diff --git a/policy-20071130.patch b/policy-20071130.patch
index 66030ba..82d3eb7 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -8,106 +8,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.3.1/
- Label /proc/kallsyms with system_map_t.
- 64-bit capabilities from Stephen Smalley.
- Labeled networking peer object class updates.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
---- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400
-@@ -235,7 +235,7 @@
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
-
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -309,20 +309,22 @@
-
- # parse-rolemap modulename,outputfile
- define parse-rolemap
-- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+ echo "" >> $2
-+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
-
- # perrole-expansion modulename,outputfile
- define perrole-expansion
-- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-- $(call parse-rolemap,$1,$2)
-- $(verbose) echo "')" >> $2
--
-- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-- $(call parse-rolemap-compat,$1,$2)
-- $(verbose) echo "')" >> $2
-+ echo "No longer doing perrole-expansion"
-+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+# $(call parse-rolemap,$1,$2)
-+# $(verbose) echo "')" >> $2
-+
-+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+# $(call parse-rolemap-compat,$1,$2)
-+# $(verbose) echo "')" >> $2
- endef
-
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -521,6 +523,10 @@
- @mkdir -p $(appdir)/users
- $(verbose) $(INSTALL) -m 644 $^ $@
-
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+ @mkdir -p $(appdir)
-+ $(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- @mkdir -p $(appdir)
- $(verbose) $(INSTALL) -m 644 $< $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
---- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- @echo "Compliling $(NAME) $(@F) module"
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
-- $(call perrole-expansion,$(basename $(@F)),$@.role)
-- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+# $(call perrole-expansion,$(basename $(@F)),$@.role)
-+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- $(verbose) $(genperm) $(avs) $(secclass) > $@
-- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
-
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -147,7 +147,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- $(verbose) echo "" > $@
-- $(call parse-rolemap,base,$@)
-+# $(call parse-rolemap,base,$@)
-
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400
-@@ -96,7 +96,7 @@
- #
- # Load the binary policy
- #
--reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- @echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
- @touch $(tmpdir)/load
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context 2008-04-21 11:02:47.859787000 -0400
@@ -791,6 +691,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
+--- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500
++++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400
+@@ -235,7 +235,7 @@
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -309,20 +309,22 @@
+
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++ echo "" >> $2
++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+- $(call parse-rolemap,$1,$2)
+- $(verbose) echo "')" >> $2
+-
+- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+- $(call parse-rolemap-compat,$1,$2)
+- $(verbose) echo "')" >> $2
++ echo "No longer doing perrole-expansion"
++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++# $(call parse-rolemap,$1,$2)
++# $(verbose) echo "')" >> $2
++
++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++# $(call parse-rolemap-compat,$1,$2)
++# $(verbose) echo "')" >> $2
+ endef
+
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -521,6 +523,10 @@
+ @mkdir -p $(appdir)/users
+ $(verbose) $(INSTALL) -m 644 $^ $@
+
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++ @mkdir -p $(appdir)
++ $(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ @mkdir -p $(appdir)
+ $(verbose) $(INSTALL) -m 644 $< $@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-02-18 14:30:19.000000000 -0500
+++ serefpolicy-3.3.1/man/man8/httpd_selinux.8 2008-04-21 11:02:47.931714000 -0400
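Review bot: In the re-added Makefile section, `perrole-expansion` only runs `echo "No longer doing perrole-expansion"` and no longer writes `$2`, yet the `Rules.modular` section that commented out its caller and dropped `$@.role` from the m4 inputs is deleted by the first hunk and is not re-added in the visible part of this diff. If that section is not carried elsewhere in the patch, the `$(tmpdir)/%.mod` rule would still hand m4 a `$@.role` file that is never created, so this needs confirming before the patch is applied. Separately, the disabled recipe lines are kept as `#` lines inside the `define` bodies, where make still expands them and passes them to the shell as recipe lines. Deleting them and writing the remaining line as `$(verbose) echo "No longer doing perrole-expansion"` would keep the macro readable and the build output quiet.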
@@ -2577,6 +2533,109 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400
+@@ -55,7 +55,7 @@
+ #
+
+ # Use capabilities.
+- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_sudo_t self:process { setexec setrlimit };
+ allow $1_sudo_t self:fd use;
+@@ -68,33 +68,35 @@
+ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_sudo_t self:unix_dgram_socket sendto;
+ allow $1_sudo_t self:unix_stream_socket connectto;
+- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++ allow $1_sudo_t self:key manage_key_perms;
++ allow $1_sudo_t $1_t:key search;
+
+ # Enter this derived domain from the user domain
+ domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t,$2)
++ corecmd_bin_domtrans($1_sudo_t,$2)
+ allow $2 $1_sudo_t:fd use;
+ allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ allow $2 $1_sudo_t:process sigchld;
+
+ kernel_read_kernel_sysctls($1_sudo_t)
+ kernel_read_system_state($1_sudo_t)
+- kernel_search_key($1_sudo_t)
++ kernel_link_key($1_sudo_t)
+
+ dev_read_urand($1_sudo_t)
+
+ fs_search_auto_mountpoints($1_sudo_t)
+ fs_getattr_xattr_fs($1_sudo_t)
+
+- auth_domtrans_chk_passwd($1_sudo_t)
++ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ # sudo stores a token in the pam_pid directory
+ auth_manage_pam_pid($1_sudo_t)
+ auth_use_nsswitch($1_sudo_t)
+
+ corecmd_read_bin_symlinks($1_sudo_t)
+- corecmd_getattr_all_executables($1_sudo_t)
++ corecmd_exec_all_executables($1_sudo_t)
+
+ domain_use_interactive_fds($1_sudo_t)
+ domain_sigchld_interactive_fds($1_sudo_t)
+@@ -106,32 +108,42 @@
+ files_getattr_usr_files($1_sudo_t)
+ # for some PAM modules and for cwd
+ files_dontaudit_search_home($1_sudo_t)
++ files_list_tmp($1_sudo_t)
+
+ init_rw_utmp($1_sudo_t)
+
+ libs_use_ld_so($1_sudo_t)
+ libs_use_shared_libs($1_sudo_t)
+
++ logging_send_audit_msgs($1_sudo_t)
+ logging_send_syslog_msg($1_sudo_t)
+
+ miscfiles_read_localization($1_sudo_t)
+
++ mta_per_role_template($1, $1_sudo_t, $3)
++
+ userdom_manage_user_home_content_files($1,$1_sudo_t)
+ userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
+ userdom_manage_user_tmp_files($1,$1_sudo_t)
+ userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
++ userdom_exec_user_home_content_files($1,$1_sudo_t)
+ userdom_use_user_terminals($1,$1_sudo_t)
+ userdom_use_unpriv_users_fds($1_sudo_t)
+ # for some PAM modules and for cwd
++ userdom_search_sysadm_home_content_dirs($1_sudo_t)
+ userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+
+- ifdef(`TODO',`
+- # for when the network connection is killed
+- dontaudit unpriv_userdomain $1_sudo_t:process signal;
+-
+- ifdef(`mta.te', `
+- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+- ')
++ domain_role_change_exemption($1_sudo_t)
++ userdom_spec_domtrans_all_users($1_sudo_t)
+
+- ') dnl end TODO
++ selinux_validate_context($1_sudo_t)
++ selinux_compute_relabel_context($1_sudo_t)
++ selinux_getattr_fs($1_sudo_t)
++ seutil_read_config($1_sudo_t)
++ seutil_search_default_contexts($1_sudo_t)
++
++ term_use_all_user_ttys($1_sudo_t)
++ term_use_all_user_ptys($1_sudo_t)
++ term_relabel_all_user_ttys($1_sudo_t)
++ term_relabel_all_user_ptys($1_sudo_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-04-21 11:02:48.064582000 -0400
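Review bot: The sudo template carried here gives `$1_sudo_t` three broad grants with no rationale beside them: `corecmd_exec_all_executables($1_sudo_t)` (replacing the getattr-only call), `userdom_spec_domtrans_all_users($1_sudo_t)` and `domain_role_change_exemption($1_sudo_t)`. The domain already holds `setuid`, `setgid` and `dac_override`, and the only visible reverts to the caller are `corecmd_shell_domtrans` and `corecmd_bin_domtrans`, so going by the interface names, executables with other labels would appear to run inside the sudo domain itself; the interface definitions are outside this hunk and should be checked. I would put a why-comment above each grant, for the last two something like `# needed so sudo can start the command in another role/domain` if that is the intent, and check whether `term_relabel_all_user_ttys` and `term_relabel_all_user_ptys` can be limited to the calling user's terminals. This commit only relocates the section within the patch file, and the template body starts and ends outside the inner hunks shown.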
@@ -2707,109 +2766,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
')
#######################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400
-@@ -55,7 +55,7 @@
- #
-
- # Use capabilities.
-- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_sudo_t self:process { setexec setrlimit };
- allow $1_sudo_t self:fd use;
-@@ -68,33 +68,35 @@
- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_sudo_t self:unix_dgram_socket sendto;
- allow $1_sudo_t self:unix_stream_socket connectto;
-- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
-+ allow $1_sudo_t self:key manage_key_perms;
-+ allow $1_sudo_t $1_t:key search;
-
- # Enter this derived domain from the user domain
- domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
-
- # By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_sudo_t,$2)
-+ corecmd_bin_domtrans($1_sudo_t,$2)
- allow $2 $1_sudo_t:fd use;
- allow $2 $1_sudo_t:fifo_file rw_file_perms;
- allow $2 $1_sudo_t:process sigchld;
-
- kernel_read_kernel_sysctls($1_sudo_t)
- kernel_read_system_state($1_sudo_t)
-- kernel_search_key($1_sudo_t)
-+ kernel_link_key($1_sudo_t)
-
- dev_read_urand($1_sudo_t)
-
- fs_search_auto_mountpoints($1_sudo_t)
- fs_getattr_xattr_fs($1_sudo_t)
-
-- auth_domtrans_chk_passwd($1_sudo_t)
-+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
- # sudo stores a token in the pam_pid directory
- auth_manage_pam_pid($1_sudo_t)
- auth_use_nsswitch($1_sudo_t)
-
- corecmd_read_bin_symlinks($1_sudo_t)
-- corecmd_getattr_all_executables($1_sudo_t)
-+ corecmd_exec_all_executables($1_sudo_t)
-
- domain_use_interactive_fds($1_sudo_t)
- domain_sigchld_interactive_fds($1_sudo_t)
-@@ -106,32 +108,42 @@
- files_getattr_usr_files($1_sudo_t)
- # for some PAM modules and for cwd
- files_dontaudit_search_home($1_sudo_t)
-+ files_list_tmp($1_sudo_t)
-
- init_rw_utmp($1_sudo_t)
-
- libs_use_ld_so($1_sudo_t)
- libs_use_shared_libs($1_sudo_t)
-
-+ logging_send_audit_msgs($1_sudo_t)
- logging_send_syslog_msg($1_sudo_t)
-
- miscfiles_read_localization($1_sudo_t)
-
-+ mta_per_role_template($1, $1_sudo_t, $3)
-+
- userdom_manage_user_home_content_files($1,$1_sudo_t)
- userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
- userdom_manage_user_tmp_files($1,$1_sudo_t)
- userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
-+ userdom_exec_user_home_content_files($1,$1_sudo_t)
- userdom_use_user_terminals($1,$1_sudo_t)
- userdom_use_unpriv_users_fds($1_sudo_t)
- # for some PAM modules and for cwd
-+ userdom_search_sysadm_home_content_dirs($1_sudo_t)
- userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-
-- ifdef(`TODO',`
-- # for when the network connection is killed
-- dontaudit unpriv_userdomain $1_sudo_t:process signal;
--
-- ifdef(`mta.te', `
-- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-- ')
-+ domain_role_change_exemption($1_sudo_t)
-+ userdom_spec_domtrans_all_users($1_sudo_t)
-
-- ') dnl end TODO
-+ selinux_validate_context($1_sudo_t)
-+ selinux_compute_relabel_context($1_sudo_t)
-+ selinux_getattr_fs($1_sudo_t)
-+ seutil_read_config($1_sudo_t)
-+ seutil_search_default_contexts($1_sudo_t)
-+
-+ term_use_all_user_ttys($1_sudo_t)
-+ term_use_all_user_ptys($1_sudo_t)
-+ term_relabel_all_user_ttys($1_sudo_t)
-+ term_relabel_all_user_ptys($1_sudo_t)
- ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-21 11:02:48.075572000 -0400
@@ -6849,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-21 11:02:48.458345000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-22 15:54:10.151463000 -0400
@@ -75,6 +75,7 @@
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
@@ -7520,8 +7476,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# /emul
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-21 16:42:25.522539000 -0400
-@@ -1266,6 +1266,24 @@
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-23 10:14:31.898476000 -0400
+@@ -110,6 +110,11 @@
+ ##
+ #
+ interface(`files_config_file',`
++ gen_require(`
++ attribute etcfile;
++ ')
++
++ typeattribute $1 etcfile;
+ files_type($1)
+ ')
+
+@@ -1266,6 +1271,24 @@
########################################
##
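Review bot: `files_config_file` now tags every type passed to it with the `etcfile` attribute, but the `##` description above the interface is outside this hunk and is not updated, and no declaration of `attribute etcfile;` is visible here. Any rule written against `etcfile` will from now on cover every configuration-file type declared through this interface, so callers and reviewers of such rules need to see that in the interface documentation; I would add a line such as `## Also assigns the etcfile attribute to the type.` to the description. Please also confirm that the attribute is declared in the files.te part of the patch, since an unmet `gen_require` stops the policy from building or linking.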
@@ -32498,7 +32731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1164,7 +1170,6 @@ +@@ -1164,7 +1176,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -32506,26 +32739,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1193,12 +1198,15 @@ +@@ -1193,12 +1204,15 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ hal_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` + cron_per_role_template($1, $1_t, $1_r) ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1215,27 @@ +@@ -1207,7 +1221,27 @@ ') optional_policy(` @@ -32554,7 +32787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1312,6 @@ +@@ -1284,8 +1318,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -32563,7 +32796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1333,6 @@ +@@ -1307,8 +1339,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) 
@@ -32572,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,13 +1387,6 @@ +@@ -1363,13 +1393,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -32586,7 +32819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1439,7 @@ +@@ -1422,6 +1445,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -32594,7 +32827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1805,14 @@ +@@ -1787,10 +1811,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -32610,7 +32843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1908,11 @@ +@@ -1886,11 +1914,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -32624,7 +32857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1942,11 @@ +@@ -1920,11 +1948,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -32638,7 +32871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1990,12 @@ +@@ -1968,12 +1996,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -32654,7 +32887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2025,11 @@ +@@ -2003,10 +2031,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` 
@@ -32668,7 +32901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2061,47 @@ +@@ -2038,11 +2067,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -32718,7 +32951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2133,10 @@ +@@ -2074,10 +2139,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -32731,7 +32964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2166,11 @@ +@@ -2107,11 +2172,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -32745,7 +32978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2200,11 @@ +@@ -2141,11 +2206,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -32760,7 +32993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2234,14 @@ +@@ -2175,10 +2240,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -32777,7 +33010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2271,11 @@ +@@ -2208,11 +2277,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -32791,7 +33024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2305,11 @@ +@@ -2242,11 +2311,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -32805,7 +33038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2339,10 @@ +@@ -2276,10 +2345,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -32818,7 +33051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2374,12 @@ +@@ -2311,12 +2380,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -32834,7 +33067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2411,10 @@ +@@ -2348,10 +2417,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -32847,7 +33080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2446,12 @@ +@@ -2383,12 +2452,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -32863,7 +33096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2483,12 @@ +@@ -2420,12 +2489,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -32879,7 +33112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2520,12 @@ +@@ -2457,12 +2526,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -32895,7 +33128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2570,11 @@ +@@ -2507,11 +2576,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` 
@@ -32909,7 +33142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2619,11 @@ +@@ -2556,11 +2625,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -32923,7 +33156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2663,11 @@ +@@ -2600,11 +2669,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -32937,7 +33170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2697,11 @@ +@@ -2634,11 +2703,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -32951,7 +33184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2731,11 @@ +@@ -2668,11 +2737,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -32965,7 +33198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2767,10 @@ +@@ -2704,10 +2773,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -32978,7 +33211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2802,10 @@ +@@ -2739,10 +2808,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -32991,7 +33224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2835,12 @@ +@@ -2772,12 +2841,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` 
@@ -33007,7 +33240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2872,10 @@ +@@ -2809,10 +2878,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -33020,7 +33253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2907,48 @@ +@@ -2844,10 +2913,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -33071,7 +33304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2978,12 @@ +@@ -2877,12 +2984,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -33087,7 +33320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3015,10 @@ +@@ -2914,10 +3021,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -33100,7 +33333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3050,12 @@ +@@ -2949,12 +3056,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -33116,7 +33349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3087,11 @@ +@@ -2986,11 +3093,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -33130,7 +33363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3123,11 @@ +@@ -3022,11 +3129,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` 
@@ -33144,7 +33377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3159,11 @@ +@@ -3058,11 +3165,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -33158,7 +33391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3195,11 @@ +@@ -3094,11 +3201,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -33172,7 +33405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3231,11 @@ +@@ -3130,11 +3237,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -33186,7 +33419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3280,10 @@ +@@ -3179,10 +3286,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -33199,7 +33432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3324,10 @@ +@@ -3223,10 +3330,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -33212,7 +33445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3355,24 @@ +@@ -3254,24 +3361,24 @@ ## ## # @@ -33241,7 +33474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##
#### This is a templated interface, and should only -@@ -3290,23 +3391,24 @@ +@@ -3290,23 +3397,24 @@ ## ## # @@ -33273,7 +33506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##
##
## This is a templated interface, and should only
-@@ -3321,18 +3423,89 @@
+@@ -3321,13 +3429,84 @@
##
##
##