diff --git a/policy-20070703.patch b/policy-20070703.patch
index ef3316b..4a8480a 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -280,8 +280,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.5/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.5/policy/global_tunables 2007-08-07 09:39:49.000000000 -0400
-@@ -133,3 +133,10 @@
++++ serefpolicy-3.0.5/policy/global_tunables 2007-08-21 14:01:26.000000000 -0400
+@@ -133,3 +133,18 @@
##
gen_tunable(write_untrusted_content,false)
@@ -292,6 +292,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+##
+gen_tunable(allow_console_login,false)
+
++
++##
++##
++## Allow xen to manage nfs files
++##
++##
++gen_tunable(xen_use_nfs,false)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.5/policy/mls
--- nsaserefpolicy/policy/mls 2007-07-03 07:06:36.000000000 -0400
+++ serefpolicy-3.0.5/policy/mls 2007-08-07 09:39:49.000000000 -0400
@@ -2903,7 +2911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# etc_runtime_t is the type of various
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/kernel/filesystem.if 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/kernel/filesystem.if 2007-08-21 13:48:48.000000000 -0400
@@ -1192,6 +1192,24 @@
########################################
@@ -3560,7 +3568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.5/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/apache.te 2007-08-20 15:04:52.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/apache.te 2007-08-21 14:00:56.000000000 -0400
@@ -30,6 +30,13 @@
##
@@ -4164,7 +4172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
fs_getattr_all_fs(entropyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.5/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/automount.te 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/automount.te 2007-08-21 13:37:55.000000000 -0400
@@ -69,6 +69,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
@@ -4192,6 +4200,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
bind_search_cache(automount_t)
')
+@@ -173,6 +171,11 @@
+ ')
+
+ optional_policy(`
++ samba_read_config(automount_t)
++ samba_read_var_files(automount_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(automount_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.5/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/avahi.te 2007-08-07 09:39:49.000000000 -0400
@@ -5807,6 +5827,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
unconfined_domain(inetd_child_t)
+ inetd_service_domain(inetd_child_t,bin_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.5/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/kerberos.if 2007-08-21 10:33:38.000000000 -0400
+@@ -42,6 +42,10 @@
+ dontaudit $1 krb5_conf_t:file write;
+ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
+ dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
++
++ #kerberos libraries are attempting to set the correct file context
++ dontaudit $1 self:process setfscreate;
++ seutil_dontaudit_read_file_contexts($1)
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:tcp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.5/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/kerberos.te 2007-08-07 09:39:49.000000000 -0400
@@ -5969,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/mta.if 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/mta.if 2007-08-21 15:32:16.000000000 -0400
@@ -392,6 +392,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
@@ -7457,7 +7491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.5/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/samba.if 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/samba.if 2007-08-21 13:36:36.000000000 -0400
@@ -349,6 +349,7 @@
files_search_var($1)
files_search_var_lib($1)
@@ -7754,8 +7788,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.5/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/sendmail.te 2007-08-10 13:14:09.000000000 -0400
-@@ -130,6 +130,10 @@
++++ serefpolicy-3.0.5/policy/modules/services/sendmail.te 2007-08-21 15:36:07.000000000 -0400
+@@ -32,7 +32,6 @@
+ allow sendmail_t self:unix_dgram_socket create_socket_perms;
+ allow sendmail_t self:tcp_socket create_stream_socket_perms;
+ allow sendmail_t self:udp_socket create_socket_perms;
+-allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow sendmail_t sendmail_log_t:dir setattr;
+ manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t)
+@@ -49,6 +48,8 @@
+ # for piping mail to a command
+ kernel_read_system_state(sendmail_t)
+
++auth_use_nsswitch(sendmail_t)
++
+ corenet_all_recvfrom_unlabeled(sendmail_t)
+ corenet_all_recvfrom_netlabel(sendmail_t)
+ corenet_tcp_sendrecv_all_if(sendmail_t)
+@@ -93,9 +94,6 @@
+
+ miscfiles_read_localization(sendmail_t)
+
+-sysnet_dns_name_resolve(sendmail_t)
+-sysnet_read_config(sendmail_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+ userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
+
+@@ -106,17 +104,14 @@
+ # Write to /var/spool/mail and /var/spool/mqueue.
+ mta_manage_queue(sendmail_t)
+ mta_manage_spool(sendmail_t)
++mta_sendmail_exec(sendmail_t)
+
+ optional_policy(`
+- clamav_search_lib(sendmail_t)
+-')
+-
+-optional_policy(`
+- nis_use_ypbind(sendmail_t)
++ cron_read_pipes(sendmail_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(sendmail_t)
++ clamav_search_lib(sendmail_t)
+ ')
+
+ optional_policy(`
+@@ -130,6 +125,10 @@
')
optional_policy(`
@@ -7884,7 +7966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.0.5/policy/modules/services/soundserver.if
--- nsaserefpolicy/policy/modules/services/soundserver.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/soundserver.if 2007-08-20 18:36:50.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/soundserver.if 2007-08-21 13:15:20.000000000 -0400
@@ -13,3 +13,64 @@
interface(`soundserver_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
@@ -7926,10 +8008,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+#
+interface(`soundserver_dontaudit_read_socket_files',`
+ gen_require(`
-+ type soundd_socket_t;
++ type soundd_var_run_t;
+ ')
+
-+ dontaudit $1 soundd_socket_t:sock_file r_file_perms;
++ dontaudit $1 soundd_var_run_t:sock_file r_file_perms;
+')
+
+########################################
@@ -7944,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+#
+interface(`soundserver_read_socket_files',`
+ gen_require(`
-+ type soundd_socket_t;
++ type soundd_var_run_t;
+ ')
+
+ allow $1 soundd_var_run_t:sock_file r_file_perms;
@@ -7952,7 +8034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.5/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/soundserver.te 2007-08-20 16:59:45.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/soundserver.te 2007-08-21 13:15:59.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.3.0)
@@ -8012,7 +8094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
-files_pid_filetrans(soundd_t,soundd_var_run_t,file)
+manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
-+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir sock_file })
++files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
@@ -8212,7 +8294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.5/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-20 15:13:39.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-21 10:15:49.000000000 -0400
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -8222,7 +8304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# ssh client executable.
type ssh_exec_t;
-@@ -73,8 +73,12 @@
+@@ -73,6 +73,8 @@
manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
@@ -8230,12 +8312,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
-+# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
-+kernel_write_proc_files(sshd_t)
- # for X forwarding
- corenet_tcp_bind_xserver_port(sshd_t)
-@@ -100,6 +104,11 @@
+@@ -100,6 +102,11 @@
userdom_use_unpriv_users_ptys(sshd_t)
')
@@ -8247,7 +8325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -119,7 +128,12 @@
+@@ -119,7 +126,12 @@
')
optional_policy(`
@@ -8819,7 +8897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.5/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/authlogin.if 2007-08-20 15:21:45.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/authlogin.if 2007-08-21 10:18:43.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -8849,10 +8927,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,6 +180,12 @@
+@@ -176,6 +180,16 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
++ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
++ kernel_write_proc_files(sshd_t)
++
++
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
+
@@ -8862,7 +8944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
-@@ -196,22 +206,27 @@
+@@ -196,22 +210,27 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -8891,7 +8973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -309,9 +324,6 @@
+@@ -309,9 +328,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -8901,7 +8983,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -347,6 +359,37 @@
+@@ -329,6 +345,7 @@
+
+ optional_policy(`
+ kerberos_use($1)
++ kerberos_read_keytab($1)
+ ')
+
+ optional_policy(`
+@@ -347,6 +364,37 @@
########################################
##
@@ -8939,7 +9029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -695,6 +738,24 @@
+@@ -695,6 +743,24 @@
########################################
##
@@ -8964,7 +9054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain.
##
##
-@@ -1318,14 +1379,9 @@
+@@ -1318,14 +1384,9 @@
##
#
interface(`auth_use_nsswitch',`
@@ -8979,7 +9069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1381,3 +1437,163 @@
+@@ -1381,3 +1442,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -9348,7 +9438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.5/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/fstools.te 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/fstools.te 2007-08-21 14:01:43.000000000 -0400
@@ -69,6 +69,7 @@
dev_getattr_all_chr_files(fsadm_t)
@@ -9357,7 +9447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
-@@ -179,3 +180,8 @@
+@@ -179,3 +180,12 @@
fs_dontaudit_write_ramfs_pipes(fsadm_t)
rhgb_stub(fsadm_t)
')
@@ -9366,6 +9456,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
+ xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
+')
++
++tunable_policy(`xen_use_nfs',`
++ fs_manage_nfs_files(fsadm_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.5/policy/modules/system/fusermount.fc
--- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.5/policy/modules/system/fusermount.fc 2007-08-07 09:39:49.000000000 -0400
@@ -10540,7 +10634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.5/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-10 14:08:13.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-21 09:07:48.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -10839,7 +10933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.5/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.if 2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.if 2007-08-21 10:32:03.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@@ -10848,7 +10942,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
########################################
-@@ -968,6 +969,26 @@
+@@ -778,6 +779,28 @@
+
+ ########################################
+ ##
++## dontaudit Read the file_contexts files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`seutil_dontaudit_read_file_contexts',`
++ gen_require(`
++ type selinux_config_t, default_context_t, file_context_t;
++ ')
++
++ files_search_etc($1)
++ dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms;
++ dontaudit $1 file_context_t:dir search_dir_perms;
++ dontaudit $1 file_context_t:file r_file_perms;
++')
++
++########################################
++##
+ ## Read and write the file_contexts files.
+ ##
+ ##
+@@ -968,6 +991,26 @@
########################################
##
@@ -10875,7 +10998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -979,7 +1000,7 @@
+@@ -979,7 +1022,7 @@
##
##
##
@@ -10884,7 +11007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
##
##
##
-@@ -1001,6 +1022,39 @@
+@@ -1001,6 +1044,39 @@
########################################
##
@@ -10924,7 +11047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Full management of the semanage
## module store.
##
-@@ -1058,3 +1112,120 @@
+@@ -1058,3 +1134,120 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@@ -12919,7 +13042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.5/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/xen.te 2007-08-09 14:54:50.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/xen.te 2007-08-21 14:01:46.000000000 -0400
@@ -176,6 +176,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
@@ -12962,7 +13085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -366,3 +369,13 @@
+@@ -366,3 +369,14 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
@@ -12973,9 +13096,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
+fs_getattr_all_fs(xend_t)
+fs_read_dos_files(xend_t)
+
-+fs_write_nfs_files(xend_t)
-+fs_read_nfs_files(xend_t)
-+fs_read_nfs_symlinks(xend_t)
++tunable_policy(`xen_use_nfs',`
++ fs_manage_nfs_files(xend_t)
++ fs_read_nfs_symlinks(xend_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.5/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.5/policy/modules/users/guest.fc 2007-08-07 09:39:49.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7f47bf0..9dd82ff 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,12 +12,12 @@
%endif
%define POLICYVER 21
%define libsepolver 2.0.3-2
-%define POLICYCOREUTILSVER 2.0.22-10
+%define POLICYCOREUTILSVER 2.0.23-1
%define CHECKPOLICYVER 2.0.3-1
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.5
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -74,7 +74,7 @@ SELinux Policy development package
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
%post devel
-[ -x /usr/sbin/sepolgen-ifgen ] && /usr/sbin/sepolgen-ifgen > /dev/null
+[ -x /usr/bin/sepolgen-ifgen ] && /usr/bin/sepolgen-ifgen > /dev/null
exit 0
%define setupCmds() \
@@ -338,7 +338,7 @@ Summary: SELinux mls base policy
Group: System Environment/Base
Provides: selinux-policy-base
Obsoletes: selinux-policy-mls-sources
-Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER}
+Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Prereq: policycoreutils >= %{POLICYCOREUTILSVER}
Prereq: coreutils
Prereq: selinux-policy = %{version}-%{release}
@@ -360,6 +360,9 @@ exit 0
%endif
%changelog
+* Tue Aug 21 2007 Dan Walsh 3.0.5-11
+- Add setransd for mls policy
+
* Mon Aug 20 2007 Dan Walsh 3.0.5-10
- Add ldconfig_cache_t