[selinux-policy] - More access needed for devicekit - Add dbadm policy

Daniel J Walsh dwalsh at fedoraproject.org
Mon Aug 30 15:58:37 UTC 2010


commit 6578cf7413ee25605e62d67ee58d6d27ae018b32
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Aug 30 11:58:36 2010 -0400

    - More access needed for devicekit
    - Add dbadm policy

 modules-minimum.conf  | 2217 +------------------------------------------------
 modules-mls.conf      |    7 +
 modules-targeted.conf |    7 +
 policy-F14.patch      |  469 +++++++++---
 selinux-policy.spec   |    6 +-
 sources               |    1 -
 6 files changed, 395 insertions(+), 2312 deletions(-)
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
deleted file mode 100644
index 0b350d3..0000000
--- a/modules-minimum.conf
+++ /dev/null
@@ -1,2216 +0,0 @@
-#
-# This file contains a listing of available modules.
-# To prevent a module from  being used in policy
-# creation, set the module name to "off".
-#
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
-#
-# For modular policies, modules set to "base" will be
-# included in the base module.  "module" will be compiled
-# as individual loadable modules.
-#
-
-# Layer: services
-# Module: accountsd
-#
-#  An application to view and modify user accounts information
-# 
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-# 
-acct = base
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-# 
-alsa = base
-
-# Layer: apps
-# Module: ada
-#
-# ada executable
-# 
-ada = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles userspace management daemon
-# 
-cachefilesd = module
-
-# Layer: apps
-# Module: cpufreqselector 
-#
-# cpufreqselector executable
-# 
-cpufreqselector = module
-
-# Layer: apps
-# Module: chrome
-#
-# chrome sandbox
-# 
-chrome = module
-
-# Layer: modules
-# Module: awstats
-#
-# awstats executable
-# 
-awstats = module
-
-# Layer: services
-# Module: abrt
-#
-# Automatic bug detection and reporting tool
-# 
-abrt = module
-
-# Layer: services
-# Module: aiccu
-#
-# SixXS Automatic IPv6 Connectivity Client Utility
-# 
-aiccu = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-# 
-amanda = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-# 
-afs = module
-
-# Layer: services
-# Module: amavis
-#
-# Anti-virus
-# 
-amavis = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-# 
-anaconda = base
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-# 
-apache = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-# 
-apm = base
-
-# Layer: system
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = base
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-# 
-arpwatch = module
-
-# Layer: services
-# Module: audioentropy
-#
-# Generate entropy from audio input
-# 
-audioentropy = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = base
-
-# Layer: services
-# Module: asterisk
-#
-# Asterisk IP telephony server
-# 
-asterisk = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-# 
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-# 
-avahi = module
-
-# Layer: services
-# Module: boinc
-#
-# Berkeley Open Infrastructure for Network Computing
-#
-boinc = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-# 
-bind = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugzilla server
-# 
-bugzilla = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-# 
-dnsmasq = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-# 
-bluetooth = module
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-#
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = base
-
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-# 
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# policy for ccs
-# 
-ccs = module
-
-# Layer: apps
-# Module: calamaris
-#
-#
-# Squid log analysis
-# 
-calamaris = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-# 
-cdrecord = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-# 
-certwatch = module
-
-# Layer: admin
-# Module: certmaster
-#
-# Digital Certificate master
-# 
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client
-# 
-certmonger = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-# 
-cipe = module
-
-# Layer: services
-# Module: chronyd
-#
-# Daemon for maintaining clock time
-# 
-chronyd = module
-
-# Layer: services
-# Module: cobbler
-#
-# cobbler
-# 
-cobbler = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-# 
-comsat = module
-
-# Layer: services
-# Module: corosync
-#
-# Corosync Cluster Engine Executive
-# 
-corosync = module
-
-# Layer: services
-# Module: clamav
-#
-# ClamAV Virus Scanner
-# 
-clamav = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = base
-
-# Layer: services
-# Module: consolekit
-#
-# ConsoleKit is a system daemon for tracking what users are logged
-# 
-consolekit = module
-
-# Layer: admin
-# Module: consoletype
-#
-# Determine of the console connected to the controlling terminal.
-# 
-consoletype = base
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-# 
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-# 
-corenetwork = base
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-# 
-cpucontrol = base
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-# 
-cron = base
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-# 
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-# 
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-# 
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-# 
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-# 
-daemontools = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-# 
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-# 
-dbus = base
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-# 
-dcc = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-# 
-ddcprobe = off
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-# 
-devicekit = module
-
-# Layer: kernel
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-# 
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-# 
-dictd = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-# 
-distcc = off
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = base
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-# 
-dmidecode = base
-
-# Layer: system
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-# 
-dovecot = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-# 
-gitosis = module
- 
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-# 
-gpg = module
-
-# Layer: services
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-# 
-gpsd = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-# 
-git = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-# 
-gpm = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-# 
-fail2ban = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-# 
-fetchmail = module
-
-# Layer: kernel
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: kernel
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-# 
-finger = module
-
-# Layer: admin
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-# 
-firstboot = base
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-# 
-firewallgui = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-# 
-fprintd = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = base
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-# 
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-# 
-games = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = base
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-# 
-gnome = module
-
-# Layer: services
-# Module: gnomeclock
-#
-# gnomeclock used by dbus/polkit to set time
-# 
-gnomeclock = module
-
-# Layer: services
-# Module: hal
-#
-# Hardware abstraction layer
-# 
-hal = module
-
-# Layer: services
-# Module: hddtemp
-#
-# hddtemp hard disk temperature tool running as a daemon
-# 
-hddtemp = module
-
-# Layer: services
-# Module: policykit
-#
-# Hardware abstraction layer
-# 
-policykit = module
-
-# Layer: services
-# Module: puppet
-#
-#  A network tool for managing many disparate systems
-# 
-puppet = module
-
-# Layer: apps
-# Module: ptchown
-#
-# helper function for grantpt(3), changes ownship and permissions of pseudotty
-# 
-ptchown = module
-
-# Layer: services
-# Module: psad
-#
-# Analyze iptables log for hostile traffic
-# 
-psad = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = base
-
-
-# Layer: system
-# Module: hotplug
-#
-# Policy for hotplug system, for supporting the
-# connection and disconnection of devices at runtime.
-# 
-hotplug = base
-
-# Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS
-# 
-howl = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-# 
-inetd = base
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = base
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-# 
-inn = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = base
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-# 
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-# 
-irqbalance = base
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-# 
-iscsi = module
-
-# Layer: services
-# Module: icecast 
-#
-#  ShoutCast compatible streaming media server
-# 
-icecast = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-# 
-i18n_input = off
-
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-# 
-jabber = module
-
-# Layer: apps
-# Module: java
-#
-# java executable
-# 
-java = module
-
-# Layer: apps
-# Module: execmem
-#
-# execmem executable
-# 
-execmem = module
-
-# Layer: system
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-# 
-kdump = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-# 
-kdumpgui = module
-
-# Layer: services
-# Module: ksmtuned
-#
-#  Kernel Samepage Merging (KSM) Tuning Daemon
-# 
-ksmtuned = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-# 
-kerberos = module
-
-# Layer: kernel
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-# 
-ktalk = module
-
-# Layer: admin
-# Module: kudzu
-#
-# Hardware detection and configuration tools
-# 
-kudzu = base
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-# 
-ldap = module
-
-# Layer: services
-# Module: likewise
-#
-# Likewise Active Directory support for UNIX
-# 
-likewise = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = base
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-# 
-loadkeys = base
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = base
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-# 
-lockdev = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = base
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-# 
-logrotate = base
-
-# Layer: services
-# Module: logwatch
-#
-# logwatch executable
-# 
-logwatch = base
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-# 
-lpd = module
-
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.  
-# 
-lircd = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = base
-
-# Layer: admin
-# Module: mcelog
-#
-# Policy for mcelog.
-# 
-mcelog = base
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-# 
-mailman = module
-
-# Layer: kernel
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = base
-
-# Layer: kernel
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Layer: services
-# Module: mock
-#
-# Policy for mock rpm builder
-# 
-mock = module
-
-# Layer: services
-# Module: mojomojo
-#
-# Wiki server
-# 
-mojomojo = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = base
-
-# Layer: apps
-# Module: mono
-#
-# mono executable
-# 
-mono = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = base
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-# 
-mozilla = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-# 
-ntop = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-# 
-nslcd = module
-
-# Layer: apps
-# Module: nsplugin
-#
-# Policy for nspluginwrapper 
-# 
-nsplugin = module
-
-# Layer: services
-# Module: modemmanager
-#
-# Manager for dynamically switching between modems.
-# 
-modemmanager = module
-
-# Layer: services
-# Module: mpd
-#
-# mpd - daemon for playing music
-# 
-mpd = module
- 
-# Layer: apps
-# Module: mplayer
-#
-# Policy for Mozilla and related web browsers
-# 
-mplayer = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for Mozilla and related web browsers
-# 
-gpg = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-# 
-mrtg = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-# 
-mta = base
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-# 
-mysql = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-# 
-nagios = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-# 
-ncftool = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-# 
-ncftool = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = base
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-# 
-networkmanager = base
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-# 
-nis = module
-
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-# 
-nscd = base
-
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-# 
-ntp = module
-
-# Layer: services
-# Module: nut
-# 
-# nut - Network UPS Tools
-#
-nut = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-# 
-nx = module
-
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-# 
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-# 
-openct = off
-
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-# 
-openvpn = module
-
-
-# Layer: service
-# Module: pcscd
-#
-# PC/SC Smart Card Daemon
-#
-pcscd = module
-
-# Layer: service
-# Module: openct
-# 
-# Middleware framework for smart card terminals
-#
-openct = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-# 
-pcmcia = base
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-# 
-pegasus = module
-
-# Layer: services
-# Module: piranha
-#
-# piranha - various tools to administer and configure the Linux Virtual Server
-#
-piranha = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-# 
-portmap = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server
-# 
-postfix = module
-
-# Layer: services
-# Module: postgrey
-#
-# email scanner
-# 
-postgrey = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks
-# 
-ppp = module
-
-# Layer: admin
-# Module: prelink
-#
-# Manage temporary directory sizes and file ages
-# 
-prelink = base
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent
-# 
-procmail = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-# 
-privoxy = module
-
-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-# 
-publicfile = module
-
-# Layer: apps
-# Module: pulseaudio
-#
-# The PulseAudio Sound System
-# 
-pulseaudio = module
-
-# Layer: services
-# Module: qmail
-#
-# Policy for qmail
-# 
-qmail = module
-
-# Layer: services
-# Module: qpidd
-#
-# Policy for qpidd
-# 
-qpidd = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-# 
-quota = base
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-# 
-raid = base
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-# 
-radius = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon
-# 
-radvd = module
-
-# Layer: admin
-# Module: readahead
-#
-# Readahead, read files into page cache for improved performance
-# 
-readahead = base
-
-# Layer: services
-# Module: rgmanager
-#
-# Red Hat Resource Group Manager
-#
-rgmanager = module
-
-# Layer: services
-# Module: rhcs
-#
-# RHCS - Red Hat Cluster Suite
-#
-rhcs = module
- 
-# Layer: services
-# Module: aisexec
-#
-# RHCS - Red Hat Cluster Suite
-#
-aisexec = module
- 
-# Layer: services
-# Module: rgmanager
-#
-# rgmanager
-# 
-rgmanager = module
-
-# Layer: services
-# Module: clogd
-#
-# clogd - clustered mirror log server
-# 
-clogd = module
- 
-# Layer: services
-# Module: cmirrord
-#
-# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
-# 
-cmirrord = module
- 
-# Layer: services
-# Module: rhgb
-#
-# X windows login display manager
-# 
-rhgb = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon
-# 
-rdisc = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-# 
-remotelogin = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-# 
-ricci = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-# 
-rlogin = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System policy
-# 
-roundup = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon for managment of network based process communication
-# 
-rpc = base
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-# 
-rpm = base
-
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-# 
-rshd = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-# 
-rsync = module
-
-# Layer: services
-# Module: rtkit
-#
-# Real Time Kit Daemon
-# 
-rtkit = module
-
-# Layer: services
-# Module: rwho
-#
-# who is logged in on local machines
-# 
-rwho = module
-
-# Layer: services
-# Module: samba
-#
-# SMB and CIFS client/server programs for UNIX and
-# name  Service  Switch  daemon for resolving names
-# from Windows NT servers.
-# 
-samba = module
-
-# Layer: apps
-# Module: sandbox
-#
-# Experimental policy for running apps within a sandbox
-# 
-sandbox = module
-
-# Layer: apps
-# Module: sambagui
-#
-# policy for system-config-samba
-# 
-sambagui = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-# 
-sasl = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer
-# 
-screen = module
-
-# Layer: kernel
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = base
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-# 
-sendmail = base
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Layer: admin
-# Module: shorewall
-#
-# Policy for shorewall
-# 
-shorewall = base
-
-# Layer: admin
-# Module: shutdown
-#
-# Policy for shutdown
-# 
-shutdown = module
-
-# Layer: admin
-# Module: sectoolm
-#
-# Policy for sectool-mechanism
-# 
-sectoolm = module
-
-# Layer: system
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = base
-
-# Layer: services
-# Module: setroubleshoot
-#
-# Policy for the SELinux troubleshooting utility
-# 
-setroubleshoot = base
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-# 
-slrnpull = off
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate
-# 
-slocate = module
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon policy
-# 
-smartmon = module
-
-# Layer: services 
-# Module: smokeping
-#
-# Latency Logging and Graphing System
-# 
-smokeping = module
-
-# Layer: admin
-# Module: smoltclient
-#
-#The Fedora hardware profiler client
-# 
-smoltclient = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services
-# 
-snmp = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-# 
-spamassassin = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-# 
-squid = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = base
-
-# Layer: services
-# Module: sssd
-#
-# System Security Services Daemon
-# 
-sssd = module
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-# 
-stunnel = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = base
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = base
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = base
-
-
-# Layer: services
-# Module: sysstat
-#
-# Policy for sysstat. Reports on various system states
-# 
-sysstat = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-# 
-tcpd = module
-
-# Layer: services
-# Module: tgtd
-#
-# Linux Target Framework Daemon.
-# 
-tgtd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = base
-
-# Layer: services
-# Module: usbmuxd
-#
-# Daemon for communicating with Apple's iPod Touch and iPhone
-# 
-usbmuxd = module
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = base
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module
-
-# Layer: services
-# Module: ulogd
-#
-# netfilter/iptables ULOG daemon
-# 
-ulogd = module
-
-# Layer: services
-# Module: vhostmd
-#
-# vhostmd - A metrics gathering daemon
-# 
-vhostmd = module
-
-# Layer: apps
-# Module: wine
-#
-# wine executable
-# 
-wine = module
-
-# Layer: apps
-# Module: wireshark
-#
-# wireshark executable
-# 
-wireshark = module
-
-# Layer: apps
-# Module: telepathy
-#
-# telepathy - Policy for Telepathy framework
-# 
-telepathy = module
-
-# Layer: admin
-# Module: tzdata
-#
-# Policy for tzdata-update
-# 
-tzdata = base
-
-# Layer: apps
-# Module: userhelper
-#
-# A helper interface to pam.
-# 
-userhelper = module
-
-# Layer: services
-# Module: tor
-#
-# TOR, the onion router
-# 
-tor = module
-
-# Layer: apps
-# Module: tvtime
-#
-# tvtime - a high quality television application
-# 
-tvtime = module
-
-# Layer: apps
-# Module: uml
-#
-# Policy for UML
-# 
-uml = module
-
-# Layer: admin
-# Module: usbmodules
-#
-# List kernel modules of USB devices
-# 
-usbmodules = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper
-# 
-usernetctl = module
-
-# Layer: system
-# Module: xen
-#
-# virtualization software
-# 
-xen = module
-
-# Layer: services
-# Module: varnishd
-#
-# Varnishd http accelerator daemon
-# 
-varnishd = module
-
-# Layer: services
-# Module: virt
-#
-# Virtualization libraries
-# 
-virt = module
-
-# Layer: apps
-# Module: qemu
-#
-# Virtualization emulator 
-# 
-qemu = module
-
-# Layer: system
-# Module: brctl
-#
-# Utilities for configuring the linux ethernet bridge
-# 
-brctl = base
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-# 
-telnet = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service
-# 
-timidity = off
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-# 
-tftp = module
-
-# Layer: services
-# Module: tuned
-#
-# Dynamic adaptive system tuning daemon
-#
-tuned = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-# 
-uucp = module
-
-# Layer: services
-# Module: vbetool 
-#
-# run real-mode video BIOS code to alter hardware state
-# 
-vbetool = base
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis
-# 
-webalizer = module
-
-# Layer: services
-# Module: xfs
-#
-# X Windows Font Server
-# 
-xfs = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = base
-
-# Layer: services
-# Module: zarafa
-#
-# Zarafa Collaboration Platform
-# 
-zarafa = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service
-# 
-zebra = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = base
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-# 
-updfstab = base
-
-# Layer: admin
-# Module: vpn
-#
-# Virtual Private Networking client
-# 
-vpn = module
-
-# Layer: admin
-# Module: vbetool
-#
-# run real-mode video BIOS code to alter hardware state
-# 
-vbetool = base
-
-# Layer: kernel
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-# 
-tmpreaper = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-# 
-amtu = module
-
-# Layer: services
-# Module: zabbix
-#
-# Open-source monitoring solution for your IT infrastructure
-#
-zabbix = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-# 
-aide = module
-
-# Layer: services
-# Module: w3c
-#
-# w3c
-# 
-w3c = module
-
-# Layer: services
-# Module: plymouthd
-#
-#  Plymouth
-# 
-plymouthd = module
-
-# Layer: services
-# Module: portreserve
-#
-#  reserve ports to prevent portmap mapping them
-# 
-portreserve = module
-
-# Layer: services
-# Module: rpcbind
-#
-#  universal addresses to RPC program number mapper
-# 
-rpcbind = module
-
-# Layer: apps
-# Module: rssh
-#
-#  Restricted (scp/sftp) only shell
-# 
-rssh = module
-
-# Layer: apps
-# Module: vmware
-#
-# VMWare Workstation virtual machines
-# 
-vmware = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: webadm
-#
-# Minimally prived root role for managing apache
-# 
-webadm = module
-
-#
-# Layer: services
-# Module: exim
-#
-# exim mail server 
-# 
-exim = module
-
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-# 
-kismet = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-# 
-munin = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks  gateway
-# 
-bitlbee = module
-
-# Layer: system
-# Module: sosreport
-#
-# sosreport debuggin information generator
-# 
-sosreport = module
-
-# Layer: services
-# Module: soundserver
-#
-# sound server for network audio server programs, nasd, yiff, etc</summary>
-# 
-soundserver = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-# 
-unconfineduser = module
-
-# Layer:role
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = base
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: prelude
-#
-prelude = module
-
-# Layer: services
-# Module: pads
-#
-pads = module
-
-# Layer: services
-# Module: kerneloops
-#
-# program  to  collect  and  submit  kernel oopses to kerneloops.org
-# 
-kerneloops = module
-
-# Layer: apps
-# Module: openoffice
-#
-# openoffice executable
-# 
-openoffice = module
-
-# Layer: apps
-# Module: podsleuth
-#
-# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
-# 
-podsleuth = module
-
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-# 
-guest = module
-
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-# 
-xguest = module
-
-# Layer: services
-# Module: cgroup
-#
-# Tools and libraries to control and monitor control groups
-# 
-cgroup = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-# 
-courier = module
-
-# Layer: services
-# Module: denyhosts
-#
-# script to help thwart ssh server attacks
-# 
-denyhosts = module
-
-# Layer: apps
-# Module: livecd
-#
-# livecd creator
-# 
-livecd = module
-
-# Layer: services
-# Module: snort
-#
-# Snort network intrusion detection system
-# 
-snort = module
-
-# Layer: services
-# Module: memcached
-#
-#  high-performance memory object caching system
-# 
-memcached = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: services
-# Module: zosremote
-#
-# policy for z/OS Remote-services Audit dispatcher plugin</summary>
-# 
-zosremote = module
-
-# Layer: services
-# Module: pingd
-#
-# 
-pingd = module
-
-# Layer: services
-# Module: milter
-#
-# 
-# 
-milter = module
diff --git a/modules-minimum.conf b/modules-minimum.conf
new file mode 120000
index 0000000..f601659
--- /dev/null
+++ b/modules-minimum.conf
@@ -0,0 +1 @@
+modules-targeted.conf
\ No newline at end of file
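Review bot: Replacing modules-minimum.conf with a symlink to modules-targeted.conf makes the minimum and targeted flavours build from the same module list, so the "minimum" name no longer documents a smaller set of modules on its own. If the reduction is meant to happen elsewhere (the spec, for instance), a comment near the top of modules-targeted.conf such as `# modules-minimum.conf is a symlink to this file; the minimum flavour is reduced elsewhere — TODO(review) confirm where` would save the next maintainer the search. The symlink target is relative, so the two files must remain in the same directory.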
diff --git a/modules-mls.conf b/modules-mls.conf
index e73af3b..c406c69 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1813,6 +1813,13 @@ telepathy = module
 vmware = module
 
 # Layer: role
+# Module: dbadm
+#
+# Minimally prived root role for managing databases
+# 
+dbadm = module
+
+# Layer: role
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
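Review bot: The dbadm module is switched on here and in the identical hunk of modules-targeted.conf, but none of the policy-F14.patch hunks in this commit add a roles/dbadm .te/.if/.fc, so the build presumably relies on the serefpolicy-3.9.0 tarball shipping the module; that is worth confirming before enabling it in two flavours at once. The description copies the `prived` typo from the logadm entry below it; `# Minimally privileged root role for managing databases` reads better in both files.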
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 0b350d3..3164f2c 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2016,6 +2016,13 @@ rssh = module
 vmware = module
 
 # Layer: role
+# Module: dbadm
+#
+# Minimally prived root role for managing databases
+# 
+dbadm = module
+
+# Layer: role
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
diff --git a/policy-F14.patch b/policy-F14.patch
index 11cdb34..9247ef9 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -502,14 +502,18 @@ index 89b9f2a..9cba75f 100644
  	pcscd_read_pub_files(certwatch_t)
  ')
 diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index 2b12a37..ce00934 100644
+index 2b12a37..a370656 100644
 --- a/policy/modules/admin/consoletype.te
 +++ b/policy/modules/admin/consoletype.te
-@@ -85,6 +85,7 @@ optional_policy(`
- 	hal_dontaudit_rw_pipes(consoletype_t)
- 	hal_dontaudit_rw_dgram_sockets(consoletype_t)
- 	hal_dontaudit_write_log(consoletype_t)
-+	hal_dontaudit_read_pid_files(consoletype_t)
+@@ -81,10 +81,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	hal_dontaudit_use_fds(consoletype_t)
+-	hal_dontaudit_rw_pipes(consoletype_t)
+-	hal_dontaudit_rw_dgram_sockets(consoletype_t)
+-	hal_dontaudit_write_log(consoletype_t)
++	hal_dontaudit_leaks(consoletype_t)
  ')
  
  optional_policy(`
@@ -1672,6 +1676,19 @@ index 6a5004b..50cd538 100644
  	rpm_manage_cache(tmpreaper_t)
  ')
  
+diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
+index aa9636d..7851643 100644
+--- a/policy/modules/admin/tzdata.te
++++ b/policy/modules/admin/tzdata.te
+@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
+ # tzdata local policy
+ #
+ 
+-files_read_etc_files(tzdata_t)
++files_read_config_files(tzdata_t)
+ files_search_spool(tzdata_t)
+ 
+ fs_getattr_xattr_fs(tzdata_t)
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
 index aecbf1c..0b5e634 100644
 --- a/policy/modules/admin/usermanage.if
@@ -2341,7 +2358,7 @@ index 00a19e3..46db5ff 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..852f36f 100644
+index f5afe78..ffd9870 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -37,8 +37,26 @@ interface(`gnome_role',`
@@ -2520,7 +2537,7 @@ index f5afe78..852f36f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,12 +189,52 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +189,71 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -2538,6 +2555,25 @@ index f5afe78..852f36f 100644
 +
 +########################################
 +## <summary>
++##	append to generic cache home files (.cache)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_append_generic_cache_files',`
++	gen_require(`
++		type cache_home_t;
++	')
++
++	append_files_pattern($1, cache_home_t, cache_home_t)
++	userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
 +##	write to generic cache home files (.cache)
 +## </summary>
 +## <param name="domain">
@@ -2576,7 +2612,7 @@ index f5afe78..852f36f 100644
  ')
  
  ########################################
-@@ -151,40 +258,270 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +277,288 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -2694,8 +2730,10 @@ index f5afe78..852f36f 100644
  	gen_require(`
 -		type gnome_home_t;
 +		type gconfd_exec_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 gnome_home_t:dir manage_dir_perms;
+-	allow $1 gnome_home_t:file manage_file_perms;
 +	can_exec($1, gconfd_exec_t)
 +')
 +
@@ -2734,10 +2772,8 @@ index f5afe78..852f36f 100644
 +interface(`gnome_search_gconf',`
 +	gen_require(`
 +		type gconf_home_t;
- 	')
- 
--	allow $1 gnome_home_t:dir manage_dir_perms;
--	allow $1 gnome_home_t:file manage_file_perms;
++	')
++
 +	allow $1 gconf_home_t:dir search_dir_perms;
  	userdom_search_user_home_dirs($1)
  ')
@@ -2805,7 +2841,7 @@ index f5afe78..852f36f 100644
 +
 +########################################
 +## <summary>
-+##	read gnome homedir content (.config)
++##	list gnome homedir content (.config)
 +## </summary>
 +## <param name="user_domain">
 +##	<summary>
@@ -2823,6 +2859,24 @@ index f5afe78..852f36f 100644
 +
 +########################################
 +## <summary>
++##	read gnome homedir content (.config)
++## </summary>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++#
++template(`gnome_read_home_config',`
++	gen_require(`
++		type config_home_t;
++	')
++
++	read_files_pattern($1, config_home_t, config_home_t)
++')
++
++########################################
++## <summary>
 +##	Read/Write all inherited gnome home config 
 +## </summary>
 +## <param name="domain">
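Review bot: `gnome_read_home_config` is declared as a `template` with a `user_domain` parameter, yet its body only takes a domain and grants `read_files_pattern($1, config_home_t, config_home_t)`, the same shape as the `interface(`gnome_append_generic_cache_files'` added earlier in this file, so `interface` with a `<param name="domain">` block would be the consistent form. Unlike that sibling it also omits `userdom_search_user_home_dirs($1)`, so a caller without its own search access to user home directories is granted reads it cannot reach; adding that call after the pattern line matches the sibling. Its first caller is udev_t in the udev.te hunk further down, and whether udev_t already has that search access is outside this hunk.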
@@ -6621,7 +6675,7 @@ index 9d24449..9782698 100644
  /opt/google/picasa(/.*)?/bin/notepad --	gen_context(system_u:object_r:wine_exec_t,s0)
  /opt/google/picasa(/.*)?/bin/progman --	gen_context(system_u:object_r:wine_exec_t,s0)
 diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
-index c26662d..9cbfded 100644
+index c26662d..62e455a 100644
 --- a/policy/modules/apps/wine.if
 +++ b/policy/modules/apps/wine.if
 @@ -29,12 +29,16 @@
@@ -6641,7 +6695,17 @@ index c26662d..9cbfded 100644
  	allow wine_t $2:fd use;
  	allow wine_t $2:process { sigchld signull };
  	allow wine_t $2:unix_stream_socket connectto;
-@@ -86,6 +90,7 @@ template(`wine_role',`
+@@ -44,8 +48,7 @@ template(`wine_role',`
+ 	allow $2 wine_t:process signal_perms;
+ 
+ 	allow $2 wine_t:fd use;
+-	allow $2 wine_t:shm { associate getattr };
+-	allow $2 wine_t:shm { unix_read unix_write };
++	allow $2 wine_t:shm { associate getattr  unix_read unix_write };
+ 	allow $2 wine_t:unix_stream_socket connectto;
+ 
+ 	# X access, Home files
+@@ -86,6 +89,7 @@ template(`wine_role',`
  #
  template(`wine_role_template',`
  	gen_require(`
@@ -6649,7 +6713,7 @@ index c26662d..9cbfded 100644
  		type wine_exec_t;
  	')
  
-@@ -101,9 +106,16 @@ template(`wine_role_template',`
+@@ -101,9 +105,16 @@ template(`wine_role_template',`
  	corecmd_bin_domtrans($1_wine_t, $1_t)
  
  	userdom_unpriv_usertype($1, $1_wine_t)
@@ -6668,6 +6732,29 @@ index c26662d..9cbfded 100644
  
  	optional_policy(`
  		xserver_role($1_r, $1_wine_t)
+@@ -153,3 +164,22 @@ interface(`wine_run',`
+ 	wine_domtrans($1)
+ 	role $2 types wine_t;
+ ')
++
++########################################
++## <summary>
++##	Read and write wine Shared
++##	memory segments.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`wine_rw_shm',`
++	gen_require(`
++		type wine_t;
++	')
++
++	allow $1 wine_t:shm rw_shm_perms;
++')
 diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
 index 8af45db..6fe38a1 100644
 --- a/policy/modules/apps/wine.te
@@ -7703,7 +7790,7 @@ index 3517db2..bd4c23d 100644
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..73e4119 100644
+index 5302dac..96a406d 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8001,7 +8088,32 @@ index 5302dac..73e4119 100644
  ')
  
  ########################################
-@@ -5138,12 +5355,12 @@ interface(`files_getattr_generic_locks',`
+@@ -4718,6 +4935,24 @@ interface(`files_read_var_files',`
+ 
+ ########################################
+ ## <summary>
++##	Append files in the /var directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_append_var_files',`
++	gen_require(`
++		type var_t;
++	')
++
++	append_files_pattern($1, var_t, var_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -5138,12 +5373,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -8019,7 +8131,7 @@ index 5302dac..73e4119 100644
  ')
  
  ########################################
-@@ -5317,6 +5534,43 @@ interface(`files_search_pids',`
+@@ -5317,6 +5552,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -8063,7 +8175,7 @@ index 5302dac..73e4119 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5524,6 +5778,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5796,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -8090,7 +8202,7 @@ index 5302dac..73e4119 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5541,6 +5815,7 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +5833,7 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -8098,7 +8210,7 @@ index 5302dac..73e4119 100644
  ')
  
  ########################################
-@@ -5826,3 +6101,229 @@ interface(`files_unconfined',`
+@@ -5826,3 +6119,229 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -8610,7 +8722,7 @@ index e3e17ba..3b34959 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index fb63c3a..712e644 100644
+index fb63c3a..3561f03 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -8621,7 +8733,7 @@ index fb63c3a..712e644 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -67,7 +68,7 @@ fs_type(capifs_t)
+@@ -67,10 +68,11 @@ fs_type(capifs_t)
  files_mountpoint(capifs_t)
  genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
  
@@ -8630,7 +8742,11 @@ index fb63c3a..712e644 100644
  fs_type(cgroup_t)
  files_type(cgroup_t)
  files_mountpoint(cgroup_t)
-@@ -106,6 +107,15 @@ fs_type(ibmasmfs_t)
++dev_associate_sysfs(cgroup_t)
+ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+ 
+ type configfs_t;
+@@ -106,6 +108,15 @@ fs_type(ibmasmfs_t)
  allow ibmasmfs_t self:filesystem associate;
  genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
  
@@ -8646,7 +8762,7 @@ index fb63c3a..712e644 100644
  type inotifyfs_t;
  fs_type(inotifyfs_t)
  genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
-@@ -148,6 +158,12 @@ fs_type(squash_t)
+@@ -148,6 +159,12 @@ fs_type(squash_t)
  genfscon squash / gen_context(system_u:object_r:squash_t,s0)
  files_mountpoint(squash_t)
  
@@ -8659,7 +8775,7 @@ index fb63c3a..712e644 100644
  type vmblock_t;
  fs_noxattr_type(vmblock_t)
  files_mountpoint(vmblock_t)
-@@ -248,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -248,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -10282,10 +10398,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..faef468
+index 0000000..821d0dd
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,458 @@
+@@ -0,0 +1,462 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -10474,7 +10590,11 @@ index 0000000..faef468
 +	')
 +
 +	optional_policy(`
-+		xserver_rw_shm(unconfined_usertype)
++		gen_require(`
++			type user_tmpfs_t;
++		')
++	
++		xserver_rw_session(unconfined_usertype, user_tmpfs_t)
 +		xserver_run_xauth(unconfined_usertype, unconfined_r)
 +		xserver_dbus_chat_xdm(unconfined_usertype)
 +	')
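Review bot: The `gen_require` of `user_tmpfs_t` inside an `optional_policy` block of a .te file reaches directly into a type owned by another module; the usual form is an interface exported by the owning module, which keeps the cross-module dependency visible to the build. If no such interface exists, a comment above the block — `# raw require: xserver_rw_session() takes the user tmpfs type as its second argument` — records why the direct require is used. The blank line after the `')` closing the require carries a trailing tab.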
@@ -12631,7 +12751,7 @@ index 67c91aa..472ddad 100644
  	mta_system_content(apcupsd_tmp_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..1a44ccb 100644
+index 1c8c27e..c6832b0 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
@@ -12650,18 +12770,34 @@ index 1c8c27e..1a44ccb 100644
  dev_read_realtime_clock(apmd_t)
  dev_read_urand(apmd_t)
  dev_rw_apm_bios(apmd_t)
-@@ -144,6 +146,10 @@ ifdef(`distro_redhat',`
+@@ -142,9 +144,8 @@ ifdef(`distro_redhat',`
+ 
+ 	can_exec(apmd_t, apmd_var_run_t)
+ 
+-	# ifconfig_exec_t needs to be run in its own domain for Red Hat
+ 	optional_policy(`
+-		sysnet_domtrans_ifconfig(apmd_t)
++		fstools_domtrans(apmd_t)
+ 	')
  
- 	# ifconfig_exec_t needs to be run in its own domain for Red Hat
  	optional_policy(`
+@@ -155,6 +156,15 @@ ifdef(`distro_redhat',`
+ 		netutils_domtrans(apmd_t)
+ 	')
+ 
++	# ifconfig_exec_t needs to be run in its own domain for Red Hat
++	optional_policy(`
 +		sssd_search_lib(apmd_t)
 +	')
 +
 +	optional_policy(`
- 		sysnet_domtrans_ifconfig(apmd_t)
- 	')
- 
-@@ -218,9 +224,13 @@ optional_policy(`
++		sysnet_domtrans_ifconfig(apmd_t)
++	')
++
+ ',`
+ 	# for ifconfig which is run all the time
+ 	kernel_dontaudit_search_sysctl(apmd_t)
+@@ -218,9 +228,13 @@ optional_policy(`
  	udev_read_state(apmd_t) #necessary?
  ')
  
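Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` now sits above the `sssd_search_lib(apmd_t)` block instead of the `sysnet_domtrans_ifconfig(apmd_t)` block it describes, which this hunk moves two blocks further down; move the comment so it directly precedes the `optional_policy(` holding `sysnet_domtrans_ifconfig(apmd_t)`. The block that now calls `fstools_domtrans(apmd_t)` has no comment at all, and since a transition into the fstools domain is a new capability for apmd, a line naming the helper that needs it (`# apmd runs <helper> via fstools — TODO(review) confirm`) would help later reviewers.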
@@ -15329,10 +15465,23 @@ index 1b492ed..286ec9e 100644
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
-index 305ddf4..2c2a551 100644
+index 305ddf4..fb3454a 100644
 --- a/policy/modules/services/cups.if
 +++ b/policy/modules/services/cups.if
-@@ -314,7 +314,7 @@ interface(`cups_stream_connect_ptal',`
+@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
+ interface(`cups_read_config',`
+ 	gen_require(`
+ 		type cupsd_etc_t, cupsd_rw_etc_t;
++		type hplip_etc_t;
+ 	')
+ 
+ 	files_search_etc($1)
+ 	read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
++	read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ 	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ ')
+ 
+@@ -314,11 +316,12 @@ interface(`cups_stream_connect_ptal',`
  interface(`cups_admin',`
  	gen_require(`
  		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@@ -15341,7 +15490,12 @@ index 305ddf4..2c2a551 100644
  		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
  		type cupsd_var_run_t, ptal_etc_t;
  		type ptal_var_run_t, hplip_var_run_t;
-@@ -341,9 +341,6 @@ interface(`cups_admin',`
+ 		type cupsd_initrc_exec_t;
++		type hplip_etc_t;
+ 	')
+ 
+ 	allow $1 cupsd_t:process { ptrace signal_perms };
+@@ -341,15 +344,14 @@ interface(`cups_admin',`
  
  	admin_pattern($1, cupsd_lpd_var_run_t)
  
@@ -15351,6 +15505,14 @@ index 305ddf4..2c2a551 100644
  	admin_pattern($1, cupsd_tmp_t)
  	files_list_tmp($1)
  
+ 	admin_pattern($1, cupsd_var_run_t)
+ 	files_list_pids($1)
+ 
++	admin_pattern($1, hplip_etc_t)
++
+ 	admin_pattern($1, hplip_var_run_t)
+ 
+ 	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
 index 0f28095..11e74af 100644
 --- a/policy/modules/services/cups.te
@@ -15706,7 +15868,7 @@ index 8ba9425..d53ee7e 100644
 +    gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..a7de603 100644
+index f231f17..ccacea9 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -15734,7 +15896,7 @@ index f231f17..a7de603 100644
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
-@@ -178,13 +182,25 @@ optional_policy(`
+@@ -178,17 +182,33 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -15761,7 +15923,23 @@ index f231f17..a7de603 100644
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
  allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -225,6 +241,8 @@ auth_use_nsswitch(devicekit_power_t)
+ 
++manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
++manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
++files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
++
+ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+@@ -212,6 +232,7 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+ dev_rw_generic_chr_files(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
++dev_read_rand(devicekit_power_t)
+ 
+ files_read_kernel_img(devicekit_power_t)
+ files_read_etc_files(devicekit_power_t)
+@@ -225,6 +246,8 @@ auth_use_nsswitch(devicekit_power_t)
  
  miscfiles_read_localization(devicekit_power_t)
  
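Review bot: `devicekit_power_t` now manages files of type devicekit_tmp_t and gets a tmp file transition, so if another devicekit domain uses the same devicekit_tmp_t type — its declaration is outside this hunk — the daemons can read and overwrite each other's temporary files. A comment above the new block naming why the power daemon needs /tmp (`# devicekit-power writes <what> under /tmp — TODO(review) confirm`) and, if the type is shared, a note that the sharing is deliberate would make the intent checkable. `dev_read_rand(devicekit_power_t)` deserves a one-line justification too; if /dev/urandom would do, `dev_read_urand` is the narrower grant.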
@@ -17104,10 +17282,10 @@ index 03742d8..7b9c543 100644
  ')
  
 diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
-index 7cf6763..d01cab6 100644
+index 7cf6763..5b9771e 100644
 --- a/policy/modules/services/hal.if
 +++ b/policy/modules/services/hal.if
-@@ -377,6 +377,26 @@ interface(`hal_read_pid_files',`
+@@ -377,6 +377,25 @@ interface(`hal_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -17125,8 +17303,7 @@ index 7cf6763..d01cab6 100644
 +		type hald_var_run_t;
 +	')
 +
-+	files_search_pids($1)
-+	allow $1 hald_var_run_t:file read_inherited_file_perms;
++	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
 +
 +########################################
@@ -17134,6 +17311,34 @@ index 7cf6763..d01cab6 100644
  ##	Read/Write hald PID files.
  ## </summary>
  ## <param name="domain">
+@@ -431,3 +450,27 @@ interface(`hal_manage_pid_files',`
+ 	files_search_pids($1)
+ 	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+ ')
++
++########################################
++## <summary>
++##	dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hal_dontaudit_leaks',`
++	gen_require(`
++		type hald_log_t;
++		type hald_t;
++		type hald_var_run_t;
++	')
++
++	dontaudit $1 hald_t:fd use; 
++	dontaudit $1 hald_log_t:file rw_inherited_file_perms;
++	dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; 
++	dontaudit hald_t $1:socket_class_set { read write };
++	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
++')
 diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
 index 24c6253..0a54d67 100644
 --- a/policy/modules/services/hal.te
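Review bot: The summary of `hal_dontaudit_leaks` reads `dontaudit read and write an leaked file descriptors`; suggest `Do not audit use of file descriptors, pipes and pid/log files leaked from hald`, and the param summary `Domain allowed access.` should say the domain is the one whose denials are suppressed, since nothing here is allowed. The lines ending `hald_t:fd use;` and `rw_inherited_fifo_file_perms;` carry trailing whitespace. Note also that `dontaudit hald_t $1:socket_class_set { read write };` adds a rule on hald_t itself from every module that calls this interface, so denials of hald writing to the caller's sockets become invisible in the audit log; a comment stating that this is intentional would stop it being read as a mistake.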
@@ -17233,19 +17438,21 @@ index 24c6253..0a54d67 100644
  #
  # Local hald dccm policy
 diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
-index a57ffc0..fbcdd74 100644
+index a57ffc0..f441c9a 100644
 --- a/policy/modules/services/icecast.te
 +++ b/policy/modules/services/icecast.te
-@@ -37,6 +37,8 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+@@ -37,7 +37,10 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
  manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
  files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
  
 +kernel_read_system_state(icecast_t)
 +
  corenet_tcp_bind_soundd_port(icecast_t)
++corenet_tcp_connect_soundd_port(icecast_t)
  
  # Init script handling
-@@ -51,5 +53,9 @@ miscfiles_read_localization(icecast_t)
+ domain_use_interactive_fds(icecast_t)
+@@ -51,5 +54,9 @@ miscfiles_read_localization(icecast_t)
  sysnet_dns_name_resolve(icecast_t)
  
  optional_policy(`
@@ -23017,10 +23224,19 @@ index a96249c..ca97ead 100644
  	role_transition $2 rpcbind_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index d6d76e1..af3353c 100644
+index d6d76e1..9cb5e25 100644
 --- a/policy/modules/services/rpcbind.te
 +++ b/policy/modules/services/rpcbind.te
-@@ -71,3 +71,7 @@ sysnet_dns_name_resolve(rpcbind_t)
+@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ kernel_request_load_module(rpcbind_t)
+ 
++corecmd_exec_shell(rpcbind_t)
++
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
+ corenet_all_recvfrom_netlabel(rpcbind_t)
+ corenet_tcp_sendrecv_generic_if(rpcbind_t)
+@@ -71,3 +73,7 @@ sysnet_dns_name_resolve(rpcbind_t)
  ifdef(`hide_broken_symptoms',`
  	dontaudit rpcbind_t self:udp_socket listen;
  ')
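Review bot: `corecmd_exec_shell(rpcbind_t)` lets the rpcbind daemon, which this file gives network receive and send access, execute a shell in its own domain; that is a large widening for a two-line change with no comment. If rpcbind only runs one specific helper, a domain transition into that helper's domain is the narrower grant; otherwise a comment above the line naming the script that triggered the denial (`# rpcbind runs <script> at start-up — TODO(review) confirm`) records why the access is needed.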
@@ -26774,7 +26990,7 @@ index da2601a..6ff8f25 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8084740..288d513 100644
+index 8084740..60da940 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@@ -27578,7 +27794,7 @@ index 8084740..288d513 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,14 +1072,34 @@ optional_policy(`
+@@ -775,20 +1072,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27614,7 +27830,17 @@ index 8084740..288d513 100644
  
  optional_policy(`
  	userhelper_search_config(xserver_t)
-@@ -804,10 +1121,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+ ')
+ 
+ optional_policy(`
++	wine_rw_shm(xserver_t)
++')
++
++optional_policy(`
+ 	xfs_stream_connect(xserver_t)
+ ')
+ 
+@@ -804,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -27627,7 +27853,7 @@ index 8084740..288d513 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,6 +1145,13 @@ init_use_fds(xserver_t)
+@@ -828,6 +1149,13 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -27641,7 +27867,7 @@ index 8084740..288d513 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -843,11 +1167,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -843,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -27658,7 +27884,7 @@ index 8084740..288d513 100644
  ')
  
  optional_policy(`
-@@ -993,3 +1320,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+@@ -993,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -30291,7 +30517,7 @@ index 9df8c4d..1d2236b 100644
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index bf416a4..6f36eca 100644
+index bf416a4..af2af2d 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -30330,7 +30556,18 @@ index bf416a4..6f36eca 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -141,6 +147,10 @@ optional_policy(`
+@@ -131,6 +137,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gnome_append_generic_cache_files(ldconfig_t)
++')
++
++optional_policy(`
+ 	puppet_rw_tmp(ldconfig_t)
+ ')
+ 
+@@ -141,6 +151,10 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
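Review bot: `gnome_append_generic_cache_files(ldconfig_t)` lets the ldconfig domain append to files under users' `.cache` directories, which is surprising for a system library-cache tool and has no comment. A line above the block naming the trigger (`# ldconfig invoked from a user session appends to ~/.cache/<file> — TODO(review) confirm`) would explain it, and if the append is not needed for ldconfig's own work, a dontaudit rather than an allow keeps the daemon out of user home content.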
@@ -30963,7 +31200,7 @@ index 9c0faab..def8d5a 100644
  ##	loading modules.
  ## </summary>
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 74a4466..a3b7b0d 100644
+index 74a4466..f39f39f 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -18,6 +18,7 @@ type insmod_t;
@@ -30974,7 +31211,7 @@ index 74a4466..a3b7b0d 100644
  role system_r types insmod_t;
  
  # module loading config
-@@ -55,12 +56,14 @@ corecmd_search_bin(depmod_t)
+@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t)
  
  domain_use_interactive_fds(depmod_t)
  
@@ -30985,11 +31222,12 @@ index 74a4466..a3b7b0d 100644
  files_read_etc_files(depmod_t)
  files_read_usr_src_files(depmod_t)
  files_list_usr(depmod_t)
++files_append_var_files(depmod_t)
 +files_read_boot_files(depmod_t)
  
  fs_getattr_xattr_fs(depmod_t)
  
-@@ -74,6 +77,7 @@ userdom_use_user_terminals(depmod_t)
+@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t)
  # Read System.map from home directories.
  files_list_home(depmod_t)
  userdom_read_user_home_content_files(depmod_t)
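Review bot: `files_append_var_files(depmod_t)` grants append on every file labelled var_t, the generic type for anything under /var without a more specific label, which is far wider than a module-dependency tool should need. If the target is one known file, giving it a dedicated type or using the owning module's interface is the narrower fix; at minimum a comment naming the file that triggered the denial should sit above the line, e.g. `# depmod appends to /var/<file> — TODO(review) confirm path`.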
@@ -30997,7 +31235,7 @@ index 74a4466..a3b7b0d 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -94,17 +98,21 @@ optional_policy(`
+@@ -94,17 +99,21 @@ optional_policy(`
  	rpm_manage_script_tmp_files(depmod_t)
  ')
  
@@ -31020,7 +31258,7 @@ index 74a4466..a3b7b0d 100644
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms;
-@@ -125,6 +133,7 @@ kernel_write_proc_files(insmod_t)
+@@ -125,6 +134,7 @@ kernel_write_proc_files(insmod_t)
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
@@ -31028,7 +31266,7 @@ index 74a4466..a3b7b0d 100644
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +151,7 @@ dev_rw_agp(insmod_t)
+@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t)
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -31036,7 +31274,7 @@ index 74a4466..a3b7b0d 100644
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -160,11 +170,15 @@ files_write_kernel_modules(insmod_t)
+@@ -160,11 +171,15 @@ files_write_kernel_modules(insmod_t)
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -31052,7 +31290,7 @@ index 74a4466..a3b7b0d 100644
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -173,8 +187,7 @@ miscfiles_read_localization(insmod_t)
+@@ -173,8 +188,7 @@ miscfiles_read_localization(insmod_t)
  
  seutil_read_file_contexts(insmod_t)
  
@@ -31062,7 +31300,7 @@ index 74a4466..a3b7b0d 100644
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  if( ! secure_mode_insmod ) {
-@@ -191,6 +204,10 @@ optional_policy(`
+@@ -191,6 +205,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31073,7 +31311,7 @@ index 74a4466..a3b7b0d 100644
  	hal_write_log(insmod_t)
  ')
  
-@@ -229,10 +246,18 @@ optional_policy(`
+@@ -229,10 +247,18 @@ optional_policy(`
  	rpm_rw_pipes(insmod_t)
  ')
  
@@ -31691,10 +31929,21 @@ index 2cc4bda..9e81136 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..3f27d1b 100644
+index 170e2c7..bbaa8cf 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
-@@ -361,6 +361,27 @@ interface(`seutil_exec_restorecon',`
+@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, load_policy_exec_t, load_policy_t)
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit load_policy_t $1:socket_class_set { read write };
++	')
+ ')
+ 
+ ########################################
+@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
  
  ########################################
  ## <summary>
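Review bot: The new `dontaudit load_policy_t $1:socket_class_set { read write };` in `seutil_domtrans_loadpolicy`, and the parallel additions in the `seutil_domtrans_setfiles` and `seutil_domtrans_semanage` hunks below, silence writes by the transitioned domain to sockets inherited from the caller; that is the right shape for leaked descriptors, but the rule lives in an interface any module can call, so the set of hidden denials grows with every caller. A short comment inside each `ifdef` — `# callers commonly leak socket fds across the transition; hide those denials` — would tell a reader why `hide_broken_symptoms` is the guard and that the rule targets the transitioned domain, not the caller.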
@@ -31722,7 +31971,18 @@ index 170e2c7..3f27d1b 100644
  ##	Execute run_init in the run_init domain.
  ## </summary>
  ## <param name="domain">
-@@ -545,6 +566,53 @@ interface(`seutil_run_setfiles',`
+@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',`
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit setfiles_t $1:socket_class_set { read write };
++	')
+ ')
+ 
+ ########################################
+@@ -545,6 +574,53 @@ interface(`seutil_run_setfiles',`
  
  ########################################
  ## <summary>
@@ -31776,7 +32036,7 @@ index 170e2c7..3f27d1b 100644
  ##	Execute setfiles in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -690,6 +758,7 @@ interface(`seutil_manage_config',`
+@@ -690,6 +766,7 @@ interface(`seutil_manage_config',`
  	')
  
  	files_search_etc($1)
@@ -31784,10 +32044,18 @@ index 170e2c7..3f27d1b 100644
  	manage_files_pattern($1, selinux_config_t, selinux_config_t)
  	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
  ')
-@@ -1009,6 +1078,26 @@ interface(`seutil_domtrans_semanage',`
- 
- ########################################
- ## <summary>
+@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',`
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, semanage_exec_t, semanage_t)
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit semanage_t $1:socket_class_set { read write };
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a domain transition to run setsebool.
 +## </summary>
 +## <param name="domain">
@@ -31804,14 +32072,10 @@ index 170e2c7..3f27d1b 100644
 +	files_search_usr($1)
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute semanage in the semanage domain, and
- ##	allow the specified role the semanage domain,
- ##	and use the caller's terminal.
-@@ -1038,6 +1127,54 @@ interface(`seutil_run_semanage',`
+ ')
+ 
+ ########################################
+@@ -1038,6 +1139,54 @@ interface(`seutil_run_semanage',`
  
  ########################################
  ## <summary>
@@ -31866,7 +32130,7 @@ index 170e2c7..3f27d1b 100644
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1149,3 +1286,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -33234,7 +33498,7 @@ index 025348a..59bc26b 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..a5d4a43 100644
+index a054cf5..8451600 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -33282,7 +33546,7 @@ index a054cf5..a5d4a43 100644
  ')
  
  optional_policy(`
-@@ -216,6 +224,10 @@ optional_policy(`
+@@ -216,11 +224,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33293,7 +33557,24 @@ index a054cf5..a5d4a43 100644
  	consoletype_exec(udev_t)
  ')
  
-@@ -259,6 +271,10 @@ optional_policy(`
+ optional_policy(`
+ 	cups_domtrans_config(udev_t)
++	cups_read_config(udev_t)
+ ')
+ 
+ optional_policy(`
+@@ -233,6 +246,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gnome_read_home_config(udev_t)
++')
++
++optional_policy(`
+ 	lvm_domtrans(udev_t)
+ ')
+ 
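Review bot: `gnome_read_home_config(udev_t)` gives the udev daemon read access to users' `.config` files (config_home_t), and `cups_read_config(udev_t)` in the same hunk adds cups and, after this commit, hplip configuration; neither has a comment naming the udev rule or helper that needs it. A system-wide device-event daemon reading per-user desktop configuration is unusual enough that the trigger should be recorded — `# udev helper <name> reads ~/.config/<file> — TODO(review) confirm` — or, if the denial is harmless, a dontaudit interface may be preferable to a grant. As added in the gnome.if hunk, the template does not grant search on user home directories, so this call may be ineffective unless udev_t already has that access from elsewhere.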
+@@ -259,6 +276,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33304,7 +33585,7 @@ index a054cf5..a5d4a43 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +289,10 @@ optional_policy(`
+@@ -273,6 +294,10 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4e87e9a..a39aad9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Aug 26 2010 Dan Walsh <dwalsh at redhat.com> 3.9.0-2
+- More access needed for devicekit
+- Add dbadm policy
+
 * Thu Aug 26 2010 Dan Walsh <dwalsh at redhat.com> 3.9.0-1
 - Merge with upstream
 
diff --git a/sources b/sources
index 5304f11..cb5f564 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-1f8151f0184945098f3cc3ca0b53e861  serefpolicy-3.8.8.tgz
 9012ab09af5480459942d4a54de91db4  serefpolicy-3.9.0.tgz

