diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc 2010-01-19 12:03:52.541857693 +0100 @@ -1,5 +1,7 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) + /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100 @@ -11,6 +11,7 @@ /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100 
@@ -73,6 +73,7 @@ sysnet_dns_name_resolve(podsleuth_t) +userdom_read_user_tmpfs_files(podsleuth_t) userdom_signal_unpriv_users(podsleuth_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-18 18:27:02.742545576 +0100 @@ -45,9 +45,10 @@ allow sandbox_x_domain $1:process { sigchld signal }; allow sandbox_x_domain sandbox_x_domain:process signal; # Dontaudit leaked file descriptors - dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms; + dontaudit sandbox_x_domain $1:fifo_file { read write }; dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; manage_files_pattern($1, sandbox_file_type, sandbox_file_type); manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); @@ -103,9 +104,10 @@ # template(`sandbox_x_domain_template',` gen_require(` - type xserver_exec_t; + type xserver_exec_t, sandbox_devpts_t; type sandbox_xserver_t; attribute sandbox_domain, sandbox_x_domain; + attribute sandbox_file_type; ') type $1_t, sandbox_x_domain; @@ -163,10 +165,6 @@ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) - - optional_policy(` - xserver_common_app($1_t) - ') ') ######################################## 
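Review bot: The `gen_require` of `sandbox_x_domain_template` now pulls in `sandbox_devpts_t` and `attribute sandbox_file_type`, but nothing in this hunk uses either symbol, so unless they are referenced further down the template (its body runs well past the hunk) they are dead requires that only add a hard dependency on those declarations. If they are used later, a short comment beside the require naming the rule that needs them, e.g. `# sandbox_devpts_t / sandbox_file_type used by the pty and cleanup rules below`, would save the next reader the search. The narrowing of the fifo dontaudit from `rw_fifo_file_perms` to `{ read write }` in the previous hunk looks deliberate, so nothing is proposed there.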
@@ -187,3 +185,39 @@ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ') + +######################################## +## +## allow domain to delete sandbox files +## +## +## +## Domain to not audit. +## +## +# +interface(`sandbox_delete_files',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## +## allow domain to delete sandbox files +## +## +## +## Domain to not audit. +## +## +# +interface(`sandbox_delete_dirs',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-18 18:27:02.743530757 +0100 @@ -10,14 +10,15 @@ # sandbox_domain_template(sandbox) +sandbox_x_domain_template(sandbox_min) sandbox_x_domain_template(sandbox_x) sandbox_x_domain_template(sandbox_web) sandbox_x_domain_template(sandbox_net) type sandbox_xserver_t; domain_type(sandbox_xserver_t) -xserver_common_app(sandbox_xserver_t) permissive sandbox_xserver_t; +xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t) type sandbox_xserver_tmpfs_t; files_tmpfs_file(sandbox_xserver_tmpfs_t) @@ -92,10 +93,6 @@ ') ') -optional_policy(` - xserver_common_app(sandbox_xserver_t) -') - ######################################## # # sandbox local policy 
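Review bot: Both new interfaces describe their parameter as `Domain to not audit.`, but `sandbox_delete_files` and `sandbox_delete_dirs` expand to `delete_files_pattern`/`delete_dirs_pattern`, which are allow rules, so the text should be `Domain allowed access.` as in the other interfaces added by this patch. The summary of `sandbox_delete_dirs` is a copy of the files one; `allow domain to delete sandbox directories` would match what it grants. Since both act on everything carrying `sandbox_file_type`, a sentence in the summary noting that the caller can remove any sandbox's files, not only its own, would help callers decide whether they want this much.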
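Review bot: `xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)` is placed before `type sandbox_xserver_tmpfs_t;` is declared two lines below; checkpolicy's separate declaration pass makes this link, but moving the call to just after `files_tmpfs_file(sandbox_xserver_tmpfs_t)` keeps the declare-then-use layout the rest of the file follows and avoids the question. The replacement is unwrapped like the `xserver_common_app` line it replaces while the `optional_policy` duplicate at the old line 92 is removed in the next hunk, so the module keeps a hard dependency on xserver — fine if intended, worth a comment otherwise. `permissive sandbox_xserver_t;` survives in this hunk, so none of the rules for that domain are enforced yet; a `# TODO: drop permissive once denials are resolved` comment would keep that from being forgotten.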
@@ -104,7 +101,7 @@ ## internal communication is often done using fifo and unix sockets. allow sandbox_domain self:fifo_file manage_file_perms; allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; -allow sandbox_domain self:unix_dgram_socket create_socket_perms; +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; gen_require(` type usr_t, lib_t, locale_t; @@ -161,7 +158,7 @@ auth_dontaudit_read_login_records(sandbox_x_domain) auth_dontaudit_write_login_records(sandbox_x_domain) -#auth_use_nsswitch(sandbox_x_domain) +auth_use_nsswitch(sandbox_x_domain) auth_search_pam_console_data(sandbox_x_domain) init_read_utmp(sandbox_x_domain) @@ -179,12 +176,20 @@ miscfiles_read_fonts(sandbox_x_domain) optional_policy(` + cups_stream_connect(sandbox_x_domain) + cups_read_rw_config(sandbox_x_domain) +') + +optional_policy(` gnome_read_gconf_config(sandbox_x_domain) ') optional_policy(` - cups_stream_connect(sandbox_x_domain) - cups_read_rw_config(sandbox_x_domain) + nscd_dontaudit_search_pid(sandbox_x_domain) +') + +optional_policy(` + sssd_dontaudit_search_lib(sandbox_x_domain) ') userdom_dontaudit_use_user_terminals(sandbox_x_domain) @@ -207,7 +212,7 @@ corenet_tcp_connect_ipp_port(sandbox_x_client_t) -#auth_use_nsswitch(sandbox_x_client_t) +auth_use_nsswitch(sandbox_x_client_t) dbus_system_bus_client(sandbox_x_client_t) dbus_read_config(sandbox_x_client_t) @@ -267,7 +272,7 @@ corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) corenet_tcp_connect_speech_port(sandbox_web_client_t) -#auth_use_nsswitch(sandbox_web_client_t) +auth_use_nsswitch(sandbox_web_client_t) dbus_system_bus_client(sandbox_web_client_t) dbus_read_config(sandbox_web_client_t) 
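Review bot: Uncommenting `auth_use_nsswitch(sandbox_x_domain)` gives every domain carrying the `sandbox_x_domain` attribute the whole nsswitch bundle, which in refpolicy is more than reading local account files — it normally brings DNS resolution and, under the ldap/nis tunables, connections to those services — so the sandboxes gain network reach the commented-out line withheld. If only local lookups are needed, `files_read_etc_files` (already used elsewhere in this patch) covers the /etc files; otherwise a comment stating why sandboxed X applications need name-service access would record the widening. The same uncommenting is repeated for `sandbox_x_client_t` (`@@ -207`), `sandbox_web_client_t` (`@@ -267`) and `sandbox_net_client_t` (`@@ -310`); if those client types also carry `sandbox_x_domain`, the per-type calls are redundant with this one.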
@@ -310,7 +315,7 @@ corenet_tcp_connect_all_ports(sandbox_net_client_t) corenet_sendrecv_all_client_packets(sandbox_net_client_t) -#auth_use_nsswitch(sandbox_net_client_t) +auth_use_nsswitch(sandbox_net_client_t) dbus_system_bus_client(sandbox_net_client_t) dbus_read_config(sandbox_net_client_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-18 18:24:22.657540000 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-18 18:27:02.744541291 +0100 @@ -143,6 +143,10 @@ userdom_unpriv_usertype($1, $1_wine_t) userdom_manage_tmpfs_role($2, $1_wine_t) + tunable_policy(`wine_mmap_zero_ignore',` + allow $1_wine_t self:memprotect mmap_zero; + ') + domain_mmap_low_type($1_wine_t) tunable_policy(`mmap_low_allowed',` domain_mmap_low($1_wine_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-18 18:24:22.664530344 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-01-18 18:27:02.745530942 +0100 @@ -6,6 +6,15 @@ # Declarations # +## +##
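Review bot: The new `tunable_policy(`wine_mmap_zero_ignore',` block is an `allow $1_wine_t self:memprotect mmap_zero;`, not a dontaudit, so with the boolean on the wine domain may genuinely map the zero page — the very thing `mmap_min_addr` exists to prevent, because a kernel NULL-pointer dereference then becomes exploitable — yet the boolean's name and its description `Ignore wine mmap_zero errors` (wine.te hunk below) read as if it merely silences audit noise. Reword the description to state the effect, e.g. `Allow wine to map the zero page (mmap_zero); this weakens the kernel's mmap_min_addr NULL-dereference protection`, and consider a name without "ignore". The block also sits next to the existing `domain_mmap_low_type`/`mmap_low_allowed` pair, which appears to govern the same permission, so two booleans now control one capability; if one supersedes the other, say so in a comment. The identical block is repeated for `wine_t` in wine.te (`@@ -29,6 +38,11 @@`).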

+## Ignore wine mmap_zero errors +##

+##
+# +gen_tunable(wine_mmap_zero_ignore, false) + + type wine_t; type wine_exec_t; application_domain(wine_t, wine_exec_t) @@ -29,6 +38,11 @@ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir }) +tunable_policy(`wine_mmap_zero_ignore',` + allow wine_t self:memprotect mmap_zero; +') + + domain_mmap_low_type(wine_t) tunable_policy(`mmap_low_allowed',` domain_mmap_low(wine_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:10:56.565608631 +0100 @@ -92,8 +92,8 @@ network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dccm, tcp,5679,s0, udp,5679,s0) -network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0) -network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) +network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-18 18:27:02.746530790 +0100 
@@ -162,6 +162,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) + /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-18 18:27:02.749530752 +0100 @@ -3833,6 +3833,24 @@ write_chr_files_pattern($1, device_t, v4l_device_t) ') +##################################### +## +## Read or write userio device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_userio_dev',` + gen_require(` + type device_t, userio_device_t; + ') + + rw_chr_files_pattern($1, device_t, userio_device_t) +') + ######################################## ## ## Read and write VMWare devices. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-18 18:27:02.751530797 +0100 
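Review bot: The `dev_rw_userio_dev` summary says only `Read or write userio device.`; since UIO nodes expose a device's memory regions and interrupt notifications to user space, the summary should make clear this is effectively raw hardware access, e.g. `Read and write userio (UIO) devices; this exposes the device memory mapped by the kernel UIO driver`, so callers treat it like the other raw-device interfaces. The header rule above it is 37 `#` characters while the neighbouring interfaces use 40; cosmetic, but easy to align while here. The `/dev/uio[0-9]+` context in devices.fc and the `userio_device_t` declaration in devices.te are consistent with this interface.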
@@ -233,6 +233,12 @@ type usb_device_t; dev_node(usb_device_t) +# +# userio_device_t is the type for /dev/uio[0-9]+ +# +type userio_device_t; +dev_node(userio_device_t) + type v4l_device_t; dev_node(v4l_device_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-18 18:27:02.752530994 +0100 @@ -2,7 +2,7 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) /usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) /usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-01-18 18:27:02.753530981 +0100 
@@ -39,6 +39,8 @@ type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) role unconfined_r types unconfined_t; +role_transition system_r unconfined_exec_t unconfined_r; +allow system_r unconfined_r; domain_user_exemption_target(unconfined_t) allow system_r unconfined_r; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-01-18 18:27:02.754531109 +0100 @@ -15,7 +15,7 @@ ## ##
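Review bot: The added `allow system_r unconfined_r;` duplicates the identical `allow system_r unconfined_r;` that already sits two lines below, with `domain_user_exemption_target(unconfined_t)` between them, so one copy should go. The `role_transition system_r unconfined_exec_t unconfined_r;` is what makes the vncserver relabel to `unconfined_exec_t` in unconfineduser.fc actually land in `unconfined_r` when started from initrc, so the two hunks must ship together; a comment such as `# programs labelled unconfined_exec_t started by init (e.g. vncserver) switch to unconfined_r` would tie them for the next reader, since an init-started service now runs fully unconfined.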

-## Allow xguest to configure Network Manager +## Allow xguest to configure Network Manager and connect to apache ports ##

##
gen_tunable(xguest_connect_network, true) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 +++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-18 18:27:02.754531109 +0100 @@ -96,6 +96,7 @@ corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) +dev_getattr_all_chr_files(abrt_t) dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_memory_dev(abrt_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-18 18:27:02.756530665 +0100 @@ -16,6 +16,7 @@ attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_sys_content_t; ') #This type is for webpages type httpd_$1_content_t; @@ -123,6 +124,8 @@ allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + + allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; ') tunable_policy(`httpd_enable_cgi',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-18 18:30:54.720781297 +0100 
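Review bot: `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` is added unconditionally inside `apache_content_template`, so every templated script domain (sys, user and any third-party instance) may traverse the system content tree regardless of the `httpd_enable_cgi` tunable guarding the block just below; if the intent is only that scripts can resolve paths under the document root, a comment such as `# scripts search the DocumentRoot tree to reach their own content` would justify the placement, otherwise the rule belongs under the tunable. The companion `type httpd_sys_content_t;` require is needed for that line; since the template itself declares `httpd_$1_content_t`, it is worth confirming the build accepts requiring the type in the same module that declares it when instantiated with `sys`. The template continues beyond this hunk.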
@@ -309,7 +309,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -files_var_filetrans(httpd_t, httpd_cache_t, dir) +files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100 @@ -31,7 +31,7 @@ # allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; -allow apcupsd_t self:process signal; +allow apcupsd_t self:process { signal signull }; allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 11:57:43.789607625 +0100 
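Review bot: Widening `files_var_filetrans(httpd_t, httpd_cache_t, { file dir })` means any regular file httpd creates directly in a `var_t` directory is now typed `httpd_cache_t`, which is a labelling decision for the top of /var rather than for a cache subdirectory; a one-line comment naming the file that motivated it, e.g. `# httpd writes [file] straight into /var; label it as cache`, would let a later reader judge whether it is still needed instead of silently keeping the wider rule.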
@@ -6,4 +6,4 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-18 18:27:02.758531199 +0100 @@ -555,6 +555,7 @@ logging_send_syslog_msg(cupsd_lpd_t) miscfiles_read_localization(cupsd_lpd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) cups_stream_connect(cupsd_lpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-18 18:32:00.705531307 +0100 @@ -277,6 +277,8 @@ ') tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(dovecot_deliver_t) + fs_manage_nfs_dirs(dovecot_t) fs_manage_nfs_files(dovecot_deliver_t) fs_manage_nfs_symlinks(dovecot_deliver_t) fs_manage_nfs_files(dovecot_t) @@ -284,6 +286,8 @@ ') tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(dovecot_deliver_t) + fs_manage_cifs_dirs(dovecot_t) fs_manage_cifs_files(dovecot_deliver_t) fs_manage_cifs_symlinks(dovecot_deliver_t) fs_manage_cifs_files(dovecot_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-18 18:24:22.784531151 +0100 +++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-18 18:27:02.761531161 +0100 
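Review bot: The corrected path `/var/lib/avahi-autoipd(/.*)` still has no trailing `?`, so the directory itself never matches and keeps whatever label /var/lib gives it; only its contents become `avahi_var_lib_t`. The sibling `/var/run/avahi-daemon(/.*)?` line in the same hunk shows the intended form, so the line should read `/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)`.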
@@ -138,6 +138,24 @@ dontaudit $1 fail2ban_t:unix_stream_socket { read write }; ') +####################################### +## +## Read and write to an fail2ban unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl }; +') + ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-01-18 18:27:02.762530869 +0100 @@ -115,6 +115,43 @@ role $2 types ftpdctl_t; ') +###################################### +## +## Allow domain dyntransition to sftpd-anon domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_dyntransition_sftpd_anon',` + gen_require(` + type anon_sftpd_t; + ') + + allow $1 anon_sftpd_t:process dyntransition; +') + +###################################### +## +## Allow domain dyntransition to sftpd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_dyntransition_sftpd',` + gen_require(` + type sftpd_t; + ') + + allow $1 sftpd_t:process dyntransition; + allow sftpd_t $1:process sigchld; +') + ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-18 18:24:22.787539983 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-01-18 18:27:02.763531066 +0100 @@ -53,6 +53,39 @@ ## gen_tunable(ftp_home_dir, false) +## +##
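Review bot: `fail2ban_rw_stream_sockets` grants `{ getattr read write ioctl }` on fail2ban's unix_stream_socket, narrower than the `rw_socket_perms` macro used for sockets elsewhere in this file; that is appropriate for an inherited descriptor, but a why-comment (`# only what an inherited fd needs; no connect/bind`) would stop someone "upgrading" it to the macro later. The summary `Read and write to an fail2ban unix stream socket.` should read `a fail2ban`, and the header rule is one `#` short of the 40 used by the interface that follows.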
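Review bot: `ftp_dyntransition_sftpd_anon` requires and targets `anon_sftpd_t`, but the type this same patch declares in ftp.te is `sftpd_anon_t`, so the interface names a type that does not exist and will fail for any caller at link time; it should be `type sftpd_anon_t;` in the require and `allow $1 sftpd_anon_t:process dyntransition;`. The two interfaces are also asymmetric — `ftp_dyntransition_sftpd` adds `allow sftpd_t $1:process sigchld;` while the anon variant has no sigchld rule — so either the anon one is missing it or the difference deserves a comment. Because these are `dyntransition` (setcon) rather than exec-based transitions, the target domain keeps the caller's open descriptors and address space; the summaries should say so, e.g. `Allow the caller to dyntransition (setcon) into the sftpd domain; no exec occurs, so inherited descriptors are retained`, which is what an sshd policy author needs to know before using them.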

+## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +##

+##
+gen_tunable(sftpd_anon_write, false) + +## +##

+## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +##

+##
+gen_tunable(sftpd_full_access, false) + +## +##

+## Allow interlnal-sftp to read and write files +## in the user ssh home directories. +##

+##
+gen_tunable(sftpd_write_ssh_home, false) + +## +##

+## Allow sftp-internal to read and write files +## in the user home directories +##

+##
+gen_tunable(sftp_enable_homedirs, false) + type ftpd_t; type ftpd_exec_t; init_daemon_domain(ftpd_t, ftpd_exec_t) @@ -93,6 +126,14 @@ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) ') +type sftpd_t; +domain_type(sftpd_t) +role system_r types sftpd_t; + +type sftpd_anon_t; +domain_type(sftpd_anon_t) +role system_r types sftpd_anon_t; + ######################################## # # ftpd local policy 
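Review bot: The `sftpd_write_ssh_home` description has the typo `interlnal-sftp`, and the fourth boolean is named `sftp_enable_homedirs` while the other three use the `sftpd_` prefix, so boolean listings will not group them; `sftpd_enable_homedirs` would be consistent, with the same rename in the local-policy hunk at the end of the file where it is referenced. The `sftpd_full_access` text says access is `governed by DAC`, yet the policy block for that boolean grants `dac_override dac_read_search`, which is precisely what lets a privileged process bypass DAC; either drop the capability grant or reword the description so it does not promise a limit the policy does not impose. The second hunk in this file declares `sftpd_t` and `sftpd_anon_t` with `domain_type` only, which is consistent with them being reachable solely via the dyntransition interfaces in ftp.if — a comment saying so next to the declarations would help.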
@@ -342,3 +383,76 @@ files_read_etc_files(ftpdctl_t) userdom_use_user_terminals(ftpdctl_t) + +####################################### +# +# sftpd-anon local policy +# + +files_read_etc_files(sftpd_anon_t) + +miscfiles_read_public_files(sftpd_anon_t) + +tunable_policy(`sftpd_anon_write',` + miscfiles_manage_public_files(sftpd_anon_t) +') + +####################################### +# +# sftpd local policy +# + +files_read_etc_files(sftpd_t) + +# allow read access to /home by default +userdom_read_user_home_content_files(sftpd_t) +userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) + +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) +') + +tunable_policy(`sftpd_write_ssh_home',` + ssh_manage_user_home_files(sftpd_t) +') + +tunable_policy(`sftp_enable_homedirs',` + allow sftpd_t self:capability { dac_override dac_read_search }; + + # allow access to /home + files_list_home(sftpd_t) + userdom_read_user_home_content_files(sftpd_t) + userdom_manage_user_home_content(sftpd_t) + + auth_read_all_dirs_except_shadow(sftpd_t) + auth_read_all_files_except_shadow(sftpd_t) + auth_read_all_symlinks_except_shadow(sftpd_t) +', ` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) +') + +tunable_policy(`sftp_enable_homedirs && use_nfs_home_dirs',` + fs_manage_nfs_dirs(sftpd_t) + fs_manage_nfs_files(sftpd_t) + fs_manage_nfs_symlinks(sftpd_t) +') + +tunable_policy(`sftp_enable_homedirs && use_samba_home_dirs',` + fs_manage_cifs_dirs(sftpd_t) + fs_manage_cifs_files(sftpd_t) + fs_manage_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(sftpd_t) + fs_read_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(sftpd_t) + 
fs_read_nfs_symlinks(ftpd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100 +++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-18 18:27:02.764531054 +0100 @@ -73,7 +73,7 @@ # allow gitd_type self:fifo_file rw_fifo_file_perms; -allow gitd_type self:tcp_socket create_socket_perms; +allow gitd_type self:tcp_socket create_stream_socket_perms; allow gitd_type self:udp_socket create_socket_perms; allow gitd_type self:unix_dgram_socket create_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100 +++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-19 17:08:35.663632666 +0100 @@ -86,6 +86,7 @@ optional_policy(` sssd_read_config_files($1) + sssd_read_public_files($1) ') tunable_policy(`allow_kerberos',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100 +++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100 @@ -1,5 +1,5 @@ -policy_module(memcached, 1.1.0) +policy_module(memcached, 1.1.1) ######################################## # 
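Review bot: Inside `tunable_policy(`use_nfs_home_dirs',` at the end of the sftpd section the second rule is `fs_read_nfs_symlinks(ftpd_t)` while every other rule in the block targets `sftpd_t`; this looks like a copy-paste slip that leaves sftpd_t unable to follow NFS symlinks and hands ftpd_t a rule that belongs elsewhere, so it should read `fs_read_nfs_symlinks(sftpd_t)`. `userdom_read_user_home_content_files(sftpd_t)` is granted unconditionally under `# allow read access to /home by default` and then again inside the `sftp_enable_homedirs` branch; the second copy is redundant. The `sftpd_full_access` block pairs `allow sftpd_t self:capability { dac_override dac_read_search }` with `auth_manage_all_files_except_shadow(sftpd_t)`, which together let a process that still holds those capabilities read and write nearly everything regardless of ownership, contradicting the boolean's "governed by DAC" wording — a comment stating whether any process is expected to run here with root capabilities would settle whether the grant is needed. The `else` branch comment `# Needed for permissive mode` is a little misleading: the filetrans also matters in enforcing mode whenever the boolean is off, so `# label new home content correctly even when home access is disabled` would be more accurate.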
@@ -22,9 +22,12 @@ # allow memcached_t self:capability { setuid setgid }; +dontaudit memcached_t self:capability sys_tty_config; +allow memcached_t self:process { fork setrlimit signal_perms }; allow memcached_t self:tcp_socket create_stream_socket_perms; allow memcached_t self:udp_socket { create_socket_perms listen }; allow memcached_t self:fifo_file rw_fifo_file_perms; +allow memcached_t self:unix_stream_socket create_stream_socket_perms; corenet_all_recvfrom_unlabeled(memcached_t) corenet_udp_sendrecv_generic_if(memcached_t) @@ -42,12 +45,15 @@ manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) -files_read_etc_files(memcached_t) - +kernel_read_kernel_sysctls(memcached_t) kernel_read_system_state(memcached_t) +files_read_etc_files(memcached_t) + auth_use_nsswitch(memcached_t) miscfiles_read_localization(memcached_t) -sysnet_dns_name_resolve(memcached_t) +term_dontaudit_use_all_user_ptys(memcached_t) +term_dontaudit_use_all_user_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-18 18:27:02.765531460 +0100 
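Review bot: The hunk drops `sysnet_dns_name_resolve(memcached_t)` without a replacement; that is only safe if `auth_use_nsswitch(memcached_t)`, which stays in the context above, already provides DNS resolution in this tree (it usually does in refpolicy, but the interface is not visible here), so a comment `# DNS lookups come via auth_use_nsswitch` would record the reasoning. In the new `allow memcached_t self:process { fork setrlimit signal_perms };`, `fork` is commonly granted by the base domain rules already, in which case it is harmless noise, and `setrlimit` deserves a why-comment (presumably the daemon raises its descriptor limit — confirm against the denial).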
@@ -27,26 +27,62 @@ # check disk plugins /usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) # system plugins -/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nwstat -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) # services plugins /usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_mysql -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ups -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-18 18:27:02.766531099 +0100 @@ -118,6 +118,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) +corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) + dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100 +++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-18 18:27:02.767531435 +0100 @@ -85,6 +85,7 @@ corenet_udp_bind_generic_node(openvpn_t) corenet_tcp_bind_openvpn_port(openvpn_t) corenet_udp_bind_openvpn_port(openvpn_t) +corenet_tcp_bind_http_port(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_connect_http_cache_port(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100 +++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100 @@ -443,6 +443,7 @@ optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) + spamassassin_kill_client(postfix_pipe_t) ') optional_policy(` 
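Review bot: `check_breeze` and `check_dummy` are added under the `# system plugins` heading but labelled `nagios_services_plugin_exec_t`, so either the label or the placement is wrong; the services section below is where that type is otherwise used. `/usr/lib(64)?/nagios/plugins/check_by_ssh` gets the type `nagios_unconfined_plugin_exec_t`, which the nagios.te hunk in this patch does not declare — if it is not declared elsewhere the contexts will fail to load, and if it is, a comment saying why a plugin whose job is to run commands on remote hosts over ssh is deliberately unconfined would help a reviewer accept it. `check_disk_smb` is filed with the local-disk checkers (`nagios_checkdisk_plugin_exec_t`) although it reaches an SMB share over the network, so that domain may now need network rules it was not designed for; confirm against nagios.te. Ordering nits: `check_game` precedes `check_fping`, and `check_sip`/`check_smtp`/`check_snmp.*`/`check_ssh` sit after `check_time`, breaking the alphabetical order the rest of the list keeps.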
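Review bot: `corenet_tcp_bind_http_port(openvpn_t)` lets the VPN daemon listen on every port in the http port class, which in refpolicy typically covers 443 and some proxy ports as well as 80 (confirm in corenetwork.te.in), so a why-comment is warranted: `# OpenVPN is commonly run on tcp/443 to pass restrictive firewalls`. Without it a later reader may assume the web port was granted by mistake and remove it, or fail to notice that openvpn can now bind port 80.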
@@ -486,7 +487,7 @@ ') optional_policy(` - sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t) + sendmail_rw_unix_stream_sockets(postfix_postdrop_t) ') optional_policy(` @@ -573,6 +574,8 @@ # Postfix smtp delivery local policy # +allow postfix_smtp_t self:capability { sys_chroot }; + # connect to master process stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 +++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-18 18:27:02.770531119 +0100 @@ -286,6 +286,8 @@ allow smbd_t winbind_t:process { signal signull }; +allow smbd_t swat_t:process signal; + kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) @@ -485,6 +487,8 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +allow nmbd_t swat_t:process signal; + allow nmbd_t smbcontrol_t:process signal; allow nmbd_t smbd_var_run_t:dir rw_dir_perms; @@ -661,6 +665,7 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; +samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow swat_t nmbd_exec_t:file mmap_file_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-01-18 18:27:02.771531176 +0100 
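Review bot: The added `allow postfix_smtp_t self:capability { sys_chroot };` in the smtp delivery hunk of postfix.te braces a single permission, whereas single permissions elsewhere in this diff are written bare, i.e. `allow postfix_smtp_t self:capability sys_chroot;`. The rule also has no comment while its neighbour is annotated (`# connect to master process`); presumably the capability is needed when the smtp service runs chrooted via master.cf, and a short comment saying so, marked as an assumption to confirm, would help. The earlier hunk in the same file that turns `sendmail_dontaudit_rw_unix_stream_sockets` into `sendmail_rw_unix_stream_sockets` is a grant rather than an audit suppression and would benefit from the same kind of justification.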
@@ -136,6 +136,8 @@ optional_policy(` fail2ban_read_lib_files(sendmail_t) + fail2ban_rw_stream_sockets(sendmail_t) + ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100 +++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100 @@ -25,9 +25,9 @@ # # Local policy # -allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; +allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; -allow snmpd_t self:process { signal_perms getsched setsched }; +allow snmpd_t self:process { signal signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100 +++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100 
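Review bot: The sendmail.te hunk adds an empty line between `fail2ban_rw_stream_sockets(sendmail_t)` and the closing `')` of the optional_policy block, which no other optional_policy block in this diff does. Dropping that blank line keeps the block in the file's usual shape. The enclosing optional_policy opens inside the hunk, so nothing else is affected.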
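Review bot: In the snmp.te hunk, `allow snmpd_t self:process { signal signal_perms getsched setsched };` lists `signal` next to `signal_perms`, but signal_perms (defined in policy/support/obj_perm_sets.spt) already expands to a set that includes signal, so the added token is redundant and that line could stay as it was. The `chown` capability added on the line above is a real privilege increase and carries no comment naming what snmpd needs to chown; something like `# chown needed for <object whose ownership snmpd changes>` next to the rule would record the reason. Redundant permissions are harmless to the kernel but make future audits of the capability line harder.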
@@ -267,6 +267,24 @@ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ') +###################################### +## +## Send kill signal to spamassassin client +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_kill_client',` + gen_require(` + type spamc_t; + ') + + allow $1 spamc_t:process sigkill; +') + ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-18 18:27:02.774530790 +0100 @@ -8,31 +8,6 @@ ## ##
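Review bot: The comment bar above the new `spamassassin_kill_client` interface is 38 characters wide, while the existing bar later in the same hunk (above `All of the rules required to administrate`) is the 40-character form the file uses; the new header should match. The interface body itself, `allow $1 spamc_t:process sigkill;`, follows the module's usual pattern and is as narrow as its summary says. The same short bar appears on the new `miscfiles_setattr_fonts_cache_dirs` interface in miscfiles.if.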

-## Allow sftp to upload files, used for public file -## transfer services. Directories must be labeled -## public_content_rw_t. -##

-##
-gen_tunable(allow_sftpd_anon_write, false) - -## -##

-## Allow sftp to login to local users and -## read/write all files on the system, governed by DAC. -##

-##
-gen_tunable(allow_sftpd_full_access, false) - -## -##

-## Allow interlnal-sftp to read and write files -## in the user ssh home directories. -##

-##
-gen_tunable(sftpd_ssh_home_dir, false) - -## -##

## allow host key based authentication ##

##
@@ -69,10 +44,6 @@ type sshd_tmpfs_t; files_tmpfs_file(sshd_tmpfs_t) -type sftpd_t; -domain_type(sftpd_t) -role system_r types sftpd_t; - ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ') @@ -361,6 +332,11 @@ ') optional_policy(` + ftp_dyntransition_sftpd(sshd_t) + ftp_dyntransition_sftpd_anon(sshd_t) +') + +optional_policy(` gitosis_manage_var_lib(sshd_t) ') @@ -468,49 +444,3 @@ udev_read_db(ssh_keygen_t) ') -####################################### -# -# sftp Local policy -# - -allow ssh_server sftpd_t:process dyntransition; - -ssh_sigchld(sftpd_t) - -files_read_all_files(sftpd_t) -files_read_all_symlinks(sftpd_t) - -fs_read_noxattr_fs_files(sftpd_t) -fs_read_nfs_files(sftpd_t) -fs_read_cifs_files(sftpd_t) - -# allow access to /home by default -userdom_manage_user_home_content_dirs(sftpd_t) -userdom_manage_user_home_content_files(sftpd_t) -userdom_manage_user_home_content_symlinks(sftpd_t) - -userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) - -tunable_policy(`allow_sftpd_anon_write',` - miscfiles_manage_public_files(sftpd_t) -') - -tunable_policy(`allow_sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) - auth_manage_all_files_except_shadow(sftpd_t) -') - -tunable_policy(`sftpd_ssh_home_dir',` - ssh_manage_user_home_files(sftpd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(sftpd_t) - fs_manage_nfs_files(sftpd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(sftpd_t) - fs_manage_cifs_files(sftpd_t) -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-01-19 17:08:41.212631842 +0100 
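Review bot: In the ssh.te hunk at -361 the replacement for the deleted sftp policy grants the dynamic transition only to `sshd_t` (`ftp_dyntransition_sftpd(sshd_t)`), whereas the removed rule was `allow ssh_server sftpd_t:process dyntransition;` on the `ssh_server` attribute; if any other domain carries that attribute it loses the transition silently. The three tunables removed at the top of the file (`allow_sftpd_anon_write`, `allow_sftpd_full_access`, `sftpd_ssh_home_dir`) are not re-created anywhere in this diff, so either the ftp module now provides them or the boolean names change for administrators; the commit should say which. Both ftp_dyntransition_* calls sit in one optional_policy block, which is correct only if both interfaces live in the same module.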
@@ -4,6 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-18 18:24:22.901529830 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-19 17:08:45.945631552 +0100 @@ -12,8 +12,7 @@ # interface(`sssd_domtrans',` gen_require(` - type sssd_t; - type sssd_exec_t; + type sssd_t, sssd_exec_t; ') domtrans_pattern($1, sssd_exec_t, sssd_t) @@ -26,7 +25,7 @@ ##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -40,6 +39,25 @@ ######################################## ## +## Read sssd public files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_read_public_files',` + gen_require(` + type sssd_public_t; + ') + + sssd_search_lib($1) + read_files_pattern($1, sssd_public_t, sssd_public_t) +') + +######################################## +## ## Read sssd PID files. ## ## @@ -59,7 +77,7 @@ ######################################## ## -## Manage sssd var_run files. +## Read sssd config files. ## ## ## @@ -67,18 +85,18 @@ ## ## # -interface(`sssd_manage_pids',` +interface(`sssd_read_config_files',` gen_require(` - type sssd_var_run_t; + type sssd_config_t; ') - manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) - manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) + sssd_search_lib($1) + read_files_pattern($1, sssd_config_t, sssd_config_t) ') ######################################## ## -## Search sssd lib directories. +## Manage sssd var_run files. ## ## ## @@ -86,18 +104,18 @@ ## ## # -interface(`sssd_search_lib',` +interface(`sssd_manage_pids',` gen_require(` - type sssd_var_lib_t; + type sssd_var_run_t; ') - allow $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) + manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) + manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) ') ######################################## ## -## Read sssd lib files. +## Search sssd lib directories. ## ## ## @@ -105,18 +123,18 @@ ## ## # -interface(`sssd_read_lib_files',` +interface(`sssd_search_lib',` gen_require(` type sssd_var_lib_t; ') + allow $1 sssd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) - read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ') ######################################## ## -## Read sssd config files. +## dontaudit search sssd lib directories. ## ## ## 
@@ -124,19 +142,18 @@ ## ## # -interface(`sssd_read_config_files',` +interface(`sssd_dontaudit_search_lib',` gen_require(` - type sssd_config_t; + type sssd_var_lib_t; ') - sssd_search_lib($1) - read_files_pattern($1, sssd_config_t, sssd_config_t) + dontaudit $1 sssd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) ') ######################################## ## -## Create, read, write, and delete -## sssd lib files. +## Read sssd lib files. ## ## ## @@ -144,18 +161,19 @@ ## ## # -interface(`sssd_manage_lib_files',` +interface(`sssd_read_lib_files',` gen_require(` type sssd_var_lib_t; ') files_search_var_lib($1) - manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) + read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ') ######################################## ## -## Manage sssd var_lib files. +## Create, read, write, and delete +## sssd lib files. ## ## ## @@ -163,17 +181,15 @@ ## ## # -interface(`sssd_manage_var_lib',` +interface(`sssd_manage_lib_files',` gen_require(` type sssd_var_lib_t; ') - manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t) + files_search_var_lib($1) manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) - manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ') - ######################################## ## ## Send and receive messages from @@ -238,16 +254,13 @@ # interface(`sssd_admin',` gen_require(` - type sssd_t; + type sssd_t, sssd_public_t; + type sssd_initrc_exec_t; ') allow $1 sssd_t:process { ptrace signal_perms getattr }; read_files_pattern($1, sssd_t, sssd_t) - gen_require(` - type sssd_initrc_exec_t; - ') - # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) domain_system_change_exemption($1) 
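Review bot: The new `sssd_dontaudit_search_lib` interface mixes a dontaudit with an allow: after `dontaudit $1 sssd_var_lib_t:dir search_dir_perms;` it calls `files_search_var_lib($1)`, which grants search on /var/lib instead of suppressing its audit. A dontaudit interface is normally free of grants, so either drop the `files_search_var_lib($1)` line or use the matching dontaudit interface from files.if if one exists. Callers that really need to traverse the directory should call `sssd_search_lib` instead.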
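Review bot: The hunk at -163 turns `sssd_manage_var_lib` into `sssd_manage_lib_files` and drops its `manage_dirs_pattern` and `manage_lnk_files_pattern` rules, so the interface name `sssd_manage_var_lib` no longer exists in sssd.if. Any module outside this diff that still calls it will fail to build; the commit should either keep a deprecated wrapper or state that callers were checked. Since `sssd_manage_lib_files` ends up identical to its previous definition, the net change is the removal of directory and symlink management, not a rename.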
@@ -257,4 +270,6 @@ sssd_manage_pids($1) sssd_manage_lib_files($1) + + admin_pattern($1, sssd_public_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-18 18:24:22.901529830 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-01-19 17:08:54.487643800 +0100 @@ -1,5 +1,5 @@ -policy_module(sssd, 1.0.0) +policy_module(sssd, 1.0.1) ######################################## # @@ -13,6 +13,9 @@ type sssd_initrc_exec_t; init_script_file(sssd_initrc_exec_t) +type sssd_public_t; +files_pid_file(sssd_public_t) + type sssd_var_lib_t; files_type(sssd_var_lib_t) @@ -31,6 +34,9 @@ allow sssd_t self:fifo_file rw_file_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) +manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) @@ -43,8 +49,6 @@ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) -fs_list_inotifyfs(sssd_t) - kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) @@ -58,6 +62,8 @@ files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) +fs_list_inotifyfs(sssd_t) + auth_use_nsswitch(sssd_t) auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) 
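Review bot: `sssd_public_t` is declared with `files_pid_file(sssd_public_t)` in the sssd.te hunk at -13, but sssd.fc labels it on `/var/lib/sss/pubconf(/.*)?` under /var/lib and the new `sssd_read_public_files` interface reaches it through `sssd_search_lib`. files_pid_file() presumably also attaches the generic pid-file attribute, so every domain with blanket /var/run access would gain access to these files; `files_type(sssd_public_t)`, as used for sssd_var_lib_t two lines below, looks like the intended declaration — confirm.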
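Review bot: The sssd.te hunk at -31 gives sssd_t manage rights on sssd_public_t dirs and files but adds no transition from sssd_var_lib_t, so a `pubconf` directory created by the daemon at runtime would inherit sssd_var_lib_t and only become sssd_public_t after a relabel. If the package ships the directory pre-labelled that is fine; otherwise a `filetrans_pattern(sssd_t, sssd_var_lib_t, sssd_public_t, dir)` is worth weighing, bearing in mind that without name-based transitions it would apply to every directory sssd_t creates under /var/lib/sss.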
@@ -69,7 +75,7 @@ miscfiles_read_localization(sssd_t) -userdom_manage_tmp_role(system_t, sssd_t) +userdom_manage_tmp_role(system_r, sssd_t) optional_policy(` dbus_system_bus_client(sssd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100 @@ -50,6 +50,7 @@ manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) +kernel_read_system_state(tftpd_t) kernel_read_kernel_sysctls(tftpd_t) kernel_list_proc(tftpd_t) kernel_read_proc_symlinks(tftpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100 +++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-18 18:27:02.776530834 +0100 @@ -226,7 +226,7 @@ sysnet_domtrans_ifconfig(virtd_t) sysnet_read_config(virtd_t) -userdom_dontaudit_list_admin_dir(virtd_t) +userdom_list_admin_dir(virtd_t) userdom_getattr_all_users(virtd_t) userdom_list_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) @@ -430,6 +430,8 @@ corenet_tcp_connect_virt_migration_port(virt_domain) dev_read_sound(virt_domain) +dev_read_rand(virt_domain) +dev_read_urand(virt_domain) dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100 +++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-01-18 18:27:02.777542764 +0100 
@@ -65,6 +65,8 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -105,6 +107,7 @@ /var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) /var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) @@ -116,6 +119,7 @@ /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 +++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-18 18:27:02.779530727 +0100 
@@ -301,6 +301,8 @@ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) +allow xauth_t xserver_t:unix_stream_socket connectto; + domain_use_interactive_fds(xauth_t) dev_rw_xserver_misc(xauth_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100 @@ -125,6 +125,10 @@ ') optional_policy(` + brctl_domtrans(hotplug_t) +') + +optional_policy(` consoletype_exec(hotplug_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100 +++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-18 18:27:02.782531248 +0100 @@ -212,6 +212,10 @@ ') optional_policy(` + dbus_system_bus_client(init_t) +') + +optional_policy(` # /var/run/dovecot/login/ssl-parameters.dat is a hard link to # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up # the directory. But we do not want to allow this. @@ -872,6 +876,7 @@ optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-18 18:27:02.783531305 +0100 
@@ -1,3 +1,5 @@ + +/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100 +++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-01-18 18:27:02.783531305 +0100 @@ -35,10 +35,13 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms; allow iscsid_t self:sem create_sem_perms; allow iscsid_t self:shm create_shm_perms; +allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; allow iscsid_t self:netlink_socket create_socket_perms; allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; allow iscsid_t self:tcp_socket create_stream_socket_perms; +can_exec(iscsid_t, iscsid_exec_t) + manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) files_lock_filetrans(iscsid_t, iscsi_lock_t, file) @@ -67,6 +70,7 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) +dev_rw_userio_dev(iscsid_t) domain_use_interactive_fds(iscsid_t) domain_read_all_domains_state(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100 +++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-19 12:16:16.415620342 +0100 
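Review bot: The iscsi.fc hunk inserts an empty line as the first line of the file, ahead of the new `/sbin/brcm_iscsiuio` entry; the other .fc files in this diff start directly with an entry, so the leading blank line is stray. Only `/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)` is needed. The matching `can_exec(iscsid_t, iscsid_exec_t)` in iscsi.te lets iscsid run that helper in its own domain, which is consistent with labelling it iscsid_exec_t.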
@@ -245,6 +245,7 @@ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -433,8 +434,14 @@ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100 +++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-18 18:27:02.787531116 +0100 
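Review bot: Two of the new textrel_shlib_t entries in the libraries.fc hunk at -433 leave the `.` before `so` unescaped, `/opt/Unify/SQLBase/libgptsblmsui11.so.*` and `/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb.so.*`, whereas the neighbouring `/opt/lampp/lib/libsybdb\.so.*` and the rest of the file write `\.so`. An unescaped dot matches any character, so the patterns are slightly wider than intended; use `libgptsblmsui11\.so.*` and `libtbb\.so.*`. The empty lines inserted between the last three entries also break the otherwise compact list.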
@@ -618,3 +618,22 @@ manage_lnk_files_pattern($1, locale_t, locale_t) ') +####################################### +## +## Set the attributes on a fonts cache directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_setattr_fonts_cache_dirs',` + gen_require(` + type fonts_cache_t; + ') + + allow $1 fonts_cache_t:dir setattr; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100 +++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-18 18:27:02.788530824 +0100 @@ -181,6 +181,7 @@ auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) files_mounton_non_security(mount_t) + files_rw_all_inherited_files(mount_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100 +++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100 @@ -190,6 +190,7 @@ init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) +init_write_script_pipes(load_policy_t) miscfiles_read_localization(load_policy_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100 +++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100 
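Review bot: The new `miscfiles_setattr_fonts_cache_dirs` interface in miscfiles.if leaves an extra empty line after its closing `')` at the end of the file, and its comment bar is one character shorter than the 40-character bar the file's other interfaces use. Both are cosmetic but will show up as whitespace noise in the next diff. The rule itself, `allow $1 fonts_cache_t:dir setattr;`, is as narrow as the name promises.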
@@ -21,6 +21,8 @@ allow $1 self:capability all_capabilities; allow $1 self:fifo_file manage_fifo_file_perms; + allow $1 self:socket_class_set create_socket_perms; + # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-18 18:24:22.977540055 +0100 +++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-18 18:27:02.791532114 +0100 @@ -6,4 +6,5 @@ /dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) /dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100 +++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-01-18 18:27:02.794530889 +0100 @@ -3631,6 +3631,24 @@ ######################################## ## +## Allow domain to list /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## ## Allow Search /root ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100 +++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-18 18:27:02.796530655 +0100 
@@ -248,6 +248,7 @@ # allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; +allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; @@ -268,6 +269,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t) +files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) fs_list_tmpfs(xenconsoled_t) @@ -286,6 +288,10 @@ xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) +optional_policy(` + ptchown_domtrans(xenconsoled_t) +') + ######################################## # # Xen store local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100 +++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-18 18:27:02.798533004 +0100 
@@ -28,7 +28,7 @@ # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users --- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100 +++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100 @@ -15,7 +15,7 @@ # and a user process should never be assigned the system user # identity. # -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) # # user_u is a generic user identity for Linux users who have no
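Review bot: Adding `tun_socket` to `socket_class_set` in obj_perm_sets.spt makes every user of the macro, including the new `allow $1 self:socket_class_set create_socket_perms;` in unconfined.if, reference that class, so the policy no longer builds unless `tun_socket` is declared in policy/flask/security_classes and access_vectors. Neither file is touched in this diff, so presumably the declaration already exists, but the commit should say so. How kernels that predate the class treat the resulting rules is a separate compatibility question worth a line in the changelog.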