 # cjp: the next two interfaces really need to be fixed
 # in some way.  They really neeed their own types.
 
-@@ -5623,7 +6267,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6286,7 @@ interface(`files_manage_mounttab',`
 
 ########################################
 ## <summary>
@ -212285,7 +212275,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5631,12 +6275,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6294,13 @@ interface(`files_manage_mounttab',`
 ##	</summary>
 ## </param>
 #
@ -212301,7 +212291,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -5654,6 +6299,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6318,7 @@ interface(`files_search_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -212309,7 +212299,7 @@ index 64ff4d7..6e07122 100644
 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 	search_dirs_pattern($1, var_t, var_lock_t)
 ')
-@@ -5680,7 +6326,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6345,26 @@ interface(`files_dontaudit_search_locks',`
 
 ########################################
 ## <summary>
@ -212337,7 +212327,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -5688,13 +6353,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6372,12 @@ interface(`files_dontaudit_search_locks',`
 ##	</summary>
 ## </param>
 #
@ -212354,7 +212344,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -5713,7 +6377,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6396,7 @@ interface(`files_rw_lock_dirs',`
 		type var_t, var_lock_t;
 	')
 
@ -212363,7 +212353,7 @@ index 64ff4d7..6e07122 100644
 	rw_dirs_pattern($1, var_t, var_lock_t)
 ')
 
-@@ -5746,7 +6410,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6429,6 @@ interface(`files_create_lock_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -212371,7 +212361,7 @@ index 64ff4d7..6e07122 100644
 #
 interface(`files_relabel_all_lock_dirs',`
 	gen_require(`
-@@ -5774,8 +6437,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5774,8 +6456,7 @@ interface(`files_getattr_generic_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -212381,7 +212371,7 @@ index 64ff4d7..6e07122 100644
 	allow $1 var_lock_t:dir list_dir_perms;
 	getattr_files_pattern($1, var_lock_t, var_lock_t)
 ')
-@@ -5791,13 +6453,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6472,12 @@ interface(`files_getattr_generic_locks',`
 ## </param>
 #
 interface(`files_delete_generic_locks',`
@ -212399,7 +212389,7 @@ index 64ff4d7..6e07122 100644
 ')
 
 ########################################
-@@ -5816,9 +6477,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6496,7 @@ interface(`files_manage_generic_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -212410,7 +212400,7 @@ index 64ff4d7..6e07122 100644
 	manage_files_pattern($1, var_lock_t, var_lock_t)
 ')
 
-@@ -5860,8 +6519,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6538,7 @@ interface(`files_read_all_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -212420,7 +212410,7 @@ index 64ff4d7..6e07122 100644
 	allow $1 lockfile:dir list_dir_perms;
 	read_files_pattern($1, lockfile, lockfile)
 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6541,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6560,7 @@ interface(`files_manage_all_locks',`
 		type var_t, var_lock_t;
 	')
 
@ -212430,7 +212420,7 @@ index 64ff4d7..6e07122 100644
 	manage_dirs_pattern($1, lockfile, lockfile)
 	manage_files_pattern($1, lockfile, lockfile)
 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6578,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6597,7 @@ interface(`files_lock_filetrans',`
 		type var_t, var_lock_t;
 	')
 
@ -212440,7 +212430,7 @@ index 64ff4d7..6e07122 100644
 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
 ')
 
-@@ -5985,6 +6641,43 @@ interface(`files_search_pids',`
+@@ -5985,6 +6660,43 @@ interface(`files_search_pids',`
 	search_dirs_pattern($1, var_t, var_run_t)
 ')
 
@ -212484,7 +212474,7 @@ index 64ff4d7..6e07122 100644
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-@@ -6007,6 +6700,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +6719,25 @@ interface(`files_dontaudit_search_pids',`
 
 ########################################
 ## <summary>
@ -212510,7 +212500,7 @@ index 64ff4d7..6e07122 100644
 ##	List the contents of the runtime process
 ##	ID directories (/var/run).
 ## </summary>
-@@ -6122,7 +6834,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +6853,6 @@ interface(`files_pid_filetrans',`
 	')
 
 	allow $1 var_t:dir search_dir_perms;
@ -212518,7 +212508,7 @@ index 64ff4d7..6e07122 100644
 	filetrans_pattern($1, var_run_t, $2, $3, $4)
 ')
 
-@@ -6231,55 +6942,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +6961,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
@ -212581,7 +212571,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6287,42 +6986,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7005,35 @@ interface(`files_delete_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -212631,7 +212621,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6330,18 +7022,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7041,18 @@ interface(`files_manage_all_pids',`
 ##	</summary>
 ## </param>
 #
@ -212655,7 +212645,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6349,37 +7041,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7060,40 @@ interface(`files_mounton_all_poly_members',`
 ##	</summary>
 ## </param>
 #
@ -212707,7 +212697,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6387,18 +7082,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7101,17 @@ interface(`files_dontaudit_search_spool',`
 ##	</summary>
 ## </param>
 #
@ -212730,7 +212720,7 @@ index 64ff4d7..6e07122 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -6406,18 +7100,284 @@ interface(`files_list_spool',`
+@@ -6406,18 +7119,18 @@ interface(`files_list_spool',`
 ##	</summary>
 ## </param>
 #
@ -212751,13 +212741,14 @@ index 64ff4d7..6e07122 100644
 -##	Read generic spool files.
 +##	manage all pidfiles 
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6425,7 +7138,273 @@ interface(`files_manage_generic_spool_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_manage_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
@ -213017,10 +213008,18 @@ index 64ff4d7..6e07122 100644
 +########################################
 +## <summary>
 +##	Read generic spool files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6562,3 +7522,459 @@ interface(`files_unconfined',`
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_generic_spool',`
+ 	gen_require(`
+ 		type var_t, var_spool_t;
+ 	')
+@@ -6562,3 +7541,459 @@ interface(`files_unconfined',`
 
 	typeattribute $1 files_unconfined_type;
 ')
@ -220309,7 +220308,7 @@ index 76d9f66..c61ed66 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..2b21421 100644
+index fe0c682..da12170 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@ -220938,7 +220937,7 @@ index fe0c682..2b21421 100644
 +		type sshd_devpts_t;
 +	')
 +
-+	allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
+	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
 index 5fc0391..f0a738c 100644
@ -224328,10 +224327,10 @@ index 1b6619e..be02b96 100644
 +    allow $1 application_domain_type:socket_class_set getattr;
 +')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..fc63d59 100644
+index c6fdab7..cd80b96 100644
 --- a/policy/modules/system/application.te
 +++ b/policy/modules/system/application.te
-@@ -6,7 +6,27 @@ attribute application_domain_type;
+@@ -6,12 +6,33 @@ attribute application_domain_type;
 # Executables to be run by user
 attribute application_exec_type;
 
@ -224346,6 +224345,8 @@ index c6fdab7..fc63d59 100644
 +
 +files_dontaudit_search_non_security_dirs(application_domain_type)
 +
+auth_login_pgm_sigchld(application_domain_type)
+
 +optional_policy(`
 +	afs_rw_udp_sockets(application_domain_type)
 +')
@ -224359,6 +224360,11 @@ index c6fdab7..fc63d59 100644
 	cron_sigchld(application_domain_type)
 ')
 
+ optional_policy(`
+-	ssh_sigchld(application_domain_type)
+ 	ssh_rw_stream_sockets(application_domain_type)
+ ')
+ 
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
 index 28ad538..ebe81bf 100644
 --- a/policy/modules/system/authlogin.fc
@ -224451,7 +224457,7 @@ index 28ad538..ebe81bf 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..de75e59 100644
+index 3efd5b6..792df83 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -224969,7 +224975,7 @@ index 3efd5b6..de75e59 100644
 ')
 
 ########################################
-@@ -1805,3 +1975,200 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1975,219 @@ interface(`auth_unconfined',`
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -225170,6 +225176,25 @@ index 3efd5b6..de75e59 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
 +')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to login programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_login_pgm_sigchld',`
+	gen_require(`
+		attribute login_pgm;
+	')
+
+	allow $1 login_pgm:process sigchld;
+')
+
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
 index 104037e..d10bb17 100644
 --- a/policy/modules/system/authlogin.te
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2432,10 +2432,10 @@ index 0000000..3929b7e
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..fa4edf1
+index 0000000..bd752cd
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,243 @@
+@@ -0,0 +1,244 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@ -2531,6 +2531,7 @@ index 0000000..fa4edf1
 +
 +can_exec(antivirus_domain, antivirus_exec_t)
 +
+kernel_read_net_sysctls(antivirus_t)
 +kernel_read_kernel_sysctls(antivirus_domain)
 +kernel_read_sysctl(antivirus_domain)
 +kernel_read_system_state(antivirus_t)
@ -8600,7 +8601,7 @@ index 02fefaa..fbcef10 100644
 +	')
 ')
 diff --git a/boinc.te b/boinc.te
-index 7c92aa1..69f0a40 100644
+index 7c92aa1..1dc00c7 100644
 --- a/boinc.te
 +++ b/boinc.te
@@ -1,11 +1,13 @@
@ -8619,7 +8620,7 @@ index 7c92aa1..69f0a40 100644
 type boinc_exec_t;
 init_daemon_domain(boinc_t, boinc_exec_t)
 
-@@ -21,31 +23,64 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,31 +23,65 @@ files_tmpfs_file(boinc_tmpfs_t)
 type boinc_var_lib_t;
 files_type(boinc_var_lib_t)
 
@ -8650,6 +8651,7 @@ index 7c92aa1..69f0a40 100644
 +
 +allow boinc_domain self:fifo_file rw_fifo_file_perms;
 +allow boinc_domain self:sem create_sem_perms;
+allow boinc_domain self:process execmem;
 +
 +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
 +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
@ -8693,7 +8695,7 @@ index 7c92aa1..69f0a40 100644
 
 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
 manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +89,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +90,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
 manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
 fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
 
@ -8787,7 +8789,7 @@ index 7c92aa1..69f0a40 100644
 
 term_getattr_all_ptys(boinc_t)
 term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +136,61 @@ init_read_utmp(boinc_t)
+@@ -130,55 +137,61 @@ init_read_utmp(boinc_t)
 
 logging_send_syslog_msg(boinc_t)
 
@ -8816,7 +8818,7 @@ index 7c92aa1..69f0a40 100644
 +allow boinc_t boinc_project_t:process noatsecure;
 +
 +allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
-+allow boinc_project_t self:process { execmem execstack };
+allow boinc_project_t self:process { execstack };
 
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
@ -27273,7 +27275,7 @@ index 1a5ed62..9762e4a 100644
 optional_policy(`
 	unconfined_domain(inetd_child_t)
 diff --git a/inn.if b/inn.if
-index eb87f23..8e11e4b 100644
+index eb87f23..d3d32c3 100644
 --- a/inn.if
 +++ b/inn.if
@@ -124,6 +124,7 @@ interface(`inn_read_config',`
@ -27284,7 +27286,7 @@ index eb87f23..8e11e4b 100644
 	allow $1 innd_etc_t:dir list_dir_perms;
 	allow $1 innd_etc_t:file read_file_perms;
 	allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
-@@ -144,6 +145,7 @@ interface(`inn_read_news_lib',`
+@@ -144,12 +145,31 @@ interface(`inn_read_news_lib',`
 		type innd_var_lib_t;
 	')
 
@ -27292,7 +27294,31 @@ index eb87f23..8e11e4b 100644
 	allow $1 innd_var_lib_t:dir list_dir_perms;
 	allow $1 innd_var_lib_t:file read_file_perms;
 ')
-@@ -163,6 +165,7 @@ interface(`inn_read_news_spool',`
+ 
+ ########################################
+ ## <summary>
+##	Write innd inherited news library content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_write_inherited_news_lib',`
+	gen_require(`
+		type innd_var_lib_t;
+	')
+
+	allow $1 innd_var_lib_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
+ ##	Read innd news spool content.
+ ## </summary>
+ ## <param name="domain">
+@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',`
 		type news_spool_t;
 	')
 
@ -27300,7 +27326,7 @@ index eb87f23..8e11e4b 100644
 	allow $1 news_spool_t:dir list_dir_perms;
 	allow $1 news_spool_t:file read_file_perms;
 	allow $1 news_spool_t:lnk_file read_lnk_file_perms;
-@@ -226,8 +229,15 @@ interface(`inn_domtrans',`
+@@ -226,8 +247,15 @@ interface(`inn_domtrans',`
 interface(`inn_admin',`
 	gen_require(`
 		type innd_t, innd_etc_t, innd_log_t;
@ -61608,7 +61634,7 @@ index 661bb88..06f69c4 100644
 +')
 +
 diff --git a/readahead.te b/readahead.te
-index f1512d6..ba3b9b2 100644
+index f1512d6..93f1ee6 100644
 --- a/readahead.te
 +++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@ -61638,7 +61664,7 @@ index f1512d6..ba3b9b2 100644
 dev_getattr_generic_chr_files(readahead_t)
 dev_getattr_generic_blk_files(readahead_t)
 dev_getattr_all_chr_files(readahead_t)
-@@ -51,12 +56,21 @@ domain_use_interactive_fds(readahead_t)
+@@ -51,12 +56,22 @@ domain_use_interactive_fds(readahead_t)
 domain_read_all_domains_state(readahead_t)
 
 files_create_boot_flag(readahead_t)
@ -61651,6 +61677,7 @@ index f1512d6..ba3b9b2 100644
 files_dontaudit_getattr_non_security_blk_files(readahead_t)
 +files_dontaudit_all_access_check(readahead_t)
 +files_dontaudit_read_security_files(readahead_t)
+files_dontaudit_read_all_sockets(readahead_t)
 +
 +ifdef(`hide_broken_symptoms', `
 +      files_dontaudit_write_all_files(readahead_t)
@ -61660,7 +61687,7 @@ index f1512d6..ba3b9b2 100644
 
 fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
-@@ -66,13 +80,12 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,13 +81,12 @@ fs_read_cgroup_files(readahead_t)
 fs_read_tmpfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 fs_list_inotifyfs(readahead_t)
@ -61675,7 +61702,7 @@ index f1512d6..ba3b9b2 100644
 mls_file_read_all_levels(readahead_t)
 
 storage_raw_read_fixed_disk(readahead_t)
-@@ -84,13 +97,13 @@ auth_dontaudit_read_shadow(readahead_t)
+@@ -84,13 +98,13 @@ auth_dontaudit_read_shadow(readahead_t)
 init_use_fds(readahead_t)
 init_use_script_ptys(readahead_t)
 init_getattr_initctl(readahead_t)
@ -71923,7 +71950,7 @@ index 88e753f..ca74cd9 100644
 +	admin_pattern($1, mail_spool_t)
 ')
 diff --git a/sendmail.te b/sendmail.te
-index 5f35d78..7bffa0b 100644
+index 5f35d78..d4003d0 100644
 --- a/sendmail.te
 +++ b/sendmail.te
@@ -1,18 +1,10 @@
@ -72090,7 +72117,18 @@ index 5f35d78..7bffa0b 100644
 ')
 
 optional_policy(`
-@@ -166,6 +159,11 @@ optional_policy(`
+@@ -158,6 +151,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	inn_write_inherited_news_lib(sendmail_t)
+')
+
+optional_policy(`
+ 	milter_stream_connect_all(sendmail_t)
+ ')
+ 
+@@ -166,6 +163,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -72102,7 +72140,7 @@ index 5f35d78..7bffa0b 100644
 	postfix_domtrans_postdrop(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_domtrans_postqueue(sendmail_t)
-@@ -187,21 +185,13 @@ optional_policy(`
+@@ -187,21 +189,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -74691,7 +74729,7 @@ index 1499b0b..82fc7f6 100644
 -	spamassassin_role($2, $1)
 ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..258b449 100644
+index 4faa7e0..9e4d192 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
@@ -1,4 +1,4 @@
@ -75394,7 +75432,7 @@ index 4faa7e0..258b449 100644
 ')
 
 optional_policy(`
-@@ -474,32 +552,29 @@ optional_policy(`
+@@ -474,32 +552,30 @@ optional_policy(`
 
 ########################################
 #
@ -75418,6 +75456,7 @@ index 4faa7e0..258b449 100644
 manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 
 -kernel_read_system_state(spamd_update_t)
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
 +allow spamd_update_t spamd_tmp_t:file read_file_perms;
 
 -corenet_all_recvfrom_unlabeled(spamd_update_t)
@ -75434,7 +75473,7 @@ index 4faa7e0..258b449 100644
 
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +583,20 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +584,21 @@ dev_read_urand(spamd_update_t)
 
 domain_use_interactive_fds(spamd_update_t)
 
@ -75447,6 +75486,7 @@ index 4faa7e0..258b449 100644
 +mta_read_config(spamd_update_t)
 
 -userdom_use_user_terminals(spamd_update_t)
+userdom_search_admin_dir(spamd_update_t)
 +userdom_use_inherited_user_ptys(spamd_update_t)
 
 optional_policy(`
@ -75723,7 +75763,7 @@ index dbb005a..45291bb 100644
 -/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 +/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --git a/sssd.if b/sssd.if
-index a240455..54c45f6 100644
+index a240455..6c2da43 100644
 --- a/sssd.if
 +++ b/sssd.if
@@ -1,21 +1,21 @@
@ -75978,18 +76018,36 @@ index a240455..54c45f6 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -317,8 +352,8 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +352,26 @@ interface(`sssd_stream_connect',`
 
 ########################################
 ## <summary>
 -##	All of the rules required to
 -##	administrate an sssd environment.
+##	Dontaudit attempts to connect to sssd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_dontaudit_stream_connect',`
+	gen_require(`
+		type sssd_t;
+	')
+
+	dontaudit $1 sssd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
 +##	All of the rules required to administrate
 +##	an sssd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -327,7 +362,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +380,7 @@ interface(`sssd_stream_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
@ -75998,7 +76056,7 @@ index a240455..54c45f6 100644
 ##	</summary>
 ## </param>
 ## <rolecap/>
-@@ -335,27 +370,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +388,29 @@ interface(`sssd_stream_connect',`
 interface(`sssd_admin',`
 	gen_require(`
 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@ -78828,10 +78886,10 @@ index 0000000..72c42ad
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..4f8e329
+index 0000000..aaf768a
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,137 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@ -78949,6 +79007,7 @@ index 0000000..4f8e329
 +	gnome_dontaudit_search_config(thumb_t)
 +	gnome_append_generic_cache_files(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
+	gnome_dontaudit_rw_generic_cache_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_dirs(thumb_t)
 +	gnome_exec_gstreamer_home_files(thumb_t)
@ -78957,6 +79016,10 @@ index 0000000..4f8e329
 +')
 +
 +optional_policy(`
+	sssd_dontaudit_stream_connect(thumb_t)
+')
+
+optional_policy(`
 +	nscd_dontaudit_write_sock_file(thumb_t)
 +')
 +
@ -85603,10 +85666,18 @@ index fd2b6cc..4b83bb0 100644
 
 ########################################
 diff --git a/wine.te b/wine.te
-index b51923c..22e9047 100644
+index b51923c..bdbac3a 100644
 --- a/wine.te
 +++ b/wine.te
-@@ -48,7 +48,7 @@ domain_mmap_low(wine_t)
+@@ -39,6 +39,7 @@ allow wine_t self:fifo_file manage_fifo_file_perms;
+ can_exec(wine_t, wine_exec_t)
+ 
+ userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+userdom_tmpfs_filetrans(wine_t, file)
+ 
+ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+@@ -48,7 +49,7 @@ domain_mmap_low(wine_t)
 
 files_execmod_all_files(wine_t)
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -521,6 +521,18 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Jan 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-9
+- boinc_cliean wants also execmem as boinc projecs have
+- Allow sa-update to search admin home for /root/.spamassassin
+- Allow sa-update to search admin home for /root/.spamassassin
+- Allow antivirus domain to read net sysctl
+- Dontaudit attempts from thumb_t to connect to ssd
+- Dontaudit attempts by readahead to read sock_files
+- Dontaudit attempts by readahead to read sock_files
+- Create tmpfs file while running as wine as user_tmpfs_t
+- Dontaudit attempts by readahead to read sock_files
+- libmpg ships badly created librarie
+
 * Mon Jan 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-8
 - Change ssh_use_pts to use macro and only inherited sshd_devpts_t
 - Allow confined users to read systemd_logind seat information