diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc --- nsaserefpolicy/policy/modules/admin/dmesg.fc 2010-01-18 18:24:22.545542516 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2010-02-03 20:56:22.897834567 +0100 @@ -1,4 +1,3 @@ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) -/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.6.32/policy/modules/admin/mcelog.fc --- nsaserefpolicy/policy/modules/admin/mcelog.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/mcelog.fc 2010-02-03 17:54:52.841394806 +0100 @@ -0,0 +1,2 @@ + +/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.6.32/policy/modules/admin/mcelog.if --- nsaserefpolicy/policy/modules/admin/mcelog.if 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/mcelog.if 2010-02-03 17:55:31.442144688 +0100 @@ -0,0 +1,20 @@ + +## policy for mcelog + +######################################## +## +## Execute a domain transition to run mcelog. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mcelog_domtrans',` + gen_require(` + type mcelog_t, mcelog_exec_t; + ') + + domtrans_pattern($1, mcelog_exec_t, mcelog_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.6.32/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te 2010-02-09 09:59:05.624865373 +0100 
@@ -0,0 +1,31 @@ + +policy_module(mcelog,1.0.0) + +######################################## +# +# Declarations +# + +type mcelog_t; +type mcelog_exec_t; +application_domain(mcelog_t, mcelog_exec_t) +cron_system_entry(mcelog_t, mcelog_exec_t) + +permissive mcelog_t; + +######################################## +# +# mcelog local policy +# +allow mcelog_t self:capability sys_admin; + +kernel_read_system_state(mcelog_t) + +dev_read_raw_memory(mcelog_t) +dev_read_kmsg(mcelog_t) + +files_read_etc_files(mcelog_t) + +miscfiles_read_localization(mcelog_t) + +logging_send_syslog_msg(mcelog_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-02-01 20:30:49.318160848 +0100 @@ -108,6 +108,7 @@ miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) +userdom_execmod_user_home_files(prelink_t) userdom_manage_user_home_content(prelink_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2010-01-18 18:24:22.565530533 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2010-02-09 10:21:28.868615982 +0100 
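Review bot: `permissive mcelog_t;` in the mcelog.te hunk means none of the rules that follow it are enforced, so the new domain is not actually confined until that line is removed, and the hunk gives no hint when that is meant to happen. A comment on that line, e.g. `# TODO: permissive while the access set is validated; remove before relying on this domain for confinement`, keeps it from surviving into a release unnoticed. The `allow mcelog_t self:capability sys_admin;` and `dev_read_raw_memory(mcelog_t)` lines also deserve a one-line why-comment each, since raw-memory read presumably covers memory_device_t, which the devices.fc hunk at the end of this patch shows includes /dev/port at mls_systemhigh.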
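Review bot: `userdom_execmod_user_home_files(prelink_t)` in the prelink.te hunk grants execmod over user home content without saying which prelink operation needs it. execmod is the permission that lets a domain map a file it has modified as executable, so it is normally reserved for text-relocation cases; a short comment naming the denial this was added for, e.g. `# execmod: <library or denial that required it>`, would let a later reviewer judge whether a narrower rule is possible. The enclosing section of prelink.te continues outside the hunk.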
@@ -62,6 +62,8 @@ fs_search_auto_mountpoints(readahead_t) fs_getattr_all_pipes(readahead_t) fs_getattr_all_files(readahead_t) +fs_read_cgroup_files(readahead_t) +fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) fs_dontaudit_search_ramfs(readahead_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-01-29 10:12:23.130864561 +0100 
@@ -189,22 +189,22 @@ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; ') - dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; - dontaudit $1 rpm_t:tcp_socket rw_socket_perms; - dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms; + dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 rpm_t:tcp_socket { read write }; + dontaudit $1 rpm_t:unix_dgram_socket { read write }; dontaudit $1 rpm_t:shm rw_shm_perms; dontaudit $1 rpm_script_t:fd use; - dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms; + dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; - dontaudit $1 rpm_var_run_t:file write_file_perms; + dontaudit $1 rpm_var_run_t:file write; - dontaudit $1 rpm_tmp_t:file rw_file_perms; + dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms; dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; - dontaudit $1 rpm_tmpfs_t:file write_file_perms; - dontaudit $1 rpm_script_tmp_t:file write_file_perms; - dontaudit $1 rpm_var_lib_t:file { read write }; - dontaudit $1 rpm_var_cache_t:file { read write }; + dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; + dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-01-18 18:24:22.573543214 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2010-01-25 11:03:49.548441857 +0100 
@@ -48,6 +48,8 @@ files_read_etc_files(smoltclient_t) files_read_usr_files(smoltclient_t) +logging_send_syslog_msg(smoltclient_t) + miscfiles_read_localization(smoltclient_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-01-18 18:24:22.584530156 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2010-02-08 14:09:13.659608943 +0100 @@ -122,6 +122,10 @@ # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) +optional_policy(` + nx_exec_server(chfn_t) +') + ######################################## # # Crack local policy @@ -252,7 +256,7 @@ # Passwd local policy # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:fd use; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.6.32/policy/modules/apps/cdrecord.te --- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/cdrecord.te 2010-02-09 09:59:13.342615577 +0100 
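Review bot: `nx_exec_server(chfn_t)` in the first usermanage.te hunk lets the setuid chfn helper run the NX server binary (presumably via can_exec, so in chfn_t itself), and nothing in the hunk records why a finger-information tool needs that. A why-comment inside the optional_policy block, e.g. `# <caller or denial that required running the NX server from chfn>`, would make the grant auditable later. The same applies to `sys_nice` joining passwd_t's capability set in the second hunk: the capability is low-risk, but the line that justifies it is missing.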
@@ -32,6 +32,8 @@ allow cdrecord_t self:unix_dgram_socket create_socket_perms; allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; +corecmd_exec_bin(cdrecord_t) + # allow searching for cdrom-drive dev_list_all_dev_nodes(cdrecord_t) dev_read_sysfs(cdrecord_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-02-02 14:30:20.961067885 +0100 @@ -59,7 +59,8 @@ miscfiles_read_fonts(chrome_sandbox_t) optional_policy(` - gnome_write_inherited_config(chrome_sandbox_t) + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_list_home_config(chrome_sandbox_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 2010-01-18 18:24:22.593530742 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-02 18:41:27.873067758 +0100 @@ -59,6 +59,10 @@ iptables_initrc_domtrans(firewallgui_t) optional_policy(` + gnome_read_gconf_home_files(firewallgui_t) +') + +optional_policy(` policykit_dbus_chat(firewallgui_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-02-03 10:39:06.085145272 +0100 
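Review bot: `gnome_list_home_config(chrome_sandbox_t)` in the chrome.te hunk lets the sandbox helper enumerate gnome_home_t directories, a step beyond the inherited-descriptor access the block had before, and it widens what a compromised sandbox can learn about the user's profile. If the access is only there to quiet a denial, a dontaudit interface would preserve the isolation (gnome.if gains `gnome_dontaudit_search_config` later in this patch for search; a list variant would be analogous); if it is genuinely required, a one-line comment naming the reason belongs above the call.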
@@ -3,6 +3,15 @@ HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) + +/root/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +/root/\.Xdefaults -- gen_context(system_u:object_r:gnome_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-03 22:59:15.907072357 +0100 @@ -72,6 +72,24 @@ domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') +####################################### +## +## Dontaudit search gnome homedir content +## +## +## +## The type of the user domain. +## +## +# +interface(`gnome_dontaudit_search_config',` + gen_require(` + attribute gnome_home_type; + ') + + dontaudit $1 gnome_home_type:dir search_dir_perms; +') + ######################################## ## ## manage gnome homedir content (.config) 
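Review bot: `HOME_DIR/\.gstreamer-.*` gets the new gstreamer_home_t in the gnome.fc hunk while the nsplugin.fc hunk later in this patch drops the same path from nsplugin_home_t, but no rule in the patch gives nsplugin domains access to gstreamer_home_t. Unless nsplugin already goes through a gnome_home_type interface, plugins that wrote ~/.gstreamer-* under the old label will be denied after a relabel; a `gnome_manage_config`-style call on the nsplugin side, or an interface scoped to gstreamer_home_t, seems to be missing. The new `/root/...` entries mirror the HOME_DIR lines, including the unanchored `\.local.*` pattern, so they stay consistent with the existing file.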
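Review bot: the parameter description of `gnome_dontaudit_search_config` in the gnome.if hunk reads `The type of the user domain.`, the wording of the manage/read interfaces around it, whereas for a dontaudit interface the refpolicy convention is `Domain to not audit.`. The summary would also be clearer as `Do not audit attempts to search gnome home directory content.`, since the generated interface documentation is what other module authors read when choosing between this and gnome_read_config.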
@@ -84,12 +102,12 @@ # interface(`gnome_manage_config',` gen_require(` - type gnome_home_t; + attribute gnome_home_type; ') - allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:file manage_file_perms; - allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; + allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; userdom_search_user_home_dirs($1) ') @@ -129,17 +147,17 @@ # template(`gnome_read_config',` gen_require(` - type gnome_home_t; + attribute gnome_home_type; ') - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) ') ######################################## ## -## read gconf config files +## Read gconf config files ## ## ## @@ -238,6 +256,24 @@ manage_files_pattern($1, gconf_home_t, gconf_home_t) ') +####################################### +## +## Read gnome homedir content +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_list_home_config',` + gen_require(` + type gnome_home_t; + ') + + allow $1 gnome_home_t:dir list_dir_perms; +') + ######################################## ## ## Connect to gnome over an unix stream socket. 
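Review bot: `gnome_list_home_config` in the last gnome.if hunk on this line is documented as `Read gnome homedir content` but only grants `list_dir_perms` on directories, and it requires `type gnome_home_t` while every other interface in these hunks is being moved to `attribute gnome_home_type`, so callers will not be able to list the new gstreamer_home_t directories. Suggested: summary `List gnome homedir content (.config)`, `attribute gnome_home_type;` in the require, `allow $1 gnome_home_type:dir list_dir_perms;` as the rule, and `interface` rather than `template`, matching gnome_rw_inherited_config which has the same shape.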
@@ -255,11 +291,29 @@ # interface(`gnome_stream_connect',` gen_require(` - type gnome_home_t; + attribute gnome_home_type; ') # Connect to pulseaudit server - stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) + stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) +') + +####################################### +## +## Read/Write all inherited gnome home config +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_rw_inherited_config',` + gen_require(` + attribute gnome_home_type; + ') + + allow $1 gnome_home_type:file rw_inherited_file_perms; ') ######################################## @@ -274,8 +328,9 @@ # interface(`gnome_write_inherited_config',` gen_require(` - type gnome_home_t; + attribute gnome_home_type; ') - allow $1 gnome_home_t:file rw_inherited_file_perms; + allow $1 gnome_home_type:file rw_inherited_file_perms; ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2010-01-18 18:24:22.596529936 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-02-03 22:11:10.235822052 +0100 @@ -7,11 +7,12 @@ # attribute gnomedomain; +attribute gnome_home_type; type gconf_etc_t; files_config_file(gconf_etc_t) -type gconf_home_t; +type gconf_home_t, gnome_home_type; typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; 
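Review bot: after this hunk `gnome_write_inherited_config` and the new `gnome_rw_inherited_config` have identical bodies (`allow $1 gnome_home_type:file rw_inherited_file_perms;`), so the older interface's name no longer describes what it grants. Either narrow gnome_write_inherited_config to the write subset of those permissions so the name is true again, or have it call `gnome_rw_inherited_config($1)` and mark it deprecated in its documentation so the two cannot drift apart. The hunk also appends a trailing blank line at the end of gnome.if.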
@@ -31,12 +32,15 @@ application_domain(gconfd_t, gconfd_exec_t) ubac_constrained(gconfd_t) -type gnome_home_t; +type gnome_home_t, gnome_home_type; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; typealias gnome_home_t alias unconfined_gnome_home_t; userdom_user_home_content(gnome_home_t) +type gstreamer_home_t, gnome_home_type; +userdom_user_home_content(gstreamer_home_t) + type gconfdefaultsm_t; type gconfdefaultsm_exec_t; dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc 2010-01-19 12:03:52.541857693 +0100 @@ -1,5 +1,7 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) + /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2010-01-18 18:24:22.605530382 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-01-20 16:53:29.744859902 +0100 
@@ -112,11 +112,6 @@ userdom_use_user_terminals(gpg_t) -optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) -') - ######################################## # # GPG helper local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 2010-01-18 18:24:22.610530600 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2010-02-08 11:58:12.837586833 +0100 @@ -56,6 +56,10 @@ userdom_dontaudit_search_admin_dir(kdumpgui_t) optional_policy(` + gnome_dontaudit_search_config(kdumpgui_t) +') + +optional_policy(` dev_rw_lvm_control(kdumpgui_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100 @@ -11,6 +11,7 @@ /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 2010-01-18 18:24:22.626536127 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2010-01-21 18:31:18.271612626 +0100 
@@ -1,6 +1,5 @@ HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100 @@ -73,6 +73,7 @@ sysnet_dns_name_resolve(podsleuth_t) +userdom_read_user_tmpfs_files(podsleuth_t) userdom_signal_unpriv_users(podsleuth_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc 2010-02-01 17:25:46.487082096 +0100 @@ -1 +1,3 @@ +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-01-18 18:24:22.632542198 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-02-01 17:25:51.033096867 +0100 
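Review bot: `userdom_read_user_tmpfs_files(podsleuth_t)` in the podsleuth.te hunk lets the podsleuth domain read every user's tmpfs files, and nothing in the hunk says which file it actually needs. A why-comment above the line, e.g. `# reads <file> in the user's tmpfs for <reason>`, would make the cross-user read auditable and lets a later reviewer decide whether a narrower type would do.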
@@ -137,10 +137,10 @@ # interface(`pulseaudio_stream_connect',` gen_require(` - type pulseaudio_t; + type pulseaudio_t, pulseaudio_var_run_t; ') allow $1 pulseaudio_t:process signull; allow pulseaudio_t $1:process signull; - allow $1 pulseaudio_t:unix_stream_socket connectto; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-01-18 18:24:22.633540020 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-02-01 17:25:54.881332083 +0100 @@ -11,6 +11,9 @@ application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; +type pulseaudio_var_run_t; +files_pid_file(pulseaudio_var_run_t) + ######################################## # # pulseaudio local policy @@ -24,6 +27,11 @@ allow pulseaudio_t self:udp_socket create_socket_perms; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) + can_exec(pulseaudio_t, pulseaudio_exec_t) kernel_getattr_proc(pulseaudio_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 2010-01-18 18:24:22.646540277 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2010-02-08 10:39:43.173336716 +0100 
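Review bot: `files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })` in the pulseaudio.te hunk omits `sock_file` even though `manage_sock_files_pattern` is granted two lines above and the fc hunk labels `/var/run/pulse(/.*)?`. Sockets created inside an already-labelled /var/run/pulse directory inherit its type, so this only matters if pulseaudio ever creates its socket directly in /var/run; if it does, the class list should be `{ dir file sock_file }`, otherwise a comment noting that the socket lives under the directory would explain the omission. The pulseaudio.if hunk replaces the bare connectto with `stream_connect_pattern`, which presumably still includes connectto on pulseaudio_t, so existing clients should keep working.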
@@ -52,6 +52,10 @@ userdom_dontaudit_search_admin_dir(sambagui_t) optional_policy(` + gnome_dontaudit_search_config(sambagui_t) +') + +optional_policy(` consoletype_exec(sambagui_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-22 15:41:50.752727640 +0100 @@ -45,9 +45,10 @@ allow sandbox_x_domain $1:process { sigchld signal }; allow sandbox_x_domain sandbox_x_domain:process signal; # Dontaudit leaked file descriptors - dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms; + dontaudit sandbox_x_domain $1:fifo_file { read write }; dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; manage_files_pattern($1, sandbox_file_type, sandbox_file_type); manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); @@ -103,9 +104,10 @@ # template(`sandbox_x_domain_template',` gen_require(` - type xserver_exec_t; + type xserver_exec_t, sandbox_devpts_t; type sandbox_xserver_t; attribute sandbox_domain, sandbox_x_domain; + attribute sandbox_file_type; ') type $1_t, sandbox_x_domain; @@ -122,7 +124,7 @@ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) # window manager - miscfiles_setattr_fonts_dirs($1_t) + miscfiles_setattr_fonts_cache_dirs($1_t) allow $1_t self:capability setuid; type $1_client_t, sandbox_x_domain; @@ -156,6 +158,8 @@ ps_process_pattern(sandbox_xserver_t, $1_t) allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; allow sandbox_xserver_t $1_t:shm rw_shm_perms; + allow $1_client_t $1_t:unix_stream_socket connectto; + allow $1_t $1_client_t:unix_stream_socket connectto; can_exec($1_client_t, $1_file_t) manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) 
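Review bot: the `gen_require` of `sandbox_x_domain_template` now pulls in `sandbox_devpts_t` and `attribute sandbox_file_type`, but neither is used on the visible lines of the hunk; the template body continues outside the hunk, so if they are not used there either, the requires should be dropped. The new pair `allow $1_client_t $1_t:unix_stream_socket connectto;` / `allow $1_t $1_client_t:unix_stream_socket connectto;` gives the sandbox and its client a two-way connect path, which stays inside one sandbox instance but would benefit from a one-line comment saying which side creates the socket.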
@@ -163,10 +167,6 @@ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) - - optional_policy(` - xserver_common_app($1_t) - ') ') ######################################## @@ -187,3 +187,39 @@ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ') + +######################################## +## +## allow domain to delete sandbox files +## +## +## +## Domain to not audit. +## +## +# +interface(`sandbox_delete_files',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## +## allow domain to delete sandbox files +## +## +## +## Domain to not audit. +## +## +# +interface(`sandbox_delete_dirs',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-02-01 20:25:27.706170172 +0100 @@ -10,14 +10,15 @@ # sandbox_domain_template(sandbox) +sandbox_x_domain_template(sandbox_min) sandbox_x_domain_template(sandbox_x) sandbox_x_domain_template(sandbox_web) sandbox_x_domain_template(sandbox_net) type sandbox_xserver_t; domain_type(sandbox_xserver_t) -xserver_common_app(sandbox_xserver_t) permissive sandbox_xserver_t; +xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t) type sandbox_xserver_tmpfs_t; files_tmpfs_file(sandbox_xserver_tmpfs_t) @@ -92,10 +93,6 @@ ') ') -optional_policy(` - xserver_common_app(sandbox_xserver_t) -') - ######################################## # # sandbox local policy 
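Review bot: `sandbox_delete_dirs` in the last sandbox.if hunk carries the summary `allow domain to delete sandbox files`, copied from `sandbox_delete_files`, and both describe their parameter as `Domain to not audit.` although they are allow rules. Suggested: `allow domain to delete sandbox directories` for the second summary and `Domain allowed access.` for both parameters, which is the wording the other allow interfaces in this patch use (e.g. gnome_rw_inherited_config).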
@@ -104,7 +101,7 @@ ## internal communication is often done using fifo and unix sockets. allow sandbox_domain self:fifo_file manage_file_perms; allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; -allow sandbox_domain self:unix_dgram_socket create_socket_perms; +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; gen_require(` type usr_t, lib_t, locale_t; @@ -132,7 +129,7 @@ allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; allow sandbox_x_domain self:shm create_shm_perms; allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; -allow sandbox_x_domain self:unix_dgram_socket create_socket_perms; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; @@ -161,14 +158,14 @@ auth_dontaudit_read_login_records(sandbox_x_domain) auth_dontaudit_write_login_records(sandbox_x_domain) -#auth_use_nsswitch(sandbox_x_domain) +auth_use_nsswitch(sandbox_x_domain) auth_search_pam_console_data(sandbox_x_domain) init_read_utmp(sandbox_x_domain) init_dontaudit_write_utmp(sandbox_x_domain) miscfiles_read_localization(sandbox_x_domain) -miscfiles_dontaudit_setattr_fonts_dirs(sandbox_x_domain) +miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) term_getattr_pty_fs(sandbox_x_domain) term_use_ptmx(sandbox_x_domain) 
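Review bot: `auth_use_nsswitch(sandbox_x_domain)` in the third sandbox.te hunk on this line turns on an interface that had been deliberately left commented out, and the same flip is repeated for sandbox_x_client_t, sandbox_web_client_t and sandbox_net_client_t in the hunks that follow. auth_use_nsswitch is a broad grant (name-service lookups, which in refpolicy typically means talking to nscd or sssd and reading the related files), so for a sandbox it is worth a comment above the first call naming what broke without it. The `nscd_dontaudit_search_pid` and `sssd_dontaudit_search_lib` additions in the next hunk suggest the lookups are in fact reaching those services.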
@@ -179,12 +176,24 @@ miscfiles_read_fonts(sandbox_x_domain) optional_policy(` + cups_stream_connect(sandbox_x_domain) + cups_read_rw_config(sandbox_x_domain) +') + +optional_policy(` + dbus_system_bus_client(sandbox_x_domain) +') + +optional_policy(` gnome_read_gconf_config(sandbox_x_domain) ') optional_policy(` - cups_stream_connect(sandbox_x_domain) - cups_read_rw_config(sandbox_x_domain) + nscd_dontaudit_search_pid(sandbox_x_domain) +') + +optional_policy(` + sssd_dontaudit_search_lib(sandbox_x_domain) ') userdom_dontaudit_use_user_terminals(sandbox_x_domain) @@ -207,10 +216,8 @@ corenet_tcp_connect_ipp_port(sandbox_x_client_t) -#auth_use_nsswitch(sandbox_x_client_t) +auth_use_nsswitch(sandbox_x_client_t) -dbus_system_bus_client(sandbox_x_client_t) -dbus_read_config(sandbox_x_client_t) selinux_get_fs_mount(sandbox_x_client_t) selinux_validate_context(sandbox_x_client_t) selinux_compute_access_vector(sandbox_x_client_t) @@ -239,6 +246,8 @@ kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t) dev_read_rand(sandbox_web_client_t) +dev_read_sound(sandbox_web_client_t) +dev_write_sound(sandbox_web_client_t) # Browse the web, connect to printer corenet_all_recvfrom_unlabeled(sandbox_web_client_t) @@ -267,7 +276,7 @@ corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) corenet_tcp_connect_speech_port(sandbox_web_client_t) -#auth_use_nsswitch(sandbox_web_client_t) +auth_use_nsswitch(sandbox_web_client_t) dbus_system_bus_client(sandbox_web_client_t) dbus_read_config(sandbox_web_client_t) @@ -279,6 +288,8 @@ selinux_compute_user_contexts(sandbox_web_client_t) seutil_read_default_contexts(sandbox_web_client_t) +userdom_rw_user_tmpfs_files(sandbox_web_client_t) + optional_policy(` nsplugin_read_rw_files(sandbox_web_client_t) nsplugin_rw_exec(sandbox_web_client_t) 
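Review bot: `dbus_system_bus_client(sandbox_x_domain)` in the first sandbox.te hunk on this line gives every X sandbox type, the X-side `$1_t` domains included, a system-bus connection, while the second hunk removes `dbus_read_config(sandbox_x_client_t)` yet the web and net clients keep their explicit `dbus_read_config` calls. If dbus_system_bus_client does not itself grant reading the bus configuration, sandbox_x_client_t has silently lost it; either keep the dbus_read_config line or move it onto the attribute next to the bus-client call. A comment stating why the X-side domains now need the system bus would also help, since they did not have it before this hunk.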
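Review bot: `userdom_rw_user_tmpfs_files(sandbox_web_client_t)` in the last sandbox.te hunk on this line lets the web sandbox read and write every file of the user's tmpfs type, which is shared with the user's unsandboxed applications, so a compromised browser gains a channel into their shared-memory objects. If this was added for one consumer (the `dev_read_sound`/`dev_write_sound` lines in the earlier hunk hint at audio), a dedicated type or the relevant service's interfaces would keep the sandbox boundary intact; if not, a comment should record what needs it.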
@@ -310,7 +321,7 @@ corenet_tcp_connect_all_ports(sandbox_net_client_t) corenet_sendrecv_all_client_packets(sandbox_net_client_t) -#auth_use_nsswitch(sandbox_net_client_t) +auth_use_nsswitch(sandbox_net_client_t) dbus_system_bus_client(sandbox_net_client_t) dbus_read_config(sandbox_net_client_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.6.32/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/vmware.if 2010-01-25 17:40:10.448685801 +0100 @@ -30,6 +30,24 @@ allow $2 vmware_t:process signal; ') +####################################### +## +## Execute vmware host executables +## +## +## +## Domain allowed access. +## +## +# +interface(`vmware_exec_host',` + gen_require(` + type vmware_host_exec_t; + ') + + can_exec($1, vmware_host_exec_t) +') + ######################################## ## ## Read VMWare system configuration files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2010-01-18 18:24:22.655542539 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2010-02-01 20:38:46.148160807 +0100 @@ -32,6 +32,10 @@ type vmware_host_pid_t alias vmware_var_run_t; files_pid_file(vmware_host_pid_t) +type vmware_host_tmp_t; +files_tmp_file(vmware_host_tmp_t) +ubac_constrained(vmware_host_tmp_t) + type vmware_log_t; typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; 
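Review bot: `vmware_exec_host` in the vmware.if hunk uses `can_exec`, so the caller runs the VMware host binaries in its own domain with no transition, but the summary `Execute vmware host executables` does not say so and readers may assume a domtrans like the neighbouring vmware interfaces. Suggested summary: `Execute VMware host executables in the caller domain (no domain transition).`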
@@ -87,6 +91,11 @@ manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) +manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) + kernel_read_kernel_sysctls(vmware_host_t) kernel_read_system_state(vmware_host_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-18 18:24:22.657540000 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-18 18:27:02.744541291 +0100 @@ -143,6 +143,10 @@ userdom_unpriv_usertype($1, $1_wine_t) userdom_manage_tmpfs_role($2, $1_wine_t) + tunable_policy(`wine_mmap_zero_ignore',` + allow $1_wine_t self:memprotect mmap_zero; + ') + domain_mmap_low_type($1_wine_t) tunable_policy(`mmap_low_allowed',` domain_mmap_low($1_wine_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-18 18:24:22.664530344 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-01-18 18:27:02.745530942 +0100 @@ -6,6 +6,15 @@ # Declarations # +## +##
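Review bot: the tunable block in the wine.if hunk is named `wine_mmap_zero_ignore` and described in the wine.te hunk that follows as `Ignore wine mmap_zero errors`, but the rule inside it is `allow $1_wine_t self:memprotect mmap_zero;`, which grants the permission rather than silencing a denial: with the boolean on, wine processes may map the zero page, removing the low-address mapping protection that memprotect:mmap_zero exists to enforce for that domain. The description should say what is actually traded away, e.g. `Allow wine to map the zero page (weakens the null-dereference mitigation for the wine domains)`, and the `false` default set in wine.te is the right one to keep. The same wording issue applies to the second wine.te hunk's `tunable_policy` block for wine_t.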

+## Ignore wine mmap_zero errors +##

+##
+# +gen_tunable(wine_mmap_zero_ignore, false) + + type wine_t; type wine_exec_t; application_domain(wine_t, wine_exec_t) @@ -29,6 +38,11 @@ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir }) +tunable_policy(`wine_mmap_zero_ignore',` + allow wine_t self:memprotect mmap_zero; +') + + domain_mmap_low_type(wine_t) tunable_policy(`mmap_low_allowed',` domain_mmap_low(wine_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-02-09 09:59:17.989881706 +0100 @@ -219,7 +219,7 @@ /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) -/usr/share/cluster/ocf-shellfunc -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) 
@@ -237,6 +237,7 @@ /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in 2010-02-02 15:20:43.717067439 +0100 @@ -1703,6 +1703,24 @@ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ') +####################################### +## +## dontaudit Read and write the TUN/TAP virtual network device. +## +## +## +## The domain allowed access. +## +## +# +interface(`corenet_dontaudit_rw_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dontaudit $1 tun_tap_device_t:chr_file { read write }; +') + ######################################## ## ## Getattr the point-to-point device. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:10:56.565608631 +0100 
@@ -92,8 +92,8 @@ network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dccm, tcp,5679,s0, udp,5679,s0) -network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0) -network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) +network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-04 19:33:02.466936526 +0100 @@ -64,6 +64,7 @@ /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) @@ -83,6 +84,7 @@ /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) 
@@ -103,6 +105,7 @@ /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` @@ -162,6 +165,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) + /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-09 09:59:21.541627154 +0100 @@ -1398,6 +1398,42 @@ rw_chr_files_pattern($1, device_t, crypt_device_t) ') +####################################### +## +## Set the attributes of the dlm control devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_dlm_control',` + gen_require(` + type device_t, kvm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, dlm_control_device_t) +') + +####################################### +## +## Read and write the the dlm control device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_dlm_control',` + gen_require(` + type device_t, dlm_control_device_t; + ') + + rw_chr_files_pattern($1, device_t, dlm_control_device_t) +') + ######################################## ## ## getattr the dri devices. 
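Review bot: `dev_setattr_dlm_control` requires `type device_t, kvm_device_t;` but its only rule is `setattr_chr_files_pattern($1, device_t, dlm_control_device_t)`, so the gen_require names a type the body never uses and omits the one it does, which looks like a copy-paste from a kvm interface. It should read `type device_t, dlm_control_device_t;`, as `dev_rw_dlm_control` directly below already does. The summary of `dev_rw_dlm_control` also has a doubled word; suggest `## Read and write the dlm control device.`.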
@@ -1728,6 +1764,24 @@ ######################################## ## +## Write to the kernel messages device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_kmsg',` + gen_require(` + type device_t, kmsg_device_t; + ') + + write_chr_files_pattern($1, device_t, kmsg_device_t) +') + +######################################## +## ## Get the attributes of the ksm devices. ## ## @@ -3551,6 +3605,24 @@ rw_chr_files_pattern($1, device_t, usb_device_t) ') +###################################### +## +## Read USB monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_usbmon_dev',` + gen_require(` + type device_t, usbmon_device_t; + ') + + read_chr_files_pattern($1, device_t, usbmon_device_t) +') + ######################################## ## ## Mount a usbfs filesystem. @@ -3833,6 +3905,24 @@ write_chr_files_pattern($1, device_t, v4l_device_t) ') +##################################### +## +## Read or write userio device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_userio_dev',` + gen_require(` + type device_t, userio_device_t; + ') + + rw_chr_files_pattern($1, device_t, userio_device_t) +') + ######################################## ## ## Read and write VMWare devices. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-02-04 19:25:03.244936343 +0100 @@ -59,6 +59,12 @@ type crypt_device_t; dev_node(crypt_device_t) +# +# dlm_misc_device_t is the type of /dev/misc/dlm.* +# +type dlm_control_device_t; +dev_node(dlm_control_device_t) + type dri_device_t; dev_node(dri_device_t) 
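Review bot: The new comment in devices.te says `dlm_misc_device_t is the type of /dev/misc/dlm.*` but the declaration beneath it is `type dlm_control_device_t;`, so the comment names a type that does not exist; it should read `# dlm_control_device_t is the type of /dev/misc/dlm.*`. The other new type comments in the devices.te hunk ending at L29 (usbmon_device_t, userio_device_t) do match their declarations. For userio_device_t it would also help to note why a dedicated type exists, since UIO nodes hand device memory to the opening process, e.g. `# kept separate from generic device nodes: UIO exposes device registers to userspace`.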
@@ -228,11 +234,23 @@ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) # +# usbmon_device_t is the type for /dev/usbmon +# +type usbmon_device_t; +dev_node(usbmon_device_t) + +# # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ # type usb_device_t; dev_node(usb_device_t) +# +# userio_device_t is the type for /dev/uio[0-9]+ +# +type userio_device_t; +dev_node(userio_device_t) + type v4l_device_t; dev_node(v4l_device_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-01-18 18:24:22.691530426 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-01-29 10:02:38.893864113 +0100 @@ -5537,3 +5537,23 @@ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') + +######################################## +## +## Do not audit attempts to read or write +## all leaked files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_leaks',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-09 09:59:39.756615405 +0100 @@ -3496,6 +3496,24 @@ ######################################## ## +## Read generic tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + read_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## ## Read and write generic tmpfs files. ## ## 
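Review bot: `files_dontaudit_leaks` suppresses `file_type:file rw_inherited_file_perms` for every file type, including security-sensitive ones, whereas the existing `files_dontaudit_all_non_security_leaks` (called from abrt.te in the hunk at L37) excludes them; with the new interface a write through a leaked descriptor to a shadow-type file would leave no audit record at all. The summary should make that difference explicit, e.g. `## Do not audit attempts to read or write all leaked files, including security files; prefer files_dontaudit_all_non_security_leaks where possible.`. The same applies to `fs_dontaudit_leaks` over `filesystem_type` in the filesystem.if hunk ending at L30. Minor style: `lnk_file { read }` is a single permission and does not need the braces.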
@@ -4297,6 +4315,26 @@ ######################################## ## +## Read files on cgroup +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + read_files_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## ## Read and write files on cgroup ## file systems. ## @@ -4409,3 +4447,23 @@ write_files_pattern($1, cgroup_t, cgroup_t) ') + +######################################## +## +## Do not audit attempts to read or write +## all leaked filesystems files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_leaks',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100 
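Review bot: `fs_read_cgroup_files` has a stray blank line inside its gen_require block between `type cgroup_t;` and `')`, which none of the other new interfaces in this patch have. It is cosmetic and does not change the generated rule, but the block should read `gen_require(\` type cgroup_t; ')` on consecutive lines for consistency with the rest of filesystem.if.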
@@ -2,7 +2,10 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) + /usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) /usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-01-18 18:27:02.753530981 +0100 @@ -39,6 +39,8 @@ type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) role unconfined_r types unconfined_t; +role_transition system_r unconfined_exec_t unconfined_r; +allow system_r unconfined_r; domain_user_exemption_target(unconfined_t) allow system_r unconfined_r; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-01-18 18:27:02.754531109 +0100 @@ -15,7 +15,7 @@ ## ##
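Review bot: `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` are labeled `unconfined_exec_t`, so a network-listening remote desktop service started from init will run as unconfined_t with no confinement, and the `role_transition system_r unconfined_exec_t unconfined_r;` added in the unconfineduser.te hunk on this line makes that transition automatic; the existing comment only talks about initrc needing to transition, so a note next to these entries would record the gap, e.g. `# xrdp/xrdp-sesman run unconfined until a dedicated policy exists; they accept network connections`. vncserver is also moved from `unconfined_notrans_exec_t` to `unconfined_exec_t`, which changes it from staying in the caller's domain to transitioning into unconfined_t, and the commit description does not mention that.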
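Review bot: The added `allow system_r unconfined_r;` duplicates the identical statement that already follows two lines later, after `domain_user_exemption_target(unconfined_t)`, as the hunk's context shows. The compiler will accept the duplicate, but one of the two should be removed; keeping the new `role_transition system_r unconfined_exec_t unconfined_r;` next to a single `allow system_r unconfined_r;` is the clearer arrangement.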

-## Allow xguest to configure Network Manager +## Allow xguest to configure Network Manager and connect to apache ports ##

##
gen_tunable(xguest_connect_network, true) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100 +++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100 @@ -35,6 +35,11 @@ ') domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit abrt_helper_t $1:socket_class_set { read write }; + fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) + ') ') ###################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 +++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-02-04 16:36:56.307403800 +0100 @@ -96,6 +96,7 @@ corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) +dev_getattr_all_chr_files(abrt_t) dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_memory_dev(abrt_t) @@ -176,6 +177,16 @@ sssd_stream_connect(abrt_t) ') +ifdef(`hide_broken_symptoms', ` + gen_require(` + attribute domain; + ') + + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; +') + permissive abrt_t; ######################################## 
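Review bot: The `hide_broken_symptoms` block in abrt.te contains allow rules (`allow abrt_t self:capability sys_resource;`, `allow abrt_t domain:file write;`, `allow abrt_t domain:process setrlimit;`), while the same macro in the abrt.if hunk on this line guards only dontaudit rules, and `domain:file write` lets abrt_t write the /proc/<pid> files of every domain on the system. If the need is only to adjust a crashing process's limits, a comment naming which /proc entry abrt writes would justify the grant, e.g. `# abrt raises a crashing process's rlimits; needs write on its /proc/<pid> files — TODO confirm which`; otherwise the rule should be narrowed. Since `permissive abrt_t;` below the block is unchanged, none of this is enforced yet, which makes it easy to verify the minimal set from the audit log before the domain goes enforcing.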
@@ -200,10 +211,13 @@ files_read_etc_files(abrt_helper_t) files_dontaudit_all_non_security_leaks(abrt_helper_t) +fs_getattr_all_fs(abrt_helper_t) fs_list_inotifyfs(abrt_helper_t) auth_use_nsswitch(abrt_helper_t) +logging_send_syslog_msg(abrt_helper_t) + miscfiles_read_localization(abrt_helper_t) userdom_dontaudit_use_user_terminals(abrt_helper_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2010-01-18 18:24:22.729540009 +0100 +++ serefpolicy-3.6.32/policy/modules/services/afs.te 2010-01-20 13:19:16.795611181 +0100 @@ -1,5 +1,5 @@ -policy_module(afs, 1.5.0) +policy_module(afs, 1.5.1) ######################################## # @@ -72,7 +72,7 @@ # allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; -allow afs_t self:process setsched; +allow afs_t self:process { fork setsched signal }; allow afs_t self:udp_socket create_socket_perms; allow afs_t self:fifo_file rw_file_perms; allow afs_t self:unix_stream_socket create_stream_socket_perms; @@ -105,6 +105,8 @@ miscfiles_read_localization(afs_t) +sysnet_dns_name_resolve(afs_t) + ######################################## # # AFS bossserver local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.6.32/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 2010-01-18 18:24:22.731542358 +0100 +++ serefpolicy-3.6.32/policy/modules/services/aisexec.te 2010-02-04 21:53:44.131187049 +0100 @@ -75,8 +75,6 @@ corenet_tcp_bind_reserved_port(aisexec_t) corenet_udp_bind_cluster_port(aisexec_t) -ccs_stream_connect(aisexec_t) - corecmd_exec_bin(aisexec_t) kernel_read_system_state(aisexec_t) 
@@ -95,6 +93,11 @@ logging_send_syslog_msg(aisexec_t) +optional_policy(` + ccs_stream_connect(aisexec_t) +') + +optional_policy(` # to communication with RHCS dlm_controld_manage_tmpfs_files(aisexec_t) dlm_controld_rw_semaphores(aisexec_t) @@ -109,4 +112,5 @@ groupd_manage_tmpfs_files(aisexec_t) groupd_rw_semaphores(aisexec_t) groupd_rw_shm(aisexec_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.32/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2010-01-18 18:24:22.732530124 +0100 +++ serefpolicy-3.6.32/policy/modules/services/amavis.te 2010-02-01 21:16:32.215094407 +0100 @@ -138,6 +138,7 @@ auth_dontaudit_read_shadow(amavis_t) +init_read_utmp(amavis_t) init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-01-27 17:22:29.733863060 +0100 
@@ -12,6 +12,7 @@ /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-02-01 15:06:59.560081274 +0100 @@ -16,6 +16,7 @@ attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_sys_content_t; ') #This type is for webpages type httpd_$1_content_t; @@ -55,6 +56,7 @@ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; + allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; allow httpd_$1_script_t httpd_t:fifo_file write; @@ -123,6 +125,8 @@ allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + + allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; ') tunable_policy(`httpd_enable_cgi',` 
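Review bot: `/etc/zabbix/web(/.*)?` is labeled `httpd_sys_content_rw_t`, which makes a configuration directory under /etc writable by the web server domain; a compromised frontend script could then rewrite zabbix's own web configuration, which presumably holds the database credentials (inferred from the path, not visible here). If only the setup wizard needs to write there, a comment recording that trade-off would help future readers, e.g. `# zabbix web setup writes its frontend config here; writable by httpd on purpose`, and a narrower path may be possible.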
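Review bot: The gen_require in the first apache.if hunk adds `type httpd_sys_content_t;` inside what appears to be the content template that itself declares `httpd_$1_content_t` (the template header is outside the hunk), so for the `sys` instantiation the template requires a type it declares in the same invocation; it is worth checking that the module compiles cleanly for that case. The new rule that uses it, `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` in the hunk at line 123 of the same file, sits just before a `')` whose opening is not visible, so whether it is inside a tunable block cannot be confirmed from here. A one-line comment above the rule stating why every script type needs to search the system content tree would make the intent clear, e.g. `# scripts of every content type may traverse the shared sys content tree`.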
@@ -1167,6 +1171,29 @@ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; ') +####################################### +## +## dontaudit read and write an leaked file descriptors +## +## +## +## The type of the process performing this action. +## +## +# +interface(`apache_dontaudit_leaks',` + gen_require(` + type httpd_t; + ') + + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 httpd_t:tcp_socket { read write }; + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; +') + + + ######################################## ## ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-03 20:16:18.858822145 +0100 @@ -309,7 +309,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -files_var_filetrans(httpd_t, httpd_cache_t, dir) +files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; 
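Review bot: The summary of `apache_dontaudit_leaks` reads `dontaudit read and write an leaked file descriptors`, which is ungrammatical; suggest `## Do not audit attempts to read or write leaked Apache file descriptors.`. The hunk also leaves two blank lines before the next `####` banner where the surrounding file uses one.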
@@ -363,10 +363,10 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) -setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) +files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -400,6 +400,7 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) +fs_list_inotifyfs(httpd_t) fs_search_auto_mountpoints(httpd_t) fs_read_iso9660_files(httpd_t) @@ -612,6 +613,11 @@ avahi_dbus_chat(httpd_t) ') ') + +optional_policy(` + gitosis_read_var_lib(httpd_t) +') + optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100 
@@ -31,7 +31,7 @@ # allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; -allow apcupsd_t self:process signal; +allow apcupsd_t self:process { signal signull }; allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100 +++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-01-27 17:37:31.626864275 +0100 @@ -64,6 +64,7 @@ corenet_udp_sendrecv_all_ports(arpwatch_t) dev_read_sysfs(arpwatch_t) +dev_read_usbmon_dev(arpwatch_t) fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 21:19:40.967763409 +0100 @@ -6,4 +6,4 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-01-18 18:24:22.753540198 +0100 +++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2010-02-02 18:56:12.191317011 +0100 
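Review bot: `dev_read_usbmon_dev(arpwatch_t)` grants read access to the usbmon nodes, which carry the raw traffic of every USB bus, yet arpwatch only needs Ethernet captures. If the denial came from libpcap enumerating all capture interfaces rather than from arpwatch actually reading USB traffic (I cannot tell from the hunk), a dontaudit variant — which this patch does not add to devices.if — would be the least-privilege choice. At minimum a comment above the call would record the reason, e.g. `# libpcap opens usbmon interfaces when enumerating capture devices — TODO confirm`.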
@@ -1,4 +1,6 @@ +/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.32/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 2010-01-18 18:24:22.755539963 +0100 +++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2010-02-02 18:55:49.615067744 +0100 @@ -12,6 +12,9 @@ type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) +type chronyd_keys_t; +files_type(chronyd_keys_t) + # var/lib files type chronyd_var_lib_t; files_type(chronyd_var_lib_t) @@ -30,11 +33,14 @@ # chronyd local policy # -allow chronyd_t self:capability { setuid setgid sys_time }; -allow chronyd_t self:process { getcap setcap }; +allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; +allow chronyd_t self:process { getcap setcap setrlimit }; allow chronyd_t self:udp_socket create_socket_perms; allow chronyd_t self:unix_dgram_socket create_socket_perms; +allow chronyd_t self:shm create_shm_perms; + +allow chronyd_t chronyd_keys_t:file read_file_perms; # chronyd var/lib files manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) @@ -64,4 +70,7 @@ miscfiles_read_localization(chronyd_t) -permissive chronyd_t; +optional_policy(` + gpsd_rw_shm(chronyd_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 2010-01-18 18:24:22.764539991 +0100 +++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-02-04 21:49:37.774952184 +0100 
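Review bot: `dac_override` is added to chronyd's capability set in the same hunk that introduces `chronyd_keys_t` for /etc/chrony.keys and removes `permissive chronyd_t`, so it will now be enforced; it is the broadest of the new capabilities, and if it is only needed because the key file is root-owned while chronyd runs as its own user, fixing the file's ownership or mode would avoid it (not determinable from the hunk). A comment such as `# dac_override: reads root-owned chrony.keys after dropping privileges — verify` would record the reason either way. Since `chronyd_keys_t` holds authentication secrets, marking it with refpolicy's security-file attribute (`files_security_file`, if present in this tree) rather than plain `files_type` would keep it out of the generic non-security dontaudit interfaces.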
@@ -73,6 +73,8 @@ kernel_read_system_state(corosync_t) +domain_read_all_domains_state(corosync_t) + corenet_udp_bind_netsupport_port(corosync_t) corecmd_exec_bin(corosync_t) @@ -92,6 +94,7 @@ userdom_rw_user_tmpfs_files(corosync_t) +optional_policy(` # to communication with RHCS dlm_controld_manage_tmpfs_files(corosync_t) dlm_controld_rw_semaphores(corosync_t) @@ -95,12 +98,11 @@ # to communication with RHCS dlm_controld_manage_tmpfs_files(corosync_t) dlm_controld_rw_semaphores(corosync_t) - fenced_manage_tmpfs_files(corosync_t) fenced_rw_semaphores(corosync_t) - gfs_controld_manage_tmpfs_files(corosync_t) gfs_controld_rw_semaphores(corosync_t) +') optional_policy(` ccs_read_config(corosync_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-03 21:39:39.157822554 +0100 @@ -323,6 +323,10 @@ udev_read_db(crond_t) ') +optional_policy(` + mta_system_content(crond_var_run_t) +') + ######################################## # # System cron process domain diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-02-01 21:13:34.192326070 +0100 @@ -265,6 +265,7 @@ # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) miscfiles_setattr_fonts_dirs(cupsd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_t) seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) 
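Review bot: `domain_read_all_domains_state(corosync_t)` lets corosync read the /proc state of every domain on the host, a much wider grant than the `kernel_read_system_state` next to it. A comment naming what corosync reads would justify the scope, e.g. `# corosync inspects /proc/<pid> of the cluster daemons it coordinates — TODO confirm`; if only the RHCS daemons wrapped in the optional_policy block below are involved, their own ps_process interfaces would be narrower.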
@@ -430,10 +431,12 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) +userdom_read_all_users_state(cupsd_config_t) userdom_rw_user_tmp_files(cupsd_config_t) cups_stream_connect(cupsd_config_t) +gnome_dontaudit_search_config(cupsd_config_t) lpd_read_config(cupsd_config_t) ifdef(`distro_redhat',` @@ -555,6 +558,7 @@ logging_send_syslog_msg(cupsd_lpd_t) miscfiles_read_localization(cupsd_lpd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) cups_stream_connect(cupsd_lpd_t) @@ -567,7 +571,7 @@ # cups_pdf local policy # -allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; +allow cups_pdf_t self:capability { chown fsetid fowner setuid setgid dac_override }; allow cups_pdf_t self:fifo_file rw_file_perms; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2010-01-18 18:24:22.774530577 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2010-02-09 15:13:10.361616292 +0100 @@ -375,6 +375,8 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) + ps_process_pattern(system_dbusd_t, $1) + userdom_dontaudit_search_admin_dir($1) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-02-08 11:55:25.971336166 +0100 
@@ -82,6 +82,7 @@ manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) @@ -94,6 +95,7 @@ corenet_tcp_sendrecv_generic_node(dovecot_t) corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) +corenet_tcp_bind_mail_port(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) @@ -277,6 +279,8 @@ ') tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(dovecot_deliver_t) + fs_manage_nfs_dirs(dovecot_t) fs_manage_nfs_files(dovecot_deliver_t) fs_manage_nfs_symlinks(dovecot_deliver_t) fs_manage_nfs_files(dovecot_t) @@ -284,6 +288,8 @@ ') tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(dovecot_deliver_t) + fs_manage_cifs_dirs(dovecot_t) fs_manage_cifs_files(dovecot_deliver_t) fs_manage_cifs_symlinks(dovecot_deliver_t) fs_manage_cifs_files(dovecot_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-18 18:24:22.784531151 +0100 +++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-18 18:27:02.761531161 +0100 
@@ -138,6 +138,24 @@ dontaudit $1 fail2ban_t:unix_stream_socket { read write }; ') +####################################### +## +## Read and write to an fail2ban unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl }; +') + ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-02-08 00:21:16.418154590 +0100 @@ -115,6 +115,43 @@ role $2 types ftpdctl_t; ') +###################################### +## +## Allow domain dyntransition to sftpd-anon domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_dyntransition_sftpd_anon',` + gen_require(` + type sftpd_anon_t; + ') + + allow $1 sftpd_anon_t:process dyntransition; +') + +###################################### +## +## Allow domain dyntransition to sftpd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_dyntransition_sftpd',` + gen_require(` + type sftpd_t; + ') + + allow $1 sftpd_t:process dyntransition; + allow sftpd_t $1:process sigchld; +') + ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-18 18:24:22.787539983 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-01-18 18:27:02.763531066 +0100 @@ -53,6 +53,39 @@ ## gen_tunable(ftp_home_dir, false) +## +##
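Review bot: The new `fail2ban_rw_stream_sockets` grants `{ getattr read write ioctl }` while its summary says only "Read and write", and the sibling dontaudit interface in the context above covers just `{ read write }`; either document the extra `ioctl`/`getattr` or drop them so the two agree. The summary also has a grammatical slip: `## Read and write to a fail2ban unix stream socket.`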
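Review bot: `ftp_dyntransition_sftpd_anon` omits the `allow sftpd_anon_t $1:process sigchld;` that `ftp_dyntransition_sftpd` includes, so the parent that moves a child into sftpd_anon_t will see sigchld denials when the child exits; the two interfaces should be symmetric. Because `dyntransition` bypasses the entrypoint check that an exec-based transition enforces, each summary should also state that the caller is trusted to perform the `setcon()` only after it has authenticated the session.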

+## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +##

+##
+gen_tunable(sftpd_anon_write, false) + +## +##

+## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +##

+##
+gen_tunable(sftpd_full_access, false) + +## +##

+## Allow interlnal-sftp to read and write files +## in the user ssh home directories. +##

+##
+gen_tunable(sftpd_write_ssh_home, false) + +## +##

+## Allow sftp-internal to read and write files +## in the user home directories +##

+##
+gen_tunable(sftp_enable_homedirs, false) + type ftpd_t; type ftpd_exec_t; init_daemon_domain(ftpd_t, ftpd_exec_t) @@ -93,6 +126,14 @@ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) ') +type sftpd_t; +domain_type(sftpd_t) +role system_r types sftpd_t; + +type sftpd_anon_t; +domain_type(sftpd_anon_t) +role system_r types sftpd_anon_t; + ######################################## # # ftpd local policy 
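Review bot: The four new tunables use two prefixes, `sftpd_anon_write`, `sftpd_full_access`, `sftpd_write_ssh_home` versus `sftp_enable_homedirs`; pick one so they sort together in boolean listings. The descriptions also name the program three ways ("anon internal-sftp", "sftp-internal", "interlnal-sftp"), and `interlnal` is a typo: `## Allow internal-sftp to read and write files`.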
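Review bot: `sftpd_t` and `sftpd_anon_t` are declared with `domain_type` only and no entrypoint type, so they can be entered solely through the `dyntransition` interfaces added in ftp.if. A comment above the declarations, `# entered only via dynamic transition, see ftp_dyntransition_sftpd*`, would stop a later reader from adding an entrypoint or `init_daemon_domain` by habit.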
@@ -342,3 +383,76 @@ files_read_etc_files(ftpdctl_t) userdom_use_user_terminals(ftpdctl_t) + +####################################### +# +# sftpd-anon local policy +# + +files_read_etc_files(sftpd_anon_t) + +miscfiles_read_public_files(sftpd_anon_t) + +tunable_policy(`sftpd_anon_write',` + miscfiles_manage_public_files(sftpd_anon_t) +') + +####################################### +# +# sftpd local policy +# + +files_read_etc_files(sftpd_t) + +# allow read access to /home by default +userdom_read_user_home_content_files(sftpd_t) +userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) + +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) +') + +tunable_policy(`sftpd_write_ssh_home',` + ssh_manage_user_home_files(sftpd_t) +') + +tunable_policy(`sftp_enable_homedirs',` + allow sftpd_t self:capability { dac_override dac_read_search }; + + # allow access to /home + files_list_home(sftpd_t) + userdom_read_user_home_content_files(sftpd_t) + userdom_manage_user_home_content(sftpd_t) + + auth_read_all_dirs_except_shadow(sftpd_t) + auth_read_all_files_except_shadow(sftpd_t) + auth_read_all_symlinks_except_shadow(sftpd_t) +', ` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) +') + +tunable_policy(`sftp_enable_homedirs && use_nfs_home_dirs',` + fs_manage_nfs_dirs(sftpd_t) + fs_manage_nfs_files(sftpd_t) + fs_manage_nfs_symlinks(sftpd_t) +') + +tunable_policy(`sftp_enable_homedirs && use_samba_home_dirs',` + fs_manage_cifs_dirs(sftpd_t) + fs_manage_cifs_files(sftpd_t) + fs_manage_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(sftpd_t) + fs_read_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(sftpd_t) + 
fs_read_nfs_symlinks(ftpd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2010-01-18 18:24:22.788540040 +0100 +++ serefpolicy-3.6.32/policy/modules/services/git.fc 2010-02-09 12:46:59.674881314 +0100 @@ -1,9 +1,16 @@ -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0) -/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) +/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0) -# Conflict with Fedora cgit fc spec. -/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_content_rw_t,s0) +/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) + +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) + +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) + +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2010-01-18 18:24:22.789540167 +0100 +++ serefpolicy-3.6.32/policy/modules/services/git.if 2010-02-09 12:46:59.675881993 +0100 @@ -1,4 +1,4 @@ -## Git daemon is a really simple server for Git repositories. +## Git - Fast Version Control System. ## ##
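Review bot: `fs_read_nfs_symlinks(ftpd_t)` closing the `use_nfs_home_dirs` block is the only line in the new sftpd section that names `ftpd_t`; the preceding `fs_read_nfs_files(sftpd_t)` and the parallel CIFS block show it should be `fs_read_nfs_symlinks(sftpd_t)`. The `sftp_enable_homedirs` block also grants `auth_read_all_dirs/files/symlinks_except_shadow(sftpd_t)` plus `dac_override dac_read_search`, which is read of essentially the whole filesystem and well beyond the "user home directories" the tunable advertises; either scope that to home content or move it under `sftpd_full_access`, where the broad grant already lives. The `allow sftpd_t self:capability { dac_override dac_read_search };` line is duplicated in both tunables; a single `tunable_policy(`sftpd_full_access || sftp_enable_homedirs',` block would express it once.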
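Review bot: `/var/www/git/gitweb.cgi gen_context(...httpd_git_script_exec_t,s0)` lacks the `--` file-type field and the escaped dot that the cgit entry two lines above uses, so it would also label a directory or socket of that name as a script executable. Write it as `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`.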

## A really simple TCP git daemon that normally listens on @@ -6,27 +6,6 @@ ## connection asking for a service, and will serve that ## service if it is enabled. ##

-##

-## It verifies that the directory has the magic file -## git-daemon-export-ok, and it will refuse to export any -## git directory that has not explicitly been marked for -## export this way (unless the --export-all parameter is -## specified). If you pass some directory paths as -## git-daemon arguments, you can further restrict the -## offers to a whitelist comprising of those. -##

-##

-## By default, only upload-pack service is enabled, which -## serves git-fetch-pack and git-ls-remote clients, which -## are invoked from git-fetch, git-pull, and git-clone. -##

-##

-## This is ideally suited for read-only updates, i.e., -## pulling from git repositories. -##

-##

-## An upload-archive also exists to serve git-archive. -##

##
####################################### @@ -46,50 +25,172 @@ # interface(`git_session_role', ` gen_require(` - type gitd_session_t, gitd_exec_t, git_home_t; + type git_session_t, gitd_exec_t; ') ######################################## # - # Git daemon session data declarations. + # Git daemon session shared declarations. # - ## - ##

- ## Allow transitions to the Git daemon - ## session domain. - ##

- ##
- gen_tunable(gitd_session_transition, false) + role $1 types git_session_t; + + ######################################## + # + # Git daemon session shared policy. + # + + domtrans_pattern($2, gitd_exec_t, git_session_t) + + allow $2 git_session_t:process { ptrace signal_perms }; + ps_process_pattern($2, git_session_t) +') + +######################################## +## +## Create a set of derived types for Git +## daemon shared repository content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`git_content_template',` - role $1 types gitd_session_t; + gen_require(` + attribute git_system_content; + attribute git_content; + ') ######################################## # - # Git daemon session data policy. + # Git daemon content shared declarations. + # + + type git_$1_content_t, git_system_content, git_content; + files_type(git_$1_content_t) +') + +######################################## +## +## Create a set of derived types for Git +## daemon shared repository roles. +## +## +## +## The prefix to be used for deriving type names. +## +## # +template(`git_role_template',` - tunable_policy(`gitd_session_transition', ` - domtrans_pattern($2, gitd_exec_t, gitd_session_t) - ', ` - can_exec($2, gitd_exec_t) + gen_require(` + class context contains; + role system_r; ') - allow $2 gitd_session_t:process { ptrace signal_perms }; - ps_process_pattern($2, gitd_session_t) + ######################################## + # + # Git daemon role shared declarations. + # + + attribute $1_usertype; - exec_files_pattern($2, git_home_t, git_home_t) - manage_dirs_pattern($2, git_home_t, git_home_t) - manage_files_pattern($2, git_home_t, git_home_t) + type $1_t; + userdom_unpriv_usertype($1, $1_t) + domain_type($1_t) - relabel_dirs_pattern($2, git_home_t, git_home_t) - relabel_files_pattern($2, git_home_t, git_home_t) + role $1_r types $1_t; + allow system_r $1_r; + + ######################################## + # + # Git daemon role shared policy. 
+ # + + allow $1_t self:context contains; + allow $1_t self:fifo_file rw_fifo_file_perms; + + corecmd_exec_bin($1_t) + corecmd_bin_entry_type($1_t) + corecmd_shell_entry_type($1_t) + + domain_interactive_fd($1_t) + domain_user_exemption_target($1_t) + + kernel_read_system_state($1_t) + + files_read_etc_files($1_t) + files_dontaudit_search_home($1_t) + + miscfiles_read_localization($1_t) + + git_rwx_generic_system_content($1_t) + + ssh_rw_stream_sockets($1_t) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1_t) + fs_manage_cifs_dirs($1_t) + fs_manage_cifs_files($1_t) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1_t) + fs_manage_nfs_dirs($1_t) + fs_manage_nfs_files($1_t) + ') + + optional_policy(` + nscd_read_pid($1_t) + ') +') + +####################################### +## +## Allow specified domain access to the +## specified Git daemon content. +## +## +## +## Domain allowed access. +## +## +## +## +## Type of the object that access is allowed to. +## +## +# +interface(`git_content_delegation',` + gen_require(` + type $1, $2; + ') + + exec_files_pattern($1, $2, $2) + manage_dirs_pattern($1, $2, $2) + manage_files_pattern($1, $2, $2) + files_search_var($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') ') ######################################## ## -## Allow the specified domain to execute -## Git daemon data files. +## Allow the specified domain to manage +## and execute all Git daemon content. ## ## ## 
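Review bot: `git_role_template` calls `git_rwx_generic_system_content($1_t)` unconditionally, so every user derived from the template gets write and execute on all `git_system_content_t` repositories, even though the same hunk adds `git_content_delegation` precisely for per-repository delegation; consider keeping the template read-only by default and leaving the blanket grant to a tunable or to the caller. Also `git_session_role` now performs `domtrans_pattern($2, gitd_exec_t, git_session_t)` unconditionally where the removed `gitd_session_transition` tunable offered `can_exec` as the alternative; if that is intended, the interface summary (outside the hunk) should say the transition is no longer optional.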
@@ -98,19 +199,46 @@ ## ## # -interface(`git_execute_data_files', ` +interface(`git_rwx_all_content',` gen_require(` - type git_data_t; + attribute git_content; ') - exec_files_pattern($1, git_data_t, git_data_t) + exec_files_pattern($1, git_content, git_content) + manage_dirs_pattern($1, git_content, git_content) + manage_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) files_search_var($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') ') ######################################## ## ## Allow the specified domain to manage -## Git daemon data content. +## and execute all Git daemon system content. ## ## ## 
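Review bot: `git_execute_data_files` is removed rather than kept as a deprecated wrapper, and the later git.if hunks do the same for `git_manage_data_content`, `git_manage_home_content`, `git_read_home_content`, `git_read_data_content`, `git_relabel_data_content`, `git_relabel_home_content` and `git_system_admin`, while git.te preserves only the type name via `typealias git_system_content_t alias git_data_t;`; any other module calling these interfaces will fail to build. The refpolicy convention is a stub that emits `refpolicywarn(`$0($*) has been deprecated, use git_rwx_all_content() instead.')` and forwards to the replacement. Within the new body, the `use_samba_home_dirs` and `git_system_use_cifs` blocks (and the two NFS blocks) are identical, so `tunable_policy(`use_samba_home_dirs || git_system_use_cifs',` would halve the repetition here and in the sibling interfaces.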
@@ -119,20 +247,33 @@ ## ## # -interface(`git_manage_data_content', ` +interface(`git_rwx_all_system_content',` gen_require(` - type git_data_t; + attribute git_system_content; ') - manage_dirs_pattern($1, git_data_t, git_data_t) - manage_files_pattern($1, git_data_t, git_data_t) + exec_files_pattern($1, git_system_content, git_system_content) + manage_dirs_pattern($1, git_system_content, git_system_content) + manage_files_pattern($1, git_system_content, git_system_content) files_search_var($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') ') ######################################## ## ## Allow the specified domain to manage -## Git daemon home content. +## and execute Git daemon generic system content. ## ## ## @@ -141,20 +282,33 @@ ## ## # -interface(`git_manage_home_content', ` +interface(`git_rwx_generic_system_content',` gen_require(` - type git_home_t; + type git_system_content_t; + ') + + exec_files_pattern($1, git_system_content_t, git_system_content_t) + manage_dirs_pattern($1, git_system_content_t, git_system_content_t) + manage_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) ') - manage_dirs_pattern($1, git_home_t, git_home_t) - manage_files_pattern($1, git_home_t, git_home_t) - files_search_home($1) + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') ') ######################################## ## ## Allow the specified domain to read -## Git daemon home content. +## all Git daemon content files. ## ## ## 
@@ -163,20 +317,41 @@ ## ## # -interface(`git_read_home_content', ` +interface(`git_read_all_content_files',` gen_require(` - type git_home_t; + attribute git_content; + ') + + list_dirs_pattern($1, git_content, git_content) + read_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) ') - list_dirs_pattern($1, git_home_t, git_home_t) - read_files_pattern($1, git_home_t, git_home_t) - files_search_home($1) + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') ') ######################################## ## ## Allow the specified domain to read -## Git daemon data content. +## Git daemon session content files. ## ## ## @@ -185,20 +360,30 @@ ## ## # -interface(`git_read_data_content', ` +interface(`git_read_session_content_files',` gen_require(` - type git_data_t; + type git_session_content_t; ') - list_dirs_pattern($1, git_data_t, git_data_t) - read_files_pattern($1, git_data_t, git_data_t) - files_search_var($1) + list_dirs_pattern($1, git_session_content_t, git_session_content_t) + read_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') ') ######################################## ## -## Allow the specified domain to relabel -## Git daemon data content. +## Allow the specified domain to read +## all Git daemon system content files. ## ## ## 
@@ -207,20 +392,30 @@ ## ## # -interface(`git_relabel_data_content', ` +interface(`git_read_all_system_content_files',` gen_require(` - type git_data_t; + attribute git_system_content; ') - relabel_dirs_pattern($1, git_data_t, git_data_t) - relabel_files_pattern($1, git_data_t, git_data_t) - files_search_var($1) + list_dirs_pattern($1, git_system_content, git_system_content) + read_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') ') ######################################## ## -## Allow the specified domain to relabel -## Git daemon home content. +## Allow the specified domain to read +## Git daemon generic system content files. ## ## ## 
@@ -229,57 +424,112 @@ ## ## # -interface(`git_relabel_home_content', ` +interface(`git_read_generic_system_content_files',` gen_require(` - type git_home_t; + type git_system_content_t; ') - relabel_dirs_pattern($1, git_home_t, git_home_t) - relabel_files_pattern($1, git_home_t, git_home_t) - files_search_home($1) + list_dirs_pattern($1, git_system_content_t, git_system_content_t) + read_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') ') ######################################## ## -## All of the rules required to administrate an -## Git daemon system environment +## Allow the specified domain to relabel +## all Git daemon content. ## -## +## ## -## Prefix of the domain. Example, user would be -## the prefix for the user_t domain. +## Domain allowed access. ## ## +## +# +interface(`git_relabel_all_content',` + gen_require(` + attribute git_content; + ') + + relabel_dirs_pattern($1, git_content, git_content) + relabel_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) +') + +######################################## +## +## Allow the specified domain to relabel +## all Git daemon system content. +## ## ## ## Domain allowed access. ## ## -## +## +# +interface(`git_relabel_all_system_content',` + gen_require(` + attribute git_system_content; + ') + + relabel_dirs_pattern($1, git_system_content, git_system_content) + relabel_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) +') + +######################################## ## -## The role to be allowed to manage the Git daemon domain. +## Allow the specified domain to relabel +## Git daemon generic system content. +## +## +## +## Domain allowed access. 
## ## ## # -interface(`git_system_admin', ` +interface(`git_relabel_generic_system_content',` gen_require(` - type gitd_t, gitd_exec_t; + type git_system_content_t; ') - allow $1 gitd_t:process { getattr ptrace signal_perms }; - ps_process_pattern($1, gitd_t) - - kernel_search_proc($1) - - manage_files_pattern($1, gitd_exec_t, gitd_exec_t) - - # This will not work since git-shell needs to execute gitd content thus public content files. - # There is currently no clean way to execute public content files. - # miscfiles_manage_public_files($1) + relabel_dirs_pattern($1, git_system_content_t, git_system_content_t) + relabel_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) +') - git_manage_data_content($1) - git_relabel_data_content($1) +######################################## +## +## Allow the specified domain to relabel +## Git daemon session content. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`git_relabel_session_content',` + gen_require(` + type git_session_content_t; + ') - seutil_domtrans_setfiles($1) + relabel_dirs_pattern($1, git_session_content_t, git_session_content_t) + relabel_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100 +++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-02-09 12:46:59.675881993 +0100 @@ -1,13 +1,5 @@ -policy_module(git, 1.0) - -attribute gitd_type; -attribute git_content_type; - -######################################## -# -# Git daemon system private declarations. -# +policy_module(git, 1.0.3) ## ##

@@ -34,20 +26,29 @@ # # Git daemon global private declarations. # + +attribute git_domains; +attribute git_system_content; +attribute git_content; + type gitd_exec_t; -type gitd_t, gitd_type; -inetd_service_domain(gitd_t, gitd_exec_t) -role system_r types gitd_t; +######################################## +# +# Git daemon system private declarations. +# -type git_data_t, git_content_type; -files_type(git_data_t) +type git_system_t, git_domains; +inetd_service_domain(git_system_t, gitd_exec_t) +role system_r types git_system_t; -permissive gitd_t; +type git_system_content_t, git_system_content, git_content; +files_type(git_system_content_t) +typealias git_system_content_t alias git_data_t; ######################################## # -# Git daemon session session private declarations. +# Git daemon session private declarations. # ## 
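Review bot: Dropping `permissive gitd_t;` here (and `permissive gitd_session_t;` in the next hunk) switches the module from permissive to enforcing inside the same change that renames every type and interface, yet nothing beyond the `1.0.3` version bump records it. A short note in the commit description or a comment at the declarations would make the enforcement change discoverable when denials appear; the `typealias ... alias git_data_t` line is a good model of the compatibility care the rest of the rename lacks.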
@@ -58,85 +59,82 @@ ## gen_tunable(git_session_bind_all_unreserved_ports, false) -type gitd_session_t, gitd_type; -application_domain(gitd_session_t, gitd_exec_t) -ubac_constrained(gitd_session_t) - -type git_home_t, git_content_type; -userdom_user_home_content(git_home_t) +type git_session_t, git_domains; +application_domain(git_session_t, gitd_exec_t) +ubac_constrained(git_session_t) -permissive gitd_session_t; +type git_session_content_t, git_content; +userdom_user_home_content(git_session_content_t) ######################################## # # Git daemon global private policy. # -allow gitd_type self:fifo_file rw_fifo_file_perms; -allow gitd_type self:tcp_socket create_socket_perms; -allow gitd_type self:udp_socket create_socket_perms; -allow gitd_type self:unix_dgram_socket create_socket_perms; +allow git_domains self:fifo_file rw_fifo_file_perms; +allow git_domains self:netlink_route_socket create_netlink_socket_perms; +allow git_domains self:tcp_socket { create_socket_perms listen }; +allow git_domains self:udp_socket create_socket_perms; +allow git_domains self:unix_dgram_socket create_socket_perms; -corenet_all_recvfrom_netlabel(gitd_type) -corenet_all_recvfrom_unlabeled(gitd_type) +corenet_all_recvfrom_netlabel(git_domains) +corenet_all_recvfrom_unlabeled(git_domains) -corenet_tcp_sendrecv_all_if(gitd_type) -corenet_tcp_sendrecv_all_nodes(gitd_type) -corenet_tcp_sendrecv_all_ports(gitd_type) +corenet_tcp_bind_generic_node(git_domains) -corenet_tcp_bind_all_nodes(gitd_type) -corenet_tcp_bind_git_port(gitd_type) +corenet_tcp_sendrecv_generic_if(git_domains) +corenet_tcp_sendrecv_generic_node(git_domains) +corenet_tcp_sendrecv_generic_port(git_domains) -corecmd_exec_bin(gitd_type) +corenet_tcp_bind_git_port(git_domains) +corenet_sendrecv_git_server_packets(git_domains) -files_read_etc_files(gitd_type) -files_read_usr_files(gitd_type) +corecmd_exec_bin(git_domains) -fs_search_auto_mountpoints(gitd_type) +files_read_etc_files(git_domains) 
+files_read_usr_files(git_domains) -kernel_read_system_state(gitd_type) +fs_search_auto_mountpoints(git_domains) -logging_send_syslog_msg(gitd_type) +kernel_read_system_state(git_domains) -auth_use_nsswitch(gitd_type) +auth_use_nsswitch(git_domains) -miscfiles_read_localization(gitd_type) +logging_send_syslog_msg(git_domains) + +miscfiles_read_localization(git_domains) ######################################## # # Git daemon system repository private policy. # -list_dirs_pattern(gitd_t, git_content_type, git_content_type) -read_files_pattern(gitd_t, git_content_type, git_content_type) -files_search_var(gitd_t) - -# This will not work since git-shell needs to execute gitd content thus public content files. -# There is currently no clean way to execute public content files. -# miscfiles_read_public_files(gitd_t) +list_dirs_pattern(git_system_t, git_content, git_content) +read_files_pattern(git_system_t, git_content, git_content) +files_search_var(git_system_t) tunable_policy(`git_system_enable_homedirs', ` - userdom_search_user_home_dirs(gitd_t) + userdom_search_user_home_dirs(git_system_t) ') tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` - fs_list_nfs(gitd_t) - fs_read_nfs_files(gitd_t) + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) ') tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` - fs_list_cifs(gitd_t) - fs_read_cifs_files(gitd_t) + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) ') tunable_policy(`git_system_use_cifs', ` - fs_list_cifs(gitd_t) - fs_read_cifs_files(gitd_t) + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) ') tunable_policy(`git_system_use_nfs', ` - fs_list_nfs(gitd_t) - fs_read_nfs_files(gitd_t) + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) ') ######################################## 
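Review bot: `allow git_domains self:netlink_route_socket create_netlink_socket_perms;` and the added `listen` on tcp_socket are granted to the whole attribute, which covers the per-user `git_session_t` as well as the inetd-spawned `git_system_t`; if only the system daemon is expected to listen, `listen` belongs on `git_system_t`. Neither addition carries a comment on the operation it resolves; a short `# why` on the netlink line would keep that grant reviewable. The narrowing from `corenet_tcp_sendrecv_all_*` to the `generic_*` interfaces is a welcome tightening.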
@@ -144,24 +142,24 @@ # Git daemon session repository private policy. # -list_dirs_pattern(gitd_session_t, git_home_t, git_home_t) -read_files_pattern(gitd_session_t, git_home_t, git_home_t) -userdom_search_user_home_dirs(gitd_session_t) +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) +userdom_search_user_home_dirs(git_session_t) -userdom_use_user_terminals(gitd_session_t) +userdom_use_user_terminals(git_session_t) tunable_policy(`git_session_bind_all_unreserved_ports', ` - corenet_tcp_bind_all_unreserved_ports(gitd_session_t) + corenet_tcp_bind_all_unreserved_ports(git_session_t) ') tunable_policy(`use_nfs_home_dirs', ` - fs_list_nfs(gitd_session_t) - fs_read_nfs_files(gitd_session_t) + fs_list_nfs(git_session_t) + fs_read_nfs_files(git_session_t) ') tunable_policy(`use_samba_home_dirs', ` - fs_list_cifs(gitd_session_t) - fs_read_cifs_files(gitd_session_t) + fs_list_cifs(git_session_t) + fs_read_cifs_files(git_session_t) ') ######################################## @@ -169,5 +167,16 @@ # cgi git Declarations # +optional_policy(` apache_content_template(git) -git_read_data_content(httpd_git_script_t) + git_read_session_content_files(httpd_git_script_t) + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +') + +######################################## +# +# Git-shell private policy. +# + +#git_role_template(git_shell) +#gen_user(git_shell_u, user, git_shell_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100 +++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-22 17:08:10.300604739 +0100 
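Review bot: `git_read_session_content_files(httpd_git_script_t)` replaces `git_read_data_content(httpd_git_script_t)`, but per the git.fc hunk `/srv/git` and `/var/lib/git` now carry `git_system_content_t` (aliased from the old `git_data_t`), while the new interface covers only `git_session_content_t` under HOME_DIR; cgit/gitweb serving system repositories therefore loses the read access it previously had. Add `git_read_all_system_content_files(httpd_git_script_t)` alongside it, or use `git_read_all_content_files`. The trailing `#git_role_template(git_shell)` and `#gen_user(...)` lines are commented-out code; either enable them behind a tunable or leave them out of the module.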
@@ -85,7 +85,7 @@ seutil_dontaudit_read_file_contexts($1) optional_policy(` - sssd_read_config_files($1) + sssd_read_public_files($1) ') tunable_policy(`allow_kerberos',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-02-09 10:45:23.074866029 +0100 @@ -1,8 +1,12 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/dirsrv.* -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) +/usr/sbin/ns-slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) ifdef(`distro_debian',` /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) 
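Review bot: `/etc/openldap/slapd\.d(/.*)?` is labelled `slapd_db_t`, the database type, while `slapd\.conf` beside it keeps the read-oriented `slapd_etc_t`; this makes the daemon's on-disk configuration writable with whatever manage rules slapd_t has on its database (not visible in this hunk). If that is intended for the cn=config backend, a comment on the line, `# cn=config backend is rewritten by slapd`, records why the config tree is not `slapd_etc_t`. The `ns-slapd` and `dirsrv` entries also fold 389 Directory Server into the openldap domain without a note that the two products now share one policy.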
@@ -10,8 +14,12 @@ /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) +/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + +/var/log/dirsrv(/.*)? gen_context(system_u:object_r:slapd_log_t,s0) /var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-01-29 10:41:13.184864510 +0100 @@ -28,6 +28,9 @@ type slapd_replog_t; files_type(slapd_replog_t) +type slapd_log_t; +logging_log_file(slapd_log_t) + type slapd_tmp_t; files_tmp_file(slapd_tmp_t) @@ -68,6 +71,10 @@ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) +manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) + manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-18 18:24:22.806540025 +0100 +++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-02-01 20:50:49.950161278 +0100 
@@ -1,5 +1,5 @@ -policy_module(lircd, 1.0.0) +policy_module(lircd, 1.0.1) ######################################## # @@ -24,9 +24,10 @@ # lircd local policy # -allow lircd_t self:process signal; +allow lircd_t self:capability { chown kill sys_admin }; +allow lircd_t self:process { fork signal }; allow lircd_t self:unix_dgram_socket create_socket_perms; -allow lircd_t self:fifo_file rw_file_perms; +allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:tcp_socket create_stream_socket_perms; # etc file diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100 @@ -55,6 +55,7 @@ apache_search_sys_script_state(mailman_cgi_t) apache_read_config(mailman_cgi_t) apache_dontaudit_rw_stream_sockets(mailman_cgi_t) + apache_dontaudit_leaks(mailman_cgi_t) ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100 +++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100 @@ -1,5 +1,5 @@ -policy_module(memcached, 1.1.0) +policy_module(memcached, 1.1.1) ######################################## # 
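Review bot: `allow lircd_t self:capability { chown kill sys_admin };` adds `sys_admin`, the catch-all capability, with no comment on which operation needs it; in this tree such grants are normally justified inline (`# sys_admin: <operation>`) or replaced by a `dontaudit` when the denial is harmless. `kill` likewise is broader than the `signal` permission the domain already had on itself, since it allows signalling processes of other users; please state the intended target.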
@@ -22,9 +22,12 @@ # allow memcached_t self:capability { setuid setgid }; +dontaudit memcached_t self:capability sys_tty_config; +allow memcached_t self:process { fork setrlimit signal_perms }; allow memcached_t self:tcp_socket create_stream_socket_perms; allow memcached_t self:udp_socket { create_socket_perms listen }; allow memcached_t self:fifo_file rw_fifo_file_perms; +allow memcached_t self:unix_stream_socket create_stream_socket_perms; corenet_all_recvfrom_unlabeled(memcached_t) corenet_udp_sendrecv_generic_if(memcached_t) @@ -42,12 +45,15 @@ manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) -files_read_etc_files(memcached_t) - +kernel_read_kernel_sysctls(memcached_t) kernel_read_system_state(memcached_t) +files_read_etc_files(memcached_t) + auth_use_nsswitch(memcached_t) miscfiles_read_localization(memcached_t) -sysnet_dns_name_resolve(memcached_t) +term_dontaudit_use_all_user_ptys(memcached_t) +term_dontaudit_use_all_user_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-18 18:24:22.812540439 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-02-09 12:33:50.721866005 +0100 @@ -786,6 +786,25 @@ allow $1 mqueue_spool_t:dir search_dir_perms; ') +##################################### +##

+## List the mail queue. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_list_queue',` + gen_require(` + type mqueue_spool_t; + ') + + allow $1 mqueue_spool_t:dir list_dir_perms; + files_search_spool($1) +') + ####################################### ## ## Read the mail queue. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-02-02 10:43:31.244162625 +0100 @@ -132,6 +132,7 @@ optional_policy(` fail2ban_append_log(system_mail_t) + fail2ban_dontaudit_leaks(system_mail_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100 +++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-02-09 12:34:15.400865901 +0100 @@ -134,6 +134,7 @@ optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) + mta_list_queue(munin_t) mta_read_queue(munin_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-02-08 11:12:04.320336459 +0100 
@@ -44,7 +44,7 @@ # Local policy # -allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; +allow mysqld_t self:capability { dac_override setgid setuid sys_resource ipc_lock net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; @@ -147,6 +147,8 @@ dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; +allow mysqld_safe_t mysqld_t:process signal_perms; + domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-02-09 13:30:45.031616023 +0100 
@@ -23,30 +23,66 @@ /usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) /usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - +# admin plugins +/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) # check disk plugins /usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) # system plugins -/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) # services plugins /usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ircd -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_snmp.* -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-02-09 12:44:57.821616516 +0100 @@ -150,6 +150,8 @@ # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + allow nagios_t nagios_$1_plugin_t:process signal_perms; + # cjp: leaked file descriptor dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-02-09 13:29:19.023616028 +0100 @@ -45,6 +45,11 @@ type nrpe_var_run_t; files_pid_file(nrpe_var_run_t) +# creates nagios_admin_plugin_exec_t for executable +# and nagios_admin_plugin_t for domain +nagios_plugin_template(admin) +permissive nagios_admin_plugin_t; + # creates nagios_checkdisk_plugin_exec_t for executable # and nagios_checkdisk_plugin_t for domain nagios_plugin_template(checkdisk) 
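Review bot: `check_breeze` and `check_dummy` are added under the `# system plugins` heading but labelled `nagios_services_plugin_exec_t`, so the section comment no longer describes its entries; move the two lines under `# services plugins` or relabel them. `check_by_ssh` receives `nagios_unconfined_plugin_exec_t`, which takes that plugin out of the confined plugin domains entirely; a comment stating why it cannot run in the services plugin domain would document the exception.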
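Review bot: `permissive nagios_admin_plugin_t;` ships the new admin plugin domain in permissive mode, so denials for it are logged but not enforced; that is acceptable while the policy is being collected, but the line should carry a comment with the intended removal point, e.g. `# TODO: drop permissive once the admin plugin policy is complete`. Without it the permissive marker tends to survive into releases.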
@@ -118,6 +123,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) +corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) + dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) @@ -264,6 +272,41 @@ udev_read_db(nrpe_t) ') +###################################### +# +# local policy for admin check plugins +# + +allow nagios_admin_plugin_t self:capability { setuid setgid dac_override }; + +allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_admin_plugin_t self:udp_socket create_socket_perms; + +kernel_read_system_state(nagios_admin_plugin_t) +kernel_read_kernel_sysctls(nagios_admin_plugin_t) + +corecmd_read_bin_files(nagios_admin_plugin_t) +corecmd_read_bin_symlinks(nagios_admin_plugin_t) + +dev_read_urand(nagios_admin_plugin_t) + +files_read_etc_files(nagios_admin_plugin_t) + +libs_use_lib_files(nagios_admin_plugin_t) +libs_use_ld_so(nagios_admin_plugin_t) + +logging_send_syslog_msg(nagios_admin_plugin_t) + +sysnet_read_config(nagios_admin_plugin_t) + +nscd_dontaudit_search_pid(nagios_admin_plugin_t) + +optional_policy(` + mta_read_config(nagios_admin_plugin_t) + mta_list_queue(nagios_admin_plugin_t) + mta_read_queue(nagios_admin_plugin_t) + mta_sendmail_exec(nagios_admin_plugin_t) +') ###################################### # @@ -315,6 +358,10 @@ mysql_stream_connect(nagios_services_plugin_t) ') +optional_policy(` + snmp_read_snmp_var_lib_files(nagios_services_plugin_t) +') + ###################################### # # local policy for system check plugins diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-01-18 18:24:22.823530245 +0100 +++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2010-02-01 18:05:10.499091573 +0100 
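Review bot: `allow nagios_admin_plugin_t self:capability { setuid setgid dac_override };` grants `dac_override` to a domain whose only listed file access is the mail queue via `mta_list_queue`/`mta_read_queue`, so the capability may be covering an access those interfaces already provide; if an audit record shows it is needed, a comment naming the path would justify it, otherwise drop it and retest. The `corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)` and `corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)` lines in the earlier hunk would likewise benefit from a comment saying which plugin triggers the bind attempt.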
@@ -17,6 +17,7 @@
 /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 /var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wicd.* gen_context(system_u:object_r:NetworkManager_log_t,s0)
 /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
 /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-01-18 18:24:22.825542512 +0100
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-02-01 20:40:02.343160698 +0100
@@ -51,6 +51,7 @@
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 can_exec(NetworkManager_t, NetworkManager_exec_t)
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2010-01-18 18:24:22.826540614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2010-01-29 09:57:02.171614102 +0100
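Review bot: `can_exec(NetworkManager_t, NetworkManager_tmp_t)` lets the daemon execute files of its own temporary type, so anything written under /tmp with that label becomes executable for it; a comment naming the helper that requires this would let a reader confirm later that the grant is still needed. If only one specific helper is run, a dedicated exec type keeps the rest of the temporary files non-executable.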
@@ -14,3 +14,8 @@
 /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
 /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2010-01-18 18:24:22.828542614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.te 2010-01-29 09:57:06.796318812 +0100
@@ -47,6 +47,9 @@
 type ypxfr_exec_t;
 init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+type ypxfr_var_run_t;
+files_pid_file(ypxfr_var_run_t)
+
 type nis_initrc_exec_t;
 init_script_file(nis_initrc_exec_t)
@@ -312,6 +315,9 @@
 allow ypxfr_t ypserv_conf_t:file read_file_perms;
+manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
+files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+
 corenet_all_recvfrom_unlabeled(ypxfr_t)
 corenet_all_recvfrom_netlabel(ypxfr_t)
 corenet_tcp_sendrecv_generic_if(ypxfr_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100
@@ -18,6 +18,24 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) ') +####################################### +## +## Execute the NX server. +## +## +## +## Domain allowed access. +## +## +# +interface(`nx_exec_server',` + gen_require(` + type nx_server_exec_t; + ') + + can_exec($1, nx_server_exec_t) +') + ######################################## ## ## Read nx home directory content diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100 +++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-26 14:19:37.820463477 +0100 @@ -85,6 +85,7 @@ corenet_udp_bind_generic_node(openvpn_t) corenet_tcp_bind_openvpn_port(openvpn_t) corenet_udp_bind_openvpn_port(openvpn_t) +corenet_tcp_bind_http_port(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_connect_http_cache_port(openvpn_t) @@ -102,6 +103,9 @@ auth_use_pam(openvpn_t) +init_read_utmp(openvpn_t) +init_dontaudit_write_utmp(openvpn_t) + logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100 +++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-02-09 10:12:27.273913281 +0100 
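Review bot: `corenet_tcp_bind_http_port(openvpn_t)` lets the VPN daemon listen on the HTTP port, while the lines around it only bind the OpenVPN port and connect out to http ports; a comment naming the deployment that needs a listener on that port would explain the grant, and if it is site-specific a boolean gating it would be the refpolicy way to keep the default narrow. The `init_dontaudit_write_utmp(openvpn_t)` line in the next hunk is fine but also reads better with a note on what triggers the write.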
@@ -41,6 +41,19 @@
 allow plymouthd_t self:fifo_file rw_fifo_file_perms;
 allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
+
 kernel_read_system_state(plymouthd_t)
 kernel_request_load_module(plymouthd_t)
 kernel_change_ring_buffer_level(plymouthd_t)
@@ -56,21 +69,9 @@ files_read_usr_files(plymouthd_t) miscfiles_read_localization(plymouthd_t) +miscfiles_manage_fonts_cache(plymouthd_t) miscfiles_read_fonts(plymouthd_t) -manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) - -manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file }) - ######################################## # # Plymouth private policy @@ -80,8 +81,11 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; +kernel_read_system_state(plymouth_t) kernel_stream_connect(plymouth_t) +term_use_ptmx(plymouth_t) + domain_use_interactive_fds(plymouth_t) files_read_etc_files(plymouth_t) @@ -90,6 +94,8 @@ plymouth_stream_connect(plymouth_t) +sysnet_read_config(plymouth_t) + optional_policy(` lvm_domtrans(plymouth_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100 +++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-02-02 15:30:16.529067989 +0100 @@ -89,6 +89,10 @@ ') ') +optional_policy(` + gnome_read_config(policykit_t) +') + ######################################## # # polkit_auth local policy 
@@ -115,6 +119,8 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) +dev_read_video_dev(policykit_auth_t) + files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) files_search_home(policykit_auth_t) @@ -129,7 +135,9 @@ miscfiles_read_localization(policykit_auth_t) miscfiles_read_fonts(policykit_auth_t) +miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) userdom_dontaudit_read_user_home_content_files(policykit_auth_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100 +++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100 @@ -443,6 +443,7 @@ optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) + spamassassin_kill_client(postfix_pipe_t) ') optional_policy(` @@ -486,7 +487,7 @@ ') optional_policy(` - sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t) + sendmail_rw_unix_stream_sockets(postfix_postdrop_t) ') optional_policy(` @@ -573,6 +574,8 @@ # Postfix smtp delivery local policy # +allow postfix_smtp_t self:capability { sys_chroot }; + # connect to master process stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.32/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ppp.fc 2010-02-01 15:04:13.696080784 +0100 
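Review bot: Replacing `sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)` with `sendmail_rw_unix_stream_sockets(postfix_postdrop_t)` turns a silenced access into a granted one; if the socket is a descriptor inherited from the sendmail caller rather than one postdrop itself needs, the usual fix is to keep the dontaudit and close the descriptor in the caller. A comment on the new line saying which message flow needs the socket would settle that. `userdom_read_admin_home_files(policykit_auth_t)` in the policykit hunk above has the same gap: it should name the file under the admin home that the agent reads.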
@@ -3,6 +3,8 @@ # /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) +/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) + /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-01 17:54:50.906099781 +0100 @@ -71,7 +71,7 @@ # PPPD Local policy # -allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; +allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override }; dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process signal; allow pppd_t self:fifo_file rw_fifo_file_perms; @@ -192,6 +192,10 @@ ') optional_policy(` + hal_dontaudit_rw_dgram_sockets(pppd_t) +') + +optional_policy(` mta_send_mail(pppd_t) mta_system_content(pppd_etc_t) mta_system_content(pppd_etc_rw_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2010-01-18 18:24:22.861530469 +0100 +++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2010-01-26 15:37:38.488473779 +0100 
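Review bot: `/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)` leaves the dot unescaped, while `/etc/rc\.d/init\.d/ppp` in the same hunk escapes it; the path column is a regular expression, so `/root/\.ppprc` is the intended form. In the ppp.te hunk, `sys_admin` is added to pppd_t's capability set with no comment on the operation that requires it; a one-line rationale there keeps the broad grant reviewable.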
@@ -250,6 +250,8 @@ files_read_etc_files(prelude_lml_t) files_read_etc_runtime_files(prelude_lml_t) +fs_getattr_all_fs(prelude_lml_t) +fs_list_inotifyfs(prelude_lml_t) fs_rw_anon_inodefs_files(prelude_lml_t) auth_use_nsswitch(prelude_lml_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-01-18 18:24:22.870539995 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-01-29 10:16:32.195864190 +0100 @@ -16,7 +16,7 @@ ') corecmd_search_bin($1) - domrans_pattern($1,rgmanager_exec_t,rgmanager_t) + domtrans_pattern($1,rgmanager_exec_t,rgmanager_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-04 21:16:05.525935129 +0100 @@ -22,6 +22,9 @@ type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) +type rgmanager_tmpfs_t; +files_tmpfs_file(rgmanager_tmpfs_t) + # log files type rgmanager_var_log_t; logging_log_file(rgmanager_var_log_t) @@ -51,6 +54,10 @@ manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) +manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file }) + # log files manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t) logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file }) 
@@ -60,9 +67,6 @@ manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file }) -aisexec_stream_connect(rgmanager_t) -groupd_stream_connect(rgmanager_t) - corecmd_exec_bin(rgmanager_t) corecmd_exec_sbin(rgmanager_t) corecmd_exec_shell(rgmanager_t) @@ -74,7 +78,8 @@ fs_getattr_xattr_fs(rgmanager_t) # need to write to /dev/misc/dlm-control -dev_manage_generic_chr_files(rgmanager_t) +dev_rw_dlm_control(rgmanager_t) +dev_setattr_dlm_control(rgmanager_t) dev_search_sysfs(rgmanager_t) domain_read_all_domains_state(rgmanager_t) @@ -109,6 +114,11 @@ ') # rgmanager can run resource scripts +optional_policy(` + aisexec_stream_connect(rgmanager_t) + corosync_stream_connect(rgmanager_t) + groupd_stream_connect(rgmanager_t) +') optional_policy(` apache_domtrans(rgmanager_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-04 14:38:28.643078705 +0100 
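Review bot: The new `optional_policy(`` block at `@@ -109,6 +114,11 @@` bundles `aisexec_stream_connect`, `corosync_stream_connect` and `groupd_stream_connect`, interfaces from three different modules, into a single block, so an optional block whose requirements are not all met is dropped as a unit and the other two connections silently disappear with it. Refpolicy convention is one `optional_policy` block per module; splitting it into three blocks keeps each dependency independent. The same grouping appears in the rhcs.te hunks below for dlm_controld_t, gfs_controld_t and qdiskd_t, whereas the fenced_t hunk already separates the ccs block from the aisexec/corosync one.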
@@ -1,19 +1,19 @@
-/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
 /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
 /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
 /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
 /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
 /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
 /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
 /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
 /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
 /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
 /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-04 21:25:24.804186866 +0100
@@ -126,12 +126,11 @@ files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file }) stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -aisexec_stream_connect(dlm_controld_t) -ccs_stream_connect(dlm_controld_t) -groupd_stream_connect(dlm_controld_t) +stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) kernel_read_system_state(dlm_controld_t) +dev_rw_dlm_control(dlm_controld_t) dev_rw_sysfs(dlm_controld_t) fs_manage_configfs_files(dlm_controld_t) @@ -146,6 +145,12 @@ miscfiles_read_localization(dlm_controld_t) +optional_policy(` + aisexec_stream_connect(dlm_controld_t) + ccs_stream_connect(dlm_controld_t) + corosync_stream_connect(dlm_controld_t) +') + ####################################### # # fenced local policy @@ -183,8 +188,6 @@ files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -aisexec_stream_connect(fenced_t) -ccs_stream_connect(fenced_t) corecmd_exec_bin(fenced_t) @@ -214,9 +217,11 @@ optional_policy(` ccs_read_config(fenced_t) + ccs_stream_connect(fenced_t) ') optional_policy(` + aisexec_stream_connect(fenced_t) corosync_stream_connect(fenced_t) ') 
@@ -253,19 +258,17 @@ manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file }) -stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) - -aisexec_stream_connect(gfs_controld_t) -ccs_stream_connect(gfs_controld_t) -groupd_stream_connect(gfs_controld_t) +stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) kernel_read_system_state(gfs_controld_t) storage_getattr_removable_dev(gfs_controld_t) -dev_manage_generic_chr_files(gfs_controld_t) -#dev_read_sysfs(gfs_controld_t) +dev_rw_dlm_control(gfs_controld_t) +dev_setattr_dlm_control(gfs_controld_t) + dev_rw_sysfs(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -278,6 +281,12 @@ miscfiles_read_localization(gfs_controld_t) optional_policy(` + aisexec_stream_connect(gfs_controld_t) + ccs_stream_connect(gfs_controld_t) + corosync_stream_connect(gfs_controld_t) +') + +optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') @@ -309,8 +318,6 @@ manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) files_pid_filetrans(groupd_t, groupd_var_run_t, { file }) -aisexec_stream_connect(groupd_t) - dev_list_sysfs(groupd_t) files_read_etc_files(groupd_t) @@ -326,6 +333,10 @@ logging_send_syslog_msg(groupd_t) +optional_policy(` + aisexec_stream_connect(groupd_t) +') + ###################################### # # qdiskd local policy @@ -359,9 +370,6 @@ manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file }) -aisexec_stream_connect(qdiskd_t) -ccs_stream_connect(qdiskd_t) - corecmd_getattr_sbin_files(qdiskd_t) corecmd_exec_shell(qdiskd_t) 
@@ -399,6 +407,11 @@ miscfiles_read_localization(qdiskd_t) optional_policy(` + aisexec_stream_connect(qdiskd_t) + ccs_stream_connect(qdiskd_t) +') + +optional_policy(` netutils_domtrans_ping(qdiskd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 +++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-09 10:52:45.543866160 +0100 @@ -208,7 +208,7 @@ files_read_usr_symlinks(samba_net_t) auth_use_nsswitch(samba_net_t) -auth_rw_cache(samba_net_t) +auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -286,6 +286,8 @@ allow smbd_t winbind_t:process { signal signull }; +allow smbd_t swat_t:process signal; + kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) @@ -327,6 +329,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) auth_domtrans_upd_passwd(smbd_t) +auth_manage_cache(smbd_t) domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) @@ -350,7 +353,7 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) -userdom_dontaudit_search_user_home_dirs(smbd_t) +userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) usermanage_read_crack_db(smbd_t) @@ -485,6 +488,8 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +allow nmbd_t swat_t:process signal; + allow nmbd_t smbcontrol_t:process signal; allow nmbd_t smbd_var_run_t:dir rw_dir_perms; @@ -661,6 +666,7 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; +samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow swat_t nmbd_exec_t:file mmap_file_perms; 
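Review bot: In the samba hunk `@@ -350,7 +353,7 @@`, replacing `userdom_dontaudit_search_user_home_dirs(smbd_t)` with `userdom_search_user_home_content(smbd_t)` turns a silenced denial into an unconditional allow to search every directory inside user home trees. Home directory access for smbd is normally gated by a boolean (presumably `samba_enable_home_dirs` elsewhere in this file, outside the hunk), and a directory-search grant outside that tunable lets smbd traverse home content whether or not the boolean is on. If the denials come from share-path checks that happen before the boolean applies, either move the call inside that tunable_policy block or keep the dontaudit and add a comment stating why unconditional search is required.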
@@ -829,6 +835,7 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) +corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -838,7 +845,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) -auth_rw_cache(winbind_t) +auth_manage_cache(winbind_t) domain_use_interactive_fds(winbind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-02-09 15:04:54.083866070 +0100 @@ -30,7 +30,7 @@ # allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process { setpgid setrlimit signal signull }; +allow sendmail_t self:process { setpgid setsched setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -136,6 +136,8 @@ optional_policy(` fail2ban_read_lib_files(sendmail_t) + fail2ban_rw_stream_sockets(sendmail_t) + ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-01-18 18:24:22.891530024 +0100 +++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2010-02-03 22:59:41.283821731 +0100 
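Review bot: `corenet_tcp_connect_all_unreserved_ports(winbind_t)` in the `@@ -829,6 +835,7 @@` hunk lets winbind initiate TCP connections to every port above 1024, far wider than the named-port rule it sits next to (`corenet_tcp_connect_smbd_port`). If the trigger is a specific service, the corresponding named corenet interface is the right tool; if the destination ports genuinely cannot be predicted, a comment giving the reason, e.g. `# winbind connects to dynamically assigned DC ports`, keeps the grant from being read as an oversight. In the sendmail hunk `@@ -136,6 +136,8 @@`, the added empty line before `')` is a stray blank inside the optional_policy block.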
@@ -177,6 +177,10 @@ userdom_signull_unpriv_users(setroubleshoot_fixit_t) optional_policy(` + gnome_dontaudit_search_config(setroubleshoot_fixit_t) +') + +optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) rpm_dontaudit_manage_db(setroubleshoot_fixit_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100 +++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100 @@ -25,9 +25,9 @@ # # Local policy # -allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; +allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; -allow snmpd_t self:process { signal_perms getsched setsched }; +allow snmpd_t self:process { signal signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2010-01-18 18:24:22.893530558 +0100 +++ serefpolicy-3.6.32/policy/modules/services/snort.te 2010-01-27 17:37:08.744613818 +0100 
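Review bot: In the snmp hunk `@@ -25,9 +25,9 @@` the rewritten rule `allow snmpd_t self:process { signal signal_perms getsched setsched };` adds `signal`, which is already a member of the `signal_perms` permission set, so the addition is a no-op and should be dropped. The other changed line keeps `sys_tty_config` both in the `allow ... self:capability` rule and in the `dontaudit` rule that follows it, where the dontaudit is dead once the permission is allowed; worth tidying while the line is being touched. The new `chown` capability deserves a one-line comment naming what snmpd chowns, since it is a new privilege with no rationale in the hunk.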
@@ -78,6 +78,7 @@ dev_read_sysfs(snort_t) dev_read_rand(snort_t) dev_read_urand(snort_t) +dev_read_usbmon_dev(snort_t) domain_use_interactive_fds(snort_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100 +++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100 @@ -267,6 +267,24 @@ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ') +###################################### +## +## Send kill signal to spamassassin client +## +## +## +## Domain allowed access. +## +## +# +interface(`spamassassin_kill_client',` + gen_require(` + type spamc_t; + ') + + allow $1 spamc_t:process sigkill; +') + ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-01-18 18:24:22.896530172 +0100 +++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2010-02-09 12:37:21.512866130 +0100 @@ -147,6 +147,8 @@ kernel_read_kernel_sysctls(spamassassin_t) +corenet_dontaudit_udp_bind_all_ports(spamassassin_t) + dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) 
@@ -470,6 +473,10 @@ userdom_search_user_home_dirs(spamd_t) optional_policy(` + dcc_domtrans_cdcc(spamd_t) +') + +optional_policy(` exim_manage_spool_dirs(spamd_t) exim_manage_spool_files(spamd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-02-08 00:22:54.835167354 +0100 @@ -8,31 +8,6 @@ ## ##

-## Allow sftp to upload files, used for public file -## transfer services. Directories must be labeled -## public_content_rw_t. -##

-##
-gen_tunable(allow_sftpd_anon_write, false) - -## -##

-## Allow sftp to login to local users and -## read/write all files on the system, governed by DAC. -##

-##
-gen_tunable(allow_sftpd_full_access, false) - -## -##

-## Allow interlnal-sftp to read and write files -## in the user ssh home directories. -##

-##
-gen_tunable(sftpd_ssh_home_dir, false) - -## -##

## allow host key based authentication ##

##
@@ -69,10 +44,6 @@ type sshd_tmpfs_t; files_tmpfs_file(sshd_tmpfs_t) -type sftpd_t; -domain_type(sftpd_t) -role system_r types sftpd_t; - ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ') @@ -365,6 +337,11 @@ ') optional_policy(` + ftp_dyntransition_sftpd(sshd_t) + ftp_dyntransition_sftpd_anon(sshd_t) +') + +optional_policy(` xserver_getattr_xauth(sshd_t) ') @@ -468,49 +445,3 @@ udev_read_db(ssh_keygen_t) ') -####################################### -# -# sftp Local policy -# - -allow ssh_server sftpd_t:process dyntransition; - -ssh_sigchld(sftpd_t) - -files_read_all_files(sftpd_t) -files_read_all_symlinks(sftpd_t) - -fs_read_noxattr_fs_files(sftpd_t) -fs_read_nfs_files(sftpd_t) -fs_read_cifs_files(sftpd_t) - -# allow access to /home by default -userdom_manage_user_home_content_dirs(sftpd_t) -userdom_manage_user_home_content_files(sftpd_t) -userdom_manage_user_home_content_symlinks(sftpd_t) - -userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) - -tunable_policy(`allow_sftpd_anon_write',` - miscfiles_manage_public_files(sftpd_t) -') - -tunable_policy(`allow_sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) - auth_manage_all_files_except_shadow(sftpd_t) -') - -tunable_policy(`sftpd_ssh_home_dir',` - ssh_manage_user_home_files(sftpd_t) -') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(sftpd_t) - fs_manage_nfs_files(sftpd_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(sftpd_t) - fs_manage_cifs_files(sftpd_t) -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-01-19 17:08:41.212631842 +0100 
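Review bot: The `@@ -365,6 +337,11 @@` hunk hands the sftp domain over to `ftp_dyntransition_sftpd(sshd_t)` and `ftp_dyntransition_sftpd_anon(sshd_t)`, while the earlier hunk `@@ -8,31 +8,6 @@` deletes the booleans `allow_sftpd_anon_write`, `allow_sftpd_full_access` and `sftpd_ssh_home_dir`. Booleans are part of a deployed system's configuration: anything persisted with `setsebool -P` under those names stops applying unless the ftp module re-declares them, and that cannot be verified from this diff. Confirm the replacement tunables in the ftp module and record the rename in the module changelog so administrators can migrate local settings. The removed sftp block (`@@ -468,49 +445,3 @@`) also carried the `use_nfs_home_dirs`/`use_samba_home_dirs` conditional rules; the ftp side needs equivalents or sftp over NFS/CIFS homes regresses.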
@@ -4,6 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-18 18:24:22.901529830 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-19 17:08:45.945631552 +0100 @@ -12,8 +12,7 @@ # interface(`sssd_domtrans',` gen_require(` - type sssd_t; - type sssd_exec_t; + type sssd_t, sssd_exec_t; ') domtrans_pattern($1, sssd_exec_t, sssd_t) @@ -26,7 +25,7 @@ ##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -40,6 +39,25 @@ ######################################## ## +## Read sssd public files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_read_public_files',` + gen_require(` + type sssd_public_t; + ') + + sssd_search_lib($1) + read_files_pattern($1, sssd_public_t, sssd_public_t) +') + +######################################## +## ## Read sssd PID files. ## ## @@ -59,7 +77,7 @@ ######################################## ## -## Manage sssd var_run files. +## Read sssd config files. ## ## ## @@ -67,18 +85,18 @@ ## ## # -interface(`sssd_manage_pids',` +interface(`sssd_read_config_files',` gen_require(` - type sssd_var_run_t; + type sssd_config_t; ') - manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) - manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) + sssd_search_lib($1) + read_files_pattern($1, sssd_config_t, sssd_config_t) ') ######################################## ## -## Search sssd lib directories. +## Manage sssd var_run files. ## ## ## @@ -86,18 +104,18 @@ ## ## # -interface(`sssd_search_lib',` +interface(`sssd_manage_pids',` gen_require(` - type sssd_var_lib_t; + type sssd_var_run_t; ') - allow $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) + manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) + manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) ') ######################################## ## -## Read sssd lib files. +## Search sssd lib directories. ## ## ## @@ -105,18 +123,18 @@ ## ## # -interface(`sssd_read_lib_files',` +interface(`sssd_search_lib',` gen_require(` type sssd_var_lib_t; ') + allow $1 sssd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) - read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ') ######################################## ## -## Read sssd config files. +## dontaudit search sssd lib directories. ## ## ## 
@@ -124,19 +142,18 @@ ## ## # -interface(`sssd_read_config_files',` +interface(`sssd_dontaudit_search_lib',` gen_require(` - type sssd_config_t; + type sssd_var_lib_t; ') - sssd_search_lib($1) - read_files_pattern($1, sssd_config_t, sssd_config_t) + dontaudit $1 sssd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) ') ######################################## ## -## Create, read, write, and delete -## sssd lib files. +## Read sssd lib files. ## ## ## @@ -144,18 +161,19 @@ ## ## # -interface(`sssd_manage_lib_files',` +interface(`sssd_read_lib_files',` gen_require(` type sssd_var_lib_t; ') files_search_var_lib($1) - manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) + read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ') ######################################## ## -## Manage sssd var_lib files. +## Create, read, write, and delete +## sssd lib files. ## ## ## @@ -163,17 +181,15 @@ ## ## # -interface(`sssd_manage_var_lib',` +interface(`sssd_manage_lib_files',` gen_require(` type sssd_var_lib_t; ') - manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t) + files_search_var_lib($1) manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) - manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ') - ######################################## ## ## Send and receive messages from @@ -238,16 +254,13 @@ # interface(`sssd_admin',` gen_require(` - type sssd_t; + type sssd_t, sssd_public_t; + type sssd_initrc_exec_t; ') allow $1 sssd_t:process { ptrace signal_perms getattr }; read_files_pattern($1, sssd_t, sssd_t) - gen_require(` - type sssd_initrc_exec_t; - ') - # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) domain_system_change_exemption($1) 
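Review bot: The new `sssd_dontaudit_search_lib` interface in the `@@ -124,19 +142,18 @@` hunk pairs `dontaudit $1 sssd_var_lib_t:dir search_dir_perms;` with `files_search_var_lib($1)`, which is an allow rule on the parent directory; an interface named dontaudit should grant nothing, otherwise callers that only wanted to silence noise gain real search access to `/var/lib`. Replace that line with the dontaudit counterpart from files.if if one exists, or drop it. The `@@ -163,17 +181,15 @@` hunk also removes the `sssd_manage_var_lib` interface name outright (its body is now `sssd_manage_lib_files`, minus the dir and lnk_file patterns), so any external caller of `sssd_manage_var_lib` will fail to build and any caller that needed directory management loses it without notice.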
@@ -257,4 +270,6 @@ sssd_manage_pids($1) sssd_manage_lib_files($1) + + admin_pattern($1, sssd_public_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-18 18:24:22.901529830 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-01-19 17:08:54.487643800 +0100 @@ -1,5 +1,5 @@ -policy_module(sssd, 1.0.0) +policy_module(sssd, 1.0.1) ######################################## # @@ -13,6 +13,9 @@ type sssd_initrc_exec_t; init_script_file(sssd_initrc_exec_t) +type sssd_public_t; +files_pid_file(sssd_public_t) + type sssd_var_lib_t; files_type(sssd_var_lib_t) @@ -31,6 +34,9 @@ allow sssd_t self:fifo_file rw_file_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) +manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) @@ -43,8 +49,6 @@ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) -fs_list_inotifyfs(sssd_t) - kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) @@ -58,6 +62,8 @@ files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) +fs_list_inotifyfs(sssd_t) + auth_use_nsswitch(sssd_t) auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) 
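Review bot: In the sssd.te hunk `@@ -13,6 +13,9 @@` the new type is declared with `files_pid_file(sssd_public_t)`, yet the matching file context `/var/lib/sss/pubconf(/.*)?` and `sssd_read_public_files`, which calls `sssd_search_lib`, place it under `/var/lib`, not `/var/run`. `files_pid_file` presumably puts the type in the pid-file attribute, so any domain holding blanket pid-file privileges would also hold them over this data. `files_type(sssd_public_t)`, as used for `sssd_var_lib_t` directly below, matches the location; if the directory is intended to be readable by many domains, a comment saying so would help the next reader.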
@@ -69,7 +75,7 @@ miscfiles_read_localization(sssd_t) -userdom_manage_tmp_role(system_t, sssd_t) +userdom_manage_tmp_role(system_r, sssd_t) optional_policy(` dbus_system_bus_client(sssd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100 @@ -50,6 +50,7 @@ manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) +kernel_read_system_state(tftpd_t) kernel_read_kernel_sysctls(tftpd_t) kernel_list_proc(tftpd_t) kernel_read_proc_symlinks(tftpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2010-01-18 18:24:22.905534669 +0100 +++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2010-01-26 14:33:27.943463104 +0100 @@ -63,6 +63,7 @@ files_read_etc_files(tgtd_t) storage_getattr_fixed_disk_dev(tgtd_t) +storage_manage_fixed_disk(tgtd_t) logging_send_syslog_msg(tgtd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc --- nsaserefpolicy/policy/modules/services/tuned.fc 2010-01-18 18:24:22.907534364 +0100 +++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2010-02-03 17:28:43.165143461 +0100 
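Review bot: `storage_manage_fixed_disk(tgtd_t)` in the tgtd hunk `@@ -63,6 +63,7 @@` grants the daemon read/write on every fixed-disk block device, a large step up from the `storage_getattr_fixed_disk_dev` line it sits under, and the hunk gives no reason. For an iSCSI target that exports raw devices this may be required, but it should say so, e.g. `# tgtd exports raw block devices as iSCSI LUNs`, so the grant is not later mistaken for an accident. If only specific backing devices are exported, a dedicated device type for them would be tighter than all fixed disks.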
@@ -3,4 +3,7 @@ /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) +/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) +/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) + /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100 +++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-03 17:35:32.298159249 +0100 @@ -13,6 +13,9 @@ type tuned_initrc_exec_t; init_script_file(tuned_initrc_exec_t) +type tuned_log_t; +logging_log_file(tuned_log_t) + type tuned_var_run_t; files_pid_file(tuned_var_run_t) @@ -26,6 +29,10 @@ dontaudit tuned_t self:capability { dac_override sys_tty_config }; allow tuned_t self:fifo_file rw_fifo_file_perms; +manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) +manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) +logging_log_filetrans(tuned_t, tuned_log_t, file) + manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, { file }) @@ -36,7 +43,7 @@ kernel_read_system_state(tuned_t) dev_read_sysfs(tuned_t) - +dev_read_urand(tuned_t) # to allow cpu tuning dev_rw_netcontrol(tuned_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc 2010-02-02 19:00:16.333067308 +0100 
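Review bot: In the tuned.te hunk `@@ -36,7 +43,7 @@` the blank line after `dev_read_sysfs(tuned_t)` is replaced by `dev_read_urand(tuned_t)`, leaving that new rule directly above the `# to allow cpu tuning` comment that documents `dev_rw_netcontrol(tuned_t)`. Restore the blank line between them so the comment is not read as applying to the urandom rule. The `tuned_log_t` rules added in `@@ -26,6 +29,10 @@` line up with the two new tuned.fc entries.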
@@ -0,0 +1,6 @@ + +/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) + +/var/run/usbmuxd\.lock -- gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.6.32/policy/modules/services/usbmuxd.if --- nsaserefpolicy/policy/modules/services/usbmuxd.if 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.if 2010-02-02 19:06:22.735067968 +0100 
@@ -0,0 +1,64 @@ +## Daemon for communicating with Apple's iPod Touch and iPhone + +######################################## +## +## Execute a domain transition to run usbmuxd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`usbmuxd_domtrans',` + gen_require(` + type usbmuxd_t, usbmuxd_exec_t; + ') + + domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t) +') + +####################################### +## +## Execute usbmuxd in the usbmuxd domain, and +## allow the specified role the usbmuxd domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the usbmuxd domain. +## +## +# +interface(`usbmuxd_run',` + gen_require(` + type usbmuxd_t; + ') + + usbmuxd_domtrans($1) + role $2 types usbmuxd_t; +') + +##################################### +## +## Connect to usbmuxd over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`usbmuxd_stream_connect',` + gen_require(` + type usbmuxd_t, usbmuxd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te --- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 19:28:04.029318349 +0100 
@@ -0,0 +1,44 @@ + +policy_module(usbmuxd,1.0.0) + +######################################## +# +# Declarations +# + +type usbmuxd_t; +type usbmuxd_exec_t; +application_domain(usbmuxd_t, usbmuxd_exec_t) + +type usbmuxd_var_run_t; +files_pid_file(usbmuxd_var_run_t) + +permissive usbmuxd_t; + +######################################## +# +# usbmuxd local policy +# + +allow usbmuxd_t self:capability { kill setgid setuid }; +allow usbmuxd_t self:process { fork }; + +# Init script handling +domain_use_interactive_fds(usbmuxd_t) + +# internal communication is often done using fifo and unix sockets. +allow usbmuxd_t self:fifo_file rw_fifo_file_perms; +allow usbmuxd_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) + +files_read_etc_files(usbmuxd_t) + +miscfiles_read_localization(usbmuxd_t) + +auth_use_nsswitch(usbmuxd_t) + +logging_send_syslog_msg(usbmuxd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100 +++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-01 17:46:33.611080298 +0100 @@ -226,7 +226,7 @@ sysnet_domtrans_ifconfig(virtd_t) sysnet_read_config(virtd_t) -userdom_dontaudit_list_admin_dir(virtd_t) +userdom_list_admin_dir(virtd_t) userdom_getattr_all_users(virtd_t) userdom_list_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) @@ -370,6 +370,7 @@ tunable_policy(`virt_use_fusefs',` fs_read_fusefs_files(svirt_t) + fs_read_fusefs_symlinks(svirt_t) ') tunable_policy(`virt_use_nfs',` 
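Review bot: `permissive usbmuxd_t;` in the new usbmuxd.te ships the domain with denials logged but not enforced, and nothing records when that is meant to end; add a comment such as `# TODO: remove permissive once the domain is known to be complete` or track it in the changelog. `allow usbmuxd_t self:process { fork };` looks redundant, since fork is in the self:process set that domain.te grants every domain — confirm against this policy's domain.te. `allow usbmuxd_t self:capability { kill setgid setuid };` should carry a line saying what the daemon uses them for (presumably privilege dropping and signalling); usbmuxd.if's `usbmuxd_stream_connect` shows unprivileged clients connect to it, so its own privileges deserve the note.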
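Review bot: The virt hunk `@@ -226,7 +226,7 @@` turns `userdom_dontaudit_list_admin_dir(virtd_t)` into `userdom_list_admin_dir(virtd_t)`, converting a silenced denial into an allow on listing the administrator's home directory. If this is for image files kept under the admin home, a comment such as `# libvirt lists the admin home when domain XML references images there` would justify it; otherwise the original dontaudit was the safer choice.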
@@ -430,6 +431,8 @@ corenet_tcp_connect_virt_migration_port(virt_domain) dev_read_sound(virt_domain) +dev_read_rand(virt_domain) +dev_read_urand(virt_domain) dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100 +++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-03 14:24:48.062145095 +0100 @@ -65,6 +65,8 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -105,6 +107,7 @@ /var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) /var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) 
@@ -116,7 +119,11 @@ /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 +++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-09 10:08:14.902615674 +0100 @@ -253,6 +253,7 @@ allow xdm_t iceauth_home_t:file read_file_perms; dev_read_rand(iceauth_t) +dev_dontaudit_read_urand(iceauth_t) fs_search_auto_mountpoints(iceauth_t) @@ -301,6 +302,9 @@ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) +allow xauth_t xserver_t:unix_stream_socket connectto; + +domain_dontaudit_leaks(xauth_t) domain_use_interactive_fds(xauth_t) dev_rw_xserver_misc(xauth_t) @@ -309,8 +313,12 @@ files_read_usr_files(xauth_t) files_search_pids(xauth_t) files_dontaudit_getattr_all_dirs(xauth_t) +files_dontaudit_leaks(xauth_t) +files_var_lib_filetrans(xauth_t, xauth_home_t, file) +fs_dontaudit_leaks(xauth_t) fs_getattr_all_fs(xauth_t) +fs_read_nfs_symlinks(xauth_t) fs_search_auto_mountpoints(xauth_t) # cjp: why? 
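Review bot: `/var/run/lxdm(/*.)?` in the `@@ -116,7 +119,11 @@` hunk is a malformed pattern: `(/*.)?` means zero or more slashes followed by exactly one character, so any entry under `/var/run/lxdm/` longer than one character never matches and stays unlabeled. The intended subtree form, as on the `xdmctl` and `xauth` lines above it, is `/var/run/lxdm(/.*)?`. `/var/run/slim.*` on the next line is also wider than it looks: the unescaped `.` and trailing `.*` match every path beginning with `/var/run/slim`, which makes the existing `/var/run/slim\.auth` entry redundant and will label unrelated files; use `/var/run/slim\..*` or list the specific files.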
@@ -506,6 +514,7 @@ dev_dontaudit_rw_misc(xdm_t) dev_getattr_video_dev(xdm_t) dev_setattr_video_dev(xdm_t) +dev_read_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) dev_read_sound(xdm_t) @@ -582,6 +591,7 @@ userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) userdom_stream_connect(xdm_t) +userdom_manage_user_tmp_files(xdm_t) userdom_manage_user_tmp_dirs(xdm_t) userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) @@ -668,6 +678,7 @@ optional_policy(` gnome_read_gconf_config(xdm_t) + gnome_read_config(xdm_t) ') optional_policy(` @@ -675,6 +686,10 @@ ') optional_policy(` + java_exec(xdm_t) +') + +optional_policy(` loadkeys_exec(xdm_t) ') @@ -712,6 +727,7 @@ optional_policy(` pulseaudio_exec(xdm_t) pulseaudio_dbus_chat(xdm_t) + pulseaudio_stream_connect(xdm_t) ') # On crash gdm execs gdb to dump stack diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2010-01-18 18:24:22.925530368 +0100 +++ serefpolicy-3.6.32/policy/modules/system/application.te 2010-02-09 12:51:23.459615874 +0100 @@ -1,5 +1,5 @@ -policy_module(application, 1.1.0) +policy_module(application, 1.1.1) # Attribute of user applications attribute application_domain_type; 
@@ -7,14 +7,18 @@ # Executables to be run by user attribute application_exec_type; -userdom_append_user_home_content_files(application_domain_type) -userdom_write_user_tmp_files(application_domain_type) -logging_rw_all_logs(application_domain_type) +userdom_inherit_append_user_home_content_files(application_domain_type) userdom_inherit_append_admin_home_files(application_domain_type) +userdom_inherit_append_user_tmp_files(application_domain_type) +logging_inherit_append_all_logs(application_domain_type) files_dontaudit_search_all_dirs(application_domain_type) optional_policy(` + afs_rw_udp_sockets(application_domain_type) +') + +optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100 +++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-01-27 18:13:10.349614395 +0100 @@ -18,6 +18,7 @@ /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.32/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/hostname.te 2010-01-29 10:03:19.733864870 +0100 
@@ -27,15 +27,18 @@ dev_read_sysfs(hostname_t) +domain_dontaudit_leaks(hostname_t) domain_use_interactive_fds(hostname_t) files_read_etc_files(hostname_t) +files_dontaudit_leaks(hostname_t) files_dontaudit_search_var(hostname_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(hostname_t) fs_getattr_xattr_fs(hostname_t) fs_search_auto_mountpoints(hostname_t) +fs_dontaudit_leaks(hostname_t) fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100 @@ -125,6 +125,10 @@ ') optional_policy(` + brctl_domtrans(hotplug_t) +') + +optional_policy(` consoletype_exec(hotplug_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100 +++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-09 09:59:47.912615584 +0100 @@ -165,6 +165,7 @@ type init_t; role system_r; attribute daemon; + attribute initrc_transition_domain; ') typeattribute $1 daemon; @@ -180,6 +181,8 @@ # Handle upstart direct transition to a executable domtrans_pattern(init_t,$2,$1) allow init_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; # daemons started from init will # inherit fds from init for the console @@ -273,6 +276,7 @@ gen_require(` type initrc_t; role system_r; + attribute initrc_transition_domain; ') application_domain($1,$2) 
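Review bot: The two rules `allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;` and `allow $1 initrc_transition_domain:fd use;` added in the `@@ -180,6 +181,8 @@` hunk are repeated verbatim in `@@ -281,6 +285,8 @@` on the next line; factor them into one small helper interface and call it from both so the two daemon-domain interfaces cannot drift apart. Note the breadth as well: `@@ -775,8 +781,10 @@` makes every caller of `init_labeled_script_domtrans` a member of `initrc_transition_domain`, so each daemon created through these interfaces may use fds and inherited fifos from any such caller, not only from init and initrc. A comment on the attribute where it is declared in init.te stating that intent would help a later reader judge whether a new caller belongs in it.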
@@ -281,6 +285,8 @@ domtrans_pattern(initrc_t,$2,$1) allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray @@ -554,7 +560,7 @@ ') dev_list_all_dev_nodes($1) - allow $1 initctl_t:fifo_file write; + allow $1 initctl_t:fifo_file write_file_perms; ') ######################################## @@ -775,8 +781,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; + attribute initrc_transition_domain; ') + typeattribute $1 initrc_transition_domain; domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') @@ -1686,3 +1694,26 @@ allow $1 initrc_t:sem rw_sem_perms; ') +####################################### +## +## Dontaudit read and write an leaked init scrip file descriptors +## +## +## +## The type of the process performing this action. +## +## +# +interface(`init_dontaudit_script_leaks',` + gen_require(` + type initrc_t; + ') + + dontaudit $1 initrc_t:tcp_socket { read write }; + dontaudit $1 initrc_t:udp_socket { read write }; + dontaudit $1 initrc_t:unix_dgram_socket { read write }; + dontaudit $1 initrc_t:unix_stream_socket { read write }; + dontaudit $1 initrc_t:shm rw_shm_perms; + init_dontaudit_use_script_ptys($1) + init_dontaudit_use_script_fds($1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100 +++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-09 15:33:01.072616199 +0100 @@ -40,6 +40,7 @@ attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; +attribute initrc_transition_domain; # Mark process types as daemons attribute daemon; 
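Review bot: The summary of the new `init_dontaudit_script_leaks` interface in `@@ -1686,3 +1694,26 @@` reads "Dontaudit read and write an leaked init scrip file descriptors"; it should read "Do not audit reads and writes on leaked init script file descriptors", and its parameter text should use the "Domain to not audit." wording the other dontaudit interfaces in this file use. The `@@ -554,7 +560,7 @@` change from `write` to `write_file_perms` on `initctl_t:fifo_file` also widens the grant to getattr, open, append, ioctl and lock; that is presumably what the caller needs, but it is worth a word in that interface's summary if it does not already say so.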
@@ -47,7 +48,7 @@ # # init_t is the domain of the init process. # -type init_t; +type init_t, initrc_transition_domain; type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) @@ -118,6 +119,7 @@ allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; @@ -191,6 +193,7 @@ ') ifdef(`distro_redhat',` + fs_read_tmpfs_symlinks(init_t) fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -212,6 +215,11 @@ ') optional_policy(` + dbus_connect_system_bus(init_t) + dbus_system_bus_client(init_t) +') + +optional_policy(` # /var/run/dovecot/login/ssl-parameters.dat is a hard link to # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up # the directory. But we do not want to allow this. @@ -224,6 +232,10 @@ ') optional_policy(` + sssd_stream_connect(init_t) +') + +optional_policy(` unconfined_domain(init_t) ') @@ -312,6 +324,7 @@ dev_read_rand(initrc_t) dev_read_urand(initrc_t) +dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) dev_rw_sysfs(initrc_t) @@ -531,6 +544,7 @@ # Needs to cp localtime to /var dirs files_write_var_dirs(initrc_t) + fs_read_tmpfs_symlinks(initrc_t) fs_rw_tmpfs_chr_files(initrc_t) storage_manage_fixed_disk(initrc_t) @@ -872,6 +886,7 @@ optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited 
@@ -885,6 +900,9 @@ # Allow SELinux aware applications to request rpm_script_t execution rpm_transition_script(initrc_t) + optional_policy(` + rtkit_daemon_system_domain(initrc_t) + ') optional_policy(` gen_require(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100 +++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-01-27 17:43:20.027613211 +0100 @@ -215,6 +215,8 @@ allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; +dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; + allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2010-01-18 18:24:22.941530168 +0100 +++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-02-09 10:36:30.616615893 +0100 @@ -67,6 +67,13 @@ optional_policy(` modutils_run_insmod(iptables_t, $2) ') + +ifdef(`hide_broken_symptoms', ` + dontaudit iptables_t $1:unix_stream_socket rw_socket_perms; + dontaudit iptables_t $1:tcp_socket rw_socket_perms; + dontaudit iptables_t $1:udp_socket rw_socket_perms; +') + ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100 +++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-02 15:25:03.135335306 +0100 
@@ -52,6 +52,7 @@ kernel_use_fds(iptables_t) corenet_relabelto_all_packets(iptables_t) +corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -71,6 +72,7 @@ auth_use_nsswitch(iptables_t) +init_dontaudit_script_leaks(iptables_t) init_use_fds(iptables_t) init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-02-02 15:17:13.812067843 +0100 @@ -1,5 +1,8 @@ + +/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) +/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100 +++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-02-02 15:08:50.761068281 +0100 @@ -14,6 +14,9 @@ type iscsi_lock_t; files_lock_file(iscsi_lock_t) +type iscsi_log_t; +logging_log_file(iscsi_log_t) + type iscsi_tmp_t; files_tmp_file(iscsi_tmp_t) 
@@ -35,10 +38,13 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms; allow iscsid_t self:sem create_sem_perms; allow iscsid_t self:shm create_shm_perms; +allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; allow iscsid_t self:netlink_socket create_socket_perms; allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; allow iscsid_t self:tcp_socket create_stream_socket_perms; +can_exec(iscsid_t, iscsid_exec_t) + manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) files_lock_filetrans(iscsid_t, iscsi_lock_t, file) @@ -51,6 +57,9 @@ read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) files_search_var_lib(iscsid_t) +manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) +logging_log_filetrans(iscsid_t, iscsi_log_t, file) + manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) @@ -67,6 +76,7 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) +dev_rw_userio_dev(iscsid_t) domain_use_interactive_fds(iscsid_t) domain_read_all_domains_state(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100 +++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-02 10:45:09.949162869 +0100 
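Review bot: `dev_rw_userio_dev(iscsid_t)` opens raw read/write on userspace I/O devices without a comment saying which program needs it; the same patch labels `/sbin/brcm_iscsiuio` as `iscsid_exec_t` in iscsi.fc, so presumably it is the Broadcom uio helper rather than iscsid itself that talks to the device — confirm. A why-comment on the line would record that, e.g. `# brcm_iscsiuio (labeled iscsid_exec_t) drives the Broadcom offload NIC through /dev/uio*`, and if only the helper needs it, a separate domain would keep the uio access away from iscsid proper.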
@@ -245,8 +245,12 @@ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -396,10 +400,8 @@ /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -433,8 +435,16 @@ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100 +++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-01-21 14:31:52.834862007 +0100 @@ -207,7 +207,7 @@ allow sulogin_t self:capability dac_override; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; -allow sulogin_t self:fifo_file rw_file_perms; +allow sulogin_t self:fifo_file rw_fifo_file_perms; allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto; 
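Review bot: `/opt/Unify/SQLBase/libgptsblmsui11.so.*` leaves the dot before `so` unescaped, unlike every neighbouring entry, so it matches any single character in that position; since `textrel_shlib_t` is presumably the type that relaxes text-relocation/execmod checks for whatever it labels, the pattern should be as tight as the others: `/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The `/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.*` entry hard-codes one release directory; `MATHWORKS_[^/]+` would survive an upgrade, if a broader match is acceptable there.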
@@ -241,6 +241,9 @@ userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) + ifdef(`enable_mls',` sysadm_shell_domtrans(sulogin_t) ',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100 +++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-01 20:28:30.386409309 +0100 @@ -69,3 +69,5 @@ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2010-01-18 18:24:22.950540043 +0100 +++ serefpolicy-3.6.32/policy/modules/system/logging.if 2010-02-09 12:55:48.458629829 +0100 @@ -641,6 +641,24 @@ append_files_pattern($1, logfile, logfile) ') +###################################### +## +## Append to all log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_inherit_append_all_logs',` + gen_require(` + attribute logfile; + ') + + allow $1 logfile:file { getattr append }; +') + ######################################## ## ## Read all log files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100 +++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-09 15:09:42.278616082 +0100 
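Review bot: The summary of the new `logging_inherit_append_all_logs` interface is `## Append to all log files.`, word-for-word the summary of `logging_append_all_logs` just above it, so the documentation does not say what distinguishes the two. The body grants only `{ getattr append }` on `logfile:file`, with no `open` and no directory search, which presumably limits it to descriptors that were already open when inherited — confirm against how `append_files_pattern` expands in this tree. I would write `## Append to all log files through an already-open, inherited file descriptor; grants no open or directory search permission.`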
@@ -101,6 +101,7 @@ kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) +kernel_setsched(auditctl_t) domain_read_all_domains_state(auditctl_t) domain_use_interactive_fds(auditctl_t) @@ -489,6 +490,10 @@ ') optional_policy(` + mysql_stream_connect(syslogd_t) +') + +optional_policy(` postgresql_stream_connect(syslogd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100 +++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100 @@ -618,3 +618,40 @@ manage_lnk_files_pattern($1, locale_t, locale_t) ') +####################################### +## +## Set the attributes on a fonts cache directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_setattr_fonts_cache_dirs',` + gen_require(` + type fonts_cache_t; + ') + + allow $1 fonts_cache_t:dir setattr; +') + +####################################### +## +## Dontaudit attempts to set the attributes on a fonts cache directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` + gen_require(` + type fonts_cache_t; + ') + + allow $1 fonts_cache_t:dir setattr; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-01-18 18:24:22.959530712 +0100 +++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2010-02-09 09:59:53.815865530 +0100 
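Review bot: `miscfiles_dontaudit_setattr_fonts_cache_dirs` is documented and named as a dontaudit interface, but its body is `allow $1 fonts_cache_t:dir setattr;`, byte-identical to `miscfiles_setattr_fonts_cache_dirs` above it, so every caller that only wants to silence a denial is granted the permission instead. The rule should be `dontaudit $1 fonts_cache_t:dir setattr;`, and the parameter description should read `Domain to not audit.` rather than `Domain allowed access.`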
@@ -131,6 +131,7 @@ kernel_read_debugfs(insmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) +kernel_request_load_module(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) kernel_setsched(insmod_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100 +++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-02-08 11:03:56.385336831 +0100 @@ -155,6 +155,8 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_read_user_home_content_symlinks(mount_t) +userdom_read_user_home_content_files(mount_t) userdom_manage_user_home_content_dirs(mount_t) ifdef(`distro_redhat',` @@ -181,6 +183,7 @@ auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) files_mounton_non_security(mount_t) + files_rw_all_inherited_files(mount_t) ') optional_policy(` @@ -260,6 +263,18 @@ samba_read_config(mount_t) ') +optional_policy(` + ssh_exec(mount_t) +') + +optional_policy(` + usbmuxd_stream_connect(mount_t) +') + +optional_policy(` + vmware_exec_host(mount_t) +') + ######################################## # # Unconfined mount local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100 +++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100 
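Review bot: `files_rw_all_inherited_files(mount_t)` is, going by its name, a blanket read/write on inherited descriptors of every file type, and it is added inside a conditional block whose opening line is outside the hunk, so a reader cannot see which `ifdef` or tunable gates it or what mount does with those descriptors. Please add a why-comment naming the case that produced the denial, e.g. `# mount inherits open files (e.g. a redirected stdout) from its caller; rw on the inherited fd only`, and confirm the interface grants no `open`, otherwise this widens mount_t well beyond inherited descriptors.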
@@ -190,6 +190,7 @@ init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) +init_write_script_pipes(load_policy_t) miscfiles_read_localization(load_policy_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100 +++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-01-27 18:34:03.409614110 +0100 @@ -87,6 +87,7 @@ kernel_read_system_state(dhcpc_t) kernel_read_network_state(dhcpc_t) +kernel_search_network_sysctl(dhcpc_t) kernel_read_kernel_sysctls(dhcpc_t) kernel_request_load_module(dhcpc_t) kernel_use_fds(dhcpc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100 +++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100 @@ -100,6 +100,7 @@ # udev_node.c/node_symlink() symlink labels are explicitly # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) +dev_manage_generic_symlinks(udev_t) domain_read_all_domains_state(udev_t) domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these @@ -273,6 +274,10 @@ ') optional_policy(` + usbmuxd_domtrans(udev_t) +') + +optional_policy(` vbetool_domtrans(udev_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100 +++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100 
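Review bot: The comment kept above `dev_relabel_generic_symlinks(udev_t)` explains only why relabeling device symlinks is permitted, and the added `dev_manage_generic_symlinks(udev_t)` — create/delete/rename of generic device symlinks, by the interface name — is left without any rationale, so the two rules read as one. Extend the comment so the new grant is justified on its own, e.g. `# udev also creates and removes the /dev symlinks it owns (node_symlink), not only relabels them`; hedged, since the udev code path is not visible here.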
@@ -21,6 +21,8 @@ allow $1 self:capability all_capabilities; allow $1 self:fifo_file manage_fifo_file_perms; + allow $1 self:socket_class_set create_socket_perms; + # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-18 18:24:22.977540055 +0100 +++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-18 18:27:02.791532114 +0100 @@ -6,4 +6,5 @@ /dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) /dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100 +++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-02-01 20:32:18.731160012 +0100 @@ -3631,6 +3631,24 @@ ######################################## ## +## Allow domain to list /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## ## Allow Search /root ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100 +++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-25 17:55:42.768687784 +0100 
@@ -248,6 +248,7 @@ # allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; +allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; @@ -268,6 +269,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t) +files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) fs_list_tmpfs(xenconsoled_t) @@ -286,6 +288,10 @@ xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) +optional_policy(` + ptchown_domtrans(xenconsoled_t) +') + ######################################## # # Xen store local policy @@ -329,6 +335,7 @@ files_read_usr_files(xenstored_t) +fs_manage_xenfs_files(xenstored_t) fs_search_xenfs(xenstored_t) storage_raw_read_fixed_disk(xenstored_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100 +++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-02-09 10:00:01.300658461 +0100 
@@ -28,8 +28,7 @@ # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') - +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') # # Datagram socket classes. @@ -227,7 +226,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') -define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }') +define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users --- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100 +++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100 @@ -15,7 +15,7 @@ # and a user process should never be assigned the system user # identity. # -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) # # user_u is a generic user identity for Linux users who have no
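Review bot: Widening `manage_lnk_file_perms` to `{ create getattr setattr read write append rename link unlink ioctl lock }` changes the meaning of every `manage_lnk_files_pattern` call in the policy at once, not only the caller that hit a denial, and `write`, `append`, `ioctl` and `lock` are permissions a symbolic link cannot meaningfully satisfy — presumably this chases an AVC from a tool that opened a path through a link, which is better fixed in that domain's own rules. If it must stay, note the reason in the comment above the define, e.g. `# lnk_file perms deliberately mirror manage_file_perms; see the bug report for the denial this covers`, so the next maintainer does not revert it to the upstream set.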
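Review bot: Adding `unconfined_r` to the roles authorized for `system_u` contradicts the comment left directly above the line, `a user process should never be assigned the system user identity`: a system_u process may now sit in unconfined_r, which is exactly the combination that comment warns against. If the intent is to let init-started services run as `system_u:unconfined_r:unconfined_t` rather than to give logins system_u, the comment should say so, e.g. `# unconfined_r is authorized so that services started by init can run unconfined; interactive logins still never get system_u`; hedged, since the consumers of this role set are not visible here. The trailing `# user_u is a generic...` context line is cut at the end of the hunk.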