rpms/selinux-policy/devel policy-20080710.patch, 1.63, 1.64 selinux-policy.spec, 1.723, 1.724

Daniel J Walsh dwalsh at fedoraproject.org
Wed Oct 15 21:32:30 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28113

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
* Wed Oct 15 2008 Dan Walsh <dwalsh at redhat.com> 3.5.12-2
- Fix labeling of libGL


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -r1.63 -r1.64
--- policy-20080710.patch	15 Oct 2008 01:37:04 -0000	1.63
+++ policy-20080710.patch	15 Oct 2008 21:32:29 -0000	1.64
@@ -2381,8 +2381,8 @@
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.12/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2008-08-07 11:15:03.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/apps/gpg.te	2008-10-14 15:00:15.000000000 -0400
-@@ -15,15 +15,253 @@
++++ serefpolicy-3.5.12/policy/modules/apps/gpg.te	2008-10-15 10:23:21.000000000 -0400
+@@ -15,15 +15,255 @@
  gen_tunable(gpg_agent_env_file, false)
  
  # Type for gpg or pgp executables.
@@ -2420,7 +2420,7 @@
 +#
 +
 +allow gpg_t self:capability { ipc_lock setuid };
-+allow gpg_t gpg_t:process signal;
++allow gpg_t self:process signal;
 +# setrlimit is for ulimit -c 0
 +allow gpg_t self:process { setrlimit getcap setcap setpgid };
 +
@@ -2435,6 +2435,8 @@
 +manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 +files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
 +
++kernel_read_sysctl(gpg_t)
++
 +unprivuser_home_dir_filetrans_home_content(gpg_t, file)
 +unprivuser_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
 +unprivuser_manage_home_content_files(gpg_t)
@@ -4282,8 +4284,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.12/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.te	2008-10-14 15:00:15.000000000 -0400
-@@ -0,0 +1,246 @@
++++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.te	2008-10-15 16:26:12.000000000 -0400
+@@ -0,0 +1,247 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@@ -4381,6 +4383,7 @@
 +kernel_read_kernel_sysctls(nsplugin_t)
 +kernel_read_system_state(nsplugin_t)
 +
++files_dontaudit_list_home(nsplugin_t)
 +files_read_usr_files(nsplugin_t)
 +files_read_etc_files(nsplugin_t)
 +files_read_config_files(nsplugin_t)
@@ -5736,6 +5739,14 @@
 +')
 +
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.12/policy/modules/apps/wine.fc
+--- nsaserefpolicy/policy/modules/apps/wine.fc	2008-08-07 11:15:02.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/apps/wine.fc	2008-10-15 13:39:34.000000000 -0400
+@@ -2,3 +2,4 @@
+ 
+ /opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.12/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2008-08-07 11:15:02.000000000 -0400
 +++ serefpolicy-3.5.12/policy/modules/apps/wine.if	2008-10-14 15:00:15.000000000 -0400
@@ -6966,7 +6977,7 @@
  /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/kernel/files.if	2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/kernel/files.if	2008-10-15 16:25:10.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -12745,8 +12756,8 @@
 -') dnl end TODO
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.12/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/cups.fc	2008-10-14 15:00:15.000000000 -0400
-@@ -8,24 +8,33 @@
++++ serefpolicy-3.5.12/policy/modules/services/cups.fc	2008-10-15 08:41:30.000000000 -0400
+@@ -8,24 +8,35 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -12761,6 +12772,8 @@
  
  /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
++/opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
  /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 +/usr/bin/hpijs		--	gen_context(system_u:object_r:hplip_exec_t,s0)
  
@@ -12783,7 +12796,7 @@
  /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
  /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
  /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +42,7 @@
+@@ -33,7 +44,7 @@
  
  /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
  /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -12792,7 +12805,7 @@
  
  /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -43,10 +52,18 @@
+@@ -43,10 +54,18 @@
  /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
  /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
@@ -15412,8 +15425,17 @@
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.12/policy/modules/services/lpd.fc
 --- nsaserefpolicy/policy/modules/services/lpd.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/lpd.fc	2008-10-14 15:00:15.000000000 -0400
-@@ -22,11 +22,14 @@
++++ serefpolicy-3.5.12/policy/modules/services/lpd.fc	2008-10-15 08:33:26.000000000 -0400
+@@ -3,6 +3,8 @@
+ #
+ /dev/printer		-s	gen_context(system_u:object_r:printer_t,s0)
+ 
++/opt/gutenprint/s?bin(/.*)?	gen_context(system_u:object_r:lpr_exec_t,s0)
++
+ #
+ # /usr
+ #
+@@ -22,11 +24,15 @@
  /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
  /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
  
@@ -15428,6 +15450,7 @@
 +/var/spool/cups-pdf(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
  /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
  /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.12/policy/modules/services/mailman.fc
 --- nsaserefpolicy/policy/modules/services/mailman.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.12/policy/modules/services/mailman.fc	2008-10-14 15:00:15.000000000 -0400
@@ -21131,7 +21154,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.12/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/sendmail.te	2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/sendmail.te	2008-10-14 21:46:27.000000000 -0400
 @@ -20,13 +20,17 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -21220,12 +21243,12 @@
  
  optional_policy(`
  	clamav_search_lib(sendmail_t)
++	clamav_stream_connect(sendmail_t)
  ')
  
  optional_policy(`
 -	postfix_exec_master(sendmail_t)
 +	cyrus_stream_connect(sendmail_t)
-+	clamav_stream_connect(sendmail_t)
 +')
 +
 +optional_policy(`
@@ -21573,7 +21596,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.12/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/snmp.te	2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/snmp.te	2008-10-15 14:52:54.000000000 -0400
 @@ -9,6 +9,9 @@
  type snmpd_exec_t;
  init_daemon_domain(snmpd_t, snmpd_exec_t)
@@ -23228,7 +23251,7 @@
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.12/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/xserver.fc	2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/xserver.fc	2008-10-15 10:01:13.000000000 -0400
 @@ -1,13 +1,15 @@
  #
  # HOME_DIR
@@ -23264,7 +23287,7 @@
  #
  # /opt
  #
-@@ -58,7 +55,8 @@
+@@ -58,9 +55,11 @@
  #
  
  /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -23273,8 +23296,11 @@
 +/usr/sbin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -89,16 +87,25 @@
+ /usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
+ /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+@@ -89,16 +88,25 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -23304,7 +23330,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/xserver.if	2008-10-14 21:00:40.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/xserver.if	2008-10-15 15:53:52.000000000 -0400
 @@ -16,6 +16,7 @@
  	gen_require(`
  		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -23483,21 +23509,21 @@
 -	#
 -	# $1_xauth_t Local policy
 -	#
--
+ 
 -	allow $1_xauth_t self:process signal;
 -	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
--
++	domtrans_pattern($2, xauth_exec_t, xauth_t)
++	allow $2 xauth_t:process signal;
+ 
 -	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file)
 -
 -	manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
 -	manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
 -	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
- 
+-
 -	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
-+	domtrans_pattern($2, xauth_exec_t, xauth_t)
-+	allow $2 xauth_t:process signal;
- 
+-
 -	allow $2 $1_xauth_t:process signal;
 +    	allow $2 xauth_home_t:file manage_file_perms;
 +	allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -23515,7 +23541,8 @@
 -
 -	files_read_etc_files($1_xauth_t)
 -	files_search_pids($1_xauth_t)
--
++	ps_process_pattern($2,xauth_t)
+ 
 -	fs_getattr_xattr_fs($1_xauth_t)
 -	fs_search_auto_mountpoints($1_xauth_t)
 -
@@ -23533,8 +23560,7 @@
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_manage_nfs_files($1_xauth_t)
 -	')
-+	ps_process_pattern($2,xauth_t)
- 
+-
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_manage_cifs_files($1_xauth_t)
 -	')
@@ -23571,7 +23597,7 @@
  
  	fs_search_auto_mountpoints($1_iceauth_t)
  
-@@ -473,34 +417,12 @@
+@@ -473,33 +417,12 @@
  	#
  
  	# Device rules
@@ -23581,7 +23607,7 @@
  	allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
 +	allow $2 $1_input_xevent_type:x_event send;
  	allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send;
- 
+-
 -	# manage: xhost X11:ChangeHosts
 -	# freeze: metacity X11:GrabKey
 -	# force_cursor: metacity X11:GrabPointer
@@ -23604,11 +23630,11 @@
 -
 -	# setattr: metacity X11:InstallColormap
 -	allow $2 $1_xserver_t:x_screen { saver_setattr saver_getattr setattr };
--
++	allow $2 xdm_rootwindow_t:x_colormap remove_color;
+ 
  	# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
  	allow $2 info_xproperty_t:x_property { create write append };
- 
-@@ -616,7 +538,7 @@
+@@ -616,7 +539,7 @@
  #	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
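Review bot: The added `allow $2 xdm_rootwindow_t:x_colormap remove_color;` has no comment naming the client and X request that needs it, unlike the rule just below it (`# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER`). It also hard-codes xdm's root window type inside a per-role template, so every domain passed as `$2` gets the permission on the display manager's colormap. I would add a line such as `# remove_color: <client> X11:<request>` above the rule. The template's require block starts outside this hunk, so whether `xdm_rootwindow_t` is declared there should be checked as well.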
@@ -23617,7 +23643,7 @@
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -624,8 +546,8 @@
+@@ -624,8 +547,8 @@
  	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -23628,7 +23654,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -649,13 +571,213 @@
+@@ -649,13 +572,210 @@
  
  	xserver_read_xdm_tmp_files($2)
  
@@ -23670,8 +23696,8 @@
 +		attribute x_domain;
 +		type $1_xserver_t;
 +#		type $2_input_xevent_t;
-+')
-+
+ ')
+ 
 +	allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
 +
 +#	typeattribute $2_input_xevent_t $1_input_xevent_type;
@@ -23708,7 +23734,7 @@
 +	# write: gnome-settings-daemon RANDR:SelectInput
 +	# setattr: gnome-settings-daemon X11:GrabKey
 +	# manage: metacity X11:ChangeWindowAttributes
-+	allow $3 $1_rootwindow_t:x_drawable { read show write manage setattr get_property blend create add_child write receive set_property };
++	allow $3 $1_rootwindow_t:x_drawable { show write manage setattr get_property blend create add_child write receive set_property };
 +
 +	# setattr: metacity X11:InstallColormap
 +	allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr };
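Review bot: The rewritten `allow $3 $1_rootwindow_t:x_drawable` rule still lists `write` twice in its permission set; the commit removes `read` but leaves the duplicate in place. The duplicate is harmless to the compiled policy, but it makes the set harder to audit against the per-permission comments above it. I would write it as `{ show write manage setattr get_property blend create add_child receive set_property }`. The enclosing template begins and ends outside this hunk.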
@@ -23808,12 +23834,9 @@
 +	allow $2 manage_xevent_t:x_event receive;
 +	allow $2 manage_xevent_t:x_synthetic_event { send receive };
 +
-+	allow $2 output_xext_t:x_extension { query use };
-+	allow $2 debug_xext_t:x_extension { query use };
-+	allow $2 screensaver_xext_t:x_extension { query use };
++	allow $2 xextension_type:x_extension { query use };
 +
 +	allow $2 property_xevent_t:x_event receive;
-+	allow $2 shmem_xext_t:x_extension { query use };
 +
 +#	allow $2 $1_client_xevent_t:x_synthetic_event receive;
 +#	allow $2 $1_client_xevent_t:x_event receive;
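Review bot: Replacing the four named rules (`output_xext_t`, `debug_xext_t`, `screensaver_xext_t`, `shmem_xext_t`) with `allow $2 xextension_type:x_extension { query use };` grants query and use on every type that carries the attribute, including any extension type added later. If some extensions are labelled separately so that access to them can be withheld, this rule removes that distinction for all callers of the template. I would either keep the explicit list or add a comment stating that all extensions are intentionally open, e.g. `# all X extensions are usable by $2; restrict per-extension here if needed`. The require block for this template is outside the hunk, so confirm it declares `attribute xextension_type;`.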
@@ -23840,13 +23863,13 @@
 +
 +#	xserver_use($1, $1, $2)
 +	xserver_use(xdm, $1, $2)
- ')
- 
++')
++
 +
  #######################################
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
-@@ -682,7 +804,7 @@
+@@ -682,7 +802,7 @@
  #
  template(`xserver_common_x_domain_template',`
  	gen_require(`
@@ -23855,7 +23878,7 @@
  		type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
  		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
  		type xevent_t, client_xevent_t;
-@@ -691,7 +813,6 @@
+@@ -691,7 +811,6 @@
  		attribute x_server_domain, x_domain;
  		attribute xproperty_type;
  		attribute xevent_type, xextension_type;
@@ -23863,7 +23886,7 @@
  
  		class x_drawable all_x_drawable_perms;
  		class x_screen all_x_screen_perms;
-@@ -708,6 +829,7 @@
+@@ -708,6 +827,7 @@
  		class x_resource all_x_resource_perms;
  		class x_event all_x_event_perms;
  		class x_synthetic_event all_x_synthetic_event_perms;
@@ -23871,7 +23894,7 @@
  	')
  
  	##############################
-@@ -715,20 +837,22 @@
+@@ -715,20 +835,22 @@
  	# Declarations
  	#
  
@@ -23897,7 +23920,7 @@
  	##############################
  	#
  	# Local Policy
-@@ -746,7 +870,7 @@
+@@ -746,7 +868,7 @@
  	allow $3 x_server_domain:x_server getattr;
  	# everyone can do override-redirect windows.
  	# this could be used to spoof labels
@@ -23906,7 +23929,7 @@
  	# everyone can receive management events on the root window
  	# allows to know when new windows appear, among other things
  	allow $3 manage_xevent_t:x_event receive;
-@@ -755,36 +879,30 @@
+@@ -755,36 +877,30 @@
  	# can read server-owned resources
  	allow $3 x_server_domain:x_resource read;
  	# can mess with own clients
@@ -23953,7 +23976,7 @@
  
  	# X Input
  	# can receive own events
-@@ -811,6 +929,12 @@
+@@ -811,6 +927,12 @@
  	allow $3 manage_xevent_t:x_synthetic_event send;
  	allow $3 client_xevent_t:x_synthetic_event send;
  
@@ -23966,7 +23989,7 @@
  	# X Selections
  	# can use the clipboard
  	allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
-@@ -819,13 +943,15 @@
+@@ -819,13 +941,15 @@
  
  	# Other X Objects
  	# can create and use cursors
@@ -23986,7 +24009,7 @@
  
  	tunable_policy(`! xserver_object_manager',`
  		# should be xserver_unconfined($3),
-@@ -885,24 +1011,17 @@
+@@ -885,24 +1009,17 @@
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -24018,7 +24041,7 @@
  
  	# Allow connections to X server.
  	files_search_tmp($3)
-@@ -917,16 +1036,12 @@
+@@ -917,16 +1034,16 @@
  	xserver_rw_session_template($1, $3, $4)
  	xserver_use_user_fonts($1, $3)
  
@@ -24034,11 +24057,15 @@
 -	')
 +	allow $3 xdm_xproperty_t:x_property { write read };
 +	allow $3 xdm_xserver_t:x_screen { saver_hide saver_show };
++
++#	allow $3 $1_rootwindow_t:x_drawable read;
++	allow $3 xdm_rootwindow_t:x_drawable read;
++
 +	xserver_use_xdm($3)
  ')
  
  ########################################
-@@ -958,26 +1073,43 @@
+@@ -958,26 +1075,43 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
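Review bot: The commented-out `#	allow $3 $1_rootwindow_t:x_drawable read;` is added together with its replacement `allow $3 xdm_rootwindow_t:x_drawable read;`, with nothing to say why the per-role type was abandoned. As written, every domain given to this template can read xdm's root window rather than the root window of its own role. Either drop the dead line or replace it with a short why-comment, e.g. `# root window is owned by xdm now that per-role X server types are gone — confirm`. The template body starts outside this hunk.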
@@ -24089,7 +24116,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -1003,10 +1135,77 @@
+@@ -1003,10 +1137,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
@@ -24128,8 +24155,9 @@
 +template(`xserver_read_user_xauth',`
 +	gen_require(`
 +		type xauth_home_t;
-+	')
-+
+ 	')
+ 
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	allow $2 xauth_home_t:file { getattr read };
 +')
 +
@@ -24161,15 +24189,14 @@
 +template(`xserver_read_user_iceauth',`
 +	gen_require(`
 +		type iceauth_home_t;
- 	')
- 
--	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
++	')
++
 +	# Read .Iceauthority file
 +	allow $2 iceauth_home_t:file { getattr read };
  ')
  
  ########################################
-@@ -1036,10 +1235,10 @@
+@@ -1036,10 +1237,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -24182,7 +24209,7 @@
  ')
  
  ########################################
-@@ -1225,6 +1424,25 @@
+@@ -1225,6 +1426,25 @@
  
  ########################################
  ## <summary>
@@ -24208,7 +24235,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -1279,6 +1497,7 @@
+@@ -1279,6 +1499,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -24216,7 +24243,7 @@
  ')
  
  ########################################
-@@ -1297,7 +1516,7 @@
+@@ -1297,7 +1518,7 @@
  	')
  
  	files_search_pids($1)
@@ -24225,7 +24252,7 @@
  ')
  
  ########################################
-@@ -1320,6 +1539,24 @@
+@@ -1320,6 +1541,24 @@
  
  ########################################
  ## <summary>
@@ -24250,7 +24277,7 @@
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -1330,15 +1567,47 @@
+@@ -1330,15 +1569,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -24299,7 +24326,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1488,7 +1757,7 @@
+@@ -1488,7 +1759,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -24308,7 +24335,7 @@
  ')
  
  ########################################
-@@ -1680,6 +1949,26 @@
+@@ -1680,6 +1951,26 @@
  
  ########################################
  ## <summary>
@@ -24335,7 +24362,7 @@
  ##	xdm xserver RW shared memory socket.
  ## </summary>
  ## <param name="domain">
-@@ -1698,6 +1987,24 @@
+@@ -1698,6 +1989,24 @@
  
  ########################################
  ## <summary>
@@ -24360,7 +24387,7 @@
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1710,8 +2017,157 @@
+@@ -1710,8 +2019,157 @@
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -26232,8 +26259,8 @@
  allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.12/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-08-13 15:24:56.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/system/libraries.fc	2008-10-14 15:00:15.000000000 -0400
-@@ -60,12 +60,15 @@
++++ serefpolicy-3.5.12/policy/modules/system/libraries.fc	2008-10-15 08:59:49.000000000 -0400
+@@ -60,12 +61,15 @@
  #
  # /opt
  #
@@ -26249,7 +26276,7 @@
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
  /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
-@@ -84,7 +87,8 @@
+@@ -84,7 +88,8 @@
  
  ifdef(`distro_redhat',`
  /opt/Adobe(/.*?)/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26259,7 +26286,15 @@
  /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/cxoffice/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -133,6 +137,7 @@
+@@ -123,6 +128,7 @@
+ /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -133,6 +139,7 @@
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
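Review bot: The added `/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*` entry appears to duplicate a specification that libraries.fc already has. The same regex, file type and `textrel_shlib_t` context show up as an unchanged context line in the following inner hunk (`@@ -133,6 +139,7 @@`). Two identical specifications do not change labeling, and file-context tooling may report them as duplicates, so I would drop the new line or remove the older one if the aim is to group the libGL entries together. If the libGL fix named in the log message is for a different path, that path is the one to add here.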
@@ -26267,7 +26302,7 @@
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -168,7 +173,8 @@
+@@ -168,7 +175,8 @@
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26277,7 +26312,7 @@
  
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -187,6 +193,7 @@
+@@ -187,6 +195,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26285,7 +26320,7 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,7 +253,7 @@
+@@ -246,7 +255,7 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26294,7 +26329,7 @@
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +274,8 @@
+@@ -267,6 +276,8 @@
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -26303,7 +26338,7 @@
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +300,8 @@
+@@ -291,6 +302,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -26312,7 +26347,7 @@
  ') dnl end distro_redhat
  
  #
-@@ -310,3 +321,15 @@
+@@ -310,3 +323,15 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -26501,6 +26536,18 @@
 -	logging_admin_syslog($1, $2)
 +	logging_admin_syslog($1, $2, $3)
  ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.12/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te	2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/system/logging.te	2008-10-15 15:31:45.000000000 -0400
+@@ -221,7 +221,7 @@
+ # audit dispatcher local policy
+ #
+ 
+-allow audisp_t self:capability sys_nice;
++allow audisp_t self:capability { dac_override sys_nice };
+ allow audisp_t self:process setsched;
+ allow audisp_t self:fifo_file rw_file_perms;
+ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.12/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2008-08-07 11:15:12.000000000 -0400
 +++ serefpolicy-3.5.12/policy/modules/system/lvm.fc	2008-10-14 15:00:15.000000000 -0400
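Review bot: Adding `dac_override` to `audisp_t` lets the audit dispatcher ignore owner and mode bits on every object its type-enforcement rules allow it to reach, and the rule has no comment recording which access was denied. If the denial comes from a file or socket with the wrong ownership or mode, correcting that in the package is the narrower fix. If only read or directory search is needed, `dac_read_search` would be enough. At minimum, put a comment above the rule, e.g. `# dac_override: <path and AVC that required it>`.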
@@ -28250,7 +28297,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.12/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/system/unconfined.fc	2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/system/unconfined.fc	2008-10-15 08:43:45.000000000 -0400
 @@ -2,15 +2,27 @@
  # e.g.:
  # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -28290,7 +28337,7 @@
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.12/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/system/unconfined.if	2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/system/unconfined.if	2008-10-15 08:50:25.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -28621,7 +28668,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.12/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/system/unconfined.te	2008-10-14 15:12:41.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/system/unconfined.te	2008-10-15 08:45:32.000000000 -0400
 @@ -6,35 +6,76 @@
  # Declarations
  #
@@ -28916,7 +28963,7 @@
  ')
  
  ########################################
-@@ -229,14 +293,35 @@
+@@ -229,14 +293,43 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -28941,7 +28988,7 @@
 +
 +optional_policy(`
 +	xserver_rw_xdm_xserver_shm(unconfined_execmem_t)
- ')
++')
 +
 +########################################
 +#
@@ -28954,6 +29001,14 @@
 +# Allow SELinux aware applications to request rpm_script execution
 +rpm_transition_script(unconfined_notrans_t)
 +domain_ptrace_all_domains(unconfined_notrans_t)
++
++optional_policy(`
++	gen_require(`
++		type mplayer_exec_t;
++	')
++	domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
+ ')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.12/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2008-08-07 11:15:12.000000000 -0400
 +++ serefpolicy-3.5.12/policy/modules/system/userdomain.fc	2008-10-14 15:00:15.000000000 -0400
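Review bot: The new `domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)` puts every mplayer run by an unconfined user into a domain that is allowed `execstack execmem` (see `allow unconfined_execmem_t self:process { execstack execmem };` earlier in the unconfined.te changes), and mplayer parses media from arbitrary sources. The block sits at the end of the unconfined_notrans_t section and reaches `mplayer_exec_t` through a bare require, whereas the neighbouring rules go through module interfaces such as `rpm_transition_script(...)` and `xserver_rw_xdm_xserver_shm(...)`. I would move it next to the other unconfined_execmem_t rules and route the transition through an interface exported by the mplayer module. It also needs a comment such as `# mplayer codecs need execmem/execstack: <bug reference>`.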
@@ -28969,7 +29024,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/system/userdomain.if	2008-10-14 15:00:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/system/userdomain.if	2008-10-15 10:27:06.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')
@@ -29365,7 +29420,7 @@
  ')
  
  #######################################
-@@ -369,18 +359,18 @@
+@@ -369,18 +359,19 @@
  #
  template(`userdom_manage_tmp_template',`
  	gen_require(`
@@ -29391,10 +29446,11 @@
 +	manage_sock_files_pattern($1_usertype, user_tmp_t, user_tmp_t)
 +	manage_fifo_files_pattern($1_usertype, user_tmp_t, user_tmp_t)
 +	files_tmp_filetrans($1_usertype, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++	relabel_files_pattern($1_usertype, user_tmp_t, user_tmp_t)
  ')
  
  #######################################
-@@ -396,7 +386,13 @@
+@@ -396,7 +387,13 @@
  ## <rolebase/>
  #
  template(`userdom_exec_tmp_template',`
@@ -29409,7 +29465,7 @@
  ')
  
  #######################################
-@@ -439,18 +435,15 @@
+@@ -439,18 +436,15 @@
  #
  template(`userdom_manage_tmpfs_template',`
  	gen_require(`
@@ -29434,7 +29490,7 @@
  ')
  
  #######################################
-@@ -468,17 +461,17 @@
+@@ -468,17 +462,17 @@
  #
  template(`userdom_untrusted_content_template',`
  	gen_require(`
@@ -29455,7 +29511,7 @@
  	files_tmp_file($1_untrusted_content_tmp_t)
  
  	# Allow user to relabel untrusted content
-@@ -510,10 +503,6 @@
+@@ -510,10 +504,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -29466,7 +29522,7 @@
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -531,34 +520,20 @@
+@@ -531,34 +521,20 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
@@ -29513,7 +29569,7 @@
  ')
  
  #######################################
-@@ -575,30 +550,33 @@
+@@ -575,30 +551,33 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -29563,7 +29619,7 @@
  ')
  
  #######################################
-@@ -629,13 +607,7 @@
+@@ -629,13 +608,7 @@
  ## <summary>
  ##	The template for allowing the user to change roles.
  ## </summary>
@@ -29578,7 +29634,7 @@
  ##	<summary>
  ##	The prefix of the user domain (e.g., user
  ##	is the prefix for user_t).
-@@ -699,188 +671,202 @@
+@@ -699,188 +672,202 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -29862,7 +29918,7 @@
  ')
  
  #######################################
-@@ -902,9 +888,7 @@
+@@ -902,9 +889,7 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -29873,7 +29929,7 @@
  
  	userdom_base_user_template($1)
  
-@@ -930,74 +914,77 @@
+@@ -930,74 +915,77 @@
  
  	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
  	dontaudit $1_t self:process setrlimit;
@@ -29984,7 +30040,7 @@
  	')
  ')
  
-@@ -1031,9 +1018,6 @@
+@@ -1031,9 +1019,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -29994,7 +30050,7 @@
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1042,12 +1026,25 @@
+@@ -1042,12 +1027,25 @@
  	#
  
  	# privileged home directory writers
@@ -30026,7 +30082,7 @@
  
  	optional_policy(`
  		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-@@ -1087,14 +1084,16 @@
+@@ -1087,14 +1085,16 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -30048,7 +30104,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1102,28 +1101,23 @@
+@@ -1102,28 +1102,23 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -30082,7 +30138,7 @@
  	')
  ')
  
-@@ -1134,8 +1128,7 @@
+@@ -1134,8 +1129,7 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -30092,7 +30148,7 @@
  ##	</p>
  ##	<p>
  ##	This template creates a user domain, types, and
-@@ -1167,11 +1160,10 @@
+@@ -1167,11 +1161,10 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -30105,7 +30161,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1189,36 +1181,49 @@
+@@ -1189,36 +1182,49 @@
  		')
  	')
  
@@ -30168,7 +30224,7 @@
  	')
  ')
  
-@@ -1295,8 +1300,6 @@
+@@ -1295,8 +1301,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -30177,7 +30233,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1318,8 +1321,6 @@
+@@ -1318,8 +1322,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -30186,7 +30242,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1374,13 +1375,6 @@
+@@ -1374,13 +1376,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -30200,7 +30256,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1432,6 +1426,7 @@
+@@ -1432,6 +1427,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -30208,7 +30264,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1461,10 +1456,6 @@
+@@ -1461,10 +1457,6 @@
  	seutil_run_semanage($1,$2,$3)
  	seutil_run_setfiles($1, $2, $3)
  
@@ -30219,7 +30275,7 @@
  	optional_policy(`
  		aide_run($1,$2, $3)
  	')
-@@ -1484,6 +1475,14 @@
+@@ -1484,6 +1476,14 @@
  	optional_policy(`
  		netlabel_run_mgmt($1,$2, $3)
  	')
@@ -30234,7 +30290,7 @@
  ')
  
  ########################################
-@@ -1741,11 +1740,15 @@
+@@ -1741,11 +1741,15 @@
  #
  template(`userdom_user_home_content',`
  	gen_require(`
@@ -30253,7 +30309,7 @@
  ')
  
  ########################################
-@@ -1841,11 +1844,11 @@
+@@ -1841,11 +1845,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -30267,7 +30323,7 @@
  ')
  
  ########################################
-@@ -1875,11 +1878,11 @@
+@@ -1875,11 +1879,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -30281,7 +30337,7 @@
  ')
  
  ########################################
-@@ -1923,12 +1926,12 @@
+@@ -1923,12 +1927,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -30297,7 +30353,7 @@
  ')
  
  ########################################
-@@ -1958,10 +1961,11 @@
+@@ -1958,10 +1962,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -30311,7 +30367,7 @@
  ')
  
  ########################################
-@@ -1993,11 +1997,47 @@
+@@ -1993,11 +1998,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -30361,7 +30417,7 @@
  ')
  
  ########################################
-@@ -2029,10 +2069,10 @@
+@@ -2029,10 +2070,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -30374,7 +30430,7 @@
  ')
  
  ########################################
-@@ -2062,11 +2102,11 @@
+@@ -2062,11 +2103,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -30388,7 +30444,7 @@
  ')
  
  ########################################
-@@ -2096,11 +2136,11 @@
+@@ -2096,11 +2137,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -30403,7 +30459,7 @@
  ')
  
  ########################################
-@@ -2130,10 +2170,14 @@
+@@ -2130,10 +2171,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -30420,7 +30476,7 @@
  ')
  
  ########################################
-@@ -2163,11 +2207,11 @@
+@@ -2163,11 +2208,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -30434,7 +30490,7 @@
  ')
  
  ########################################
-@@ -2197,11 +2241,11 @@
+@@ -2197,11 +2242,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -30448,7 +30504,7 @@
  ')
  
  ########################################
-@@ -2231,10 +2275,10 @@
+@@ -2231,10 +2276,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -30461,7 +30517,7 @@
  ')
  
  ########################################
-@@ -2266,12 +2310,12 @@
+@@ -2266,12 +2311,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -30477,7 +30533,7 @@
  ')
  
  ########################################
-@@ -2303,10 +2347,10 @@
+@@ -2303,10 +2348,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -30490,7 +30546,7 @@
  ')
  
  ########################################
-@@ -2338,12 +2382,12 @@
+@@ -2338,12 +2383,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -30506,7 +30562,7 @@
  ')
  
  ########################################
-@@ -2375,12 +2419,12 @@
+@@ -2375,12 +2420,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -30522,7 +30578,7 @@
  ')
  
  ########################################
-@@ -2412,12 +2456,12 @@
+@@ -2412,12 +2457,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -30538,7 +30594,7 @@
  ')
  
  ########################################
-@@ -2462,11 +2506,11 @@
+@@ -2462,11 +2507,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -30552,7 +30608,7 @@
  ')
  
  ########################################
-@@ -2511,11 +2555,11 @@
+@@ -2511,11 +2556,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -30566,7 +30622,7 @@
  ')
  
  ########################################
-@@ -2555,11 +2599,11 @@
+@@ -2555,11 +2600,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -30580,7 +30636,7 @@
  ')
  
  ########################################
-@@ -2589,11 +2633,11 @@
+@@ -2589,11 +2634,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -30594,7 +30650,7 @@
  ')
  
  ########################################
-@@ -2623,11 +2667,11 @@
+@@ -2623,11 +2668,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -30608,7 +30664,7 @@
  ')
  
  ########################################
-@@ -2659,10 +2703,10 @@
+@@ -2659,10 +2704,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -30621,7 +30677,7 @@
  ')
  
  ########################################
-@@ -2694,10 +2738,10 @@
+@@ -2694,10 +2739,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -30634,7 +30690,7 @@
  ')
  
  ########################################
-@@ -2727,12 +2771,12 @@
+@@ -2727,12 +2772,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -30650,7 +30706,7 @@
  ')
  
  ########################################
-@@ -2764,10 +2808,10 @@
+@@ -2764,10 +2809,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -30663,7 +30719,7 @@
  ')
  
  ########################################
-@@ -2799,10 +2843,10 @@
+@@ -2799,10 +2844,10 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -30676,7 +30732,7 @@
  ')
  
  ########################################
-@@ -2832,12 +2876,12 @@
+@@ -2832,12 +2877,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -30692,7 +30748,7 @@
  ')
  
  ########################################
-@@ -2869,10 +2913,10 @@
+@@ -2869,10 +2914,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -30705,7 +30761,7 @@
  ')
  
  ########################################
-@@ -2904,12 +2948,12 @@
+@@ -2904,12 +2949,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -30721,7 +30777,7 @@
  ')
  
  ########################################
-@@ -2941,11 +2985,11 @@
+@@ -2941,11 +2986,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -30735,7 +30791,7 @@
  ')
  
  ########################################
-@@ -2977,11 +3021,11 @@
+@@ -2977,11 +3022,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -30749,7 +30805,7 @@
  ')
  
  ########################################
-@@ -3013,11 +3057,11 @@
+@@ -3013,11 +3058,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -30763,7 +30819,7 @@
  ')
  
  ########################################
-@@ -3049,11 +3093,11 @@
+@@ -3049,11 +3094,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -30777,7 +30833,7 @@
  ')
  
  ########################################
-@@ -3085,11 +3129,11 @@
+@@ -3085,11 +3130,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -30791,7 +30847,7 @@
  ')
  
  ########################################
-@@ -3134,10 +3178,10 @@
+@@ -3134,10 +3179,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -30804,7 +30860,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3178,19 +3222,19 @@
+@@ -3178,19 +3223,19 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -30828,7 +30884,7 @@
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -3211,13 +3255,13 @@
+@@ -3211,13 +3256,13 @@
  #
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
@@ -30846,7 +30902,7 @@
  ')
  
  ########################################
-@@ -4616,11 +4660,11 @@
+@@ -4616,11 +4661,11 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -30860,7 +30916,7 @@
  ')
  
  ########################################
-@@ -4640,6 +4684,14 @@
+@@ -4640,6 +4685,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -30875,7 +30931,7 @@
  ')
  
  ########################################
-@@ -4677,6 +4729,8 @@
+@@ -4677,6 +4730,8 @@
  	')
  
  	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -30884,7 +30940,7 @@
  ')
  
  ########################################
-@@ -4721,6 +4775,25 @@
+@@ -4721,6 +4776,25 @@
  
  ########################################
  ## <summary>
@@ -30910,7 +30966,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4946,7 +5019,7 @@
+@@ -4946,7 +5020,7 @@
  
  ########################################
  ## <summary>
@@ -30919,7 +30975,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5318,6 +5391,42 @@
+@@ -5318,6 +5392,42 @@
  
  ########################################
  ## <summary>
@@ -30962,7 +31018,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5368,7 +5477,7 @@
+@@ -5368,7 +5478,7 @@
  		attribute userdomain;
  	')
  
@@ -30971,7 +31027,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -5483,6 +5592,42 @@
+@@ -5483,6 +5593,42 @@
  
  ########################################
  ## <summary>
@@ -31014,7 +31070,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5513,3 +5658,548 @@
+@@ -5513,3 +5659,548 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.723
retrieving revision 1.724
diff -u -r1.723 -r1.724
--- selinux-policy.spec	14 Oct 2008 23:33:40 -0000	1.723
+++ selinux-policy.spec	15 Oct 2008 21:32:30 -0000	1.724
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.12
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,9 @@
 %endif
 
 %changelog
+* Wed Oct 15 2008 Dan Walsh <dwalsh at redhat.com> 3.5.12-2
+- Fix labeling of libGL
+
 * Fri Oct 10 2008 Dan Walsh <dwalsh at redhat.com> 3.5.12-1
 - Update to upstream
 



