[selinux-policy: 1234/3172] patch from dan Sun, 19 Feb 2006 08:16:18 -0500

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:51:49 UTC 2010


commit 46c69cb27ac3b001be4b3a55512847aee3f8795c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Feb 20 16:31:54 2006 +0000

    patch from dan Sun, 19 Feb 2006 08:16:18 -0500

 refpolicy/policy/global_tunables                  |   14 ++++++++
 refpolicy/policy/modules/admin/amanda.if          |   37 +++++++++++++++++++++
 refpolicy/policy/modules/admin/amanda.te          |    4 +-
 refpolicy/policy/modules/admin/vpn.te             |    4 ++-
 refpolicy/policy/modules/apps/java.fc             |    1 +
 refpolicy/policy/modules/apps/java.if             |   28 ++++++++++++++++
 refpolicy/policy/modules/apps/java.te             |   16 ++++++++-
 refpolicy/policy/modules/kernel/corenetwork.te.in |    3 +-
 refpolicy/policy/modules/kernel/devices.if        |   19 +++++++++++
 refpolicy/policy/modules/kernel/devices.te        |    2 +-
 refpolicy/policy/modules/services/automount.te    |    4 +-
 refpolicy/policy/modules/services/avahi.te        |    3 +-
 refpolicy/policy/modules/services/fetchmail.te    |    3 +-
 refpolicy/policy/modules/services/hal.te          |    4 +-
 refpolicy/policy/modules/services/ktalk.fc        |    1 +
 refpolicy/policy/modules/services/ktalk.te        |    2 +-
 refpolicy/policy/modules/services/spamassassin.te |   10 ++++--
 refpolicy/policy/modules/services/xserver.fc      |    1 +
 refpolicy/policy/modules/services/xserver.if      |   10 +++++-
 refpolicy/policy/modules/services/xserver.te      |    2 +-
 refpolicy/policy/modules/services/zebra.te        |    3 +-
 refpolicy/policy/modules/system/fstools.te        |    9 ++++-
 refpolicy/policy/modules/system/init.te           |    5 ++-
 refpolicy/policy/modules/system/libraries.fc      |    2 +-
 refpolicy/policy/modules/system/libraries.te      |    2 +-
 refpolicy/policy/modules/system/lvm.te            |    3 +-
 refpolicy/policy/modules/system/modutils.if       |    2 +-
 refpolicy/policy/modules/system/modutils.te       |    2 +-
 refpolicy/policy/modules/system/unconfined.te     |   10 +++++-
 29 files changed, 178 insertions(+), 28 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index b96f390..1d556fb 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -469,3 +469,17 @@ gen_tunable(write_untrusted_content,false)
 ## </desc>
 gen_tunable(xdm_sysadm_login,false)
 ')
+
+########################################
+#
+# Targeted policy specific
+#
+
+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow spammd to read/write user home directories.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs,true)
+')
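Review bot: The tunable defaults to `true`, so on targeted systems spamd keeps create/read/write/delete access to every user's home directory out of the box, which is exactly the access the spamassassin.te change in this commit is trying to make optional; unless existing installs depend on it, `gen_tunable(spamd_enable_home_dirs,false)` is the safer default. The description also misspells the daemon and should read `## Allow spamd to read/write user home directories.`.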
diff --git a/refpolicy/policy/modules/admin/amanda.if b/refpolicy/policy/modules/admin/amanda.if
index 0b9281f..f7b1645 100644
--- a/refpolicy/policy/modules/admin/amanda.if
+++ b/refpolicy/policy/modules/admin/amanda.if
@@ -90,3 +90,40 @@ interface(`amanda_dontaudit_read_dumpdates',`
 
 	dontaudit $1 amanda_dumpdates_t:file { getattr read };
 ')
+
+########################################
+## <summary>
+##	Allow read/writing /etc/dumpdates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`amanda_rw_dumpdates_files',`
+	gen_require(`
+		type amanda_dumpdates_t;
+	')
+
+	allow $1 amanda_dumpdates_t:file rw_file_perms;
+')
+########################################
+## <summary>
+##	Allow read/writing amanda logs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`amanda_append_log_files',`
+	gen_require(`
+		type amanda_log_t;
+	')
+
+	allow $1 amanda_log_t:file ra_file_perms;
+')
+
+
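Review bot: The summary on `amanda_append_log_files` says "Allow read/writing amanda logs" but the rule grants `ra_file_perms` (read and append, no write), so the documentation promises more than the interface gives; change it to `##	Read and append to amanda log files.` so it matches both the name and the perms. The two new interfaces are also missing the blank line that separates them after line 91, and the file now ends with two trailing blank lines.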
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index b4e07e0..df244b7 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.2.0)
+policy_module(amanda,1.2.1)
 
 #######################################
 #
@@ -86,7 +86,7 @@ optional_policy(`prelink',`
 # Amanda local policy
 #
 
-allow amanda_t self:capability { chown dac_override setuid };
+allow amanda_t self:capability { chown dac_override setuid kill };
 allow amanda_t self:process { setpgid signal };
 allow amanda_t self:fifo_file { getattr read write ioctl lock };
 allow amanda_t self:unix_stream_socket create_stream_socket_perms;
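Review bot: `kill` is added to amanda_t's capability set with no comment on which other-UID process amanda needs to signal; the `self:process { setpgid signal }` rule on the next line only covers signals to amanda_t itself, so if the target is another domain the change is incomplete, and if it is amanda's own children the capability alone suffices. Add a comment such as `# kill: signal dumper children running under a different uid` (or whatever the denial showed) so the grant can be audited later.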
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 3e59ad2..60e0330 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
 
-policy_module(vpnc,1.1.0)
+policy_module(vpnc,1.1.1)
 
 ########################################
 #
@@ -11,6 +11,7 @@ domain_type(vpnc_t)
 
 type vpnc_exec_t;
 domain_entry_file(vpnc_t,vpnc_exec_t)
+role system_r types vpnc_t;
 
 type vpnc_tmp_t;
 files_tmp_file(vpnc_tmp_t)
@@ -69,6 +70,7 @@ dev_read_urand(vpnc_t)
 dev_read_sysfs(vpnc_t)
 
 fs_getattr_xattr_fs(vpnc_t)
+fs_getattr_tmpfs(vpnc_t)
 
 term_use_all_user_ptys(vpnc_t)
 term_use_all_user_ttys(vpnc_t)
diff --git a/refpolicy/policy/modules/apps/java.fc b/refpolicy/policy/modules/apps/java.fc
index 782c8ab..9375e71 100644
--- a/refpolicy/policy/modules/apps/java.fc
+++ b/refpolicy/policy/modules/apps/java.fc
@@ -2,4 +2,5 @@
 # /usr
 #
 /usr(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index f82d416..930d7a6 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -178,3 +178,31 @@ template(`java_per_userdomain_template',`
 		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
 	')
 ')
+
+########################################
+## <summary>
+##	Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`java_domtrans',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type java_t, java_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domain_auto_trans($1, java_exec_t, java_t)
+
+		allow $1 java_t:fd use;
+		allow java_t $1:fd use;
+		allow java_t $1:fifo_file rw_file_perms;
+		allow java_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
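Review bot: The summary does not say this interface is targeted-only, nor that the java_t it transitions into is made unconfined by this same commit's java.te, so a caller reading only this file would assume java is being confined. Suggest `##	Execute the java program in the java domain (targeted policy only; java_t is unconfined there and exists to hold execmem/execstack).`. If this tree already has a `refpolicywarn` helper used by other targeted-only interfaces, the raw `errprint` at line 201 should use it so the warning format stays consistent.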
diff --git a/refpolicy/policy/modules/apps/java.te b/refpolicy/policy/modules/apps/java.te
index d7ffdc2..caea9aa 100644
--- a/refpolicy/policy/modules/apps/java.te
+++ b/refpolicy/policy/modules/apps/java.te
@@ -1,10 +1,24 @@
 
-policy_module(java,1.0.0)
+policy_module(java,1.0.1)
 
 ########################################
 #
 # Declarations
 #
 
+type java_t;
+domain_type(java_t)
+
 type java_exec_t;
 files_type(java_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+ifdef(`targeted_policy',`
+	allow java_t self:process { execstack execmem };
+	unconfined_domain_noaudit(java_t)
+	role system_r types java_t;
+')
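Review bot: `unconfined_domain_noaudit(java_t)` together with `execmem execstack` means the new domain confines nothing; its only observable effect is that the JVM rather than unconfined_t holds the executable-stack and executable-memory grants, and the targeted block carries no comment saying so. Add `# java_t is unconfined; it exists so the JVM can have execmem/execstack without granting them to unconfined_t` above line 230. In strict policy java_t is declared via `domain_type` but gets no rules and no role, which appears harmless but should be noted (or wrapped in the same `ifdef`) so it is not mistaken for an unfinished domain.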
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index e0ef744..e846d39 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.0.3)
+policy_module(corenetwork,1.0.4)
 
 ########################################
 #
@@ -106,6 +106,7 @@ network_port(radius, udp,1645,s0, udp,1812,s0)
 network_port(razor, tcp,2703,s0)
 network_port(rlogind, tcp,513,s0)
 network_port(rndc, tcp,953,s0)
+network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 917c544..d037910 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -206,6 +206,25 @@ interface(`dev_delete_generic_files',`
 
 ########################################
 ## <summary>
+##	Create a file in the device directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to create the files.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_t:file manage_file_perms;
+')
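Review bot: The summary `Create a file in the device directory.` understates the grant: `manage_file_perms` on `device_t` files includes read, write, unlink, rename and setattr, and `rw_dir_perms` lets the caller add and remove entries in /dev. Change the summary to `##	Create, read, write, and delete generic files in the device directory.` and the param summary to `Domain allowed access.` so callers see the full scope. Since device_t is also the label on anything in /dev without a more specific type, this interface should be handed out sparingly.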
+
+########################################
+## <summary>
 ##	Dontaudit getattr on generic pipes.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 0827543..b1a555b 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.0.2)
+policy_module(devices,1.0.3)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 3037e1f..ecc8e84 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
 
-policy_module(automount,1.1.2)
+policy_module(automount,1.1.3)
 
 ########################################
 #
@@ -92,7 +92,7 @@ domain_use_wide_inherit_fd(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_search_var_lib(automount_t)
-files_search_mnt(automount_t)
+files_list_mnt(automount_t)
 files_getattr_home_dir(automount_t)
 files_read_etc_files(automount_t)
 files_read_etc_runtime_files(automount_t)
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 477d7ee..7065f36 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.1.0)
+policy_module(avahi,1.1.1)
 
 ########################################
 #
@@ -63,6 +63,7 @@ term_dontaudit_use_console(avahi_t)
 domain_use_wide_inherit_fd(avahi_t)
 
 files_read_etc_files(avahi_t)
+files_read_etc_runtime_files(avahi_t)
 
 init_use_fd(avahi_t)
 init_use_script_ptys(avahi_t)
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index 4ab327c..bd72615 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
 
-policy_module(fetchmail,1.0.2)
+policy_module(fetchmail,1.0.3)
 
 ########################################
 #
@@ -67,6 +67,7 @@ dev_read_urand(fetchmail_t)
 
 files_read_etc_files(fetchmail_t)
 files_read_etc_runtime_files(fetchmail_t)
+files_dontaudit_search_home(fetchmail_t)
 
 fs_getattr_all_fs(fetchmail_t)
 fs_search_auto_mountpoints(fetchmail_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 59f8012..a060299 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.2.5)
+policy_module(hal,1.2.6)
 
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
 #
 
 # execute openvt which needs setuid
-allow hald_t self:capability { setuid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
+allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
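Review bot: `setgid` is added to hald_t's capabilities, but the comment at line 366 still justifies only `setuid` for openvt, so a later reader cannot tell whether setgid is for the same helper or something new. Update it to `# execute openvt which needs setuid/setgid` if that is the cause, or add a separate comment naming the denial that prompted the addition.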
diff --git a/refpolicy/policy/modules/services/ktalk.fc b/refpolicy/policy/modules/services/ktalk.fc
index 48c7cad..720bca5 100644
--- a/refpolicy/policy/modules/services/ktalk.fc
+++ b/refpolicy/policy/modules/services/ktalk.fc
@@ -1,2 +1,3 @@
 
+/usr/bin/in.talkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
 /usr/bin/ktalkd		--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index f8bfffb..284c1c3 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -1,5 +1,5 @@
 
-policy_module(ktalk,1.1.0)
+policy_module(ktalk,1.1.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index a3643ff..b5f6f5e 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.2.2)
+policy_module(spamassassin,1.2.3)
 
 ########################################
 #
@@ -77,6 +77,7 @@ corenet_tcp_bind_spamd_port(spamd_t)
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
 corenet_udp_bind_generic_port(spamd_t)
+corenet_udp_bind_imaze_port(spamd_t)
 corenet_tcp_connect_razor_port(spamd_t)
 
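Review bot: `corenet_udp_bind_imaze_port(spamd_t)` lets spamd bind a named port that belongs to another service, presumably because the random resolver source port described in the comment above occasionally lands on it; that is a permanent grant for a transient collision and leaves spamd able to squat on that port. Add `# random resolver source port can land on the imaze port` so the reason is recorded, and consider whether a dontaudit of that name_bind is preferable to an allow if nothing in spamd actually needs the port.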
 dev_read_sysfs(spamd_t)
@@ -122,8 +123,11 @@ ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(spamd_t)
 	term_dontaudit_use_generic_ptys(spamd_t)
 	files_dontaudit_read_root_files(spamd_t)
-	userdom_manage_generic_user_home_dirs(spamd_t)
-	userdom_manage_generic_user_home_files(spamd_t)
+	tunable_policy(`spamd_enable_home_dirs',`
+		userdom_manage_generic_user_home_dirs(spamd_t)
+		userdom_manage_generic_user_home_files(spamd_t)
+		userdom_manage_generic_user_home_symlinks(spamd_t)
+	')
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 5c1ffe8..d0ba416 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -52,6 +52,7 @@ ifdef(`strict_policy',`
 /usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth		--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 49de4bc..0c92946 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -39,11 +39,12 @@ template(`xserver_common_domain_template',`
 	# admin of APM bios?
 	# sys_nice is so that the X server can set a negative nice value
 	# execheap needed until the X module loader is fixed.
+	# NVIDIA Needs execstack
 
 	allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 	dontaudit $1_xserver_t self:capability chown;
 	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_xserver_t self:process { execmem execheap setsched };
+	allow $1_xserver_t self:process { execmem execheap execstack setsched };
 	allow $1_xserver_t self:fd use;
 	allow $1_xserver_t self:fifo_file rw_file_perms;
 	allow $1_xserver_t self:sock_file r_file_perms;
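Review bot: `execstack` is now granted to every `$1_xserver_t` instance unconditionally, so the `~{ ... execstack ... }` exclusion on line 448 no longer restricts anything and W^X is dropped for all X servers to accommodate one proprietary driver. If this tree already has a boolean for execstack/execmem, gate the grant in a `tunable_policy` instead of a blanket allow; at minimum expand the comment to `# NVIDIA binary driver needs execstack; revisit when the driver is fixed` so it gets reviewed. The `xserver_common_domain_template` continues outside this hunk.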
@@ -53,6 +54,7 @@ template(`xserver_common_domain_template',`
 	allow $1_xserver_t self:msg { send receive };
 	allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms;
 	allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
 	allow $1_xserver_t self:udp_socket create_socket_perms;
 
@@ -86,6 +88,7 @@ template(`xserver_common_domain_template',`
 	kernel_read_modprobe_sysctls($1_xserver_t)
 	# Xorg wants to check if kernel is tainted
 	kernel_read_kernel_sysctls($1_xserver_t)
+	kernel_write_proc_files($1_xserver_t)
 
 	# Run helper programs in $1_xserver_t.
 	corecmd_search_sbin($1_xserver_t)
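Review bot: `kernel_write_proc_files($1_xserver_t)` grants write to all generic proc_t files with no comment saying which file the server needs, which is far broader than the read-only sysctl interfaces beside it. Record the target in a comment, e.g. `# for writing /proc/<file>` with the path from the denial, and prefer a file-specific interface if the policy labels that file with its own type. This hunk is inside `xserver_common_domain_template`, which continues outside it.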
@@ -122,9 +125,12 @@ template(`xserver_common_domain_template',`
 	dev_rw_xserver_misc($1_xserver_t)
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
+	dev_rwx_zero($1_xserver_t)
 
 	files_read_etc_files($1_xserver_t)
 	files_read_etc_runtime_files($1_xserver_t)
+	files_read_usr_files($1_xserver_t)
+
 	# brought on by rhgb
 	files_search_mnt($1_xserver_t)
 	# for nscd
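Review bot: `dev_rwx_zero($1_xserver_t)` allows mapping /dev/zero executable, which is another route to anonymous writable-and-executable memory alongside the execstack grant earlier in this template and deserves the same justification; `files_read_usr_files` is uncontroversial. Add `# NVIDIA driver maps /dev/zero executable` (or whatever the denial showed) above line 474 so both W^X exemptions are traceable to one cause. The template continues outside the hunk.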
@@ -134,6 +140,8 @@ template(`xserver_common_domain_template',`
 	fs_search_nfs($1_xserver_t)
 	fs_search_auto_mountpoints($1_xserver_t)
 
+	init_getpgid($1_xserver_t)
+
 	term_setattr_unallocated_ttys($1_xserver_t)
 	term_use_unallocated_ttys($1_xserver_t)
 
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 248032d..a7998e9 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.0.2)
+policy_module(xserver,1.0.3)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 9d5d17e..117d11d 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
 
-policy_module(zebra,1.1.1)
+policy_module(zebra,1.1.2)
 
 ########################################
 #
@@ -73,6 +73,7 @@ corenet_non_ipsec_sendrecv(zebra_t)
 corenet_tcp_bind_all_nodes(zebra_t)
 corenet_udp_bind_all_nodes(zebra_t)
 corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
 
 dev_associate_usbfs(zebra_var_run_t)
 dev_list_all_dev_nodes(zebra_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 7c345eb..7edd190 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.2.1)
+policy_module(fstools,1.2.2)
 
 ########################################
 #
@@ -15,7 +15,7 @@ role system_r types fsadm_t;
 type fsadm_tmp_t;
 files_tmp_file(fsadm_tmp_t)
 
-type swapfile_t;
+type swapfile_t; # customizable
 files_type(swapfile_t)
 
 ########################################
@@ -154,6 +154,11 @@ tunable_policy(`read_default_t',`
 	files_read_default_pipes(fsadm_t)
 ')
 
+optional_policy(`amanda',`
+	amanda_rw_dumpdates_files(fsadm_t)
+	amanda_append_log_files(fsadm_t)
+')
+
 optional_policy(`cron',`
 	# for smartctl cron jobs
 	cron_system_entry(fsadm_t,fsadm_exec_t)
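Review bot: The new amanda block grants fsadm_t read/write on /etc/dumpdates and append on amanda logs without a comment naming the tool, unlike the cron block below it which says `# for smartctl cron jobs`. If dump/restore run under amanda are what update these files, add `# dump/restore invoked by amanda update /etc/dumpdates and amanda logs` above line 547 so the cross-module grant is explained where it is made.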
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 233b778..ed05cac 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.2.4)
+policy_module(init,1.2.5)
 
 gen_require(`
 	class passwd rootok;
@@ -231,6 +231,8 @@ allow initrc_t initrc_tmp_t:file create_file_perms;
 allow initrc_t initrc_tmp_t:dir create_dir_perms;
 files_filetrans_tmp(initrc_t,initrc_tmp_t, { file dir })
 
+init_write_initctl(initrc_t)
+
 kernel_read_system_state(initrc_t)
 kernel_read_software_raid_state(initrc_t)
 kernel_read_network_state(initrc_t)
@@ -272,6 +274,7 @@ dev_setattr_all_chr_files(initrc_t)
 dev_read_lvm_control(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
+dev_manage_generic_files(initrc_t)
 # Wants to remove udev.tbl:
 dev_delete_generic_symlinks(initrc_t)
 
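Review bot: `dev_manage_generic_files(initrc_t)` gives init scripts create/write/unlink/rename on every device_t-labeled file in /dev, and unlike the neighbouring `# Wants to remove udev.tbl:` rule there is no comment saying which file triggered it. Add a comment naming the file, e.g. `# for creating /dev/<file> at boot`, and if it is a single file consider giving it its own type rather than opening all generic /dev files to initrc_t.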
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index b24ad99..677bfdc 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -62,7 +62,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 1ad32c8..30052b2 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.2.2)
+policy_module(libraries,1.2.3)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 0d7651c..c06d05f 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.2.1)
+policy_module(lvm,1.2.2)
 
 ########################################
 #
@@ -203,6 +203,7 @@ dev_dontaudit_getattr_generic_pipes(lvm_t)
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
+fs_donaudit_read_removable_files(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
 # LVM creates block devices in /dev/mapper or /dev/<vg>
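Review bot: `fs_donaudit_read_removable_files` at line 621 is misspelled (`donaudit` for `dontaudit`), so m4 will leave the call unexpanded and the policy build will fail on the unknown token; it should be `fs_dontaudit_read_removable_files(lvm_t)`. Worth confirming the interface exists under that name in filesystem.if before relying on it.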
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index c82e973..ddd0e8c 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -204,7 +204,7 @@ interface(`modutils_run_depmod',`
 	')
 
 	modutils_domtrans_depmod($1)
-	role $2 types insmod_t;
+	role $2 types depmod_t;
 	allow insmod_t $3:chr_file rw_term_perms;
 ')
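Review bot: The role fix is only half of it: line 635 still reads `allow insmod_t $3:chr_file rw_term_perms;` inside `modutils_run_depmod`, so terminal access goes to insmod_t rather than the depmod_t domain the caller just transitioned into; it should be `allow depmod_t $3:chr_file rw_term_perms;`. As written, depmod run through this interface cannot use the caller's terminal while insmod_t receives access it was never asked for here.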
 
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 4313886..94a1b59 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.0.1)
+policy_module(modutils,1.0.2)
 
 gen_require(`
 	bool secure_mode_insmod;
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 596ba65..c45086d 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.2.5)
+policy_module(unconfined,1.2.6)
 
 ########################################
 #
@@ -93,6 +93,10 @@ ifdef(`targeted_policy',`
 		fstools_domtrans(unconfined_t)
 	')
 
+	optional_policy(`java',`
+		java_domtrans(unconfined_t)
+	')
+
 	optional_policy(`lpd',`
 		lpd_domtrans_checkpc(unconfined_t)
 	')
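Review bot: Transitioning unconfined_t into java_t does not confine anything in this commit, because java.te makes java_t `unconfined_domain_noaudit` as well; the only effect is moving the execmem/execstack grant off unconfined_t, which a reader of this file cannot see. A one-line comment above line 664, `# java_t is unconfined; the transition only isolates execmem/execstack`, would make that intent clear.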
@@ -149,6 +153,10 @@ ifdef(`targeted_policy',`
 		usermanage_domtrans_admin_passwd(unconfined_t)
 	')
 
+	optional_policy(`vpn',`
+		vpn_domtrans(unconfined_t)
+	')
+
 	optional_policy(`webalizer',`
 		webalizer_domtrans(unconfined_t)
 	')

