- Fix transition to nsplugin '

Thu Sep 18 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-3 - Fix labeling on new pm*log - Allow ssh to bind to all nodes
2008-09-22 12:33:03 +00:00 · 2008-09-22 12:33:03 +00:00 · f77dd2c9db
parent 11ef2470b7
commit f77dd2c9db
2 changed files with 210 additions and 145 deletions
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -4268,8 +4268,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.gstreamer-.*			gen_context(system_u:object_r:nsplugin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.8/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if	2008-09-17 19:08:43.000000000 -0400
-@@ -0,0 +1,495 @@
+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if	2008-09-21 07:27:44.000000000 -0400
+@@ -0,0 +1,493 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -4348,8 +4348,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +template(`nsplugin_per_role_template_notrans',`
 +	gen_require(`
 +		type nsplugin_rw_t;
-+		type nsplugin_t;
-+		type nsplugin_config_t;
 +		type nsplugin_home_t;
 +		type nsplugin_exec_t;
 +		type nsplugin_config_exec_t;
@ -4419,80 +4417,80 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1_nsplugin_config_t self:process { execstack execmem };
 +')
 +	
-+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
-+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
+manage_dirs_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(user, $1_nsplugin_t, nsplugin_home_t, {file dir})
+unprivuser_dontaudit_write_home_content_files($1_nsplugin_t)
 +
-+corecmd_exec_bin(nsplugin_t)
-+corecmd_exec_shell(nsplugin_t)
+corecmd_exec_bin($1_nsplugin_t)
+corecmd_exec_shell($1_nsplugin_t)
 +
-+corenet_all_recvfrom_unlabeled(nsplugin_t)
-+corenet_all_recvfrom_netlabel(nsplugin_t)
-+corenet_tcp_connect_flash_port(nsplugin_t)
-+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
-+corenet_tcp_connect_http_port(nsplugin_t)
-+corenet_tcp_sendrecv_generic_if(nsplugin_t)
-+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
+corenet_all_recvfrom_unlabeled($1_nsplugin_t)
+corenet_all_recvfrom_netlabel($1_nsplugin_t)
+corenet_tcp_connect_flash_port($1_nsplugin_t)
+corenet_tcp_connect_pulseaudio_port($1_nsplugin_t)
+corenet_tcp_connect_http_port($1_nsplugin_t)
+corenet_tcp_sendrecv_generic_if($1_nsplugin_t)
+corenet_tcp_sendrecv_all_nodes($1_nsplugin_t)
 +
-+domain_dontaudit_read_all_domains_state(nsplugin_t)
+domain_dontaudit_read_all_domains_state($1_nsplugin_t)
 +
-+dev_read_rand(nsplugin_t)
-+dev_read_sound(nsplugin_t)
-+dev_write_sound(nsplugin_t)
-+dev_read_video_dev(nsplugin_t)
-+dev_write_video_dev(nsplugin_t)
-+dev_getattr_dri_dev(nsplugin_t)
-+dev_rwx_zero(nsplugin_t)
+dev_read_rand($1_nsplugin_t)
+dev_read_sound($1_nsplugin_t)
+dev_write_sound($1_nsplugin_t)
+dev_read_video_dev($1_nsplugin_t)
+dev_write_video_dev($1_nsplugin_t)
+dev_getattr_dri_dev($1_nsplugin_t)
+dev_rwx_zero($1_nsplugin_t)
 +
-+kernel_read_kernel_sysctls(nsplugin_t)
-+kernel_read_system_state(nsplugin_t)
+kernel_read_kernel_sysctls($1_nsplugin_t)
+kernel_read_system_state($1_nsplugin_t)
 +
-+files_read_usr_files(nsplugin_t)
-+files_read_etc_files(nsplugin_t)
-+files_read_config_files(nsplugin_t)
+files_read_usr_files($1_nsplugin_t)
+files_read_etc_files($1_nsplugin_t)
+files_read_config_files($1_nsplugin_t)
 +
-+fs_list_inotifyfs(nsplugin_t)
-+fs_manage_tmpfs_files(nsplugin_t)
-+fs_getattr_tmpfs(nsplugin_t)
-+fs_getattr_xattr_fs(nsplugin_t)
+fs_list_inotifyfs($1_nsplugin_t)
+fs_manage_tmpfs_files($1_nsplugin_t)
+fs_getattr_tmpfs($1_nsplugin_t)
+fs_getattr_xattr_fs($1_nsplugin_t)
 +
-+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
-+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
+term_dontaudit_getattr_all_user_ptys($1_nsplugin_t)
+term_dontaudit_getattr_all_user_ttys($1_nsplugin_t)
 +
-+auth_use_nsswitch(nsplugin_t)
+auth_use_nsswitch($1_nsplugin_t)
 +
-+libs_use_ld_so(nsplugin_t)
-+libs_use_shared_libs(nsplugin_t)
-+libs_exec_ld_so(nsplugin_t)
+libs_use_ld_so($1_nsplugin_t)
+libs_use_shared_libs($1_nsplugin_t)
+libs_exec_ld_so($1_nsplugin_t)
 +
-+miscfiles_read_localization(nsplugin_t)
-+miscfiles_read_fonts(nsplugin_t)
+miscfiles_read_localization($1_nsplugin_t)
+miscfiles_read_fonts($1_nsplugin_t)
 +
-+unprivuser_manage_tmp_dirs(nsplugin_t)
-+unprivuser_manage_tmp_files(nsplugin_t)
-+unprivuser_manage_tmp_sockets(nsplugin_t)
+unprivuser_manage_tmp_dirs($1_nsplugin_t)
+unprivuser_manage_tmp_files($1_nsplugin_t)
+unprivuser_manage_tmp_sockets($1_nsplugin_t)
 +userdom_tmp_filetrans_user_tmp(user, $1_nsplugin_t, { file dir sock_file })
-+unprivuser_read_tmpfs_files(nsplugin_t)
-+unprivuser_rw_semaphores(nsplugin_t)
-+unprivuser_delete_tmpfs_files(nsplugin_t)
+unprivuser_read_tmpfs_files($1_nsplugin_t)
+unprivuser_rw_semaphores($1_nsplugin_t)
+unprivuser_delete_tmpfs_files($1_nsplugin_t)
 +
-+unprivuser_read_home_content_symlinks(nsplugin_t)
-+unprivuser_read_home_content_files(nsplugin_t)
-+unprivuser_read_tmp_files(nsplugin_t)
+unprivuser_read_home_content_symlinks($1_nsplugin_t)
+unprivuser_read_home_content_files($1_nsplugin_t)
+unprivuser_read_tmp_files($1_nsplugin_t)
 +userdom_write_user_tmp_sockets(user, $1_nsplugin_t)
-+unprivuser_dontaudit_append_home_content_files(nsplugin_t)
-+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t)
+unprivuser_dontaudit_append_home_content_files($1_nsplugin_t)
+userdom_dontaudit_unlink_unpriv_home_content_files($1_nsplugin_t)
 +userdom_dontaudit_manage_user_tmp_files(user, $1_nsplugin_t)
 +
 +optional_policy(`
-+	alsa_read_rw_config(nsplugin_t)
+	alsa_read_rw_config($1_nsplugin_t)
 +')
 +
 +optional_policy(`
-+	gnome_exec_gconf(nsplugin_t)
+	gnome_exec_gconf($1_nsplugin_t)
 +	gnome_manage_user_gnome_config(user, $1_nsplugin_t)
 +	allow $1_nsplugin_t gnome_home_t:sock_file write;
 +')
@ -4503,25 +4501,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
-+	mplayer_exec(nsplugin_t)
+	mplayer_exec($1_nsplugin_t)
 +	mplayer_read_user_home_files(user, $1_nsplugin_t)
 +')
 +
 +optional_policy(`
-+	unconfined_execmem_signull(nsplugin_t)
-+	unconfined_delete_tmpfs_files(nsplugin_t)
+	unconfined_execmem_signull($1_nsplugin_t)
+	unconfined_delete_tmpfs_files($1_nsplugin_t)
 +')
 +
 +optional_policy(`
-+	xserver_stream_connect_xdm_xserver(nsplugin_t)
-+	xserver_xdm_rw_shm(nsplugin_t)
-+	xserver_read_xdm_tmp_files(nsplugin_t)
-+	xserver_read_xdm_pid(nsplugin_t)
+	xserver_stream_connect_xdm_xserver($1_nsplugin_t)
+	xserver_xdm_rw_shm($1_nsplugin_t)
+	xserver_read_xdm_tmp_files($1_nsplugin_t)
+	xserver_read_xdm_pid($1_nsplugin_t)
 +	xserver_read_user_xauth(user, $1_nsplugin_t)
 +	xserver_read_user_iceauth(user, $1_nsplugin_t)
 +	xserver_use_user_fonts(user, $1_nsplugin_t)
-+	xserver_manage_home_fonts(nsplugin_t)
-+	xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
+	xserver_manage_home_fonts($1_nsplugin_t)
+	xserver_dontaudit_rw_xdm_home_files($1_nsplugin_t)
 +')
 +
 +########################################
@ -4537,55 +4535,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +allow $1_nsplugin_config_t self:fifo_file rw_file_perms;
 +allow $1_nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
-+fs_list_inotifyfs(nsplugin_config_t)
+fs_list_inotifyfs($1_nsplugin_config_t)
 +
-+can_exec(nsplugin_config_t, nsplugin_rw_t)
-+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+can_exec($1_nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
 +
-+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_dirs_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
 +
-+corecmd_exec_bin(nsplugin_config_t)
-+corecmd_exec_shell(nsplugin_config_t)
+corecmd_exec_bin($1_nsplugin_config_t)
+corecmd_exec_shell($1_nsplugin_config_t)
 +
-+kernel_read_system_state(nsplugin_config_t)
+kernel_read_system_state($1_nsplugin_config_t)
 +
-+files_read_etc_files(nsplugin_config_t)
-+files_read_usr_files(nsplugin_config_t)
-+files_dontaudit_search_home(nsplugin_config_t)
-+files_list_tmp(nsplugin_config_t)
+files_read_etc_files($1_nsplugin_config_t)
+files_read_usr_files($1_nsplugin_config_t)
+files_dontaudit_search_home($1_nsplugin_config_t)
+files_list_tmp($1_nsplugin_config_t)
 +
-+auth_use_nsswitch(nsplugin_config_t)
+auth_use_nsswitch($1_nsplugin_config_t)
 +
-+libs_use_ld_so(nsplugin_config_t)
-+libs_use_shared_libs(nsplugin_config_t)
+libs_use_ld_so($1_nsplugin_config_t)
+libs_use_shared_libs($1_nsplugin_config_t)
 +
-+miscfiles_read_localization(nsplugin_config_t)
-+miscfiles_read_fonts(nsplugin_config_t)
+miscfiles_read_localization($1_nsplugin_config_t)
+miscfiles_read_fonts($1_nsplugin_config_t)
 +
-+userdom_search_all_users_home_content(nsplugin_config_t)
+userdom_search_all_users_home_content($1_nsplugin_config_t)
 +
 +tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_dirs(nsplugin_t)
-+	fs_manage_nfs_files(nsplugin_t)
-+	fs_manage_nfs_dirs(nsplugin_config_t)
-+	fs_manage_nfs_files(nsplugin_config_t)
+	fs_manage_nfs_dirs($1_nsplugin_t)
+	fs_manage_nfs_files($1_nsplugin_t)
+	fs_manage_nfs_dirs($1_nsplugin_config_t)
+	fs_manage_nfs_files($1_nsplugin_config_t)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_dirs(nsplugin_t)
-+	fs_manage_cifs_files(nsplugin_t)
-+	fs_manage_cifs_dirs(nsplugin_config_t)
-+	fs_manage_cifs_files(nsplugin_config_t)
+	fs_manage_cifs_dirs($1_nsplugin_t)
+	fs_manage_cifs_files($1_nsplugin_t)
+	fs_manage_cifs_dirs($1_nsplugin_config_t)
+	fs_manage_cifs_files($1_nsplugin_config_t)
 +')
 +
-+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)
+domtrans_pattern($1_nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)
 +
 +optional_policy(`
-+	xserver_read_home_fonts(nsplugin_config_t)
+	xserver_read_home_fonts($1_nsplugin_config_t)
 +')
 +
 +optional_policy(`
@ -10745,7 +10743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/apache.te	2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/apache.te	2008-09-19 10:06:15.000000000 -0400
@@ -20,6 +20,8 @@
 # Declarations
 #
@ -10896,7 +10894,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -312,12 +361,11 @@
+@@ -299,6 +348,7 @@
+ corenet_tcp_sendrecv_all_ports(httpd_t)
+ corenet_udp_sendrecv_all_ports(httpd_t)
+ corenet_tcp_bind_all_nodes(httpd_t)
+corenet_udp_bind_all_nodes(httpd_t)
+ corenet_tcp_bind_http_port(httpd_t)
+ corenet_tcp_bind_http_cache_port(httpd_t)
+ corenet_sendrecv_http_server_packets(httpd_t)
+@@ -312,12 +362,11 @@
 
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@ -10911,7 +10917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 domain_use_interactive_fds(httpd_t)
 
-@@ -335,6 +383,10 @@
+@@ -335,6 +384,10 @@
 files_read_var_lib_symlinks(httpd_t)
 
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -10922,7 +10928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
-@@ -351,18 +403,33 @@
+@@ -351,18 +404,33 @@
 
 userdom_use_unpriv_users_fds(httpd_t)
 
@ -10960,7 +10966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ')
 
-@@ -370,20 +437,45 @@
+@@ -370,20 +438,45 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
@ -11007,7 +11013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -394,11 +486,12 @@
+@@ -394,11 +487,12 @@
 	corenet_tcp_bind_ftp_port(httpd_t)
 ')
 
@ -11023,7 +11029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	fs_read_nfs_files(httpd_t)
 	fs_read_nfs_symlinks(httpd_t)
 ')
-@@ -408,6 +501,11 @@
+@@ -408,6 +502,11 @@
 	fs_read_cifs_symlinks(httpd_t)
 ')
 
@ -11035,7 +11041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +539,13 @@
+@@ -441,8 +540,13 @@
 ')
 
 optional_policy(`
@ -11051,7 +11057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -454,18 +557,13 @@
+@@ -454,18 +558,13 @@
 ')
 
 optional_policy(`
@ -11071,7 +11077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -475,6 +573,12 @@
+@@ -475,6 +574,12 @@
 	openca_kill(httpd_t)
 ')
 
@ -11084,7 +11090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
-@@ -482,6 +586,7 @@
+@@ -482,6 +587,7 @@
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
@ -11092,7 +11098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -490,6 +595,7 @@
+@@ -490,6 +596,7 @@
 ')
 
 optional_policy(`
@ -11100,7 +11106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -519,9 +625,28 @@
+@@ -519,9 +626,28 @@
 logging_send_syslog_msg(httpd_helper_t)
 
 tunable_policy(`httpd_tty_comm',`
@ -11129,7 +11135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache PHP script local policy
-@@ -551,22 +676,27 @@
+@@ -551,22 +677,27 @@
 
 fs_search_auto_mountpoints(httpd_php_t)
 
@ -11163,7 +11169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -590,6 +720,8 @@
+@@ -590,6 +721,8 @@
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
@ -11172,7 +11178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -598,9 +730,7 @@
+@@ -598,9 +731,7 @@
 
 fs_search_auto_mountpoints(httpd_suexec_t)
 
@ -11183,7 +11189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -633,12 +763,25 @@
+@@ -633,12 +764,25 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 
@ -11212,7 +11218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -647,6 +790,12 @@
+@@ -647,6 +791,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
@ -11225,7 +11231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,10 +813,6 @@
+@@ -664,10 +814,6 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
@ -11236,7 +11242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache system script local policy
-@@ -677,7 +822,8 @@
+@@ -677,7 +823,8 @@
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
@ -11246,7 +11252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +837,15 @@
+@@ -691,12 +838,15 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
@ -11264,7 +11270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +853,28 @@
+@@ -704,6 +854,30 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
@ -11272,6 +11278,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_sys_script_t self:udp_socket create_socket_perms;
 +
+	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+	corenet_udp_bind_all_nodes(httpd_sys_script_t)
 +	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
 +	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 +	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
@ -11293,7 +11301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +887,10 @@
+@@ -716,10 +890,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -11308,7 +11316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -727,6 +898,8 @@
+@@ -727,6 +901,8 @@
 # httpd_rotatelogs local policy
 #
 
@ -11317,7 +11325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +914,56 @@
+@@ -741,3 +917,56 @@
 logging_search_logs(httpd_rotatelogs_t)
 
 miscfiles_read_localization(httpd_rotatelogs_t)
@ -16314,6 +16322,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	spamassassin_exec(exim_t)
 +	spamassassin_exec_client(exim_t)
 ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.8/policy/modules/services/fail2ban.fc
+--- nsaserefpolicy/policy/modules/services/fail2ban.fc	2008-09-08 10:18:37.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/fail2ban.fc	2008-09-19 11:19:25.000000000 -0400
+@@ -3,5 +3,5 @@
+ /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+-/var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+-/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+
+/var/run/fail2ban.*		gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.8/policy/modules/services/fail2ban.if
 --- nsaserefpolicy/policy/modules/services/fail2ban.if	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.8/policy/modules/services/fail2ban.if	2008-09-17 08:49:08.000000000 -0400
@ -16385,6 +16404,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_list_pids($1)
 +        admin_pattern($1, fail2ban_var_run_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.8/policy/modules/services/fail2ban.te
+--- nsaserefpolicy/policy/modules/services/fail2ban.te	2008-09-05 10:28:20.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/fail2ban.te	2008-09-19 11:19:16.000000000 -0400
+@@ -37,9 +37,10 @@
+ logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+ 
+ # pid file
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
+ 
+ kernel_read_system_state(fail2ban_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.8/policy/modules/services/fetchmail.if
 --- nsaserefpolicy/policy/modules/services/fetchmail.if	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.8/policy/modules/services/fetchmail.if	2008-09-17 08:49:08.000000000 -0400
@ -18031,8 +18065,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.8/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/mailman.if	2008-09-17 08:49:08.000000000 -0400
-@@ -211,6 +211,7 @@
+++ serefpolicy-3.5.8/policy/modules/services/mailman.if	2008-09-19 10:41:48.000000000 -0400
+@@ -31,6 +31,12 @@
+ 	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+ 	allow mailman_$1_t self:udp_socket create_socket_perms;
+ 
+	files_search_spool(mailman_$1_t)
+
+	manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+	manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+	manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+
+ 	manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ 	manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ 	manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+@@ -211,6 +217,7 @@
 		type mailman_data_t;
 	')
 
@ -18040,7 +18087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	manage_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
 
-@@ -252,6 +253,25 @@
+@@ -252,6 +259,25 @@
 
 #######################################
 ## <summary>
@ -18068,7 +18115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.8/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/mailman.te	2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/mailman.te	2008-09-19 10:39:55.000000000 -0400
@@ -53,10 +53,9 @@
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
@ -18110,11 +18157,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 ########################################
 #
-@@ -104,6 +106,7 @@
+@@ -104,6 +106,11 @@
 # some of the following could probably be changed to dontaudit, someone who
 # knows mailman well should test this out and send the changes
 sysadm_search_home_dirs(mailman_queue_t)
 +sysadm_getattr_home_dirs(mailman_queue_t)
+
+optional_policy(`
+	apache_read_config(mailman_queue_t)
+')
 
 optional_policy(`
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
@ -21509,7 +21560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/spool/postfix/postgrey(/.*)?	gen_context(system_u:object_r:postgrey_spool_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.8/policy/modules/services/postgrey.if
 --- nsaserefpolicy/policy/modules/services/postgrey.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if	2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if	2008-09-19 10:23:31.000000000 -0400
@@ -12,10 +12,80 @@
 #
 interface(`postgrey_stream_connect',`
@ -21519,8 +21570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
         ')
 
 	allow $1 postgrey_t:unix_stream_socket connectto;
-         allow $1 postgrey_var_run_t:sock_file write;
-+        allow $1 postgrey_spool_t:sock_file write;
+-        allow $1 postgrey_var_run_t:sock_file write;
+	write_sock_files_pattern($1, postgrey_var_run_t,  postgrey_var_run_t)
+	write_sock_files_pattern($1, postgrey_spool_t,  postgrey_spool_t)
 	files_search_pids($1)
 ')
 +
@ -21954,7 +22006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.8/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/prelude.te	2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/prelude.te	2008-09-19 10:06:36.000000000 -0400
@@ -13,18 +13,56 @@
 type prelude_spool_t;
 files_type(prelude_spool_t)
@ -22052,7 +22104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 dev_read_rand(prelude_audisp_t)
 dev_read_urand(prelude_audisp_t)
-@@ -123,9 +173,119 @@
+@@ -123,9 +173,122 @@
 libs_use_shared_libs(prelude_audisp_t)
 
 logging_send_syslog_msg(prelude_audisp_t)
@ -22104,6 +22156,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# prelude_lml local declarations
 +#
 +
+allow prelude_lml_t self:capability dac_override;
+
 +# Init script handling
 +domain_use_interactive_fds(prelude_lml_t)
 +
@ -22166,13 +22220,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +sysnet_dns_name_resolve(prelude_lml_t)
 +
 +optional_policy(`
+	apache_search_sys_content(prelude_lml_t)
 +	apache_read_log(prelude_lml_t)
 +')
 +
 ########################################
 #
 # prewikka_cgi Declarations
-@@ -133,8 +293,19 @@
+@@ -133,8 +296,19 @@
 
 optional_policy(`
 	apache_content_template(prewikka)
@ -30386,8 +30441,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-08-13 15:24:56.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/libraries.fc	2008-09-17 08:49:09.000000000 -0400
-@@ -66,6 +66,8 @@
+++ serefpolicy-3.5.8/policy/modules/system/libraries.fc	2008-09-21 08:23:42.000000000 -0400
+@@ -60,12 +60,15 @@
+ #
+ # /opt
+ #
+/opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
 
@ -30396,7 +30458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`distro_gentoo',`
 # despite the extensions, they are actually libs
 /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
-@@ -84,7 +86,8 @@
+@@ -84,7 +87,8 @@
 
 ifdef(`distro_redhat',`
 /opt/Adobe(/.*?)/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30406,7 +30468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/cxoffice/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -133,6 +136,7 @@
+@@ -133,6 +137,7 @@
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30414,7 +30476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-@@ -168,7 +172,8 @@
+@@ -168,7 +173,8 @@
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30424,7 +30486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -187,6 +192,7 @@
+@@ -187,6 +193,7 @@
 /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30432,7 +30494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,7 +252,7 @@
+@@ -246,7 +253,7 @@
 
 # Flash plugin, Macromedia
 HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30441,7 +30503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +273,8 @@
+@@ -267,6 +274,8 @@
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@ -30450,7 +30512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +299,8 @@
+@@ -291,6 +300,8 @@
 /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30459,7 +30521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ') dnl end distro_redhat
 
 #
-@@ -310,3 +320,13 @@
+@@ -310,3 +321,13 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@ -33302,7 +33364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if	2008-09-17 09:11:15.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if	2008-09-21 07:04:00.000000000 -0400
@@ -28,10 +28,14 @@
 		class context contains;
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -381,6 +381,9 @@ exit 0
 %endif

 %changelog
+* Sun Sep 21 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-4
+- Fix transition to nsplugin
+'
 * Thu Sep 18 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-3
 - Fix labeling on new pm*log
 - Allow ssh to bind to all nodes