Blob Blame Raw
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.13/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,15 +1,6 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0		system_r:system_crond_t:s0
+system_r:local_login_t:s0	user_r:user_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0
 system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0		user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context	2009-02-10 15:07:15.000000000 +0100
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,6 @@
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_t:s0
+system_r:initrc_su_t:s0		guest_r:guest_t:s0
+guest_r:guest_t:s0		guest_r:guest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,11 +1,7 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
-staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
 #
 # Uncomment if you want to automatically login as sysadm_r
 #
-#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.5.13/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/seusers	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,3 @@
 system_u:system_u:s0-mcs_systemhigh
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,10 +1,12 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:staff_crond_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+system_r:initrc_su_t:s0		staff_r:staff_t:s0
+staff_r:staff_t:s0		staff_r:staff_t:s0
 sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
 sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -6,4 +6,6 @@
 system_r:sshd_t:s0		unconfined_r:unconfined_t:s0
 system_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0
 system_r:unconfined_t:s0	unconfined_r:unconfined_t:s0
+system_r:initrc_su_t:s0		unconfined_r:unconfined_t:s0
+unconfined_r:unconfined_t:s0	unconfined_r:unconfined_t:s0
 system_r:xdm_t:s0		unconfined_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context	2009-02-10 15:07:15.000000000 +0100
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0	
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,8 +1,9 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:user_crond_t:s0
+system_r:crond_t:s0		user_r:user_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
-
+system_r:initrc_su_t:s0		user_r:user_t:s0
+user_r:user_t:s0		user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,7 @@
+system_r:local_login_t	xguest_r:xguest_t:s0
+system_r:remote_login_t	xguest_r:xguest_t:s0
+system_r:sshd_t		xguest_r:xguest_t:s0
+system_r:crond_t	xguest_r:xguest_t:s0
+system_r:xdm_t		xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0	xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0	xguest_r:xguest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.13/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mls/default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,15 +1,6 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0		system_r:system_crond_t:s0
+system_r:local_login_t:s0	user_r:user_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0
 system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0		user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,11 +1,11 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+system_r:local_login_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
 
-staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+staff_r:staff_su_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_su_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
 
 #
 # Uncomment if you want to automatically login as sysadm_r
 #
-#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:staff_crond_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:user_crond_t:s0
+system_r:crond_t:s0		user_r:user_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,7 @@
+system_r:local_login_t	xguest_r:xguest_t:s0
+system_r:remote_login_t	xguest_r:xguest_t:s0
+system_r:sshd_t		xguest_r:xguest_t:s0
+system_r:crond_t	xguest_r:xguest_t:s0
+system_r:xdm_t		xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0	xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0	xguest_r:xguest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,4 @@
+system_r:local_login_t	guest_r:guest_t
+system_r:remote_login_t	guest_r:guest_t
+system_r:sshd_t		guest_r:guest_t
+system_r:crond_t	guest_r:guest_crond_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts
--- nsaserefpolicy/config/appconfig-standard/root_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,11 +1,7 @@
 system_r:crond_t	unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
 system_r:local_login_t  unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
 
-staff_r:staff_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-sysadm_r:sysadm_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-user_r:user_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-
 #
 # Uncomment if you want to automatically login as sysadm_r
 #
-#system_r:sshd_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+system_r:sshd_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
 system_r:local_login_t		staff_r:staff_t sysadm_r:sysadm_t
 system_r:remote_login_t		staff_r:staff_t
 system_r:sshd_t			staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t		staff_r:staff_crond_t
+system_r:crond_t		staff_r:staff_t
 system_r:xdm_t			staff_r:staff_t
 staff_r:staff_su_t		staff_r:staff_t
 staff_r:staff_sudo_t		staff_r:staff_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
 system_r:local_login_t		user_r:user_t
 system_r:remote_login_t		user_r:user_t
 system_r:sshd_t			user_r:user_t
-system_r:crond_t		user_r:user_crond_t
+system_r:crond_t		user_r:user_t
 system_r:xdm_t			user_r:user_t
 user_r:user_su_t		user_r:user_t
 user_r:user_sudo_t		user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,5 @@
+system_r:local_login_t	xguest_r:xguest_t
+system_r:remote_login_t	xguest_r:xguest_t
+system_r:sshd_t		xguest_r:xguest_t
+system_r:crond_t	xguest_r:xguest_crond_t
+system_r:xdm_t		xguest_r:xguest_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.13/Makefile
--- nsaserefpolicy/Makefile	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/Makefile	2009-02-10 15:07:15.000000000 +0100
@@ -311,20 +311,22 @@
 
 # parse-rolemap modulename,outputfile
 define parse-rolemap
-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+	echo "" >> $2
+#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
 endef
 
 # perrole-expansion modulename,outputfile
 define perrole-expansion
-	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-	$(call parse-rolemap,$1,$2)
-	$(verbose) echo "')" >> $2
-
-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-	$(call parse-rolemap-compat,$1,$2)
-	$(verbose) echo "')" >> $2
+	echo "No longer doing perrole-expansion"
+#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+#	$(call parse-rolemap,$1,$2)
+#	$(verbose) echo "')" >> $2
+
+#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+#	$(call parse-rolemap-compat,$1,$2)
+#	$(verbose) echo "')" >> $2
 endef
 
 # create-base-per-role-tmpl modulenames,outputfile
@@ -523,6 +525,10 @@
 	@mkdir -p $(appdir)/users
 	$(verbose) $(INSTALL) -m 644 $^ $@
 
+$(appdir)/initrc_context: $(tmpdir)/initrc_context
+	@mkdir -p $(appdir)
+	$(verbose) $(INSTALL) -m 644 $< $@
+
 $(appdir)/%: $(appconf)/%
 	@mkdir -p $(appdir)
 	$(verbose) $(INSTALL) -m 644 $< $@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.5.13/man/man8/nfs_selinux.8
--- nsaserefpolicy/man/man8/nfs_selinux.8	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/man/man8/nfs_selinux.8	2009-02-10 15:07:15.000000000 +0100
@@ -1,24 +1,25 @@
-.TH  "nfs_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
+.TH  "nfs_selinux"  "8"  "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
 .SH "NAME"
-nfs_selinux \- Security Enhanced Linux Policy for NFS
+nfs_selinux \- Security-Enhanced Linux Policy for NFS
 .SH "DESCRIPTION"
 
-Security-Enhanced Linux secures the nfs server via flexible mandatory access
+Security-Enhanced Linux secures the NFS server via flexible mandatory access
 control.  
 .SH BOOLEANS
-SELinux policy is customizable based on least access required.  So by 
-default SElinux policy does not allow nfs to share files.  If you want to 
-setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
+SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
 
 .TP
 setsebool -P nfs_export_all_ro 1
 .TP
-If you want to share files read/write you must set the nfs_export_all_rw boolean.
+If you want to share NFS partitions, and allow read and write access to those NFS partitions, turn the nfs_export_all_rw boolean on:
 .TP
 setsebool -P nfs_export_all_rw 1
 
 .TP
-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
+These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
+
+.TP
+If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
 .TP
 setsebool -P use_nfs_home_dirs 1
 .TP
@@ -26,5 +27,5 @@
 .SH AUTHOR	
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 
-.SH "SEE ALSpppO"
+.SH "SEE ALSO"
 selinux(8), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.5.13/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8	2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/man/man8/samba_selinux.8	2009-02-10 15:07:15.000000000 +0100
@@ -14,11 +14,17 @@
 .TP
 chcon -t samba_share_t /var/eng
 .TP
-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
+To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
+.TP
+semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
+.TP
+This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
 .TP
-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
-.br
 /var/eng(/.*)? system_u:object_r:samba_share_t
+.TP
+Run the restorecon command to apply the changes:
+.TP
+restorecon -R -v /var/eng/
 
 .SH SHARING FILES
 If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.13/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/flask/access_vectors	2009-02-10 15:07:15.000000000 +0100
@@ -616,6 +616,7 @@
 	nlmsg_write
 	nlmsg_relay
 	nlmsg_readpriv
+	nlmsg_tty_audit
 }
 
 class netlink_ip6fw_socket
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.13/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/global_tunables	2009-02-10 15:07:15.000000000 +0100
@@ -34,7 +34,7 @@
 
 ## <desc>
 ## <p>
-## Enable polyinstantiated directory support.
+## Allow login programs to use polyinstantiated directories.
 ## </p>
 ## </desc>
 gen_tunable(allow_polyinstantiation,false)
@@ -61,15 +61,6 @@
 
 ## <desc>
 ## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-## </p>
-## </desc>
-gen_tunable(mail_read_content,false)
-
-## <desc>
-## <p>
 ## Allow any files/directories to be exported read/write via NFS.
 ## </p>
 ## </desc>
@@ -129,3 +120,12 @@
 ## </p>
 ## </desc>
 gen_tunable(write_untrusted_content,false)
+
+## <desc>
+## <p>
+## Allow direct login to the console device. Required for System 390
+## </p>
+## </desc>
+gen_tunable(allow_console_login,false)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.5.13/policy/mcs
--- nsaserefpolicy/policy/mcs	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/mcs	2009-02-10 15:07:15.000000000 +0100
@@ -67,7 +67,7 @@
 # Note that getattr on files is always permitted.
 #
 mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
-	( h1 dom h2 );
+	(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
 
 mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
 	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
@@ -75,7 +75,7 @@
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
-	(( h1 dom h2 ) and ( l2 eq h2 ));
+	     ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
 
 # At this time we do not restrict "ps" type operations via MCS.  This
 # will probably change in future.
@@ -84,10 +84,10 @@
 
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-	( h1 dom h2 );
+	(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
 
 mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-	(( h1 dom h2 ) and ( l2 eq h2 ));
+	((( h1 dom h2 ) and ( l2 eq h2 ))  or ( t1 == mlsfilewrite ));
 
 mlsconstrain process { transition dyntransition }
 	(( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.5.13/policy/mls
--- nsaserefpolicy/policy/mls	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/mls	2009-02-10 15:07:15.000000000 +0100
@@ -381,11 +381,18 @@
 	 ( t1 == mlsxwinread ));
 
 # the x_drawable "write" ops (implicit single level)
-mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage }
+mlsconstrain x_drawable { create destroy write setattr send manage }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsxwinwrite ));
 
+# the x_drawable "write" ops that have special handling on root window
+mlsconstrain x_drawable { add_child remove_child }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ) or
+	 ( t2 eq rootwindow_type ));
+
 # No MLS restrictions: x_drawable { show hide override }
 
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.13/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/alsa.te	2009-03-05 13:26:46.000000000 +0100
@@ -43,6 +43,7 @@
 
 dev_read_sound(alsa_t)
 dev_write_sound(alsa_t)
+dev_read_sysfs(alsa_t)
 
 corecmd_exec_bin(alsa_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.13/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/anaconda.te	2009-02-10 15:07:15.000000000 +0100
@@ -31,6 +31,7 @@
 modutils_domtrans_insmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
 
 unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.13/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/certwatch.te	2009-02-10 15:07:15.000000000 +0100
@@ -27,6 +27,9 @@
 
 fs_list_inotifyfs(certwatch_t)
 
+auth_manage_cache(certwatch_t)
+auth_filetrans_cache(certwatch_t)
+
 libs_use_ld_so(certwatch_t)
 libs_use_shared_libs(certwatch_t)
 
@@ -37,6 +40,7 @@
 
 optional_policy(`
 	apache_exec_modules(certwatch_t)
+	apache_read_config(certwatch_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.13/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/consoletype.te	2009-02-10 15:07:15.000000000 +0100
@@ -8,9 +8,11 @@
 
 type consoletype_t;
 type consoletype_exec_t;
-application_executable_file(consoletype_exec_t)
-init_domain(consoletype_t, consoletype_exec_t)
-init_system_domain(consoletype_t, consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t, consoletype_exec_t)
+#init_system_domain(consoletype_t, consoletype_exec_t)
+application_domain(consoletype_t, consoletype_exec_t)
+
 role system_r types consoletype_t;
 
 ########################################
@@ -18,7 +20,7 @@
 # Local declarations
 #
 
-allow consoletype_t self:capability sys_admin;
+allow consoletype_t self:capability { sys_admin sys_tty_config };
 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow consoletype_t self:fd use;
 allow consoletype_t self:fifo_file rw_fifo_file_perms;
@@ -42,6 +44,7 @@
 mls_file_read_all_levels(consoletype_t)
 mls_file_write_all_levels(consoletype_t)
 
+term_use_console(consoletype_t)
 term_use_all_terms(consoletype_t)
 
 init_use_fds(consoletype_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.5.13/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/kismet.if	2009-02-18 10:16:20.000000000 +0100
@@ -16,6 +16,7 @@
 	')
 
 	domtrans_pattern($1, kismet_exec_t, kismet_t)
+	allow kismet_t $1:process signull;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te	2009-02-18 10:11:52.000000000 +0100
@@ -20,16 +20,24 @@
 type kismet_log_t;
 logging_log_file(kismet_log_t)
 
+type kismet_tmpfs_t;
+files_tmpfs_file(kismet_tmpfs_t)
+
+type kismet_tmp_t;
+files_tmp_file(kismet_tmp_t)
+
 ########################################
 #
 # kismet local policy
 #
 
-allow kismet_t self:capability { net_admin net_raw setuid setgid };
+allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:process signal_perms;
 allow kismet_t self:fifo_file rw_file_perms;
 allow kismet_t self:packet_socket create_socket_perms;
-allow kismet_t self:unix_dgram_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
 allow kismet_t self:unix_stream_socket create_stream_socket_perms;
+allow kismet_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
@@ -43,15 +51,50 @@
 allow kismet_t kismet_var_run_t:dir manage_dir_perms;
 files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
 
-kernel_search_debugfs(kismet_t)
+manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
+
+manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
 
 corecmd_exec_bin(kismet_t)
+corecmd_exec_shell(kismet_t)
+
+corenet_all_recvfrom_unlabeled(kismet_t)
+corenet_all_recvfrom_netlabel(kismet_t)
+corenet_tcp_sendrecv_all_if(kismet_t)
+corenet_tcp_sendrecv_all_nodes(kismet_t)
+corenet_tcp_sendrecv_all_ports(kismet_t)
+corenet_tcp_bind_all_nodes(kismet_t)
+corenet_tcp_bind_kismet_port(kismet_t)
+corenet_tcp_connect_kismet_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
+
+kernel_search_debugfs(kismet_t)
+kernel_read_system_state(kismet_t)
 
 auth_use_nsswitch(kismet_t)
 
 files_read_etc_files(kismet_t)
+files_read_usr_files(kismet_t)
+
+fs_getattr_tmpfs(kismet_t)
 
 libs_use_ld_so(kismet_t)
 libs_use_shared_libs(kismet_t)
 
 miscfiles_read_localization(kismet_t)
+
+userdom_read_generic_user_tmpfs_files(kismet_t)
+
+sysadm_dontaudit_manage_home_files(kismet_t)
+
+optional_policy(`
+	dbus_system_bus_client_template(kismet, kismet_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(kismet_t)
+	')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.13/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/logrotate.te	2009-03-30 16:34:18.000000000 +0200
@@ -119,6 +119,7 @@
 seutil_dontaudit_read_config(logrotate_t)
 
 userdom_use_unpriv_users_fds(logrotate_t)
+userdom_list_sysadm_home_dirs(logrotate_t)
 
 cron_system_entry(logrotate_t, logrotate_exec_t)
 cron_search_spool(logrotate_t)
@@ -152,6 +153,10 @@
 ')
 
 optional_policy(`
+ 	bind_manage_cache(logrotate_t)
+')
+
+optional_policy(`
 	consoletype_exec(logrotate_t)
 ')
 
@@ -186,9 +191,16 @@
 ')
 
 optional_policy(`
+	psad_read_etc(logrotate_t)
+        psad_domtrans(logrotate_t)
+	psad_signull(logrotate_t)
+')
+
+optional_policy(`
 	slrnpull_manage_spool(logrotate_t)
 ')
 
 optional_policy(`
-	squid_signal(logrotate_t)
+        squid_domtrans(logrotate_t)
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.13/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te	2009-02-10 15:07:15.000000000 +0100
@@ -43,6 +43,8 @@
 kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
 kernel_read_system_state(logwatch_t)
+kernel_read_network_state(logwatch_t)
+kernel_read_net_sysctls(logwatch_t)
 
 corecmd_exec_bin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
@@ -54,18 +56,19 @@
 domain_read_all_domains_state(logwatch_t)
 
 files_list_var(logwatch_t)
+files_read_var_symlinks(logwatch_t)
 files_read_etc_files(logwatch_t)
 files_read_etc_runtime_files(logwatch_t)
 files_read_usr_files(logwatch_t)
 files_search_spool(logwatch_t)
 files_search_mnt(logwatch_t)
-files_dontaudit_search_home(logwatch_t)
-files_dontaudit_search_boot(logwatch_t)
 # Execs df and if file system mounted with a context avc raised
-files_dontaudit_search_all_dirs(logwatch_t)
+files_search_all(logwatch_t)
+files_getattr_all_file_type_fs(logwatch_t)
 
 fs_getattr_all_fs(logwatch_t)
 fs_dontaudit_list_auto_mountpoints(logwatch_t)
+fs_list_inotifyfs(logwatch_t)
 
 term_dontaudit_getattr_pty_dirs(logwatch_t)
 term_dontaudit_list_ptys(logwatch_t)
@@ -87,6 +90,7 @@
 selinux_dontaudit_getattr_dir(logwatch_t)
 
 sysnet_dns_name_resolve(logwatch_t)
+sysnet_exec_ifconfig(logwatch_t)
 
 mta_send_mail(logwatch_t)
 
@@ -131,4 +135,5 @@
 
 optional_policy(`
 	samba_read_log(logwatch_t)
+	samba_read_share_files(logwatch_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.13/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/mrtg.te	2009-02-10 15:07:15.000000000 +0100
@@ -116,6 +116,7 @@
 selinux_dontaudit_getattr_dir(mrtg_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
 
 sysadm_use_terms(mrtg_t)
 sysadm_dontaudit_read_home_content_files(mrtg_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te	2009-02-10 15:07:15.000000000 +0100
@@ -130,6 +130,8 @@
 files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
+kernel_read_system_state(ping_t)
+
 auth_use_nsswitch(ping_t)
 
 libs_use_ld_so(ping_t)
@@ -149,6 +151,15 @@
 ')
 
 optional_policy(`
+	munin_append_log(ping_t)
+	munin_dontaudit_rw_tcp_sockets(ping_t)
+')
+
+optional_policy(`
+	nagios_dontaudit_rw_pipes(ping_t)
+')
+
+optional_policy(`
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.5.13/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/prelink.te	2009-02-10 15:07:15.000000000 +0100
@@ -26,7 +26,7 @@
 # Local policy
 #
 
-allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
 allow prelink_t self:process { execheap execmem execstack signal };
 allow prelink_t self:fifo_file rw_fifo_file_perms;
 
@@ -40,7 +40,7 @@
 read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
 logging_log_filetrans(prelink_t, prelink_log_t, file)
 
-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
 files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
 fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
 
@@ -49,8 +49,7 @@
 allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
 
 kernel_read_system_state(prelink_t)
-kernel_dontaudit_search_kernel_sysctl(prelink_t)
-kernel_dontaudit_search_sysctl(prelink_t)
+kernel_read_kernel_sysctls(prelink_t)
 
 corecmd_manage_all_executables(prelink_t)
 corecmd_relabel_all_executables(prelink_t)
@@ -65,6 +64,8 @@
 files_read_etc_files(prelink_t)
 files_read_etc_runtime_files(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
+files_manage_usr_files(prelink_t)
+files_relabelfrom_usr_files(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
 
@@ -81,6 +82,11 @@
 
 miscfiles_read_localization(prelink_t)
 
+# prelink executables in the user homedir
+unprivuser_manage_home_content_files(prelink_t)
+unprivuser_mmap_home_content_files(prelink_t)
+unprivuser_dontaudit_home_content_files(prelink_t)
+
 optional_policy(`
 	amanda_manage_lib(prelink_t)
 ')
@@ -88,3 +94,7 @@
 optional_policy(`
 	cron_system_entry(prelink_t, prelink_exec_t)
 ')
+
+optional_policy(`
+	unconfined_domain(prelink_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.13/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/rpm.fc	2009-02-10 15:07:15.000000000 +0100
@@ -11,7 +11,8 @@
 
 /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-
+/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 ifdef(`distro_redhat', `
@@ -21,14 +22,17 @@
 /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 
 /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
-
-/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
 
 # SuSE
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.13/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/rpm.if	2009-02-10 15:07:15.000000000 +0100
@@ -152,6 +152,24 @@
 
 ########################################
 ## <summary>
+##	dontaudit read and write an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_pipes',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	rpm over dbus.
 ## </summary>
@@ -173,6 +191,48 @@
 
 ########################################
 ## <summary>
+##	dontaudit attempts to Send and receive messages from
+##	rpm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_dbus_chat',`
+	gen_require(`
+		type rpm_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 rpm_t:dbus send_msg;
+	dontaudit rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	rpm_script over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+	gen_require(`
+		type rpm_script_t;
+		class dbus send_msg;
+	')
+
+	allow $1 rpm_script_t:dbus send_msg;
+	allow rpm_script_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete the RPM log.
 ## </summary>
 ## <param name="domain">
@@ -192,6 +252,24 @@
 
 ########################################
 ## <summary>
+##	Search RPM log directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_search_log',`
+	gen_require(`
+		type rpm_log_t;
+	')
+
+	allow $1 rpm_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Inherit and use file descriptors from RPM scripts.
 ## </summary>
 ## <param name="domain">
@@ -210,6 +288,24 @@
 
 ########################################
 ## <summary>
+##	dontaudit and use file descriptors from RPM scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_use_script_fds',`
+	gen_require(`
+		type rpm_script_t;
+	')
+
+	dontaudit $1 rpm_script_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete RPM
 ##	script temporary files.
 ## </summary>
@@ -225,7 +321,29 @@
 	')
 
 	files_search_tmp($1)
+	manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
 	manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+	manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+##	read, RPM
+##	script temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+	gen_require(`
+		type rpm_script_tmp_t;
+	')
+
+	read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+	read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
 ')
 
 ########################################
@@ -289,3 +407,175 @@
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
+
+
+########################################
+## <summary>
+##	Allow application to transition to rpm_script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_transition_script',`
+	gen_require(`
+		type rpm_script_t;
+	')
+
+	allow $1 rpm_script_t:process transition;
+
+	allow $1 rpm_script_t:fd use;
+	allow rpm_script_t $1:fd use;
+	allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+	allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	allow domain to read, 
+##	write RPM tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_rw_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	allow $1 rpm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read, 
+##	write RPM tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	dontaudit $1 rpm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read, 
+##	write RPM shm
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_shm',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	dontaudit $1 rpm_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Read/write rpm tmpfs files.
+## </summary>
+## <desc>
+##	<p>
+##	Read/write rpm tmpfs files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_rw_tmpfs_files',`
+	gen_require(`
+		type rpm_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 rpm_tmpfs_t:dir list_dir_perms;
+	rw_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t)
+	read_lnk_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Transition to system_r when execute an rpm script
+## </summary>
+## <desc>
+##      <p>
+##	Execute rpm script in a specified role
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_role">
+##	<summary>
+##	Role to transition from.
+##	</summary>
+## </param>
+interface(`rpm_role_transition',`
+	gen_require(`
+		type rpm_exec_t;
+	')
+
+	role_transition $1 rpm_exec_t system_r;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write, and delete the 
+##	RPM var run files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_write_pid_files',`
+	gen_require(`
+		type rpm_var_run_t;
+	')
+
+	dontaudit $1 rpm_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_signull',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	allow $1 rpm_t:process signull;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.13/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/rpm.te	2009-02-10 17:18:11.000000000 +0100
@@ -31,6 +31,10 @@
 files_type(rpm_var_lib_t)
 typealias rpm_var_lib_t alias var_lib_rpm_t;
 
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+mta_system_content(rpm_var_run_t)
+
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
@@ -52,7 +56,8 @@
 # rpm Local policy
 #
 
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+
 allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
@@ -68,6 +73,8 @@
 allow rpm_t self:sem create_sem_perms;
 allow rpm_t self:msgq create_msgq_perms;
 allow rpm_t self:msg { send receive };
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
 
 allow rpm_t rpm_log_t:file manage_file_perms;
 logging_log_filetrans(rpm_t, rpm_log_t, file)
@@ -87,8 +94,12 @@
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
 
+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
+kernel_read_network_state_symlinks(rpm_t)
 
 corecmd_exec_all_executables(rpm_t)
 
@@ -115,6 +126,7 @@
 fs_manage_nfs_symlinks(rpm_t)
 fs_getattr_all_fs(rpm_t)
 fs_search_auto_mountpoints(rpm_t)
+fs_list_inotifyfs(rpm_t)
 
 mls_file_read_all_levels(rpm_t)
 mls_file_write_all_levels(rpm_t)
@@ -177,10 +189,20 @@
 ')
 
 optional_policy(`
+	optional_policy(`
 	hal_dbus_chat(rpm_t)
 ')
 
 optional_policy(`
+		networkmanager_dbus_chat(rpm_t)
+	')
+
+	optional_policy(`
+		dbus_system_domain(rpm_t, rpm_exec_t)
+	')
+')
+
+optional_policy(`
 	prelink_domtrans(rpm_t)
 ')
 
@@ -188,6 +210,7 @@
 	unconfined_domain(rpm_t)
 	# yum-updatesd requires this
 	unconfined_dbus_chat(rpm_t)
+	unconfined_dbus_chat(rpm_script_t)
 ')
 
 ifdef(`TODO',`
@@ -213,8 +236,8 @@
 # rpm-script Local policy
 #
 
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_nice mknod kill };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_fifo_file_perms;
 allow rpm_script_t self:unix_dgram_socket create_socket_perms;
@@ -225,12 +248,15 @@
 allow rpm_script_t self:sem create_sem_perms;
 allow rpm_script_t self:msgq create_msgq_perms;
 allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 allow rpm_script_t rpm_tmp_t:file read_file_perms;
 
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
 manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
 manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
 files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
 
 manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
@@ -283,6 +309,7 @@
 auth_use_nsswitch(rpm_script_t)
 # ideally we would not need this
 auth_manage_all_files_except_shadow(rpm_script_t)
+auth_relabel_shadow(rpm_script_t)
 
 corecmd_exec_all_executables(rpm_script_t)
 
@@ -296,6 +323,7 @@
 files_exec_etc_files(rpm_script_t)
 files_read_etc_runtime_files(rpm_script_t)
 files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
 
 init_domtrans_script(rpm_script_t)
 
@@ -315,6 +343,7 @@
 seutil_domtrans_loadpolicy(rpm_script_t)
 seutil_domtrans_setfiles(rpm_script_t)
 seutil_domtrans_semanage(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)
 
 userdom_use_all_users_fds(rpm_script_t)
 
@@ -333,6 +362,10 @@
 ')
 
 optional_policy(`
+	lvm_domtrans(rpm_script_t)
+')
+
+optional_policy(`
 	tzdata_domtrans(rpm_t)
 	tzdata_domtrans(rpm_script_t)
 ')
@@ -340,6 +373,7 @@
 optional_policy(`
 	unconfined_domain(rpm_script_t)
 	unconfined_domtrans(rpm_script_t)
+	unconfined_execmem_domtrans(rpm_script_t)
 
 	optional_policy(`
 		java_domtrans(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.13/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/sudo.if	2009-02-10 15:07:15.000000000 +0100
@@ -55,7 +55,7 @@
 	#
 
 	# Use capabilities.
-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
@@ -68,33 +68,36 @@
 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_sudo_t self:unix_dgram_socket sendto;
 	allow $1_sudo_t self:unix_stream_socket connectto;
-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
+	allow $1_sudo_t self:key manage_key_perms;
+	allow $1_sudo_t $1_t:key search;
 
 	# Enter this derived domain from the user domain
 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
 
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_sudo_t, $2)
+	corecmd_bin_domtrans($1_sudo_t, $2)
 	allow $2 $1_sudo_t:fd use;
 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
 	allow $2 $1_sudo_t:process sigchld;
 
 	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
-	kernel_search_key($1_sudo_t)
+	kernel_link_key($1_sudo_t)
 
 	dev_read_urand($1_sudo_t)
+	dev_rw_generic_usb_dev($1_sudo_t)
 
 	fs_search_auto_mountpoints($1_sudo_t)
 	fs_getattr_xattr_fs($1_sudo_t)
 
-	auth_domtrans_chk_passwd($1_sudo_t)
+	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
 	# sudo stores a token in the pam_pid directory
 	auth_manage_pam_pid($1_sudo_t)
 	auth_use_nsswitch($1_sudo_t)
 
 	corecmd_read_bin_symlinks($1_sudo_t)
-	corecmd_getattr_all_executables($1_sudo_t)
+	corecmd_exec_all_executables($1_sudo_t)
 
 	domain_use_interactive_fds($1_sudo_t)
 	domain_sigchld_interactive_fds($1_sudo_t)
@@ -106,32 +109,50 @@
 	files_getattr_usr_files($1_sudo_t)
 	# for some PAM modules and for cwd
 	files_dontaudit_search_home($1_sudo_t)
+	files_list_tmp($1_sudo_t)
 
 	init_rw_utmp($1_sudo_t)
 
 	libs_use_ld_so($1_sudo_t)
 	libs_use_shared_libs($1_sudo_t)
 
+	logging_send_audit_msgs($1_sudo_t)
 	logging_send_syslog_msg($1_sudo_t)
 
 	miscfiles_read_localization($1_sudo_t)
 
-	userdom_manage_user_home_content_files($1, $1_sudo_t)
-	userdom_manage_user_home_content_symlinks($1, $1_sudo_t)
-	userdom_manage_user_tmp_files($1, $1_sudo_t)
-	userdom_manage_user_tmp_symlinks($1, $1_sudo_t)
+	mta_per_role_template($1, $1_sudo_t, $3)
+
+	unprivuser_manage_home_content_files($1_sudo_t)
+	unprivuser_manage_home_content_symlinks($1_sudo_t)
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_sudo_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_sudo_t)
+	')
+	unprivuser_manage_tmp_files($1_sudo_t)
+	unprivuser_manage_tmp_symlinks($1_sudo_t)
+	userdom_exec_user_home_content_files($1, $1_sudo_t)
 	userdom_use_user_terminals($1, $1_sudo_t)
 	userdom_use_unpriv_users_fds($1_sudo_t)
 	# for some PAM modules and for cwd
+	sysadm_search_home_content_dirs($1_sudo_t)
 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+	userdom_manage_all_users_keys($1_sudo_t)
 
-	ifdef(`TODO',`
-	# for when the network connection is killed
-	dontaudit unpriv_userdomain $1_sudo_t:process signal;
-
-	ifdef(`mta.te', `
-	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-	')
+	domain_role_change_exemption($1_sudo_t)
+	userdom_spec_domtrans_all_users($1_sudo_t)
 
-	') dnl end TODO
+	selinux_validate_context($1_sudo_t)
+	selinux_compute_relabel_context($1_sudo_t)
+	selinux_getattr_fs($1_sudo_t)
+	seutil_read_config($1_sudo_t)
+	seutil_search_default_contexts($1_sudo_t)
+
+	term_use_all_user_ttys($1_sudo_t)
+	term_use_all_user_ptys($1_sudo_t)
+	term_relabel_all_user_ttys($1_sudo_t)
+	term_relabel_all_user_ptys($1_sudo_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.13/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/su.if	2009-02-10 15:07:15.000000000 +0100
@@ -41,15 +41,13 @@
 
 	allow $2 $1_su_t:process signal;
 
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
-	allow $1_su_t self:key { search write };
+	allow $1_su_t self:key manage_key_perms;
 	allow $1_su_t self:process { setexec setsched setrlimit };
 	allow $1_su_t self:fifo_file rw_fifo_file_perms;
-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
 
-	# Transition from the user domain to this domain.
 	domtrans_pattern($2, su_exec_t, $1_su_t)
 
 	# By default, revert to the calling domain when a shell is executed.
@@ -89,28 +87,24 @@
 	libs_use_ld_so($1_su_t)
 	libs_use_shared_libs($1_su_t)
 
+	logging_send_audit_msgs($1_su_t)
 	logging_send_syslog_msg($1_su_t)
 
 	miscfiles_read_localization($1_su_t)
 
-	ifdef(`distro_rhel4',`
-		domain_role_change_exemption($1_su_t)
-		domain_subj_id_change_exemption($1_su_t)
-		domain_obj_id_change_exemption($1_su_t)
-
-		selinux_get_fs_mount($1_su_t)
-		selinux_validate_context($1_su_t)
-		selinux_compute_access_vector($1_su_t)
-		selinux_compute_create_context($1_su_t)
-		selinux_compute_relabel_context($1_su_t)
-		selinux_compute_user_contexts($1_su_t)
+	auth_login_pgm_domain($1_su_t)
 
 		seutil_read_config($1_su_t)
 		seutil_read_default_contexts($1_su_t)
 
 		# Only allow transitions to unprivileged user domains.
 		userdom_spec_domtrans_unpriv_users($1_su_t)
-	')
+
+	# Deal with unconfined_terminals.
+	term_use_all_user_ttys($1_su_t)
+	term_use_all_user_ptys($1_su_t)
+	term_relabel_all_user_ttys($1_su_t)
+	term_relabel_all_user_ptys($1_su_t)
 
 	optional_policy(`
 		cron_read_pipes($1_su_t)
@@ -120,10 +114,17 @@
 		kerberos_use($1_su_t)
 	')
 
-	ifdef(`TODO',`
-	# Caused by su - init scripts
-	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-	') dnl end TODO
+	optional_policy(`
+		xserver_domtrans_user_xauth($1, $1_su_t)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_search_nfs($1_su_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_search_cifs($1_su_t)
+	')
 ')
 
 #######################################
@@ -172,14 +173,14 @@
 	domain_interactive_fd($1_su_t)
 	role $3 types $1_su_t;
 
-	allow $2 $1_su_t:process signal;
+	allow $2 $1_su_t:process { getsched signal };
 
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
-	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:process { getsched setexec setsched setrlimit };
 	allow $1_su_t self:fifo_file rw_fifo_file_perms;
-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:key { search write };
+	allow $1_su_t $1_t:key search;
 
 	# Transition from the user domain to this domain.
 	domtrans_pattern($2, su_exec_t, $1_su_t)
@@ -188,7 +189,7 @@
 	corecmd_shell_domtrans($1_su_t, $2)
 	allow $2 $1_su_t:fd use;
 	allow $2 $1_su_t:fifo_file rw_file_perms;
-	allow $2 $1_su_t:process sigchld;
+	allow $2 $1_su_t:process { getsched signal sigchld };
 
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
@@ -203,15 +204,15 @@
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
 
-	auth_domtrans_user_chk_passwd($1, $1_su_t)
+	auth_run_chk_passwd($1_su_t, $3, { $1_tty_device_t $1_devpts_t })
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
-	auth_rw_faillog($1_su_t)
 
-	corecmd_search_bin($1_su_t)
+	corecmd_exec_bin($1_su_t)
 
 	domain_use_interactive_fds($1_su_t)
 
+	files_read_usr_symlinks($1_su_t)
 	files_read_etc_files($1_su_t)
 	files_read_etc_runtime_files($1_su_t)
 	files_search_var_lib($1_su_t)
@@ -226,12 +227,14 @@
 	libs_use_ld_so($1_su_t)
 	libs_use_shared_libs($1_su_t)
 
+	logging_send_audit_msgs($1_su_t)
 	logging_send_syslog_msg($1_su_t)
 
 	miscfiles_read_localization($1_su_t)
 
-	userdom_use_user_terminals($1, $1_su_t)
+	sysadm_search_home_dirs($1_su_t)
 	userdom_search_user_home_dirs($1, $1_su_t)
+	userdom_use_user_terminals($1, $1_su_t)
 
 	ifdef(`distro_rhel4',`
 		domain_role_change_exemption($1_su_t)
@@ -295,13 +298,7 @@
 		xserver_domtrans_user_xauth($1, $1_su_t)
 	')
 
-	ifdef(`TODO',`
-	allow $1_su_t $1_home_t:file manage_file_perms;
-
-	# Access sshd cookie files.
-	allow $1_su_t sshd_tmp_t:file rw_file_perms;
-	file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-	') dnl end TODO
+	userdom_search_all_users_home_dirs($1_su_t)
 ')
 
 #######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te	2009-02-10 15:07:15.000000000 +0100
@@ -22,12 +22,16 @@
 dev_read_urand(tmpreaper_t)
 
 fs_getattr_xattr_fs(tmpreaper_t)
+fs_list_inotifyfs(tmpreaper_t)
 
 files_read_etc_files(tmpreaper_t)
 files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
 # why does it need setattr?
 files_setattr_all_tmp_dirs(tmpreaper_t)
+files_getattr_lost_found_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
 
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
@@ -42,6 +46,26 @@
 
 cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
 
+userdom_delete_all_users_home_content_dirs(tmpreaper_t)
+userdom_delete_all_users_home_content_files(tmpreaper_t)
+userdom_delete_all_users_home_content_symlinks(tmpreaper_t)
+
+optional_policy(`
+	amavis_manage_spool_files(tmpreaper_t)
+')
+
+optional_policy(`
+	apache_delete_sys_content_rw(tmpreaper_t)
+')
+
+optional_policy(`
+	kismet_manage_log(tmpreaper_t)
+')
+
 optional_policy(`
 	lpd_manage_spool(tmpreaper_t)
 ')
+
+optional_policy(`
+	unconfined_domain(tmpreaper_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.5.13/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/usermanage.te	2009-02-10 15:07:15.000000000 +0100
@@ -97,6 +97,7 @@
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(chfn_t)
+corecmd_exec_bin(chfn_t)
 
 domain_use_interactive_fds(chfn_t)
 
@@ -236,9 +237,9 @@
 seutil_read_config(groupadd_t)
 
 userdom_use_unpriv_users_fds(groupadd_t)
-
 # for when /root is the cwd
 sysadm_dontaudit_search_home_dirs(groupadd_t)
+userdom_dontaudit_search_all_users_home_content(groupadd_t)
 
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
@@ -298,6 +299,7 @@
 term_use_all_user_ttys(passwd_t)
 term_use_all_user_ptys(passwd_t)
 
+auth_domtrans_chk_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
@@ -317,6 +319,7 @@
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
+init_use_fds(passwd_t)
 
 libs_use_ld_so(passwd_t)
 libs_use_shared_libs(passwd_t)
@@ -335,6 +338,7 @@
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_all_users_home_content(passwd_t)
+unprivuser_stream_connect(passwd_t)
 
 optional_policy(`
 	nscd_domtrans(passwd_t)
@@ -502,6 +506,9 @@
 seutil_domtrans_setfiles(useradd_t)
 
 userdom_use_unpriv_users_fds(useradd_t)
+# for when /root is the cwd
+sysadm_dontaudit_search_home_dirs(useradd_t)
+userdom_dontaudit_search_all_users_home_content(useradd_t)
 # Add/remove user home directories
 userdom_manage_all_users_home_content_dirs(useradd_t)
 userdom_manage_all_users_home_content_files(useradd_t)
@@ -524,6 +531,16 @@
 ')
 
 optional_policy(`
+	tunable_policy(`samba_domain_controller',`
+		samba_append_log(useradd_t)
+	')
+')
+
+optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
+
+optional_policy(`
+	unconfined_domain(useradd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.5.13/policy/modules/admin/vbetool.if
--- nsaserefpolicy/policy/modules/admin/vbetool.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/vbetool.if	2009-02-10 15:07:15.000000000 +0100
@@ -18,3 +18,34 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, vbetool_exec_t, vbetool_t)
 ')
+
+########################################
+## <summary>
+##	Execute vbetool in the vbetool domain, and
+##	allow the specified role the vbetool domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the vbetool domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the vbetool domain to use.
+##	</summary>
+## </param>
+#
+interface(`vbetool_run',`
+	gen_require(`
+		type vbetool_t;
+	')
+
+	vbetool_domtrans($1)
+	role $2 types vbetool_t;
+	allow vbetool_t $3:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.13/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/vbetool.te	2009-02-10 15:07:15.000000000 +0100
@@ -23,6 +23,9 @@
 dev_rwx_zero(vbetool_t)
 dev_read_sysfs(vbetool_t)
 
+domain_mmap_low_type(vbetool_t)
+domain_mmap_low(vbetool_t)
+
 term_use_unallocated_ttys(vbetool_t)
 
 libs_use_ld_so(vbetool_t)
@@ -35,3 +38,9 @@
 	hal_write_log(vbetool_t)
 	hal_dontaudit_append_lib_files(vbetool_t)
 ')
+
+optional_policy(`
+	xserver_exec_pid(vbetool_t)
+	xserver_write_pid(vbetool_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.13/policy/modules/admin/vpn.if
--- nsaserefpolicy/policy/modules/admin/vpn.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/admin/vpn.if	2009-02-10 15:07:15.000000000 +0100
@@ -53,6 +53,24 @@
 
 ########################################
 ## <summary>
+##	Send sigkill to VPN clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vpn_sigkill',`
+	gen_require(`
+		type vpnc_t;
+	')
+
+	allow $1 vpnc_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Send generic signals to VPN clients.
 ## </summary>
 ## <param name="domain">
@@ -71,6 +89,24 @@
 
 ########################################
 ## <summary>
+##	Send signull to VPN clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vpn_signull',`
+	gen_require(`
+		type vpnc_t;
+	')
+
+	allow $1 vpnc_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	Vpnc over dbus.
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.5.13/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/awstats.te	2009-03-30 14:37:02.000000000 +0200
@@ -28,6 +28,8 @@
 awstats_rw_pipes(awstats_t)
 awstats_cgi_exec(awstats_t)
 
+can_exec(awstats_t, awstats_exec_t)
+
 manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
 manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
 files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
@@ -47,6 +49,8 @@
 # e.g. /usr/share/awstats/lang/awstats-en.txt
 files_read_usr_files(awstats_t)
 
+fs_list_inotifyfs(awstats_t)
+
 libs_read_lib_files(awstats_t)
 libs_use_ld_so(awstats_t)
 libs_use_shared_libs(awstats_t)
@@ -55,6 +59,8 @@
 
 sysnet_dns_name_resolve(awstats_t)
 
+logging_read_generic_logs(awstats_t)
+
 apache_read_log(awstats_t)
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.13/policy/modules/apps/ethereal.fc
--- nsaserefpolicy/policy/modules/apps/ethereal.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,4 @@
-HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ethereal_home_t,s0)
 
 /usr/sbin/ethereal.*		--	gen_context(system_u:object_r:ethereal_exec_t,s0)
 /usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.5.13/policy/modules/apps/ethereal.if
--- nsaserefpolicy/policy/modules/apps/ethereal.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.if	2009-02-10 15:07:15.000000000 +0100
@@ -35,6 +35,7 @@
 template(`ethereal_per_role_template',`
 
 	gen_require(`
+		type ethereal_home_t, ethereal_tmp_t;
 		type ethereal_exec_t;
 	')
 
@@ -48,12 +49,8 @@
 	application_domain($1_ethereal_t, ethereal_exec_t)
 	role $3 types $1_ethereal_t;
 
-	type $1_ethereal_home_t alias $1_ethereal_rw_t;
-	files_poly_member($1_ethereal_home_t)
-	userdom_user_home_content($1, $1_ethereal_home_t)
-
-	type $1_ethereal_tmp_t;
-	files_tmp_file($1_ethereal_tmp_t)
+	typealias ethereal_home_t alias $1_ethereal_home_t;
+	typealias ethereal_tmp_t alias $1_ethereal_tmp_t;
 
 	type $1_ethereal_tmpfs_t;
 	files_tmpfs_file($1_ethereal_tmpfs_t)
@@ -78,15 +75,15 @@
 	corecmd_search_bin($1_ethereal_t)
 
 	# /home/.ethereal
-	manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir)
+	manage_dirs_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t)
+	manage_files_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t)
+	manage_lnk_files_pattern($1_ethereal_t, ethereal_home_t, ethereal_home_t)
+	userdom_user_home_dir_filetrans($1, $1_ethereal_t, ethereal_home_t, dir)
 
 	# Store temporary files
-	manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
-	manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
-	files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
+	manage_dirs_pattern($1_ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
+	manage_files_pattern($1_ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
+	files_tmp_filetrans($1_ethereal_t, ethereal_tmp_t, { dir file })
 
 	manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
 	manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
@@ -99,12 +96,12 @@
 	allow $1_ethereal_t $2:fd use;
 	allow $1_ethereal_t $2:process sigchld;
 
-	manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
+	manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
+	manage_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
 
 	kernel_read_kernel_sysctls($1_ethereal_t)
 	kernel_read_system_state($1_ethereal_t)
@@ -134,7 +131,7 @@
 
 	sysnet_read_config($1_ethereal_t)
 
-	userdom_manage_user_home_content_files($1, $1_ethereal_t)
+	unprivuser_manage_home_content_files($1_ethereal_t)
 	
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_ethereal_t)
@@ -152,28 +149,11 @@
 		nscd_socket_use($1_ethereal_t)
 	')
 
-	# Manual transition from userhelper 
-	optional_policy(`
-		userhelper_use_user_fd($1, $1_ethereal_t)
-		userhelper_sigchld_user($1, $1_ethereal_t)
-	')
-
 	optional_policy(`
 		xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t)
 		xserver_create_xdm_tmp_sockets($1_ethereal_t)
 	')
 	
-	ifdef(`TODO',`
-		# Why does it write this?
-		optional_policy(`
-			dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-		')
-		#TODO
-		gnome_application($1_ethereal, $1)
-		gnome_file_dialog($1_ethereal, $1)
-		# FIXME: policy is incomplete
-	')
-	
 ')
 
 #######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.5.13/policy/modules/apps/ethereal.te
--- nsaserefpolicy/policy/modules/apps/ethereal.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.te	2009-02-10 15:07:15.000000000 +0100
@@ -16,6 +16,13 @@
 type tethereal_tmp_t;
 files_tmp_file(tethereal_tmp_t)
 
+type ethereal_home_t;
+files_poly_member(ethereal_home_t)
+userdom_user_home_content(user, ethereal_home_t)
+
+type ethereal_tmp_t;
+files_tmp_file(ethereal_tmp_t)
+
 ########################################
 #
 # Tethereal policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.5.13/policy/modules/apps/games.if
--- nsaserefpolicy/policy/modules/apps/games.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/games.if	2009-02-10 15:07:15.000000000 +0100
@@ -130,10 +130,10 @@
 
 	sysnet_read_config($1_games_t)
 
-	userdom_manage_user_tmp_dirs($1,$1_games_t)
-	userdom_manage_user_tmp_files($1,$1_games_t)
-	userdom_manage_user_tmp_symlinks($1,$1_games_t)
-	userdom_manage_user_tmp_sockets($1,$1_games_t)
+	unprivuser_manage_tmp_dirs($1_games_t)
+	unprivuser_manage_tmp_files($1_games_t)
+	unprivuser_manage_tmp_symlinks($1_games_t)
+	unprivuser_manage_tmp_sockets($1_games_t)
 	# Suppress .icons denial until properly implemented
 	userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
 	
@@ -165,3 +165,23 @@
 		')
 	')
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	games data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`games_rw_data',`
+	gen_require(`
+		type games_data_t;
+	')
+
+	rw_files_pattern($1, games_data_t, games_data_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.5.13/policy/modules/apps/gitosis.fc
--- nsaserefpolicy/policy/modules/apps/gitosis.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/gitosis.fc	2009-03-20 09:26:47.000000000 +0100
@@ -0,0 +1,4 @@
+
+/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.5.13/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/gitosis.if	2009-03-20 09:26:47.000000000 +0100
@@ -0,0 +1,94 @@
+## <summary>gitosis interface</summary>
+
+#######################################
+## <summary>
+##      Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+        gen_require(`
+                type gitosis_t, gitosis_exec_t;
+        ')
+
+        domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+##      Execute gitosis-serve in the gitosis domain, and
+##      allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed the gpsd domain.
+##      </summary>
+## </param>
+## <param name="terminal">
+##      <summary>
+##      The type of the role's terminal.
+##      </summary>
+## </param>
+#
+interface(`gitosis_run',`
+        gen_require(`
+                type gitosis_t;
+        ')
+
+        gitosis_domtrans($1)
+        role $2 types gitosis_t;
+        allow gitosis_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow the specified domain to read
+##      gitosis lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gitosis_read_var_lib',`
+        gen_require(`
+                type gitosis_var_lib_t;
+
+        ')
+
+        read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+	read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+        list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+##      Allow the specified domain to manage
+##      gitosis lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gitosis_manage_var_lib',`
+        gen_require(`
+                type gitosis_var_lib_t;
+
+        ')
+
+        manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.5.13/policy/modules/apps/gitosis.te
--- nsaserefpolicy/policy/modules/apps/gitosis.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/gitosis.te	2009-03-20 09:27:40.000000000 +0100
@@ -0,0 +1,43 @@
+policy_module(gitosis,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+
+corecmd_exec_bin(gitosis_t) 
+corecmd_exec_shell(gitosis_t)
+
+kernel_read_system_state(gitosis_t)
+
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+libs_use_ld_so(gitosis_t)
+libs_use_shared_libs(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+optional_policy(`
+	ssh_rw_pipes(gitosis_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.13/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gnome.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,8 +1,10 @@
-HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
+HOME_DIR/.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
 
-/etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
+/tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:gconf_tmp_t,s0)
 
-/tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
-
-/usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+HOME_DIR/.pulse(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.13/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gnome.if	2009-02-10 15:07:15.000000000 +0100
@@ -36,6 +36,7 @@
 	gen_require(`
 		type gconfd_exec_t, gconf_etc_t;
 		attribute gnomedomain;
+		type gconf_home_t, gconf_tmp_t;
 	')
 
 	##############################
@@ -47,14 +48,9 @@
 	application_domain($1_gconfd_t, gconfd_exec_t)
 	role $3 types $1_gconfd_t;
 
-	type $1_gconf_home_t;
-	userdom_user_home_content($1, $1_gconf_home_t)
-
-	type $1_gnome_home_t;
-	userdom_user_home_content($1, $1_gnome_home_t)
-
-	type $1_gconf_tmp_t;
-	files_tmp_file($1_gconf_tmp_t)
+	typealias gnome_home_t alias $1_gnome_home_t;
+	typealias gconf_home_t alias $1_gconf_home_t;
+	typealias gconf_tmp_t alias $1_gconf_tmp_t;
 
 	##############################
 	#
@@ -64,21 +60,18 @@
 	allow $1_gconfd_t self:process getsched;
  	allow $1_gconfd_t self:fifo_file rw_fifo_file_perms;
 
-	manage_dirs_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t)
-	manage_files_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t)
-	userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
-
-	manage_dirs_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t)
-	manage_files_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t)
-	userdom_user_tmp_filetrans($1, $1_gconfd_t, $1_gconf_tmp_t, { dir file })
-
-	domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
-	allow $1_gconfd_t $2:fd use;
-	allow $1_gconfd_t $2:fifo_file write;
-	allow $1_gconfd_t $2:unix_stream_socket connectto;
+	manage_dirs_pattern($1_gconfd_t, gconf_home_t, gconf_home_t)
+	manage_files_pattern($1_gconfd_t, gconf_home_t, gconf_home_t)
 
-	allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
-	read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t)
+	manage_dirs_pattern($1_gconfd_t, gconf_tmp_t, gconf_tmp_t)
+	manage_files_pattern($1_gconfd_t, gconf_tmp_t, gconf_tmp_t)
+	userdom_user_home_dir_filetrans($1, $1_gconfd_t, gconf_home_t, dir)
+	userdom_user_tmp_filetrans($1, $1_gconfd_t, gconf_tmp_t, { dir file })
+	userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t, dir)
+
+	domtrans_pattern($2, gconfd_exec_t, $1_gconfd_t)
+	allow $1_gconfd_t $2:unix_stream_socket connectto;
+	allow $2 $1_gconfd_t:unix_stream_socket connectto;
 
 	ps_process_pattern($2, $1_gconfd_t)
 
@@ -86,6 +79,10 @@
 
 	files_read_etc_files($1_gconfd_t)
 
+	fs_list_inotifyfs($1_gconfd_t)
+
+	auth_use_nsswitch($1_gconfd_t)
+
 	libs_use_ld_so($1_gconfd_t)
 	libs_use_shared_libs($1_gconfd_t)
 
@@ -93,11 +90,8 @@
 
 	logging_send_syslog_msg($1_gconfd_t)
 
-	userdom_manage_user_tmp_sockets($1, $1_gconfd_t)
-	userdom_manage_user_tmp_dirs($1, $1_gconfd_t)
-	userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t,dir)
-
-	gnome_stream_connect_gconf_template($1, $2)
+	unprivuser_manage_tmp_sockets($1_gconfd_t)
+	unprivuser_manage_tmp_dirs($1_gconfd_t)
 
 	optional_policy(`
 		nscd_dontaudit_search_pid($1_gconfd_t)
@@ -107,6 +101,10 @@
 		xserver_use_xdm_fds($1_gconfd_t)
 		xserver_rw_xdm_pipes($1_gconfd_t)
 	')
+
+#	optional_policy(`
+#		mozilla_stream_connect_template($1, $1_gconfd_t)
+#	')
 ')
 	
 ########################################
@@ -127,20 +125,39 @@
 #
 template(`gnome_stream_connect_gconf_template',`
 	gen_require(`
-		type $1_gconfd_t, $1_gconf_tmp_t;
+		type $1_gconfd_t, gconf_tmp_t;
 	')
 
-	read_files_pattern($2, $1_gconf_tmp_t, $1_gconf_tmp_t)
+	read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
 	allow $2 $1_gconfd_t:unix_stream_socket connectto;
 ')
 
+
+########################################
+## <summary>
+##	Send general signals to all gconf domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_signal_all',`
+	gen_require(`
+		attribute gnomedomain;
+	')
+
+	allow $1 gnomedomain:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Run gconfd in the role-specific gconfd domain.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Run gconfd in the role-specfic gconfd domain.
+##	Run gconfd in the role-specific gconfd domain.
 ##	</p>
 ##	<p>
 ##	This is a templated interface, and should only
@@ -169,7 +186,7 @@
 
 ########################################
 ## <summary>
-##	manage gnome homedir content (.config)
+##	read gnome homedir content (.config)
 ## </summary>
 ## <param name="userdomain_prefix">
 ##	<summary>
@@ -183,11 +200,97 @@
 ##	</summary>
 ## </param>
 #
+template(`gnome_read_gnome_config',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	read_files_pattern($2, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+##	manage gnome homedir content (.config)
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>nn
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
 template(`gnome_manage_user_gnome_config',`
 	gen_require(`
-		type $1_gnome_home_t;
+		type gnome_home_t;
+	')
+
+	manage_dirs_pattern($2, gnome_home_t, gnome_home_t)
+	manage_files_pattern($2, gnome_home_t, gnome_home_t)
+	manage_lnk_files_pattern($2, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+##	Execute gconf programs in 
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+	gen_require(`
+		type gconfd_exec_t;
+	')
+
+	can_exec($1, gconfd_exec_t)
+')
+########################################
+## <summary>
+##	Read gconf home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_read_gconf_home_files',`
+	gen_require(`
+		type gconf_home_t;
+	')
+
+	allow $1 gconf_home_t:dir list_dir_perms;
+	read_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+##	Connect to gnome over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`gnome_stream_connect',`
+	gen_require(`
+		type gnome_home_t;
 	')
 
-	allow $2 $1_gnome_home_t:dir manage_dir_perms;
-	allow $2 $1_gnome_home_t:file manage_file_perms;
+	# Connect to pulseaudit server
+	stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.13/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gnome.te	2009-03-12 13:00:13.000000000 +0100
@@ -8,8 +8,33 @@
 
 attribute gnomedomain;
 
-type gconf_etc_t;
-files_type(gconf_etc_t)
-
 type gconfd_exec_t;
 application_executable_file(gconfd_exec_t)
+
+type gnome_home_t;
+userdom_user_home_type(gnome_home_t)
+userdom_user_home_content(user, gnome_home_t)
+
+type gconf_home_t;
+userdom_user_home_content(user, gconf_home_t)
+
+type gconf_tmp_t;
+files_tmp_file(gconf_tmp_t)
+
+typealias gnome_home_t alias unconfined_gnome_home_t;
+typealias gconf_home_t alias unconfined_gconf_home_t;
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
+
+##############################
+#
+# Declarations
+#
+type gconfd_t, gnomedomain;
+application_domain(gconfd_t, gconfd_exec_t)
+role system_r types gconfd_t;
+
+##############################
+#
+# Local Policy
+#
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.13/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gpg.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,9 +1,9 @@
-HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
 
-/usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg2?		--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 /usr/bin/kgpg		--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
 
-/usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib(64)?/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.13/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gpg.if	2009-02-10 15:07:15.000000000 +0100
@@ -37,6 +37,9 @@
 template(`gpg_per_role_template',`
 	gen_require(`
 		type gpg_exec_t, gpg_helper_exec_t, gpg_agent_exec_t, pinentry_exec_t;
+		type gpg_t, gpg_helper_t;
+		type gpg_agent_t, gpg_pinentry_t;
+		type gpg_agent_tmp_t, gpg_secret_t;
 	')
 
 	########################################
@@ -44,290 +47,61 @@
 	# Declarations
 	#
 
-	type $1_gpg_t;
-	application_domain($1_gpg_t, gpg_exec_t)
-	role $3 types $1_gpg_t;
-
-	type $1_gpg_agent_t;
-	application_domain($1_gpg_agent_t, gpg_agent_exec_t)
-	role $3 types $1_gpg_agent_t;
-
-	type $1_gpg_agent_tmp_t;
-	files_tmp_file($1_gpg_agent_tmp_t)
-
-	type $1_gpg_secret_t;
-	userdom_user_home_content($1, $1_gpg_secret_t)
-
-	type $1_gpg_helper_t;
-	application_domain($1_gpg_helper_t, gpg_helper_exec_t)
-	role $3 types $1_gpg_helper_t;
-
-	type $1_gpg_pinentry_t;
-	application_domain($1_gpg_pinentry_t, pinentry_exec_t)
-	role $3 types $1_gpg_pinentry_t;
+	typealias gpg_t alias $1_gpg_t;
+	role $3 types gpg_t;
 
-	########################################
-	#
-	# GPG local policy
-	#
-
-	allow $1_gpg_t self:capability { ipc_lock setuid };
-	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
-	# setrlimit is for ulimit -c 0
-	allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-	allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
-	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-	# transition from the gpg domain to the helper domain
-	domtrans_pattern($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-
-	manage_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
-	manage_lnk_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
-	allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms;
- 	userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
-
-	# transition from the userdomain to the derived domain
-	domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
-
-	# allow ps to show gpg
-	ps_process_pattern($2, $1_gpg_t)
-
-	corenet_all_recvfrom_unlabeled($1_gpg_t)
-	corenet_all_recvfrom_netlabel($1_gpg_t)
-	corenet_tcp_sendrecv_all_if($1_gpg_t)
-	corenet_udp_sendrecv_all_if($1_gpg_t)
-	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
-	corenet_udp_sendrecv_all_nodes($1_gpg_t)
-	corenet_tcp_sendrecv_all_ports($1_gpg_t)
-	corenet_udp_sendrecv_all_ports($1_gpg_t)
-	corenet_tcp_connect_all_ports($1_gpg_t)
-	corenet_sendrecv_all_client_packets($1_gpg_t)
-
-	dev_read_rand($1_gpg_t)
-	dev_read_urand($1_gpg_t)
-
-	fs_getattr_xattr_fs($1_gpg_t)
-
-	domain_use_interactive_fds($1_gpg_t)
-
-	files_read_etc_files($1_gpg_t)
-	files_read_usr_files($1_gpg_t)
-	files_dontaudit_search_var($1_gpg_t)
-
-	libs_use_shared_libs($1_gpg_t)
-	libs_use_ld_so($1_gpg_t)
-
-	miscfiles_read_localization($1_gpg_t)
-
-	logging_send_syslog_msg($1_gpg_t)
-
-	sysnet_read_config($1_gpg_t)
-
-	userdom_use_user_terminals($1, $1_gpg_t)
+	typealias gpg_agent_t alias  $1_gpg_agent_t;
+	role $3 types gpg_agent_t;
 
-	optional_policy(`
-		nis_use_ypbind($1_gpg_t)
-	')
-
-	ifdef(`TODO',`
-	# Read content to encrypt/decrypt/sign
-	read_content($1_gpg_t, $1)
-
-	# Write content to encrypt/decrypt/sign
-	write_trusted($1_gpg_t, $1)
-	') dnl end TODO
-
-	########################################
-	#
-	# GPG helper local policy
-	#
-
-	# for helper programs (which automatically fetch keys)
-	# Note: this is only tested with the hkp interface. If you use eg the 
-	# mail interface you will likely need additional permissions.
-
-	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
-	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
-
-	# communicate with the user 
-	allow $1_gpg_helper_t $2:fd use;
-	allow $1_gpg_helper_t $2:fifo_file write;
-
-	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+	typealias gpg_helper_t alias  $1_gpg_helper_t;
+	role $3 types gpg_helper_t;
 
-	corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
-	corenet_all_recvfrom_netlabel($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
-	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
-	corenet_udp_bind_all_nodes($1_gpg_helper_t)
-	corenet_tcp_connect_all_ports($1_gpg_helper_t)
-
-	dev_read_urand($1_gpg_helper_t)
-
-	files_read_etc_files($1_gpg_helper_t)
-	# for nscd
-	files_dontaudit_search_var($1_gpg_helper_t)
+	typealias gpg_pinentry_t alias $1_gpg_pinentry_t;
+	role $3 types gpg_pinentry_t;
 
-	libs_use_ld_so($1_gpg_helper_t)
-	libs_use_shared_libs($1_gpg_helper_t)
+	typealias gpg_agent_tmp_t alias $1_gpg_agent_tmp_t;
+	typealias gpg_secret_t alias $1_gpg_secret_t;
 
-	sysnet_read_config($1_gpg_helper_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
-	')
-
-	optional_policy(`
-		xserver_use_xdm_fds($1_gpg_t)
-		xserver_rw_xdm_pipes($1_gpg_t)
-	')
-
-	########################################
-	#
-	# GPG agent local policy
-	#
+	# transition from the userdomain to the derived domain
+	domtrans_pattern($2, gpg_exec_t, gpg_t)
 
-	# rlimit: gpg-agent wants to prevent coredumps
-	allow $1_gpg_agent_t self:process setrlimit;
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
 
-	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
-	allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
+	allow $2 gpg_t:process signal_perms;
 
-	# Allow the gpg-agent to manage its tmp files (socket)
-	manage_dirs_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	manage_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	manage_dirs_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
-	manage_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
-	manage_lnk_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
+	# Thunderbird leaks descriptors
+	dontaudit gpg_t $2:tcp_socket rw_socket_perms;
+	dontaudit gpg_t $2:udp_socket rw_socket_perms;
+	dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms;
+	dontaudit gpg_helper_t $2:udp_socket rw_socket_perms;
+	#Leaked File Descriptors
+	dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms;
+	dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
 
-	# allow gpg to connect to the gpg agent
-	stream_connect_pattern($1_gpg_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t, $1_gpg_agent_t)
+	# allow ps to show gpg
+	ps_process_pattern($2, gpg_t)
 
 	# allow ps to show gpg-agent
 	ps_process_pattern($2, $1_gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
-
-	# Allow the user to manage gpg-agent tmp files (socket)
-	manage_dirs_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	manage_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
-
-	corecmd_search_bin($1_gpg_agent_t)
-
-	domain_use_interactive_fds($1_gpg_agent_t)
-
-	libs_use_ld_so($1_gpg_agent_t)
-	libs_use_shared_libs($1_gpg_agent_t)
-
-	miscfiles_read_localization($1_gpg_agent_t)
+	allow $2 gpg_agent_t:process signal_perms;
 
+	userdom_use_user_terminals($1, gpg_t)
 	# Write to the user domain tty.
-	userdom_use_user_terminals($1, $1_gpg_agent_t)
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	userdom_search_user_home_dirs($1, $1_gpg_agent_t)
-
-	tunable_policy(`gpg_agent_env_file',`
-		# write ~/.gpg-agent-info or a similar to the users home dir
-		# or subdir (gpg-agent --write-env-file option)
-		#
-		userdom_user_home_dir_filetrans_user_home_content($1, $1_gpg_agent_t, file)
-		userdom_manage_user_home_content_dirs($1, $1_gpg_agent_t)
-		userdom_manage_user_home_content_files($1, $1_gpg_agent_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_gpg_agent_t)
-		fs_manage_nfs_files($1_gpg_agent_t)
-		fs_manage_nfs_symlinks($1_gpg_agent_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_gpg_agent_t)
-		fs_manage_cifs_files($1_gpg_agent_t)
-		fs_manage_cifs_symlinks($1_gpg_agent_t)
-	')
-
-	##############################
-	#
-	# Pinentry local policy
-	#
-
-	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-	allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
-
-	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-	# from the user.
-	domtrans_pattern($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
-	# read /proc/meminfo
-	kernel_read_system_state($1_gpg_pinentry_t)
+	userdom_use_user_terminals($1, gpg_agent_t)
 
-	files_read_usr_files($1_gpg_pinentry_t)
-	# read /etc/X11/qtrc
-	files_read_etc_files($1_gpg_pinentry_t)
-
-	libs_use_ld_so($1_gpg_pinentry_t)
-	libs_use_shared_libs($1_gpg_pinentry_t)
-
-	miscfiles_read_fonts($1_gpg_pinentry_t)
-	miscfiles_read_localization($1_gpg_pinentry_t)
-
-	# for .Xauthority
-	userdom_read_user_home_content_files($1, $1_gpg_pinentry_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_read_nfs_files($1_gpg_pinentry_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_read_cifs_files($1_gpg_pinentry_t)
-	')
-
-	optional_policy(`
-		xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
-	')
-
-	ifdef(`TODO',`
-	allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
-
-	# wants to put some lock files into the user home dir, seems to work fine without
-	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
-	tunable_policy(`use_nfs_home_dirs',`
-		dontaudit $1_gpg_pinentry_t nfs_t:dir write;
-		dontaudit $1_gpg_pinentry_t nfs_t:file write;
-	')
+	# communicate with the user 
+	allow gpg_helper_t $2:fd use;
+	allow gpg_helper_t $2:fifo_file rw_fifo_file_perms;
 
-	tunable_policy(`use_samba_home_dirs',`
-		dontaudit $1_gpg_pinentry_t cifs_t:dir write;
-		dontaudit $1_gpg_pinentry_t cifs_t:file write;
-	')
+	userdom_use_user_terminals($1, gpg_helper_t)
+	unprivuser_manage_home_content_files(gpg_helper_t)
 
-	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
-	') dnl end TODO
+	manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.13/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gpg.te	2009-02-10 15:07:15.000000000 +0100
@@ -15,15 +15,255 @@
 gen_tunable(gpg_agent_env_file, false)
 
 # Type for gpg or pgp executables.
+type gpg_t;
 type gpg_exec_t;
+application_domain(gpg_t, gpg_exec_t)
+
+type gpg_helper_t;
 type gpg_helper_exec_t;
-application_executable_file(gpg_exec_t)
-application_executable_file(gpg_helper_exec_t)
+application_domain(gpg_helper_t, gpg_helper_exec_t)
 
 # Type for the gpg-agent executable.
+type gpg_agent_t;
 type gpg_agent_exec_t;
-application_executable_file(gpg_agent_exec_t)
+application_domain(gpg_agent_t, gpg_agent_exec_t)
 
 # type for the pinentry executable
+type gpg_pinentry_t;
 type pinentry_exec_t;
-application_executable_file(pinentry_exec_t)
+application_domain(gpg_pinentry_t, pinentry_exec_t)
+
+type gpg_agent_tmp_t;
+files_tmp_file(gpg_agent_tmp_t)
+
+type gpg_secret_t;
+userdom_user_home_content(user, gpg_secret_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+allow gpg_t self:process signal;
+# setrlimit is for ulimit -c 0
+allow gpg_t self:process { setrlimit getcap setcap setpgid };
+
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+allow gpg_t gpg_secret_t:dir create_dir_perms;
+
+manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+
+kernel_read_sysctl(gpg_t)
+
+unprivuser_home_dir_filetrans_home_content(gpg_t, file)
+unprivuser_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+unprivuser_manage_home_content_files(gpg_t)
+unprivuser_manage_tmp_files(gpg_t)
+unprivuser_stream_connect(gpg_t)
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_all_if(gpg_t)
+corenet_udp_sendrecv_all_if(gpg_t)
+corenet_tcp_sendrecv_all_nodes(gpg_t)
+corenet_udp_sendrecv_all_nodes(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
+
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+files_read_etc_files(gpg_t)
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+auth_use_nsswitch(gpg_t)
+
+libs_use_shared_libs(gpg_t)
+libs_use_ld_so(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+########################################
+#
+# GPG helper local policy
+#
+
+allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the 
+# mail interface you will likely need additional permissions.
+
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+dontaudit gpg_helper_t gpg_secret_t:file read;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_all_if(gpg_helper_t)
+corenet_raw_sendrecv_all_if(gpg_helper_t)
+corenet_udp_sendrecv_all_if(gpg_helper_t)
+corenet_tcp_sendrecv_all_nodes(gpg_helper_t)
+corenet_udp_sendrecv_all_nodes(gpg_helper_t)
+corenet_raw_sendrecv_all_nodes(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_all_nodes(gpg_helper_t)
+corenet_udp_bind_all_nodes(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+files_read_etc_files(gpg_helper_t)
+
+fs_list_inotifyfs(gpg_helper_t)
+
+auth_use_nsswitch(gpg_helper_t)
+
+libs_use_ld_so(gpg_helper_t)
+libs_use_shared_libs(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+optional_policy(`
+	xserver_use_xdm_fds(gpg_t)
+	xserver_rw_xdm_pipes(gpg_t)
+')
+
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(gpg_t)
+	fs_manage_nfs_files(gpg_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(gpg_t)
+	fs_manage_cifs_files(gpg_t)
+')
+
+########################################
+#
+# GPG agent local policy
+#
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process setrlimit;
+
+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+# allow gpg to connect to the gpg agent
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+
+manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+corecmd_search_bin(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+libs_use_ld_so(gpg_agent_t)
+libs_use_shared_libs(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+unprivuser_search_home_dirs(gpg_agent_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(gpg_agent_t)
+	fs_manage_nfs_files(gpg_agent_t)
+	fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(gpg_agent_t)
+	fs_manage_cifs_files(gpg_agent_t)
+	fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`gpg_agent_env_file',`
+	# write ~/.gpg-agent-info or a similar to the users home dir
+	# or subdir (gpg-agent --write-env-file option)
+	#
+	unprivuser_home_dir_filetrans_home_content(gpg_agent_t, file)
+	unprivuser_manage_home_content_dirs(gpg_agent_t)
+	unprivuser_manage_home_content_files(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+
+# read /proc/meminfo
+kernel_read_system_state(gpg_pinentry_t)
+
+files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
+files_read_etc_files(gpg_pinentry_t)
+
+libs_use_ld_so(gpg_pinentry_t)
+libs_use_shared_libs(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+# for .Xauthority
+unprivuser_read_home_content_files(gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+	xserver_stream_connect_xdm_xserver(gpg_pinentry_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.13/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/java.fc	2009-02-10 15:07:15.000000000 +0100
@@ -2,15 +2,16 @@
 # /opt
 #
 /opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:java_exec_t,s0)
-/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)?	-- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
 
 #
 # /usr
 #
 /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +21,11 @@
 /usr/bin/grmic  	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/grmiregistry  	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/jv-convert  	--	gen_context(system_u:object_r:java_exec_t,s0)
-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar  	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.13/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/java.if	2009-02-10 15:07:15.000000000 +0100
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`java_per_role_template',`
+template(`java_plugin_per_role_template',`
 	gen_require(`
 		type java_exec_t;
 	')
@@ -57,18 +57,21 @@
 	# Local policy
 	#
 
-	allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
+	allow $1_javaplugin_t self:process {  execmem execstack signal_perms getsched ptrace setsched };
 	allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
-	allow $1_javaplugin_t self:tcp_socket create_socket_perms;
+	allow $1_javaplugin_t self:tcp_socket create_stream_socket_perms;
 	allow $1_javaplugin_t self:udp_socket create_socket_perms;
 	
+	allow $1_javaplugin_t $1_t:process signull;
+	allow $1_javaplugin_t $1_t:unix_stream_socket connectto;
+	allow $1_t $1_javaplugin_t:unix_stream_socket connectto;
 	allow $1_javaplugin_t $2:unix_stream_socket connectto;
-	allow $1_javaplugin_t $2:unix_stream_socket { read write };
-	userdom_write_user_tmp_sockets($1, $1_javaplugin_t)
+	allow $1_javaplugin_t $2:tcp_socket { read write };
 
 	manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
 	manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
 	files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir })
+	allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
 
 	manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
 	manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
@@ -76,14 +79,9 @@
 	manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
 	fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 
-	rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
-	read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
-
 	can_exec($1_javaplugin_t, java_exec_t)
 	
-	# The user role is authorized for this domain.
-	domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-	allow $1_javaplugin_t $2:fd use;
+	domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
 	# Unrestricted inheritance from the caller.
 	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
 	allow $1_javaplugin_t $2:process signull;
@@ -94,7 +92,7 @@
 	kernel_read_system_state($1_javaplugin_t)
 
 	# Search bin directory under javaplugin for javaplugin executable
-	corecmd_search_bin($1_javaplugin_t)
+	corecmd_exec_bin($1_javaplugin_t)
 
 	corenet_all_recvfrom_unlabeled($1_javaplugin_t)
 	corenet_all_recvfrom_netlabel($1_javaplugin_t)
@@ -107,10 +105,12 @@
 	corenet_tcp_connect_all_ports($1_javaplugin_t)
 	corenet_sendrecv_all_client_packets($1_javaplugin_t)
 
+	dev_list_sysfs($1_javaplugin_t)
 	dev_read_sound($1_javaplugin_t)
 	dev_write_sound($1_javaplugin_t)
 	dev_read_urand($1_javaplugin_t)
 	dev_read_rand($1_javaplugin_t)
+	dev_write_rand($1_javaplugin_t)
 
 	files_read_etc_files($1_javaplugin_t)
 	files_read_usr_files($1_javaplugin_t)
@@ -122,6 +122,9 @@
 
 	fs_getattr_xattr_fs($1_javaplugin_t)
 	fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+	fs_getattr_tmpfs($1_javaplugin_t)
+
+	auth_use_nsswitch($1_javaplugin_t)
 
 	libs_use_ld_so($1_javaplugin_t)
 	libs_use_shared_libs($1_javaplugin_t)
@@ -132,23 +135,23 @@
 	# Read global fonts and font config
 	miscfiles_read_fonts($1_javaplugin_t)
 
-	sysnet_read_config($1_javaplugin_t)
-
+	unprivuser_manage_home_content_files($1_javaplugin_t)
 	userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t)
 	userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t)
 	userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_dirs($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_files($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_pipes($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_sockets($1, $1_javaplugin_t)
-	userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file })
+	unprivuser_manage_tmp_dirs($1_javaplugin_t)
+	unprivuser_manage_tmp_files($1_javaplugin_t)
+	unprivuser_manage_tmp_sockets($1_javaplugin_t)
+	userdom_read_user_tmpfs_files($1, $1_javaplugin_t)
+	unprivuser_manage_home_content_dirs($1_javaplugin_t)
+	unprivuser_manage_home_content_files($1_javaplugin_t)
+	unprivuser_manage_home_content_symlinks($1_javaplugin_t)
+	unprivuser_manage_home_content_pipes($1_javaplugin_t)
+	unprivuser_manage_home_content_sockets($1_javaplugin_t)
+	unprivuser_home_dir_filetrans_home_content($1_javaplugin_t, { file lnk_file sock_file fifo_file })
 
 	tunable_policy(`allow_java_execstack',`
 		allow $1_javaplugin_t self:process execstack;
-
-		allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-
 		libs_legacy_use_shared_libs($1_javaplugin_t)
 		libs_legacy_use_ld_so($1_javaplugin_t)
 
@@ -156,16 +159,63 @@
 	')
 
 	optional_policy(`
-		nis_use_ypbind($1_javaplugin_t)
+		xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
 	')
 
-	optional_policy(`
-		nscd_socket_use($1_javaplugin_t)
 	')
 
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
+#######################################
+## <summary>
+##	The per role template for the java module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for java applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`java_per_role_template',`
+	gen_require(`
+		type java_exec_t;
 	')
+
+	type $1_java_t;
+	domain_type($1_java_t)
+	domain_entry_file($1_java_t, java_exec_t)
+	role $3 types $1_java_t;
+
+	domain_interactive_fd($1_java_t)
+
+	userdom_unpriv_usertype($1, $1_java_t)
+
+	allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
+
+	allow $2 $1_java_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+	allow $1_java_t $2:tcp_socket { read write };
+
+	domtrans_pattern($2, java_exec_t, $1_java_t)
+
+	dev_read_urand($1_java_t)
+	dev_read_rand($1_java_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_java_t)
 ')
 
 ########################################
@@ -219,3 +269,85 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, java_exec_t, java_t)
 ')
+
+########################################
+## <summary>
+##	Execute a java in the specified domain
+## </summary>
+## <desc>
+##	<p>
+##	Execute the java command in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain. 
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`java_spec_domtrans',`
+	gen_require(`
+		type java_exec_t;
+	')
+
+	domain_trans($1, java_exec_t, $2)
+	type_transition $1 java_exec_t:process $2;
+')
+
+########################################
+## <summary>
+##	Execute java in the java domain, and
+##	allow the specified role the java domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the java domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the java domain to use.
+##	</summary>
+## </param>
+#
+interface(`java_run',`
+	gen_require(`
+		type java_t;
+	')
+
+	java_domtrans($1)
+	role $2 types java_t;
+	allow java_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`java_exec',`
+	gen_require(`
+		type java_exec_t;
+	')
+
+	ca_exec($1, java_exec_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.13/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/java.te	2009-02-10 15:07:15.000000000 +0100
@@ -6,16 +6,10 @@
 # Declarations
 #
 
-## <desc>
-## <p>
-## Allow java executable stack
-## </p>
-## </desc>
-gen_tunable(allow_java_execstack, false)
-
 type java_t;
 type java_exec_t;
 init_system_domain(java_t, java_exec_t)
+typealias java_t alias unconfined_java_t;
 
 ########################################
 #
@@ -23,11 +17,30 @@
 #
 
 # execheap is needed for itanium/BEA jrocket
-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { getsched sigkill execheap execmem execstack };
+
+libs_legacy_use_shared_libs(java_t)
 
+optional_policy(`
 init_dbus_chat_script(java_t)
+	optional_policy(`
+		hal_dbus_chat(java_t)
+	')
 
 optional_policy(`
-	unconfined_domain_noaudit(java_t)
 	unconfined_dbus_chat(java_t)
 ')
+')
+
+optional_policy(`
+	rpm_domtrans(java_t)
+')
+
+optional_policy(`
+	unconfined_domain_noaudit(java_t)
+')
+
+optional_policy(`
+	xserver_rw_xdm_xserver_shm(java_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.13/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/livecd.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator	--	gen_context(system_u:object_r:livecd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.13/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/livecd.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,56 @@
+
+## <summary>policy for livecd</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+	gen_require(`
+		type livecd_t;
+                type livecd_exec_t;
+	')
+
+	domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute livecd in the livecd domain, and
+##	allow the specified role the livecd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the livecd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`livecd_run',`
+	gen_require(`
+		type livecd_t;
+	')
+
+	livecd_domtrans($1)
+	role $2 types livecd_t;
+	allow livecd_t $3:chr_file rw_term_perms;
+	
+	seutil_run_setfiles_mac(livecd_t, $2, $3)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.13/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/livecd.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,26 @@
+policy_module(livecd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role system_r types livecd_t;
+
+########################################
+#
+# livecd local policy
+#
+dontaudit livecd_t self:capability2 mac_admin;
+
+unconfined_domain_noaudit(livecd_t)
+domain_ptrace_all_domains(livecd_t)
+
+optional_policy(`
+	hal_dbus_chat(livecd_t)
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.13/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/loadkeys.te	2009-02-10 15:07:15.000000000 +0100
@@ -32,7 +32,6 @@
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
 
-init_dontaudit_use_fds(loadkeys_t)
 init_dontaudit_use_script_ptys(loadkeys_t)
 
 libs_use_ld_so(loadkeys_t)
@@ -45,3 +44,7 @@
 optional_policy(`
 	nscd_dontaudit_search_pid(loadkeys_t)
 ')
+
+unprivuser_dontaudit_write_home_content_files(loadkeys_t)
+unprivuser_dontaudit_list_home_dirs(loadkeys_t)
+sysadm_dontaudit_list_home_dirs(loadkeys_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.13/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mono.if	2009-02-10 15:07:15.000000000 +0100
@@ -21,7 +21,106 @@
 
 ########################################
 ## <summary>
-##	Execute the mono program in the caller domain.
+##	Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+	gen_require(`
+		type mono_t;
+	')
+
+	allow $1 mono_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Execute mono in the mono domain, and
+##	allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mono domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the mono domain to use.
+##	</summary>
+## </param>
+#
+interface(`mono_run',`
+	gen_require(`
+		type mono_t;
+	')
+
+	mono_domtrans($1)
+	role $2 types mono_t;
+	allow mono_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##	The per role template for the mono module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for mono applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`mono_per_role_template',`
+	gen_require(`
+		type mono_exec_t;
+	')
+
+	type $1_mono_t;
+	domain_type($1_mono_t)
+	domain_entry_file($1_mono_t, mono_exec_t)
+	role $3 types $1_mono_t;
+
+	domain_interactive_fd($1_mono_t)
+
+	userdom_unpriv_usertype($1, $1_mono_t)
+
+	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+	allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+	domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_mono_t)
+	corecmd_bin_domtrans($1_mono_t, $1_t)
+')
+
+########################################
+## <summary>
+##	Execute the mono program in the mono domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -31,7 +130,7 @@
 #
 interface(`mono_exec',`
 	gen_require(`
-		type mono_t, mono_exec_t;
+		type mono_exec_t;
 	')
 
 	corecmd_search_bin($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.13/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mono.te	2009-02-10 15:07:15.000000000 +0100
@@ -15,7 +15,7 @@
 # Local policy
 #
 
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
 
 unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
 
@@ -46,3 +46,7 @@
 	unconfined_dbus_chat(mono_t)
 	unconfined_dbus_connect(mono_t)
 ')
+
+optional_policy(`
+	xserver_rw_xdm_xserver_shm(mono_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.13/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,8 +1,8 @@
-HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 
 #
 # /bin
@@ -17,7 +17,6 @@
 #
 # /etc
 #
-/etc/mozpluggerrc 		--	gen_context(system_u:object_r:mozilla_conf_t,s0)
 
 #
 # /lib
@@ -29,3 +28,5 @@
 /usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.13/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.if	2009-02-10 15:07:15.000000000 +0100
@@ -35,7 +35,10 @@
 template(`mozilla_per_role_template',`
 	gen_require(`
 		type mozilla_conf_t, mozilla_exec_t;
+		type mozilla_home_t, mozilla_tmp_t;
 	')
+	gen_tunable(browser_confine_$1, false)
+	gen_tunable(browser_write_$1_data, false)
 
 	########################################
 	#
@@ -45,36 +48,44 @@
 	application_domain($1_mozilla_t, mozilla_exec_t)
 	role $3 types $1_mozilla_t;
 
-	type $1_mozilla_home_t alias $1_mozilla_rw_t;
-	files_poly_member($1_mozilla_home_t)
-	userdom_user_home_content($1, $1_mozilla_home_t)
-
 	type $1_mozilla_tmpfs_t;
 	files_tmpfs_file($1_mozilla_tmpfs_t)
 
+	typealias mozilla_home_t alias $1_mozilla_home_t;
+	typealias mozilla_tmp_t alias $1_mozilla_tmp_t;
+
+	########################################
+	#
+	# Local booleans
+	#
+
 	########################################
 	#
 	# Local policy
 	#
 
 	allow $1_mozilla_t self:capability { sys_nice setgid setuid };
-	allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+	allow $1_mozilla_t self:process { ptrace sigkill signal signull setsched getsched setrlimit };
 	allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
 	allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
 	allow $1_mozilla_t self:sem create_sem_perms;
 	allow $1_mozilla_t self:socket create_socket_perms;
 	allow $1_mozilla_t self:unix_stream_socket { listen accept };
 	# Browse the web, connect to printer
-	allow $1_mozilla_t self:tcp_socket create_socket_perms;
-	allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+	allow $1_mozilla_t self:tcp_socket create_stream_socket_perms;
 
 	# for bash - old mozilla binary
 	can_exec($1_mozilla_t, mozilla_exec_t)
 
+	domain_read_all_domains_state($1_mozilla_t)
+
+	fs_getattr_tmpfs($1_mozilla_t)
+	fs_manage_tmpfs_files($1_mozilla_t)
+
 	# X access, Home files
-	manage_dirs_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
-	manage_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
-	manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
+	manage_dirs_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t)
+	manage_files_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t)
+	manage_lnk_files_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t)
 	userdom_search_user_home_dirs($1, $1_mozilla_t)
 
 	# Mozpluggerrc
@@ -89,22 +100,47 @@
 	allow $2 $1_mozilla_t:unix_stream_socket connectto;
 
 	# X access, Home files
-	manage_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	manage_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	manage_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	relabel_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	relabel_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	relabel_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-
-	manage_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
-	manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
-	manage_fifo_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
-	manage_sock_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
-	fs_tmpfs_filetrans($1_mozilla_t, $1_mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+	manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+	manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
 
 	allow $1_mozilla_t $2:process signull;
 
+	tunable_policy(`browser_confine_$1',`
 	domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+	',`
+		can_exec($2, mozilla_exec_t)
+	')
+
+	unprivuser_read_home_content_files($1_mozilla_t)
+	unprivuser_read_home_content_symlinks($1_mozilla_t)
+	unprivuser_read_tmp_files($1_mozilla_t)
+	unprivuser_manage_tmp_dirs($1_mozilla_t)
+	unprivuser_manage_tmp_files($1_mozilla_t)
+	unprivuser_manage_tmp_sockets($1_mozilla_t)
+	userdom_tmp_filetrans_user_tmp($1, $1_mozilla_t, { file dir sock_file })
+	userdom_read_user_tmpfs_files($1, $1_mozilla_t)
+
+	ifdef(`enable_mls',`',`
+		fs_search_removable($1_mozilla_t)
+		fs_read_removable_files($1_mozilla_t)
+		fs_read_removable_symlinks($1_mozilla_t)
+	')
+
+	tunable_policy(`browser_write_$1_data',`
+		unprivuser_manage_home_content_dirs($1_mozilla_t)
+		unprivuser_manage_home_content_files($1_mozilla_t)
+		unprivuser_manage_home_content_symlinks($1_mozilla_t)
+		unprivuser_manage_home_content_pipes($1_mozilla_t)
+		unprivuser_home_dir_filetrans_home_content($1_mozilla_t, { file dir lnk_file })
+		',`
+		# helper apps will try to create .files
+		userdom_dontaudit_create_user_home_content_files($1, $1_mozilla_t)
+		userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_mozilla_home_t, dir)
+	')
 	# Unrestricted inheritance from the caller.
 	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
 
@@ -112,17 +148,20 @@
 	ps_process_pattern($2, $1_mozilla_t)
 	allow $2 $1_mozilla_t:process signal_perms;
 	
+	kernel_read_fs_sysctls($1_mozilla_t)
 	kernel_read_kernel_sysctls($1_mozilla_t)
 	kernel_read_network_state($1_mozilla_t)
 	# Access /proc, sysctl
-	kernel_read_system_state($1_mozilla_t)
-	kernel_read_net_sysctls($1_mozilla_t)
+	kernel_dontaudit_read_system_state($1_mozilla_t)
+#	kernel_read_system_state($1_mozilla_t)
+#	kernel_read_net_sysctls($1_mozilla_t)
 
 	# Look for plugins 
 	corecmd_list_bin($1_mozilla_t)
 	# for bash - old mozilla binary
 	corecmd_exec_shell($1_mozilla_t)
 	corecmd_exec_bin($1_mozilla_t)
+	application_exec($1_mozilla_t)
 
 	# Browse the web, connect to printer
 	corenet_all_recvfrom_unlabeled($1_mozilla_t)
@@ -137,9 +176,9 @@
 	corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
 	corenet_tcp_connect_http_port($1_mozilla_t)
 	corenet_tcp_connect_http_cache_port($1_mozilla_t)
+	corenet_tcp_connect_flash_port($1_mozilla_t)
 	corenet_tcp_connect_ftp_port($1_mozilla_t)
 	corenet_tcp_connect_ipp_port($1_mozilla_t)
-	corenet_tcp_connect_generic_port($1_mozilla_t)
 	corenet_sendrecv_http_client_packets($1_mozilla_t)
 	corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
 	corenet_sendrecv_ftp_client_packets($1_mozilla_t)
@@ -148,6 +187,7 @@
 	# Should not need other ports
 	corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
 	corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
+	corenet_tcp_connect_speech_port($1_mozilla_t)
 
 	dev_read_urand($1_mozilla_t)
 	dev_read_rand($1_mozilla_t)
@@ -165,13 +205,28 @@
 	files_read_var_files($1_mozilla_t)
 	files_read_var_symlinks($1_mozilla_t)
  	files_dontaudit_getattr_boot_dirs($1_mozilla_t)
+	files_dontaudit_list_non_security($1_mozilla_t)
+	files_dontaudit_getattr_non_security_files($1_mozilla_t)
+	files_dontaudit_getattr_non_security_symlinks($1_mozilla_t)
+	files_dontaudit_getattr_non_security_pipes($1_mozilla_t)
+	files_dontaudit_getattr_non_security_sockets($1_mozilla_t)
+
+	dev_dontaudit_getattr_all_blk_files($1_mozilla_t)
+	dev_dontaudit_getattr_all_chr_files($1_mozilla_t)
 
 	fs_search_auto_mountpoints($1_mozilla_t)
 	fs_list_inotifyfs($1_mozilla_t)
+	fs_manage_dos_dirs($1_mozilla_t)
+	fs_manage_dos_files($1_mozilla_t)
 	fs_rw_tmpfs_files($1_mozilla_t)
+	fs_read_noxattr_fs_files($1_mozilla_t)
+
+	selinux_dontaudit_getattr_fs($1_mozilla_t)
 
 	term_dontaudit_getattr_pty_dirs($1_mozilla_t)
 	
+	auth_use_nsswitch($1_mozilla_t)
+
 	libs_use_ld_so($1_mozilla_t)
 	libs_use_shared_libs($1_mozilla_t)
 
@@ -180,17 +235,10 @@
 	miscfiles_read_fonts($1_mozilla_t)
 	miscfiles_read_localization($1_mozilla_t)
 
-	# Browse the web, connect to printer
-	sysnet_dns_name_resolve($1_mozilla_t)
-	sysnet_read_config($1_mozilla_t)
-	
-	userdom_manage_user_home_content_dirs($1, $1_mozilla_t)
-	userdom_manage_user_home_content_files($1, $1_mozilla_t)
-	userdom_manage_user_home_content_symlinks($1, $1_mozilla_t)
-	userdom_manage_user_tmp_dirs($1, $1_mozilla_t)
-	userdom_manage_user_tmp_files($1, $1_mozilla_t)
-	userdom_manage_user_tmp_sockets($1, $1_mozilla_t)
+	userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)
+	userdom_dontaudit_use_user_terminals($1, $1_mozilla_t)
 	
+	xserver_read_xdm_pid($1_mozilla_t)
 	xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t)
 	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
 	xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
@@ -211,131 +259,8 @@
 		fs_manage_cifs_symlinks($1_mozilla_t)
 	')
 
-	# Uploads, local html
-	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		fs_read_nfs_files($1_mozilla_t)
-		fs_read_nfs_symlinks($1_mozilla_t)
-	
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_read_nfs_files($1_mozilla_t)
-		fs_dontaudit_list_nfs($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		fs_read_cifs_files($1_mozilla_t)
-		fs_read_cifs_symlinks($1_mozilla_t)
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_read_cifs_files($1_mozilla_t)
-		fs_dontaudit_list_cifs($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content',`
-		userdom_list_user_tmp($1, $1_mozilla_t)
-		userdom_read_user_tmp_files($1, $1_mozilla_t)
-		userdom_read_user_tmp_symlinks($1, $1_mozilla_t)
-		userdom_search_user_home_dirs($1, $1_mozilla_t)
-		userdom_read_user_home_content_files($1, $1_mozilla_t)
-		userdom_read_user_home_content_symlinks($1, $1_mozilla_t)
-		
-		ifdef(`enable_mls',`',`
-			fs_search_removable($1_mozilla_t)
-			fs_read_removable_files($1_mozilla_t)
-			fs_read_removable_symlinks($1_mozilla_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_mozilla_t)
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_removable($1_mozilla_t)
-		fs_dontaudit_read_removable_files($1_mozilla_t)
-		userdom_dontaudit_list_user_tmp($1, $1_mozilla_t)
-		userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
-		userdom_dontaudit_read_user_home_content_files($1, $1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && read_default_t',`
-		files_list_default($1_mozilla_t)
-		files_read_default_files($1_mozilla_t)
-		files_read_default_symlinks($1_mozilla_t)
-	',`
-		files_dontaudit_read_default_files($1_mozilla_t)
-		files_dontaudit_list_default($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && read_untrusted_content',`
-		files_list_tmp($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		userdom_search_user_home_dirs($1, $1_mozilla_t)
-	
-		userdom_list_user_untrusted_content($1, $1_mozilla_t)
-		userdom_read_user_untrusted_content_files($1, $1_mozilla_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_mozilla_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mozilla_t)
-	',`
-		files_dontaudit_list_tmp($1_mozilla_t)
-		files_dontaudit_list_home($1_mozilla_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_mozilla_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_mozilla_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mozilla_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
-	')
-
-	# Save web pages
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_mozilla_t)
-
-		fs_search_auto_mountpoints($1_mozilla_t)
-		fs_manage_nfs_dirs($1_mozilla_t)
-		fs_manage_nfs_files($1_mozilla_t)
-		fs_manage_nfs_symlinks($1_mozilla_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
-		fs_dontaudit_manage_nfs_files($1_mozilla_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_mozilla_t)
-
-		fs_search_auto_mountpoints($1_mozilla_t)
-		fs_manage_cifs_dirs($1_mozilla_t)
-		fs_manage_cifs_files($1_mozilla_t)
-		fs_manage_cifs_symlinks($1_mozilla_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
-		fs_dontaudit_manage_cifs_files($1_mozilla_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_mozilla_t)
-		userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
-		files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, file)
-		files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, dir)
-
-		userdom_manage_user_untrusted_content_files($1, $1_mozilla_t)
-		userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
-		userdom_user_home_content_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
-		',`
-		files_dontaudit_list_home($1_mozilla_t)
-		files_dontaudit_list_tmp($1_mozilla_t)
-
-		userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
-		userdom_dontaudit_manage_user_tmp_dirs($1, $1_mozilla_t)
-		userdom_dontaudit_manage_user_tmp_files($1, $1_mozilla_t)
-		userdom_dontaudit_manage_user_home_content_dirs($1, $1_mozilla_t)
-
+	optional_policy(`
+		alsa_read_rw_config($1_mozilla_t)
 	')
 
 	optional_policy(`
@@ -350,57 +275,52 @@
 	optional_policy(`
 		cups_read_rw_config($1_mozilla_t)
 		cups_dbus_chat($1_mozilla_t)
+		cups_stream_connect($1_mozilla_t)
 	')
 
 	optional_policy(`
 		dbus_system_bus_client_template($1_mozilla, $1_mozilla_t)
-		dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t)
+#		dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t)
+		dbus_chat_user_bus($1, $1_mozilla_t)
+		dbus_connectto_user_bus($1, $1_mozilla_t)
 	')
 
 	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_mozilla_t)
+		networkmanager_dbus_chat($1_mozilla_t)
 	')
 
 	optional_policy(`
-		java_domtrans_user_javaplugin($1, $1_mozilla_t)
+		gnome_exec_gconf($1_mozilla_t)
+		gnome_manage_user_gnome_config($1,$1_mozilla_t)
 	')
 
 	optional_policy(`
-		lpd_domtrans_user_lpr($1, $1_mozilla_t)
+		java_plugin_per_role_template($1, $1_mozilla_t, $1_r)
 	')
 
+#	optional_policy(`
+#		openoffice_plugin_per_role_template($1, $1_mozilla_t, $1_r)
+#	')
+
 	optional_policy(`
-		mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
-		mplayer_read_user_home_files($1, $1_mozilla_t)
+		lpd_domtrans_user_lpr($1, $1_mozilla_t)
 	')
 
 	optional_policy(`
-		nscd_socket_use($1_mozilla_t)
+		nsplugin_domtrans_user($1, $1_mozilla_t)
+		nsplugin_domtrans_user_config($1, $1_mozilla_t)
+		nsplugin_manage_home_files($1, $1_mozilla_t)
 	')
 
 	optional_policy(`
-		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
+		mplayer_domtrans_mplayer($1, $1_mozilla_t)
+		mplayer_read_user_home_files($1, $1_mozilla_t)
 	')
 
-	ifdef(`TODO',`
-		#NOTE commented out in strict.
-		######### Launch email client, and make webcal links work
-		#ifdef(`evolution.te', `
-		#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-		#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-		#')
-	
-		# Macros for mozilla/mozilla (or other browser) domains.
-		# FIXME: Rules were removed to centralize policy in a gnome_app macro
-		# A similar thing might be necessary for mozilla compiled without GNOME
-		# support (is this possible?). 
-
-		# GNOME integration
 		optional_policy(`
-			gnome_application($1_mozilla, $1)
-			gnome_file_dialog($1_mozilla, $1)
-		')
+		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
 	')
+
 ')
 
 ########################################
@@ -430,11 +350,11 @@
 #
 template(`mozilla_read_user_home_files',`
 	gen_require(`
-		type $1_mozilla_home_t;
+		type mozilla_home_t;
 	')
 
-	allow $2 $1_mozilla_home_t:dir list_dir_perms;
-	allow $2 $1_mozilla_home_t:file read_file_perms;
+	allow $2 mozilla_home_t:dir list_dir_perms;
+	allow $2 mozilla_home_t:file read_file_perms;
 ')
 
 ########################################
@@ -464,11 +384,10 @@
 #
 template(`mozilla_write_user_home_files',`
 	gen_require(`
-		type $1_mozilla_home_t;
+		type mozilla_home_t;
 	')
 
-	allow $2 $1_mozilla_home_t:dir list_dir_perms;
-	allow $2 $1_mozilla_home_t:file write;
+	write_files_pattern($2, mozilla_home_t, mozilla_home_t)
 ')
 
 ########################################
@@ -573,3 +492,27 @@
 
 	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
 ')
+
+########################################
+## <summary>
+##	mozilla connection template.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`mozilla_stream_connect_template',`
+	gen_require(`
+		type $1_mozilla_t;
+	')
+
+	allow $2 $1_mozilla_t:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.13/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.te	2009-02-10 15:07:15.000000000 +0100
@@ -6,15 +6,20 @@
 # Declarations
 #
 
-## <desc>
-## <p>
-## Control mozilla content access
-## </p>
-## </desc>
-gen_tunable(mozilla_read_content, false)
-
 type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
 
 type mozilla_exec_t;
 application_executable_file(mozilla_exec_t)
+
+type mozilla_home_t alias user_mozilla_rw_t;
+files_poly_member(mozilla_home_t)
+userdom_user_home_content(user, mozilla_home_t)
+
+type mozilla_tmp_t;
+files_tmp_file(mozilla_tmp_t)
+
+typealias mozilla_home_t alias unconfined_mozilla_home_t;
+typealias mozilla_tmp_t alias unconfined_mozilla_tmp_t;
+typealias mozilla_home_t alias user_mozilla_home_t;
+typealias mozilla_tmp_t alias user_mozilla_tmp_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.13/policy/modules/apps/mplayer.fc
--- nsaserefpolicy/policy/modules/apps/mplayer.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,13 +1,9 @@
 #
-# /etc
-#
-/etc/mplayer(/.*)?		gen_context(system_u:object_r:mplayer_etc_t,s0)
-
-#
 # /usr
 #
+/usr/bin/vlc		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
 /usr/bin/mplayer	--	gen_context(system_u:object_r:mplayer_exec_t,s0)
 /usr/bin/mencoder	--	gen_context(system_u:object_r:mencoder_exec_t,s0)
 /usr/bin/xine		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
 
-HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:mplayer_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.13/policy/modules/apps/mplayer.if
--- nsaserefpolicy/policy/modules/apps/mplayer.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.if	2009-02-10 15:07:15.000000000 +0100
@@ -34,7 +34,8 @@
 #
 template(`mplayer_per_role_template',`
 	gen_require(`
-		type mencoder_exec_t, mplayer_exec_t, mplayer_etc_t;
+		type mencoder_exec_t, mplayer_exec_t;
+		type user_mplayer_home_t;
 	')
 
 	########################################
@@ -50,9 +51,7 @@
 	application_domain($1_mplayer_t, mplayer_exec_t)
 	role $3 types $1_mplayer_t;
 
-	type $1_mplayer_home_t alias $1_mplayer_rw_t;
-	files_poly_member($1_mplayer_home_t)
-	userdom_user_home_content($1,$1_mplayer_home_t)
+	typealias mplayer_home_t alias $1_mplayer_home_t;
 
 	type $1_mplayer_tmpfs_t;
 	files_tmpfs_file($1_mplayer_tmpfs_t)
@@ -62,9 +61,9 @@
 	# mencoder local policy
 	#
 
-	manage_dirs_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_lnk_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
+	manage_dirs_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t)
+	manage_files_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t)
+	manage_lnk_files_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t)
 
 	# Read global config
 	allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
@@ -200,7 +199,7 @@
 	')
 
 	tunable_policy(`write_untrusted_content',`
-		userdom_manage_user_untrusted_content_files($1, $1_mplayer_t)
+		unprivuser_manage_untrusted_content_files($1_mplayer_t)
 	')
 
 	# Save encoded files
@@ -255,9 +254,9 @@
 	allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
  	allow $1_mplayer_t self:sem create_sem_perms;
 
-	manage_dirs_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
+	manage_dirs_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t)
+	manage_files_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t)
+	manage_lnk_files_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t)
 	userdom_search_user_home_dirs($1, $1_mplayer_t)
 
 	manage_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
@@ -272,12 +271,12 @@
 	read_lnk_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t)
 
 	# Home access
-	manage_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	relabel_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	relabel_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	relabel_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
+	manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+	manage_files_pattern($2, mplayer_home_t, mplayer_home_t)
+	manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+	relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+	relabel_files_pattern($2, mplayer_home_t, mplayer_home_t)
+	relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
 
 	# domain transition
 	domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
@@ -307,6 +306,7 @@
 	dev_write_sound_mixer($1_mplayer_t)
 	# RTC clock 
 	dev_read_realtime_clock($1_mplayer_t)
+	dev_read_urand($1_mplayer_t)
 
 	# Access to DVD/CD/V4L
 	storage_raw_read_removable_device($1_mplayer_t)
@@ -340,6 +340,7 @@
 	userdom_read_user_tmp_symlinks($1, $1_mplayer_t)
 	userdom_read_user_home_content_files($1, $1_mplayer_t)
 	userdom_read_user_home_content_symlinks($1, $1_mplayer_t)
+	userdom_write_user_tmp_sockets($1, $1_mplayer_t)
 
 	xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t)
 	
@@ -467,9 +468,11 @@
 ##	</summary>
 ## </param>
 #
-template(`mplayer_domtrans_user_mplayer',`
+template(`mplayer_domtrans_mplayer',`
 	gen_require(`
-		type $1_mplayer_t, mplayer_exec_t;
+		type mplayer_exec_t;
+		type $1_mplayer_t;
+
 	')
 
 	domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
@@ -477,6 +480,25 @@
 
 ########################################
 ## <summary>
+##      Execute mplayer in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+#
+interface(`mplayer_exec',`
+	gen_require(`
+		type mplayer_exec_t;
+	')
+
+	can_exec($1, mplayer_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read mplayer per user homedir
 ## </summary>
 ## <desc>
@@ -502,8 +524,8 @@
 #
 template(`mplayer_read_user_home_files',`
 	gen_require(`
-		type $1_mplayer_home_t;
+		type mplayer_home_t;
 	')
 
-	read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
+	read_files_pattern($2, mplayer_home_t, mplayer_home_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.13/policy/modules/apps/mplayer.te
--- nsaserefpolicy/policy/modules/apps/mplayer.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.te	2009-02-10 15:07:15.000000000 +0100
@@ -22,3 +22,7 @@
 type mplayer_exec_t;
 corecmd_executable_file(mplayer_exec_t)
 application_executable_file(mplayer_exec_t)
+
+type mplayer_home_t alias user_mplayer_rw_t;
+userdom_user_home_content(user, mplayer_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,13 @@
+
+/usr/bin/nspluginscan	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
+
+HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gstreamer-.*			gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.config/totem(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.config/gxine(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,318 @@
+
+## <summary>policy for nsplugin</summary>
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	nsplugin rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_manage_rw_files',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+	allow $1 nsplugin_rw_t:file manage_file_perms;
+	allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Manage nsplugin rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_manage_rw',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+         manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+         manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+         manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+## <summary>
+##	The per role template for the nsplugin module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for nsplugin web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`nsplugin_per_role_template_notrans',`
+	gen_require(`
+		type nsplugin_rw_t;
+		type nsplugin_home_t;
+		type nsplugin_exec_t;
+		type nsplugin_config_exec_t;
+		type nsplugin_t;
+		type nsplugin_config_t;
+	')
+
+	role $3 types nsplugin_t;
+	role $3 types nsplugin_config_t;
+
+	allow nsplugin_t $2:process signull;
+
+	list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+	read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+	can_exec($2, nsplugin_rw_t)
+
+	#Leaked File Descriptors
+	dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
+	dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
+	dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
+	dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
+	dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;
+	dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
+	dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
+	dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
+	dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
+	dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
+	allow nsplugin_t $2:unix_stream_socket connectto;
+	dontaudit nsplugin_t $2:process ptrace;
+
+	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+	allow $2 nsplugin_t:unix_stream_socket connectto;
+
+	# Connect to pulseaudit server
+	stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+	gnome_stream_connect(nsplugin_t, $2)
+
+	userdom_use_user_terminals($1, nsplugin_t)
+	userdom_use_user_terminals($1, nsplugin_config_t)
+	userdom_dontaudit_setattr_user_home_content_files($1, nsplugin_t)
+
+	optional_policy(`
+		dbus_dontaudit_connectto_user_bus($1, nsplugin_t)
+	')
+
+	xserver_common_app($1, nsplugin_t)
+')
+
+#######################################
+## <summary>
+##	The per role template for the nsplugin module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for nsplugin web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`nsplugin_per_role_template',`
+	gen_require(`
+		type nsplugin_exec_t;
+		type nsplugin_config_exec_t;
+		type nsplugin_t;
+		type nsplugin_config_t;
+	')
+
+	nsplugin_per_role_template_notrans($1, $2, $3)
+
+	domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+	domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+#######################################
+## <summary>
+##	The per role template for the nsplugin module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for nsplugin web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_domtrans_user',`
+	gen_require(`
+		type nsplugin_exec_t;
+		type nsplugin_t;
+	')
+
+	domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+	allow $2 nsplugin_t:unix_stream_socket connectto;
+	allow nsplugin_t $2:process signal;
+')
+#######################################
+## <summary>
+##	The per role template for the nsplugin module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for nsplugin web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_domtrans_user_config',`
+	gen_require(`
+		type nsplugin_config_exec_t;
+		type nsplugin_config_t;
+	')
+
+	domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+######################################
+## <summary>
+##     Create, read, write, and delete
+##     nsplugin home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_manage_home_files',`
+       gen_require(`
+               type nsplugin_home_t;
+       ')
+
+       manage_files_pattern($2, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+##	Search nsplugin rw directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_search_rw_dir',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+	allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read nsplugin rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_read_rw_files',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+	read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+##	Exec nsplugin rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_rw_exec',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+	can_exec($1, nsplugin_rw_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,290 @@
+
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow nsplugin code to execmem/execstack
+## </p>
+## </desc>
+gen_tunable(allow_nsplugin_execmem, false)
+
+## <desc>
+## <p>
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(user, nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+domain_type(nsplugin_t)
+domain_entry_file(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+application_executable_file(nsplugin_exec_t)
+application_executable_file(nsplugin_config_exec_t)
+
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability sys_tty_config;
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket create_socket_perms;
+
+tunable_policy(`allow_nsplugin_execmem',`
+	allow nsplugin_t self:process { execstack execmem };
+	allow nsplugin_config_t self:process { execstack execmem };
+')
+	
+tunable_policy(`nsplugin_can_network',`
+	corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
+userdom_manage_tmpfs(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_unlabeled(nsplugin_t)
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_streaming_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_usr_files(nsplugin_t)
+files_read_etc_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_list_inotifyfs(nsplugin_t)
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_use_ld_so(nsplugin_t)
+libs_use_shared_libs(nsplugin_t)
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
+
+unprivuser_manage_tmp_dirs(nsplugin_t)
+unprivuser_manage_tmp_files(nsplugin_t)
+unprivuser_manage_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file })
+unprivuser_read_tmpfs_files(nsplugin_t)
+unprivuser_rw_semaphores(nsplugin_t)
+unprivuser_delete_tmpfs_files(nsplugin_t)
+
+unprivuser_read_home_content_symlinks(nsplugin_t)
+unprivuser_read_home_content_files(nsplugin_t)
+unprivuser_read_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(user, nsplugin_t)
+unprivuser_dontaudit_append_home_content_files(nsplugin_t)
+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t)
+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
+
+optional_policy(`
+	alsa_read_rw_config(nsplugin_t)
+')
+
+optional_policy(`
+	cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+		dbus_system_bus_client_template(nsplugin, nsplugin_t)
+')
+
+optional_policy(`
+	gnome_exec_gconf(nsplugin_t)
+	gnome_manage_user_gnome_config(user, nsplugin_t)
+	gnome_read_gconf_home_files(nsplugin_t)
+	allow nsplugin_t gnome_home_t:sock_file write;
+')
+
+optional_policy(`
+	mozilla_read_user_home_files(user, nsplugin_t)
+	mozilla_write_user_home_files(user, nsplugin_t)
+')
+
+optional_policy(`
+	mplayer_exec(nsplugin_t)
+	mplayer_read_user_home_files(user, nsplugin_t)
+')
+
+optional_policy(`
+	unconfined_execmem_signull(nsplugin_t)
+	unconfined_delete_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+	xserver_stream_connect_xdm(nsplugin_t)
+	xserver_stream_connect_xdm_xserver(nsplugin_t)
+	xserver_rw_xdm_xserver_shm(nsplugin_t)
+	xserver_read_xdm_tmp_files(nsplugin_t)
+	xserver_read_xdm_pid(nsplugin_t)
+	xserver_read_user_xauth(user, nsplugin_t)
+	xserver_read_user_iceauth(user, nsplugin_t)
+	xserver_use_user_fonts(user, nsplugin_t)
+	xserver_manage_home_fonts(nsplugin_t)
+	xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+fs_list_inotifyfs(nsplugin_config_t)
+fs_search_auto_mountpoints(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+
+files_read_etc_files(nsplugin_config_t)
+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+libs_use_ld_so(nsplugin_config_t)
+libs_use_shared_libs(nsplugin_config_t)
+
+miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_all_users_home_content(nsplugin_config_t)
+unprivuser_read_home_content_files(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_getattr_nfs(nsplugin_t)
+	fs_manage_nfs_dirs(nsplugin_t)
+	fs_manage_nfs_files(nsplugin_t)
+	fs_read_nfs_symlinks(nsplugin_t)
+	fs_manage_nfs_named_pipes(nsplugin_t)
+	fs_manage_nfs_dirs(nsplugin_config_t)
+	fs_manage_nfs_files(nsplugin_config_t)
+	fs_manage_nfs_named_pipes(nsplugin_config_t)
+	fs_read_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_getattr_cifs(nsplugin_t)
+	fs_manage_cifs_dirs(nsplugin_t)
+	fs_manage_cifs_files(nsplugin_t)
+	fs_read_cifs_symlinks(nsplugin_t)
+	fs_manage_cifs_named_pipes(nsplugin_t)
+	fs_manage_cifs_dirs(nsplugin_config_t)
+	fs_manage_cifs_files(nsplugin_config_t)
+	fs_manage_cifs_named_pipes(nsplugin_config_t)
+	fs_read_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+	xserver_read_home_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+	mozilla_read_user_home_files(user, nsplugin_config_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type unconfined_mono_t;
+	')
+	allow nsplugin_t unconfined_mono_t:process signull;
+')
+
+unconfined_execmem_exec(nsplugin_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.13/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.13/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,106 @@
+## <summary>Openoffice</summary>
+
+#######################################
+## <summary>
+##	The per role template for the openoffice module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for openoffice plugins that are executed by a browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+interface(`openoffice_plugin_per_role_template',`
+	gen_require(`
+		type openoffice_exec_t;
+		type $1_openoffice_t;
+	')
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
+	allow $2  $1_openoffice_t:process { signal sigkill };
+')
+
+#######################################
+## <summary>
+##	The per role template for the openoffice module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for openoffice applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`openoffice_per_role_template',`
+	gen_require(`
+		type openoffice_exec_t;
+	')
+
+	type $1_openoffice_t;
+	domain_type($1_openoffice_t)
+	domain_entry_file($1_openoffice_t, openoffice_exec_t)
+	role $3 types $1_openoffice_t;
+
+	domain_interactive_fd($1_openoffice_t)
+
+	userdom_unpriv_usertype($1, $1_openoffice_t)
+	userdom_exec_user_home_content_files($1, $1_openoffice_t)
+
+	allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
+
+	allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+	allow $1_openoffice_t $2:tcp_socket { read write };
+
+	domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
+
+	dev_read_urand($1_openoffice_t)
+	dev_read_rand($1_openoffice_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
+
+	allow $2 $1_openoffice_t:process { signal sigkill };
+	allow $1_openoffice_t $2:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.13/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,14 @@
+
+policy_module(openoffice, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc
--- nsaserefpolicy/policy/modules/apps/podsleuth.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,2 +1,4 @@
 
 /usr/bin/podsleuth	--	gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/usr/libexec/hal-podsleuth       --      gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/var/cache/podsleuth(/.*)?		gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.13/policy/modules/apps/podsleuth.if
--- nsaserefpolicy/policy/modules/apps/podsleuth.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.if	2009-02-10 15:07:15.000000000 +0100
@@ -16,4 +16,38 @@
 	')
 
 	domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+	allow $1 podsleuth_t:process signal;
 ')
+
+
+########################################
+## <summary>
+##	Execute podsleuth in the podsleuth domain, and
+##	allow the specified role the podsleuth domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the podsleuth domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`podsleuth_run',`
+	gen_require(`
+		type podsleuth_t;
+	')
+
+	podsleuth_domtrans($1)
+	role $2 types podsleuth_t;
+	dontaudit podsleuth_t $3:chr_file rw_term_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te	2009-02-10 15:07:15.000000000 +0100
@@ -11,24 +11,64 @@
 application_domain(podsleuth_t, podsleuth_exec_t)
 role system_r types podsleuth_t;
 
+type podsleuth_tmp_t;
+files_tmp_file(podsleuth_tmp_t)
+
+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+
 ########################################
 #
 # podsleuth local policy
 #
-
-allow podsleuth_t self:process { signal getsched execheap execmem };
+allow podsleuth_t self:capability { sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
 allow podsleuth_t self:fifo_file rw_file_perms;
 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket create_stream_socket_perms;
+allow podsleuth_t self:udp_socket create_socket_perms;
 
 kernel_read_system_state(podsleuth_t)
 
+corecmd_exec_bin(podsleuth_t)
+corenet_tcp_connect_http_port(podsleuth_t)
+
 dev_read_urand(podsleuth_t)
 
 files_read_etc_files(podsleuth_t)
 
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+
+fs_mount_nfs(podsleuth_t)
+fs_unmount_nfs(podsleuth_t)
+fs_getattr_nfs(podsleuth_t)
+fs_read_nfs_files(podsleuth_t)
+fs_search_nfs(podsleuth_t)
+
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+storage_raw_rw_fixed_disk(podsleuth_t)
+
 libs_use_ld_so(podsleuth_t)
 libs_use_shared_libs(podsleuth_t)
 
+sysnet_dns_name_resolve(podsleuth_t)
+
 miscfiles_read_localization(podsleuth_t)
 
 dbus_system_bus_client_template(podsleuth, podsleuth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.5.13/policy/modules/apps/ptchown.fc
--- nsaserefpolicy/policy/modules/apps/ptchown.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/ptchown.fc	2009-08-14 14:12:49.000000000 +0200
@@ -0,0 +1,2 @@
+
+/usr/libexec/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.5.13/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/ptchown.if	2009-08-14 14:12:49.000000000 +0200
@@ -0,0 +1,22 @@
+
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ptchown.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ptchown_domtrans',`
+	gen_require(`
+		type ptchown_t;
+                type ptchown_exec_t;
+	')
+
+	domtrans_pattern($1,ptchown_exec_t,ptchown_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.5.13/policy/modules/apps/ptchown.te
--- nsaserefpolicy/policy/modules/apps/ptchown.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/ptchown.te	2009-08-21 09:47:20.000000000 +0200
@@ -0,0 +1,39 @@
+policy_module(ptchown,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ptchown_t;
+type ptchown_exec_t;
+application_domain(ptchown_t, ptchown_exec_t)
+role system_r types ptchown_t;
+
+permissive ptchown_t;
+
+########################################
+#
+# ptchown local policy
+#
+
+allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+# Init script handling
+domain_use_interactive_fds(ptchown_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow ptchown_t self:fifo_file rw_file_perms;
+allow ptchown_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(ptchown_t)
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
+term_use_generic_ptys(ptchown_t)
+term_setattr_generic_ptys(ptchown_t)
+term_setattr_all_user_ptys(ptchown_t)
+term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.13/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/qemu.fc	2009-02-25 19:55:15.000000000 +0100
@@ -1,2 +1,7 @@
 /usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 /usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
+
+/var/cache/libvirt(/.*)? 	gen_context(system_u:object_r:qemu_cache_t,s0)
+
+/var/run/libvirt/qemu(/.*)?   	gen_context(system_u:object_r:qemu_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if	2009-02-10 15:07:15.000000000 +0100
@@ -46,6 +46,96 @@
 	qemu_domtrans($1)
 	role $2 types qemu_t;
 	allow qemu_t $3:chr_file rw_file_perms;
+
+	optional_policy(`
+		samba_run_smb(qemu_t, $2, $3)
+	')
+')
+
+#######################################
+## <summary>
+##	The per role template for the qemu module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for qemu web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`qemu_per_role_template_notrans',`
+	gen_require(`
+		type qemu_t;
+	')
+
+	role $3 types qemu_t;
+
+	xserver_common_app($1, qemu_t)
+')
+
+
+#######################################
+## <summary>
+##	The per role template for the qemu module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for qemu web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`qemu_per_role_template',`
+	gen_require(`
+		type qemu_exec_t;
+	')
+  
+	qemu_per_role_template_notrans($1, $2, $3)
+  
+	domtrans_pattern($2, qemu_exec_t, qemu_t)
+ 	domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
 ')
 
 ########################################
@@ -68,6 +158,64 @@
 
 ########################################
 ## <summary>
+##	Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_setsched',`
+	gen_require(`
+		type qemu_t;
+	')
+  
+	allow $1 qemu_t:process setsched;
+')
+
+########################################
+## <summary>
+##	Execute qemu_exec_t 
+##	in the specified domain but do not
+##	do it automatically. This is an explicit
+##	transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Execute qemu_exec_t 
+##	in the specified domain.  This allows
+##	the specified domain to qemu programs
+##	on these filesystems in the specified
+##	domain.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`qemu_spec_domtrans',`
+	gen_require(`
+		type qemu_exec_t;
+	')
+  
+	read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+	domain_transition_pattern($1, qemu_exec_t, $2)
+  
+	allow $3 $1:fd use;
+	allow $3 $1:fifo_file rw_fifo_file_perms;
+	allow $3 $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Send a signal to qemu.
 ## </summary>
 ## <param name="domain">
@@ -104,114 +252,191 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run qemu unconfined.
+##	Execute qemu programs in the qemu domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the PAM domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the PAM domain to use.
 ## </summary>
 ## </param>
 #
-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_runas',`
 	gen_require(`
-		type qemu_unconfined_t, qemu_exec_t;
+		type qemu_t;
 	')
 
-	domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
+	qemu_domtrans($1)
+	allow qemu_t $3:chr_file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Creates types and rules for a basic
-##	qemu process domain.
+##	Execute qemu programs in the role.
 ## </summary>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	Prefix for the domain.
+##	The role to allow the PAM domain.
 ##	</summary>
 ## </param>
 #
-template(`qemu_domain_template',`
+interface(`qemu_role',`
+	gen_require(`
+		type qemu_t;
+	')
+	role $1 types qemu_t;
+')
 
-	##############################
-	#
-	# Local Policy
+########################################
+## <summary>
+##	Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to allow the PAM domain.
+##	</summary>
+## </param>
 	#
+interface(`qemu_unconfined_role',`
+	gen_require(`
+		type qemu_unconfined_t;
+	')
+	role $1 types qemu_unconfined_t;
+')
 
-	type $1_t;
-	domain_type($1_t)
-
-	type $1_tmp_t;
-	files_tmp_file($1_tmp_t)
 
-	##############################
-	#
-	# Local Policy
+########################################
+## <summary>
+##	Execute a domain transition to run qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
 	#
+interface(`qemu_domtrans_unconfined',`
+	gen_require(`
+		type qemu_unconfined_t, qemu_exec_t;
+	')
 
-	allow $1_t self:capability { dac_read_search dac_override };
-	allow $1_t self:process { execstack execmem signal getsched };
-	allow $1_t self:fifo_file rw_file_perms;
-	allow $1_t self:shm create_shm_perms;
-	allow $1_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_t self:tcp_socket create_stream_socket_perms;
+	domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
+')
 
-	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+########################################
+## <summary>
+##	Execute qemu programs in the qemu unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the PAM domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the PAM domain to use.
+##	</summary>
+## </param>
+#
+interface(`qemu_runas_unconfined',`
+	gen_require(`
+		type qemu_unconfined_t;
+	')
 
-	kernel_read_system_state($1_t)
+	qemu_domtrans_unconfined($1)
+	allow qemu_unconfined_t $3:chr_file rw_file_perms;
+')
 
-	corenet_all_recvfrom_unlabeled($1_t)
-	corenet_all_recvfrom_netlabel($1_t)
-	corenet_tcp_sendrecv_all_if($1_t)
-	corenet_tcp_sendrecv_all_nodes($1_t)
-	corenet_tcp_sendrecv_all_ports($1_t)
-	corenet_tcp_bind_all_nodes($1_t)
-	corenet_tcp_bind_vnc_port($1_t)
-	corenet_rw_tun_tap_dev($1_t)
+########################################
+## <summary>
+##	Manage qemu temporary dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_manage_tmp_dirs',`
+	gen_require(`
+		type qemu_tmp_t;
+	')
 
-#	dev_rw_kvm($1_t)
+	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
 
-	domain_use_interactive_fds($1_t)
+########################################
+## <summary>
+##	Manage qemu temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_manage_tmp_files',`
+	gen_require(`
+		type qemu_tmp_t;
+	')
 
-	files_read_etc_files($1_t)
-	files_read_usr_files($1_t)
-	files_read_var_files($1_t)
-	files_search_all($1_t)
+	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
 
-	fs_list_inotifyfs($1_t)
-	fs_rw_anon_inodefs_files($1_t)
-	fs_rw_tmpfs_files($1_t)
+########################################
+## <summary>
+##	Creates types and rules for a basic
+##	qemu process domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
+## </param>
+#
+template(`qemu_domain_template',`
 
-	storage_raw_write_removable_device($1_t)
-	storage_raw_read_removable_device($1_t)
+	gen_require(`
+		attribute qemutype;
+	')
 
-	term_use_ptmx($1_t)
-	term_getattr_pty_fs($1_t)
-	term_use_generic_ptys($1_t)
+	type $1_t, qemutype;
 
-	libs_use_ld_so($1_t)
-	libs_use_shared_libs($1_t)
+	type $1_tmp_t, qemutmpfile;
+	files_tmp_file($1_tmp_t)
 
-	miscfiles_read_localization($1_t)
+	type $1_tmpfs_t;
+	files_tmpfs_file($1_tmpfs_t)
 
-	sysnet_read_config($1_t)
+	type $1_image_t;
+	virt_image($1_image_t)
 
-#	optional_policy(`
-#		samba_domtrans_smb($1_t)
-#	')
+	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+	manage_files_pattern($1_t, $1_image_t, $1_image_t)
+	read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+	rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
 
-	optional_policy(`
-		virt_manage_images($1_t)
-		virt_read_config($1_t)
-		virt_read_lib_files($1_t)
-	')
+	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
 
-	optional_policy(`
-		xserver_stream_connect_xdm_xserver($1_t)
-		xserver_read_xdm_tmp_files($1_t)
-		xserver_read_xdm_pid($1_t)
-#		xserver_xdm_rw_shm($1_t)
-	')
+	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+	fs_getattr_tmpfs($1_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te	2009-04-06 22:47:33.000000000 +0200
@@ -6,6 +6,9 @@
 # Declarations
 #
 
+attribute qemutype;
+attribute qemutmpfile;
+
 ## <desc>
 ## <p>
 ## Allow qemu to connect fully to the network
@@ -13,16 +16,128 @@
 ## </desc>
 gen_tunable(qemu_full_network, false)
 
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
+## <desc>
+## <p>
+## Allow qemu to user serial/parallell communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+
 type qemu_exec_t;
 qemu_domain_template(qemu)
 application_domain(qemu_t, qemu_exec_t)
 role system_r types qemu_t;
 
+type qemu_cache_t;
+files_type(qemu_cache_t)
+
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t)
+
+########################################
+#
+# qemu common policy
+#
+allow qemutype self:capability { dac_read_search dac_override };
+allow qemutype self:process { execstack execmem signal getsched signull };
+
+allow qemutype self:fifo_file rw_file_perms;
+allow qemutype self:shm create_shm_perms;
+allow qemutype self:unix_stream_socket create_stream_socket_perms;
+allow qemutype self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
+manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
+files_var_filetrans(qemu_t, qemu_cache_t, { file dir })
+
+manage_dirs_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
+manage_lnk_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
+files_pid_filetrans(qemu_t, qemu_var_run_t, { file dir })
+
+kernel_read_system_state(qemutype)
+
+corenet_all_recvfrom_unlabeled(qemutype)
+corenet_all_recvfrom_netlabel(qemutype)
+corenet_tcp_sendrecv_all_if(qemutype)
+corenet_tcp_sendrecv_all_nodes(qemutype)
+corenet_tcp_sendrecv_all_ports(qemutype)
+corenet_tcp_bind_all_nodes(qemutype)
+corenet_tcp_bind_vnc_port(qemutype)
+corenet_rw_tun_tap_dev(qemutype)
+
+dev_read_sound(qemutype)
+dev_write_sound(qemutype)
+dev_rw_kvm(qemutype)
+dev_rw_qemu(qemutype)
+
+domain_use_interactive_fds(qemutype)
+
+files_read_etc_files(qemutype)
+files_read_usr_files(qemutype)
+files_read_var_files(qemutype)
+files_search_all(qemutype)
+
+fs_list_inotifyfs(qemutype)
+fs_rw_anon_inodefs_files(qemutype)
+fs_rw_tmpfs_files(qemutype)
+
+term_use_ptmx(qemutype)
+term_getattr_pty_fs(qemutype)
+term_use_generic_ptys(qemutype)
+
+auth_use_nsswitch(qemutype)
+
+libs_use_ld_so(qemutype)
+libs_use_shared_libs(qemutype)
+
+miscfiles_read_localization(qemutype)
+
+optional_policy(`
+	virt_read_config(qemutype)
+	virt_read_lib_files(qemutype)
+')
+
+optional_policy(`
+	xserver_stream_connect_xdm_xserver(qemutype)
+	xserver_read_xdm_tmp_files(qemutype)
+	xserver_read_xdm_pid(qemutype)
+	xserver_rw_xdm_xserver_shm(qemutype)
+')
+
 ########################################
 #
 # qemu local policy
 #
 
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+term_use_generic_ptys(qemu_t)
+term_use_ptmx(qemu_t)
+
 tunable_policy(`qemu_full_network',`
 	allow qemu_t self:udp_socket create_socket_perms;
 
@@ -35,6 +150,43 @@
 	corenet_tcp_connect_all_ports(qemu_t)
 ')
 
+tunable_policy(`qemu_use_comm',`
+        term_use_unallocated_ttys(qemu_t)
+        dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_cifs',`
+	fs_manage_cifs_dirs(qemu_t)
+	fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+	fs_manage_nfs_dirs(qemu_t)
+	fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+	dev_rw_usbfs(qemu_t)
+	fs_manage_dos_dirs(qemu_t)
+	fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+	samba_domtrans_smb(qemu_t)
+')
+
+optional_policy(`
+	virt_manage_images(qemu_t)
+')
+
+optional_policy(`
+	xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+	xen_rw_image_files(qemu_t)
+')
+
 ########################################
 #
 # qemu_unconfined local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,4 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,2 @@
+## <summary>system-config-samba policy</summary>
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,62 @@
+policy_module(sambagui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sambagui_t;
+type sambagui_exec_t;
+
+dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+########################################
+#
+# system-config-samba local policy
+#
+
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+
+# handling with samba conf files
+samba_append_log(sambagui_t)
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
+samba_domtrans_smb(sambagui_t)
+samba_domtrans_nmb(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
+corecmd_exec_bin(sambagui_t)
+
+files_read_etc_files(sambagui_t)
+files_search_var_lib(sambagui_t)
+files_search_usr(sambagui_t)
+
+fs_list_inotifyfs(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+
+libs_use_ld_so(sambagui_t)
+libs_use_shared_libs(sambagui_t)
+
+# reading shadow by pdbedit
+#auth_read_shadow(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+# read meminfo
+kernel_read_system_state(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+nscd_dontaudit_search_pid(sambagui_t)
+
+optional_policy(`
+	consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+	polkit_dbus_chat(sambagui_t)
+')
+
+permissive sambagui_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # /home
 #
-HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
+HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:user_screen_ro_home_t,s0)
 
 #
 # /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.13/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/screen.if	2009-02-10 15:07:15.000000000 +0100
@@ -35,6 +35,7 @@
 template(`screen_per_role_template',`
 	gen_require(`
 		type screen_dir_t, screen_exec_t;
+		type user_screen_ro_home_t;
 	')
 
 	########################################
@@ -50,8 +51,9 @@
 	type $1_screen_tmp_t;
 	files_tmp_file($1_screen_tmp_t)
 
-	type $1_screen_ro_home_t;
-	files_type($1_screen_ro_home_t)
+	ifelse(`$1',`user',`',`
+		typealias user_screen_ro_home_t alias $1_screen_ro_home_t;
+	')
 
 	type $1_screen_var_run_t;
 	files_pid_file($1_screen_var_run_t)
@@ -81,9 +83,9 @@
 	filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
 	files_pid_filetrans($1_screen_t, screen_dir_t, dir)
 
-	allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
-	read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t)
+	allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms;
+	read_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t)
+	read_lnk_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t)
 
 	allow $1_screen_t $2:process signal;
 
@@ -91,12 +93,12 @@
 	allow $2 $1_screen_t:process signal;
 	allow $1_screen_t $2:process signal;
 
-	manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+	manage_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+	manage_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+	manage_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+	relabel_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+	relabel_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+	relabel_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
 	
 	kernel_read_system_state($1_screen_t)
 	kernel_read_kernel_sysctls($1_screen_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.13/policy/modules/apps/screen.te
--- nsaserefpolicy/policy/modules/apps/screen.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/screen.te	2009-02-10 15:07:15.000000000 +0100
@@ -11,3 +11,7 @@
 
 type screen_exec_t;
 application_executable_file(screen_exec_t)
+
+type user_screen_ro_home_t;
+userdom_user_home_content(user, user_screen_ro_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.5.13/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/slocate.te	2009-02-10 15:07:15.000000000 +0100
@@ -22,7 +22,7 @@
 #
 
 allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
-allow locate_t self:process { execmem execheap execstack };
+allow locate_t self:process { execmem execheap execstack signal };
 allow locate_t self:fifo_file rw_fifo_file_perms;
 allow locate_t self:unix_stream_socket create_socket_perms;
 
@@ -46,6 +46,8 @@
 
 fs_getattr_all_fs(locate_t)
 fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
 fs_list_all(locate_t)
 fs_list_inotifyfs(locate_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc
--- nsaserefpolicy/policy/modules/apps/thunderbird.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc	2009-02-10 15:07:15.000000000 +0100
@@ -3,4 +3,4 @@
 #
 /usr/bin/thunderbird.*			--	gen_context(system_u:object_r:thunderbird_exec_t,s0)
 
-HOME_DIR/\.thunderbird(/.*)?			gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)?			gen_context(system_u:object_r:user_thunderbird_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.13/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.if	2009-02-10 15:07:15.000000000 +0100
@@ -43,9 +43,9 @@
 	application_domain($1_thunderbird_t, thunderbird_exec_t)
 	role $3 types $1_thunderbird_t;
 
-	type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
-	files_poly_member($1_thunderbird_home_t)
-	userdom_user_home_content($1, $1_thunderbird_home_t)
+	ifelse(`$1',`user',`',`
+		typealias user_thunderbird_home_t alias $1_thunderbird_home_t;
+	')
 
 	type $1_thunderbird_tmpfs_t;
 	files_tmpfs_file($1_thunderbird_tmpfs_t)
@@ -64,9 +64,9 @@
 	allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
 
 	# Access ~/.thunderbird
-	manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
+	manage_dirs_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
+	manage_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
+	manage_lnk_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
 	userdom_search_user_home_dirs($1, $1_thunderbird_t)
 
 	manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
@@ -87,13 +87,13 @@
 	ps_process_pattern($2,$1_thunderbird_t)
 
 	# Access ~/.thunderbird
-	manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-
-	relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
+	manage_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+	manage_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+	manage_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+
+	relabel_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+	relabel_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+	relabel_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
 	
 	# Allow netstat
 	kernel_read_network_state($1_thunderbird_t)
@@ -153,10 +153,10 @@
 	miscfiles_read_fonts($1_thunderbird_t)
 	miscfiles_read_localization($1_thunderbird_t)
 
-	userdom_manage_user_tmp_dirs($1, $1_thunderbird_t)
+	unprivuser_manage_tmp_dirs($1_thunderbird_t)
 	userdom_read_user_tmp_files($1, $1_thunderbird_t)
 	userdom_write_user_tmp_sockets($1, $1_thunderbird_t)
-	userdom_manage_user_tmp_sockets($1, $1_thunderbird_t)
+	unprivuser_manage_tmp_sockets($1_thunderbird_t)
 	# .kde/....gtkrc
 	userdom_read_user_home_content_files($1, $1_thunderbird_t)
 
@@ -294,8 +294,8 @@
 		files_search_home($1_thunderbird_t)
 		files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file)
 		files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir)
-		userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t)
-		userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t)
+		unprivuser_manage_untrusted_content_files($1_thunderbird_t)
+		unprivuser_manage_untrusted_content_tmp_files($1_thunderbird_t)
 		userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
 		userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
 	',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.13/policy/modules/apps/thunderbird.te
--- nsaserefpolicy/policy/modules/apps/thunderbird.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.te	2009-02-10 15:07:15.000000000 +0100
@@ -8,3 +8,7 @@
 
 type thunderbird_exec_t;
 application_executable_file(thunderbird_exec_t)
+
+type user_thunderbird_home_t alias user_thunderbird_rw_t;
+userdom_user_home_content(user, user_thunderbird_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.13/policy/modules/apps/tvtime.if
--- nsaserefpolicy/policy/modules/apps/tvtime.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.if	2009-02-10 15:07:15.000000000 +0100
@@ -35,6 +35,7 @@
 template(`tvtime_per_role_template',`
 	gen_require(`
 		type tvtime_exec_t;
+		type user_tvtime_home_t, user_tvtime_tmp_t;
 	')
 
 	########################################
@@ -46,12 +47,10 @@
 	application_domain($1_tvtime_t, tvtime_exec_t)
 	role $3 types $1_tvtime_t;
 
-	type $1_tvtime_home_t alias $1_tvtime_rw_t;
-	userdom_user_home_content($1, $1_tvtime_home_t)
-	files_poly_member($1_tvtime_home_t)
-
-	type $1_tvtime_tmp_t;
-	files_tmp_file($1_tvtime_tmp_t)
+	ifelse(`$1',`user',`',`
+		typealias user_tvtime_home_t alias $1_tvtime_home_t;
+		typealias user_tvtime_tmp_t alias $1_tvtime_tmp_t;
+	')
 
 	type $1_tvtime_tmpfs_t;
 	files_tmpfs_file($1_tvtime_tmpfs_t)
@@ -67,14 +66,14 @@
 	allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
 
 	# X access, Home files
-	manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
-	manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
-	manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
-	userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir)
-
-	manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t)
-	manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t)
-	files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir })
+	manage_dirs_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t)
+	manage_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t)
+	manage_lnk_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t)
+	userdom_user_home_dir_filetrans($1, $1_tvtime_t, user_tvtime_home_t, dir)
+
+	manage_dirs_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t)
+	manage_files_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t)
+	files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t, { file dir })
 
 	manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
 	manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
@@ -86,12 +85,12 @@
 	domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
 
 	# X access, Home files
-	manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
+	manage_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+	manage_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+	manage_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+	relabel_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+	relabel_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+	relabel_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
 
 	# Allow the user domain to signal/ps.
 	ps_process_pattern($2,$1_tvtime_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.13/policy/modules/apps/tvtime.te
--- nsaserefpolicy/policy/modules/apps/tvtime.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.te	2009-02-10 15:07:15.000000000 +0100
@@ -11,3 +11,9 @@
 
 type tvtime_dir_t;
 files_pid_file(tvtime_dir_t)
+
+type user_tvtime_home_t alias user_tvtime_rw_t;
+userdom_user_home_content(user, user_tvtime_home_t)
+
+type user_tvtime_tmp_t;
+files_tmp_file(user_tvtime_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.13/policy/modules/apps/uml.fc
--- nsaserefpolicy/policy/modules/apps/uml.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/uml.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # HOME_DIR/
 #
-HOME_DIR/\.uml(/.*)?		gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+HOME_DIR/\.uml(/.*)?		gen_context(system_u:object_r:user_uml_rw_t,s0)
 
 #
 # /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.13/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/vmware.fc	2009-02-11 10:10:27.000000000 +0100
@@ -1,9 +1,9 @@
 #
 # HOME_DIR/
 #
-HOME_DIR/\.vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware(/.*)?			gen_context(system_u:object_r:vmware_home_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:vmware_home_t,s0)
+HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:vmware_home_t,s0)
 
 #
 # /etc
@@ -21,32 +21,26 @@
 /usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-guest.*		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-vmx		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-wizard		--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware			--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/sbin/vmware-serverd	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 
 /usr/lib/vmware/config		--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
-/usr/lib/vmware/bin/vmplayer	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib/vmware/bin/vmware-mks	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib/vmware/bin/vmware-ui	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmplayer  --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib/vmware/bin/vmware-vmx	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 
-ifdef(`distro_redhat',`
-/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-')
-
 /usr/lib64/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
 /usr/lib64/vmware/bin/vmware-mks --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib64/vmware/bin/vmware-ui --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib64/vmware/bin/vmplayer  --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib64/vmware/bin/vmware-vmx --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 
-/usr/sbin/vmware-guest.*	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/sbin/vmware-serverd	--	gen_context(system_u:object_r:vmware_exec_t,s0)
-
 ifdef(`distro_gentoo',`
 /opt/vmware/(workstation|player)/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /opt/vmware/(workstation|player)/bin/vmnet-dhcpd --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -63,6 +57,5 @@
 ')
 
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
-
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.13/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/vmware.if	2009-02-10 15:07:15.000000000 +0100
@@ -47,11 +47,8 @@
 	domain_entry_file($1_vmware_t, vmware_exec_t)
 	role $3 types $1_vmware_t;
 
-	type $1_vmware_conf_t;
-	userdom_user_home_content($1, $1_vmware_conf_t)
-
-	type $1_vmware_file_t;
-	userdom_user_home_content($1, $1_vmware_file_t)
+	typealias vmware_home_t alias $1_vmware_file_t;
+	typealias vmware_home_t alias $1_vmware_conf_t;
 
 	type $1_vmware_tmp_t;
 	files_tmp_file($1_vmware_tmp_t)
@@ -84,12 +81,9 @@
 
 	can_exec($1_vmware_t, vmware_exec_t)
 
-	# User configuration files
-	allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
-
 	# VMWare disks
-	manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t)
-	manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t)
+	manage_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t)
+	manage_lnk_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t)
 
 	allow $1_vmware_t $1_vmware_tmp_t:file execute;
 	manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.13/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/vmware.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,9 @@
 type vmware_exec_t;
 corecmd_executable_file(vmware_exec_t)
 
+type vmware_home_t;
+userdom_user_home_content(user, vmware_home_t)
+
 # VMWare host programs
 type vmware_host_t;
 type vmware_host_exec_t;
@@ -32,7 +35,7 @@
 
 allow vmware_host_t self:capability { setgid setuid net_raw };
 dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
 allow vmware_host_t self:fifo_file rw_fifo_file_perms;
 allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
@@ -48,6 +51,8 @@
 manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)	
 logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
 
+files_search_home(vmware_host_t)
+
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)
@@ -108,3 +113,13 @@
 optional_policy(`
 	udev_read_db(vmware_host_t)
 ')
+
+optional_policy(`
+	unconfined_domain(vmware_host_t)
+')
+
+optional_policy(`
+	xserver_rw_xdm_xserver_shm(vmware_host_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.5.13/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te	2009-02-10 15:07:15.000000000 +0100
@@ -68,6 +68,8 @@
 
 fs_search_auto_mountpoints(webalizer_t)
 fs_getattr_xattr_fs(webalizer_t)
+fs_rw_anon_inodefs_files(webalizer_t)
+fs_list_inotifyfs(webalizer_t)
 
 files_read_etc_files(webalizer_t)
 files_read_etc_runtime_files(webalizer_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wine.fc	2009-03-16 15:53:56.000000000 +0100
@@ -1,4 +1,21 @@
-/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
+HOME_DIR/cxoffice/bin/wine.+  		-- 	gen_context(system_u:object_r:wine_exec_t,s0)
 
-/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.*				--	gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/msiexec        		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad        		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/progman        		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32       		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit        		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller    		--      gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/cxoffice/bin/wine.*		--	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/picasa/wine/bin/wine.*		--	gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/google/picasa(/.*)?/bin/wine.*		--	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit 		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller 	--      gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/msiexec		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman		--      gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad		--	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi		--	gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.13/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wine.if	2009-02-10 15:07:15.000000000 +0100
@@ -49,3 +49,53 @@
 	role $2 types wine_t;
 	allow wine_t $3:chr_file rw_term_perms;
 ')
+
+#######################################
+## <summary>
+##	The per role template for the wine module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for wine applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`wine_per_role_template',`
+	gen_require(`
+		type wine_exec_t;
+	')
+
+	type $1_wine_t;
+	domain_type($1_wine_t)
+	domain_entry_file($1_wine_t, wine_exec_t)
+	role $3 types $1_wine_t;
+
+	domain_interactive_fd($1_wine_t)
+
+	userdom_unpriv_usertype($1, $1_wine_t)
+
+	allow $1_wine_t self:process { execheap execmem };
+
+	domtrans_pattern($2, wine_exec_t, $1_wine_t)
+
+	optional_policy(`
+		xserver_rw_xdm_xserver_shm($1_wine_t)
+	')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.13/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wine.te	2009-02-10 15:07:15.000000000 +0100
@@ -9,6 +9,7 @@
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
+role system_r types wine_t;
 
 ########################################
 #
@@ -17,10 +18,17 @@
 
 optional_policy(`
 	allow wine_t self:process { execstack execmem execheap };
+	domain_mmap_low_type(wine_t)
+	domain_mmap_low(wine_t)
 	unconfined_domain_noaudit(wine_t)
 	files_execmod_all_files(wine_t)
 
+')
+
  	optional_policy(`
  		hal_dbus_chat(wine_t)
  	')
+
+optional_policy(`
+	xserver_rw_xdm_xserver_shm(wine_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.13/policy/modules/apps/wireshark.if
--- nsaserefpolicy/policy/modules/apps/wireshark.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wireshark.if	2009-02-10 15:07:15.000000000 +0100
@@ -134,7 +134,7 @@
 
 	sysnet_read_config($1_wireshark_t)
 
-	userdom_manage_user_home_content_files($1, $1_wireshark_t)
+	unprivuser_manage_home_content_files($1_wireshark_t)
 	
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_wireshark_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.5.13/policy/modules/apps/wm.fc
--- nsaserefpolicy/policy/modules/apps/wm.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/wm.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,3 @@
+/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox	--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity	--	gen_context(system_u:object_r:wm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.5.13/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/wm.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,178 @@
+## <summary>Window Manager.</summary>
+
+#######################################
+## <summary>
+##	Template to create types and rules common to
+##	any window manager domains.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the X server domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`wm_domain_template',`
+	gen_require(`
+		type wm_exec_t;
+		type xserver_exec_t;
+		type tmpfs_t;
+		type proc_t;
+		type security_t, selinux_config_t;
+		type $1_t;
+		type $1_tmp_t;
+		type info_xproperty_t, xselection_t;
+		type $2_t, $2_xproperty_t, $2_input_xevent_t, $2_manage_xevent_t, $2_property_xevent_t;
+		type $2_focus_xevent_t, $2_client_xevent_t;
+		type $2_rootwindow_t, $2_xserver_t, $2_xserver_tmp_t;
+		type $1_xproperty_t;
+		type memory_device_t;
+		type output_xext_t;
+		type security_xext_t;
+		type $1_home_t;
+		type $1_tty_device_t;
+		type shell_exec_t;
+		type default_t;
+		type home_root_t;
+		type $1_home_dir_t;
+		type $2_home_t;
+
+		class x_colormap all_x_colormap_perms;
+		class x_device all_x_device_perms;
+		class x_drawable all_x_drawable_perms;
+		class x_property all_x_property_perms;
+		class x_server all_x_server_perms;
+		class x_resource all_x_resource_perms;
+		class x_screen all_x_screen_perms;
+		class x_synthetic_event all_x_synthetic_event_perms;
+		class x_event all_x_event_perms;
+		class x_selection all_x_selection_perms;
+		class x_extension all_x_extension_perms;
+		attribute $1_x_domain;
+	')
+
+	type $1_wm_t;
+	domain_type($1_wm_t)
+	domain_entry_file($1_wm_t,wm_exec_t)
+	role $1_r types $1_wm_t;
+
+	domtrans_pattern($1_t, wm_exec_t, $1_wm_t)
+
+	type $1_wm_tmpfs_t;
+#	xserver_use($2, $1, $1_wm_t)
+	xserver_user_x_domain_template($1, $1_wm, $1_wm_t, $1_wm_tmpfs_t)
+
+	files_read_etc_files($1_wm_t)
+
+	libs_use_ld_so($1_wm_t)
+	libs_use_shared_libs($1_wm_t)
+
+	nscd_dontaudit_search_pid($1_wm_t)
+
+	miscfiles_read_localization($1_wm_t)
+
+	dev_read_urand($1_wm_t)
+
+ 	files_list_tmp($1_wm_t)
+
+	allow $1_wm_t proc_t:file { read getattr };
+
+	allow $1_wm_t info_xproperty_t:x_property { write create };
+
+	allow $1_wm_t self:process getsched;
+	allow $1_wm_t self:x_drawable blend;
+
+	allow $1_wm_t tmpfs_t:file { read write };
+
+	allow $1_wm_t usr_t:file { read getattr };
+	allow $1_wm_t usr_t:lnk_file read;
+
+	allow $1_wm_t $1_tmp_t:dir { write search setattr remove_name getattr add_name };
+	allow $1_wm_t $1_tmp_t:sock_file { write create unlink };
+
+	allow $1_wm_t $1_t:unix_stream_socket connectto;
+	allow $1_wm_t self:fifo_file { write read };
+
+
+	allow $1_wm_t $2_client_xevent_t:x_synthetic_event send;
+	allow $1_wm_t $2_focus_xevent_t:x_event receive;
+	allow $1_wm_t $2_input_xevent_t:x_event receive;
+	allow $1_wm_t $2_manage_xevent_t:x_event receive;
+	allow $1_wm_t $2_manage_xevent_t:x_synthetic_event { receive send };
+	allow $1_wm_t $2_property_xevent_t:x_event receive;
+	allow $1_wm_t $2_xproperty_t:x_property { read write destroy };
+	allow $1_wm_t $2_rootwindow_t:x_colormap { install uninstall use add_color remove_color read };
+	allow $1_wm_t $2_rootwindow_t:x_drawable { read write manage setattr get_property hide show receive set_property create send add_child remove_child getattr list_property blend list_child destroy override };
+	allow $1_wm_t $2_xproperty_t:x_property { write read };
+	allow $1_wm_t $2_xserver_t:x_device { force_cursor setfocus use setattr grab manage getattr freeze write };
+	allow $1_wm_t $2_xserver_t:x_resource { read write };
+	allow $1_wm_t $2_xserver_t:x_screen setattr;
+	allow $1_wm_t xselection_t:x_selection setattr;
+
+	allow $1_wm_t $2_t:x_drawable { get_property setattr show receive manage send read getattr list_child set_property };
+        allow $1_wm_t $2_t:x_resource { read write };
+
+	ifdef(`enable_mls',`
+ 		mls_file_read_all_levels($1_wm_t)
+ 		mls_file_write_all_levels($1_wm_t)
+
+		mls_xwin_read_all_levels($1_wm_t)
+		mls_xwin_write_all_levels($1_wm_t)
+
+		mls_fd_use_all_levels($1_wm_t)
+	')
+
+	corecmd_exec_bin($1_wm_t)
+	can_exec($1_wm_t, { shell_exec_t })
+	domtrans_pattern($1_wm_t,bin_t,$1_t)
+
+	allow $1_t $1_wm_t:unix_stream_socket connectto;
+	allow $1_t $1_wm_t:x_drawable { receive get_property getattr list_child };
+
+	allow $1_t $1_wm_t:process signal;
+
+	optional_policy(`
+		dbus_system_bus_client_template($1_wm,$1_wm_t)
+		dbus_user_bus_client_template($1,$1_wm,$1_wm_t)
+	')
+	
+	allow $1_wm_t $1_home_t:dir { search getattr };
+	allow $1_wm_t $1_tty_device_t:chr_file { write read };
+	allow $1_wm_t $1_xproperty_t:x_property { read write destroy };
+	allow $1_wm_t default_t:dir search;
+	allow $1_wm_t home_root_t:dir search;
+	allow $1_wm_t $1_home_dir_t:dir search;
+	allow $1_wm_t $2_xserver_tmp_t:dir search;
+	allow $1_wm_t $2_xserver_tmp_t:lnk_file read;
+	allow $1_wm_t $1_home_dir_t:dir search_dir_perms;
+	manage_files_pattern($1_wm_t,$1_tmp_t,$1_tmp_t)
+	allow $1_wm_t $2_home_t:file { write read getattr };
+	allow $1_wm_t $2_xserver_t:unix_stream_socket connectto;
+	allow $1_wm_t $2_xserver_tmp_t:sock_file write;
+	manage_lnk_files_pattern($1_wm_t, $2_xserver_tmp_t, $2_xserver_tmp_t)
+	allow $1_wm_t security_xext_t:x_extension { query use };
+')
+
+########################################
+## <summary>
+##	Execute the wm program in the wm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wm_exec',`
+	gen_require(`
+		type wm_exec_t;
+	')
+
+	can_exec($1, wm_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.5.13/policy/modules/apps/wm.te
--- nsaserefpolicy/policy/modules/apps/wm.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/wm.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,10 @@
+policy_module(wm,0.0.4)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
+
+wm_domain_template(user,xdm)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc	2009-06-08 16:02:14.000000000 +0200
@@ -65,6 +65,8 @@
 
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/racoon/scripts(/.*)?  		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
 
 
@@ -73,10 +75,16 @@
 /etc/sysconfig/libvirtd		-- gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/netconsole	-- gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/readonly-root 	-- gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0)
+
+/etc/sysconfig/network-scripts/ifup.*   gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifdown.* gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/net.*	gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/init.*	gen_context(system_u:object_r:bin_t,s0)
+
+#/etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
+#/etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
+#/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
+#/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0)
 
 /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
@@ -123,12 +131,18 @@
 
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
+/opt/real/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
+
 ifdef(`distro_gentoo',`
 /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
 /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
+/opt/gutenprint/cups/lib/filter(/.*)?		   gen_context(system_u:object_r:bin_t,s0)
+/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/opt/Adobe(/.*)?/sidecars(/.*)?			   gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /usr
 #
@@ -176,6 +190,8 @@
 /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 
+/usr/lib/wicd/monitor.py       --       gen_context(system_u:object_r:bin_t, s0)
+
 /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -184,10 +200,8 @@
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)?/lpd(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
 /usr/local/linuxprinter/filters(/.*)?   gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -202,6 +216,7 @@
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/Modules/init(/.*)?           gen_context(system_u:object_r:bin_t,s0)
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -222,14 +237,15 @@
 /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vmware-tools/sbin64(/.*)?      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/(s)?bin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/(s)?bin64(/.*)?      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
@@ -292,3 +308,14 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
+/usr/lib(64)?/nspluginwrapper/npconfig	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer	gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/ConsoleKit/scripts(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit/run-session.d(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+/etc/ConsoleKit/run-session.d(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/oracle/xe/apps(/.*)?  gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.13/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.if	2009-02-10 15:07:15.000000000 +0100
@@ -894,6 +894,7 @@
 
 	read_lnk_files_pattern($1, bin_t, bin_t)
 	can_exec($1, chroot_exec_t)
+	allow $1 self:capability sys_chroot;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in	2009-02-10 15:07:15.000000000 +0100
@@ -1288,6 +1288,24 @@
 
 ########################################
 ## <summary>
+##	Connect TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_unreserved_ports',`
+	gen_require(`
+		attribute port_type, reserved_port_type;
+	')
+
+	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Send and receive TCP network traffic on all reserved ports.
 ## </summary>
 ## <param name="domain">
@@ -1441,10 +1459,11 @@
 #
 interface(`corenet_tcp_bind_all_unreserved_ports',`
 	gen_require(`
-		attribute port_type, reserved_port_type;
+		attribute port_type;
+		type hi_reserved_port_t, reserved_port_t;
 	')
 
-	allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+	allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
 ')
 
 ########################################
@@ -1459,10 +1478,11 @@
 #
 interface(`corenet_udp_bind_all_unreserved_ports',`
 	gen_require(`
-		attribute port_type, reserved_port_type;
+		attribute port_type;
+		type hi_reserved_port_t, reserved_port_t;
 	')
 
-	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+	allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
 ')
 
 ########################################
@@ -1560,6 +1580,24 @@
 
 ########################################
 ## <summary>
+##	Getattr the point-to-point device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_getattr_ppp_dev',`
+	gen_require(`
+		type ppp_device_t;
+	')
+
+	allow $1 ppp_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
 ##	Read and write the point-to-point device.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in	2009-03-10 13:22:11.000000000 +0100
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.10.0)
+policy_module(corenetwork, 1.10.2)
 
 ########################################
 #
@@ -65,10 +65,13 @@
 type server_packet_t, packet_type, server_packet_type;
 
 network_port(afs_bos, udp,7007,s0)
+network_port(afs_client, udp,7001,s0)
 network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
 network_port(afs_ka, udp,7004,s0)
 network_port(afs_pt, udp,7002,s0)
 network_port(afs_vl, udp,7003,s0)
+network_port(agentx, udp,705,s0, tcp,705,s0)
+
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
@@ -79,26 +82,34 @@
 network_port(auth, tcp,113,s0)
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
+network_port(certmaster, tcp,51235,s0)
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
 network_port(comsat, udp,512,s0)
 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
+network_port(dccm, tcp,5679,s0, udp,5679,s0)
 network_port(dbskkd, tcp,1178,s0)
-network_port(dhcpc, udp,68,s0)
-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
+network_port(dhcpc, udp,68,s0, tcp,68,s0)
+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(festival, tcp,1314,s0)
 network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(ftp, tcp,21,s0)
+network_port(ftps, tcp,990,s0, udp,990,s0)
 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
 network_port(giftd, tcp,1213,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
+network_port(gpsd,tcp,2947,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
@@ -109,6 +120,7 @@
 network_port(ipp, tcp,631,s0, udp,631,s0)
 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
+network_port(ipmi, udp,623,s0, udp,664,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
 network_port(isns, tcp,3205,s0, udp,3205,s0)
@@ -117,6 +129,8 @@
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(kismet, tcp,2501,s0)
+network_port(kprop, tcp,754,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -126,6 +140,7 @@
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
@@ -136,12 +151,21 @@
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
+network_port(pingd, tcp,9125,s0)
+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
+network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0)
+network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0)
 network_port(postfix_policyd, tcp,10031,s0)
+network_port(pulseaudio, tcp,4713,s0)
 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postgresql, tcp,5432,s0)
 network_port(postgrey, tcp,60000,s0)
+network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pxe, udp,4011,s0)
@@ -159,9 +183,11 @@
 network_port(rwho, udp,513,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
 network_port(spamd, tcp,783,s0)
+network_port(speech, tcp,8036,s0)
 network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
 network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
@@ -170,14 +196,17 @@
 network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
 network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
 network_port(transproxy, tcp,8081,s0)
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(wccp, udp,2048,s0)
-network_port(whois, tcp,43,s0, udp,43,s0)
+# Reserve 100 ports for vnc/virt machines
+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc	2009-04-07 09:18:47.000000000 +0200
@@ -1,8 +1,9 @@
 
 /dev			-d	gen_context(system_u:object_r:device_t,s0)
 /dev/.*				gen_context(system_u:object_r:device_t,s0)
-
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/3dfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/admmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
@@ -12,44 +13,66 @@
 /dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/gfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/graphics		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gtrsc.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/hfmodem		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hidraw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
+/dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/jbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+         -c      gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/pc110pad		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -68,18 +91,20 @@
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
-/dev/usbmon[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usb[0-9]+		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vrtpanel		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -91,14 +116,20 @@
 
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
 
-/dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/cpu_dma_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/cpu.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
 
+/dev/biometric/sensor.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+
 /dev/dri/.+		-c	gen_context(system_u:object_r:dri_device_t,s0)
 
 /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 
+/dev/input/.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/m.*  	-c 	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -106,10 +137,15 @@
 
 /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
 
+/dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
 /dev/pts(/.*)?			<<none>>
 
 /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
 
+/dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+
 /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if	2009-04-06 22:35:09.000000000 +0200
@@ -65,7 +65,7 @@
 
 	relabelfrom_dirs_pattern($1, device_t, device_node)
 	relabelfrom_files_pattern($1, device_t, device_node)
-	relabelfrom_lnk_files_pattern($1, device_t, device_node)
+	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
 	relabelfrom_fifo_files_pattern($1, device_t, device_node)
 	relabelfrom_sock_files_pattern($1, device_t, device_node)
 	relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@@ -185,6 +185,24 @@
 
 ########################################
 ## <summary>
+##	Manage of directories in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to relabel.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	manage_dirs_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Allow full relabeling (to and from) of directories in /dev.
 ## </summary>
 ## <param name="domain">
@@ -664,9 +682,10 @@
 interface(`dev_dontaudit_getattr_all_blk_files',`
 	gen_require(`
 		attribute device_node;
+		type device_t;
 	')
 
-	dontaudit $1 device_node:blk_file getattr;
+	dontaudit $1 { device_t device_node }:blk_file getattr;
 ')
 
 ########################################
@@ -701,9 +720,10 @@
 interface(`dev_dontaudit_getattr_all_chr_files',`
 	gen_require(`
 		attribute device_node;
+		type device_t;
 	')
 
-	dontaudit $1 device_node:chr_file getattr;
+	dontaudit $1 { device_t device_node }:chr_file getattr;
 ')
 
 ########################################
@@ -1062,6 +1082,98 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_autofs_dev',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_autofs_dev',`
+	gen_require(`
+		type autofs_device_t;
+	')
+
+	dontaudit $1 autofs_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_autofs_dev',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_autofs_dev',`
+	gen_require(`
+		type autofs_device_t;
+	')
+
+	dontaudit $1 autofs_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the autofs device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_autofs',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write the PCMCIA card manager device.
 ## </summary>
 ## <param name="domain">
@@ -1160,6 +1272,25 @@
 
 ########################################
 ## <summary>
+##	Set the attributes of the CPU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_cpu_dev',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
+########################################
+## <summary>
 ##	Read the CPU identity.
 ## </summary>
 ## <param name="domain">
@@ -1282,7 +1413,7 @@
 		type dri_device_t;
 	')
 
-	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+	dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -1507,6 +1638,151 @@
 
 ########################################
 ## <summary>
+##	Read the kernel messages
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_kmsg',`
+	gen_require(`
+		type device_t, kmsg_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_kvm_dev',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_kvm_dev',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##      Read and write to kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+#######################################
+## <summary>
+##      Read the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+#######################################
+## <summary>
+##      Read and write the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+#######################################
+## <summary>
+##      Automatic type transition to the type
+##      for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
+########################################
+## <summary>
 ##	Read the lvm comtrol device.
 ## </summary>
 ## <param name="domain">
@@ -1958,6 +2234,96 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the network control device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_netcontrol_dev',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Read the network control identity.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the the network control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_null_dev',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_null_dev',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write to the null device (/dev/null).
 ## </summary>
 ## <param name="domain">
@@ -2104,6 +2470,98 @@
 
 ########################################
 ## <summary>
+##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_printk',`
+	gen_require(`
+		type device_t, printk_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, printk_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the QEMU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_qemu_dev',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the QEMU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_qemu_dev',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Read the QEMU device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_qemu',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the the QEMU device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_qemu',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
 ##	Read from random number generator
 ##	devices (e.g., /dev/random)
 ## </summary>
@@ -2142,6 +2600,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to append to random
+##	number generator devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_append_rand',`
+	gen_require(`
+		type random_device_t;
+	')
+
+	dontaudit $1 random_device_t:chr_file append_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Write to the random device (e.g., /dev/random). This adds
 ##	entropy used to generate the random data read from the
 ##	random device.
@@ -2769,6 +3246,24 @@
 
 ########################################
 ## <summary>
+##	Read generic the USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write generic the USB devices.
 ## </summary>
 ## <param name="domain">
@@ -2957,6 +3452,25 @@
 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 ')
 
+#######################################
+## <summary>
+##     Read and write generic the USB fifo files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_rw_generic_usb_pipes',`
+       gen_require(`
+               type usb_device_t;
+       ')
+
+       allow $1 device_t:dir search_dir_perms;
+       allow $1 usb_device_t:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of video4linux devices.
@@ -3322,3 +3836,22 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+#######################################
+## <summary>
+##      Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_setattr_tty',`
+       gen_require(`
+               type devtty_t;
+       ')
+
+       setattr_chr_files_pattern($1, devtty_t, devtty_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te	2009-04-07 00:12:12.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(devices, 1.7.0)
+policy_module(devices, 1.7.1)
 
 ########################################
 #
@@ -32,6 +32,12 @@
 type apm_bios_t;
 dev_node(apm_bios_t)
 
+#
+# Type for /dev/autofs
+#
+type autofs_device_t;
+dev_node(autofs_device_t)
+
 type cardmgr_dev_t;
 dev_node(cardmgr_dev_t)
 files_tmp_file(cardmgr_dev_t)
@@ -66,12 +72,31 @@
 dev_node(framebuf_device_t)
 
 #
+# Type for /dev/ipmi/0
+#
+type ipmi_device_t;
+dev_node(ipmi_device_t)
+
+#
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
 dev_node(kmsg_device_t)
 
 #
+# kvm_device_t is the type of
+# /dev/kvm
+#
+type kvm_device_t;
+dev_node(kvm_device_t)
+
+#
+## Type for /dev/lirc
+##
+type lirc_device_t;
+dev_node(lirc_device_t)
+
+#
 # Type for /dev/mapper/control
 #
 type lvm_control_t;
@@ -104,6 +129,12 @@
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 
 #
+# network control devices 
+#
+type netcontrol_device_t;
+dev_node(netcontrol_device_t)
+
+#
 # null_device_t is the type of /dev/null.
 #
 type null_device_t;
@@ -128,6 +159,12 @@
 mls_file_write_within_range(printer_device_t)
 
 #
+# qemu control devices 
+#
+type qemu_device_t;
+dev_node(qemu_device_t)
+
+#
 # random_device_t is the type of /dev/random
 #
 type random_device_t;
@@ -157,6 +194,12 @@
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
 #
+# Type for /dev/tpm
+#
+type tpm_device_t;
+dev_node(tpm_device_t)
+
+#
 # urandom_device_t is the type of /dev/urandom
 #
 type urandom_device_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.13/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.if	2009-02-10 15:07:15.000000000 +0100
@@ -1247,18 +1247,34 @@
 ##	</summary>
 ## </param>
 #
-interface(`domain_mmap_low',`
+interface(`domain_mmap_low_type',`
 	gen_require(`
 		attribute mmap_low_domain_type;
 	')
 
-	allow $1 self:memprotect mmap_zero;
-
 	typeattribute $1 mmap_low_domain_type;
 ')
 
 ########################################
 ## <summary>
+##	Ability to mmap a low area of the address space,
+##      as configured by /proc/sys/kernel/mmap_min_addr.
+##      Preventing such mappings helps protect against
+##      exploiting null deref bugs in the kernel.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to mmap low memory.
+##	</summary>
+## </param>
+#
+interface(`domain_mmap_low',`
+
+	allow $1 self:memprotect mmap_zero;
+')
+
+########################################
+## <summary>
 ##	Allow specified type to receive labeled
 ##	networking packets from all domains, over
 ##	all protocols (TCP, UDP, etc)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te	2009-02-18 14:25:11.000000000 +0100
@@ -5,6 +5,13 @@
 #
 # Declarations
 #
+## <desc>
+## <p>
+## Allow all domains to use other domains file descriptors
+## </p>
+## </desc>
+#
+gen_tunable(allow_domain_fd_use, true)
 
 # Mark process types as domains
 attribute domain;
@@ -80,11 +87,14 @@
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
 kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
+
 # Every domain gets the key ring, so we should default
 # to no one allowed to look at it; afs kernel support creates
 # a keyring
 kernel_dontaudit_search_key(domain)
 kernel_dontaudit_link_key(domain)
+userdom_dontaudit_search_all_users_keys(domain)
 
 # create child processes in the domain
 allow domain self:process { fork sigchld };
@@ -113,6 +123,7 @@
 optional_policy(`
 	xserver_dontaudit_use_xdm_fds(domain)
 	xserver_dontaudit_rw_xdm_pipes(domain)
+	xserver_dontaudit_rw_xdm_home_files(domain)
 ')
 
 ########################################
@@ -131,6 +142,9 @@
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
 
+allow unconfined_domain_type domain:dbus send_msg;
+allow domain unconfined_domain_type:dbus send_msg;
+
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
 
@@ -140,7 +154,7 @@
 
 # For /proc/pid
 allow unconfined_domain_type domain:dir list_dir_perms;
-allow unconfined_domain_type domain:file read_file_perms;
+allow unconfined_domain_type domain:file rw_file_perms;
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 
 # act on all domains keys
@@ -148,3 +162,40 @@
 
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+tunable_policy(`allow_domain_fd_use',`
+	# Allow all domains to use fds past to them
+	allow domain domain:fd use;
+')
+
+optional_policy(`
+	cron_dontaudit_write_system_job_tmp_files(domain)
+	cron_rw_pipes(domain)
+	cron_rw_system_job_pipes(domain)
+ifdef(`hide_broken_symptoms',`
+	cron_dontaudit_rw_tcp_sockets(domain)
+	allow domain domain:key { link search };
+')
+')
+
+ifdef(`hide_broken_symptoms',`
+        dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
+')
+
+optional_policy(`
+	rpm_rw_pipes(domain)
+	rpm_dontaudit_use_script_fds(domain)
+	rpm_dontaudit_write_pid_files(domain)
+')
+
+optional_policy(`
+	rhgb_dontaudit_use_ptys(domain)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(domain)
+	unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.13/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/files.fc	2009-02-10 15:07:15.000000000 +0100
@@ -32,6 +32,7 @@
 /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /boot/lost\+found/.*		<<none>>
 /boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
+/boot/efi(/.*)?/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
 
 #
 # /emul
@@ -49,6 +50,7 @@
 /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/hosts.deny		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/files.if	2009-02-10 15:07:15.000000000 +0100
@@ -110,6 +110,11 @@
 ## </param>
 #
 interface(`files_config_file',`
+	gen_require(`
+		attribute etcfile;
+	')
+
+	typeattribute $1 etcfile;
 	files_type($1)
 ')
 
@@ -928,8 +933,8 @@
 	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
 	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
-	relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-	relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+	relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+	relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
 
 	# satisfy the assertions:
 	seutil_relabelto_bin_policy($1)
@@ -953,6 +958,32 @@
 ## </param>
 ## <rolecap/>
 #
+interface(`files_rw_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	rw_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+## <summary>
+##	Manage all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+## <rolecap/>
+#
 interface(`files_manage_all_files',`
 	gen_require(`
 		attribute file_type;
@@ -1060,6 +1091,24 @@
 ##	</summary>
 ## </param>
 #
+interface(`files_relabel_all_file_type_fs',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:filesystem { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Relabel a filesystem to the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`files_relabelto_all_file_type_fs',`
 	gen_require(`
 		attribute file_type;
@@ -1303,6 +1352,24 @@
 
 ########################################
 ## <summary>
+##	Remove entries from the tmp directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_tmp_dir_entry',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 tmp_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Unmount a rootfs filesystem.
 ## </summary>
 ## <param name="domain">
@@ -1889,6 +1956,26 @@
 
 ########################################
 ## <summary>
+##	Read config files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_config_files',`
+	gen_require(`
+		attribute etcfile;
+	')
+
+	allow $1 etcfile:dir list_dir_perms;
+	read_files_pattern($1, etcfile, etcfile)
+	read_lnk_files_pattern($1, etcfile, etcfile)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write generic files in /etc.
 ## </summary>
 ## <param name="domain">
@@ -2224,6 +2311,49 @@
 
 ########################################
 ## <summary>
+##	Delete directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_dirs',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_dirs_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+##	Delete files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_files_pattern($1, file_t, file_t)
+	delete_lnk_files_pattern($1, file_t, file_t)
+	delete_fifo_files_pattern($1, file_t, file_t)
+	delete_sock_files_pattern($1, file_t, file_t)
+	delete_blk_files_pattern($1, file_t, file_t)
+	delete_chr_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to search directories on new filesystems
 ##	that have not yet been labeled.
 ## </summary>
@@ -2744,6 +2874,24 @@
 
 ########################################
 ## <summary>
+##	read files in /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_mnt_files',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	read_files_pattern($1, mnt_t, mnt_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete symbolic links in /mnt.
 ## </summary>
 ## <param name="domain">
@@ -3394,6 +3542,8 @@
 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
+	files_delete_isid_type_dirs($1)
+	files_delete_isid_type_files($1)
 ')
 
 ########################################
@@ -3471,6 +3621,47 @@
 
 ########################################
 ## <summary>
+##	Delete generic directories in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	delete_dirs_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
+##	Delete generic files in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	delete_files_pattern($1, usr_t, usr_t)
+	delete_lnk_files_pattern($1, usr_t, usr_t)
+	delete_fifo_files_pattern($1, usr_t, usr_t)
+	delete_sock_files_pattern($1, usr_t, usr_t)
+	delete_blk_files_pattern($1, usr_t, usr_t)
+	delete_chr_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of files in /usr.
 ## </summary>
 ## <param name="domain">
@@ -3547,6 +3738,24 @@
 
 ########################################
 ## <summary>
+##	dontaudit write of /usr files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	dontaudit $1 usr_t:file write;
+')
+
+########################################
+## <summary>
 ##	Relabel a file to the type used in /usr.
 ## </summary>
 ## <param name="domain">
@@ -4433,6 +4642,25 @@
 
 ########################################
 ## <summary>
+##	Read generic process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_generic_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	list_dirs_pattern($1,var_t,var_run_t)
+	read_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
 ##	Read and write generic process ID files.
 ## </summary>
 ## <param name="domain">
@@ -4761,12 +4989,14 @@
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
 
+	fs_mount_tmpfs($1)
+	fs_unmount_tmpfs($1)
+
 	ifdef(`distro_redhat',`
 		# namespace.init
 		files_search_home($1)
 		corecmd_exec_bin($1)
 		seutil_domtrans_setfiles($1)
-		mount_domtrans($1)
 	')
 ')
 
@@ -4787,3 +5017,71 @@
 
 	typeattribute $1 files_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Create a core files in /
+## </summary>
+## <desc>
+##	<p>
+##	Create a core file in /,
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_dump_core',`
+	gen_require(`
+		type root_t;
+	')
+
+	manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+## <summary>
+##     Create a default directory in /
+## </summary>
+## <desc>
+##     <p>
+##     Create a default_t direcrory in /
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_default_dir',`
+       gen_require(`
+               type root_t, default_t;
+       ')
+
+       allow $1 default_t:dir create;
+       filetrans_pattern($1, root_t, default_t, dir)
+')
+
+########################################
+## <summary>
+##	manage generic symbolic links
+##	in the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_pids_symlinks',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.13/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/files.te	2009-02-10 15:07:15.000000000 +0100
@@ -52,11 +52,14 @@
 #
 # etc_t is the type of the system etc directories.
 #
-type etc_t;
+attribute etcfile;
+
+type etc_t, etcfile;
 files_type(etc_t)
 # compatibility aliases for removed types:
 typealias etc_t alias automount_etc_t;
 typealias etc_t alias snmpd_etc_t;
+typealias etc_t alias gconf_etc_t;
 
 #
 # etc_runtime_t is the type of various
@@ -174,6 +177,7 @@
 #
 type var_run_t;
 files_pid_file(var_run_t)
+files_mountpoint(var_run_t)
 
 #
 # var_spool_t is the type of /var/spool
@@ -197,10 +201,7 @@
 #
 # Rules for all tmp file types
 #
-
-allow tmpfile tmp_t:filesystem associate;
-
-fs_associate_tmpfs(tmpfile)
+allow file_type tmp_t:filesystem associate;
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if	2009-02-10 15:07:15.000000000 +0100
@@ -535,6 +535,24 @@
 
 ########################################
 ## <summary>
+##	Mounton a CIFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Remount a CIFS or SMB network filesystem.
 ##	This allows some mount options to be changed.
 ## </summary>
@@ -737,6 +755,7 @@
 		attribute noxattrfs;
 	')
 
+	list_dirs_pattern($1, noxattrfs, noxattrfs)
 	read_files_pattern($1, noxattrfs, noxattrfs)
 ')
 
@@ -779,6 +798,25 @@
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
+##	dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
 ##	files on a CIFS or SMB filesystem.
 ## </summary>
 ## <param name="domain">
@@ -955,6 +993,46 @@
 
 ########################################
 ## <summary>
+##	Append files
+##	on a CIFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_append_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	append_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+## <summary>
+##	dontaudit Append files
+##	on a CIFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_dontaudit_append_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:file append;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to create, read,
 ##	write, and delete files
 ##	on a CIFS or SMB network filesystem.
@@ -1209,6 +1287,25 @@
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete dirs
+##	on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_dos_dirs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	manage_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete files
 ##	on a DOS filesystem.
 ## </summary>
@@ -1228,6 +1325,26 @@
 
 ########################################
 ## <summary>
+##	Read and write files on hugetlbfs files
+##	file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_hugetlbfs_files',`
+	gen_require(`
+		type hugetlbfs_t;
+
+	')
+
+	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
 ##	Read eventpollfs files.
 ## </summary>
 ## <desc>
@@ -1287,24 +1404,6 @@
 
 ########################################
 ## <summary>
-##	Read and write hugetlbfs files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_rw_hugetlbfs_files',`
-	gen_require(`
-		type hugetlbfs_t;
-	')
-
-	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-')
-
-########################################
-## <summary>
 ##	Search inotifyfs filesystem. 
 ## </summary>
 ## <param name="domain">
@@ -1478,6 +1577,24 @@
 
 ########################################
 ## <summary>
+##	Mounton a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Remount a NFS filesystem.  This allows
 ##	some mount options to be changed.
 ## </summary>
@@ -1681,7 +1798,7 @@
 		type nfs_t;
 	')
 
-	dontaudit $1 nfs_t:file { read write };
+	dontaudit $1 nfs_t:file rw_file_perms;
 ')
 
 ########################################
@@ -2002,6 +2119,47 @@
 
 ########################################
 ## <summary>
+##	Append files
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_append_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	append_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
+##	dontaudit Append files
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_dontaudit_append_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file append;
+')
+
+
+########################################
+## <summary>
 ##	Do not audit attempts to create,
 ##	read, write, and delete files
 ##	on a NFS filesystem.
@@ -2996,6 +3154,7 @@
 		type tmpfs_t;
 	')
 
+	dontaudit $1 tmpfs_t:dir rw_dir_perms;
 	dontaudit $1 tmpfs_t:file rw_file_perms;
 ')
 
@@ -3132,6 +3291,25 @@
 
 ########################################
 ## <summary>
+##	Read and write block nodes on removable filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_removable_blk_files',`
+	gen_require(`
+		type removable_t;
+	')
+
+	allow $1 removable_t:dir list_dir_perms;
+	rw_blk_files_pattern($1, removable_t, removable_t)
+')
+
+########################################
+## <summary>
 ##	Relabel block nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
@@ -3317,6 +3495,7 @@
 	')
 
 	allow $1 filesystem_type:filesystem getattr;
+	files_getattr_all_file_type_fs($1)
 ')
 
 ########################################
@@ -3644,3 +3823,142 @@
 	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
 	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
 ')
+
+########################################
+## <summary>
+##	Search directories
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_search_fusefs_dirs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_fusefs_dirs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_fusefs_dirs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	dontaudit $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	manage_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+## <summary>
+##	Read, a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_read_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	read_files_pattern($1,fusefs_t,fusefs_t)
+')
+
+########################################
+## <summary>
+##	Read symbolic links on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_fusefs_symlinks',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir list_dir_perms;
+	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	dontaudit $1 fusefs_t:file manage_file_perms;
+')
Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te	2009-03-18 09:34:45.000000000 +0100
@@ -21,7 +21,7 @@
 
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
@@ -76,6 +76,11 @@
 allow cpusetfs_t self:filesystem associate;
 genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
 
+type ecryptfs_t;
+fs_noxattr_type(ecryptfs_t)
+files_mountpoint(ecryptfs_t)
+genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
+
 type eventpollfs_t;
 fs_type(eventpollfs_t)
 # change to task SID 20060628
@@ -141,6 +146,8 @@
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
 genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)
 
 type vxfs_t;
 fs_noxattr_type(vxfs_t)
@@ -199,6 +206,11 @@
 genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
+# Labeling dosfs_t since these are removable file systems with the i
+# same security properties as dosfs_t
+genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0)
+
 
 type fusefs_t;
 fs_noxattr_type(fusefs_t)
@@ -236,11 +248,11 @@
 genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
 genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
-genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
 genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if	2009-02-10 15:07:15.000000000 +0100
@@ -1198,6 +1198,7 @@
 	')
 
 	dontaudit $1 proc_type:dir list_dir_perms;
+	dontaudit $1 proc_type:file getattr;
 ')
 
 ########################################
@@ -1234,9 +1235,11 @@
 interface(`kernel_read_sysctl',`
 	gen_require(`
 		type sysctl_t;
+		type proc_t;
 	')
 
 	list_dirs_pattern($1, proc_t, sysctl_t)
+	read_files_pattern($1, sysctl_t, sysctl_t)
 ')
 
 ########################################
@@ -1569,6 +1572,26 @@
 
 ########################################
 ## <summary>
+##	Read generic crypto sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_crypto_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_crypto_t;
+	')
+
+	read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
+
+	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
+')
+
+########################################
+## <summary>
 ##	Read generic kernel sysctls.
 ## </summary>
 ## <param name="domain">
@@ -1768,6 +1791,7 @@
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
+	dontaudit $1 sysctl_type:file read_file_perms;
 ')
 
 ########################################
@@ -2582,6 +2606,24 @@
 
 ########################################
 ## <summary>
+##      Relabel to unlabeled context .
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_relabelto_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
+########################################
+## <summary>
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te	2009-02-10 15:07:15.000000000 +0100
@@ -63,6 +63,15 @@
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
 
 #
+# infinibandeventfs fs
+#
+
+type infinibandeventfs_t;
+fs_type(infinibandeventfs_t)
+allow infinibandeventfs_t self:filesystem associate;
+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
+
+#
 # kvmFS
 #
 
@@ -120,6 +129,10 @@
 type sysctl_rpc_t, sysctl_type;
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
 
+# /proc/sys/crypto directory and files
+type sysctl_crypto_t, sysctl_type;
+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
+
 # /proc/sys/fs directory and files
 type sysctl_fs_t, sysctl_type;
 files_mountpoint(sysctl_fs_t)
@@ -160,6 +173,7 @@
 #
 type unlabeled_t;
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+fs_associate(unlabeled_t)
 
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -274,6 +288,8 @@
 	fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+unprivuser_home_dir_filetrans_home_content(kernel_t, { file dir })
+
 tunable_policy(`read_default_t',`
 	files_list_default(kernel_t)
 	files_read_default_files(kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.13/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.if	2009-02-10 15:07:15.000000000 +0100
@@ -164,6 +164,7 @@
 		type security_t;
 	')
 
+	selinux_dontaudit_getattr_fs($1)
 	dontaudit $1 security_t:dir search_dir_perms;
 	dontaudit $1 security_t:file { getattr read };
 ')
@@ -185,6 +186,7 @@
 		type security_t;
 	')
 
+	selinux_get_fs_mount($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read };
 ')
@@ -265,6 +267,34 @@
 
 ########################################
 ## <summary>
+##	Allow caller to read the state of Booleans 
+## </summary>
+## <desc>
+##	<p>
+##	Allow caller read the state of Booleans 
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The process type allowed to set the Boolean.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_get_boolean',`
+	gen_require(`
+		type security_t;
+		attribute booleans_type;
+		bool secure_mode_policyload;
+	')
+
+	allow $1 security_t:dir list_dir_perms;
+	allow $1 booleans_type:dir list_dir_perms;
+	allow $1 booleans_type:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow caller to set the state of Booleans to
 ##	enable or disable conditional portions of the policy.
 ## </summary>
@@ -288,11 +318,13 @@
 interface(`selinux_set_boolean',`
 	gen_require(`
 		type security_t;
+		attribute booleans_type;
 		bool secure_mode_policyload;
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 booleans_type:dir list_dir_perms;
+	allow $1 booleans_type:file { getattr read write };
 
 	if(!secure_mode_policyload) {
 		allow $1 security_t:security setbool;
@@ -510,3 +542,23 @@
 
 	typeattribute $1 selinux_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Generate a file context for a boolean type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_genbool',`
+	gen_require(`
+		attribute booleans_type;
+	')
+
+	type $1, booleans_type;
+	fs_type($1)
+	mls_trusted_object($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.13/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,7 @@
 attribute can_setenforce;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;
+attribute booleans_type;
 
 # 
 # security_t is the target type when checking
@@ -23,6 +24,11 @@
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
 genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
 
+type boolean_t, booleans_type;
+fs_type(boolean_t)
+mls_trusted_object(boolean_t)
+#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0)
+
 neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
 neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
 neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc	2009-02-10 15:07:15.000000000 +0100
@@ -36,7 +36,7 @@
 /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/ps3d.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/(raw/)?rawctl	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 ifdef(`distro_redhat', `
 /dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.5.13/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.if	2009-02-18 14:54:06.000000000 +0100
@@ -207,6 +207,7 @@
 	dev_list_all_dev_nodes($1)
 	allow $1 self:capability mknod;
 	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
+	allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.13/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/terminal.if	2009-02-10 15:07:15.000000000 +0100
@@ -250,9 +250,11 @@
 interface(`term_dontaudit_use_console',`
 	gen_require(`
 		type console_device_t;
+		type tty_device_t;
 	')
 
 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -529,7 +531,7 @@
 
 	dev_list_all_dev_nodes($1)
 	allow $1 devpts_t:dir list_dir_perms;
-	allow $1 devpts_t:chr_file { rw_term_perms lock append };
+	allow $1 devpts_t:chr_file { rw_term_perms lock append open };
 ')
 
 ########################################
@@ -588,7 +590,7 @@
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 ptmx_t:chr_file rw_file_perms;
+	allow $1 ptmx_t:chr_file { rw_file_perms open };
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.13/policy/modules/roles/guest.fc
--- nsaserefpolicy/policy/modules/roles/guest.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/guest.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.13/policy/modules/roles/guest.if
--- nsaserefpolicy/policy/modules/roles/guest.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/guest.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,161 @@
+## <summary>Least privledge terminal user role</summary>
+
+########################################
+## <summary>
+##	Change to the guest role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary> 
+## </param>
+## <rolecap/>
+#
+template(`guest_role_change_template',`
+	userdom_role_change_template($1, guest)
+')
+
+########################################
+## <summary>
+##	Change from the guest role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the guest role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`guest_role_change_to_template',`
+	userdom_role_change_template(guest, $1)
+')
+
+########################################
+## <summary>
+##	Search the guest users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`guest_search_home_dirs',`
+	gen_require(`
+		type guest_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 guest_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the guest
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`guest_dontaudit_search_home_dirs',`
+	gen_require(`
+		type guest_home_dir_t;
+	')
+
+	dontaudit $1 guest_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete guest
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`guest_manage_home_dirs',`
+	gen_require(`
+		type guest_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 guest_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to guest home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`guest_relabelto_home_dirs',`
+	gen_require(`
+		type guest_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 guest_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append to the guest
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`guest_dontaudit_append_home_content_files',`
+	gen_require(`
+		type guest_home_t;
+	')
+
+	dontaudit $1 guest_home_t:file append;
+')
+
+########################################
+## <summary>
+##	Read files in the guest users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`guest_read_home_content_files',`
+	gen_require(`
+		type guest_home_dir_t, guest_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 { guest_home_dir_t guest_home_t }:dir list_dir_perms;
+	read_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t)
+	read_lnk_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.13/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/guest.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,36 @@
+
+policy_module(guest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role xguest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+	java_per_role_template(guest, guest_t, guest_r)
+')
+
+optional_policy(`
+	mono_per_role_template(guest, guest_t, guest_r)
+')
+
+
+optional_policy(`
+	gen_require(`
+		type xguest_t;
+		role xguest_r;
+	')
+
+	mozilla_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.13/policy/modules/roles/logadm.fc
--- nsaserefpolicy/policy/modules/roles/logadm.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/logadm.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.13/policy/modules/roles/logadm.if
--- nsaserefpolicy/policy/modules/roles/logadm.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/logadm.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,44 @@
+## <summary>Audit administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`logadm_role_change_template',`
+	userdom_role_change_template($1, logadm)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`logadm_role_change_to_template',`
+	userdom_role_change_template(logadm, $1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.13/policy/modules/roles/logadm.te
--- nsaserefpolicy/policy/modules/roles/logadm.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/logadm.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,20 @@
+
+policy_module(logadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role logadm_r;
+
+userdom_base_user_template(logadm)
+
+########################################
+#
+# logadmin local policy
+#
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.13/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/staff.te	2009-03-27 09:03:11.000000000 +0100
@@ -4,27 +4,81 @@
 ########################################
 #
 # Declarations
-#
 
+#
 role staff_r;
 
-userdom_unpriv_user_template(staff)
+userdom_admin_login_user_template(staff)
 
 ########################################
 #
 # Local policy
 #
 
+kernel_read_ring_buffer(staff_t)
+kernel_getattr_core_if(staff_t)
+kernel_getattr_message_if(staff_t)
+kernel_read_software_raid_state(staff_t)
+
+term_use_unallocated_ttys(staff_t)
+
+auth_domtrans_pam_console(staff_t)
+
+libs_manage_shared_libs(staff_t)
+
 optional_policy(`
 	auditadm_role_change_template(staff)
 ')
 
 optional_policy(`
+	kerneloops_manage_tmp_files(staff_t)
+')
+
+optional_policy(`
+	logadm_role_change_template(staff)
+')
+
+optional_policy(`
+	postgresql_userdom_template(staff, staff_t, staff_r)
+')
+
+optional_policy(`
 	secadm_role_change_template(staff)
 ')
 
 optional_policy(`
+	ssh_per_role_template(staff, staff_t, staff_r)
+')
+
+optional_policy(`
 	sysadm_role_change_template(staff)
 	sysadm_dontaudit_use_terms(staff_t)
 ')
 
+optional_policy(`
+	usernetctl_run(staff_t, staff_r, { staff_devpts_t staff_tty_device_t })
+')
+
+optional_policy(`
+	unconfined_role_change_template(staff)
+')
+
+optional_policy(`
+	webadm_role_change_template(staff)
+')
+
+optional_policy(`
+	cron_admin_template(sysadm)
+')
+
+optional_policy(`
+	xguest_role_change_template(staff)
+')
+
+optional_policy(`
+	guest_role_change_template(staff)
+')
+
+optional_policy(`
+	unprivuser_role_change_template(staff)
+')
Binary files nsaserefpolicy/policy/modules/roles/.staff.te.swp and serefpolicy-3.5.13/policy/modules/roles/.staff.te.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if	2009-02-18 10:14:24.000000000 +0100
@@ -334,10 +334,10 @@
 #
 interface(`sysadm_getattr_home_dirs',`
 	gen_require(`
-		type sysadm_home_dir_t;
+		type admin_home_t;
 	')
 
-	allow $1 sysadm_home_dir_t:dir getattr;
+	allow $1 admin_home_t:dir getattr;
 ')
 
 ########################################
@@ -354,10 +354,29 @@
 #
 interface(`sysadm_dontaudit_getattr_home_dirs',`
 	gen_require(`
-		type sysadm_home_dir_t;
+		type admin_home_t;
 	')
 
-	dontaudit $1 sysadm_home_dir_t:dir getattr;
+	dontaudit $1 admin_home_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to 
+##	sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_write_home_dirs',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	dontaudit $1 admin_home_t:dir write;
 ')
 
 ########################################
@@ -372,10 +391,10 @@
 #
 interface(`sysadm_search_home_dirs',`
 	gen_require(`
-		type sysadm_home_dir_t;
+		type admin_home_t;
 	')
 
-	allow $1 sysadm_home_dir_t:dir search_dir_perms;
+	allow $1 admin_home_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -391,10 +410,10 @@
 #
 interface(`sysadm_dontaudit_search_home_dirs',`
 	gen_require(`
-		type sysadm_home_dir_t;
+		type admin_home_t;
 	')
 
-	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+	dontaudit $1 admin_home_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -409,10 +428,10 @@
 #
 interface(`sysadm_list_home_dirs',`
 	gen_require(`
-		type sysadm_home_dir_t;
+		type admin_home_t;
 	')
 
-	allow $1 sysadm_home_dir_t:dir list_dir_perms;
+	allow $1 admin_home_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -428,10 +447,10 @@
 #
 interface(`sysadm_dontaudit_list_home_dirs',`
 	gen_require(`
-		type sysadm_home_dir_t;
+		type admin_home_t;
 	')
 
-	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+	dontaudit $1 admin_home_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -458,10 +477,10 @@
 #
 interface(`sysadm_home_dir_filetrans',`
 	gen_require(`
-		type sysadm_home_dir_t;
+		type admin_home_t;
 	')
 
-	filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
+	filetrans_pattern($1, admin_home_t, $2, $3)
 ')
 
 ########################################
@@ -476,10 +495,10 @@
 #
 interface(`sysadm_search_home_content_dirs',`
 	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
+		type admin_home_t;
 	')
 
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+	allow $1 admin_home_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -494,13 +513,12 @@
 #
 interface(`sysadm_read_home_content_files',`
 	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
+		type admin_home_t;
 	')
 
 	files_search_home($1)
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
-	read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
-	read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+	read_files_pattern($1, admin_home_t, admin_home_t)
+	read_lnk_files_pattern($1, admin_home_t, admin_home_t)
 ')
 
 ########################################
@@ -516,12 +534,52 @@
 #
 interface(`sysadm_dontaudit_read_home_content_files',`
 	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
+		type admin_home_t;
 	')
 
-	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-	dontaudit $1 sysadm_home_t:dir search_dir_perms;
-	dontaudit $1 sysadm_home_t:file read_file_perms;
+	dontaudit $1 admin_home_t:dir list_dir_perms;
+	dontaudit $1 admin_home_t:file read_file_perms;
+
+')
+########################################
+## <summary>
+##	Do not audit attempts to read sym links in the sysadm
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_read_home_sym_links',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
+
+')
+
+######################################
+## <summary>
+##      Do not audit attempts to manage files in the sysadm
+##      home directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`sysadm_dontaudit_manage_home_files',`
+        gen_require(`
+                type admin_home_t;
+        ')
+
+        dontaudit $1 admin_home_t:dir manage_dir_perms;
+        dontaudit $1 admin_home_t:file manage_file_perms;
+        dontaudit $1 admin_home_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
@@ -536,12 +594,12 @@
 #
 interface(`sysadm_read_tmp_files',`
 	gen_require(`
-		type sysadm_tmp_t;
+		type user_tmp_t;
 	')
 
 	files_search_tmp($1)
-	allow $1 sysadm_tmp_t:dir list_dir_perms;
-	read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
-	read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+	allow $1 user_tmp_t:dir list_dir_perms;
+	read_files_pattern($1, user_tmp_t, user_tmp_t)
+	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te	2009-02-10 15:07:15.000000000 +0100
@@ -15,7 +15,7 @@
 
 role sysadm_r;
 
-userdom_admin_user_template(sysadm)
+userdom_admin_login_user_template(sysadm)
 
 ifndef(`enable_mls',`
 	userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
@@ -110,10 +110,6 @@
 ')
 
 optional_policy(`
-	cron_admin_template(sysadm)
-')
-
-optional_policy(`
 	cvs_exec(sysadm_t)
 ')
 
@@ -171,6 +167,10 @@
 ')
 
 optional_policy(`
+	kerberos_exec_kadmind(sysadm_t)
+')
+
+optional_policy(`
 	kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
 ')
 
@@ -215,8 +215,8 @@
 
 optional_policy(`
 	netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+#	netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+#	netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if
--- nsaserefpolicy/policy/modules/roles/unprivuser.if	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if	2009-02-10 15:07:15.000000000 +0100
@@ -62,6 +62,26 @@
 	files_home_filetrans($1, user_home_dir_t, dir)
 ')
 
+
+########################################
+## <summary>
+##	Create generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_home_dir_filetrans',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	filetrans_pattern($1, user_home_dir_t, $2, $3)
+')
+
 ########################################
 ## <summary>
 ##	Search generic user home directories.
@@ -77,6 +97,7 @@
 		type user_home_dir_t;
 	')
 
+	files_search_home($1)
 	allow $1 user_home_dir_t:dir search_dir_perms;
 ')
 
@@ -177,11 +198,29 @@
 #
 interface(`unprivuser_manage_home_content_dirs',`
 	gen_require(`
-		type user_home_dir_t, user_home_t;
+		attribute user_home_dir_type, user_home_type;
 	')
 
 	files_search_home($1)
-	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+	manage_dirs_pattern($1, { user_home_dir_type user_home_type }, user_home_type)
+')
+
+########################################
+## <summary>
+##	Don't audit list on the user home subdirectory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_list_home_dirs',`
+	gen_require(`
+		type user_home_t, user_home_dir_t;
+	')
+
+	dontaudit $1 { user_home_dir_t user_home_t }:dir list_dir_perms;
 ')
 
 ########################################
@@ -236,11 +275,30 @@
 #
 interface(`unprivuser_mmap_home_content_files',`
 	gen_require(`
-		type user_home_t;
+		attribute user_home_type;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_type:file execute;
+')
+
+########################################
+## <summary>
+##	Read link files in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_read_home_content_symlinks',`
+	gen_require(`
+		type user_home_t, user_home_dir_t;
 	')
 
 	files_search_home($1)
-	allow $1 user_home_t:file execute;
+	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 ')
 
 ########################################
@@ -342,3 +400,542 @@
 	manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to write user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to write user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`unprivuser_dontaudit_write_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file write;
+
+	fs_dontaudit_list_nfs($1)
+	fs_dontaudit_rw_nfs_files($1)
+
+	fs_dontaudit_list_cifs($1)
+	fs_dontaudit_rw_cifs_files($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to unlink user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to unlink user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`unprivuser_dontaudit_unlink_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to manage users
+##	temporary directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to manage users
+##	temporary directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`unprivuser_dontaudit_manage_tmp_dirs',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:dir manage_dir_perms;
+')
+
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary named sockets.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete user
+##	temporary named sockets.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`unprivuser_manage_tmp_sockets',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Read all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_read_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	read_files_pattern($1, user_tmp_t,  user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Write all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_write_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	write_files_pattern($1, user_tmp_t,  user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Write all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_files_pattern($1, user_tmp_t,  user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Write all unprivileged users lnk_files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_tmp_symlinks',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_lnk_files_pattern($1, user_tmp_t,  user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to relabel unpriv user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_home_content_files',`
+	gen_require(`
+		attribute user_home_type;
+	')
+
+	dontaudit $1 user_home_type:file { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+##	unlink all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_unlink_tmp_files',`
+	gen_require(`
+		attribute user_tmpfile;
+	')
+
+	files_delete_tmp_dir_entry($1)
+	allow $1 user_tmpfile:file unlink;
+')
+
+########################################
+## <summary>
+##	Connect to unpriviledged users over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_stream_connect',`
+	gen_require(`
+		attribute user_tmpfile;
+		attribute userdomain;
+	')
+
+	stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary directories.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete user
+##	temporary directories.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`unprivuser_manage_tmp_dirs',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary named pipes.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete user
+##	temporary named pipes.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`unprivuser_manage_tmp_pipes',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+##	Manage user untrusted files.
+## </summary>
+## <desc>
+##      <p>
+##      Create, read, write, and delete untrusted files.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`unprivuser_manage_untrusted_content_files',`
+	gen_require(`
+		type user_untrusted_content_t;
+	')
+
+	manage_files_pattern($1, user_untrusted_content_t, user_untrusted_content_t)
+')
+
+########################################
+## <summary>
+##	Manage user untrusted tmp files.
+## </summary>
+## <desc>
+##      <p>
+##      Create, read, write, and delete untrusted tmp files.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`unprivuser_manage_untrusted_content_tmp_files',`
+	gen_require(`
+		type user_untrusted_content_tmp_t;
+	')
+
+	manage_files_pattern($1, user_untrusted_content_tmp_t, user_untrusted_content_tmp_t)
+')
+
+########################################
+## <summary>
+##	RW unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_rw_semaphores',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+##	Read user tmpfs files.
+## </summary>
+## <desc>
+##	<p>
+##	<p>
+##	read user temporary file system files
+##	</p>
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`unprivuser_read_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Unlink user tmpfs files.
+## </summary>
+## <desc>
+##	<p>
+##	Read/write user tmpfs files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`unprivuser_delete_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 user_tmpfs_t:dir list_dir_perms;
+	delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	append all unprivileged users home directory
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_append_home_content_files',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_type:dir list_dir_perms;
+	append_files_pattern($1, { user_home_dir_type user_home_type }, user_home_type)
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_append_nfs_files($1)
+	')
+	tunable_policy(`use_samba_home_dirs',`
+		fs_append_cifs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	dontaudit append all unprivileged users home directory
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_append_home_content_files',`
+	gen_require(`
+		attribute user_home_type;
+	')
+
+	dontaudit $1 user_home_type:file  append_file_perms;
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_dontaudit_append_nfs_files($1)
+	')
+	tunable_policy(`use_samba_home_dirs',`
+		fs_dontaudit_append_cifs_files($1)
+	')
+')
+
+########################################
+## <summary>
+##	dontaudit Read all unprivileged users home directory
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_read_home_content_files',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_search_home($1)
+	dontaudit $1 user_home_type:dir list_dir_perms;
+	dontaudit $1 user_home_type:file read_file_perms;
+	dontaudit $1 user_home_type:file read_lnk_file_perms;
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_dontaudit_read_nfs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_dontaudit_read_cifs_files($1)
+	')
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.13/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,3 +13,18 @@
 
 userdom_unpriv_user_template(user)
 
+optional_policy(`
+	kerneloops_dontaudit_dbus_chat(user_t)
+')
+
+optional_policy(`
+	postgresql_userdom_template(user, user_t, user_r)
+')
+
+optional_policy(`
+	rpm_dontaudit_dbus_chat(user_t)
+')
+
+optional_policy(`
+	setroubleshoot_dontaudit_stream_connect(user_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.13/policy/modules/roles/webadm.fc
--- nsaserefpolicy/policy/modules/roles/webadm.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/webadm.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.13/policy/modules/roles/webadm.if
--- nsaserefpolicy/policy/modules/roles/webadm.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/webadm.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,44 @@
+## <summary>Policy for webadm role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`webadm_role_change_template',`
+	userdom_role_change_template($1, webadm)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`webadm_role_change_to_template',`
+	userdom_role_change_template(webadm, $1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.13/policy/modules/roles/webadm.te
--- nsaserefpolicy/policy/modules/roles/webadm.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/webadm.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,65 @@
+
+policy_module(webadm, 1.0.0)
+
+## <desc>
+## <p>
+## Allow webadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_read_user_files, false)
+
+## <desc>
+## <p>
+## Allow webadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(webadm_manage_user_files, false)
+
+########################################
+#
+# Declarations
+#
+
+role webadm_r;
+
+userdom_base_user_template(webadm)
+
+########################################
+#
+# webadmin local policy
+#
+
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+unprivuser_dontaudit_search_home_dirs(webadm_t)
+
+optional_policy(`
+	sysadm_role_change_template(webadm)
+	sysadm_dontaudit_read_home_content_files(webadm_t)
+')
+
+apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t })
+
+optional_policy(`
+tunable_policy(`webadm_read_user_files',`
+   unprivuser_read_home_content_files(webadm_t)
+   unprivuser_read_tmp_files(webadm_t)
+')
+')
+
+optional_policy(`
+tunable_policy(`webadm_manage_user_files',`
+   unprivuser_manage_home_content_dirs(webadm_t)
+   unprivuser_read_tmp_files(webadm_t)
+   unprivuser_write_tmp_files(webadm_t)
+')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.13/policy/modules/roles/xguest.fc
--- nsaserefpolicy/policy/modules/roles/xguest.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/xguest.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.13/policy/modules/roles/xguest.if
--- nsaserefpolicy/policy/modules/roles/xguest.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/xguest.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,161 @@
+## <summary>Least privledge X Windows user role</summary>
+
+########################################
+## <summary>
+##	Change to the xguest role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`xguest_role_change_template',`
+	userdom_role_change_template($1, xguest)
+')
+
+########################################
+## <summary>
+##	Change from the xguest role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the xguest role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`xguest_role_change_to_template',`
+	userdom_role_change_template(xguest, $1)
+')
+
+########################################
+## <summary>
+##	Search the xguest users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xguest_search_home_dirs',`
+	gen_require(`
+		type xguest_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 xguest_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the xguest
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xguest_dontaudit_search_home_dirs',`
+	gen_require(`
+		type xguest_home_dir_t;
+	')
+
+	dontaudit $1 xguest_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete xguest
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xguest_manage_home_dirs',`
+	gen_require(`
+		type xguest_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 xguest_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to xguest home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xguest_relabelto_home_dirs',`
+	gen_require(`
+		type xguest_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 xguest_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append to the xguest
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xguest_dontaudit_append_home_content_files',`
+	gen_require(`
+		type xguest_home_t;
+	')
+
+	dontaudit $1 xguest_home_t:file append;
+')
+
+########################################
+## <summary>
+##	Read files in the xguest users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xguest_read_home_content_files',`
+	gen_require(`
+		type xguest_home_dir_t, xguest_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 { xguest_home_dir_t xguest_home_t }:dir list_dir_perms;
+	read_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t)
+	read_lnk_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.13/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/xguest.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,87 @@
+
+policy_module(xguest, 1.0.0)
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media, true)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network, true)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth, true)
+
+########################################
+#
+# Declarations
+#
+
+role xguest_r;
+
+userdom_restricted_xwindows_user_template(xguest)
+
+########################################
+#
+# Local policy
+#
+
+#optional_policy(`
+#	mozilla_per_role_template(xguest, xguest_t, xguest_r)
+#')
+
+optional_policy(`
+	java_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+	mono_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+	nsplugin_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+# Allow mounting of file systems
+optional_policy(`
+	tunable_policy(`xguest_mount_media',`
+		hal_dbus_chat(xguest_t)
+		init_read_utmp(xguest_t)
+		auth_list_pam_console_data(xguest_t)
+		kernel_read_fs_sysctls(xguest_t)
+		files_dontaudit_getattr_boot_dirs(xguest_t)
+		files_search_mnt(xguest_t)
+		fs_manage_noxattr_fs_files(xguest_t)
+		fs_manage_noxattr_fs_dirs(xguest_t)
+		fs_manage_noxattr_fs_dirs(xguest_t)
+		fs_getattr_noxattr_fs(xguest_t)
+		fs_read_noxattr_fs_symlinks(xguest_t)
+	')
+')
+
+optional_policy(`
+	hal_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+	tunable_policy(`xguest_connect_network',`
+		networkmanager_dbus_chat(xguest_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`xguest_use_bluetooth',`
+		bluetooth_dbus_chat(xguest_t)
+	')
+')
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.13/policy/modules/services/aide.if
--- nsaserefpolicy/policy/modules/services/aide.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/aide.if	2009-02-10 15:07:15.000000000 +0100
@@ -70,9 +70,11 @@
 	allow $1 aide_t:process { ptrace signal_perms };
 	ps_process_pattern($1, aide_t)
 
+	aide_run($1, $2, $3)
+
 	files_list_etc($1)
-	manage_files_pattern($1, aide_db_t, aide_db_t)
+	admin_pattern($1, aide_db_t, aide_db_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, aide_log_t, aide_log_t)
+	admin_pattern($1, aide_log_t, aide_log_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.5.13/policy/modules/services/amavis.if
--- nsaserefpolicy/policy/modules/services/amavis.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/amavis.if	2009-02-10 15:07:15.000000000 +0100
@@ -189,6 +189,26 @@
 
 ########################################
 ## <summary>
+##      Read/write amavis PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`amavis_rw_pid_files',`
+        gen_require(`
+                type amavis_var_run_t;
+        ')
+
+        files_search_pids($1)
+	add_entry_dirs_pattern($1, amavis_var_run_t, amavis_var_run_t )
+        allow $1 amavis_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an amavis environment
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.5.13/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/amavis.te	2009-06-11 12:21:57.000000000 +0200
@@ -103,6 +103,8 @@
 kernel_dontaudit_read_proc_symlinks(amavis_t)
 kernel_dontaudit_read_system_state(amavis_t)
 
+fs_getattr_xattr_fs(amavis_t)
+
 # find perl
 corecmd_exec_bin(amavis_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/apache.fc	2009-06-03 08:00:14.000000000 +0200
@@ -1,16 +1,18 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 
 /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd			-d	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf.*			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
 /etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
 /etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
 
 /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/git(/.*)?                         gen_context(system_u:object_r:httpd_sys_content_t,s0)
 
 /usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
 
@@ -22,6 +24,7 @@
 /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/lib(64)?/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 
+/usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -32,12 +35,16 @@
 /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 
+/usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 
+/var/lib/git(/.*)?                      gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/cache/cgit(/.*)?                   gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mod_proxy(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mod_ssl(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -47,11 +54,16 @@
 
 /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
 /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 
+/var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@@ -64,11 +76,28 @@
 /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 
 /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
 
 /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)?  		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/svn(/.*)?                      gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)?                gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?                 gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.13/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/apache.if	2009-02-10 15:07:15.000000000 +0100
@@ -13,21 +13,16 @@
 #
 template(`apache_content_template',`
 	gen_require(`
-		attribute httpdcontent;
 		attribute httpd_exec_scripts;
 		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 	')
-	# allow write access to public file transfer
-	# services files.
-	gen_tunable(allow_httpd_$1_script_anon_write, false)
-
 	#This type is for webpages
-	type httpd_$1_content_t, httpdcontent; # customizable
+	type httpd_$1_content_t;
 	files_type(httpd_$1_content_t)
 
 	# This type is used for .htaccess files
-	type httpd_$1_htaccess_t; # customizable;
+	type httpd_$1_htaccess_t;
 	files_type(httpd_$1_htaccess_t)
 
 	# Type that CGI scripts run as
@@ -42,20 +37,22 @@
 
 	# The following three are the only areas that 
 	# scripts can read, read/write, or append to
-	type httpd_$1_script_ro_t, httpdcontent; # customizable
-	files_type(httpd_$1_script_ro_t)
+	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
 
-	type httpd_$1_script_rw_t, httpdcontent; # customizable
-	files_type(httpd_$1_script_rw_t)
+	type httpd_$1_content_rw_t;
+	files_type(httpd_$1_content_rw_t)
+	typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t;
 
-	type httpd_$1_script_ra_t, httpdcontent; # customizable
-	files_type(httpd_$1_script_ra_t)
+	type httpd_$1_content_ra_t;
+	files_type(httpd_$1_content_ra_t)
+	typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t;
 
-	allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
+	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
 
 	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 
-	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
+	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
+	allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
 
 	allow httpd_$1_script_t self:fifo_file rw_file_perms;
 	allow httpd_$1_script_t self:unix_stream_socket connectto;
@@ -65,29 +62,26 @@
 	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
 
 	# Allow the script process to search the cgi directory, and users directory
-	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
 
 	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
 	logging_search_logs(httpd_$1_script_t)
 
 	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-	allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
+	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
 
-	allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
-	read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-
-	allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
-	read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
-	read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
-
-	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file })
+	allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
+	read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+	append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+
+	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+	manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
 
 	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
 	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -96,6 +90,7 @@
 	dev_read_urand(httpd_$1_script_t)
 
 	corecmd_exec_all_executables(httpd_$1_script_t)
+	application_exec_all(httpd_$1_script_t)
 
 	files_exec_etc_files(httpd_$1_script_t)
 	files_read_etc_files(httpd_$1_script_t)
@@ -111,34 +106,21 @@
 
 	seutil_dontaudit_search_config(httpd_$1_script_t)
 
-	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		allow httpd_$1_script_t httpdcontent:file entrypoint;
-
-		manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-		manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-		manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-		can_exec(httpd_$1_script_t, httpdcontent)
-	')
-
-	tunable_policy(`allow_httpd_$1_script_anon_write',`
-		miscfiles_manage_public_files(httpd_$1_script_t)
-	') 
-
 	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
-		manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-		manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-		manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-		rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-
-		allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
-		read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-		append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-		read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-
-		allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
-		read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-		read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
+		manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+		manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+		manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+		rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
+
+		allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
+		read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+		append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+		read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
+
+		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
 
 		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
 		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -151,9 +133,13 @@
 		# privileged users run the script:
 		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
 
+		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
 		# apache runs the script:
 		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 
+		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
+
 		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
 		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
 
@@ -177,50 +163,6 @@
 		miscfiles_read_localization(httpd_$1_script_t)
 	')
 
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
-		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
-		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_all_ports(httpd_$1_script_t)
-		corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		mta_send_mail(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-			mysql_tcp_connect(httpd_$1_script_t)
-		')
-	')
-
 	optional_policy(`
 		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 			nis_use_ypbind_uncond(httpd_$1_script_t)
@@ -229,10 +171,6 @@
 
 	optional_policy(`
 		postgresql_unpriv_client(httpd_$1_script_t)
-
-		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-			postgresql_tcp_connect(httpd_$1_script_t)
-		')
 	')
 
 	optional_policy(`
@@ -275,72 +213,77 @@
 template(`apache_per_role_template', `
 	gen_require(`
 		attribute httpdcontent, httpd_script_domains;
-		attribute httpd_exec_scripts, httpd_user_content_type;
-		attribute httpd_user_script_exec_type;
-		type httpd_t, httpd_suexec_t, httpd_log_t;
+		attribute httpd_exec_scripts;
+		type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t;
+		type httpd_user_content_t;
+		type httpd_user_script_t;
+		type httpd_user_content_ra_t;
+		type httpd_user_content_rw_t;
+		type httpd_user_content_t;
+		type httpd_user_script_exec_t;
+		type httpd_user_htaccess_t;
 	')
 
-	apache_content_template($1)
 
-	typeattribute httpd_$1_content_t httpd_user_content_type;
-	typeattribute httpd_$1_script_ra_t httpd_user_content_type;
-	typeattribute httpd_$1_script_rw_t httpd_user_content_type;
-	typeattribute httpd_$1_script_ro_t httpd_user_content_type;
-	typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type;
-
-	typeattribute httpd_$1_script_t httpd_script_domains;
-	userdom_user_home_content($1,httpd_$1_content_t)
-
-	role $3 types httpd_$1_script_t;
-
-	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
-
-	allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };
-
-	manage_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	manage_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	manage_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	relabel_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	relabel_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	relabel_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-
-	manage_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	manage_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	manage_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	relabel_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	relabel_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	relabel_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-
-	manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	relabel_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	relabel_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	relabel_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-
-	manage_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	manage_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	manage_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	relabel_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	relabel_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	relabel_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
+	ifelse(`$1',`user',`',`
+		typealias httpd_user_content_t alias httpd_$1_script_t;
+		typealias httpd_user_content_ra_t alias httpd_$1_script_ra_t;
+		typealias httpd_user_content_rw_t alias httpd_$1_script_rw_t;
+		typealias httpd_user_content_t alias httpd_$1_script_ro_t;
+		typealias httpd_user_script_exec_t alias httpd_$1_script_exec_t;
+		typealias httpd_user_htaccess_t alias httpd_$1_htaccess_t;
+	')
+
+
+	role $3 types httpd_user_script_t;
+
+	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+
+	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+	manage_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+	manage_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+	manage_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+	relabel_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+	relabel_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
+
+	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+	manage_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+	manage_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+	manage_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+	relabel_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+	relabel_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
+
+	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
 
 	tunable_policy(`httpd_enable_cgi',`
 		# If a user starts a script by hand it gets the proper context
-		domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		allow httpd_$1_script_t httpdcontent:file entrypoint;
-
-		domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
+		can_exec(httpd_user_script_t, httpd_user_content_t)
 	')
 
 	# allow accessing files/dirs below the users home dir
 	tunable_policy(`httpd_enable_homedirs',`
-		userdom_search_user_home_dirs($1,httpd_t)
-		userdom_search_user_home_dirs($1,httpd_suexec_t)
-		userdom_search_user_home_dirs($1,httpd_$1_script_t)
+		userdom_search_user_home_dirs(user, httpd_t)
+		userdom_search_user_home_dirs(user, httpd_suexec_t)
+		userdom_search_user_home_dirs(user, httpd_user_script_t)
+		userdom_search_user_home_dirs(user, httpd_sys_script_t)
 	')
 ')
 
@@ -362,12 +305,11 @@
 #
 template(`apache_read_user_scripts',`
 	gen_require(`
-		type httpd_$1_script_exec_t;
+		type httpd_user_script_exec_t;
 	')
-
-	allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
-	read_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	read_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
+	allow $2 httpd_user_script_exec_t:dir list_dir_perms;
+	read_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	read_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
 ')
 
 ########################################
@@ -388,12 +330,12 @@
 #
 template(`apache_read_user_content',`
 	gen_require(`
-		type httpd_$1_content_t;
+		type httpd_user_content_t;
 	')
 
-	allow $2 httpd_$1_content_t:dir list_dir_perms;
-	read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
-	read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
+	allow $2 httpd_user_content_t:dir list_dir_perms;
+	read_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	read_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
 ')
 
 ########################################
@@ -771,6 +713,7 @@
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
+	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
 ')
 
 ########################################
@@ -790,7 +733,7 @@
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
-	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+	allow $1 httpd_modules_t:lnk_file read_file_perms;
 	can_exec($1,httpd_modules_t)
 ')
 
@@ -838,6 +781,32 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to delete
+##	apache system content rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+interface(`apache_delete_sys_content_rw',`
+	gen_require(`
+		type httpd_sys_content_rw_t;
+	')
+
+	files_search_tmp($1)
+	delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+	delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+	delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+	delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+	delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
+')
+
+########################################
+## <summary>
 ##	Execute all web scripts in the system
 ##	script domain.
 ## </summary>
@@ -851,12 +820,16 @@
 # sysadm_t to run scripts
 interface(`apache_domtrans_sys_script',`
 	gen_require(`
-		attribute httpdcontent;
 		type httpd_sys_script_t;
+		type httpd_sys_content_t;
+	')
+
+	tunable_policy(`httpd_enable_cgi',`
+		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
+		domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t)
 	')
 ')
 
@@ -942,7 +915,7 @@
 		type httpd_squirrelmail_t;
 	')
 
-	allow $1 httpd_squirrelmail_t:file { getattr read };
+	read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
 ')
 
 ########################################
@@ -1033,16 +1006,16 @@
 #
 interface(`apache_manage_all_user_content',`
 	gen_require(`
-		attribute httpd_user_content_type, httpd_user_script_exec_type;
+		type httpd_user_content_t, httpd_user_script_exec_t;
 	')
 
-	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
-	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
-	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_dirs_pattern($1, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
 
-	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
-	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
-	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_dirs_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
 ')
 
 ########################################
@@ -1098,3 +1071,160 @@
 
 	allow httpd_t $1:process signal;
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to search 
+##	apache bugzilla directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_search_bugzilla_dirs',`
+	gen_require(`
+		type httpd_bugzilla_content_t;
+	')
+
+	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
+##	bugzill script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',`
+	gen_require(`
+		type httpd_bugzilla_script_t;
+	')
+
+	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an apache environment
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix of the domain. Example, user would be
+##	the prefix for the uder_t domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the apache domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+
+	gen_require(`
+		type httpd_t, httpd_initrc_exec_t, httpd_config_t;
+		type httpd_log_t, httpd_modules_t, httpd_lock_t;
+		type httpd_var_run_t;
+		attribute httpdcontent;
+		attribute httpd_script_exec_type;
+		type httpd_bool_t;
+		type httpd_php_tmp_t;
+		type httpd_suexec_tmp_t;
+		type httpd_tmp_t;
+
+	')
+
+	allow $1 httpd_t:process { getattr ptrace signal_perms };
+	ps_process_pattern($1, httpd_t)
+
+	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 httpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	apache_manage_all_content($1)
+	miscfiles_manage_public_files($1)
+
+	files_search_etc($1)
+	admin_pattern($1, httpd_config_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, httpd_log_t)
+
+	admin_pattern($1, httpd_modules_t)
+
+	admin_pattern($1, httpd_lock_t)
+	files_lock_filetrans($1, httpd_lock_t, file)
+
+	admin_pattern($1, httpd_var_run_t)
+	files_pid_filetrans($1, httpd_var_run_t, file)
+
+	kernel_search_proc($1)
+	allow $1 httpd_t:dir list_dir_perms;
+	ps_process_pattern($1, httpd_t)
+	read_lnk_files_pattern($1, httpd_t, httpd_t)
+
+	admin_pattern($1, httpdcontent)
+	admin_pattern($1, httpd_script_exec_type)
+
+	seutil_domtrans_setfiles($1)
+
+	admin_pattern($1, httpd_tmp_t)
+	admin_pattern($1, httpd_php_tmp_t)
+	admin_pattern($1, httpd_suexec_tmp_t)
+	files_tmp_filetrans($1, httpd_tmp_t, { file dir })
+
+ifdef(`TODO',`
+	apache_set_booleans($1, $2, $3, httpd_bool_t )
+	seutil_setsebool_per_role_template($1, httpd, $3)
+	allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+	allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+')
+')
+
+########################################
+## <summary>
+##	Mark content as being readable by standard apache processes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`apache_ro_content',`
+	gen_require(`
+		attribute httpd_ro_content;
+	')
+	typeattribute $1  httpd_ro_content;
+')
+
+########################################
+## <summary>
+##	Mark content as being read/write by standard apache processes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`apache_rw_content',`
+	gen_require(`
+		attribute httpd_rw_content;
+	')
+	typeattribute $1  httpd_rw_content;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/apache.te	2009-02-18 10:20:44.000000000 +0100
@@ -20,6 +20,8 @@
 # Declarations
 #
 
+selinux_genbool(httpd_bool_t)
+
 ## <desc>
 ## <p>
 ## Allow Apache to modify public files
@@ -31,10 +33,17 @@
 
 ## <desc>
 ## <p>
-## Allow Apache to use mod_auth_pam
+## Allow httpd scripts and modules execmem/execstack
 ## </p>
 ## </desc>
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
+## </desc>
+gen_tunable(httpd_dbus_avahi, false)
 
 ## <desc>
 ## <p>
@@ -45,7 +54,14 @@
 
 ## <desc>
 ## <p>
-## Allow HTTPD scripts and modules to connect to the network using TCP.
+## Allow http daemon to send mail
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect, false)
@@ -109,14 +125,35 @@
 ## </desc>
 gen_tunable(httpd_unified, false)
 
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow apache scripts to write to public content.  Directories/Files must be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
+attribute httpd_ro_content;
+attribute httpd_rw_content;
 attribute httpdcontent;
-attribute httpd_user_content_type;
 
 # domains that can exec all users scripts
 attribute httpd_exec_scripts;
 
 attribute httpd_script_exec_type;
-attribute httpd_user_script_exec_type;
 
 # user script domains
 attribute httpd_script_domains;
@@ -141,6 +178,9 @@
 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
 role system_r types httpd_helper_t;
 
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
@@ -181,6 +221,10 @@
 # setup the system domain for system CGI scripts
 apache_content_template(sys)
 
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
+
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
 
@@ -202,12 +246,26 @@
 	prelink_object_file(httpd_modules_t)
 ')
 
+apache_content_template(user)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_script_rw_t httpdcontent;
+typeattribute httpd_user_script_ra_t httpdcontent;
+#typeattribute httpd_user_script_exec_t httpdcontent;
+userdom_user_home_content(user, httpd_user_content_t)
+userdom_user_home_content(user, httpd_user_htaccess_t)
+userdom_user_home_content(user, httpd_user_script_exec_t)
+userdom_user_home_content(user, httpd_user_script_ra_t)
+userdom_user_home_content(user, httpd_user_script_ro_t)
+userdom_user_home_content(user, httpd_user_script_rw_t)
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
+miscfiles_read_public_files(httpd_user_script_t)
+
 ########################################
 #
 # Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
@@ -249,6 +307,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -260,9 +319,9 @@
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -278,6 +337,7 @@
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
 
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
@@ -289,6 +349,7 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
 
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
@@ -299,6 +360,7 @@
 corenet_tcp_sendrecv_all_ports(httpd_t)
 corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_all_nodes(httpd_t)
+corenet_udp_bind_all_nodes(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
 corenet_sendrecv_http_server_packets(httpd_t)
@@ -312,12 +374,12 @@
 
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
+fs_list_inotifyfs(httpd_t)
+fs_read_iso9660_files(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
 
@@ -334,7 +396,10 @@
 # for tomcat
 files_read_var_lib_symlinks(httpd_t)
 
-fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file })
 
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
@@ -351,18 +416,33 @@
 
 userdom_use_unpriv_users_fds(httpd_t)
 
-mta_send_mail(httpd_t)
-
 tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
 ') 
 
-ifdef(`TODO', `
 #
 # We need optionals to be able to be within booleans to make this work
 #
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
 tunable_policy(`allow_httpd_mod_auth_pam',`
-	auth_domtrans_chk_passwd(httpd_t)
+	auth_domtrans_chkpwd(httpd_t)
+')
+
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
+tunable_policy(`allow_httpd_mod_auth_pam',`
+		samba_domtrans_winbind_helper(httpd_t)
 ')
 ')
 
@@ -370,20 +450,68 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
+tunable_policy(`httpd_can_sendmail',`
+	# allow httpd to connect to mail servers
+	corenet_tcp_connect_smtp_port(httpd_t)
+	corenet_sendrecv_smtp_client_packets(httpd_t)
+	corenet_tcp_connect_pop_port(httpd_t)
+	corenet_sendrecv_pop_client_packets(httpd_t)
+	mta_send_mail(httpd_t)
+	mta_send_mail(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_can_network_relay',`
 	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
 	corenet_tcp_connect_ftp_port(httpd_t)
 	corenet_tcp_connect_http_port(httpd_t)
 	corenet_tcp_connect_http_cache_port(httpd_t)
+	corenet_tcp_connect_memcache_port(httpd_t)
 	corenet_sendrecv_gopher_client_packets(httpd_t)
 	corenet_sendrecv_ftp_client_packets(httpd_t)
 	corenet_sendrecv_http_client_packets(httpd_t)
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
 
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+	can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+
+	allow httpd_user_script_t httpdcontent:file entrypoint;
+	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t)
+        manage_files_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t)
+        manage_files_pattern(httpd_user_script_t, httpd_user_script_ra_t,httpd_user_script_ra_t)
+        manage_dirs_pattern(httpd_user_script_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
+        manage_dirs_pattern(httpd_user_script_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
+        manage_files_pattern(httpd_user_script_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
+        manage_dirs_pattern(httpd_user_script_t, httpd_user_script_ro_t, httpd_user_script_ro_t)
+        manage_files_pattern(httpd_user_script_t, httpd_user_script_ro_t, httpd_user_script_ro_t)
+')
+
+
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+	miscfiles_manage_public_files(httpd_sys_script_t)
+') 
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+	domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
+	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+	manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+	manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+	manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -394,20 +522,28 @@
 	corenet_tcp_bind_ftp_port(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_unpriv_users_home_content_files(httpd_t)
-')
-
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_t)
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_use_nfs',`
+	fs_manage_nfs_dirs(httpd_t)
+	fs_manage_nfs_files(httpd_t)
+	fs_manage_nfs_symlinks(httpd_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_t)
 	fs_read_cifs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_use_cifs',`
+	fs_manage_cifs_dirs(httpd_t)
+	fs_manage_cifs_files(httpd_t)
+	fs_manage_cifs_symlinks(httpd_t)
+')
+
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
@@ -441,8 +577,13 @@
 ')
 
 optional_policy(`
-	kerberos_use(httpd_t)
-	kerberos_read_kdc_config(httpd_t)
+	dbus_system_bus_client_template(httpd, httpd_t)
+	tunable_policy(`httpd_dbus_avahi',`
+		avahi_dbus_chat(httpd_t)
+	')
+')
+optional_policy(`
+	kerberos_keytab_template(httpd, httpd_t)
 ')
 
 optional_policy(`
@@ -454,18 +595,13 @@
 ')
 
 optional_policy(`
-	# Allow httpd to work with mysql
 	mysql_stream_connect(httpd_t)
 	mysql_rw_db_sockets(httpd_t)
-
-	tunable_policy(`httpd_can_network_connect_db',`
-		mysql_tcp_connect(httpd_t)
-	')
+	mysql_read_config(httpd_t)
 ')
 
 optional_policy(`
 	nagios_read_config(httpd_t)
-	nagios_domtrans_cgi(httpd_t)
 ')
 
 optional_policy(`
@@ -475,6 +611,12 @@
 	openca_kill(httpd_t)
 ')
 
+tunable_policy(`httpd_execmem',`
+	allow httpd_t self:process { execmem execstack };
+	allow httpd_sys_script_t self:process { execmem execstack };
+	allow httpd_suexec_t self:process { execmem execstack };
+') 
+
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
@@ -482,6 +624,7 @@
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		postgresql_tcp_connect(httpd_t)
+		postgresql_tcp_connect(httpd_sys_script_t)
 	')
 ')
 
@@ -490,6 +633,7 @@
 ')
 
 optional_policy(`
+	files_dontaudit_rw_usr_dirs(httpd_t)
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
@@ -519,9 +663,28 @@
 logging_send_syslog_msg(httpd_helper_t)
 
 tunable_policy(`httpd_tty_comm',`
+	# cjp: this is redundant:
+	term_use_controlling_term(httpd_helper_t)
+
 	sysadm_use_terms(httpd_helper_t)
 ')
 
+optional_policy(`
+	type httpd_unconfined_script_t;
+	type httpd_unconfined_script_exec_t;
+	domain_type(httpd_unconfined_script_t)
+	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+	unconfined_domain(httpd_unconfined_script_t)
+
+	role system_r types httpd_unconfined_script_t;
+
+	tunable_policy(`httpd_tty_comm',`
+		unconfined_use_terms(httpd_helper_t)
+	')
+')
+
+
 ########################################
 #
 # Apache PHP script local policy
@@ -551,22 +714,30 @@
 
 fs_search_auto_mountpoints(httpd_php_t)
 
+auth_use_nsswitch(httpd_php_t)
+
 libs_exec_lib_files(httpd_php_t)
 libs_use_ld_so(httpd_php_t)
 libs_use_shared_libs(httpd_php_t)
 
 userdom_use_unpriv_users_fds(httpd_php_t)
 
-optional_policy(`
-	mysql_stream_connect(httpd_php_t)
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_mysqld_port(httpd_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_t)
+	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(httpd_php_t)
+	postgresql_stream_connect(httpd_sys_script_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(httpd_php_t)
+	mysql_stream_connect(httpd_php_t)
+	mysql_read_config(httpd_php_t)
 ')
 
 ########################################
@@ -584,12 +755,14 @@
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 
-allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
 
 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
@@ -597,10 +770,9 @@
 dev_read_urand(httpd_suexec_t)
 
 fs_search_auto_mountpoints(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
 
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
 
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
@@ -616,6 +788,7 @@
 logging_send_syslog_msg(httpd_suexec_t)
 
 miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
 
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@@ -633,12 +806,21 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_ro_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+	allow httpd_sys_script_t httpdcontent:file entrypoint;
+	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')
-
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
+tunable_policy(`httpd_enable_cgi',`
+	domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -647,6 +829,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
+tunable_policy(`httpd_use_cifs',`
+	fs_manage_cifs_files(httpd_suexec_t)
+	fs_manage_cifs_symlinks(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
@@ -664,20 +852,20 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
-optional_policy(`
-	nagios_domtrans_cgi(httpd_suexec_t)
-')
-
 ########################################
 #
 # Apache system script local policy
 #
 
+auth_use_nsswitch(httpd_sys_script_t)
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
+apache_read_squirrelmail_data(httpd_sys_script_t)
+apache_append_squirrelmail_data(httpd_sys_script_t)
 
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -691,12 +879,27 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
+sysnet_read_config(httpd_sys_script_t)
+
 ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_unpriv_users_home_content_files(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+	fs_manage_nfs_dirs(httpd_sys_script_t)
+	fs_manage_nfs_files(httpd_sys_script_t)
+	fs_manage_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_nfs',`
+	fs_manage_nfs_dirs(httpd_suexec_t)
+	fs_manage_nfs_files(httpd_suexec_t)
+	fs_manage_nfs_symlinks(httpd_suexec_t)
+	fs_exec_nfs_files(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -704,6 +907,31 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+	corenet_udp_bind_all_nodes(httpd_sys_script_t)
+	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_tcp_connect_all_ports(httpd_sys_script_t)
+	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+
+tunable_policy(`httpd_use_cifs',`
+	fs_manage_cifs_dirs(httpd_sys_script_t)
+	fs_manage_cifs_files(httpd_sys_script_t)
+	fs_manage_cifs_symlinks(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -716,10 +944,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
-')
-
-optional_policy(`
-	postgresql_stream_connect(httpd_sys_script_t)
+	mysql_read_config(httpd_sys_script_t)
+	mysql_stream_connect(httpd_suexec_t)
+	mysql_rw_db_sockets(httpd_suexec_t)
+	mysql_read_config(httpd_suexec_t)
 ')
 
 ########################################
@@ -727,6 +955,8 @@
 # httpd_rotatelogs local policy
 #
 
+allow httpd_rotatelogs_t self:capability dac_override;
+
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
@@ -741,3 +971,66 @@
 logging_search_logs(httpd_rotatelogs_t)
 
 miscfiles_read_localization(httpd_rotatelogs_t)
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+	mysql_search_db(httpd_bugzilla_script_t)
+	mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+
+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_ra_t   alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t   alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t   alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.5.13/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/apcupsd.fc	2009-02-10 15:07:15.000000000 +0100
@@ -4,6 +4,8 @@
 /sbin/apcupsd			--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 ')
 
+/sbin/apcupsd               	--      gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
 /usr/sbin/apcupsd		--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.13/policy/modules/services/arpwatch.fc
--- nsaserefpolicy/policy/modules/services/arpwatch.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/arpwatch	--	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
 
 #
 # /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.13/policy/modules/services/arpwatch.if
--- nsaserefpolicy/policy/modules/services/arpwatch.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if	2009-02-10 15:07:15.000000000 +0100
@@ -90,3 +90,45 @@
 
 	dontaudit $1 arpwatch_t:packet_socket { read write };
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an arpwatch environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the arpwatch domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`arpwatch_admin',`
+	gen_require(`
+		type arpwatch_t, arpwatch_tmp_t;
+		type arpwatch_data_t, arpwatch_var_run_t;
+		type arpwatch_initrc_exec_t;
+	')
+
+	allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, arpwatch_t)
+	        
+	init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 arpwatch_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, arpwatch_tmp_t)
+
+	files_list_var($1)
+	admin_pattern($1, arpwatch_data_t)
+
+	files_list_pids($1)
+	admin_pattern($1, arpwatch_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.13/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
 type arpwatch_data_t;
 files_type(arpwatch_data_t)
 
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
 type arpwatch_tmp_t;
 files_tmp_file(arpwatch_tmp_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.13/policy/modules/services/asterisk.fc
--- nsaserefpolicy/policy/modules/services/asterisk.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/asterisk.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,5 @@
 /etc/asterisk(/.*)?		gen_context(system_u:object_r:asterisk_etc_t,s0)
+/etc/rc\.d/init\.d/asterisk	--	gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
 
 /usr/sbin/asterisk	--	gen_context(system_u:object_r:asterisk_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.13/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/asterisk.if	2009-02-10 15:07:15.000000000 +0100
@@ -1 +1,54 @@
 ## <summary>Asterisk IP telephony server</summary>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an asterisk environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the asterisk domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`asterisk_admin',`
+	gen_require(`
+		type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+		type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+		type asterisk_var_lib_t;
+		type asterisk_initrc_exec_t;
+	')
+
+	allow $1 asterisk_t:process { ptrace signal_perms getattr };
+	ps_process_pattern($1, asterisk_t)
+	        
+	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 asterisk_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, asterisk_tmp_t)
+
+	files_list_etc($1)
+	admin_pattern($1, asterisk_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, asterisk_log_t)
+
+	files_list_spool($1)
+	admin_pattern($1, asterisk_spool_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, asterisk_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, asterisk_var_run_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.13/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/asterisk.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
 type asterisk_etc_t;
 files_config_file(asterisk_etc_t)
 
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
 type asterisk_log_t;
 logging_log_file(asterisk_log_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.fc serefpolicy-3.5.13/policy/modules/services/audioentropy.fc
--- nsaserefpolicy/policy/modules/services/audioentropy.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/audioentropy.fc	2009-02-10 15:07:15.000000000 +0100
@@ -2,3 +2,5 @@
 # /usr
 #
 /usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
+
+/var/run/audio-entropyd\.pid	--	gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.5.13/policy/modules/services/audioentropy.te
--- nsaserefpolicy/policy/modules/services/audioentropy.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/audioentropy.te	2009-02-10 15:07:15.000000000 +0100
@@ -35,6 +35,7 @@
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
 dev_read_sound(entropyd_t)
+dev_write_sound(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.5.13/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/automount.if	2009-07-20 14:45:58.000000000 +0200
@@ -107,6 +107,24 @@
 	dontaudit $1 automount_tmp_t:dir getattr;
 ')
 
+######################################
+## <summary>
+##      Send signal to automount process
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`automount_signal',`
+        gen_require(`
+                type automount_t;
+        ')
+
+        allow $1 automount_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.13/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/automount.te	2009-02-10 15:07:15.000000000 +0100
@@ -64,6 +64,7 @@
 kernel_read_network_state(automount_t)
 kernel_list_proc(automount_t)
 kernel_dontaudit_search_xen_state(automount_t)
+fs_read_nfs_files(automount_t)
 
 files_search_boot(automount_t)
 # Automount is slowly adding all mount functionality internally
@@ -71,6 +72,7 @@
 files_mounton_all_mountpoints(automount_t)
 files_mount_all_file_type_fs(automount_t)
 files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
 
 fs_mount_all_fs(automount_t)
 fs_unmount_all_fs(automount_t)
@@ -100,6 +102,7 @@
 corenet_udp_bind_all_rpc_ports(automount_t)
 
 dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
 # for SSP
 dev_read_rand(automount_t)
 dev_read_urand(automount_t)
@@ -145,6 +148,7 @@
 
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)
+mount_signal(automount_t)
 
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
 
@@ -159,7 +163,7 @@
 ')
 
 optional_policy(`
-	kerberos_read_keytab(automount_t)
+	kerberos_keytab_template(automount, automount_t)
 	kerberos_read_config(automount_t)
 	kerberos_dontaudit_write_config(automount_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.13/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/avahi.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,5 +1,9 @@
+/etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
 
 /usr/sbin/avahi-daemon		--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-dnsconfd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-autoipd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 
 /var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
+
+/usr/lib/avahi-autoipd(/.*)		gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.13/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/avahi.if	2009-02-10 15:07:15.000000000 +0100
@@ -2,6 +2,103 @@
 
 ########################################
 ## <summary>
+##	Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`avahi_domtrans',`
+	gen_require(`
+		type avahi_exec_t;
+		type avahi_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, avahi_exec_t, avahi_t)
+')
+
+########################################
+## <summary>
+##	Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`avahi_initrc_domtrans',`
+	gen_require(`
+		type avahi_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Send avahi a sigkill
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`avahi_sigkill',`
+	gen_require(`
+		type avahi_t;
+	')
+
+	allow $1 avahi_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send avahi a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`avahi_signal',`
+	gen_require(`
+		type avahi_t;
+	')
+
+	allow $1 avahi_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send avahi a signull
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`avahi_signull',`
+	gen_require(`
+		type avahi_t;
+	')
+
+	allow $1 avahi_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	avahi over dbus.
 ## </summary>
@@ -57,3 +154,38 @@
 
 	dontaudit $1 avahi_var_run_t:dir search_dir_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an avahi environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the avahi domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`avahi_admin',`
+	gen_require(`
+		type avahi_t, avahi_var_run_t;
+		type avahi_initrc_exec_t;
+	')
+
+	allow $1 avahi_t:process { ptrace signal_perms };
+	ps_process_pattern($1, avahi_t)
+	        
+	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 avahi_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_pids($1)
+	admin_pattern($1, avahi_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.13/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/avahi.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,12 @@
 type avahi_exec_t;
 init_daemon_domain(avahi_t, avahi_exec_t)
 
+type avahi_initrc_exec_t;
+init_script_file(avahi_initrc_exec_t)
+
+type avahi_var_lib_t;
+files_pid_file(avahi_var_lib_t)
+
 type avahi_var_run_t;
 files_pid_file(avahi_var_run_t)
 
@@ -20,13 +26,18 @@
 
 allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
-allow avahi_t self:process { setrlimit signal_perms setcap };
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
 allow avahi_t self:fifo_file rw_fifo_file_perms;
 allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow avahi_t self:unix_dgram_socket create_socket_perms;
 allow avahi_t self:tcp_socket create_stream_socket_perms;
 allow avahi_t self:udp_socket create_socket_perms;
 
+files_search_var_lib(avahi_t)
+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+
 manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 allow avahi_t avahi_var_run_t:dir setattr;
@@ -76,6 +87,7 @@
 logging_send_syslog_msg(avahi_t)
 
 miscfiles_read_localization(avahi_t)
+miscfiles_read_certs(avahi_t)
 
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 
@@ -86,6 +98,7 @@
 	dbus_connect_system_bus(avahi_t)
 
 	init_dbus_chat_script(avahi_t)
+	dbus_system_domain(avahi_t, avahi_exec_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.13/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bind.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,17 +1,22 @@
-/etc/rc.d/init.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
 /etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)?			gen_context(system_u:object_r:named_conf_t,s0)
 
 /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
 /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
 /usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 /usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
 
 /var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 
 /var/run/ndc		-s	gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/bind(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/named(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)?			gen_context(system_u:object_r:named_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.13/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bind.if	2009-02-10 15:07:15.000000000 +0100
@@ -38,6 +38,42 @@
 
 ########################################
 ## <summary>
+##	Send signulls to BIND.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_signull',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send sigkills to BIND.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_sigkill',`
+	gen_require(`
+		type named_t;
+	')
+
+	allow $1 named_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Execute ndc in the ndc domain, and
 ##	allow the specified role the ndc domain.
 ## </summary>
@@ -257,6 +293,25 @@
 
 ########################################
 ## <summary>
+##	Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`bind_initrc_domtrans',`
+	gen_require(`
+		type bind_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, bind_initrc_exec_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an bind environment
 ## </summary>
@@ -267,19 +322,18 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal.
+##	The role to be allowed to manage the bind domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`bind_admin',`
 	gen_require(`
-		type named_t, ndc_t;
+		type named_t, named_tmp_t, named_log_t;
+		type named_conf_t, named_var_lib_t, named_var_run_t;
+		type named_cache_t, named_zone_t;
+		type dnssec_t, ndc_t;
+		type named_initrc_exec_t;
 	')
 
 	allow $1 named_t:process { ptrace signal_perms };
@@ -289,4 +343,28 @@
 	ps_process_pattern($1, ndc_t)
 	        
 	bind_run_ndc($1, $2, $3)
+
+	bind_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 named_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, named_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, named_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, named_conf_t)
+
+	admin_pattern($1, named_cache_t)
+	admin_pattern($1, named_zone_t)
+	admin_pattern($1, dnssec_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, named_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, named_var_run_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.13/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bind.te	2009-03-30 11:05:25.000000000 +0200
@@ -173,7 +173,7 @@
 ')
 
 optional_policy(`
-	kerberos_use(named_t)
+	kerberos_keytab_template(named, named_t)
 ')
 
 optional_policy(`
@@ -233,6 +233,7 @@
 files_search_pids(ndc_t)
 
 fs_getattr_xattr_fs(ndc_t)
+fs_list_inotifyfs(ndc_t)
 
 init_use_fds(ndc_t)
 init_use_script_ptys(ndc_t)
@@ -247,6 +248,8 @@
 sysnet_read_config(ndc_t)
 sysnet_dns_name_resolve(ndc_t)
 
+term_dontaudit_use_console(ndc_t)
+
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.5.13/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bitlbee.te	2009-03-27 09:08:23.000000000 +0100
@@ -69,6 +69,8 @@
 corenet_tcp_connect_http_port(bitlbee_t)
 corenet_tcp_sendrecv_http_port(bitlbee_t)
 
+kernel_read_system_state(bitlbee_t)  
+
 dev_read_rand(bitlbee_t)
 dev_read_urand(bitlbee_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.13/policy/modules/services/bluetooth.fc
--- nsaserefpolicy/policy/modules/services/bluetooth.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc	2009-02-10 15:07:15.000000000 +0100
@@ -3,6 +3,9 @@
 #
 /etc/bluetooth(/.*)?		gen_context(system_u:object_r:bluetooth_conf_t,s0)
 /etc/bluetooth/link_key		gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+/etc/rc\.d/init\.d/bluetooth --	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 
 #
 # /usr
@@ -16,9 +19,11 @@
 /usr/sbin/hcid		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/hid2hci	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/sdpd		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 
 #
 # /var
 #
 /var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
 /var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/var/run/bluetoothd_address	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.13/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.if	2009-02-10 15:07:15.000000000 +0100
@@ -226,3 +226,56 @@
 	dontaudit $1 bluetooth_helper_domain:dir search;
 	dontaudit $1 bluetooth_helper_domain:file { read getattr };
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an bluetooth environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the bluetooth domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bluetooth_admin',`
+	gen_require(`
+		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+		type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+		type bluetooth_conf_t, bluetooth_conf_rw_t;
+		type bluetooth_initrc_exec_t;
+	')
+
+	allow $1 bluetooth_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bluetooth_t)
+	        
+	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bluetooth_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bluetooth_tmp_t)
+
+	files_list_var($1)
+	admin_pattern($1, bluetooth_lock_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bluetooth_conf_t)
+	admin_pattern($1, bluetooth_conf_rw_t)
+
+	files_list_spool($1)
+	admin_pattern($1, bluetooth_spool_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bluetooth_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bluetooth_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.13/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te	2009-02-10 15:07:15.000000000 +0100
@@ -20,6 +20,9 @@
 type bluetooth_helper_exec_t;
 application_executable_file(bluetooth_helper_exec_t)
 
+type bluetooth_initrc_exec_t;
+init_script_file(bluetooth_initrc_exec_t)
+
 type bluetooth_lock_t;
 files_lock_file(bluetooth_lock_t)
 
@@ -37,14 +40,14 @@
 # Bluetooth services local policy
 #
 
-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_fifo_file_perms;
 allow bluetooth_t self:shm create_shm_perms;
 allow bluetooth_t self:socket create_stream_socket_perms;
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow bluetooth_t self:tcp_socket create_stream_socket_perms;
 allow bluetooth_t self:udp_socket create_socket_perms;
 
@@ -76,6 +79,7 @@
 
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
 
 corenet_all_recvfrom_unlabeled(bluetooth_t)
 corenet_all_recvfrom_netlabel(bluetooth_t)
@@ -92,6 +96,7 @@
 dev_rw_usbfs(bluetooth_t)
 dev_rw_generic_usb_dev(bluetooth_t)
 dev_read_urand(bluetooth_t)
+dev_rw_input_dev(bluetooth_t)
 
 fs_getattr_all_fs(bluetooth_t)
 fs_search_auto_mountpoints(bluetooth_t)
@@ -110,6 +115,8 @@
 files_read_etc_runtime_files(bluetooth_t)
 files_read_usr_files(bluetooth_t)
 
+auth_use_nsswitch(bluetooth_t)
+
 libs_use_ld_so(bluetooth_t)
 libs_use_shared_libs(bluetooth_t)
 
@@ -117,21 +124,24 @@
 
 miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
-
-sysnet_read_config(bluetooth_t)
+miscfiles_read_hwdata(bluetooth_t)
 
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-
 sysadm_dontaudit_use_ptys(bluetooth_t)
 sysadm_dontaudit_search_home_dirs(bluetooth_t)
 
 optional_policy(`
 	dbus_system_bus_client_template(bluetooth, bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
+	dbus_system_domain(bluetooth_t, bluetooth_exec_t)
+
+	optional_policy(`
+		cups_dbus_chat(bluetooth_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(bluetooth_t)
+		hal_dbus_chat(bluetooth_t)
+	')
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,9 @@
+
+/etc/rc\.d/init\.d/certmaster 		--   		gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+/usr/bin/certmaster			--		gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/etc/certmaster(/.*)?					gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+
+/var/run/certmaster.*					gen_context(system_u:object_r:certmaster_var_run_t,s0)
+
+/var/log/certmaster(/.*)?  				gen_context(system_u:object_r:certmaster_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.5.13/policy/modules/services/certmaster.if
--- nsaserefpolicy/policy/modules/services/certmaster.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,128 @@
+## <summary>policy for certmaster</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run certmaster.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmaster_domtrans',`
+	gen_require(`
+		type certmaster_t, certmaster_exec_t;
+	')
+
+	domain_auto_trans($1,certmaster_exec_t,certmaster_t)
+
+	allow certmaster_t $1:fd use;
+	allow certmaster_t $1:fifo_file rw_file_perms;
+	allow certmaster_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+##      read
+##      certmaster logs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`certmaster_read_log',`
+        gen_require(`
+                type certmaster_var_log_t;
+        ')
+
+        read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+#######################################
+## <summary>
+##      Append to certmaster logs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`certmaster_append_log',`
+        gen_require(`
+                type certmaster_var_log_t;
+        ')
+
+        append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+#######################################
+## <summary>
+##      Create, read, write, and delete
+##      certmaster logs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`certmaster_manage_log',`
+        gen_require(`
+                type certmaster_var_log_t;
+        ')
+
+        manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+        manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+########################################
+## <summary>
+##      All of the rules required to administrate 
+##      an snort environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the syslog domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmaster_admin',`
+        gen_require(`
+                type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+		type certmaster_etc_rw_t, certmaster_var_log_t;
+		type certmaster_initrc_exec_t;
+        ')
+
+        allow $1 certmaster_t:process { ptrace signal_perms };
+        ps_process_pattern($1, certmaster_t)
+
+        init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 certmaster_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_list_etc($1)
+	miscfiles_manage_cert_dirs($1)	
+	miscfiles_manage_cert_files($1)	
+
+	admin_pattern($1, certmaster_etc_rw_t)
+
+	files_list_pids($1)
+	admin_pattern($1, certmaster_var_run_t)
+        
+	logging_list_logs($1)
+	admin_pattern($1, certmaster_var_log_t)
+	
+	files_list_var_lib($1)
+	admin_pattern($1, certmaster_var_lib_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,81 @@
+policy_module(certmaster,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# type and domain for certmaster
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+# var/lib files
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+# config files
+type certmaster_etc_rw_t;
+files_config_file(certmaster_etc_rw_t)
+
+# log files
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+# pid files
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#			  
+# certmaster local policy 
+#
+allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t,certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t)
+files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file })
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+# network
+corenet_tcp_bind_inaddr_any_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+libs_use_ld_so(certmaster_t)
+libs_use_shared_libs(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_cert_dirs(certmaster_t)
+miscfiles_manage_cert_files(certmaster_t)
+
+permissive certmaster_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.13/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/clamav.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,20 +1,22 @@
 /etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper	--	gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
 
 /usr/bin/clamscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/clamdscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
 
 /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
 /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav.*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd.*			gen_context(system_u:object_r:clamd_var_run_t,s0)
 
 /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
 
-/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
 
 /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.13/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/clamav.if	2009-02-10 15:07:15.000000000 +0100
@@ -38,6 +38,27 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to append
+##	to clamav log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_append_log',`
+	gen_require(`
+		type clamav_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 clamav_log_t:dir list_dir_perms;
+	append_files_pattern($1, clamav_log_t, clamav_log_t)
+')
+
+########################################
+## <summary>
 ##	Read clamav configuration files.
 ## </summary>
 ## <param name="domain">
@@ -91,3 +112,87 @@
 
 	domtrans_pattern($1, clamscan_exec_t, clamscan_t)
 ')
+
+########################################
+## <summary>
+##	Execute clamscan without a transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_exec_clamscan',`
+	gen_require(`
+		type clamscan_exec_t;
+	')
+
+	can_exec($1, clamscan_exec_t)
+
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an clamav environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the clamav domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_admin',`
+	gen_require(`
+		type clamd_t, clamd_etc_t, clamd_tmp_t;
+		type clamd_var_log_t, clamd_var_lib_t;
+		type clamd_var_run_t;
+
+		type clamscan_t, clamscan_tmp_t;
+
+		type freshclam_t, freshclam_var_log_t;
+
+		type clamd_initrc_exec_t;
+	')
+
+	allow $1 clamd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, clamd_t)
+	        
+	allow $1 clamscan_t:process { ptrace signal_perms };
+	ps_process_pattern($1, clamscan_t)
+
+	allow $1 freshclam_t:process { ptrace signal_perms };
+	ps_process_pattern($1, freshclam_t)
+	        
+	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 clamd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, clamd_tmp_t)
+
+	files_list_etc($1)
+	admin_pattern($1, clamd_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, clamd_var_log_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, clamd_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, clamd_var_run_t)
+
+	admin_pattern($1, clamscan_tmp_t)
+
+	admin_pattern($1, freshclam_var_log_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.13/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/clamav.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,7 +13,10 @@
 
 # configuration files
 type clamd_etc_t;
-files_type(clamd_etc_t)
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
 
 # tmp files
 type clamd_tmp_t;
@@ -87,6 +90,9 @@
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
 
 corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
@@ -97,6 +103,8 @@
 corenet_tcp_bind_all_nodes(clamd_t)
 corenet_tcp_bind_clamd_port(clamd_t)
 corenet_sendrecv_clamd_server_packets(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
 
 dev_read_rand(clamd_t)
 dev_read_urand(clamd_t)
@@ -120,11 +128,19 @@
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
 
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
 	amavis_read_spool_files(clamd_t)
 	amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)
 	amavis_create_pid_files(clamd_t)
+	amavis_rw_pid_files(clamd_t)
+')
+
+optional_policy(`
+	exim_read_spool_files(clamd_t)
 ')
 
 ########################################
@@ -172,6 +188,7 @@
 
 domain_use_interactive_fds(freshclam_t)
 
+files_search_var_lib(freshclam_t)
 files_read_etc_files(freshclam_t)
 files_read_etc_runtime_files(freshclam_t)
 
@@ -197,7 +214,7 @@
 allow clamscan_t self:fifo_file rw_file_perms;
 allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
 allow clamscan_t self:unix_dgram_socket create_socket_perms;
-allow clamscan_t self:tcp_socket { listen accept };
+allow clamscan_t self:tcp_socket create_stream_socket_perms;
 
 # configuration files
 allow clamscan_t clamd_etc_t:dir list_dir_perms;
@@ -213,6 +230,14 @@
 manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
 allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
 
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_all_if(clamscan_t)
+corenet_tcp_sendrecv_all_nodes(clamscan_t)
+corenet_tcp_sendrecv_all_ports(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+
 kernel_read_kernel_sysctls(clamscan_t)
 
 files_read_etc_files(clamscan_t)
@@ -230,6 +255,12 @@
 
 clamav_stream_connect(clamscan_t)
 
+mta_send_mail(clamscan_t)
+
 optional_policy(`
 	apache_read_sys_content(clamscan_t)
 ')
+
+optional_policy(`
+	mailscanner_manage_spool(clamscan_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.13/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,6 @@
 /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
 
 /var/run/consolekit\.pid	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)?	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if	2009-02-10 15:07:15.000000000 +0100
@@ -38,3 +38,24 @@
 	allow $1 consolekit_t:dbus send_msg;
 	allow consolekit_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Read consolekit log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_read_log',`
+	gen_require(`
+		type consolekit_log_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.13/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 
+type consolekit_log_t;
+files_pid_file(consolekit_log_t)
+
 ########################################
 #
 # consolekit local policy
@@ -24,20 +27,27 @@
 allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
 allow consolekit_t self:unix_dgram_socket create_socket_perms;
 
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
 
 kernel_read_system_state(consolekit_t)
 
 corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
 
 dev_read_urand(consolekit_t)
 dev_read_sysfs(consolekit_t)
 
 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
 
 files_read_etc_files(consolekit_t)
+files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
 
@@ -47,16 +57,37 @@
 
 auth_use_nsswitch(consolekit_t)
 
+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+init_chat(consolekit_t)
+
 libs_use_ld_so(consolekit_t)
 libs_use_shared_libs(consolekit_t)
 
+logging_send_syslog_msg(consolekit_t)
+
 miscfiles_read_localization(consolekit_t)
 
+# consolekit needs to be able to ptrace all logged in users 
+userdom_ptrace_all_users(consolekit_t)
+unprivuser_dontaudit_read_home_content_files(consolekit_t)
+
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
+
 optional_policy(`
-	dbus_system_bus_client_template(consolekit, consolekit_t)
-	dbus_connect_system_bus(consolekit_t)
+	cron_read_system_job_lib_files(consolekit_t)
+')
 
+optional_policy(`
+	dbus_system_domain(consolekit_t, consolekit_exec_t)
+	optional_policy(`
 	hal_dbus_chat(consolekit_t)
+	')
+
+	optional_policy(`
+		rpm_dbus_chat(consolekit_t)
+	')
 
 	optional_policy(`
 		unconfined_dbus_chat(consolekit_t)
@@ -64,6 +95,33 @@
 ')
 
 optional_policy(`
+	polkit_domtrans_auth(consolekit_t)
+	polkit_read_lib(consolekit_t)
+')
+
+optional_policy(`
 	xserver_read_all_users_xauth(consolekit_t)
 	xserver_stream_connect_xdm_xserver(consolekit_t)
+	xserver_ptrace_xdm(consolekit_t)
 ')
+
+optional_policy(`
+	#reading .Xauthity
+	unconfined_ptrace(consolekit_t)
+	unconfined_stream_connect(consolekit_t)
+')
+
+optional_policy(`
+	unprivuser_read_tmp_files(consolekit_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_list_nfs(consolekit_t)
+	fs_dontaudit_rw_nfs_files(consolekit_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_list_cifs(consolekit_t)
+	fs_dontaudit_rw_cifs_files(consolekit_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.13/policy/modules/services/courier.fc
--- nsaserefpolicy/policy/modules/services/courier.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/courier.fc	2009-02-10 15:07:15.000000000 +0100
@@ -19,5 +19,5 @@
 /var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
 
 /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
-
 /var/spool/courier(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
+/var/spool/authdaemon(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.5.13/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/courier.if	2009-02-10 15:07:15.000000000 +0100
@@ -180,6 +180,25 @@
 	manage_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
+#######################################
+## <summary>
+##      Read courier spool files.
+## </summary>
+## <param name="prefix">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`courier_read_spool_files',`
+        gen_require(`
+                type courier_spool_t;
+        ')
+
+	files_search_spool($1)
+        read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write to courier spool pipes.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.13/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/courier.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,7 @@
 
 type courier_etc_t;
 files_config_file(courier_etc_t)
+mta_system_content(courier_etc_t)
 
 courier_domain_template(pcp)
 
@@ -73,6 +74,9 @@
 
 sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
 
+files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+
 ########################################
 #
 # Calendar (PCP) local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.13/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cron.fc	2009-02-10 15:07:15.000000000 +0100
@@ -17,9 +17,10 @@
 /var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 
+/var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
+
 /var/spool/at			-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/spool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/[^/]*		--	<<none>>
+/var/spool/at[^/]*		--	<<none>>
 
 /var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
@@ -45,3 +46,8 @@
 /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
+
+/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cron.if	2009-02-10 15:07:15.000000000 +0100
@@ -35,39 +35,25 @@
 #
 template(`cron_per_role_template',`
 	gen_require(`
+		class context contains;
 		attribute cron_spool_type;
 		type crond_t, cron_spool_t, crontab_exec_t;
-		class dbus send_msg;
+		type crond_var_run_t;
 	')
+	typealias $1_t alias $1_crond_t;
 
 	# Type of user crontabs once moved to cron spool.
 	type $1_cron_spool_t, cron_spool_type;
 	files_type($1_cron_spool_t)
+	mta_system_content($1_cron_spool_t)
 
-	type $1_crond_t;
-	domain_type($1_crond_t)
-	domain_cron_exemption_target($1_crond_t)
-	corecmd_shell_entry_type($1_crond_t)
-	role $3 types $1_crond_t;
+	domain_cron_exemption_target($1_t)
+	corecmd_shell_entry_type($1_t)
 
 	type $1_crontab_t;
 	application_domain($1_crontab_t, crontab_exec_t)
 	role $3 types $1_crontab_t;
 
-	type $1_crontab_tmp_t;
-	files_tmp_file($1_crontab_tmp_t)
-
-	##############################
-	#
-	# $1_crond_t local policy
-	#
-
-	allow $1_crond_t self:capability dac_override;
-	allow $1_crond_t self:process { signal_perms setsched };
-	allow $1_crond_t self:fifo_file rw_fifo_file_perms;
-	allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-
 	# The entrypoint interface is not used as this is not
 	# a regular entrypoint.  Since crontab files are
 	# not directly executed, crond must ensure that
@@ -75,116 +61,23 @@
 	# for the domain of the user cron job.  It
 	# performs an entrypoint permission check
 	# for this purpose.
-	allow $1_crond_t $1_cron_spool_t:file entrypoint;
+	allow $1_t $1_cron_spool_t:file entrypoint;
 
 	# Permit a transition from the crond_t domain to this domain.
 	# The transition is requested explicitly by the modified crond 
 	# via setexeccon.  There is no way to set up an automatic
 	# transition, since crontabs are configuration files, not executables.
-	allow crond_t $1_crond_t:process transition;
-	dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
-	allow crond_t $1_crond_t:fd use;
-	allow $1_crond_t crond_t:fd use;
-	allow $1_crond_t crond_t:fifo_file rw_file_perms;
-	allow $1_crond_t crond_t:process sigchld;
-
-	kernel_read_system_state($1_crond_t)
-	kernel_read_kernel_sysctls($1_crond_t)
-
-	# ps does not need to access /boot when run from cron
-	files_dontaudit_search_boot($1_crond_t)
-
-	corenet_all_recvfrom_unlabeled($1_crond_t)
-	corenet_all_recvfrom_netlabel($1_crond_t)
-	corenet_tcp_sendrecv_all_if($1_crond_t)
-	corenet_udp_sendrecv_all_if($1_crond_t)
-	corenet_tcp_sendrecv_all_nodes($1_crond_t)
-	corenet_udp_sendrecv_all_nodes($1_crond_t)
-	corenet_tcp_sendrecv_all_ports($1_crond_t)
-	corenet_udp_sendrecv_all_ports($1_crond_t)
-	corenet_tcp_connect_all_ports($1_crond_t)
-	corenet_sendrecv_all_client_packets($1_crond_t)
-
-	dev_read_urand($1_crond_t)
-
-	fs_getattr_all_fs($1_crond_t)
-
-	corecmd_exec_all_executables($1_crond_t)
-
-	# quiet other ps operations
-	domain_dontaudit_read_all_domains_state($1_crond_t)
-	domain_dontaudit_getattr_all_domains($1_crond_t)
-
-	files_read_usr_files($1_crond_t)
-	files_exec_etc_files($1_crond_t)
-	# for nscd:
-	files_dontaudit_search_pids($1_crond_t)
-
-	libs_use_ld_so($1_crond_t)
-	libs_use_shared_libs($1_crond_t)
-	libs_exec_lib_files($1_crond_t)
-	libs_exec_ld_so($1_crond_t)
-
-	files_read_etc_runtime_files($1_crond_t)
-	files_read_var_files($1_crond_t)
-	files_search_spool($1_crond_t)
-
-	logging_search_logs($1_crond_t)
-
-	seutil_read_config($1_crond_t)
-
-	miscfiles_read_localization($1_crond_t)
-
-	userdom_manage_user_tmp_files($1, $1_crond_t)
-	userdom_manage_user_tmp_symlinks($1, $1_crond_t)
-	userdom_manage_user_tmp_pipes($1, $1_crond_t)
-	userdom_manage_user_tmp_sockets($1, $1_crond_t)
-	# Run scripts in user home directory and access shared libs.
-	userdom_exec_user_home_content_files($1, $1_crond_t)
-	# Access user files and dirs.
-#	userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
-	userdom_manage_user_home_content_files($1, $1_crond_t)
-	userdom_manage_user_home_content_symlinks($1, $1_crond_t)
-	userdom_manage_user_home_content_pipes($1, $1_crond_t)
-	userdom_manage_user_home_content_sockets($1, $1_crond_t)
-#	userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
+	allow crond_t $1_t:process transition;
+	dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh };
+	allow crond_t $1_t:fd use;
+	allow $1_t crond_t:fd use;
+	allow $1_t crond_t:fifo_file rw_file_perms;
+	allow $1_t crond_t:process sigchld;
 
 	tunable_policy(`fcron_crond', `
 		allow crond_t $1_cron_spool_t:file manage_file_perms;
 	')
 
-	# need a per-role version of this:
-	#optional_policy(`
-	#	mono_domtrans($1_crond_t)
-	#')
-
-	optional_policy(`
-		dbus_stub($1_crond_t)
-
-		allow $1_crond_t $2:dbus send_msg;
-	')		
-
-	optional_policy(`
-		nis_use_ypbind($1_crond_t)
-	')
-
-	ifdef(`TODO',`
-	optional_policy(`
-		create_dir_file($1_crond_t, httpd_$1_content_t)
-	')
-	allow $1_crond_t tmp_t:dir rw_dir_perms;
-	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
-
-	ifdef(`mta.te', `
-		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-		allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms;
-
-		# $1_mail_t should only be reading from the cron fifo not needing to write
-		dontaudit $1_mail_t crond_t:fifo_file write;
-		allow mta_user_agent $1_crond_t:fd use;
-	')
-	') dnl endif TODO
-
 	##############################
 	#
 	# $1_crontab_t local policy
@@ -192,23 +85,27 @@
 
 	# dac_override is to create the file in the directory under /tmp
 	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
-	allow $1_crontab_t self:process signal_perms;
+	allow $1_crontab_t self:process { signal_perms setsched };
+	allow $1_crontab_t self:fifo_file rw_fifo_file_perms;
+	allow $1_crontab_t crond_t:process signal;
 
 	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+	allow $2 $1_crontab_t:fd use;
 
+	auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t })
 	# crontab shows up in user ps
 	ps_process_pattern($2, $1_crontab_t)
 
+	init_dontaudit_write_utmp($1_crontab_t)
+	init_read_utmp($1_crontab_t)
+
 	# for ^Z
 	allow $2 $1_crontab_t:process signal;
 
 	# Allow crond to read those crontabs in cron spool.
 	allow crond_t $1_cron_spool_t:file manage_file_perms;
 
-	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, file)
-
 	# create files in /var/spool/cron
 	manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t)
 	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file)
@@ -216,6 +113,7 @@
 
 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_crontab_t cron_spool_t:dir setattr;
+	read_files_pattern($1_crontab_t, crond_var_run_t,crond_var_run_t)
 
 	kernel_read_system_state($1_crontab_t)
 
@@ -227,27 +125,33 @@
 	# Run helper programs as the user domain
 	corecmd_bin_domtrans($1_crontab_t, $2)
 	corecmd_shell_domtrans($1_crontab_t, $2)
+	allow $2 $1_crontab_t:process sigchld;
 
 	domain_use_interactive_fds($1_crontab_t)
 
 	files_read_etc_files($1_crontab_t)
 	files_dontaudit_search_pids($1_crontab_t)
 
+	auth_use_nsswitch($1_crontab_t)
+
 	libs_use_ld_so($1_crontab_t)
 	libs_use_shared_libs($1_crontab_t)
 
 	logging_send_syslog_msg($1_crontab_t)
+	logging_send_audit_msgs($1_crontab_t)
+	logging_set_loginuid($1_crontab_t)
 
 	miscfiles_read_localization($1_crontab_t)
 
 	seutil_read_config($1_crontab_t)
 
-	userdom_manage_user_tmp_dirs($1, $1_crontab_t)
-	userdom_manage_user_tmp_files($1, $1_crontab_t)
+	unprivuser_manage_tmp_dirs($1_crontab_t)
+	unprivuser_manage_tmp_files($1_crontab_t)
 	# Access terminals.
 	userdom_use_user_terminals($1, $1_crontab_t)
 	# Read user crontabs
 	userdom_read_user_home_content_files($1, $1_crontab_t)
+	userdom_transition_user_tmp($1, $1_crontab_t, { lnk_file file dir fifo_file })
 
 	tunable_policy(`fcron_crond',`
 		# fcron wants an instant update of a crontab change for the administrator
@@ -286,14 +190,12 @@
 template(`cron_admin_template',`
 	gen_require(`
 		attribute cron_spool_type;
-		type $1_crontab_t, $1_crond_t;
+		type $1_crontab_t;
 	')
 
 	# Allow our crontab domain to unlink a user cron spool file.
 	allow $1_crontab_t cron_spool_type:file { getattr read unlink };
 
-	logging_read_generic_logs($1_crond_t)
-
 	# Manipulate other users crontab.
 	selinux_get_fs_mount($1_crontab_t)
 	selinux_validate_context($1_crontab_t)
@@ -339,7 +241,7 @@
 	allow $1 system_crond_t:fifo_file rw_file_perms;
 	allow $1 system_crond_t:process sigchld;
 
-	allow $1 crond_t:fifo_file rw_file_perms;
+	allow $1 crond_t:fifo_file rw_fifo_file_perms;
 	allow $1 crond_t:fd use;
 	allow $1 crond_t:process sigchld;
 
@@ -421,6 +323,24 @@
 
 ########################################
 ## <summary>
+##	Allow read/write unix stream sockets from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_system_stream_sockets',`
+	gen_require(`
+		type system_crond_t;
+	')
+
+	allow $1 system_crond_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Read and write a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
@@ -439,7 +359,7 @@
 
 ########################################
 ## <summary>
-##	Read, and write cron daemon TCP sockets.
+##	Dontaudit Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -447,7 +367,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`cron_rw_tcp_sockets',`
+interface(`cron_dontaudit_rw_tcp_sockets',`
 	gen_require(`
 		type crond_t;
 	')
@@ -559,11 +479,14 @@
 #
 interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
-		type system_crond_tmp_t;
+		type system_crond_tmp_t, cron_var_run_t;
 	')
 
 	files_search_tmp($1)
 	allow $1 system_crond_tmp_t:file read_file_perms;
+
+	files_search_pids($1)
+	allow $1 cron_var_run_t:file read_file_perms;
 ')
 
 ########################################
@@ -584,3 +507,64 @@
 
 	dontaudit $1 system_crond_tmp_t:file append;
 ')
+
+
+########################################
+## <summary>
+##	Do not audit attempts to write temporary
+##	files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+	gen_require(`
+		type system_crond_tmp_t;
+		type cron_var_run_t;
+		type system_crond_var_run_t;
+	')
+
+	dontaudit $1 system_crond_tmp_t:file write_file_perms;
+	dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+	gen_require(`
+		type system_crond_var_lib_t;
+	')
+
+
+	read_files_pattern($1, system_crond_var_lib_t,  system_crond_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage pid files used by cron
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_manage_pid_files',`
+	gen_require(`
+		type crond_var_run_t;
+	')
+
+
+	manage_files_pattern($1, crond_var_run_t,  crond_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cron.te	2009-03-05 13:23:48.000000000 +0100
@@ -12,14 +12,6 @@
 
 ## <desc>
 ## <p>
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-## </p>
-## </desc>
-gen_tunable(cron_can_relabel, false)
-
-## <desc>
-## <p>
 ## Enable extra rules in the cron domain
 ## to support fcron.
 ## </p>
@@ -38,6 +30,10 @@
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
 
+# var/lib files
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
 # var/log files
 type cron_log_t;
 logging_log_file(cron_log_t)
@@ -50,6 +46,8 @@
 
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
 
 type crond_var_run_t;
 files_pid_file(crond_var_run_t)
@@ -71,6 +69,12 @@
 type system_crond_tmp_t;
 files_tmp_file(system_crond_tmp_t)
 
+type system_crond_var_lib_t;
+files_type(system_crond_var_lib_t)
+
+type system_crond_var_run_t;
+files_pid_file(system_crond_var_run_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
 ')
@@ -80,7 +84,7 @@
 # Cron Local policy
 #
 
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
@@ -99,15 +103,14 @@
 allow crond_t crond_var_run_t:file manage_file_perms;
 files_pid_filetrans(crond_t,crond_var_run_t,file)
 
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
 
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
 
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 
 kernel_read_kernel_sysctls(crond_t)
 kernel_search_key(crond_t)
@@ -133,6 +136,8 @@
 corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
 
 files_read_etc_files(crond_t)
 files_read_generic_spool(crond_t)
@@ -142,13 +147,17 @@
 files_search_default(crond_t)
 
 init_rw_utmp(crond_t)
+#init_spec_domtrans_script(crond_t)
+init_domtrans_script(system_crond_t)
 
 auth_use_nsswitch(crond_t)
 
 libs_use_ld_so(crond_t)
 libs_use_shared_libs(crond_t)
 
+logging_send_audit_msgs(crond_t)
 logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
 
 seutil_read_config(crond_t)
 seutil_read_default_contexts(crond_t)
@@ -161,6 +170,7 @@
 userdom_list_all_users_home_dirs(crond_t)
 
 mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
 
 ifdef(`distro_debian',`
 	# pam_limits is used
@@ -180,21 +190,45 @@
 	')
 ')
 
+tunable_policy(`allow_polyinstantiation',`
+	allow crond_t self:capability fowner;
+	files_search_tmp(crond_t)
+	files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+	apache_search_sys_content(crond_t)
+')
+
 optional_policy(`
 	locallogin_search_keys(crond_t)
 	locallogin_link_keys(crond_t)
 ')
 
+optional_policy(`
+	# these should probably be unconfined_crond_t
+	init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+	mono_domtrans(crond_t)
+')
+
 tunable_policy(`fcron_crond', `
 	allow crond_t system_cron_spool_t:file manage_file_perms;
 ')
 
 optional_policy(`
+	amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
 	amavis_search_lib(crond_t)
 ')
 
 optional_policy(`
-	hal_dbus_send(crond_t)
+	hal_dbus_chat(crond_t)
+	hal_dbus_chat(system_crond_t)
 ')
 
 optional_policy(`
@@ -236,6 +270,9 @@
 allow system_crond_t cron_var_lib_t:file manage_file_perms;
 files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file)
 
+allow system_crond_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_crond_t, cron_var_run_t, file)
+
 allow system_crond_t system_cron_spool_t:file read_file_perms;
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
@@ -267,9 +304,13 @@
 filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file })
 files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file)
 
+# var/lib files for system_crond
+files_search_var_lib(system_crond_t)
+manage_files_pattern(system_crond_t, system_crond_var_lib_t, system_crond_var_lib_t)
+
 # Read from /var/spool/cron.
 allow system_crond_t cron_spool_t:dir list_dir_perms;
-allow system_crond_t cron_spool_t:file read_file_perms;
+allow system_crond_t cron_spool_t:file rw_file_perms;
 
 kernel_read_kernel_sysctls(system_crond_t)
 kernel_read_system_state(system_crond_t)
@@ -323,7 +364,8 @@
 init_read_utmp(system_crond_t)
 init_dontaudit_rw_utmp(system_crond_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_crond_t)
+init_telinit(system_crond_t)
+init_spec_domtrans_script(system_crond_t)
 
 auth_use_nsswitch(system_crond_t)
 
@@ -333,6 +375,7 @@
 libs_exec_ld_so(system_crond_t)
 
 logging_read_generic_logs(system_crond_t)
+logging_send_audit_msgs(system_crond_t)
 logging_send_syslog_msg(system_crond_t)
 
 miscfiles_read_localization(system_crond_t)
@@ -348,18 +391,6 @@
 	')
 ')
 
-tunable_policy(`cron_can_relabel',`
-	seutil_domtrans_setfiles(system_crond_t)
-',`
-	selinux_get_fs_mount(system_crond_t)
-	selinux_validate_context(system_crond_t)
-	selinux_compute_access_vector(system_crond_t)
-	selinux_compute_create_context(system_crond_t)
-	selinux_compute_relabel_context(system_crond_t)
-	selinux_compute_user_contexts(system_crond_t)
-	seutil_read_file_contexts(system_crond_t)
-')
-
 optional_policy(`
 	# Needed for certwatch
 	apache_exec_modules(system_crond_t)
@@ -383,11 +414,20 @@
 ')
 
 optional_policy(`
+	lpd_list_spool(system_crond_t)
+')
+
+optional_policy(`
+	mono_domtrans(system_crond_t)
+')
+
+optional_policy(`
 	mrtg_append_create_logs(system_crond_t)
 ')
 
 optional_policy(`
 	mta_send_mail(system_crond_t)
+	mta_system_content(system_cron_spool_t)
 ')
 
 optional_policy(`
@@ -415,8 +455,7 @@
 ')
 
 optional_policy(`
-	# cjp: why?
-	squid_domtrans(system_crond_t)
+	spamassassin_manage_lib_files(system_crond_t)
 ')
 
 optional_policy(`
@@ -424,15 +463,12 @@
 ')
 
 optional_policy(`
+	unconfined_dbus_send(crond_t)
+	unconfined_shell_domtrans(crond_t)
+	unconfined_domain(crond_t)
 	unconfined_domain(system_crond_t)
-
-	userdom_priveleged_home_dir_manager(system_crond_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_crond_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_crond_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
+optional_policy(`
+	userdom_priveleged_home_dir_manager(system_crond_t)
 ')
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.13/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cups.fc	2009-02-10 15:07:15.000000000 +0100
@@ -5,27 +5,38 @@
 /etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.*  --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+/etc/cups/interfaces(/.*)?	gen_context(system_u:object_r:cupsd_interface_t,s0)
 
 /etc/hp(/.*)?			gen_context(system_u:object_r:hplip_etc_t,s0)
 
 /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
+/opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
 /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs		--	gen_context(system_u:object_r:hplip_exec_t,s0)
 
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
 
 /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
 /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
 /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
@@ -33,7 +44,7 @@
 
 /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/hpssd\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/hplip/.*\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
 
 /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -43,10 +54,19 @@
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
 /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 
+/var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
 /var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
 /var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.13/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cups.if	2009-02-10 15:07:15.000000000 +0100
@@ -20,6 +20,30 @@
 
 ########################################
 ## <summary>
+##	Setup cups to transtion to the cups backend domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`cups_backend',`
+	gen_require(`
+		type cupsd_t;
+	')
+
+	domtrans_pattern(cupsd_t, $2, $1)
+
+	allow cupsd_t $1:process signal;
+	allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
+
+	cups_read_config($1)
+	cups_append_log($1)
+')
+
+########################################
+## <summary>
 ##	Connect to cupsd over an unix domain stream socket.
 ## </summary>
 ## <param name="domain">
@@ -212,6 +236,25 @@
 
 ########################################
 ## <summary>
+##	Append cups log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_append_log',`
+	gen_require(`
+		type cupsd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, cupsd_log_t, cupsd_log_t)
+')
+
+########################################
+## <summary>
 ##	Write cups log files.
 ## </summary>
 ## <param name="domain">
@@ -247,3 +290,66 @@
 	files_search_pids($1)
 	stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an cups environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the cups domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cups_admin',`
+	gen_require(`
+		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+		type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+		type cupsd_var_run_t, ptal_etc_t;
+		type ptal_var_run_t, hplip_var_run_t;
+		type cupsd_initrc_exec_t;
+	')
+
+	allow $1 cupsd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, cupsd_t)
+	        
+	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 cupsd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, cupsd_tmp_t)
+
+	admin_pattern($1, cupsd_lpd_tmp_t)
+
+	files_list_etc($1)
+	admin_pattern($1, cupsd_etc_t)
+
+	admin_pattern($1, ptal_etc_t)
+
+	files_list_spool($1)
+	admin_pattern($1, cupsd_spool_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, cupsd_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, cupsd_var_run_t)
+
+	admin_pattern($1, ptal_var_run_t)
+
+	admin_pattern($1, cupsd_config_var_run_t)
+
+	admin_pattern($1, cupsd_lpd_var_run_t)
+
+	admin_pattern($1, hplip_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cups.te	2009-04-09 14:15:20.000000000 +0200
@@ -20,9 +20,18 @@
 type cupsd_etc_t;
 files_config_file(cupsd_etc_t)
 
+type cupsd_initrc_exec_t;
+init_script_file(cupsd_initrc_exec_t)
+
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
 type cupsd_rw_etc_t;
 files_config_file(cupsd_rw_etc_t)
 
+type cupsd_lock_t;
+files_lock_file(cupsd_lock_t)
+
 type cupsd_log_t;
 logging_log_file(cupsd_log_t)
 
@@ -48,6 +57,10 @@
 type hplip_t;
 type hplip_exec_t;
 init_daemon_domain(hplip_t, hplip_exec_t)
+# For CUPS to run as a backend
+cups_backend(hplip_t, hplip_exec_t)
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
 
 type hplip_etc_t;
 files_config_file(hplip_etc_t)
@@ -55,6 +68,9 @@
 type hplip_var_run_t;
 files_pid_file(hplip_var_run_t)
 
+type hplip_tmp_t;
+files_tmp_file(hplip_tmp_t)
+
 type ptal_t;
 type ptal_exec_t;
 init_daemon_domain(ptal_t, ptal_exec_t)
@@ -65,6 +81,16 @@
 type ptal_var_run_t;
 files_pid_file(ptal_var_run_t)
 
+type cups_pdf_t;
+type cups_pdf_exec_t;
+domain_type(cups_pdf_t)
+domain_entry_file(cups_pdf_t, cups_pdf_exec_t)
+cups_backend(cups_pdf_t, cups_pdf_exec_t)
+role system_r types cups_pdf_t;
+
+type cups_pdf_tmp_t;
+files_tmp_file(cups_pdf_tmp_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
 ')
@@ -79,13 +105,14 @@
 #
 
 # /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
-allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:tcp_socket create_stream_socket_perms;
 allow cupsd_t self:udp_socket create_socket_perms;
 allow cupsd_t self:appletalk_socket create_socket_perms;
@@ -97,6 +124,9 @@
 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 files_search_etc(cupsd_t)
 
+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
+
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
@@ -104,8 +134,11 @@
 
 # allow cups to execute its backend scripts
 can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+
+allow cupsd_t cupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
 
 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 allow cupsd_t cupsd_log_t:dir setattr;
@@ -116,13 +149,20 @@
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
+# This whole section needs to be moved to a smbspool policy
+# smbspool seems to be iterating through all existing tmp files.
+# Looking for kerberos files
+files_getattr_all_tmp_files(cupsd_t)
+userdom_read_unpriv_users_tmp_files(cupsd_t)
+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
+
 allow cupsd_t cupsd_var_run_t:dir setattr;
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
 files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
 
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-
+allow cupsd_t hplip_t:process {signal sigkill };
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -149,44 +189,49 @@
 corenet_tcp_bind_reserved_port(cupsd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
+corenet_tcp_connect_smbd_port(cupsd_t)
 corenet_sendrecv_hplip_client_packets(cupsd_t)
 corenet_sendrecv_ipp_client_packets(cupsd_t)
 corenet_sendrecv_ipp_server_packets(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
 
 dev_rw_printer(cupsd_t)
 dev_read_urand(cupsd_t)
 dev_read_sysfs(cupsd_t)
-dev_read_usbfs(cupsd_t)
+dev_rw_input_dev(cupsd_t)  #447878
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
 dev_getattr_printer_dev(cupsd_t)
 
 domain_read_all_domains_state(cupsd_t)
 
 fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
 
+mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
 mls_file_write_all_levels(cupsd_t)
 mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
 mls_socket_write_all_levels(cupsd_t)
 
 term_use_unallocated_ttys(cupsd_t)
 term_search_ptys(cupsd_t)
 
-auth_domtrans_chk_passwd(cupsd_t)
-auth_dontaudit_read_pam_pid(cupsd_t)
-
 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
 corecmd_exec_shell(cupsd_t)
 corecmd_exec_bin(cupsd_t)
 
 domain_use_interactive_fds(cupsd_t)
 
+files_list_spool(cupsd_t)
 files_read_etc_files(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
 # read python modules
 files_read_usr_files(cupsd_t)
 # for /var/lib/defoma
-files_search_var_lib(cupsd_t)
+files_read_var_lib_files(cupsd_t)
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
@@ -195,15 +240,16 @@
 files_read_var_symlinks(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
-# smbspool seems to be iterating through all existing tmp files.
-# redhat bug #214953
-# cjp: this might be a broken behavior
-files_dontaudit_getattr_all_tmp_files(cupsd_t)
 
 selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
 
 init_exec_script_files(cupsd_t)
+init_read_utmp(cupsd_t)
 
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+auth_rw_faillog(cupsd_t)
 auth_use_nsswitch(cupsd_t)
 
 libs_use_ld_so(cupsd_t)
@@ -219,17 +265,21 @@
 miscfiles_read_fonts(cupsd_t)
 
 seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
 
-sysnet_read_config(cupsd_t)
-
+files_dontaudit_list_home(cupsd_t)
 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
 userdom_dontaudit_search_all_users_home_content(cupsd_t)
 
 # Write to /var/spool/cups.
 lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
+lpd_relabel_spool(cupsd_t)
 
 ifdef(`enable_mls',`
-	lpd_relabel_spool(cupsd_t)
+	mls_trusted_object(cupsd_var_run_t)
+	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh)
 ')
 
 optional_policy(`
@@ -246,8 +296,16 @@
 	userdom_dbus_send_all_users(cupsd_t)
 
 	optional_policy(`
+		avahi_dbus_chat(cupsd_t)
+	')
+
+	optional_policy(`
 		hal_dbus_chat(cupsd_t)
 	')
+
+	optional_policy(`
+		unconfined_dbus_chat(cupsd_t)
+	')
 ')
 
 optional_policy(`
@@ -263,6 +321,10 @@
 ')
 
 optional_policy(`
+	mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
 	# cups execs smbtool which reads samba_etc_t files
 	samba_read_config(cupsd_t)
 	samba_rw_var_files(cupsd_t)
@@ -281,7 +343,7 @@
 # Cups configuration daemon local policy
 #
 
-allow cupsd_config_t self:capability { chown sys_tty_config };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
 dontaudit cupsd_config_t self:capability sys_tty_config;
 allow cupsd_config_t self:process signal_perms;
 allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -313,7 +375,7 @@
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
 
 kernel_read_system_state(cupsd_config_t)
-kernel_read_kernel_sysctls(cupsd_config_t)
+kernel_read_all_sysctls(cupsd_config_t)
 
 corenet_all_recvfrom_unlabeled(cupsd_config_t)
 corenet_all_recvfrom_netlabel(cupsd_config_t)
@@ -326,6 +388,7 @@
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
 dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
 
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
@@ -343,7 +406,7 @@
 files_read_var_symlinks(cupsd_config_t)
 
 # Alternatives asks for this
-init_getattr_script_files(cupsd_config_t)
+init_getattr_all_script_files(cupsd_config_t)
 
 auth_use_nsswitch(cupsd_config_t)
 
@@ -353,6 +416,7 @@
 logging_send_syslog_msg(cupsd_config_t)
 
 miscfiles_read_localization(cupsd_config_t)
+miscfiles_read_hwdata(cupsd_config_t)
 
 seutil_dontaudit_search_config(cupsd_config_t)
 
@@ -365,14 +429,16 @@
 sysadm_dontaudit_search_home_dirs(cupsd_config_t)
 
 ifdef(`distro_redhat',`
-	init_getattr_script_files(cupsd_config_t)
-
 	optional_policy(`
 		rpm_read_db(cupsd_config_t)
 	')
 ')
 
 optional_policy(`
+	term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
@@ -388,6 +454,7 @@
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
+	hal_dontaudit_use_fds(hplip_t)
 ')
 
 optional_policy(`
@@ -500,7 +567,10 @@
 allow hplip_t self:udp_socket create_socket_perms;
 allow hplip_t self:rawip_socket create_socket_perms;
 
-allow hplip_t cupsd_etc_t:dir search;
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
 
 cups_stream_connect(hplip_t)
 
@@ -509,6 +579,11 @@
 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
 files_search_etc(hplip_t)
 
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
+manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )  
+
 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
 files_pid_filetrans(hplip_t, hplip_var_run_t, file)
 
@@ -538,7 +613,8 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
+
 
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
@@ -552,6 +628,8 @@
 files_read_etc_runtime_files(hplip_t)
 files_read_usr_files(hplip_t)
 
+fs_rw_anon_inodefs_files(hplip_t)
+
 libs_use_ld_so(hplip_t)
 libs_use_shared_libs(hplip_t)
 
@@ -564,12 +642,14 @@
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
 
-lpd_read_config(cupsd_t)
+lpd_read_config(hplip_t)
+lpd_manage_spool(hplip_t)
 
 sysadm_dontaudit_search_home_dirs(hplip_t)
 
 optional_policy(`
 	dbus_system_bus_client_template(hplip, hplip_t)
+	dbus_connect_system_bus(hplip_t)
 ')
 
 optional_policy(`
@@ -651,3 +731,55 @@
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
+
+########################################
+#
+# cups_pdf local policy
+#
+
+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
+
+allow cups_pdf_t self:fifo_file rw_file_perms;
+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(cups_pdf_t)
+files_read_usr_files(cups_pdf_t)
+
+kernel_read_system_state(cups_pdf_t)
+
+auth_use_nsswitch(cups_pdf_t)
+
+libs_use_ld_so(cups_pdf_t)
+libs_use_shared_libs(cups_pdf_t)
+
+corecmd_exec_shell(cups_pdf_t)
+corecmd_exec_bin(cups_pdf_t)
+
+miscfiles_read_localization(cups_pdf_t)
+
+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
+
+unprivuser_home_filetrans_home_dir(cups_pdf_t)
+unprivuser_manage_home_content_dirs(cups_pdf_t)
+unprivuser_manage_home_content_files(cups_pdf_t)
+
+lpd_manage_spool(cups_pdf_t)
+
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+miscfiles_read_fonts(cups_pdf_t)
+
+sysadm_dontaudit_read_home_content_files(cups_pdf_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(cups_pdf_t)
+ fs_manage_nfs_files(cups_pdf_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(cups_pdf_t)
+ fs_manage_cifs_files(cups_pdf_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.13/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cvs.te	2009-02-10 15:07:15.000000000 +0100
@@ -115,4 +115,5 @@
 	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
 	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
--- nsaserefpolicy/policy/modules/services/cyphesis.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1 +1,6 @@
 /usr/bin/cyphesis	--	gen_context(system_u:object_r:cyphesis_exec_t,s0)
+
+/var/log/cyphesis(/.*)?		gen_context(system_u:object_r:cyphesis_log_t,s0)
+
+/var/run/cyphesis(/.*)?		gen_context(system_u:object_r:cyphesis_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.5.13/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cyrus.te	2009-02-10 15:07:15.000000000 +0100
@@ -141,6 +141,7 @@
 optional_policy(`
 	snmp_read_snmp_var_lib_files(cyrus_t)
 	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+	snmp_stream_connect(cyrus_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc	2009-02-10 15:07:15.000000000 +0100
@@ -4,6 +4,9 @@
 /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
 /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
 
+/lib/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+
 /var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 
 /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dbus.if	2009-04-14 10:39:44.000000000 +0200
@@ -53,19 +53,19 @@
 	gen_require(`
 		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
 		class dbus { send_msg acquire_svc };
+		attribute dbusd_unconfined;
+		attribute dbusd_userbus;
 	')
 
 	##############################
 	#
 	# Delcarations
 	#
-	type $1_dbusd_t;
+	type $1_dbusd_t, dbusd_userbus;
 	domain_type($1_dbusd_t)
 	domain_entry_file($1_dbusd_t, system_dbusd_exec_t)
 	role $3 types $1_dbusd_t;
 
-	type $1_dbusd_$1_t;
-
 	type $1_dbusd_tmp_t;
 	files_tmp_file($1_dbusd_tmp_t)
 
@@ -84,14 +84,19 @@
 	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
 	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
 
+	allow dbusd_unconfined  $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $1_dbusd_t dbusd_unconfined:dbus send_msg;
+
 	# For connecting to the bus
-	allow $2 $1_dbusd_t:unix_stream_socket connectto;
-	type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+	allow $2 $1_dbusd_t:unix_stream_socket { rw_socket_perms connectto };
+	allow $2 $1_dbusd_t:unix_dgram_socket getattr;
+	allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
 
 	# SE-DBus specific permissions
-	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
 	allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
-	allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+	allow $1_dbusd_t $2:dbus send_msg;
+	allow $2 $2:dbus send_msg;
+	allow $2 system_dbusd_t:dbus { send_msg acquire_svc };
 
 	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
 	read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
@@ -102,10 +107,9 @@
 	files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
 
 	domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
-	allow $2 $1_dbusd_t:process { sigkill signal };
+	allow $2 $1_dbusd_t:process { getattr ptrace signal_perms };
 
-	# cjp: this seems very broken
-	corecmd_bin_domtrans($1_dbusd_t, $2)
+	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 	allow $1_dbusd_t $2:process sigkill;
 	allow $2 $1_dbusd_t:fd use;
 	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -115,8 +119,8 @@
 	kernel_read_kernel_sysctls($1_dbusd_t)
 
 	corecmd_list_bin($1_dbusd_t)
-	corecmd_read_bin_symlinks($1_dbusd_t)
 	corecmd_read_bin_files($1_dbusd_t)
+	corecmd_read_bin_symlinks($1_dbusd_t)
 	corecmd_read_bin_pipes($1_dbusd_t)
 	corecmd_read_bin_sockets($1_dbusd_t)
 
@@ -139,6 +143,7 @@
 
 	fs_getattr_romfs($1_dbusd_t)
 	fs_getattr_xattr_fs($1_dbusd_t)
+	fs_list_inotifyfs($1_dbusd_t)
 
 	selinux_get_fs_mount($1_dbusd_t)
 	selinux_validate_context($1_dbusd_t)
@@ -161,12 +166,24 @@
 	seutil_read_config($1_dbusd_t)
 	seutil_read_default_contexts($1_dbusd_t)
 
-	userdom_read_user_home_content_files($1, $1_dbusd_t)
+	sysadm_dontaudit_search_home_dirs($1_dbusd_t)
+	unprivuser_read_home_content_files($1_dbusd_t)
+	unprivuser_dontaudit_append_home_content_files($1_dbusd_t)
+	term_dontaudit_use_all_user_ptys($1_dbusd_t)
+	term_dontaudit_use_all_user_ttys($1_dbusd_t)
 
 	ifdef(`hide_broken_symptoms', `
 		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
 	')
 
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_read_nfs_files($1_dbusd_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_read_cifs_files($1_dbusd_t)
+	')
+
 	tunable_policy(`read_default_t',`
 		files_list_default($1_dbusd_t)
 		files_read_default_files($1_dbusd_t)
@@ -180,9 +197,17 @@
 	')
 
 	optional_policy(`
+		gnome_read_gnome_config($1, $1_dbusd_t)
+		gnome_read_gconf_home_files($1_dbusd_t)
+	')
+
+	optional_policy(`
 		xserver_use_xdm_fds($1_dbusd_t)
 		xserver_rw_xdm_pipes($1_dbusd_t)
+		xserver_dontaudit_xdm_lib_search($1_dbusd_t)
+		xserver_rw_xdm_home_files($1_dbusd_t)
 	')
+
 ')
 
 #######################################
@@ -207,14 +232,12 @@
 		type system_dbusd_t, system_dbusd_t;
 		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
+		attribute dbusd_unconfined;
 	')
 
-#	type $1_dbusd_system_t;
-#	type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
-
 	# SE-DBus specific permissions
-#	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
-	allow $2 { system_dbusd_t self }:dbus send_msg;
+	allow $2 { system_dbusd_t $2 dbusd_unconfined }:dbus send_msg;
+	allow { system_dbusd_t dbusd_unconfined } $2:dbus send_msg;
 
 	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 	files_search_var_lib($2)
@@ -223,6 +246,10 @@
 	files_search_pids($2)
 	stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
 	dbus_read_config($2)
+
+	optional_policy(`
+		rpm_script_dbus_chat($2)
+	')
 ')
 
 #######################################
@@ -251,18 +278,16 @@
 template(`dbus_user_bus_client_template',`
 	gen_require(`
 		type $1_dbusd_t;
+		attribute dbusd_unconfined;
 		class dbus send_msg;
 	')
 
-#	type $2_dbusd_$1_t;
-#	type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
-
 	# SE-DBus specific permissions
-#	allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
 	allow $3 { $1_dbusd_t self }:dbus send_msg;
 
 	# For connecting to the bus
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
+	allow dbusd_unconfined $1_dbusd_t:dbus *;
 ')
 
 ########################################
@@ -292,6 +317,55 @@
 
 ########################################
 ## <summary>
+##	connectto a message on user/application specific DBUS.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`dbus_connectto_user_bus',`
+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Chat on user/application specific DBUS.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`dbus_chat_user_bus',`
+	gen_require(`
+		type $1_t;
+		type $1_dbusd_t;
+		class dbus send_msg;
+	')
+
+	allow $2 $1_dbusd_t:dbus send_msg;
+	allow $1_dbusd_t $2:dbus send_msg;
+	allow $2 $1_t:dbus send_msg;
+	allow $1_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Read dbus configuration.
 ## </summary>
 ## <param name="domain">
@@ -366,3 +440,122 @@
 
 	allow $1 system_dbusd_t:dbus *;
 ')
+
+########################################
+## <summary>
+##	Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_unconfined',`
+	gen_require(`
+		attribute dbusd_unconfined;
+	')
+
+	typeattribute $1 dbusd_unconfined;
+')
+
+########################################
+## <summary>
+##	Create a domain for processes
+##	which can be started by the system dbus
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`dbus_system_domain',`
+	gen_require(`
+		type system_dbusd_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	role system_r types $1;
+
+	domtrans_pattern(system_dbusd_t, $2, $1)
+
+	dbus_system_bus_client_template($1, $1)
+	dbus_connect_system_bus($1)
+
+	userdom_dontaudit_search_admin_dir($1)
+
+	ifdef(`hide_broken_symptoms', `
+		dbus_dontaudit_rw_system_selinux_socket($1)
+	');
+')
+
+########################################
+## <summary>
+##	Dontaudit Read, and write system dbus TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:tcp_socket { read write };
+	allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+##	connectto a message on user/application specific DBUS.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`dbus_dontaudit_connectto_user_bus',`
+	gen_require(`
+		attribute dbusd_userbus;
+	')
+
+
+	dontaudit $2 dbusd_userbus:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	dontaudit attempts to use system_dbus_t selinux_socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_rw_system_selinux_socket',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.13/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dbus.te	2009-02-10 15:07:15.000000000 +0100
@@ -9,9 +9,11 @@
 #
 # Delcarations
 #
+attribute dbusd_unconfined;
+attribute dbusd_userbus;
 
 type dbusd_etc_t alias etc_dbusd_t;
-files_type(dbusd_etc_t)
+files_config_file(dbusd_etc_t)
 
 type system_dbusd_t alias dbusd_t;
 type system_dbusd_exec_t;
@@ -21,11 +23,23 @@
 files_tmp_file(system_dbusd_tmp_t)
 
 type system_dbusd_var_lib_t;
-files_pid_file(system_dbusd_var_lib_t)
+files_type(system_dbusd_var_lib_t)
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mls_systemhigh)
+	mls_fd_use_all_levels(system_dbusd_t)
+	mls_rangetrans_target(system_dbusd_t)
+	mls_file_read_all_levels(system_dbusd_t)
+	mls_socket_write_all_levels(system_dbusd_t)
+')
+
 ##############################
 #
 # Local policy
@@ -35,7 +49,7 @@
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms setcap };
+allow system_dbusd_t self:process { getattr signal_perms setpgid getcap setcap };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
@@ -43,6 +57,8 @@
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
+can_exec(system_dbusd_t, system_dbusd_exec_t)
+
 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
@@ -65,6 +81,8 @@
 
 fs_getattr_all_fs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
 
 selinux_get_fs_mount(system_dbusd_t)
 selinux_validate_context(system_dbusd_t)
@@ -81,7 +99,6 @@
 corecmd_list_bin(system_dbusd_t)
 corecmd_read_bin_pipes(system_dbusd_t)
 corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_bin(system_dbusd_t)
 
 domain_use_interactive_fds(system_dbusd_t)
 
@@ -91,6 +108,9 @@
 
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
+init_dbus_chat_script(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
 
 libs_use_ld_so(system_dbusd_t)
 libs_use_shared_libs(system_dbusd_t)
@@ -122,9 +142,38 @@
 ')
 
 optional_policy(`
+	consolekit_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+	gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
+	networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+	polkit_domtrans_auth(system_dbusd_t)
+	polkit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
 	sysnet_domtrans_dhcpc(system_dbusd_t)
 ')
 
 optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
+
+optional_policy(`
+	gen_require(`
+		type unconfined_dbusd_t;
+	')
+	unconfined_domain(unconfined_dbusd_t)
+	unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+	optional_policy(`
+		xserver_rw_xdm_xserver_shm(unconfined_dbusd_t)
+	')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.5.13/policy/modules/services/dcc.fc
--- nsaserefpolicy/policy/modules/services/dcc.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dcc.fc	2009-04-06 13:11:38.000000000 +0200
@@ -12,6 +12,8 @@
 
 /var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
 /var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/lib/dcc(/.*)?   			gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
 
 /var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
 /var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.13/policy/modules/services/dcc.if
--- nsaserefpolicy/policy/modules/services/dcc.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dcc.if	2009-02-10 15:07:15.000000000 +0100
@@ -72,6 +72,24 @@
 
 ########################################
 ## <summary>
+##	Send a signal to the dcc_client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_signal_client',`
+	gen_require(`
+		type dcc_client_t;
+	')
+
+	allow $1 dcc_client_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute dcc_client in the dcc_client domain, and
 ##	allow the specified role the dcc_client domain.
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.13/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dcc.te	2009-06-11 12:19:36.000000000 +0200
@@ -105,6 +105,8 @@
 files_read_etc_files(cdcc_t)
 files_read_etc_runtime_files(cdcc_t)
 
+auth_use_nsswitch(cdcc_t)
+
 libs_use_ld_so(cdcc_t)
 libs_use_shared_libs(cdcc_t)
 
@@ -112,19 +114,12 @@
 
 miscfiles_read_localization(cdcc_t)
 
-sysnet_read_config(cdcc_t)
-sysnet_dns_name_resolve(cdcc_t)
-
-optional_policy(`
-	nscd_socket_use(cdcc_t)
-')
-
 ########################################
 #
 # dcc procmail interface local policy
 #
 
-allow dcc_client_t self:capability setuid;
+allow dcc_client_t self:capability { setgid setuid };
 allow dcc_client_t self:unix_dgram_socket create_socket_perms;
 allow dcc_client_t self:udp_socket create_socket_perms;
 
@@ -136,11 +131,12 @@
 
 # Access files in /var/dcc. The map file can be updated
 allow dcc_client_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 corenet_all_recvfrom_unlabeled(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_bind_all_nodes(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_all_nodes(dcc_client_t)
 corenet_udp_sendrecv_all_ports(dcc_client_t)
@@ -148,6 +144,12 @@
 files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
 
+fs_getattr_xattr_fs(dcc_client_t)
+
+kernel_read_system_state(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
 libs_use_ld_so(dcc_client_t)
 libs_use_shared_libs(dcc_client_t)
 
@@ -155,11 +157,12 @@
 
 miscfiles_read_localization(dcc_client_t)
 
-sysnet_read_config(dcc_client_t)
-sysnet_dns_name_resolve(dcc_client_t)
+optional_policy(`
+	amavis_read_spool_files(dcc_client_t)
+')
 
 optional_policy(`
-	nscd_socket_use(dcc_client_t)
+	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 
 ########################################
@@ -191,6 +194,8 @@
 files_read_etc_files(dcc_dbclean_t)
 files_read_etc_runtime_files(dcc_dbclean_t)
 
+auth_use_nsswitch(dcc_dbclean_t)
+
 libs_use_ld_so(dcc_dbclean_t)
 libs_use_shared_libs(dcc_dbclean_t)
 
@@ -198,13 +203,6 @@
 
 miscfiles_read_localization(dcc_dbclean_t)
 
-sysnet_read_config(dcc_dbclean_t)
-sysnet_dns_name_resolve(dcc_dbclean_t)
-
-optional_policy(`
-	nscd_socket_use(dcc_dbclean_t)
-')
-
 ########################################
 #
 # Server daemon local policy
@@ -262,6 +260,8 @@
 fs_getattr_all_fs(dccd_t)
 fs_search_auto_mountpoints(dccd_t)
 
+auth_use_nsswitch(dccd_t)
+
 libs_use_ld_so(dccd_t)
 libs_use_shared_libs(dccd_t)
 
@@ -277,10 +277,6 @@
 sysadm_dontaudit_search_home_dirs(dccd_t)
 
 optional_policy(`
-	nscd_socket_use(dccd_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dccd_t)
 ')
 
@@ -336,6 +332,8 @@
 fs_getattr_all_fs(dccifd_t)
 fs_search_auto_mountpoints(dccifd_t)
 
+auth_use_nsswitch(dccifd_t)
+
 libs_use_ld_so(dccifd_t)
 libs_use_shared_libs(dccifd_t)
 
@@ -343,18 +341,10 @@
 
 miscfiles_read_localization(dccifd_t)
 
-sysnet_read_config(dccifd_t)
-sysnet_dns_name_resolve(dccifd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-
 sysadm_dontaudit_search_home_dirs(dccifd_t)
 
 optional_policy(`
-	nscd_socket_use(dccifd_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dccifd_t)
 ')
 
@@ -409,6 +399,8 @@
 fs_getattr_all_fs(dccm_t)
 fs_search_auto_mountpoints(dccm_t)
 
+auth_use_nsswitch(dccm_t)
+
 libs_use_ld_so(dccm_t)
 libs_use_shared_libs(dccm_t)
 
@@ -416,18 +408,10 @@
 
 miscfiles_read_localization(dccm_t)
 
-sysnet_read_config(dccm_t)
-sysnet_dns_name_resolve(dccm_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-
 sysadm_dontaudit_search_home_dirs(dccm_t)
 
 optional_policy(`
-	nscd_socket_use(dccm_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dccm_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.13/policy/modules/services/dhcp.fc
--- nsaserefpolicy/policy/modules/services/dhcp.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dhcp.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/dhcpd	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 
 /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.13/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dhcp.if	2009-02-10 15:07:15.000000000 +0100
@@ -19,3 +19,63 @@
 	sysnet_search_dhcp_state($1)
 	allow $1 dhcpd_state_t:file setattr;
 ')
+
+########################################
+## <summary>
+##	Execute dhcp server in the dhcp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`dhcpd_initrc_domtrans',`
+	gen_require(`
+		type dhcpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an dhcp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the dhcp domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dhcpd_admin',`
+	gen_require(`
+		type dhcpd_t; type dhcpd_tmp_t;	type dhcpd_state_t;
+		type dhcpd_var_run_t;
+		type dhcpd_initrc_exec_t;
+	')
+
+	allow $1 dhcpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dhcpd_t)
+	        
+	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 dhcpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, dhcpd_tmp_t)
+
+	admin_pattern($1, dhcpd_state_t)
+
+	files_list_pids($1)
+	admin_pattern($1, dhcpd_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.13/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dhcp.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,9 @@
 type dhcpd_exec_t;
 init_daemon_domain(dhcpd_t, dhcpd_exec_t)
 
+type dhcpd_initrc_exec_t;
+init_script_file(dhcpd_initrc_exec_t)
+
 type dhcpd_state_t;
 files_type(dhcpd_state_t)
 
@@ -24,13 +27,12 @@
 # Local policy
 #
 
-allow dhcpd_t self:capability net_raw;
+allow dhcpd_t self:capability { net_raw sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow dhcpd_t self:tcp_socket create_stream_socket_perms;
 allow dhcpd_t self:udp_socket create_socket_perms;
 # Allow dhcpd_t to use packet sockets
@@ -51,6 +53,7 @@
 
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
 
 corenet_all_recvfrom_unlabeled(dhcpd_t)
 corenet_all_recvfrom_netlabel(dhcpd_t)
@@ -88,6 +91,8 @@
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
 
+auth_use_nsswitch(dhcpd_t)
+
 libs_use_ld_so(dhcpd_t)
 libs_use_shared_libs(dhcpd_t)
 
@@ -95,7 +100,6 @@
 
 miscfiles_read_localization(dhcpd_t)
 
-sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
@@ -117,14 +121,6 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(dhcpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dhcpd_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dhcpd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,7 @@
+/etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
 /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)?		gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if	2009-02-10 15:07:15.000000000 +0100
@@ -1 +1,175 @@
 ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
+
+########################################
+## <summary>
+##	Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_domtrans',`
+	gen_require(`
+		type dnsmasq_exec_t;
+		type dnsmasq_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+')
+
+########################################
+## <summary>
+##	Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_initrc_domtrans',`
+	gen_require(`
+		type dnsmasq_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Send dnsmasq a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_signal',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+	allow $1 dnsmasq_t:process signal;
+')
+
+
+########################################
+## <summary>
+##	Send dnsmasq a signull
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_signull',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+	allow $1 dnsmasq_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send dnsmasq a sigkill
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_sigkill',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+	allow $1 dnsmasq_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Delete dnsmasq pid files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+	gen_require(`
+		type dnsmasq_var_run_t;
+	')
+
+	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read dnsmasq pid files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_read_pid_files',`
+	gen_require(`
+		type dnsmasq_var_run_t;
+	')
+
+	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an dnsmasq environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the dnsmasq domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dnsmasq_admin',`
+	gen_require(`
+		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+		type dnsmasq_initrc_exec_t;
+	')
+
+	allow $1 dnsmasq_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dnsmasq_t)
+	        
+	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 dnsmasq_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var_lib($1)
+	admin_pattern($1, dnsmasq_lease_t)
+
+	files_list_pids($1)
+	admin_pattern($1, dnsmasq_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,9 @@
 type dnsmasq_exec_t;
 init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
 
+type dnsmasq_initrc_exec_t;
+init_script_file(dnsmasq_initrc_exec_t)
+
 type dnsmasq_lease_t;
 files_type(dnsmasq_lease_t)
 
@@ -23,7 +26,7 @@
 
 allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
 dontaudit dnsmasq_t self:capability sys_tty_config;
-allow dnsmasq_t self:process { setcap signal_perms };
+allow dnsmasq_t self:process { getcap setcap signal_perms };
 allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
 allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
 allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
@@ -32,7 +35,7 @@
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
 # dhcp leases
-allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t,  dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
 
 manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
@@ -55,8 +58,7 @@
 corenet_tcp_bind_all_nodes(dnsmasq_t)
 corenet_udp_bind_all_nodes(dnsmasq_t)
 corenet_tcp_bind_dns_port(dnsmasq_t)
-corenet_udp_bind_dns_port(dnsmasq_t)
-corenet_udp_bind_dhcpd_port(dnsmasq_t)
+corenet_udp_bind_all_ports(dnsmasq_t)
 corenet_sendrecv_dns_server_packets(dnsmasq_t)
 corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
 
@@ -67,10 +69,13 @@
 
 # allow access to dnsmasq.conf
 files_read_etc_files(dnsmasq_t)
+files_read_etc_runtime_files(dnsmasq_t)
 
 fs_getattr_all_fs(dnsmasq_t)
 fs_search_auto_mountpoints(dnsmasq_t)
 
+auth_use_nsswitch(dnsmasq_t)
+
 libs_use_ld_so(dnsmasq_t)
 libs_use_shared_libs(dnsmasq_t)
 
@@ -78,14 +83,12 @@
 
 miscfiles_read_localization(dnsmasq_t)
 
-sysnet_read_config(dnsmasq_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 
 sysadm_dontaudit_search_home_dirs(dnsmasq_t)
 
 optional_policy(`
-	nis_use_ypbind(dnsmasq_t)
+	cron_manage_pid_files(dnsmasq_t)
 ')
 
 optional_policy(`
@@ -95,3 +98,8 @@
 optional_policy(`
 	udev_read_db(dnsmasq_t)
 ')
+
+optional_policy(`
+	virt_manage_lib_files(dnsmasq_t)
+	virt_manage_pid_files(dnsmasq_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.13/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.fc	2009-02-10 15:07:15.000000000 +0100
@@ -6,6 +6,7 @@
 /etc/dovecot\.passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
 /etc/pki/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot	--	gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
 
 #
 # /usr
@@ -17,23 +18,22 @@
 
 ifdef(`distro_debian', `
 /usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 ')
 
 ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 ')
 
 #
 # /var
 #
 /var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
-# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
-/var/run/dovecot/login/ssl-parameters.dat	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
 /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
-
-
-
+/var/log/dovecot\.log.*			gen_context(system_u:object_r:dovecot_var_log_t,s0)
 
+/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.13/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.if	2009-02-10 15:07:15.000000000 +0100
@@ -21,7 +21,46 @@
 
 ########################################
 ## <summary>
-##      Do not audit attempts to delete dovecot lib files.
+##	Connect to dovecot auth unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_auth_stream_connect',`
+	gen_require(`
+		type dovecot_auth_t, dovecot_var_run_t;
+	')
+
+	allow $1 dovecot_var_run_t:dir search;
+	allow $1 dovecot_var_run_t:sock_file write;
+	allow $1 dovecot_auth_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Execute dovecot_deliver in the dovecot_deliver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dovecot_domtrans_deliver',`
+	gen_require(`
+		type dovecot_deliver_t, dovecot_deliver_exec_t;
+	')
+
+	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
+#######################################
+## <summary>
+##      Do not audit attempts to d`elete dovecot lib files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
@@ -36,3 +75,60 @@
 
 	dontaudit $1 dovecot_var_lib_t:file unlink;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an dovecot environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the dovecot domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_admin',`
+	gen_require(`
+		type dovecot_t, dovecot_etc_t, dovecot_log_t;
+		type dovecot_spool_t, dovecot_var_lib_t;
+		type dovecot_var_run_t;
+
+		type dovecot_cert_t, dovecot_passwd_t;
+		type dovecot_initrc_exec_t;
+	')
+
+	allow $1 dovecot_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dovecot_t)
+	        
+	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 dovecot_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, dovecot_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, dovecot_log_t)
+
+	files_list_spool($1)
+	admin_pattern($1, dovecot_spool_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, dovecot_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, dovecot_var_run_t)
+
+	admin_pattern($1, dovecot_cert_t)
+
+	admin_pattern($1, dovecot_passwd_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te	2009-03-06 09:53:17.000000000 +0100
@@ -15,12 +15,21 @@
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
 
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
 type dovecot_cert_t;
 files_type(dovecot_cert_t)
 
 type dovecot_etc_t;
 files_config_file(dovecot_etc_t)
 
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
 type dovecot_passwd_t;
 files_type(dovecot_passwd_t)
 
@@ -31,9 +40,15 @@
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t) 
 
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
 
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
 ########################################
 #
 # dovecot local policy
@@ -85,6 +100,7 @@
 dev_read_urand(dovecot_t)
 
 fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
 fs_search_auto_mountpoints(dovecot_t)
 fs_list_inotifyfs(dovecot_t)
 
@@ -98,7 +114,7 @@
 files_dontaudit_list_default(dovecot_t)
 # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
 files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
 
 init_getattr_utmp(dovecot_t)
 
@@ -120,7 +136,7 @@
 sysadm_dontaudit_search_home_dirs(dovecot_t)
 
 optional_policy(`
-	kerberos_use(dovecot_t)
+	kerberos_keytab_template(dovecot, dovecot_t)
 ')
 
 optional_policy(`
@@ -140,25 +156,40 @@
 # dovecot auth local policy
 #
 
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
 allow dovecot_auth_t self:process signal_perms;
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
 
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+read_files_pattern(dovecot_auth_t,dovecot_passwd_t,dovecot_passwd_t)
+#allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+
+# log files
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
 
 # Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
 files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_auth_stream_connect(dovecot_auth_t)
 
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
 
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
 dev_read_urand(dovecot_auth_t)
 
 auth_domtrans_chk_passwd(dovecot_auth_t)
@@ -167,6 +198,7 @@
 files_read_etc_files(dovecot_auth_t)
 files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
 files_read_usr_symlinks(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
 files_read_var_lib_files(dovecot_t)
@@ -185,5 +217,59 @@
 ')
 
 optional_policy(`
-	logging_send_syslog_msg(dovecot_auth_t)
+	mysql_search_db(dovecot_auth_t)
+	mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+	nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+	postfix_manage_private_sockets(dovecot_auth_t)
+	postfix_search_spool(dovecot_auth_t)
 ')
+
+# for gssapi (kerberos)
+userdom_list_unpriv_users_tmp(dovecot_auth_t) 
+userdom_read_unpriv_users_tmp_files(dovecot_auth_t) 
+userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t) 
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_spool_t, dovecot_spool_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_spool_t, dovecot_spool_t)
+manage_lnk_files_pattern(dovecot_deliver_t, dovecot_spool_t, dovecot_spool_t)
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
+fs_getattr_all_fs(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+libs_use_ld_so(dovecot_deliver_t)
+libs_use_shared_libs(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_auth_stream_connect(dovecot_deliver_t)
+
+userdom_priveleged_home_dir_manager(dovecot_deliver_t)
+
+optional_policy(`
+	mta_manage_spool(dovecot_deliver_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.13/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/exim.if	2009-02-10 15:07:15.000000000 +0100
@@ -97,6 +97,26 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to manage exim's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_manage_log',`
+	gen_require(`
+		type exim_log_t;
+	')
+
+	manage_files_pattern($1, exim_log_t, exim_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to append
 ##	exim log files.
 ## </summary>
@@ -154,3 +174,23 @@
 	manage_files_pattern($1, exim_spool_t, exim_spool_t)
 	files_search_spool($1)
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	exim spool dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_spool_dirs',`
+	gen_require(`
+		type exim_spool_t;
+	')
+
+	manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+	files_search_spool($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.13/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/exim.te	2009-02-10 15:07:15.000000000 +0100
@@ -21,9 +21,20 @@
 ## </desc>
 gen_tunable(exim_manage_user_files, false)
 
+## <desc>
+## <p>
+##     Allow exim to connect to databases (postgres, mysql)
+## </p>
+## </desc>
+gen_tunable(exim_can_connect_db, false)
+
 type exim_t;
 type exim_exec_t;
 init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_agent_executable(exim_exec_t)
 
 type exim_log_t;
 logging_log_file(exim_log_t)
@@ -42,10 +53,12 @@
 # exim local policy
 #
 
-allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource  };
+allow exim_t self:process { setrlimit setpgid };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket create_stream_socket_perms;
 allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
 
 can_exec(exim_t,exim_exec_t)
 
@@ -66,12 +79,15 @@
 files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(exim_t)
-
 kernel_dontaudit_read_system_state(exim_t)
+kernel_read_network_state(exim_t)
 
 corecmd_search_bin(exim_t)
 
 corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_udp_sendrecv_all_if(exim_t)
+corenet_udp_sendrecv_all_nodes(exim_t)
 corenet_tcp_sendrecv_all_if(exim_t)
 corenet_tcp_sendrecv_all_nodes(exim_t)
 corenet_tcp_sendrecv_all_ports(exim_t)
@@ -82,6 +98,8 @@
 corenet_tcp_connect_smtp_port(exim_t)
 corenet_tcp_connect_ldap_port(exim_t)
 corenet_tcp_connect_inetd_child_port(exim_t)
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
 
 dev_read_rand(exim_t)
 dev_read_urand(exim_t)
@@ -89,7 +107,10 @@
 # Init script handling
 domain_use_interactive_fds(exim_t)
 
+files_search_usr(exim_t)
+files_search_var(exim_t)
 files_read_etc_files(exim_t)
+files_read_etc_runtime_files(exim_t)
 
 auth_use_nsswitch(exim_t)
 
@@ -99,23 +120,86 @@
 logging_send_syslog_msg(exim_t)
 
 miscfiles_read_localization(exim_t)
+miscfiles_read_certs(exim_t)
 
-sysnet_dns_name_resolve(exim_t)
+fs_getattr_xattr_fs(exim_t)
+fs_list_inotifyfs(exim_t)
 
 unprivuser_dontaudit_search_home_dirs(exim_t)
 
 mta_read_aliases(exim_t)
-mta_rw_spool(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
 
 sysadm_dontaudit_search_home_dirs(exim_t)
 
 tunable_policy(`exim_read_user_files',`
-	userdom_read_unpriv_users_home_content_files(exim_t)
-	userdom_read_unpriv_users_tmp_files(exim_t)
+	unprivuser_read_home_content_files(exim_t)
+	unprivuser_read_tmp_files(exim_t)
 ')
 
 tunable_policy(`exim_manage_user_files',`
-	userdom_manage_unpriv_users_home_content_dirs(exim_t)
-	userdom_read_unpriv_users_tmp_files(exim_t)
-	userdom_write_unpriv_users_tmp_files(exim_t)
+	unprivuser_manage_home_content_dirs(exim_t)
+	unprivuser_read_tmp_files(exim_t)
+	unprivuser_write_tmp_files(exim_t)
+')
+
+tunable_policy(`exim_can_connect_db',`
+	corenet_tcp_connect_mysqld_port(exim_t)
+	corenet_sendrecv_mysqld_client_packets(exim_t)
+        corenet_tcp_connect_postgresql_port(exim_t)
+        corenet_sendrecv_postgresql_client_packets(exim_t)
+')
+
+optional_policy(`
+	dovecot_auth_stream_connect(exim_t)
+')
+
+optional_policy(`
+	tunable_policy(`exim_can_connect_db',`
+		mysql_stream_connect(exim_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`exim_can_connect_db',`
+		postgresql_stream_connect(exim_t)
+')
+')
+
+optional_policy(`
+	kerberos_keytab_template(exim, exim_t)
+')
+
+optional_policy(`
+	mailman_read_data_files(exim_t)
+	mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+	procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+	sasl_connect(exim_t)
+')
+
+optional_policy(`
+	cron_read_pipes(exim_t)
+	cron_rw_system_job_pipes(exim_t)
+')
+
+optional_policy(`
+	cyrus_stream_connect(exim_t)
+')
+
+optional_policy(`
+	clamav_domtrans_clamscan(exim_t)
+	clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+	spamassassin_exec(exim_t)
+	spamassassin_exec_client(exim_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.13/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fail2ban.fc	2009-04-14 11:02:53.000000000 +0200
@@ -2,5 +2,6 @@
 
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/var/lib/fail2ban(/.*)?  	gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
 /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
 /var/run/fail2ban.*		gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.13/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fail2ban.if	2009-04-14 11:02:23.000000000 +0200
@@ -60,6 +60,26 @@
 	allow $1 fail2ban_log_t:file append_file_perms;
 ')
 
+#######################################
+## <summary>
+## Read fail2ban lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_lib_files',`
+	gen_require(`
+  		type fail2ban_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 fail2ban_var_lib_t:file read_file_perms;
+')
+
+
 ########################################
 ## <summary>
 ##	Read fail2ban PID files.
@@ -79,6 +99,27 @@
 	allow $1 fail2ban_var_run_t:file read_file_perms;
 ')
 
+#######################################
+## <summary>
+##      Connect to fail2ban over a unix domain
+##      stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fail2ban_stream_connect',`
+        gen_require(`
+                type fail2ban_var_run_t, fail2ban_t;
+        ')
+
+        allow $1 fail2ban_t:unix_stream_socket connectto;
+        allow $1 fail2ban_var_run_t:sock_file { getattr write };
+        files_search_pids($1)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
@@ -100,6 +141,7 @@
 	gen_require(`
 		type fail2ban_t, fail2ban_log_t;
 		type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+		type fail2ban_var_lib_t;
 	')
 
 	allow $1 fail2ban_t:process { ptrace signal_perms };
@@ -113,6 +155,9 @@
 	logging_list_logs($1)
 	admin_pattern($1, fail2ban_log_t)
 
+	files_list_var_lib($1)
+	admin_pattern($1, fail2ban_var_lib_t)
+
 	files_list_pids($1)
 	admin_pattern($1, fail2ban_var_run_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.13/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fail2ban.te	2009-04-14 10:56:48.000000000 +0200
@@ -17,6 +17,10 @@
 type fail2ban_log_t;
 logging_log_file(fail2ban_log_t)
 
+# lib files
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
 # pid files
 type fail2ban_var_run_t;
 files_pid_file(fail2ban_var_run_t)
@@ -27,6 +31,7 @@
 #
 
 allow fail2ban_t self:process signal;
+dontaudit fail2ban_t self:capability sys_tty_config;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow fail2ban_t self:tcp_socket create_stream_socket_perms;
@@ -36,6 +41,11 @@
 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
 
+# lib files
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
+
 # pid file
 manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.fc serefpolicy-3.5.13/policy/modules/services/fetchmail.fc
--- nsaserefpolicy/policy/modules/services/fetchmail.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.fc	2009-03-05 15:02:41.000000000 +0100
@@ -11,9 +11,11 @@
 
 /usr/bin/fetchmail		--	gen_context(system_u:object_r:fetchmail_exec_t,s0)
 
+
 #
 # /var
 #
 
+/var/log/fetchmail\.log     	--      gen_context(system_u:object_r:fetchmail_log_t,s0)
 /var/run/fetchmail/.*		--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
 /var/mail/\.fetchmail-UIDL-cache --	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.13/policy/modules/services/fetchmail.if
--- nsaserefpolicy/policy/modules/services/fetchmail.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.if	2009-03-05 15:06:34.000000000 +0100
@@ -1,5 +1,25 @@
 ## <summary>Remote-mail retrieval and forwarding utility</summary>
 
+#######################################
+## <summary>
+##      Allow the specified domain to append
+##      fetchmail log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`fetchmail_append_log',`
+        gen_require(`
+                type fetchmail_log_t;
+        ')
+
+        logging_search_logs($1)
+        append_files_pattern($1, fetchmail_log_t, fetchmail_log_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
@@ -21,10 +41,10 @@
 	ps_process_pattern($1, fetchmail_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, fetchmail_etc_t, fetchmail_etc_t)
+	admin_pattern($1, fetchmail_etc_t)
 
-	manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t)
+	admin_pattern($1, fetchmail_uidl_cache_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t)
+	admin_pattern($1, fetchmail_var_run_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.13/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.te	2009-03-05 15:01:19.000000000 +0100
@@ -19,6 +19,9 @@
 type fetchmail_uidl_cache_t;
 files_type(fetchmail_uidl_cache_t)
 
+type fetchmail_log_t;
+logging_log_file(fetchmail_log_t)
+
 ########################################
 #
 # Local policy
@@ -40,6 +43,9 @@
 manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
 files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file)
 
+manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+logging_log_filetrans(fetchmail_t,fetchmail_log_t,file)
+
 kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
 kernel_getattr_proc_files(fetchmail_t)
@@ -91,6 +97,10 @@
 ')
 
 optional_policy(`
+	sendmail_manage_log(fetchmail_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(fetchmail_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.13/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ftp.te	2009-07-03 11:05:13.000000000 +0200
@@ -26,7 +26,7 @@
 ## <desc>
 ## <p>
 ## Allow ftp servers to use cifs
-## used for public file transfer services.
+## for public file transfer services.
 ## </p>
 ## </desc>
 gen_tunable(allow_ftpd_use_cifs, false)
@@ -34,7 +34,7 @@
 ## <desc>
 ## <p>
 ## Allow ftp servers to use nfs
-## used for public file transfer services.
+## for public file transfer services.
 ## </p>
 ## </desc>
 gen_tunable(allow_ftpd_use_nfs, false)
@@ -46,6 +46,14 @@
 ## </desc>
 gen_tunable(ftp_home_dir, false)
 
+## <desc>
+## <p>
+## Allow ftp servers to use connect to mysql database
+## </p>
+## </desc>
+gen_tunable(ftpd_connect_db, false)
+
+
 type ftpd_t;
 type ftpd_exec_t;
 init_daemon_domain(ftpd_t, ftpd_exec_t)
@@ -92,6 +100,8 @@
 allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms;
+allow ftpd_t self:key manage_key_perms;
 
 allow ftpd_t ftpd_etc_t:file read_file_perms;
 
@@ -158,8 +168,10 @@
 files_read_etc_runtime_files(ftpd_t)
 files_search_var_lib(ftpd_t)
 
+fs_list_inotifyfs(ftpd_t)
 fs_search_auto_mountpoints(ftpd_t)
 fs_getattr_all_fs(ftpd_t)
+fs_search_fusefs_dirs(ftpd_t)
 
 auth_use_nsswitch(ftpd_t)
 auth_domtrans_chk_passwd(ftpd_t)
@@ -226,8 +238,16 @@
 	userdom_manage_all_users_home_content_dirs(ftpd_t)
 	userdom_manage_all_users_home_content_files(ftpd_t)
 	userdom_manage_all_users_home_content_symlinks(ftpd_t)
+	auth_manage_all_files_except_shadow(ftpd_t)
+
+	auth_read_all_dirs_except_shadow(ftpd_t)
+	auth_read_all_files_except_shadow(ftpd_t)
+	auth_read_all_symlinks_except_shadow(ftpd_t)
 ')
 
+# Needed for permissive mode, to make sure everything gets labeled correctly
+userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
+
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
 	fs_manage_nfs_files(ftpd_t)
 	fs_read_nfs_symlinks(ftpd_t)
@@ -238,6 +258,11 @@
 	fs_read_cifs_symlinks(ftpd_t)
 ')
 
+tunable_policy(`ftpd_connect_db',`
+	corenet_tcp_connect_mysqld_port(ftpd_t)
+	corenet_tcp_connect_postgresql_port(ftpd_t)
+')
+
 optional_policy(`
 	tunable_policy(`ftp_home_dir',`
 		apache_search_sys_content(ftpd_t)
@@ -245,6 +270,18 @@
 ')
 
 optional_policy(`
+       tunable_policy(`ftpd_connect_db',`
+               mysql_stream_connect(ftpd_t)
+       ')
+')
+
+optional_policy(`
+	tunable_policy(`ftpd_connect_db',`
+		postgresql_stream_connect(ftpd_t)
+	')
+')
+
+optional_policy(`
 	corecmd_exec_shell(ftpd_t)
 
 	files_read_usr_files(ftpd_t)
@@ -261,7 +298,9 @@
 ')
 
 optional_policy(`
-	kerberos_read_keytab(ftpd_t)
+	kerberos_keytab_template(ftpd, ftpd_t)
+	kerberos_manage_host_rcache(ftpd_t)
+	selinux_validate_context(ftpd_t)
 ')
 
 optional_policy(`
@@ -273,6 +312,14 @@
 ')
 
 optional_policy(`
+	dbus_system_bus_client_template(notused, ftpd_t)
+	optional_policy(`
+		oddjob_dbus_chat(ftpd_t)
+		oddjob_domtrans_mkhomedir(ftpd_t)
+	')
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(ftpd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.13/policy/modules/services/gamin.fc
--- nsaserefpolicy/policy/modules/services/gamin.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gamin.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,2 @@
+
+/usr/libexec/gam_server	--	gen_context(system_u:object_r:gamin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.13/policy/modules/services/gamin.if
--- nsaserefpolicy/policy/modules/services/gamin.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gamin.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,57 @@
+
+## <summary>policy for gamin</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run gamin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gamin_domtrans',`
+	gen_require(`
+		type gamin_t;
+                type gamin_exec_t;
+	')
+
+	domtrans_pattern($1, gamin_exec_t, gamin_t)
+')
+
+########################################
+## <summary>
+##	Execute gamin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gamin_exec',`
+	gen_require(`
+                type gamin_exec_t;
+	')
+
+	can_exec($1, gamin_exec_t)
+')
+
+########################################
+## <summary>
+##	Connect to gamin over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gamin_stream_connect',`
+	gen_require(`
+		type gamin_t;
+	')
+
+	allow $1 gamin_t:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.13/policy/modules/services/gamin.te
--- nsaserefpolicy/policy/modules/services/gamin.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gamin.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,39 @@
+policy_module(gamin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gamin_t;
+type gamin_exec_t;
+application_domain(gamin_t, gamin_exec_t)
+role system_r types gamin_t;
+
+########################################
+#
+# gamin local policy
+#
+
+# Init script handling
+domain_use_interactive_fds(gamin_t)
+allow gamin_t self:capability sys_ptrace;
+
+# internal communication is often done using fifo and unix sockets.
+allow gamin_t self:fifo_file rw_file_perms;
+allow gamin_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(gamin_t)
+files_read_etc_runtime_files(gamin_t)
+files_list_all(gamin_t)
+files_getattr_all_files(gamin_t)
+
+fs_list_inotifyfs(gamin_t)
+domain_read_all_domains_state(gamin_t)
+domain_dontaudit_ptrace_all_domains(gamin_t)
+
+libs_use_ld_so(gamin_t)
+libs_use_shared_libs(gamin_t)
+
+miscfiles_read_localization(gamin_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.13/policy/modules/services/gnomeclock.fc
--- nsaserefpolicy/policy/modules/services/gnomeclock.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,3 @@
+
+/usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.13/policy/modules/services/gnomeclock.if
--- nsaserefpolicy/policy/modules/services/gnomeclock.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,75 @@
+
+## <summary>policy for gnomeclock</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run gnomeclock.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_domtrans',`
+	gen_require(`
+		type gnomeclock_t;
+                type gnomeclock_exec_t;
+	')
+
+	domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
+')
+
+
+########################################
+## <summary>
+##	Execute gnomeclock in the gnomeclock domain, and
+##	allow the specified role the gnomeclock domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the gnomeclock domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`gnomeclock_run',`
+	gen_require(`
+		type gnomeclock_t;
+	')
+
+	gnomeclock_domtrans($1)
+	role $2 types gnomeclock_t;
+	dontaudit gnomeclock_t $3:chr_file rw_term_perms;
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	gnomeclock over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnomeclock_dbus_chat',`
+	gen_require(`
+		type gnomeclock_t;
+		class dbus send_msg;
+	')
+
+	allow $1 gnomeclock_t:dbus send_msg;
+	allow gnomeclock_t $1:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.13/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,55 @@
+policy_module(gnomeclock, 1.0.0)
+########################################
+#
+# Declarations
+#
+
+type gnomeclock_t;
+type gnomeclock_exec_t;
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+
+########################################
+#
+# gnomeclock local policy
+#
+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:process { getattr getsched };
+
+# internal communication is often done using fifo and unix sockets.
+allow gnomeclock_t self:fifo_file rw_file_perms;
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_bin(gnomeclock_t)
+
+userdom_ptrace_all_users(gnomeclock_t)
+
+files_read_etc_files(gnomeclock_t)
+files_read_usr_files(gnomeclock_t)
+
+miscfiles_manage_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
+
+fs_list_inotifyfs(gnomeclock_t)
+
+auth_use_nsswitch(gnomeclock_t)
+
+libs_use_ld_so(gnomeclock_t)
+libs_use_shared_libs(gnomeclock_t)
+
+miscfiles_read_localization(gnomeclock_t)
+
+userdom_read_all_users_state(gnomeclock_t)
+
+optional_policy(`
+	consolekit_dbus_chat(gnomeclock_t)
+')
+
+optional_policy(`
+	clock_domtrans(gnomeclock_t)
+')
+
+optional_policy(`
+	polkit_domtrans_auth(gnomeclock_t)
+	polkit_read_lib(gnomeclock_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.5.13/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gpsd.fc	2009-03-10 13:22:11.000000000 +0100
@@ -0,0 +1,3 @@
+
+/usr/sbin/gpsd                 --      gen_context(system_u:object_r:gpsd_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.5.13/policy/modules/services/gpsd.if
--- nsaserefpolicy/policy/modules/services/gpsd.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gpsd.if	2009-03-10 13:22:11.000000000 +0100
@@ -0,0 +1,89 @@
+## <summary>gpsd monitor daemon</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run gpsd.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gpsd_domtrans',`
+        gen_require(`
+                type gpsd_t, gpsd_exec_t;
+        ')
+
+        domtrans_pattern($1, gpsd_exec_t, gpsd_t)
+')
+
+########################################
+## <summary>
+##      Execute gpsd in the gpsd domain, and
+##      allow the specified role the gpsd domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed the gpsd domain.
+##      </summary>
+## </param>
+## <param name="terminal">
+##      <summary>
+##      The type of the role's terminal.
+##      </summary>
+## </param>
+#
+interface(`gpsd_run',`
+        gen_require(`
+                type gpsd_t;
+        ')
+
+        gpsd_domtrans($1)
+        role $2 types gpsd_t;
+        allow gpsd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>    
+##      Read and write to gpsd shared memory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`gpsd_rw_shm',`
+        gen_require(`
+                type gpsd_t;
+        ')
+
+        allow $1 gpsd_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##      Read/write gpsd tmpfs files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`gpsd_rw_tmpfs_files',`
+        gen_require(`
+                type gpsd_tmpfs_t;
+        ')
+
+        fs_search_tmpfs($1)
+        allow $1 gpsd_tmpfs_t:dir list_dir_perms;
+        rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+        read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.5.13/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/gpsd.te	2009-08-21 09:52:33.000000000 +0200
@@ -0,0 +1,55 @@
+policy_module(gpsd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpsd_t;
+type gpsd_exec_t;
+application_domain(gpsd_t, gpsd_exec_t)
+role system_r types gpsd_t;
+
+type gpsd_tmpfs_t;
+files_tmpfs_file(gpsd_tmpfs_t)
+
+########################################
+#
+# gpsd local policy
+#
+
+allow gpsd_t self:capability { setuid sys_nice setgid fowner fsetid};
+allow gpsd_t self:process setsched;
+allow gpsd_t self:shm create_shm_perms;
+allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow gpsd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+
+corenet_tcp_bind_all_nodes(gpsd_t)
+corenet_tcp_bind_gpsd_port(gpsd_t)
+
+term_use_unallocated_ttys(gpsd_t)
+term_setattr_unallocated_ttys(gpsd_t)
+
+auth_use_nsswitch(gpsd_t)
+
+libs_use_ld_so(gpsd_t)
+libs_use_shared_libs(gpsd_t)
+
+logging_send_syslog_msg(gpsd_t)
+
+miscfiles_read_localization(gpsd_t)
+
+optional_policy(`
+	ntpd_rw_shm(gpsd_t)
+	ntpd_rw_tmpfs_files(gpsd_t)
+')
+
+optional_policy(`
+        dbus_system_bus_client_template(gpsd, gpsd_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.13/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/hal.fc	2009-02-10 15:07:15.000000000 +0100
@@ -5,10 +5,12 @@
 /usr/bin/hal-setup-keymap		--	gen_context(system_u:object_r:hald_keymap_exec_t,s0)
 
 /usr/libexec/hal-acl-tool		--	gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hal-dccm			--	gen_context(system_u:object_r:hald_dccm_exec_t,s0)
 /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
 /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
 /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 /usr/libexec/hald-addon-macbook-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/sbin/radeontool			  --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 
 /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
 
@@ -17,7 +19,7 @@
 /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 
 /var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
-/var/log/pm-suspend\.log			gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm-.*\.log				gen_context(system_u:object_r:hald_log_t,s0)
 
 /var/run/hald(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
 /var/run/haldaemon\.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.5.13/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/hal.if	2009-02-10 15:07:15.000000000 +0100
@@ -302,3 +302,42 @@
 	files_search_pids($1)
 	allow $1 hald_var_run_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to hal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_getattr',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:process getattr;
+')
+
+########################################
+## <summary>
+##f	Read hal system state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`hal_read_state',`
+	gen_require(`
+		type hald_t;
+	')
+	kernel_search_proc($1)
+	allow $1 hald_t:dir list_dir_perms;
+	read_files_pattern($1, hald_t, hald_t)
+	read_lnk_files_pattern($1, hald_t, hald_t)
+	dontaudit $1 hald_t:process ptrace;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/hal.te	2009-06-03 07:54:09.000000000 +0200
@@ -49,6 +49,15 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
 
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
+type hald_dccm_t;
+type hald_dccm_exec_t;
+domain_type(hald_dccm_t)
+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
+role system_r types hald_dccm_t;
+
 ########################################
 #
 # Local policy
@@ -85,6 +94,7 @@
 manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t)
 manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t)
 files_pid_filetrans(hald_t, hald_var_run_t, { dir file })
+allow hald_t hald_var_run_t:dir mounton;
 
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
@@ -141,13 +151,20 @@
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
+files_getattr_all_files(hald_t)
 files_read_kernel_img(hald_t)
 files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
 fs_list_inotifyfs(hald_t)
 fs_list_auto_mountpoints(hald_t)
+fs_mount_dos_fs(hald_t)
+fs_unmount_dos_fs(hald_t)
+fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
+
 files_getattr_all_mountpoints(hald_t)
 
 mls_file_read_all_levels(hald_t)
@@ -197,6 +214,7 @@
 seutil_read_file_contexts(hald_t)
 
 sysnet_read_config(hald_t)
+sysnet_domtrans_dhcpc(hald_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 
@@ -280,6 +298,16 @@
 ')
 
 optional_policy(`
+	polkit_domtrans_auth(hald_t)
+	polkit_domtrans_resolve(hald_t)
+	polkit_read_lib(hald_t)
+')
+
+optional_policy(`
+	ppp_read_rw_config(hald_t)
+') 
+
+optional_policy(`
 	rpc_search_nfs_state_data(hald_t)
 ')
 
@@ -300,12 +328,20 @@
 	vbetool_domtrans(hald_t)
 ')
 
+optional_policy(`
+	virt_manage_images(hald_t)
+')
+
+optional_policy(`
+	xserver_read_pid(hald_t)
+')
+
 ########################################
 #
 # Hal acl local policy
 #
 
-allow hald_acl_t self:capability { dac_override fowner };
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
 allow hald_acl_t self:process { getattr signal };
 allow hald_acl_t self:fifo_file rw_fifo_file_perms;
 
@@ -326,6 +362,7 @@
 dev_getattr_all_chr_files(hald_acl_t)
 dev_setattr_all_chr_files(hald_acl_t)
 dev_getattr_generic_usb_dev(hald_acl_t)
+dev_getattr_mouse_dev(hald_acl_t)
 dev_getattr_video_dev(hald_acl_t)
 dev_setattr_video_dev(hald_acl_t)
 dev_getattr_sound_dev(hald_acl_t)
@@ -338,19 +375,30 @@
 
 storage_getattr_removable_dev(hald_acl_t)
 storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
 
 auth_use_nsswitch(hald_acl_t)
 
 libs_use_ld_so(hald_acl_t)
 libs_use_shared_libs(hald_acl_t)
 
+logging_send_syslog_msg(hald_acl_t)
+
 miscfiles_read_localization(hald_acl_t)
 
+optional_policy(`
+	polkit_domtrans_auth(hald_acl_t)
+	polkit_read_lib(hald_acl_t)
+')
+
 ########################################
 #
 # Local hald mac policy
 #
 
+allow hald_mac_t self:capability { setgid setuid sys_admin };
+
 domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
 allow hald_t hald_mac_t:process signal;
 allow hald_mac_t hald_t:unix_stream_socket connectto;
@@ -359,6 +407,8 @@
 manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_mac_t)
 
+write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
+
 kernel_read_system_state(hald_mac_t)
 
 dev_read_raw_memory(hald_mac_t)
@@ -366,10 +416,15 @@
 dev_read_sysfs(hald_mac_t)
 
 files_read_usr_files(hald_mac_t)
+files_read_etc_files(hald_mac_t)
+
+auth_use_nsswitch(hald_mac_t)
 
 libs_use_ld_so(hald_mac_t)
 libs_use_shared_libs(hald_mac_t)
 
+logging_send_syslog_msg(hald_mac_t)
+
 miscfiles_read_localization(hald_mac_t)
 
 ########################################
@@ -388,6 +443,8 @@
 manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_sonypic_t)
 
+write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
+
 files_read_usr_files(hald_sonypic_t)
 
 libs_use_ld_so(hald_sonypic_t)
@@ -408,6 +465,8 @@
 manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_keymap_t)
 
+write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
 dev_rw_input_dev(hald_keymap_t)
 
 files_read_usr_files(hald_keymap_t)
@@ -419,4 +478,53 @@
 
 # This is caused by a bug in hald and PolicyKit.  
 # Should be removed when this is fixed
-#cron_read_system_job_lib_files(hald_t)
+cron_read_system_job_lib_files(hald_t)
+
+########################################
+#
+# Local hald dccm policy
+#
+allow hald_dccm_t self:capability { net_bind_service };
+allow hald_dccm_t self:process getsched;
+
+allow hald_dccm_t self:unix_dgram_socket create_socket_perms;
+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+allow hald_dccm_t self:udp_socket create_socket_perms;
+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+
+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
+allow hald_t hald_dccm_t:process signal;
+allow hald_dccm_t hald_t:unix_stream_socket connectto;
+
+corenet_all_recvfrom_unlabeled(hald_dccm_t)
+corenet_all_recvfrom_netlabel(hald_dccm_t)
+corenet_tcp_sendrecv_all_if(hald_dccm_t)
+corenet_udp_sendrecv_all_if(hald_dccm_t)
+corenet_tcp_sendrecv_all_nodes(hald_dccm_t)
+corenet_udp_sendrecv_all_nodes(hald_dccm_t)
+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
+corenet_udp_sendrecv_all_ports(hald_dccm_t)
+corenet_tcp_bind_all_nodes(hald_dccm_t)
+corenet_udp_bind_all_nodes(hald_dccm_t)
+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+corenet_tcp_bind_ftps_port(hald_dccm_t)
+corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+kernel_search_network_sysctl(hald_dccm_t)
+
+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_dccm_t)
+
+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+files_read_usr_files(hald_dccm_t)
+
+libs_use_ld_so(hald_dccm_t)
+libs_use_shared_libs(hald_dccm_t)
+
+logging_send_syslog_msg(hald_dccm_t)
+
+miscfiles_read_localization(hald_dccm_t)
+
+permissive hald_dccm_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.5.13/policy/modules/services/inetd.fc
--- nsaserefpolicy/policy/modules/services/inetd.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/inetd.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,6 +1,8 @@
 
 /usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
 /usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
+/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
+
 /usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/xinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.13/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/inetd.te	2009-02-10 15:07:15.000000000 +0100
@@ -136,6 +136,7 @@
 domain_use_interactive_fds(inetd_t)
 
 files_read_etc_files(inetd_t)
+files_read_etc_runtime_files(inetd_t)
 
 libs_use_ld_so(inetd_t)
 libs_use_shared_libs(inetd_t)
@@ -223,6 +224,7 @@
 fs_getattr_xattr_fs(inetd_child_t)
 
 files_read_etc_files(inetd_child_t)
+files_read_etc_runtime_files(inetd_child_t)
 
 auth_use_nsswitch(inetd_child_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.5.13/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/kerberos.fc	2009-05-15 09:29:04.000000000 +0200
@@ -6,21 +6,23 @@
 /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
 /etc/rc\.d/init\.d/kadmind	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/kpropd	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 
 /usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
 /usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kadmin\.local --	gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kpropd         --    gen_context(system_u:object_r:kpropd_exec_t,s0)
 
 /usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
 /var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab --  gen_context(system_u:object_r:krb5_keytab_t,s0)
 /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok   gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 
 /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.13/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/kerberos.te	2009-05-15 09:15:30.000000000 +0200
@@ -33,6 +33,7 @@
 type kpropd_t;
 type kpropd_exec_t;
 init_daemon_domain(kpropd_t, kpropd_exec_t)
+domain_obj_id_change_exemption(kpropd_t)
 
 type krb5_conf_t;
 files_type(krb5_conf_t)
@@ -289,6 +290,7 @@
 
 allow kpropd_t krb5_keytab_t:file read_file_perms;
 
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
 
 corecmd_exec_bin(kpropd_t)
@@ -298,6 +300,7 @@
 corenet_tcp_sendrecv_all_nodes(kpropd_t)
 corenet_tcp_sendrecv_all_ports(kpropd_t)
 corenet_tcp_bind_all_nodes(kpropd_t)
+corenet_tcp_bind_kprop_port(kpropd_t)
 
 dev_read_urand(kpropd_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.13/policy/modules/services/kerneloops.if
--- nsaserefpolicy/policy/modules/services/kerneloops.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/kerneloops.if	2009-02-10 15:07:15.000000000 +0100
@@ -63,6 +63,25 @@
 
 ########################################
 ## <summary>
+##	Allow domain to manage kerneloops tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kerneloops_manage_tmp_files',`
+	gen_require(`
+		type kerneloops_tmp_t;
+	')
+
+	manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an kerneloops environment
 ## </summary>
@@ -81,6 +100,7 @@
 interface(`kerneloops_admin',`
 	gen_require(`
 		type kerneloops_t, kerneloops_initrc_exec_t;
+		type kerneloops_tmp_t;
 	')
 
 	allow $1 kerneloops_t:process { ptrace signal_perms };
@@ -90,4 +110,7 @@
 	domain_system_change_exemption($1)
 	role_transition $2 kerneloops_initrc_exec_t system_r;
 	allow $2 system_r;
+
+	admin_pattern($1, kerneloops_tmp_t)
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.13/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/kerneloops.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
 type kerneloops_initrc_exec_t;
 init_script_file(kerneloops_initrc_exec_t)
 
+type kerneloops_tmp_t;
+files_tmp_file(kerneloops_tmp_t)
+
 ########################################
 #
 # kerneloops local policy
@@ -23,6 +26,9 @@
 allow kerneloops_t self:fifo_file rw_file_perms;
 allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
 
+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
+files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)
+
 kernel_read_ring_buffer(kerneloops_t)
 
 # Init script handling
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.5.13/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ktalk.te	2009-02-25 19:56:42.000000000 +0100
@@ -69,6 +69,7 @@
 files_read_etc_files(ktalkd_t)
 
 term_search_ptys(ktalkd_t)
+term_use_all_terms(ktalkd_t)
 
 auth_use_nsswitch(ktalkd_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.13/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ldap.te	2009-02-10 15:07:15.000000000 +0100
@@ -121,7 +121,11 @@
 sysadm_dontaudit_search_home_dirs(slapd_t)
 
 optional_policy(`
-	kerberos_use(slapd_t)
+	kerberos_keytab_template(slapd, slapd_t)
+')
+
+optional_policy(`
+	sasl_connect(slapd_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.5.13/policy/modules/services/lircd.fc
--- nsaserefpolicy/policy/modules/services/lircd.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/lircd.fc	2009-03-27 14:57:13.000000000 +0100
@@ -0,0 +1,9 @@
+
+/dev/lircd             			-s      	gen_context(system_u:object_r:lircd_sock_t,s0)
+
+/etc/rc\.d/init\.d/lirc                 --              gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+/etc/lircd\.conf			--		gen_context(system_u:object_r:lircd_etc_t,s0)
+
+/usr/sbin/lircd				--		gen_context(system_u:object_r:lircd_exec_t,s0)
+
+/var/run/lircd\.pid					gen_context(system_u:object_r:lircd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.5.13/policy/modules/services/lircd.if
--- nsaserefpolicy/policy/modules/services/lircd.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/lircd.if	2009-03-22 16:10:11.000000000 +0100
@@ -0,0 +1,100 @@
+## <summary>Lirc daemon</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run lircd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lircd_domtrans',`
+	gen_require(`
+		type lircd_t, lircd_exec_t;
+	')
+
+	domain_auto_trans($1,lircd_exec_t,lircd_t)
+
+')
+
+#######################################
+## <summary>
+##      Read lircd etc file
+## </summary>
+## <param name="domain">
+## <summary>
+##      The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`lircd_read_etc',`
+	gen_require(`
+		type lircd_etc_t;
+        ')
+
+	read_files_pattern($1, lircd_etc_t, lircd_etc_t)
+')
+
+######################################
+## <summary>
+##      Connect to lircd over a unix domain
+##      stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`lircd_stream_connect',`
+        gen_require(`
+                type lircd_var_run_t, lircd_t;
+        ')
+
+        allow $1 lircd_t:unix_stream_socket connectto;
+        allow $1 lircd_sock_t:sock_file { getattr write };
+        files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an lircd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lircd_admin',`
+	gen_require(`
+		type lircd_t, lircd_var_run_t, lircd_sock_t;
+		type lircd_initrc_exec_t, lircd_etc_t;
+	')
+
+	allow $1 lircd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, lircd_t)
+
+	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 lircd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, lircd_etc_t)
+
+	files_search_pids($1)
+	admin_pattern($1, lircd_var_run_t)
+
+	admin_pattern($1, lircd_sock_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.5.13/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/lircd.te	2009-07-30 17:15:19.000000000 +0200
@@ -0,0 +1,70 @@
+policy_module(lircd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lircd_t;
+type lircd_exec_t;
+init_daemon_domain(lircd_t, lircd_exec_t)
+
+type lircd_initrc_exec_t;
+init_script_file(lircd_initrc_exec_t)
+
+# pid files
+type lircd_var_run_t;
+files_pid_file(lircd_var_run_t)
+
+# etc file
+type lircd_etc_t;
+files_config_file(lircd_etc_t)
+
+# type for lircd /dev/ sock file
+type lircd_sock_t;
+files_type(lircd_sock_t)
+
+########################################
+#
+# lircd local policy
+#
+
+allow lircd_t self:process signal;
+allow lircd_t self:fifo_file rw_fifo_file_perms;
+allow lircd_t self:unix_dgram_socket create_socket_perms;
+
+# etc file
+read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+# pid file
+manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
+files_pid_filetrans(lircd_t,lircd_var_run_t, { dir file })
+
+# /dev/lircd socket
+manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
+dev_filetrans(lircd_t, lircd_sock_t, sock_file )
+
+dev_filetrans_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
+dev_rw_lirc(lircd_t)
+
+dev_read_generic_usb_dev(lircd_t)
+
+files_read_etc_files(lircd_t)
+
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+
+logging_send_syslog_msg(lircd_t)
+
+libs_use_ld_so(lircd_t)
+libs_use_shared_libs(lircd_t)
+
+fs_list_inotifyfs(lircd_t)
+
+miscfiles_read_localization(lircd_t)
+
+permissive lircd_t;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.13/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/lpd.fc	2009-02-10 15:07:15.000000000 +0100
@@ -3,6 +3,8 @@
 #
 /dev/printer		-s	gen_context(system_u:object_r:printer_t,s0)
 
+/opt/gutenprint/s?bin(/.*)?	gen_context(system_u:object_r:lpr_exec_t,s0)
+
 #
 # /usr
 #
@@ -22,11 +24,15 @@
 /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
 /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
 
 #
 # /var
 #
 /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/cups-pdf(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.13/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mailman.fc	2009-02-10 15:07:15.000000000 +0100
@@ -31,3 +31,4 @@
 /var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
 ')
+/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.13/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mailman.if	2009-02-10 15:07:15.000000000 +0100
@@ -31,6 +31,12 @@
 	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
 	allow mailman_$1_t self:udp_socket create_socket_perms;
 
+	files_search_spool(mailman_$1_t)
+
+	manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+	manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+	manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
+
 	manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
 	manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
 	manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
@@ -64,6 +70,7 @@
 	corenet_sendrecv_smtp_client_packets(mailman_$1_t)
 
 	fs_getattr_xattr_fs(mailman_$1_t)
+	fs_list_inotifyfs(mailman_$1_t)
 
 	corecmd_exec_all_executables(mailman_$1_t)
 
@@ -193,6 +200,7 @@
 	')
 
 	read_files_pattern($1, mailman_data_t, mailman_data_t)
+	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
 
 #######################################
@@ -211,6 +219,7 @@
 		type mailman_data_t;
 	')
 
+	manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	manage_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
 
@@ -252,6 +261,25 @@
 
 #######################################
 ## <summary>
+##	read
+##	mailman logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_log',`
+	gen_require(`
+		type mailman_log_t;
+	')
+
+	read_files_pattern($1, mailman_log_t, mailman_log_t)
+')
+
+#######################################
+## <summary>
 ##	Append to mailman logs.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.13/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mailman.te	2009-02-10 15:07:15.000000000 +0100
@@ -53,10 +53,9 @@
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
 	apache_search_sys_script_state(mailman_cgi_t)
+	apache_read_config(mailman_cgi_t)
+	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
 
-	optional_policy(`
-		nscd_socket_use(mailman_cgi_t)
-	')
 ')
 
 ########################################
@@ -65,15 +64,30 @@
 #
 
 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t initrc_t:process signal;
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+
+files_search_spool(mailman_mail_t)
+fs_rw_anon_inodefs_files(mailman_mail_t)
+
+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
 
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
 
-ifdef(`TODO',`
 optional_policy(`
-	allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
-	# do we really need this?
-	allow mailman_mail_t qmail_lspawn_t:fifo_file write;
+	postfix_search_spool(mailman_mail_t)
 ')
+
+optional_policy(`
+        cron_read_pipes(mailman_mail_t)
+')
+
+optional_policy(`
+	courier_read_spool_files(mailman_mail_t)
 ')
 
 ########################################
@@ -104,6 +118,11 @@
 # some of the following could probably be changed to dontaudit, someone who
 # knows mailman well should test this out and send the changes
 sysadm_search_home_dirs(mailman_queue_t)
+sysadm_getattr_home_dirs(mailman_queue_t)
+
+optional_policy(`
+	apache_read_config(mailman_queue_t)
+')
 
 optional_policy(`
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.13/policy/modules/services/mailscanner.fc
--- nsaserefpolicy/policy/modules/services/mailscanner.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,2 @@
+/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.13/policy/modules/services/mailscanner.if
--- nsaserefpolicy/policy/modules/services/mailscanner.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,59 @@
+## <summary>Anti-Virus and Anti-Spam Filter</summary>
+
+########################################
+## <summary>
+##	Search mailscanner spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_search_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mailscanner_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	read mailscanner spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_read_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mailscanner spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_manage_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.13/policy/modules/services/mailscanner.te
--- nsaserefpolicy/policy/modules/services/mailscanner.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,5 @@
+
+policy_module(mailscanner, 1.0.0)
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.5.13/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/milter.fc	2009-05-04 10:32:34.000000000 +0200
@@ -0,0 +1,15 @@
+
+/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/spamass-milter			--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+/var/lib/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/run/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid			--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/milter.*                               --      gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
+/usr/sbin/milter-greylist                       --      gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+
+/var/lib/milter-greylist(/.*)?                          gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist(/.*)?                          gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid                   --      gen_context(system_u:object_r:greylist_milter_data_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.5.13/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/milter.if	2009-04-24 10:10:52.000000000 +0200
@@ -0,0 +1,104 @@
+## <summary>Milter mail filters</summary>
+
+########################################
+## <summary>
+##	Create a set of derived types for various
+##	mail filter applications using the milter interface.
+## </summary>
+## <param name="milter_name">
+##	<summary>
+##	The name to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`milter_template',`
+	# attributes common to all milters
+	gen_require(`
+		attribute milter_data_type, milter_domains;
+	')
+
+	type $1_milter_t, milter_domains;
+	type $1_milter_exec_t;
+	init_daemon_domain($1_milter_t, $1_milter_exec_t)
+	role system_r types $1_milter_t;
+
+	# Type for the milter data (e.g. the socket used to communicate with the MTA)
+	type $1_milter_data_t, milter_data_type;
+	files_type($1_milter_data_t);
+
+	allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+
+	# Allow communication with MTA over a unix-domain socket
+	# Note: usage with TCP sockets requires additional policy
+	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+	# Create other data files and directories in the data directory
+	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+	miscfiles_read_localization($1_milter_t)
+
+	logging_send_syslog_msg($1_milter_t)
+
+	 # Included in all domains upstream but not on F-10 or earlier
+	libs_use_ld_so($1_milter_t)
+	libs_use_shared_libs($1_milter_t)
+')
+
+########################################
+## <summary>
+##	MTA communication with milter sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_stream_connect_all',`
+	gen_require(`
+		attribute milter_data_type, milter_domains;
+	')
+
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+## <summary>
+##	Allow getattr of milter sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_getattr_all_sockets',`
+	gen_require(`
+		attribute milter_data_type;
+	')
+
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
+##	Manage spamassassin milter state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_manage_spamass_state',`
+	gen_require(`
+		type spamass_milter_state_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.5.13/policy/modules/services/milter.te
--- nsaserefpolicy/policy/modules/services/milter.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/milter.te	2009-05-04 10:31:04.000000000 +0200
@@ -0,0 +1,107 @@
+
+policy_module(milter, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-regex and spamass-milter
+milter_template(regex)
+milter_template(spamass)
+
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t);
+
+########################################
+#
+# milter-regex local policy
+#   filter emails using regular expressions
+#   http://www.benzedrine.cx/milter-regex.html
+#
+
+# The milter runs from /var/lib/spamass-milter
+files_search_var_lib(spamass_milter_t);
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+########################################
+#
+# spamass-milter local policy
+#   pipe emails through SpamAssassin
+#   http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+# The milter runs from /var/lib/spamass-milter
+files_search_var_lib(spamass_milter_t);
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+spamassassin_domtrans_spamc(spamass_milter_t)
+
+#######################################
+#
+# milter-greylist Declarations
+#
+
+milter_template(greylist)
+
+#######################################
+#
+# milter-greylist local policy
+#   ensure smtp clients retry mail like real MTAs and not spamware
+#   http://hcpnet.free.fr/milter-greylist/
+#
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+kernel_read_kernel_sysctls(greylist_milter_t)
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t);
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mta.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,4 @@
-/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
@@ -9,11 +9,15 @@
 /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
 ')
 
+/usr/bin/esmtp    		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/usr/lib/courier/bin/sendmail   -- gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp 		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
 
@@ -22,7 +26,3 @@
 /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
-
-#ifdef(`postfix.te', `', `
-#/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
-#')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.13/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mta.if	2009-03-27 13:19:43.000000000 +0100
@@ -133,6 +133,15 @@
 		sendmail_create_log($1_mail_t)
 	')
 
+	optional_policy(`
+		exim_read_log($1_mail_t)
+		exim_append_log($1_mail_t)
+		exim_manage_spool_files($1_mail_t)
+	')
+
+	optional_policy(`
+		uucp_manage_spool($1_mail_t)
+	')
 ')
 
 #######################################
@@ -220,6 +229,11 @@
 		fs_manage_cifs_symlinks($1_mail_t)
 	')
 
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_mail_t)
+		fs_manage_nfs_symlinks($1_mail_t)
+	')
+
 	optional_policy(`
 		allow $1_mail_t self:capability dac_override;
 
@@ -423,11 +437,13 @@
 	allow $1 mail_spool_t:dir list_dir_perms;
 	create_files_pattern($1, mail_spool_t, mail_spool_t)
 	read_files_pattern($1, mail_spool_t, mail_spool_t)
+	append_files_pattern($1, mail_spool_t, mail_spool_t)
 	create_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 
 	optional_policy(`
 		dovecot_manage_spool($1)
+		dovecot_domtrans_deliver($1)
 	')
 
 	optional_policy(`
@@ -462,6 +478,7 @@
 		# apache should set close-on-exec
 		apache_dontaudit_rw_stream_sockets($1)
 		apache_dontaudit_rw_sys_script_stream_sockets($1)
+		apache_append_log($1)
 	')
 ')
 
@@ -712,8 +729,8 @@
 
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
-	allow $1 mail_spool_t:lnk_file read;
-	allow $1 mail_spool_t:file getattr;
+	getattr_files_pattern($1, mail_spool_t, mail_spool_t)
+	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
 ########################################
@@ -731,11 +748,11 @@
 	gen_require(`
 		type mail_spool_t;
 	')
-
+	
 	files_dontaudit_search_spool($1)
-	dontaudit $1 mail_spool_t:dir search;
-	dontaudit $1 mail_spool_t:lnk_file read;
-	dontaudit $1 mail_spool_t:file getattr;
+        dontaudit $1 mail_spool_t:dir search;
+        dontaudit $1 mail_spool_t:lnk_file read;
+        dontaudit $1 mail_spool_t:file getattr;
 ')
 
 #######################################
@@ -786,7 +803,7 @@
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
 	allow $1 mail_spool_t:file setattr;
-	rw_files_pattern($1, mail_spool_t, mail_spool_t)
+	manage_files_pattern($1, mail_spool_t, mail_spool_t)
 	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
@@ -871,6 +888,25 @@
 	allow $1 mqueue_spool_t:dir search_dir_perms;
 ')
 
+######################################
+## <summary>
+##      List mail queue directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mta_list_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	files_search_spool($1)
+	list_dirs_pattern($1,mqueue_spool_t,mqueue_spool_t)
+')
+                                                
 #######################################
 ## <summary>
 ##	Do not audit attempts to read and
@@ -893,6 +929,25 @@
 
 ########################################
 ## <summary>
+##	read mail queue files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_read_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mail queue files.
 ## </summary>
@@ -909,6 +964,7 @@
 
 	files_search_spool($1)
 	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+	manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
 ')
 
 #######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.13/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mta.te	2009-04-14 10:49:52.000000000 +0200
@@ -39,34 +39,50 @@
 #
 
 # newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
 
 read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
 
 allow system_mail_t mta_exec_type:file entrypoint;
 
-allow system_mail_t mailcontent_type:file read_file_perms;
+can_exec(system_mail_t, mta_exec_type)
+
+files_read_all_tmp_files(system_mail_t)
 
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
 
+dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
+fs_rw_anon_inodefs_files(system_mail_t)
+fs_list_inotifyfs(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
 init_use_script_ptys(system_mail_t)
 
+logging_append_all_logs(system_mail_t)
+
+files_dontaudit_search_home(system_mail_t)
 sysadm_use_terms(system_mail_t)
 sysadm_dontaudit_search_home_dirs(system_mail_t)
+userdom_dontaudit_search_all_users_home_content(system_mail_t)
 
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
+	apache_search_bugzilla_dirs(system_mail_t)
 
 	# apache should set close-on-exec
 	apache_dontaudit_append_log(system_mail_t)
 	apache_dontaudit_rw_stream_sockets(system_mail_t)
 	apache_dontaudit_rw_tcp_sockets(system_mail_t)
 	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+	apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t)
 ')
 
 optional_policy(`
@@ -80,6 +96,13 @@
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
+	cron_rw_system_stream_sockets(system_mail_t)
+')
+
+optional_policy(`
+	courier_manage_spool_dirs(system_mail_t)
+	courier_manage_spool_files(system_mail_t)
+	courier_rw_spool_pipes(system_mail_t)
 ')
 
 optional_policy(`
@@ -87,6 +110,11 @@
 ')
 
 optional_policy(`
+	exim_domtrans(system_mail_t)
+	exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
 	logrotate_read_tmp_files(system_mail_t)
 ')
 
@@ -95,6 +123,11 @@
 ')
 
 optional_policy(`
+       # newaliases runs as system_mail_t when the sendmail initscript does a restart
+        milter_getattr_all_sockets(system_mail_t)
+')
+
+optional_policy(`
 	nagios_read_tmp_files(system_mail_t)
 ')
 
@@ -119,10 +152,6 @@
 		# compatability for old default main.cf
 		postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
 	')
-
-	optional_policy(`
-		cron_rw_tcp_sockets(system_mail_t)
-	')
 ')
 
 optional_policy(`
@@ -142,11 +171,44 @@
 ')
 
 optional_policy(`
+	clamav_stream_connect(system_mail_t)
+	clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
+	fail2ban_append_log(system_mail_t)
+')
+
+optional_policy(`
+	spamd_stream_connect(system_mail_t)
+')
+
+optional_policy(`
 	smartmon_read_tmp_files(system_mail_t)
 ')
 
-# should break this up among sections:
+optional_policy(`
+        unconfined_use_terms(system_mail_t)
+')
+
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(mailserver_delivery)
+	fs_manage_cifs_files(mailserver_delivery)
+	fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(mailserver_delivery)
+	fs_manage_nfs_files(mailserver_delivery)
+	fs_manage_nfs_symlinks(mailserver_delivery)
+')
 
+# should break this up among sections:
 optional_policy(`
 	# why is mail delivered to a directory of type arpwatch_data_t?
 	arpwatch_search_data(mailserver_delivery)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.5.13/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/munin.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,5 @@
 /etc/munin(/.*)?			gen_context(system_u:object_r:munin_etc_t,s0)
+/etc/rc\.d/init\.d/munin-node	--	gen_context(system_u:object_r:munin_initrc_exec_t,s0)
 
 /usr/bin/munin-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
 /usr/sbin/munin-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
@@ -6,6 +7,8 @@
 /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
 
 /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.5.13/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/munin.if	2009-02-10 15:07:15.000000000 +0100
@@ -21,6 +21,25 @@
 	files_search_pids($1)
 ')
 
+######################################
+## <summary>
+##      Do not audit attempts to read and write
+##      munin server TCP sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`munin_dontaudit_rw_tcp_sockets',`
+        gen_require(`
+		type munin_t;
+	')      
+
+	dontaudit $1 munin_t:tcp_socket { read write };
+')
+
 #######################################
 ## <summary>
 ##	Read munin configuration files.
@@ -80,3 +99,76 @@
 
 	dontaudit $1 munin_var_lib_t:dir search_dir_perms;
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	to munin log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_append_log',`
+	gen_require(`
+		type munin_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 munin_log_t:dir list_dir_perms;
+	append_files_pattern($1, munin_log_t, munin_log_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an munin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the munin domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_admin',`
+	gen_require(`
+		type munin_t, munin_etc_t, munin_tmp_t;
+		type munin_log_t, munin_var_lib_t, munin_var_run_t;
+		type httpd_munin_content_t;
+		type munin_initrc_exec_t;
+	')
+
+	allow $1 munin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, munin_t)
+	        
+	init_labeled_script_domtrans($1, munin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 munin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, munin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, munin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, munin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, munin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, munin_var_run_t)
+
+	admin_pattern($1, httpd_munin_content_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/munin.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
 type munin_etc_t alias lrrd_etc_t;
 files_config_file(munin_etc_t)
 
+type munin_initrc_exec_t;
+init_script_file(munin_initrc_exec_t)
+
 type munin_log_t alias lrrd_log_t;
 logging_log_file(munin_log_t)
 
@@ -30,21 +33,25 @@
 # Local policy
 #
 
-allow munin_t self:capability { setgid setuid };
+allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
 dontaudit munin_t self:capability sys_tty_config;
 allow munin_t self:process { getsched setsched signal_perms };
 allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(munin_t, munin_exec_t)
 
 allow munin_t munin_etc_t:dir list_dir_perms;
 read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
 read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
 files_search_etc(munin_t)
 
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t, munin_log_t, file)
+manage_dirs_pattern(munin_t, munin_log_t,  munin_log_t)
+manage_files_pattern(munin_t, munin_log_t,  munin_log_t)
+logging_log_filetrans(munin_t, munin_log_t, { file dir })
 
 manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
 manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
@@ -61,9 +68,11 @@
 files_pid_filetrans(munin_t, munin_var_run_t, file)
 
 kernel_read_system_state(munin_t)
-kernel_read_kernel_sysctls(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
 
 corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
 
 corenet_all_recvfrom_unlabeled(munin_t)
 corenet_all_recvfrom_netlabel(munin_t)
@@ -73,30 +82,41 @@
 corenet_udp_sendrecv_all_nodes(munin_t)
 corenet_tcp_sendrecv_all_ports(munin_t)
 corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
+corenet_tcp_bind_all_nodes(munin_t)
 
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
 
 domain_use_interactive_fds(munin_t)
+domain_read_all_domains_state(munin_t)
 
 files_read_etc_files(munin_t)
 files_read_etc_runtime_files(munin_t)
 files_read_usr_files(munin_t)
+files_list_spool(munin_t)
 
 fs_getattr_all_fs(munin_t)
 fs_search_auto_mountpoints(munin_t)
+fs_list_inotifyfs(munin_t)
+
+auth_use_nsswitch(munin_t)
 
 libs_use_ld_so(munin_t)
 libs_use_shared_libs(munin_t)
 
 logging_send_syslog_msg(munin_t)
+logging_read_all_logs(munin_t)
 
+miscfiles_read_fonts(munin_t)
 miscfiles_read_localization(munin_t)
 
-sysnet_read_config(munin_t)
+sysnet_exec_ifconfig(munin_t)
+netutils_domtrans_ping(munin_t)
 
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
-
 sysadm_dontaudit_search_home_dirs(munin_t)
 
 optional_policy(`
@@ -109,7 +129,44 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(munin_t)
+	fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+        files_search_mnt(munin_t)
+')
+
+optional_policy(`
+        iptables_domtrans(munin_t)
+')
+
+optional_policy(`
+        logging_getattr_generic_log_files(munin_t)
+')
+
+optional_policy(`
+	mta_read_config(munin_t)
+	mta_send_mail(munin_t)
+	mta_list_queue(munin_t)
+	mta_read_queue(munin_t)
+')
+
+optional_policy(`
+	mysql_read_config(munin_t)
+	mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+	postfix_list_spool(munin_t)
+	postfix_getattr_spool_files(munin_t)
+')
+
+optional_policy(`
+	rpc_search_nfs_state_data(munin_t)
+')
+
+optional_policy(`
+	sendmail_read_log(munin_t)
 ')
 
 optional_policy(`
@@ -119,3 +176,9 @@
 optional_policy(`
 	udev_read_db(munin_t)
 ')
+
+#============= http munin policy ==============
+apache_content_template(munin)
+
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.5.13/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mysql.fc	2009-02-10 17:49:30.000000000 +0100
@@ -5,12 +5,15 @@
 #
 /etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 /etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
 
 #
 # /usr
 #
 /usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
+/usr/bin/mysqld_safe    --      gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
 /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.13/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mysql.if	2009-03-20 09:38:48.000000000 +0100
@@ -53,9 +53,11 @@
 interface(`mysql_stream_connect',`
 	gen_require(`
 		type mysqld_t, mysqld_var_run_t;
+		type mysqld_db_t;
 	')
 
 	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
 ')
 
 ########################################
@@ -98,7 +100,7 @@
 	')
 
 	files_search_var_lib($1)
-	allow $1 mysqld_db_t:dir search;
+	search_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
 ')
 
 ########################################
@@ -120,6 +122,44 @@
 	allow $1 mysqld_db_t:dir rw_dir_perms;
 ')
 
+#######################################
+## <summary>
+##      Append to the MySQL database directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mysql_append_db_files',`
+        gen_require(`
+                type mysqld_db_t;
+        ')
+
+	files_search_var_lib($1)
+	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
+
+#######################################
+## <summary>
+##      Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mysql_rw_db_files',`
+        gen_require(`
+                type mysqld_db_t;
+        ')
+
+        files_search_var_lib($1)
+	rw_files_pattern($1,mysqld_db_t,mysqld_db_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete MySQL database directories.
@@ -139,6 +179,25 @@
 	allow $1 mysqld_db_t:dir manage_dir_perms;
 ')
 
+#######################################
+## <summary>
+##      Create, read, write, and delete MySQL database files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mysql_manage_db_files',`
+        gen_require(`
+                type mysqld_db_t;
+        ')
+
+        files_search_var_lib($1)
+        manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write to the MySQL database
@@ -157,7 +216,26 @@
 
 	files_search_var_lib($1)
 	allow $1 mysqld_db_t:dir search;
-	allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
+	allow $1 mysqld_db_t:sock_file rw_file_perms;
+')
+
+#####################################
+## <summary>
+##      Search MySQL PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+##
+#
+interface(`mysql_search_pid_files',`
+        gen_require(`
+                type mysqld_var_run_t;
+        ')
+
+        search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
 ')
 
 ########################################
@@ -176,5 +254,49 @@
 	')
 
 	logging_search_logs($1)
-	allow $1 mysqld_log_t:file { write append setattr ioctl };
+	allow $1 mysqld_log_t:file { write_file_perms setattr getattr };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an mysql environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the mysql domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+
+	gen_require(`
+		type mysqld_t, mysqld_var_run_t;
+		type mysqld_tmp_t, mysqld_db_t;
+		type mysqld_etc_t, mysqld_log_t;
+		type mysqld_initrc_exec_t;
+	')
+
+	allow $1 mysqld_t:process { ptrace signal_perms };
+	ps_process_pattern($1, mysqld_t)
+	
+	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 mysqld_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, mysqld_var_run_t)
+
+	admin_pattern($1, mysqld_db_t)
+
+	admin_pattern($1, mysqld_etc_t)
+
+	admin_pattern($1, mysqld_log_t)
+
+	admin_pattern($1, mysqld_tmp_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mysql.te	2009-06-24 09:54:02.000000000 +0200
@@ -10,6 +10,10 @@
 type mysqld_exec_t;
 init_daemon_domain(mysqld_t, mysqld_exec_t)
 
+type mysqld_safe_t;
+type mysqld_safe_exec_t;
+init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
+
 type mysqld_var_run_t;
 files_pid_file(mysqld_var_run_t)
 
@@ -19,6 +23,9 @@
 type mysqld_etc_t alias etc_mysqld_t;
 files_config_file(mysqld_etc_t)
 
+type mysqld_initrc_exec_t;
+init_script_file(mysqld_initrc_exec_t)
+
 type mysqld_log_t;
 logging_log_file(mysqld_log_t)
 
@@ -27,13 +34,14 @@
 
 ########################################
 #
-# Local policy
+# Local mysqld policy
 #
 
 allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
@@ -79,6 +87,7 @@
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_rw_hugetlbfs_files(mysqld_t)
 
 domain_use_interactive_fds(mysqld_t)
 
@@ -120,3 +129,45 @@
 optional_policy(`
 	udev_read_db(mysqld_t)
 ')
+
+#######################################
+#
+# Local mysqld_safe policy
+#
+
+domtrans_pattern(mysqld_safe_t,mysqld_exec_t,mysqld_t)
+
+allow mysqld_safe_t self:capability { dac_override fowner chown };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+ 
+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+mysql_append_db_files(mysqld_safe_t)        
+mysql_manage_db_files(mysqld_safe_t) 
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
+
+kernel_read_system_state(mysqld_safe_t) 
+
+dev_list_sysfs(mysqld_safe_t)
+     
+files_read_etc_files(mysqld_safe_t)
+files_read_usr_files(mysqld_safe_t)
+
+corecmd_exec_bin(mysqld_safe_t)
+    
+libs_use_ld_so(mysqld_safe_t)
+libs_use_shared_libs(mysqld_safe_t)
+
+miscfiles_read_localization(mysqld_safe_t) 
+
+hostname_exec(mysqld_safe_t)
+   
+permissive mysqld_safe_t; 
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.5.13/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nagios.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,16 +1,19 @@
 /etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
 /etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 
 /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
 /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
 
-/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 
 /var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
+
+/var/spool/nagios(/.*)?			gen_context(system_u:object_r:nagios_spool_t,s0)
 
 ifdef(`distro_debian',`
 /usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 ')
+/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.5.13/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nagios.if	2009-02-10 15:07:15.000000000 +0100
@@ -44,7 +44,7 @@
 
 ########################################
 ## <summary>
-##	Execute the nagios CGI with
+##	Execute the nagios NRPE with
 ##	a domain transition.
 ## </summary>
 ## <param name="domain">
@@ -53,29 +53,82 @@
 ##	</summary>
 ## </param>
 #
-interface(`nagios_domtrans_cgi',`
+interface(`nagios_domtrans_nrpe',`
 	gen_require(`
-		type nagios_cgi_t, nagios_cgi_exec_t;
+		type nrpe_t, nrpe_exec_t;
 	')
 
-	domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t)
+	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the nagios NRPE with
-##	a domain transition.
+##	Do not audit attempts to read and write
+##	NAGIOS unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`nagios_dontaudit_rw_pipes',`
+
+	gen_require(`
+		type nagios_t;
+	')
+
+	dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; 
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an nagios environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the nagios domain.
+##	</summary>
+## </param>
+## <rolecap/>
 #
-interface(`nagios_domtrans_nrpe',`
+interface(`nagios_admin',`
 	gen_require(`
-		type nrpe_t, nrpe_exec_t;
+		type nagios_t, nrpe_t;
+		type nagios_tmp_t, nagios_log_t;
+		type nagios_etc_t, nrpe_etc_t;
+		type nagios_spool_t, nagios_var_run_t;
+		type nagios_initrc_exec_t;
 	')
 
-	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
+	allow $1 nagios_t:process { ptrace signal_perms };
+	ps_process_pattern($1, nagios_t)
+
+	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 nagios_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, nagios_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, nagios_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, nagios_etc_t)
+
+	files_list_spool($1)
+	admin_pattern($1, nagios_spool_t)
+
+	files_list_pids($1)
+	admin_pattern($1, nagios_var_run_t)
+
+	admin_pattern($1, nrpe_etc_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.5.13/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nagios.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,13 +10,12 @@
 type nagios_exec_t;
 init_daemon_domain(nagios_t, nagios_exec_t)
 
-type nagios_cgi_t;
-type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
-
 type nagios_etc_t;
 files_config_file(nagios_etc_t)
 
+type nagios_initrc_exec_t;
+init_script_file(nagios_initrc_exec_t)
+
 type nagios_log_t;
 logging_log_file(nagios_log_t)
 
@@ -26,6 +25,9 @@
 type nagios_var_run_t;
 files_pid_file(nagios_var_run_t)
 
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
 type nrpe_t;
 type nrpe_exec_t;
 init_daemon_domain(nrpe_t, nrpe_exec_t)
@@ -60,6 +62,8 @@
 manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
 files_pid_filetrans(nagios_t, nagios_var_run_t, file)
 
+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+
 kernel_read_system_state(nagios_t)
 kernel_read_kernel_sysctls(nagios_t)
 
@@ -131,42 +135,34 @@
 #
 # Nagios CGI local policy
 #
+apache_content_template(nagios)
+typealias httpd_nagios_script_t alias nagios_cgi_t;
+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
 
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
+allow httpd_nagios_script_t self:process signal_perms;
 
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
 
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
+files_search_spool(httpd_nagios_script_t)
+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
 
-kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
 
-corecmd_exec_bin(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
 
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+kernel_read_system_state(httpd_nagios_script_t)
 
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
 
-libs_use_ld_so(nagios_cgi_t)
-libs_use_shared_libs(nagios_cgi_t)
+files_read_etc_runtime_files(httpd_nagios_script_t)
+files_read_kernel_symbol_table(httpd_nagios_script_t)
 
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
-	apache_append_log(nagios_cgi_t)
-')
+logging_send_syslog_msg(httpd_nagios_script_t)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.13/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,8 +1,19 @@
+/etc/rc\.d/init\.d/wicd         --      gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
 /sbin/wpa_cli			--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 /sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
+/usr/sbin/wicd                  --      gen_context(system_u:object_r:NetworkManager_exec_t, s0)
+
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)?                    gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+
+/var/log/wicd(/.*)?                    gen_context(system_u:object_r:NetworkManager_log_t,s0)
 
 /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 
@@ -10,3 +21,4 @@
 /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.13/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if	2009-02-10 15:07:15.000000000 +0100
@@ -118,6 +118,24 @@
 
 ########################################
 ## <summary>
+##	Execute NetworkManager scripts with an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_initrc_domtrans',`
+	gen_require(`
+		type NetworkManager_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read NetworkManager PID files.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2009-02-12 23:07:03.000000000 +0100
@@ -19,6 +19,9 @@
 type NetworkManager_tmp_t;
 files_tmp_file(NetworkManager_tmp_t)
 
+type NetworkManager_var_lib_t;
+files_type(NetworkManager_var_lib_t)
+
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
 
@@ -33,9 +36,9 @@
 
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161) 
-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
@@ -51,8 +54,10 @@
 manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
 
-rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
-files_search_tmp(NetworkManager_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
+
+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 
 manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
@@ -63,6 +68,8 @@
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t)
 
 corenet_all_recvfrom_unlabeled(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
@@ -81,13 +88,18 @@
 corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
 corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
 corenet_sendrecv_all_client_packets(NetworkManager_t)
+corenet_rw_tun_tap_dev(NetworkManager_t)
+corenet_getattr_ppp_dev(NetworkManager_t)
 
 dev_read_sysfs(NetworkManager_t)
 dev_read_rand(NetworkManager_t)
 dev_read_urand(NetworkManager_t)
+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+dev_getattr_all_chr_files(NetworkManager_t)
 
 fs_getattr_all_fs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
+fs_list_inotifyfs(NetworkManager_t)
 
 mls_file_read_all_levels(NetworkManager_t)
 
@@ -104,9 +116,14 @@
 files_read_etc_runtime_files(NetworkManager_t)
 files_read_usr_files(NetworkManager_t)
 
+storage_getattr_fixed_disk_dev(NetworkManager_t)
+
 init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
 init_domtrans_script(NetworkManager_t)
 
+auth_use_nsswitch(NetworkManager_t)
+
 libs_use_ld_so(NetworkManager_t)
 libs_use_shared_libs(NetworkManager_t)
 
@@ -119,27 +136,42 @@
 
 seutil_read_config(NetworkManager_t)
 
-sysnet_domtrans_ifconfig(NetworkManager_t)
-sysnet_domtrans_dhcpc(NetworkManager_t)
-sysnet_signal_dhcpc(NetworkManager_t)
-sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
 sysnet_delete_dhcpc_pid(NetworkManager_t)
-sysnet_search_dhcp_state(NetworkManager_t)
-# in /etc created by NetworkManager will be labelled net_conf_t.
+sysnet_domtrans_dhcpc(NetworkManager_t)
+sysnet_domtrans_ifconfig(NetworkManager_t)
+sysnet_kill_dhcpc(NetworkManager_t)
 sysnet_manage_config(NetworkManager_t)
-sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_read_dhcp_config(NetworkManager_t)
+sysnet_delete_dhcpc_state(NetworkManager_t)
+sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
+sysnet_signal_dhcpc(NetworkManager_t)
 
+userdom_dgram_send(NetworkManager_t)
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
 userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
 # Read gnome-keyring
 userdom_read_unpriv_users_home_content_files(NetworkManager_t)
+unprivuser_stream_connect(NetworkManager_t)
 
 sysadm_dontaudit_search_home_dirs(NetworkManager_t)
 
+cron_read_system_job_lib_files(NetworkManager_t)
+
+optional_policy(`
+	avahi_domtrans(NetworkManager_t)
+	avahi_sigkill(NetworkManager_t)
+	avahi_signal(NetworkManager_t)
+	avahi_signull(NetworkManager_t)
+')
+
 optional_policy(`
 	bind_domtrans(NetworkManager_t)
 	bind_manage_cache(NetworkManager_t)
+	bind_sigkill(NetworkManager_t)
 	bind_signal(NetworkManager_t)
+	bind_signull(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -151,8 +183,25 @@
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(NetworkManager, NetworkManager_t)
-	dbus_connect_system_bus(NetworkManager_t)
+	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(NetworkManager_t)
+	')
+')
+
+optional_policy(`
+	dnsmasq_read_pid_files(NetworkManager_t)
+	dnsmasq_delete_pid_files(NetworkManager_t)
+	dnsmasq_domtrans(NetworkManager_t)
+	dnsmasq_initrc_domtrans(NetworkManager_t)
+	dnsmasq_sigkill(NetworkManager_t)
+	dnsmasq_signal(NetworkManager_t)
+	dnsmasq_signull(NetworkManager_t)
+')
+
+optional_policy(`
+	hal_write_log(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -160,23 +209,48 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(NetworkManager_t)
+	iptables_domtrans(NetworkManager_t)
 ')
 
 optional_policy(`
-	nscd_socket_use(NetworkManager_t)
+	nscd_domtrans(NetworkManager_t)
 	nscd_signal(NetworkManager_t)
+	nscd_signull(NetworkManager_t)
+	nscd_sigkill(NetworkManager_t)
+	nscd_initrc_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+	# Dispatcher starting and stoping ntp
+	ntp_initrc_domtrans(NetworkManager_t)
 ')
 
 optional_policy(`
 	openvpn_domtrans(NetworkManager_t)
+	openvpn_sigkill(NetworkManager_t)
 	openvpn_signal(NetworkManager_t)
+	openvpn_signull(NetworkManager_t)
+')
+
+optional_policy(`
+	polkit_domtrans_auth(NetworkManager_t)
+	polkit_read_lib(NetworkManager_t)
 ')
 
 optional_policy(`
+	ppp_initrc_domtrans(NetworkManager_t)
 	ppp_domtrans(NetworkManager_t)
 	ppp_read_pid_files(NetworkManager_t)
+	ppp_sigkill(NetworkManager_t)
 	ppp_signal(NetworkManager_t)
+	ppp_signull(NetworkManager_t)
+	ppp_read_config(NetworkManager_t)
+')
+
+optional_policy(`
+	rpm_exec(NetworkManager_t)
+	rpm_read_db(NetworkManager_t)
+	rpm_dontaudit_manage_db(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -194,7 +268,9 @@
 
 optional_policy(`
 	vpn_domtrans(NetworkManager_t)
+	vpn_sigkill(NetworkManager_t)
 	vpn_signal(NetworkManager_t)
+	vpn_signull(NetworkManager_t)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.13/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nis.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,9 +1,13 @@
-
+/etc/rc\.d/init\.d/ypbind	--	gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypserv	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ypxfrd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
 
 /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
 
 /usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 
 /usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
 /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.13/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nis.if	2009-02-10 15:07:15.000000000 +0100
@@ -28,7 +28,7 @@
 		type var_yp_t;
 	')
 
-	dontaudit $1 self:capability net_bind_service;
+	allow $1 self:capability net_bind_service;
 
 	allow $1 self:tcp_socket create_stream_socket_perms;
 	allow $1 self:udp_socket create_socket_perms;
@@ -49,8 +49,8 @@
 	corenet_udp_bind_all_nodes($1)
 	corenet_tcp_bind_generic_port($1)
 	corenet_udp_bind_generic_port($1)
-	corenet_tcp_bind_reserved_port($1)
-	corenet_udp_bind_reserved_port($1)
+	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+	corenet_dontaudit_udp_bind_all_reserved_ports($1)
 	corenet_dontaudit_tcp_bind_all_ports($1)
 	corenet_dontaudit_udp_bind_all_ports($1)
 	corenet_tcp_connect_portmap_port($1)
@@ -87,6 +87,25 @@
 
 ########################################
 ## <summary>
+##	Use the nis to authenticate passwords
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_authenticate',`
+	tunable_policy(`allow_ypbind',`
+		nis_use_ypbind_uncond($1)
+		corenet_tcp_bind_all_rpc_ports($1)
+		corenet_udp_bind_all_rpc_ports($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Execute ypbind in the ypbind domain.
 ## </summary>
 ## <param name="domain">
@@ -244,3 +263,104 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
 ')
+
+########################################
+## <summary>
+##	Execute nis server in the nis domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`nis_initrc_domtrans',`
+	gen_require(`
+		type nis_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, nis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute nis server in the nis domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nis_ypbind_initrc_domtrans',`
+	gen_require(`
+		type ypbind_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ypbind_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an nis environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the nis domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_admin',`
+	gen_require(`
+		type ypbind_t, yppasswdd_t;
+		type ypserv_t, ypxfr_t;
+		type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+		type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+		type ypbind_initrc_exec_t;
+		type nis_initrc_exec_t;
+	')
+
+	allow $1 ypbind_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ypbind_t)
+	        
+	allow $1 yppasswdd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, yppasswdd_t)
+	        
+	allow $1 ypserv_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ypserv_t)
+	        
+	allow $1 ypxfr_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ypxfr_t)
+
+	nis_initrc_domtrans($1)
+	nis_ypbind_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 nis_initrc_exec_t system_r;
+	role_transition $2 ypbind_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, ypbind_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, ypbind_var_run_t)
+
+	admin_pattern($1, yppasswdd_var_run_t)
+
+	files_list_etc($1)
+	admin_pattern($1, ypserv_conf_t)
+
+	admin_pattern($1, ypserv_tmp_t)
+
+	admin_pattern($1, ypserv_var_run_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.13/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nis.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
 type ypbind_exec_t;
 init_daemon_domain(ypbind_t, ypbind_exec_t)
 
+type ypbind_initrc_exec_t;
+init_script_file(ypbind_initrc_exec_t)
+
 type ypbind_tmp_t;
 files_tmp_file(ypbind_tmp_t)
 
@@ -44,6 +47,9 @@
 type ypxfr_exec_t;
 init_daemon_domain(ypxfr_t, ypxfr_exec_t)
 
+type nis_initrc_exec_t;
+init_script_file(nis_initrc_exec_t)
+
 ########################################
 #
 # ypbind local policy
@@ -111,9 +117,19 @@
 sysnet_read_config(ypbind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
-
 sysadm_dontaudit_search_home_dirs(ypbind_t)
 
+
+optional_policy(`
+	dbus_system_bus_client_template(ypbind, ypbind_t)
+	dbus_connect_system_bus(ypbind_t)
+	init_dbus_chat_script(ypbind_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(ypbind_t)
+	')
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(ypbind_t)
 ')
@@ -127,6 +143,7 @@
 # yppasswdd local policy
 #
 
+allow yppasswdd_t self:capability dac_override;
 dontaudit yppasswdd_t self:capability sys_tty_config;
 allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { setfscreate signal_perms };
@@ -157,8 +174,8 @@
 corenet_udp_sendrecv_all_ports(yppasswdd_t)
 corenet_tcp_bind_all_nodes(yppasswdd_t)
 corenet_udp_bind_all_nodes(yppasswdd_t)
-corenet_tcp_bind_reserved_port(yppasswdd_t)
-corenet_udp_bind_reserved_port(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
 corenet_sendrecv_generic_server_packets(yppasswdd_t)
@@ -249,6 +266,8 @@
 corenet_udp_bind_all_nodes(ypserv_t)
 corenet_tcp_bind_reserved_port(ypserv_t)
 corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
 corenet_sendrecv_generic_server_packets(ypserv_t)
@@ -318,6 +337,8 @@
 corenet_udp_bind_all_nodes(ypxfr_t)
 corenet_tcp_bind_reserved_port(ypxfr_t)
 corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
 corenet_tcp_connect_all_ports(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.5.13/policy/modules/services/nscd.fc
--- nsaserefpolicy/policy/modules/services/nscd.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nscd.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
 
 /usr/sbin/nscd		--	gen_context(system_u:object_r:nscd_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nscd.if	2009-02-10 15:07:15.000000000 +0100
@@ -2,7 +2,27 @@
 
 ########################################
 ## <summary>
-##	Send generic signals to NSCD.
+##	Execute NSCD in the nscd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nscd_domtrans',`
+	gen_require(`
+		type nscd_t, nscd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, nscd_exec_t, nscd_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute nscd
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -10,37 +30,53 @@
 ##	</summary>
 ## </param>
 #
-interface(`nscd_signal',`
+interface(`nscd_exec',`
+	gen_require(`
+		type nscd_exec_t;
+	')
+
+	can_exec($1, nscd_exec_t)
+')
+
+########################################
+## <summary>
+##	Send sigkills to NSCD.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_sigkill',`
 	gen_require(`
 		type nscd_t;
 	')
 
-	allow $1 nscd_t:process signal;
+	allow $1 nscd_t:process sigkill;
 ')
 
 ########################################
 ## <summary>
-##	Execute NSCD in the nscd domain.
+##	Send generic signals to NSCD.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`nscd_domtrans',`
+interface(`nscd_signal',`
 	gen_require(`
-		type nscd_t, nscd_exec_t;
+		type nscd_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, nscd_exec_t, nscd_t)
+	allow $1 nscd_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Allow the specified domain to execute nscd
-##	in the caller domain.
+##	Send signulls to NSCD.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -48,12 +84,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`nscd_exec',`
+interface(`nscd_signull',`
 	gen_require(`
-		type nscd_exec_t;
+		type nscd_t;
 	')
 
-	can_exec($1, nscd_exec_t)
+	allow $1 nscd_t:process signull;
 ')
 
 ########################################
@@ -70,15 +106,14 @@
 interface(`nscd_socket_use',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
-		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+		class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
 	')
 
 	allow $1 self:unix_stream_socket create_socket_perms;
 
 	allow $1 nscd_t:nscd { getpwd getgrp gethost };
 	dontaudit $1 nscd_t:fd use;
-	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
+	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
 	files_search_pids($1)
 	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
 	dontaudit $1 nscd_var_run_t:file { getattr read };
@@ -204,3 +239,60 @@
 	role $2 types nscd_t;
 	dontaudit nscd_t $3:chr_file rw_term_perms;
 ')
+
+########################################
+## <summary>
+##	Execute nscd server in the nscd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nscd_initrc_domtrans',`
+	gen_require(`
+		type nscd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an nscd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the nscd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nscd_admin',`
+	gen_require(`
+		type nscd_t, nscd_log_t, nscd_var_run_t;
+		type nscd_initrc_exec_t;
+	')
+
+	allow $1 nscd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, nscd_t)
+	        
+	nscd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 nscd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_list_logs($1)
+	admin_pattern($1, nscd_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, nscd_var_run_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.13/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nscd.te	2009-02-10 15:07:15.000000000 +0100
@@ -20,6 +20,9 @@
 type nscd_exec_t;
 init_daemon_domain(nscd_t, nscd_exec_t)
 
+type nscd_initrc_exec_t;
+init_script_file(nscd_initrc_exec_t)
+
 type nscd_log_t;
 logging_log_file(nscd_log_t)
 
@@ -28,14 +31,14 @@
 # Local policy
 #
 
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
 dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
 allow nscd_t self:fifo_file read_fifo_file_perms;
 allow nscd_t self:unix_stream_socket create_stream_socket_perms;
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
 allow nscd_t self:tcp_socket create_socket_perms;
 allow nscd_t self:udp_socket create_socket_perms;
 
@@ -50,6 +53,8 @@
 manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
 files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
 
+can_exec(nscd_t, nscd_exec_t)
+
 kernel_read_kernel_sysctls(nscd_t)
 kernel_list_proc(nscd_t)
 kernel_read_proc_symlinks(nscd_t)
@@ -60,6 +65,7 @@
 
 fs_getattr_all_fs(nscd_t)
 fs_search_auto_mountpoints(nscd_t)
+fs_list_inotifyfs(nscd_t)
 
 # for when /etc/passwd has just been updated and has the wrong type
 auth_getattr_shadow(nscd_t)
@@ -73,6 +79,7 @@
 corenet_udp_sendrecv_all_nodes(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
 corenet_sendrecv_all_client_packets(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
@@ -84,6 +91,7 @@
 selinux_compute_relabel_context(nscd_t)
 selinux_compute_user_contexts(nscd_t)
 domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
 
 files_read_etc_files(nscd_t)
 files_read_generic_tmp_symlinks(nscd_t)
@@ -93,6 +101,7 @@
 libs_use_ld_so(nscd_t)
 libs_use_shared_libs(nscd_t)
 
+logging_send_audit_msgs(nscd_t)
 logging_send_syslog_msg(nscd_t)
 
 miscfiles_read_localization(nscd_t)
@@ -108,6 +117,14 @@
 sysadm_dontaudit_search_home_dirs(nscd_t)
 
 optional_policy(`
+	cron_read_system_job_tmp_files(nscd_t)
+')
+
+optional_policy(`
+	kerberos_use(nscd_t)
+')
+
+optional_policy(`
 	udev_read_db(nscd_t)
 ')
 
@@ -115,3 +132,12 @@
 	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
 	xen_append_log(nscd_t)
 ')
+
+optional_policy(`
+	tunable_policy(`samba_domain_controller',`
+		samba_append_log(nscd_t)
+		samba_dontaudit_use_fds(nscd_t)
+	')
+	samba_read_config(nscd_t)
+	samba_read_var_files(nscd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.13/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ntp.if	2009-03-10 13:22:20.000000000 +0100
@@ -56,6 +56,63 @@
 
 ########################################
 ## <summary>
+##	Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ntp_initrc_domtrans',`
+	gen_require(`
+		type ntpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##      Read/write ntpdd tmpfs files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`ntpd_rw_tmpfs_files',`
+        gen_require(`
+                type ntpd_tmpfs_t;
+        ')
+
+        fs_search_tmpfs($1)
+        list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t)
+        rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+        read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
+')
+
+########################################
+## <summary>    
+##      Read and write to ntpd shared memory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`ntpd_rw_shm',`
+        gen_require(`
+                type ntpd_t;
+        ')
+
+        allow $1 ntpd_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an ntp environment
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.13/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ntp.te	2009-03-10 13:22:25.000000000 +0100
@@ -25,6 +25,9 @@
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
 
+type ntpd_tmpfs_t;
+files_tmpfs_file(ntpd_tmpfs_t)
+
 type ntpd_var_run_t;
 files_pid_file(ntpd_var_run_t)
 
@@ -38,10 +41,11 @@
 
 # sys_resource and setrlimit is for locking memory
 # ntpdate wants sys_nice
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
+allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -52,6 +56,7 @@
 can_exec(ntpd_t,ntpd_exec_t)
 
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
 allow ntpd_t ntpd_log_t:dir setattr;
 manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
@@ -62,6 +67,10 @@
 manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
 
+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t)
+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
+
 manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
 files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 
@@ -89,7 +98,10 @@
 dev_read_urand(ntpd_t)
 
 fs_getattr_all_fs(ntpd_t)
+fs_list_inotifyfs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
 
 term_use_ptmx(ntpd_t)
 
@@ -126,6 +138,11 @@
 ')
 
 optional_policy(`
+	gpsd_rw_shm(ntpd_t)
+	gpsd_rw_tmpfs_files(ntpd_t)
+')
+
+optional_policy(`
 	firstboot_dontaudit_use_fds(ntpd_t)
 	firstboot_dontaudit_rw_pipes(ntpd_t)
 	firstboot_dontaudit_rw_stream_sockets(ntpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.5.13/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/nx.fc	2009-08-21 10:05:00.000000000 +0200
@@ -5,3 +5,7 @@
 /opt/NX/var(/.*)?			gen_context(system_u:object_r:nx_server_var_run_t,s0)
 
 /usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
+
+/var/lib/nxserver/home/.ssh(/.*)? 	gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.13/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/oddjob.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,4 @@
-/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 
 /usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.5.13/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/oddjob.if	2009-02-10 15:07:15.000000000 +0100
@@ -44,6 +44,7 @@
 	')
 
 	domtrans_pattern(oddjob_t, $2, $1)
+	domain_user_exemption_target($1)
 ')
 
 ########################################
@@ -84,3 +85,34 @@
 
 	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
 ')
+
+########################################
+## <summary>
+##	Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the oddjob_mkhomedir domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the oddjob_mkhomedir domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`oddjob_run_mkhomedir',`
+	gen_require(`
+		type oddjob_mkhomedir_t;
+	')
+
+	oddjob_domtrans_mkhomedir($1)
+	role $2 types oddjob_mkhomedir_t;
+	dontaudit oddjob_mkhomedir_t $3:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.5.13/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/oddjob.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,14 +10,21 @@
 type oddjob_exec_t;
 domain_type(oddjob_t)
 init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_obj_id_change_exemption(oddjob_t)
+domain_role_change_exemption(oddjob_t)
 domain_subj_id_change_exemption(oddjob_t)
 
 type oddjob_mkhomedir_t;
 type oddjob_mkhomedir_exec_t;
 domain_type(oddjob_mkhomedir_t)
-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh)
+')
+
 # pid files
 type oddjob_var_run_t;
 files_pid_file(oddjob_var_run_t)
@@ -68,17 +75,34 @@
 # oddjob_mkhomedir local policy
 #
 
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
 allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
 allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
 
 files_read_etc_files(oddjob_mkhomedir_t)
 
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
 libs_use_ld_so(oddjob_mkhomedir_t)
 libs_use_shared_libs(oddjob_mkhomedir_t)
 
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
 miscfiles_read_localization(oddjob_mkhomedir_t)
 
-staff_manage_home_dirs(oddjob_mkhomedir_t)
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
 
 # Add/remove user home directories
 unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.5.13/policy/modules/services/openvpn.fc
--- nsaserefpolicy/policy/modules/services/openvpn.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/openvpn.fc	2009-02-10 15:07:15.000000000 +0100
@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/ipp.txt	--	gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
 /etc/rc\.d/init\.d/openvpn --	gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
 
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.5.13/policy/modules/services/openvpn.if
--- nsaserefpolicy/policy/modules/services/openvpn.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/openvpn.if	2009-02-10 15:07:15.000000000 +0100
@@ -52,6 +52,24 @@
 
 ########################################
 ## <summary>
+##	Send sigkills to OPENVPN clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_sigkill',`
+	gen_require(`
+		type openvpn_t;
+	')
+
+	allow $1 openvpn_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Send generic signals to OPENVPN clients.
 ## </summary>
 ## <param name="domain">
@@ -70,6 +88,24 @@
 
 ########################################
 ## <summary>
+##	Send signulls to OPENVPN clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_signull',`
+	gen_require(`
+		type openvpn_t;
+	')
+
+	allow $1 openvpn_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	OpenVPN configuration files.
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.13/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/openvpn.te	2009-02-10 15:07:15.000000000 +0100
@@ -22,6 +22,9 @@
 type openvpn_etc_t;
 files_config_file(openvpn_etc_t)
 
+type openvpn_etc_rw_t;
+files_config_file(openvpn_etc_rw_t)
+
 type openvpn_initrc_exec_t;
 init_script_file(openvpn_initrc_exec_t)
 
@@ -40,6 +43,7 @@
 
 allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
+allow openvpn_t self:fifo_file rw_fifo_file_perms;
 
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -47,10 +51,11 @@
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
 
-allow openvpn_t openvpn_etc_t:dir list_dir_perms;
-can_exec(openvpn_t, openvpn_etc_t)
+manage_files_pattern(openvpn_t,openvpn_etc_rw_t,openvpn_etc_rw_t)
 read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
 read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file)
+can_exec(openvpn_t,openvpn_etc_t)
 
 allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
@@ -102,6 +107,8 @@
 
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
+sysnet_write_config(openvpn_t)
+sysnet_etc_filetrans_config(openvpn_t)
 
 tunable_policy(`openvpn_enable_homedirs',`
 	userdom_read_unpriv_users_home_content_files(openvpn_t)
@@ -117,3 +124,11 @@
 
 	networkmanager_dbus_chat(openvpn_t)
 ')
+
+# Need to interact with terminals if config option "auth-user-pass" is used
+sysadm_use_terms(openvpn_t)
+
+optional_policy(`
+	unconfined_use_terms(openvpn_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.5.13/policy/modules/services/pads.fc
--- nsaserefpolicy/policy/modules/services/pads.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pads.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,12 @@
+
+/etc/pads-ether-codes   --      gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-signature-list        --      gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads.conf  --      gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-assets.csv    --      gen_context(system_u:object_r:pads_config_t, s0)
+
+/etc/rc\.d/init\.d/pads --      gen_context(system_u:object_r:pads_initrc_exec_t, s0)
+
+/usr/bin/pads           --      gen_context(system_u:object_r:pads_exec_t, s0)
+
+/var/run/pads.pid       --      gen_context(system_u:object_r:pads_var_run_t, s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.5.13/policy/modules/services/pads.if
--- nsaserefpolicy/policy/modules/services/pads.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pads.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,10 @@
+## <summary>SELinux policy for PADS daemon.</summary>
+## <desc>
+##	<p>
+##	PADS is a libpcap based detection engine used to
+##	passively detect network assets.  It is designed to
+##	complement IDS technology by providing context to IDS
+##	alerts.
+##	</p>
+## </desc>
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.13/policy/modules/services/pads.te
--- nsaserefpolicy/policy/modules/services/pads.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pads.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,68 @@
+
+policy_module(pads, 0.0.1) 
+
+########################################
+#
+# Declarations
+#
+
+type pads_t;
+type pads_exec_t;
+init_daemon_domain(pads_t, pads_exec_t)
+role system_r types pads_t;
+
+type pads_initrc_exec_t;
+init_script_file(pads_initrc_exec_t)
+
+type pads_config_t;
+files_config_file(pads_config_t)
+
+type pads_var_run_t;
+files_pid_file(pads_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
+allow pads_t self:udp_socket { create ioctl };
+allow pads_t self:unix_dgram_socket { write create connect };
+
+allow pads_t pads_config_t:file manage_file_perms;
+files_etc_filetrans(pads_t, pads_config_t, file)
+
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
+corenet_tcp_sendrecv_all_if(pads_t)
+corenet_tcp_sendrecv_all_nodes(pads_t)
+
+corenet_tcp_connect_prelude_port(pads_t)
+
+dev_read_rand(pads_t)
+dev_read_urand(pads_t)
+
+kernel_read_sysctl(pads_t)
+
+files_read_etc_files(pads_t)
+files_search_spool(pads_t)
+
+libs_use_ld_so(pads_t)
+libs_use_shared_libs(pads_t)
+
+miscfiles_read_localization(pads_t)
+
+logging_send_syslog_msg(pads_t)
+
+sysnet_dns_name_resolve(pads_t)
+
+optional_policy(`
+        prelude_manage_spool(pads_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.5.13/policy/modules/services/pcscd.fc
--- nsaserefpolicy/policy/modules/services/pcscd.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/pcscd.fc	2009-03-05 13:06:23.000000000 +0100
@@ -1,4 +1,5 @@
 /var/run/pcscd\.comm	-s	gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.events(/.*)?	gen_context(system_u:object_r:pcscd_var_run_t,s0)
 /var/run/pcscd\.pid	--	gen_context(system_u:object_r:pcscd_var_run_t,s0)
 /var/run/pcscd\.pub	--	gen_context(system_u:object_r:pcscd_var_run_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.13/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/pcscd.te	2009-03-05 13:00:11.000000000 +0100
@@ -10,6 +10,7 @@
 type pcscd_exec_t;
 domain_type(pcscd_t)
 init_daemon_domain(pcscd_t, pcscd_exec_t)
+init_daemon_domain(pcscd_t, pcscd_exec_t)
 
 # pid files
 type pcscd_var_run_t;
@@ -27,9 +28,10 @@
 allow pcscd_t self:unix_dgram_socket create_socket_perms;
 allow pcscd_t self:tcp_socket create_stream_socket_perms;
 
+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file })
+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file dir sock_file })
 
 corenet_all_recvfrom_unlabeled(pcscd_t)
 corenet_all_recvfrom_netlabel(pcscd_t)
@@ -60,6 +62,14 @@
 sysnet_dns_name_resolve(pcscd_t)
 
 optional_policy(`
+	dbus_system_bus_client_template(pcscd, pcscd_t)
+
+	optional_policy(`
+		hal_dbus_chat(pcscd_t)
+	')
+')
+
+optional_policy(`
 	openct_stream_connect(pcscd_t)
 	openct_read_pid_files(pcscd_t)
 	openct_signull(pcscd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.13/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/pegasus.te	2009-02-10 15:07:15.000000000 +0100
@@ -30,7 +30,7 @@
 # Local policy
 #
 
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
 dontaudit pegasus_t self:capability sys_tty_config;
 allow pegasus_t self:process signal;
 allow pegasus_t self:fifo_file rw_fifo_file_perms;
@@ -66,6 +66,8 @@
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
 kernel_read_net_sysctls(pegasus_t)
+kernel_read_xen_state(pegasus_t)
+kernel_write_xen_state(pegasus_t)
 
 corenet_all_recvfrom_unlabeled(pegasus_t)
 corenet_all_recvfrom_netlabel(pegasus_t)
@@ -96,13 +98,12 @@
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
@@ -118,7 +119,6 @@
 
 miscfiles_read_localization(pegasus_t)
 
-sysnet_read_config(pegasus_t)
 sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
@@ -130,6 +130,14 @@
 ')
 
 optional_policy(`
+	samba_manage_config(pegasus_t)
+')
+
+optional_policy(`
+	ssh_exec(pegasus_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(pegasus_t)
 	seutil_dontaudit_read_config(pegasus_t)
 ')
@@ -141,3 +149,13 @@
 optional_policy(`
 	unconfined_signull(pegasus_t)
 ')
+
+optional_policy(`
+	virt_domtrans(pegasus_t)
+	virt_manage_config(pegasus_t)
+')
+
+optional_policy(`
+	xen_stream_connect(pegasus_t)
+	xen_stream_connect_xenstore(pegasus_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.5.13/policy/modules/services/pingd.fc
--- nsaserefpolicy/policy/modules/services/pingd.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pingd.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,11 @@
+
+/etc/pingd.conf				--	gen_context(system_u:object_r:pingd_etc_t,s0)
+
+/etc/rc\.d/init\.d/whatsup-pingd  	--  	gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+
+/usr/lib/pingd(/.*)?		      		gen_context(system_u:object_r:pingd_modules_t,s0)
+
+/usr/sbin/pingd				--	gen_context(system_u:object_r:pingd_exec_t,s0)
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.5.13/policy/modules/services/pingd.if
--- nsaserefpolicy/policy/modules/services/pingd.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pingd.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,99 @@
+## <summary>policy for pingd</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pingd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pingd_domtrans',`
+	gen_require(`
+		type pingd_t, pingd_exec_t;
+	')
+
+	domtrans_pattern($1,pingd_exec_t,pingd_t)
+')
+
+#######################################
+## <summary>
+##      Read pingd etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pingd_read_etc',`
+        gen_require(`
+                type pingd_etc_t;
+        ')
+
+        files_search_etc($1)
+        read_files_pattern($1, pingd_etc_t, pingd_etc_t)
+')
+
+#######################################
+## <summary>
+##      Manage pingd etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pingd_manage_etc',`
+        gen_require(`
+                type pingd_etc_t;
+        ')
+
+        files_search_etc($1)
+        manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+        manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+
+')
+
+#######################################
+## <summary>
+##      All of the rules required to administrate 
+##      an pingd environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the pingd domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pingd_admin',`
+        gen_require(`
+                type pingd_t, pingd_etc_t;
+                type pingd_initrc_exec_t, pingd_modules_t;
+        ')
+
+        allow $1 pingd_t:process { ptrace signal_perms };
+        ps_process_pattern($1, pingd_t)
+
+        init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 pingd_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_list_etc($1)
+        admin_pattern($1, pingd_etc_t)
+
+	files_list_usr($1)
+        admin_pattern($1, pingd_modules_t)
+
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.5.13/policy/modules/services/pingd.te
--- nsaserefpolicy/policy/modules/services/pingd.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pingd.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,54 @@
+policy_module(pingd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pingd_t;
+type pingd_exec_t;
+init_daemon_domain(pingd_t, pingd_exec_t)
+
+type pingd_initrc_exec_t;
+init_script_file(pingd_initrc_exec_t)
+
+# type for config
+type pingd_etc_t;
+files_type(pingd_etc_t);
+
+# type for pingd modules
+type pingd_modules_t;
+files_type(pingd_modules_t)
+
+########################################
+#
+# pingd local policy
+#
+
+allow pingd_t self:capability net_raw;
+allow pingd_t self:tcp_socket create_stream_socket_perms;
+allow pingd_t self:rawip_socket { write read create bind };
+
+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+
+corenet_raw_bind_all_nodes(pingd_t)
+corenet_tcp_bind_all_nodes(pingd_t)
+corenet_tcp_bind_pingd_port(pingd_t)
+
+auth_use_nsswitch(pingd_t)
+
+files_search_usr(pingd_t)
+
+libs_use_ld_so(pingd_t)
+libs_use_shared_libs(pingd_t)
+miscfiles_read_localization(pingd_t)
+
+logging_send_syslog_msg(pingd_t)
+
+permissive pingd_t;
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.5.13/policy/modules/services/pki.fc
--- nsaserefpolicy/policy/modules/services/pki.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pki.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,46 @@
+
+/etc/rc\.d/init\.d/pki-ca	--	gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
+/etc/rc\.d/init\.d/pki-kra	--	gen_context(system_u:object_r:pki_kra_script_exec_t,s0)
+/etc/rc\.d/init\.d/pki-ocsp	--	gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0)
+/etc/rc\.d/init\.d/pki-ra      	--      gen_context(system_u:object_r:pki_ra_script_exec_t,s0)
+/etc/rc\.d/init\.d/pki-tks	--	gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
+/etc/rc\.d/init\.d/pki-tps     	--      gen_context(system_u:object_r:pki_tps_script_exec_t,s0)
+
+/etc/pki-ca(/.*)?			gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
+/etc/pki-ca/tomcat5\.conf  	--      gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0)
+/etc/pki-kra(/.*)?			gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
+/etc/pki-kra/tomcat5\.conf  	--      gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0)
+/etc/pki-ocsp(/.*)?			gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
+/etc/pki-ocsp/tomcat5\.conf  	--      gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0)
+/etc/pki-ra(/.*)?               	gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/etc/pki-tks(/.*)?			gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
+/etc/pki-tks/tomcat5\.conf  	--      gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0)
+/etc/pki-tps(/.*)?              	gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+
+/usr/bin/dtomcat5-pki-ca	--	gen_context(system_u:object_r:pki_ca_exec_t,s0)
+/usr/bin/dtomcat5-pki-kra	--	gen_context(system_u:object_r:pki_kra_exec_t,s0)
+/usr/bin/dtomcat5-pki-ocsp	--	gen_context(system_u:object_r:pki_ocsp_exec_t,s0)
+/usr/bin/dtomcat5-pki-tks	--	gen_context(system_u:object_r:pki_tks_exec_t,s0)
+
+/usr/sbin/httpd.worker  	--     	gen_context(system_u:object_r:pki_ra_exec_t,s0)
+
+/var/lib/pki-ca(/.*)?		        gen_context(system_u:object_r:pki_ca_var_lib_t,s0)
+/var/lib/pki-kra(/.*)?		        gen_context(system_u:object_r:pki_kra_var_lib_t,s0)
+/var/lib/pki-ocsp(/.*)?		        gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0)
+/var/lib/pki-ra(/.*)?           	gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
+/var/lib/pki-tks(/.*)?			gen_context(system_u:object_r:pki_tks_var_lib_t,s0)
+/var/lib/pki-tps(/.*)?          	gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
+
+/var/log/pki-ca(/.*)?			gen_context(system_u:object_r:pki_ca_log_t,s0)
+/var/log/pki-kra(/.*)?			gen_context(system_u:object_r:pki_kra_log_t,s0)
+/var/log/pki-ocsp(/.*)?			gen_context(system_u:object_r:pki_ocsp_log_t,s0)
+/var/log/pki-ra(/.*)?           	gen_context(system_u:object_r:pki_ra_log_t,s0)
+/var/log/pki-tks(/.*)?			gen_context(system_u:object_r:pki_tks_log_t,s0)
+/var/log/pki-tps(/.*)?          	gen_context(system_u:object_r:pki_tps_log_t,s0)
+
+/var/run/pki-ca\.pid		--	gen_context(system_u:object_r:pki_ca_var_run_t,s0)
+/var/run/pki-kra\.pid		--	gen_context(system_u:object_r:pki_kra_var_run_t,s0)
+/var/run/pki-ocsp\.pid		--	gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
+/var/run/pki-ra\.pid		--	gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
+/var/run/pki-tks\.pid		--	gen_context(system_u:object_r:pki_tks_var_run_t,s0)
+/var/run/pki-tps\.pid		--	gen_context(system_u:object_r:pki_tks_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.5.13/policy/modules/services/pki.if
--- nsaserefpolicy/policy/modules/services/pki.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pki.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,643 @@
+
+## <summary>policy for pki</summary>
+
+########################################
+## <summary>
+##	Execute pki_ca server in the pki_ca domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pki_ca_script_domtrans',`
+	gen_require(`
+		attribute pki_ca_script;
+	')
+
+	init_script_domtrans_spec($1,pki_ca_script)
+')
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`pki_ca_template',`
+	gen_require(`
+		attribute pki_ca_process;
+		attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run;
+		attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
+		type pki_ca_tomcat_exec_t;
+		type $1_port_t;
+	')
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t, pki_ca_process;
+	type $1_exec_t, pki_ca_executable;
+	domain_type($1_t)
+	init_daemon_domain($1_t, $1_exec_t)
+
+	type $1_script_exec_t, pki_ca_script;
+	init_script_file($1_script_exec_t)
+
+	type $1_etc_rw_t, pki_ca_config;
+	files_type($1_etc_rw_t)
+
+	type $1_var_run_t, pki_ca_var_run;
+	files_pid_file($1_var_run_t)
+
+	type $1_var_lib_t, pki_ca_var_lib;
+	files_type($1_var_lib_t)
+
+	type $1_log_t, pki_ca_var_log;
+	logging_log_file($1_log_t)
+
+	########################################
+	#
+	# $1 local policy
+	#
+
+	# Execstack/execmem caused by java app.
+	allow $1_t self:process { execstack execmem getsched setsched };
+
+	## internal communication is often done using fifo and unix sockets.
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:process signull;
+
+	allow $1_t $1_port_t:tcp_socket {name_bind name_connect};
+
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_tcp_sendrecv_all_ports($1_t)
+
+	corenet_tcp_bind_all_nodes($1_t)
+	corenet_tcp_bind_ocsp_port($1_t)
+	corenet_tcp_connect_ocsp_port($1_t)
+
+	# This is for /etc/$1/tomcat.conf:
+	can_exec($1_t, pki_ca_tomcat_exec_t)
+
+	# Init script handling
+	domain_use_interactive_fds($1_t)
+
+	files_read_etc_files($1_t)
+
+	manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	manage_files_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+	manage_dirs_pattern($1_t, $1_log_t,  $1_log_t)
+	manage_files_pattern($1_t, $1_log_t,  $1_log_t)
+	logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+	corecmd_exec_bin($1_t)
+	corecmd_read_bin_symlinks($1_t)
+	corecmd_exec_shell($1_t)
+
+	dev_list_sysfs($1_t)
+	dev_read_rand($1_t)
+	dev_read_urand($1_t)
+
+	# Java is looking in /tmp for some reason...:
+	files_manage_generic_tmp_dirs($1_t)
+	files_manage_generic_tmp_files($1_t)
+	files_read_usr_files($1_t)
+	files_read_usr_symlinks($1_t)
+	# These are used to read tomcat class files in /var/lib/tomcat
+	files_read_var_lib_files($1_t)
+	files_read_var_lib_symlinks($1_t)
+
+	kernel_read_network_state($1_t)
+	kernel_read_system_state($1_t)
+	kernel_search_network_state($1_t)
+	# audit2allow
+        kernel_signull_unlabeled($1_t)
+
+	auth_use_nsswitch($1_t)
+
+	init_dontaudit_write_utmp($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys($1_t)
+		term_dontaudit_use_generic_ptys($1_t)
+	')
+
+#This is broken in selinux-policy we need java_exec defined, Will add to policy
+	gen_require(`
+		type java_exec_t;
+	')
+	can_exec($1_t, java_exec_t)
+
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_ca environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ca_admin',`
+	gen_require(`
+		type pki_ca_tomcat_exec_t;
+		attribute pki_ca_process;
+		attribute pki_ca_config;
+		attribute pki_ca_executable;
+		attribute pki_ca_var_lib;
+		attribute pki_ca_var_log;
+		attribute pki_ca_var_run;
+		attribute pki_ca_pidfiles;
+		attribute pki_ca_script;
+	')
+
+	allow $1 pki_ca_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_ca_t)
+
+	# Allow pki_ca_t to restart the service
+	pki_ca_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_ca_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_ca_config)
+	manage_all_pattern($1, pki_ca_var_run)
+	manage_all_pattern($1, pki_ca_var_lib)
+	manage_all_pattern($1, pki_ca_var_log)
+	manage_all_pattern($1, pki_ca_config)
+	manage_all_pattern($1, pki_ca_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute pki_kra server in the pki_kra domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pki_kra_script_domtrans',`
+	gen_require(`
+		attribute pki_kra_script;
+	')
+
+	init_script_domtrans_spec($1,pki_kra_script)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_kra environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_kra_admin',`
+	gen_require(`
+		type pki_kra_tomcat_exec_t;
+		attribute pki_kra_process;
+		attribute pki_kra_config;
+		attribute pki_kra_executable;
+		attribute pki_kra_var_lib;
+		attribute pki_kra_var_log;
+		attribute pki_kra_var_run;
+		attribute pki_kra_pidfiles;
+		attribute pki_kra_script;
+	')
+
+	allow $1 pki_kra_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_kra_t)
+
+	# Allow pki_kra_t to restart the service
+	pki_kra_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_kra_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_kra_config)
+	manage_all_pattern($1, pki_kra_var_run)
+	manage_all_pattern($1, pki_kra_var_lib)
+	manage_all_pattern($1, pki_kra_var_log)
+	manage_all_pattern($1, pki_kra_config)
+	manage_all_pattern($1, pki_kra_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute pki_ocsp server in the pki_ocsp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pki_ocsp_script_domtrans',`
+	gen_require(`
+		attribute pki_ocsp_script;
+	')
+
+	init_script_domtrans_spec($1,pki_ocsp_script)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_ocsp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ocsp_admin',`
+	gen_require(`
+		type pki_ocsp_tomcat_exec_t;
+		attribute pki_ocsp_process;
+		attribute pki_ocsp_config;
+		attribute pki_ocsp_executable;
+		attribute pki_ocsp_var_lib;
+		attribute pki_ocsp_var_log;
+		attribute pki_ocsp_var_run;
+		attribute pki_ocsp_pidfiles;
+		attribute pki_ocsp_script;
+	')
+
+	allow $1 pki_ocsp_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_ocsp_t)
+
+	# Allow pki_ocsp_t to restart the service
+	pki_ocsp_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_ocsp_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_ocsp_config)
+	manage_all_pattern($1, pki_ocsp_var_run)
+	manage_all_pattern($1, pki_ocsp_var_lib)
+	manage_all_pattern($1, pki_ocsp_var_log)
+	manage_all_pattern($1, pki_ocsp_config)
+	manage_all_pattern($1, pki_ocsp_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute pki_ra server in the pki_ra domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pki_ra_script_domtrans',`
+	gen_require(`
+		attribute pki_ra_script;
+	')
+
+	init_script_domtrans_spec($1,pki_ra_script)
+')
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`pki_ra_template',`
+	gen_require(`
+		attribute pki_ra_process;
+		attribute pki_ra_config, pki_ra_var_lib;
+		attribute pki_ra_executable, pki_ra_script, pki_ra_var_log;
+	')
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t, pki_ra_process;
+	type $1_exec_t, pki_ra_executable;
+	domain_type($1_t)
+	init_daemon_domain($1_t, $1_exec_t)
+
+	type $1_script_exec_t, pki_ra_script;
+	init_script_file($1_script_exec_t)
+
+	type $1_etc_rw_t, pki_ra_config;
+	files_type($1_etc_rw_t)
+
+	type $1_var_lib_t, pki_ra_var_lib;
+	files_type($1_var_lib_t)
+
+	type $1_log_t, pki_ra_var_log;
+	logging_log_file($1_log_t)
+
+	########################################
+	#
+	# $1 local policy
+	#
+
+	## internal communication is often done using fifo and unix sockets.
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+
+	# Init script handling
+	domain_use_interactive_fds($1_t)
+
+	files_read_etc_files($1_t)
+
+	manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+	manage_dirs_pattern($1_t, $1_log_t,  $1_log_t)
+	manage_files_pattern($1_t, $1_log_t,  $1_log_t)
+	logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+	init_dontaudit_write_utmp($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys($1_t)
+		term_dontaudit_use_generic_ptys($1_t)
+	')
+
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow httpd_t pki_ra_etc_rw_t:file { read getattr };
+	allow httpd_t pki_ra_log_t:file read;
+	allow httpd_t pki_ra_var_lib_t:lnk_file read;
+
+
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_ra environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ra_admin',`
+	gen_require(`
+		attribute pki_ra_process;
+		attribute pki_ra_config;
+		attribute pki_ra_executable;
+		attribute pki_ra_var_lib;
+		attribute pki_ra_var_log;
+		attribute pki_ra_script;
+	')
+
+	allow $1 pki_ra_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_ra_t)
+
+	# Allow pki_ra_t to restart the service
+	pki_ra_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_ra_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_ra_config)
+	manage_all_pattern($1, pki_ra_var_lib)
+	manage_all_pattern($1, pki_ra_var_log)
+	manage_all_pattern($1, pki_ra_config)
+')
+
+########################################
+## <summary>
+##	Execute pki_tks server in the pki_tks domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pki_tks_script_domtrans',`
+	gen_require(`
+		attribute pki_tks_script;
+	')
+
+	init_script_domtrans_spec($1,pki_tks_script)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_tks environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_tks_admin',`
+	gen_require(`
+		type pki_tks_tomcat_exec_t;
+		attribute pki_tks_process;
+		attribute pki_tks_config;
+		attribute pki_tks_executable;
+		attribute pki_tks_var_lib;
+		attribute pki_tks_var_log;
+		attribute pki_tks_var_run;
+		attribute pki_tks_pidfiles;
+		attribute pki_tks_script;
+	')
+
+	allow $1 pki_tks_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_tks_t)
+
+	# Allow pki_tks_t to restart the service
+	pki_tks_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_tks_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_tks_config)
+	manage_all_pattern($1, pki_tks_var_run)
+	manage_all_pattern($1, pki_tks_var_lib)
+	manage_all_pattern($1, pki_tks_var_log)
+	manage_all_pattern($1, pki_tks_config)
+	manage_all_pattern($1, pki_tks_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute pki_tps server in the pki_tps domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pki_tps_script_domtrans',`
+	gen_require(`
+		attribute pki_tps_script;
+	')
+
+	init_script_domtrans_spec($1,pki_tps_script)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_tps environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_tps_admin',`
+	gen_require(`
+		attribute pki_tps_process;
+		attribute pki_tps_config;
+		attribute pki_tps_executable;
+		attribute pki_tps_var_lib;
+		attribute pki_tps_var_log;
+		attribute pki_tps_script;
+	')
+
+	allow $1 pki_tps_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_tps_t)
+
+	# Allow pki_tps_t to restart the service
+	pki_tps_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_tps_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_tps_config)
+	manage_all_pattern($1, pki_tps_var_lib)
+	manage_all_pattern($1, pki_tps_var_log)
+	manage_all_pattern($1, pki_tps_config)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.5.13/policy/modules/services/pki.te
--- nsaserefpolicy/policy/modules/services/pki.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/pki.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,91 @@
+policy_module(pki,1.0.0)
+
+attribute pki_ca_config;
+attribute pki_ca_executable;
+attribute pki_ca_var_lib;
+attribute pki_ca_var_log;
+attribute pki_ca_var_run;
+attribute pki_ca_pidfiles;
+attribute pki_ca_script;
+attribute pki_ca_process;
+
+type pki_ca_tomcat_exec_t;
+files_type(pki_ca_tomcat_exec_t)
+
+pki_ca_template(pki_ca)
+
+attribute pki_kra_config;
+attribute pki_kra_executable;
+attribute pki_kra_var_lib;
+attribute pki_kra_var_log;
+attribute pki_kra_var_run;
+attribute pki_kra_pidfiles;
+attribute pki_kra_script;
+attribute pki_kra_process;
+
+type pki_kra_tomcat_exec_t;
+files_type(pki_kra_tomcat_exec_t)
+
+pki_ca_template(pki_kra)
+
+
+attribute pki_ocsp_config;
+attribute pki_ocsp_executable;
+attribute pki_ocsp_var_lib;
+attribute pki_ocsp_var_log;
+attribute pki_ocsp_var_run;
+attribute pki_ocsp_pidfiles;
+attribute pki_ocsp_script;
+attribute pki_ocsp_process;
+
+type pki_ocsp_tomcat_exec_t;
+files_type(pki_ocsp_tomcat_exec_t)
+
+pki_ca_template(pki_ocsp)
+
+
+attribute pki_ra_config;
+attribute pki_ra_executable;
+attribute pki_ra_var_lib;
+attribute pki_ra_var_log;
+attribute pki_ra_var_run;
+attribute pki_ra_pidfiles;
+attribute pki_ra_script;
+attribute pki_ra_process;
+
+type pki_ra_tomcat_exec_t;
+files_type(pki_ra_tomcat_exec_t)
+
+pki_ra_template(pki_ra)
+
+
+attribute pki_tks_config;
+attribute pki_tks_executable;
+attribute pki_tks_var_lib;
+attribute pki_tks_var_log;
+attribute pki_tks_var_run;
+attribute pki_tks_pidfiles;
+attribute pki_tks_script;
+attribute pki_tks_process;
+
+type pki_tks_tomcat_exec_t;
+files_type(pki_tks_tomcat_exec_t)
+
+pki_ca_template(pki_tks)
+
+
+attribute pki_tps_config;
+attribute pki_tps_executable;
+attribute pki_tps_var_lib;
+attribute pki_tps_var_log;
+attribute pki_tps_var_run;
+attribute pki_tps_pidfiles;
+attribute pki_tps_script;
+attribute pki_tps_process;
+
+type pki_tps_tomcat_exec_t;
+files_type(pki_tps_tomcat_exec_t)
+
+pki_ra_template(pki_tps)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.13/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/polkit.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,9 @@
+
+/usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:polkit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
+/usr/libexec/polkitd			--	gen_context(system_u:object_r:polkit_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_run_t,s0)
+/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/polkit.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,233 @@
+
+## <summary>policy for polkit_auth</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`polkit_domtrans_auth',`
+	gen_require(`
+		type polkit_auth_t;
+                type polkit_auth_exec_t;
+	')
+
+	domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t)
+')
+
+########################################
+## <summary>
+##	Search polkit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`polkit_search_lib',`
+	gen_require(`
+		type polkit_var_lib_t;
+	')
+
+	allow $1 polkit_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	read polkit lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`polkit_read_lib',`
+	gen_require(`
+		type polkit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, polkit_var_lib_t,  polkit_var_lib_t)
+
+	# Broken placement
+	cron_read_system_job_lib_files($1)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run polkit_grant.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`polkit_domtrans_grant',`
+	gen_require(`
+		type polkit_grant_t;
+                type polkit_grant_exec_t;
+	')
+
+	domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run polkit_resolve.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`polkit_domtrans_resolve',`
+	gen_require(`
+		type polkit_resolve_t;
+                type polkit_resolve_exec_t;
+	')
+
+	domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t)
+
+	allow polkit_resolve_t $1:dir list_dir_perms;
+	read_files_pattern(polkit_resolve_t, $1, $1)
+	read_lnk_files_pattern(polkit_resolve_t, $1, $1)
+	allow polkit_resolve_t $1:process getattr;
+')
+
+########################################
+## <summary>
+##	Execute a policy_grant in the policy_grant domain, and
+##	allow the specified role the policy_grant domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the load_policy domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the load_policy domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`polkit_run_grant',`
+	gen_require(`
+		type polkit_grant_t;
+	')
+
+	polkit_domtrans_grant($1)
+	role $2 types polkit_grant_t;
+	allow polkit_grant_t $3:chr_file rw_term_perms;
+	allow $1 polkit_grant_t:process signal;
+	read_files_pattern(polkit_grant_t, $1, $1)
+	allow polkit_grant_t $1:process getattr;
+')
+
+########################################
+## <summary>
+##	Execute a policy_auth in the policy_auth domain, and
+##	allow the specified role the policy_auth domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the load_policy domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the load_policy domain to use.
+##	</summary>
+## </param>
+#
+interface(`polkit_run_auth',`
+	gen_require(`
+		type polkit_auth_t;
+	')
+
+	polkit_domtrans_auth($1)
+	role $2 types polkit_auth_t;
+	allow polkit_auth_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##	The per role template for the nsplugin module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for nsplugin web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`polkit_per_role_template',`
+	polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t })
+	polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t })
+	polkit_read_lib($2)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	polkit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`polkit_dbus_chat',`
+	gen_require(`
+		type polkit_t;
+		class dbus send_msg;
+	')
+
+	allow $1 polkit_t:dbus send_msg;
+	allow polkit_t $1:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te	2009-03-12 13:00:18.000000000 +0100
@@ -0,0 +1,235 @@
+policy_module(polkit_auth, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type polkit_t;
+type polkit_exec_t;
+init_daemon_domain(polkit_t, polkit_exec_t)
+
+type polkit_grant_t;
+type polkit_grant_exec_t;
+init_system_domain(polkit_grant_t, polkit_grant_exec_t)
+
+type polkit_resolve_t;
+type polkit_resolve_exec_t;
+init_system_domain(polkit_resolve_t, polkit_resolve_exec_t)
+
+type polkit_auth_t;
+type polkit_auth_exec_t;
+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
+
+type polkit_var_lib_t;
+files_type(polkit_var_lib_t)
+
+type polkit_var_run_t;
+files_pid_file(polkit_var_run_t)
+
+########################################
+#
+# polkit local policy
+#
+
+allow polkit_t self:capability { setgid setuid };
+allow polkit_t self:process getattr;
+
+allow polkit_t self:unix_dgram_socket create_socket_perms;
+allow polkit_t self:fifo_file rw_file_perms;
+allow polkit_t self:unix_stream_socket create_stream_socket_perms;
+
+polkit_domtrans_auth(polkit_t)
+polkit_domtrans_resolve(polkit_t)
+
+can_exec(polkit_t, polkit_exec_t)
+corecmd_exec_bin(polkit_t)
+
+domain_use_interactive_fds(polkit_t)
+
+files_read_etc_files(polkit_t)
+files_read_usr_files(polkit_t)
+
+fs_list_inotifyfs(polkit_t)
+
+kernel_read_kernel_sysctls(polkit_t)
+
+auth_use_nsswitch(polkit_t)
+
+libs_use_ld_so(polkit_t)
+libs_use_shared_libs(polkit_t)
+
+miscfiles_read_localization(polkit_t)
+
+logging_send_syslog_msg(polkit_t)
+
+manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t)
+
+# pid file
+manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
+manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
+files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir })
+
+optional_policy(`
+	dbus_system_domain(polkit_t, polkit_exec_t)
+	optional_policy(`
+		consolekit_dbus_chat(polkit_t)
+	')
+')
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow polkit_auth_t self:capability setgid;
+allow polkit_auth_t self:process { getattr };
+
+allow polkit_auth_t self:unix_dgram_socket create_socket_perms;
+allow polkit_auth_t self:fifo_file rw_file_perms;
+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(polkit_auth_t, polkit_auth_exec_t)
+corecmd_search_bin(polkit_auth_t)
+
+domain_use_interactive_fds(polkit_auth_t)
+
+files_read_etc_files(polkit_auth_t)
+files_read_usr_files(polkit_auth_t)
+
+auth_use_nsswitch(polkit_auth_t)
+
+libs_use_ld_so(polkit_auth_t)
+libs_use_shared_libs(polkit_auth_t)
+
+miscfiles_read_localization(polkit_auth_t)
+
+logging_send_syslog_msg(polkit_auth_t)
+
+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)
+
+# pid file
+manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t)
+manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t)
+files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir })
+
+userdom_read_all_users_state(polkit_t)
+
+unprivuser_append_home_content_files(polkit_auth_t)
+unprivuser_dontaudit_read_home_content_files(polkit_auth_t)
+
+optional_policy(`
+	cron_read_system_job_lib_files(polkit_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
+	consolekit_dbus_chat(polkit_auth_t)
+	dbus_system_domain(polkit_auth_t, polkit_auth_exec_t)
+')
+
+optional_policy(`
+	hal_getattr(polkit_auth_t)
+	hal_read_state(polkit_auth_t)
+')
+
+optional_policy(`
+	xserver_write_log(polkit_auth_t)
+')
+########################################
+#
+# polkit_grant local policy
+#
+
+allow polkit_grant_t self:capability setuid;
+allow polkit_grant_t self:process getattr;
+
+allow polkit_grant_t self:unix_dgram_socket create_socket_perms;
+allow polkit_grant_t self:fifo_file rw_file_perms;
+allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(polkit_grant_t, polkit_grant_exec_t)
+corecmd_search_bin(polkit_grant_t)
+
+files_read_etc_files(polkit_grant_t)
+files_read_usr_files(polkit_grant_t)
+
+auth_use_nsswitch(polkit_grant_t)
+auth_domtrans_chk_passwd(polkit_grant_t)
+
+libs_use_ld_so(polkit_grant_t)
+libs_use_shared_libs(polkit_grant_t)
+
+miscfiles_read_localization(polkit_grant_t)
+
+logging_send_syslog_msg(polkit_grant_t)
+
+polkit_domtrans_auth(polkit_grant_t)
+polkit_domtrans_resolve(polkit_grant_t)
+
+manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t)
+
+manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
+userdom_read_all_users_state(polkit_grant_t)
+
+optional_policy(`
+	dbus_system_bus_client_template(polkit_grant, polkit_grant_t)
+	consolekit_dbus_chat(polkit_grant_t)
+')
+
+gen_require(`
+	type system_crond_var_lib_t;
+')
+
+manage_files_pattern(polkit_grant_t, system_crond_var_lib_t,  system_crond_var_lib_t)
+
+########################################
+#
+# polkit_resolve local policy
+#
+
+allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+allow polkit_resolve_t self:process getattr;
+
+allow polkit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow polkit_resolve_t self:fifo_file rw_file_perms;
+allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t)
+
+can_exec(polkit_resolve_t, polkit_resolve_exec_t)
+corecmd_search_bin(polkit_resolve_t)
+
+polkit_domtrans_auth(polkit_resolve_t)
+
+files_read_etc_files(polkit_resolve_t)
+files_read_usr_files(polkit_resolve_t)
+
+auth_use_nsswitch(polkit_resolve_t)
+
+libs_use_ld_so(polkit_resolve_t)
+libs_use_shared_libs(polkit_resolve_t)
+
+miscfiles_read_localization(polkit_resolve_t)
+
+logging_send_syslog_msg(polkit_resolve_t)
+
+userdom_read_all_users_state(polkit_resolve_t)
+userdom_ptrace_all_users(polkit_resolve_t)
+mcs_ptrace_all(polkit_resolve_t)
+
+optional_policy(`
+	dbus_system_bus_client_template(polkit_resolve, polkit_resolve_t)
+	optional_policy(`
+		consolekit_dbus_chat(polkit_resolve_t)
+	')
+')
+
+optional_policy(`
+	hal_getattr(polkit_resolve_t)
+	hal_read_state(polkit_resolve_t)
+')
+
+optional_policy(`
+	unconfined_ptrace(polkit_resolve_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.5.13/policy/modules/services/portmap.te
--- nsaserefpolicy/policy/modules/services/portmap.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/portmap.te	2009-02-10 15:07:15.000000000 +0100
@@ -41,6 +41,7 @@
 manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
 files_pid_filetrans(portmap_t, portmap_var_run_t, file)
 
+kernel_read_system_state(portmap_t)
 kernel_read_kernel_sysctls(portmap_t)
 kernel_list_proc(portmap_t)
 kernel_read_proc_symlinks(portmap_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.5.13/policy/modules/services/portreserve.fc
--- nsaserefpolicy/policy/modules/services/portreserve.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/portreserve.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,12 @@
+# portreserve executable will have:
+# label: system_u:object_r:portreserve_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+#exec
+/sbin/portreserve		--	gen_context(system_u:object_r:portreserve_exec_t,s0)
+
+/var/run/portreserve(/.*)? 		gen_context(system_u:object_r:portreserve_var_run_t,s0)
+
+/etc/portreserve(/.*)? 			gen_context(system_u:object_r:portreserve_etc_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.5.13/policy/modules/services/portreserve.if
--- nsaserefpolicy/policy/modules/services/portreserve.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/portreserve.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,70 @@
+## <summary>policy for portreserve</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run portreserve.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portreserve_domtrans',`
+	gen_require(`
+		type portreserve_t, portreserve_exec_t;
+	')
+
+	domain_auto_trans($1,portreserve_exec_t,portreserve_t)
+
+	allow portreserve_t $1:fd use;
+	allow portreserve_t $1:fifo_file rw_file_perms;
+	allow portreserve_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+##      Allow the specified domain to read
+##      portreserve etcuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`portreserve_read_etc',`
+        gen_require(`
+                type portreserve_etc_t;
+        ')
+
+        files_search_etc($1)
+        allow $1 portreserve_etc_t:dir list_dir_perms;
+        read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+        read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+#######################################
+## <summary>
+##      Allow the specified domain to manage
+##      portreserve etcuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+##
+#
+interface(`portreserve_manage_etc',`
+        gen_require(`
+                type portreserve_etc_t;
+        ')
+
+        files_search_etc($1)
+        manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
+        manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+        read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/portreserve.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,55 @@
+policy_module(portreserve,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type portreserve_t;
+type portreserve_exec_t;
+init_daemon_domain(portreserve_t, portreserve_exec_t)
+
+type portreserve_etc_t;
+files_type(portreserve_etc_t)
+
+type portreserve_var_run_t;
+files_pid_file(portreserve_var_run_t)
+
+########################################
+#
+# Portreserve local policy
+#
+allow portreserve_t self:fifo_file  rw_fifo_file_perms;
+allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+allow portreserve_t self:tcp_socket  create_socket_perms;
+allow portreserve_t self:udp_socket  create_socket_perms;
+
+# Read etc files
+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+
+# Manage /var/run/portreserve/*
+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file })
+
+corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_udp_bind_all_nodes(portreserve_t)
+corenet_udp_bind_all_ports(portreserve_t)
+corenet_tcp_bind_inaddr_any_node(portreserve_t)
+corenet_udp_bind_inaddr_any_node(portreserve_t)
+
+files_read_etc_files(portreserve_t)
+
+libs_use_ld_so(portreserve_t)
+libs_use_shared_libs(portreserve_t)
+
+# Init script handling
+#init_use_fds(portreserve_t)
+#init_use_script_ptys(portreserve_t)
+#domain_use_interactive_fds(portreserve_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.13/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postfix.fc	2009-02-10 15:07:15.000000000 +0100
@@ -29,12 +29,10 @@
 /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 ')
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
 /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -46,7 +44,9 @@
 
 /var/lib/postfix(/.*)?		gen_context(system_u:object_r:postfix_data_t,s0)
 
-/var/spool/postfix(/.*)?		gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/run/postfix(/.*)?		gen_context(system_u:object_r:postfix_var_run_t,s0)
+
+/var/spool/postfix(/.*)?	gen_context(system_u:object_r:postfix_spool_t,s0)
 /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
 /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
 /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postfix.if	2009-06-03 14:57:00.000000000 +0200
@@ -46,6 +46,7 @@
 
 	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
 	read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+	read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
 
 	can_exec(postfix_$1_t, postfix_$1_exec_t)
 
@@ -78,6 +79,7 @@
 	files_read_etc_runtime_files(postfix_$1_t)
 	files_read_usr_symlinks(postfix_$1_t)
 	files_search_spool(postfix_$1_t)
+	files_search_all_mountpoints(postfix_$1_t)
 	files_getattr_tmp_dirs(postfix_$1_t)
 
 	init_dontaudit_use_fds(postfix_$1_t)
@@ -211,9 +213,8 @@
 		type postfix_etc_t;
 	')
 
-	allow $1 postfix_etc_t:dir { getattr read search };
-	allow $1 postfix_etc_t:file { read getattr };
-	allow $1 postfix_etc_t:lnk_file { getattr read };
+	read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+	read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
 	files_search_etc($1)
 ')
 
@@ -267,6 +268,25 @@
 	dontaudit $1 postfix_local_t:tcp_socket { read write };
 ')
 
+#######################################
+## <summary>
+##      Allow read/write postfix local pipes
+##      TCP sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`postfix_rw_local_pipes',`
+        gen_require(`
+                type postfix_local_t;
+        ')
+
+        allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow domain to read postfix local process state
@@ -421,7 +441,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`postfix_create_pivate_sockets',`
+interface(`postfix_create_private_sockets',`
 	gen_require(`
 		type postfix_private_t;
 	')
@@ -432,6 +452,44 @@
 
 ########################################
 ## <summary>
+##	manage named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_manage_private_sockets',`
+	gen_require(`
+		type postfix_private_t;
+	')
+
+	allow $1 postfix_private_t:dir list_dir_perms;
+	manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+')
+
+#######################################
+## <summary>
+##      Execute the postqueue postfix program in the
+##      postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+        gen_require(`
+                type postfix_postqueue_t, postfix_postqueue_exec_t;
+        ')
+
+        domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+########################################
+## <summary>
 ##	Execute the master postfix program in the
 ##	postfix_master domain.
 ## </summary>
@@ -461,10 +519,10 @@
 #
 interface(`postfix_search_spool',`
 	gen_require(`
-		type postfix_spool_t;
+		attribute postfix_spool_type;
 	')
 
-	allow $1 postfix_spool_t:dir search_dir_perms;
+	allow $1 postfix_spool_type:dir search_dir_perms;
 	files_search_spool($1)
 ')
 
@@ -480,15 +538,34 @@
 #
 interface(`postfix_list_spool',`
 	gen_require(`
-		type postfix_spool_t;
+		attribute postfix_spool_type;
 	')
 
-	allow $1 postfix_spool_t:dir list_dir_perms;
+	allow $1 postfix_spool_type:dir list_dir_perms;
 	files_search_spool($1)
 ')
 
 ########################################
 ## <summary>
+##	Getattr postfix mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_getattr_spool_files',`
+	gen_require(`
+		attribute postfix_spool_type;
+	')
+
+	files_search_spool($1)
+	getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
+########################################
+## <summary>
 ##	Read postfix mail spool files.
 ## </summary>
 ## <param name="domain">
@@ -499,11 +576,30 @@
 #
 interface(`postfix_read_spool_files',`
 	gen_require(`
-		type postfix_spool_t;
+		attribute postfix_spool_type;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
+########################################
+## <summary>
+##	Manage postfix mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_manage_spool_files',`
+	gen_require(`
+		attribute postfix_spool_type;
 	')
 
 	files_search_spool($1)
-	read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+	manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
 ')
 
 ########################################
@@ -524,3 +620,23 @@
 
 	typeattribute $1 postfix_user_domtrans;
 ')
+
+########################################
+## <summary>
+##	Execute the master postdrop in the
+##	postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_postdrop',`
+	gen_require(`
+		type postfix_postdrop_t, postfix_postdrop_exec_t;
+	')
+
+	domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postfix.te	2009-04-16 11:01:18.000000000 +0200
@@ -6,6 +6,15 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+## 
+## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool, false)
+
+attribute postfix_spool_type;
 attribute postfix_user_domains;
 # domains that transition to the
 # postfix user domains
@@ -13,13 +22,13 @@
 
 postfix_server_domain_template(bounce)
 
-type postfix_spool_bounce_t;
+type postfix_spool_bounce_t,  postfix_spool_type;
 files_type(postfix_spool_bounce_t)
 
 postfix_server_domain_template(cleanup)
 
 type postfix_etc_t;
-files_type(postfix_etc_t)
+files_config_file(postfix_etc_t)
 
 type postfix_exec_t;
 application_executable_file(postfix_exec_t)
@@ -27,6 +36,12 @@
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
 
+sysadm_read_home_content_files(postfix_local_t)
+
+tunable_policy(`allow_postfix_local_write_mail_spool',`
+	mta_manage_spool(postfix_local_t)
+')
+
 type postfix_local_tmp_t;
 files_tmp_file(postfix_local_tmp_t)
 
@@ -34,6 +49,7 @@
 type postfix_map_t;
 type postfix_map_exec_t;
 application_domain(postfix_map_t, postfix_map_exec_t)
+role system_r types postfix_map_t;
 
 type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
@@ -68,13 +84,13 @@
 
 postfix_server_domain_template(smtpd)
 
-type postfix_spool_t;
+type postfix_spool_t, postfix_spool_type;
 files_type(postfix_spool_t)
 
-type postfix_spool_maildrop_t;
+type postfix_spool_maildrop_t, postfix_spool_type;
 files_type(postfix_spool_maildrop_t)
 
-type postfix_spool_flush_t;
+type postfix_spool_flush_t, postfix_spool_type;
 files_type(postfix_spool_flush_t)
 
 type postfix_public_t;
@@ -103,6 +119,7 @@
 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
 
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
 
@@ -132,6 +149,7 @@
 # allow access to deferred queue and allow removing bogus incoming entries
 manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
 
 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
 allow postfix_master_t postfix_spool_bounce_t:file getattr;
@@ -142,6 +160,7 @@
 
 delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
 kernel_read_all_sysctls(postfix_master_t)
 
@@ -153,14 +172,19 @@
 corenet_udp_sendrecv_all_nodes(postfix_master_t)
 corenet_tcp_sendrecv_all_ports(postfix_master_t)
 corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_all_nodes(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
 corenet_tcp_bind_all_nodes(postfix_master_t)
 corenet_tcp_bind_amavisd_send_port(postfix_master_t)
 corenet_tcp_bind_smtp_port(postfix_master_t)
+corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
 corenet_tcp_connect_all_ports(postfix_master_t)
 corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
 corenet_sendrecv_smtp_server_packets(postfix_master_t)
 corenet_sendrecv_all_client_packets(postfix_master_t)
 
+
 # for a find command
 selinux_dontaudit_search_fs(postfix_master_t)
 
@@ -170,6 +194,8 @@
 domain_use_interactive_fds(postfix_master_t)
 
 files_read_usr_files(postfix_master_t)
+files_search_var_lib(postfix_master_t)
+files_search_tmp(postfix_master_t)
 
 term_dontaudit_search_ptys(postfix_master_t)
 
@@ -181,15 +207,14 @@
 
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
 
-ifdef(`distro_redhat',`
-	# for newer main.cf that uses /etc/aliases
-	mta_manage_aliases(postfix_master_t)
-	mta_etc_filetrans_aliases(postfix_master_t)
+optional_policy(`
+	cyrus_stream_connect(postfix_master_t)
 ')
 
 optional_policy(`
-	cyrus_stream_connect(postfix_master_t)
+	kerberos_keytab_template(postfix, postfix_t)
 ')
 
 optional_policy(`
@@ -202,9 +227,29 @@
 ')
 
 optional_policy(`
+	postgrey_search_spool(postfix_master_t)
+')
+
+optional_policy(`
 	sendmail_signal(postfix_master_t)
 ')
 
+###########################################################
+#
+# Partially converted rules.  THESE ARE ONLY TEMPORARY
+#
+
+ifdef(`distro_redhat',`
+	# for newer main.cf that uses /etc/aliases
+	allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
+	allow postfix_master_t etc_aliases_t:file manage_file_perms;
+	allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
+	mta_etc_filetrans_aliases(postfix_master_t)
+	filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file })
+')
+
+# end partially converted rules
+
 ########################################
 #
 # Postfix bounce local policy
@@ -245,6 +290,10 @@
 
 corecmd_exec_bin(postfix_cleanup_t)
 
+optional_policy(`
+	mailman_read_data_files(postfix_cleanup_t)
+')
+
 ########################################
 #
 # Postfix local local policy
@@ -270,18 +319,25 @@
 
 files_read_etc_files(postfix_local_t)
 
+logging_dontaudit_search_logs(postfix_local_t)
+
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
 mta_read_config(postfix_local_t)
 
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
 optional_policy(`
 	clamav_search_lib(postfix_local_t)
+	clamav_exec_clamscan(postfix_local_t)
 ')
 
 optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_local_t)
+	mailman_append_log(postfix_local_t)
+	mailman_read_log(postfix_local_t)
 ')
 
 optional_policy(`
@@ -292,8 +348,7 @@
 #
 # Postfix map local policy
 #
-
-allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:capability { dac_override setgid setuid };
 allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 allow postfix_map_t self:tcp_socket create_stream_socket_perms;
@@ -343,8 +398,6 @@
 
 miscfiles_read_localization(postfix_map_t)
 
-seutil_read_config(postfix_map_t)
-
 tunable_policy(`read_default_t',`
 	files_list_default(postfix_map_t)
 	files_read_default_files(postfix_map_t)
@@ -357,6 +410,11 @@
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
 
+optional_policy(`
+#	for postalias
+	mailman_manage_data_files(postfix_map_t)
+')
+
 ########################################
 #
 # Postfix pickup local policy
@@ -381,6 +439,7 @@
 #
 
 allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+allow postfix_pipe_t self:process setrlimit;
 
 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
 
@@ -388,6 +447,12 @@
 
 rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
 
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+optional_policy(`
+	dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
 optional_policy(`
 	procmail_domtrans(postfix_pipe_t)
 ')
@@ -397,6 +462,15 @@
 ')
 
 optional_policy(`
+	mta_manage_spool(postfix_pipe_t)
+	mta_send_mail(postfix_pipe_t)
+')
+
+optional_policy(`
+	spamassassin_domtrans_spamc(postfix_pipe_t)
+')
+
+optional_policy(`
 	uucp_domtrans_uux(postfix_pipe_t)
 ')
 
@@ -433,8 +507,11 @@
 ')
 
 optional_policy(`
-	ppp_use_fds(postfix_postqueue_t)
-	ppp_sigchld(postfix_postqueue_t)
+	sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+')
+
+optional_policy(`
+	uucp_manage_spool(postfix_postdrop_t)
 ')
 
 #######################################
@@ -460,6 +537,15 @@
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
 
+optional_policy(`
+	cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
+')
+
+optional_policy(`
+	ppp_use_fds(postfix_postqueue_t)
+	ppp_sigchld(postfix_postqueue_t)
+')
+
 ########################################
 #
 # Postfix qmgr local policy
@@ -520,6 +606,11 @@
 	cyrus_stream_connect(postfix_smtp_t)
 ')
 
+optional_policy(`
+       milter_stream_connect_all(postfix_smtp_t)
+')
+
+
 ########################################
 #
 # Postfix smtpd local policy
@@ -540,9 +631,18 @@
 
 # for OpenSSL certificates
 files_read_usr_files(postfix_smtpd_t)
+
+# postfix checks the size of all mounted file systems
+fs_getattr_all_dirs(postfix_smtpd_t)
+fs_getattr_all_fs(postfix_smtpd_t)
+
 mta_read_aliases(postfix_smtpd_t)
 
 optional_policy(`
+	dovecot_auth_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
 	mailman_read_data_files(postfix_smtpd_t)
 ')
 
@@ -569,7 +669,7 @@
 files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
 
 # connect to master process
-stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t)
+stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
 corecmd_exec_shell(postfix_virtual_t)
 corecmd_exec_bin(postfix_virtual_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.13/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postgresql.fc	2009-02-10 15:07:15.000000000 +0100
@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
+/etc/rc\.d/init\.d/postgresql	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
 
 #
 # /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.5.13/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postgresql.if	2009-02-10 15:07:15.000000000 +0100
@@ -372,3 +372,46 @@
 
 	typeattribute $1 sepgsql_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the postgresql domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+	gen_require(`
+		type postgresql_t, postgresql_var_run_t;
+		type postgresql_tmp_t, postgresql_db_t;
+		type postgresql_etc_t, postgresql_log_t;
+		type postgresql_initrc_exec_t;
+	')
+
+	allow $1 postgresql_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postgresql_t)
+
+	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 postgresql_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, postgresql_var_run_t)
+
+	admin_pattern($1, postgresql_db_t)
+
+	admin_pattern($1, postgresql_etc_t)
+
+	admin_pattern($1, postgresql_log_t)
+
+	admin_pattern($1, postgresql_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.13/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postgresql.te	2009-09-02 10:20:41.000000000 +0200
@@ -32,6 +32,9 @@
 type postgresql_etc_t;
 files_config_file(postgresql_etc_t)
 
+type postgresql_initrc_exec_t;
+init_script_file(postgresql_initrc_exec_t)
+
 type postgresql_lock_t;
 files_lock_file(postgresql_lock_t)
 
@@ -104,6 +107,7 @@
 dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
 allow postgresql_t self:process signal_perms;
 allow postgresql_t self:fifo_file rw_fifo_file_perms;
+allow postgresql_t self:file { getattr read };
 allow postgresql_t self:sem create_sem_perms;
 allow postgresql_t self:shm create_shm_perms;
 allow postgresql_t self:tcp_socket create_stream_socket_perms;
@@ -158,7 +162,7 @@
 
 manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
 manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
-files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file sock_file })
 
 kernel_read_kernel_sysctls(postgresql_t)
 kernel_read_system_state(postgresql_t)
@@ -174,6 +178,7 @@
 corenet_udp_sendrecv_all_nodes(postgresql_t)
 corenet_tcp_sendrecv_all_ports(postgresql_t)
 corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_udp_bind_all_nodes(postgresql_t)
 corenet_tcp_bind_all_nodes(postgresql_t)
 corenet_tcp_bind_postgresql_port(postgresql_t)
 corenet_tcp_connect_auth_port(postgresql_t)
@@ -214,6 +219,7 @@
 libs_use_ld_so(postgresql_t)
 libs_use_shared_libs(postgresql_t)
 
+logging_send_audit_msgs(postgresql_t)
 logging_send_syslog_msg(postgresql_t)
 
 miscfiles_read_localization(postgresql_t)
@@ -288,7 +294,7 @@
 allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
 
 allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
-allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
+allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
 
 allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
 allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
@@ -329,7 +335,7 @@
 
 # unconfined domain is not allowed to invoke user defined procedure directly.
 # They have to confirm and relabel it at first.
-allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *;
 allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
 
 allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.5.13/policy/modules/services/postgrey.fc
--- nsaserefpolicy/policy/modules/services/postgrey.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postgrey.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,5 +1,7 @@
 
 /etc/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_etc_t,s0)
+/etc/rc\.d/init\.d/postgrey	--	gen_context(system_u:object_r:postgrey_initrc_exec_t,s0)
+
 
 /usr/sbin/postgrey	--	gen_context(system_u:object_r:postgrey_exec_t,s0)
 
@@ -7,3 +9,5 @@
 
 /var/run/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_run_t,s0)
 /var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)?	gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.13/policy/modules/services/postgrey.if
--- nsaserefpolicy/policy/modules/services/postgrey.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postgrey.if	2009-02-10 15:07:15.000000000 +0100
@@ -12,10 +12,73 @@
 #
 interface(`postgrey_stream_connect',`
         gen_require(`
-                type postgrey_var_run_t, postgrey_t;
+                type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
         ')
 
 	allow $1 postgrey_t:unix_stream_socket connectto;
-        allow $1 postgrey_var_run_t:sock_file write;
+	write_sock_files_pattern($1, postgrey_var_run_t,  postgrey_var_run_t)
+	write_sock_files_pattern($1, postgrey_spool_t,  postgrey_spool_t)
 	files_search_pids($1)
 ')
+
+########################################
+## <summary>
+##      Search the spool directory
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+#
+interface(`postgrey_search_spool',`
+        gen_require(`
+                type postgrey_spool_t;
+        ')
+
+	allow $1 postgrey_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an postgrey environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the postgrey domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgrey_admin',`
+	gen_require(`
+		type postgrey_t, postgrey_etc_t;
+		type postgrey_var_lib_t, postgrey_var_run_t;
+		type postgrey_initrc_exec_t;
+	')
+
+	allow $1 postgrey_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postgrey_t)
+	        
+	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 postgrey_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, postgrey_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, postgrey_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, postgrey_var_run_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.13/policy/modules/services/postgrey.te
--- nsaserefpolicy/policy/modules/services/postgrey.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/postgrey.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,12 @@
 type postgrey_etc_t;
 files_config_file(postgrey_etc_t)
 
+type postgrey_initrc_exec_t;
+init_script_file(postgrey_initrc_exec_t)
+
+type postgrey_spool_t;
+files_type(postgrey_spool_t)
+
 type postgrey_var_lib_t;
 files_type(postgrey_var_lib_t)
 
@@ -24,15 +30,21 @@
 # Local policy
 #
 
-allow postgrey_t self:capability { chown setgid setuid };
+allow postgrey_t self:capability { chown dac_override setgid setuid };
 dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:fifo_file create_fifo_file_perms;
 
 allow postgrey_t postgrey_etc_t:dir list_dir_perms;
 read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
 read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t)
 
+manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
@@ -86,6 +98,11 @@
 ')
 
 optional_policy(`
+	postfix_read_config(postgrey_t)
+	postfix_manage_spool_files(postgrey_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(postgrey_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.5.13/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ppp.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,16 +1,14 @@
 #
 # /etc
 #
-/etc/rc.d/init.d/ppp		--	gen_context(system_u:object_r:pppd_script_exec_t,s0)
-
 /etc/ppp			-d	gen_context(system_u:object_r:pppd_etc_t,s0)
 /etc/ppp(/.*)?			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/peers(/.*)?			gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/.*secrets		--	gen_context(system_u:object_r:pppd_secret_t,s0)
 /etc/ppp/resolv\.conf 		--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-
 # Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_script_exec_t,s0)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ppp	--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 
 #
 # /sbin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.13/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ppp.if	2009-02-10 15:07:15.000000000 +0100
@@ -58,6 +58,25 @@
 
 ########################################
 ## <summary>
+##	Send ppp a sigkill
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`ppp_sigkill',`
+	gen_require(`
+		type pppd_t;
+	')
+
+	allow $1 pppd_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Send a generic signal to PPP.
 ## </summary>
 ## <param name="domain">
@@ -310,6 +329,24 @@
 
 ########################################
 ## <summary>
+##	Execute ppp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ppp_initrc_domtrans',`
+	gen_require(`
+		type pppd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, pppd_initrc_exec_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an ppp environment
 ## </summary>
@@ -327,33 +364,42 @@
 		type pppd_etc_rw_t, pppd_var_run_t;
 
 		type pptp_t, pptp_log_t, pptp_var_run_t;
+ 		type pppd_script_exec_t;
+ 		type pppd_initrc_exec_t;
 	')
 
 	allow $1 pppd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, pppd_t)
 	        
+	ppp_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pppd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	files_list_tmp($1)
-	manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)
+	admin_pattern($1, pppd_tmp_t, pppd_tmp_t)
 
 	logging_list_logs($1)
-	manage_files_pattern($1, pppd_log_t, pppd_log_t)
+	admin_pattern($1, pppd_log_t, pppd_log_t)
 
-	manage_files_pattern($1, pppd_lock_t, pppd_lock_t)
+	admin_pattern($1, pppd_lock_t, pppd_lock_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, pppd_etc_t, pppd_etc_t)
+	admin_pattern($1, pppd_etc_t, pppd_etc_t)
+
+	admin_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t)
 
-	manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t)
+	admin_pattern($1, pppd_secret_t, pppd_secret_t)
 
-	manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
+ 	admin_pattern($1, pppd_script_exec_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
+	admin_pattern($1, pppd_var_run_t, pppd_var_run_t)
 
 	allow $1 pptp_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, pptp_t)
 
-	manage_files_pattern($1, pptp_log_t, pptp_log_t)
+	admin_pattern($1, pptp_log_t, pptp_log_t)
 
-	manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t)
+	admin_pattern($1, pptp_var_run_t, pptp_var_run_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ppp.te	2009-03-05 13:10:12.000000000 +0100
@@ -37,8 +37,8 @@
 type pppd_etc_rw_t;
 files_type(pppd_etc_rw_t)
 
-type pppd_script_exec_t;
-files_type(pppd_script_exec_t)
+type pppd_initrc_exec_t;
+files_type(pppd_initrc_exec_t)
 
 # pppd_secret_t is the type of the pap and chap password files
 type pppd_secret_t;
@@ -114,6 +114,8 @@
 # Access secret files
 allow pppd_t pppd_secret_t:file read_file_perms;
 
+ppp_initrc_domtrans(pppd_t)
+
 kernel_read_kernel_sysctls(pppd_t)
 kernel_read_system_state(pppd_t)
 kernel_rw_net_sysctls(pppd_t)
@@ -161,6 +163,7 @@
 
 init_read_utmp(pppd_t)
 init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
 
 auth_use_nsswitch(pppd_t)
 
@@ -197,6 +200,8 @@
 
 optional_policy(`
 	mta_send_mail(pppd_t)
+	mta_system_content(pppd_etc_t)
+	mta_system_content(pppd_etc_rw_t)
 ')
 
 optional_policy(`
@@ -220,7 +225,7 @@
 # PPTP Local policy
 #
 
-allow pptp_t self:capability net_raw;
+allow pptp_t self:capability { net_raw net_admin };
 dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:process signal;
 allow pptp_t self:fifo_file rw_fifo_file_perms;
@@ -228,14 +233,16 @@
 allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow pptp_t self:rawip_socket create_socket_perms;
 allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow pptp_t pppd_etc_t:dir list_dir_perms;
 allow pptp_t pppd_etc_t:file read_file_perms;
-allow pptp_t pppd_etc_t:lnk_file { getattr read };
+allow pptp_t pppd_etc_t:lnk_file  read_lnk_file_perms;
 
 allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
 allow pptp_t pppd_etc_rw_t:file read_file_perms;
-allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
+allow pptp_t pppd_etc_rw_t:lnk_file  read_lnk_file_perms;
 can_exec(pptp_t, pppd_etc_rw_t)
 
 # Allow pptp to append to pppd log files
@@ -251,9 +258,13 @@
 kernel_list_proc(pptp_t)
 kernel_read_kernel_sysctls(pptp_t)
 kernel_read_proc_symlinks(pptp_t)
+kernel_read_system_state(pptp_t)
 
 dev_read_sysfs(pptp_t)
 
+corecmd_exec_shell(pptp_t)
+corecmd_read_bin_symlinks(pptp_t)
+
 corenet_all_recvfrom_unlabeled(pptp_t)
 corenet_all_recvfrom_netlabel(pptp_t)
 corenet_tcp_sendrecv_all_if(pptp_t)
@@ -269,12 +280,16 @@
 fs_getattr_all_fs(pptp_t)
 fs_search_auto_mountpoints(pptp_t)
 
+files_read_etc_files(pptp_t)
+
 term_ioctl_generic_ptys(pptp_t)
 term_search_ptys(pptp_t)
 term_use_ptmx(pptp_t)
 
 domain_use_interactive_fds(pptp_t)
 
+auth_use_nsswitch(pptp_t)
+
 libs_use_ld_so(pptp_t)
 libs_use_shared_libs(pptp_t)
 
@@ -282,7 +297,7 @@
 
 miscfiles_read_localization(pptp_t)
 
-sysnet_read_config(pptp_t)
+sysnet_exec_ifconfig(pptp_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
 
@@ -293,11 +308,15 @@
 ')
 
 optional_policy(`
-	hostname_exec(pptp_t)
+	dbus_system_domain(pppd_t, pppd_exec_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(pppd_t)
+	')
 ')
 
 optional_policy(`
-	nscd_socket_use(pptp_t)
+	hostname_exec(pptp_t)
 ')
 
 optional_policy(`
@@ -311,6 +330,3 @@
 optional_policy(`
 	postfix_read_config(pppd_t)
 ')
-
-# FIXME:
-domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.5.13/policy/modules/services/prelude.fc
--- nsaserefpolicy/policy/modules/services/prelude.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/prelude.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,9 @@
+/etc/prelude-correlator(/.*)?   gen_context(system_u:object_r:prelude_correlator_config_t, s0)
+
+/etc/rc\.d/init\.d/prelude-correlator   --      gen_context(system_u:object_r:prelude_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/prelude-lml --      gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-manager	--	gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+
 /sbin/audisp-prelude		--	gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
 
 /usr/bin/prelude-manager	--	gen_context(system_u:object_r:prelude_exec_t,s0)
@@ -5,7 +11,15 @@
 
 /var/lib/prelude-lml(/.*)?		gen_context(system_u:object_r:prelude_var_lib_t,s0)
 
+/var/log/prelude.*			gen_context(system_u:object_r:prelude_log_t,s0)
+
 /var/run/prelude-manager(/.*)?		gen_context(system_u:object_r:prelude_var_run_t,s0)
 
 /var/spool/prelude-manager(/.*)?	gen_context(system_u:object_r:prelude_spool_t,s0)
 /var/spool/prelude(/.*)?		gen_context(system_u:object_r:prelude_spool_t,s0)
+
+/usr/bin/prelude-lml   --      gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/var/run/prelude-lml.pid       --      gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+
+/usr/bin/prelude-correlator     --      gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.13/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/prelude.if	2009-02-10 15:07:15.000000000 +0100
@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ## </summary>
 ## </param>
 #
@@ -42,7 +42,7 @@
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed acccess.
+##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
@@ -56,6 +56,45 @@
 
 ########################################
 ## <summary>
+##	Read the prelude spool files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prelude_read_spool',`
+	gen_require(`
+		type prelude_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+## <summary>
+##	Manage to prelude-manager spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_manage_spool',`
+	gen_require(`
+		type prelude_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+	manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an prelude environment
 ## </summary>
@@ -64,6 +103,11 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`prelude_admin',`
@@ -71,6 +115,10 @@
 		type prelude_t, prelude_spool_t;
 		type prelude_var_run_t, prelude_var_lib_t;
 		type prelude_audisp_t, prelude_audisp_var_run_t;
+		type prelude_initrc_exec_t;
+
+		type prelude_lml_t, prelude_lml_tmp_t;
+		type prelude_lml_var_run_t;
 	')
 
 	allow $1 prelude_t:process { ptrace signal_perms };
@@ -79,11 +127,18 @@
 	allow $1 prelude_audisp_t:process { ptrace signal_perms };
 	ps_process_pattern($1, prelude_audisp_t)
 
-	manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
-
-	manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t)
-
-	manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t)
+	allow $1 prelude_lml_t:process { ptrace signal_perms };
+	ps_process_pattern($1, prelude_lml_t)
 
-	manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+	init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 prelude_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, prelude_spool_t)
+	admin_pattern($1, prelude_var_lib_t)
+	admin_pattern($1, prelude_var_run_t)
+	admin_pattern($1, prelude_audisp_var_run_t)
+	admin_pattern($1, prelude_lml_tmp_t)
+	admin_pattern($1, prelude_lml_var_run_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/prelude.te	2009-02-10 15:07:15.000000000 +0100
@@ -13,25 +13,57 @@
 type prelude_spool_t;
 files_type(prelude_spool_t)
 
+type prelude_log_t;
+logging_log_file(prelude_log_t)
+
 type prelude_var_run_t;
 files_pid_file(prelude_var_run_t)
 
 type prelude_var_lib_t;
 files_type(prelude_var_lib_t)
 
+type prelude_initrc_exec_t;
+init_script_file(prelude_initrc_exec_t)
+
 type prelude_audisp_t;
 type prelude_audisp_exec_t;
 init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+typealias prelude_audisp_t alias audisp_prelude_t;
+typealias prelude_audisp_exec_t alias audisp_prelude_exec_t;
 
 type prelude_audisp_var_run_t;
 files_pid_file(prelude_audisp_var_run_t)
+typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t;
+
+type prelude_lml_t;
+type prelude_lml_exec_t;
+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
+
+type prelude_lml_var_run_t;
+files_pid_file(prelude_lml_var_run_t)
+
+type prelude_lml_tmp_t;
+files_tmp_file(prelude_lml_tmp_t)
+
+########################################
+#
+# prelude_correlator declarations
+#
+
+type prelude_correlator_t;
+type prelude_correlator_exec_t;
+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
+role system_r types prelude_correlator_t;
+
+type prelude_correlator_config_t;
+files_config_file(prelude_correlator_config_t)
 
 ########################################
 #
 # prelude local policy
 #
 
-allow prelude_t self:capability sys_tty_config;
+allow prelude_t self:capability { dac_override sys_tty_config };
 allow prelude_t self:fifo_file rw_file_perms;
 allow prelude_t self:unix_stream_socket create_stream_socket_perms;
 allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
@@ -49,6 +81,9 @@
 manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
 files_pid_filetrans(prelude_t, prelude_var_run_t, file)
 
+manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+logging_log_filetrans(prelude_t, prelude_log_t, file)
+
 corecmd_search_bin(prelude_t)
 
 corenet_all_recvfrom_unlabeled(prelude_t)
@@ -56,15 +91,25 @@
 corenet_tcp_sendrecv_all_if(prelude_t)
 corenet_tcp_sendrecv_all_nodes(prelude_t)
 corenet_tcp_bind_all_nodes(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
+corenet_tcp_connect_postgresql_port(prelude_t)
 
 dev_read_rand(prelude_t)
 dev_read_urand(prelude_t)
 
+kernel_read_system_state(prelude_t)
+kernel_read_sysctl(prelude_t)
+
 # Init script handling
 domain_use_interactive_fds(prelude_t)
 
 files_read_etc_files(prelude_t)
+files_read_etc_runtime_files(prelude_t)
 files_read_usr_files(prelude_t)
+files_search_tmp(prelude_t)
+
+fs_rw_anon_inodefs_files(prelude_t)
 
 auth_use_nsswitch(prelude_t)
 
@@ -89,12 +134,13 @@
 #
 # prelude_audisp local policy
 #
-
+allow prelude_audisp_t self:capability dac_override;
 allow prelude_audisp_t self:fifo_file rw_file_perms;
 allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
 allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms;
 allow prelude_audisp_t self:tcp_socket create_socket_perms;
+allow prelude_audisp_t self:process signal;
 
 manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
 manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
@@ -110,6 +156,7 @@
 corenet_tcp_sendrecv_all_if(prelude_audisp_t)
 corenet_tcp_sendrecv_all_nodes(prelude_audisp_t)
 corenet_tcp_bind_all_nodes(prelude_audisp_t)
+corenet_tcp_connect_prelude_port(prelude_audisp_t)
 
 dev_read_rand(prelude_audisp_t)
 dev_read_urand(prelude_audisp_t)
@@ -117,15 +164,143 @@
 # Init script handling
 domain_use_interactive_fds(prelude_audisp_t)
 
+kernel_read_sysctl(prelude_audisp_t)
+kernel_read_system_state(prelude_audisp_t)
+
 files_read_etc_files(prelude_audisp_t)
+files_read_etc_runtime_files(prelude_audisp_t)
+files_search_tmp(prelude_audisp_t)
 
 libs_use_ld_so(prelude_audisp_t)
 libs_use_shared_libs(prelude_audisp_t)
 
 logging_send_syslog_msg(prelude_audisp_t)
+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
 
 miscfiles_read_localization(prelude_audisp_t)
 
+sysnet_dns_name_resolve(prelude_audisp_t)
+
+########################################
+#
+# prelude_correlator local policy
+#
+
+allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
+
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+prelude_manage_spool(prelude_correlator_t)
+
+corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
+corenet_tcp_sendrecv_all_if(prelude_correlator_t)
+corenet_tcp_sendrecv_all_nodes(prelude_correlator_t)
+corenet_tcp_connect_prelude_port(prelude_correlator_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+dev_read_rand(prelude_correlator_t)
+dev_read_urand(prelude_correlator_t)
+
+files_read_etc_files(prelude_correlator_t)
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+libs_use_ld_so(prelude_correlator_t)
+libs_use_shared_libs(prelude_correlator_t)
+
+logging_send_syslog_msg(prelude_correlator_t)
+
+miscfiles_read_localization(prelude_correlator_t)
+
+sysnet_dns_name_resolve(prelude_correlator_t)
+
+########################################
+#
+# prelude_lml local declarations
+#
+
+allow prelude_lml_t self:capability dac_override;
+
+# Init script handling
+domain_use_interactive_fds(prelude_lml_t)
+
+allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
+allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+allow prelude_lml_t self:unix_stream_socket connectto;
+
+files_list_tmp(prelude_lml_t)
+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
+
+files_search_spool(prelude_lml_t)
+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+
+files_search_var_lib(prelude_lml_t)
+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
+corecmd_exec_bin(prelude_lml_t)
+
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_all_nodes(prelude_lml_t)
+corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+corenet_tcp_connect_prelude_port(prelude_lml_t)
+
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
+kernel_read_system_state(prelude_lml_t)
+kernel_read_sysctl(prelude_lml_t)
+
+files_list_etc(prelude_lml_t)
+files_read_etc_files(prelude_lml_t)
+files_read_etc_runtime_files(prelude_lml_t)
+
+files_search_spool(prelude_lml_t)
+files_search_usr(prelude_lml_t)
+files_search_var_lib(prelude_lml_t)
+
+fs_list_inotifyfs(prelude_lml_t)
+fs_read_anon_inodefs_files(prelude_lml_t)
+fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
+libs_use_ld_so(prelude_lml_t)
+libs_use_shared_libs(prelude_lml_t)
+libs_exec_lib_files(prelude_lml_t)
+libs_read_lib_files(prelude_lml_t)
+
+logging_send_syslog_msg(prelude_lml_t)
+logging_read_generic_logs(prelude_lml_t)
+
+miscfiles_read_localization(prelude_lml_t)
+
+sysnet_dns_name_resolve(prelude_lml_t)
+
+userdom_read_all_users_state(prelude_lml_t)
+
+optional_policy(`
+	apache_search_sys_content(prelude_lml_t)
+	apache_read_log(prelude_lml_t)
+')
+
 ########################################
 #
 # prewikka_cgi Declarations
@@ -134,6 +309,20 @@
 optional_policy(`
 	apache_content_template(prewikka)
 	files_read_etc_files(httpd_prewikka_script_t)
+	files_search_tmp(httpd_prewikka_script_t)
+
+	kernel_read_sysctl(httpd_prewikka_script_t)
+	kernel_search_network_sysctl(httpd_prewikka_script_t)
+
+	can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+	corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
+
+	auth_use_nsswitch(httpd_prewikka_script_t)
+
+	logging_send_syslog_msg(httpd_prewikka_script_t)
+
+	apache_search_sys_content(httpd_prewikka_script_t)
 
 	optional_policy(`
 		mysql_search_db(httpd_prewikka_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.5.13/policy/modules/services/privoxy.fc
--- nsaserefpolicy/policy/modules/services/privoxy.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/privoxy.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,5 +1,7 @@
 
 /etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+/etc/privoxy/default\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+/etc/rc\.d/init\.d/privoxy --	gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
 
 /usr/sbin/privoxy	--	gen_context(system_u:object_r:privoxy_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.5.13/policy/modules/services/privoxy.if
--- nsaserefpolicy/policy/modules/services/privoxy.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/privoxy.if	2009-02-10 15:07:15.000000000 +0100
@@ -16,17 +16,23 @@
 	gen_require(`
 		type privoxy_t, privoxy_log_t;
 		type privoxy_etc_rw_t, privoxy_var_run_t;
+		type privoxy_initrc_exec_t;
 	')
 
 	allow $1 privoxy_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, privoxy_t)
 
+	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 privoxy_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	logging_list_logs($1)
-	manage_files_pattern($1, privoxy_log_t, privoxy_log_t)
+	admin_pattern($1, privoxy_log_t)
 
 	files_list_etc($1)
-	manage_files_pattern($1, privoxy_etc_rw_t, privoxy_etc_rw_t)
+	admin_pattern($1, privoxy_etc_rw_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t)
+	admin_pattern($1, privoxy_var_run_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.13/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/privoxy.te	2009-04-29 11:29:29.000000000 +0200
@@ -6,10 +6,21 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow privoxy to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
+gen_tunable(privoxy_connect_any, false)
+
 type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t, privoxy_exec_t)
 
+type privoxy_initrc_exec_t;
+init_script_file(privoxy_initrc_exec_t)
+
 type privoxy_etc_rw_t;
 files_type(privoxy_etc_rw_t)
 
@@ -50,6 +61,7 @@
 corenet_tcp_connect_http_port(privoxy_t)
 corenet_tcp_connect_http_cache_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
 corenet_sendrecv_http_cache_client_packets(privoxy_t)
 corenet_sendrecv_http_cache_server_packets(privoxy_t)
@@ -81,6 +93,11 @@
 # cjp: this should really not be needed
 sysadm_use_terms(privoxy_t)
 
+tunable_policy(`privoxy_connect_any',`
+	corenet_tcp_connect_all_ports(privoxy_t)
+	corenet_sendrecv_all_packets(privoxy_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(privoxy_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.13/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/procmail.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,2 +1,5 @@
 
 /usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
+
+/var/log/procmail\.log.*  -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.5.13/policy/modules/services/procmail.if
--- nsaserefpolicy/policy/modules/services/procmail.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/procmail.if	2009-02-10 15:07:15.000000000 +0100
@@ -39,3 +39,41 @@
 	corecmd_search_bin($1)
 	can_exec($1, procmail_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read procmail tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+	gen_require(`
+		type procmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 procmail_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read/write procmail tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_rw_tmp_files',`
+	gen_require(`
+		type procmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.13/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/procmail.te	2009-03-05 15:08:42.000000000 +0100
@@ -14,6 +14,10 @@
 type procmail_tmp_t;
 files_tmp_file(procmail_tmp_t)
 
+# log files
+type procmail_log_t;
+logging_log_file(procmail_log_t) 
+
 ########################################
 #
 # Local policy
@@ -29,6 +33,13 @@
 
 can_exec(procmail_t,procmail_exec_t)
 
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
+allow procmail_t procmail_log_t:dir setattr;
+create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
+logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+
 allow procmail_t procmail_tmp_t:file manage_file_perms;
 files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
 
@@ -58,6 +69,7 @@
 
 corecmd_exec_bin(procmail_t)
 corecmd_exec_shell(procmail_t)
+corecmd_read_bin_symlinks(procmail_t)
 
 files_read_etc_files(procmail_t)
 files_read_etc_runtime_files(procmail_t)
@@ -75,10 +87,6 @@
 # only works until we define a different type for maildir
 userdom_priveleged_home_dir_manager(procmail_t)
 
-# Do not audit attempts to access /root.
-staff_dontaudit_search_home_dirs(procmail_t)
-sysadm_dontaudit_search_home_dirs(procmail_t)
-
 mta_manage_spool(procmail_t)
 
 ifdef(`hide_broken_symptoms',`
@@ -103,6 +111,10 @@
 ')
 
 optional_policy(`
+	fetchmail_append_log(procmail_t)
+')	
+
+optional_policy(`
 	munin_dontaudit_search_lib(procmail_t)
 ')
 
@@ -117,11 +129,13 @@
 
 optional_policy(`
 	pyzor_domtrans(procmail_t)
+	pyzor_signal(procmail_t)
 ')
 
 optional_policy(`
 	mta_read_config(procmail_t)
 	sendmail_domtrans(procmail_t)
+	sendmail_signal(procmail_t)
 	sendmail_rw_tcp_sockets(procmail_t)
 	sendmail_rw_unix_stream_sockets(procmail_t)
 ')
@@ -130,7 +144,16 @@
 	corenet_udp_bind_generic_port(procmail_t)
 	corenet_dontaudit_udp_bind_all_ports(procmail_t)
 
-	spamassassin_exec(procmail_t)
-	spamassassin_exec_client(procmail_t)
+	spamassassin_domtrans(procmail_t)
+	spamassassin_domtrans_spamc(procmail_t)
 	spamassassin_read_lib_files(procmail_t)
 ')
+
+optional_policy(`
+	# Do not audit attempts to access /root.
+	sysadm_dontaudit_search_home_dirs(procmail_t)
+')
+
+optional_policy(`
+	mailscanner_read_spool(procmail_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.5.13/policy/modules/services/psad.fc
--- nsaserefpolicy/policy/modules/services/psad.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/psad.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,17 @@
+
+
+/etc/rc\.d/init\.d/psad 		--   		gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+
+/etc/psad(/.*)?						gen_context(system_u:object_r:psad_etc_t,s0)
+
+/usr/sbin/psad				--		gen_context(system_u:object_r:psad_exec_t,s0)
+
+#/usr/sbin/psadwatchd			--		gen_context(system_u:object_r:psadwatchd_exec_t,s0)
+
+#/usr/sbin/kmsgsd			--		gen_context(system_u:object_r:kmsgsd_exec_t,s0)
+
+/var/run/psad(/.*)?					gen_context(system_u:object_r:psad_var_run_t,s0)
+
+/var/lib/psad(/.*)?					gen_context(system_u:object_r:psad_var_lib_t,s0)
+
+/var/log/psad(/.*)?  					gen_context(system_u:object_r:psad_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.5.13/policy/modules/services/psad.if
--- nsaserefpolicy/policy/modules/services/psad.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/psad.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,304 @@
+## <summary>Psad SELinux policy</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run psad.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`psad_domtrans',`
+	gen_require(`
+		type psad_t, psad_exec_t;
+	')
+
+	domtrans_pattern($1, psad_exec_t, psad_t)
+')
+
+########################################
+## <summary>
+##      Read and write psad UDP sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`psad_rw_udp_sockets',`
+        gen_require(`
+                type psad_t;
+       ')
+
+        allow $1 psad_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+##      Read and write psad packet sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`psad_rw_packet_sockets',`
+        gen_require(`
+                type psad_t;
+       ')
+
+        allow $1 psad_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+##      Send a generic signal to psad
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`psad_signal',`
+        gen_require(`
+                type psad_t;
+       ')
+
+        allow $1 psad_t:process signal;
+')
+
+#######################################
+## <summary>
+##      Send a null signal to psad.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`psad_signull',`
+        gen_require(`
+                type psad_t;
+	')
+
+	allow $1 psad_t:process signull;
+')
+
+########################################
+## <summary>
+##      Read psad etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+##
+#
+interface(`psad_read_etc',`
+        gen_require(`
+                type psad_etc_t;
+        ')
+
+	files_search_etc($1)
+        read_files_pattern($1, psad_etc_t, psad_etc_t)
+')
+
+########################################
+## <summary>
+##      Manage psad etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+##
+#
+interface(`psad_manage_etc',`
+        gen_require(`
+                type psad_etc_t;
+        ')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+        manage_files_pattern($1, psad_etc_t, psad_etc_t)
+
+')
+
+########################################
+## <summary>
+##      Read psad PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+##
+#
+interface(`psad_read_pid_files',`
+        gen_require(`
+                type psad_var_run_t;
+        ')
+
+        files_search_pids($1)
+	read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+##      Read psad PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+##
+#
+interface(`psad_rw_pid_files',`
+        gen_require(`
+                type psad_var_run_t;
+        ')
+
+        files_search_pids($1)
+	rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to read psad's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`psad_read_log',`
+        gen_require(`
+                type psad_var_log_t;
+        ')
+
+        logging_search_logs($1)
+	list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+        read_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to append to psad's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`psad_append_log',`
+        gen_require(`
+                type psad_var_log_t;
+        ')
+
+        logging_search_logs($1)
+	list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+	append_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+##      Read and write psad fifo files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`psad_rw_fifo_file',`
+        gen_require(`
+                type psad_t;
+       ')
+
+	files_search_var_lib($1)
+	search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+	rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      Read and write psad tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`psad_rw_tmp_files',`
+        gen_require(`
+                type psad_tmp_t;
+        ')
+
+        files_search_tmp($1)
+        rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an psad environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_admin',`
+	gen_require(`
+		type psad_t, psad_var_run_t, psad_var_log_t;
+		type psad_initrc_exec_t, psad_var_lib_t;
+		type psad_tmp_t;
+	')
+
+	allow $1 psad_t:process { ptrace signal_perms };
+	ps_process_pattern($1, psad_t)
+
+	init_labeled_script_domtrans($1, psad_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 psad_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, psad_etc_t)
+
+	files_search_pids($1)
+	admin_pattern($1, psad_var_run_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, psad_var_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, psad_var_lib_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, psad_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.5.13/policy/modules/services/psad.te
--- nsaserefpolicy/policy/modules/services/psad.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/psad.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,107 @@
+policy_module(psad,1.0.0) 
+
+########################################
+#
+# Declarations
+#
+type psad_t;
+type psad_exec_t;
+init_daemon_domain(psad_t, psad_exec_t)
+
+type psad_initrc_exec_t;
+init_script_file(psad_initrc_exec_t)
+
+# config files
+type psad_etc_t;
+files_config_file(psad_etc_t)
+
+# var/lib files
+type psad_var_lib_t;
+files_type(psad_var_lib_t)
+
+# log files
+type psad_var_log_t;
+logging_log_file(psad_var_log_t)
+
+# pid files
+type psad_var_run_t;
+files_pid_file(psad_var_run_t)
+
+# tmp files
+type psad_tmp_t;
+files_tmp_file(psad_tmp_t)
+
+########################################
+#
+# psad local policy
+#
+
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+dontaudit psad_t self:capability { sys_tty_config };
+allow psad_t self:process { signal signull };
+
+allow psad_t self:fifo_file  rw_fifo_file_perms;
+allow psad_t self:rawip_socket create_socket_perms;
+
+# config files
+read_files_pattern(psad_t,psad_etc_t,psad_etc_t)
+list_dirs_pattern(psad_t,psad_etc_t,psad_etc_t)
+
+# pid file
+manage_files_pattern(psad_t, psad_var_run_t,psad_var_run_t)
+manage_sock_files_pattern(psad_t, psad_var_run_t,psad_var_run_t)
+files_pid_filetrans(psad_t,psad_var_run_t, { file sock_file })
+
+# log files
+manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+logging_log_filetrans(psad_t,psad_var_log_t, { file dir })
+
+# tmp files
+manage_dirs_pattern(psad_t,psad_tmp_t,psad_tmp_t)
+manage_files_pattern(psad_t,psad_tmp_t,psad_tmp_t)
+files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
+
+# /var/lib files
+search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+
+kernel_read_system_state(psad_t)
+kernel_read_network_state(psad_t)
+#kernel_read_kernel_sysctls(psad_t)
+kernel_read_net_sysctls(psad_t)
+
+corecmd_exec_shell(psad_t)
+corecmd_exec_bin(psad_t)
+
+auth_use_nsswitch(psad_t)
+
+corenet_tcp_connect_whois_port(psad_t)
+
+dev_read_urand(psad_t)
+
+files_read_etc_runtime_files(psad_t)
+
+fs_getattr_all_fs(psad_t)
+
+libs_use_ld_so(psad_t)
+libs_use_shared_libs(psad_t)
+
+miscfiles_read_localization(psad_t)
+
+logging_read_generic_logs(psad_t)
+logging_read_syslog_config(psad_t)
+logging_send_syslog_msg(psad_t)
+
+#sysnet_domtrans_ifconfig(psad_t)
+sysnet_exec_ifconfig(psad_t)
+iptables_domtrans(psad_t)
+
+optional_policy(`
+        mta_send_mail(psad_t)
+	mta_read_queue(psad_t)
+')
+
+permissive psad_t;
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.5.13/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/pyzor.fc	2009-05-21 14:36:40.000000000 +0200
@@ -1,6 +1,10 @@
+/root/\.pyzor(/.*)?            gen_context(system_u:object_r:spamc_home_t,s0)
+
 /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
 
-HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 
 /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.13/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/pyzor.if	2009-02-10 15:07:15.000000000 +0100
@@ -25,16 +25,16 @@
 #
 template(`pyzor_per_role_template',`
 	gen_require(`
-		type pyzord_t;
+		type pyzor_t;
+		type pyzor_home_t;
 	')
 
-	type $1_pyzor_home_t;
-	userdom_user_home_content($1, $1_pyzor_home_t)
+	typealias pyzor_home_t alias $1_pyzor_home_t;
 
-	manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
+	manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+	manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+	manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+	userdom_user_home_dir_filetrans($1, pyzor_t, pyzor_home_t, { dir file lnk_file })
 ')
 
 ########################################
@@ -94,3 +94,50 @@
 	corecmd_search_bin($1)
 	can_exec($1, pyzor_exec_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pyzor environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the pyzor domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pyzor_admin',`
+	gen_require(`
+		type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+		type pyzor_etc_t, pyzor_var_lib_t;
+		type pyzord_initrc_exec_t;
+	')
+
+	allow $1 pyzord_t:process { ptrace signal_perms };
+	ps_process_pattern($1, pyzord_t)
+	        
+	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 pyzord_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, pyzor_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, pyzord_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, pyzor_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, pyzor_var_lib_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.13/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/pyzor.te	2009-06-11 12:20:09.000000000 +0200
@@ -6,6 +6,38 @@
 # Declarations
 #
 
+
+ifdef(`distro_redhat',`
+
+	gen_require(`
+		type spamc_t;
+		type spamc_exec_t;
+		type spamd_t;
+		type spamd_initrc_exec_t;
+		type spamd_exec_t;
+		type spamc_tmp_t;
+		type spamd_log_t;
+		type spamd_var_lib_t;
+		type spamd_etc_t;
+		type spamc_tmp_t;
+		type spamc_home_t;
+	')
+
+	typealias spamc_t alias pyzor_t;
+	typealias spamc_exec_t alias pyzor_exec_t;
+	typealias spamd_t alias pyzord_t;
+	typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+	typealias spamd_exec_t alias pyzord_exec_t;
+	typealias spamc_tmp_t alias pyzor_tmp_t;
+	typealias spamd_log_t alias pyzor_log_t;
+	typealias spamd_log_t alias pyzord_log_t;
+	typealias spamd_var_lib_t alias pyzor_var_lib_t;
+	typealias spamd_etc_t alias pyzor_etc_t;
+	typealias spamc_home_t alias pyzor_home_t;
+	typealias spamc_home_t alias user_pyzor_home_t;
+
+',`
+
 type pyzor_t;
 type pyzor_exec_t;
 application_domain(pyzor_t, pyzor_exec_t)
@@ -17,7 +49,7 @@
 init_daemon_domain(pyzord_t, pyzord_exec_t)
 
 type pyzor_etc_t;
-files_type(pyzor_etc_t)
+   files_config_file(pyzor_etc_t)
 
 type pyzord_log_t;
 logging_log_file(pyzord_log_t)
@@ -28,6 +60,14 @@
 type pyzor_var_lib_t;
 files_type(pyzor_var_lib_t)
 
+type pyzor_home_t;
+userdom_user_home_content(user, pyzor_home_t)
+
+type pyzord_initrc_exec_t;
+init_script_file(pyzord_initrc_exec_t)
+
+')
+
 ########################################
 #
 # Pyzor local policy
@@ -46,6 +86,8 @@
 kernel_read_kernel_sysctls(pyzor_t)  
 kernel_read_system_state(pyzor_t)
 
+fs_getattr_xattr_fs(pyzor_t)
+
 corecmd_list_bin(pyzor_t)
 corecmd_getattr_bin_files(pyzor_t)
 
@@ -68,6 +110,8 @@
 
 miscfiles_read_localization(pyzor_t)
 
+mta_read_queue(pyzor_t)
+
 sysadm_dontaudit_search_home_dirs(pyzor_t)
 
 optional_policy(`
@@ -76,8 +120,13 @@
 ')
 
 optional_policy(`
+	procmail_read_tmp_files(pyzor_t)
+')
+
+optional_policy(`
 	spamassassin_signal_spamd(pyzor_t)
 	spamassassin_read_spamd_tmp_files(pyzor_t)
+	unprivuser_read_home_content_files(pyzor_t)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.5.13/policy/modules/services/qmail.te
--- nsaserefpolicy/policy/modules/services/qmail.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/qmail.te	2009-02-10 15:07:15.000000000 +0100
@@ -124,6 +124,10 @@
 
 qmail_domtrans_queue(qmail_local_t)
 
+optional_policy(`
+	spamassassin_domtrans_spamc(qmail_local_t)
+')
+
 ########################################
 #
 # qmail-lspawn local policy
@@ -255,6 +259,10 @@
 ')
 
 optional_policy(`
+	kerberos_keytab_template(qmail, qmail_smtpd_t)
+')
+
+optional_policy(`
 	ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.13/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/radius.te	2009-02-10 15:07:15.000000000 +0100
@@ -59,8 +59,9 @@
 
 manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
 
+manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
 manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
-files_pid_filetrans(radiusd_t, radiusd_var_run_t, file)
+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file })
 
 kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.5.13/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/radvd.te	2009-02-10 15:07:15.000000000 +0100
@@ -22,7 +22,7 @@
 #
 # Local policy
 #
-allow radvd_t self:capability { setgid setuid net_raw };
+allow radvd_t self:capability { setgid setuid net_raw net_admin };
 dontaudit radvd_t self:capability sys_tty_config;
 allow radvd_t self:process signal_perms;
 allow radvd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.5.13/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/razor.fc	2009-04-14 17:49:39.000000000 +0200
@@ -1,4 +1,6 @@
-HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:ROLE_razor_home_t,s0)
+/root/\.razor(/.*)?             gen_context(system_u:object_r:spamc_home_t,s0)
+
+HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
 
 /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.5.13/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/razor.if	2009-02-10 15:07:15.000000000 +0100
@@ -137,6 +137,7 @@
 template(`razor_per_role_template',`
 	gen_require(`
 		type razor_exec_t;
+		type razor_home_t, razor_tmp_t;
 	')
 
 	type $1_razor_t;
@@ -145,12 +146,8 @@
 	razor_common_domain_template($1_razor)
 	role $3 types $1_razor_t;
 
-	type $1_razor_home_t alias $1_razor_rw_t;
-	files_poly_member($1_razor_home_t)
-	userdom_user_home_content($1, $1_razor_home_t)
-
-	type $1_razor_tmp_t;
-	files_tmp_file($1_razor_tmp_t)
+	typealias razor_home_t alias $1_razor_home_t;
+	typealias razor_tmp_t alias $1_razor_tmp_t;
 
 	##############################
 	#
@@ -159,10 +156,10 @@
 
 	allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
 
-	manage_dirs_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
-	manage_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
-	manage_lnk_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
-	userdom_user_home_dir_filetrans($1, $1_razor_t, $1_razor_home_t, dir)
+	manage_dirs_pattern($1_razor_t, razor_home_t, razor_home_t)
+	manage_files_pattern($1_razor_t, razor_home_t, razor_home_t)
+	manage_lnk_files_pattern($1_razor_t, razor_home_t, razor_home_t)
+	userdom_user_home_dir_filetrans($1, $1_razor_t, razor_home_t, dir)
 
 	manage_dirs_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t)
 	manage_files_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t)
@@ -170,12 +167,12 @@
 
 	domtrans_pattern($2, razor_exec_t, $1_razor_t)
 
-	manage_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	manage_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	manage_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	relabel_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	relabel_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	relabel_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
+	manage_dirs_pattern($2, razor_home_t, razor_home_t)
+	manage_files_pattern($2, razor_home_t, razor_home_t)
+	manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+	relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+	relabel_files_pattern($2, razor_home_t, razor_home_t)
+	relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
 
 	logging_send_syslog_msg($1_razor_t)
 
@@ -218,3 +215,61 @@
 
 	domtrans_pattern($1, razor_exec_t, razor_t)
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete razor files
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete razor files
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`razor_manage_user_home_files',`
+	gen_require(`
+		type user_home_dir_t, razor_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 user_home_dir_t:dir search_dir_perms;
+	manage_files_pattern($2, razor_home_t, razor_home_t)
+	read_lnk_files_pattern($2, razor_home_t, razor_home_t)
+')
+
+########################################
+## <summary>
+##	read razor lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`razor_read_lib_files',`
+	gen_require(`
+		type razor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.5.13/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/razor.te	2009-03-11 11:54:03.000000000 +0100
@@ -6,21 +6,53 @@
 # Declarations
 #
 
+ifdef(`distro_redhat',`
+
+	gen_require(`
+		type spamc_t;
+		type spamc_exec_t;
+		type spamc_home_t;
+		type spamd_log_t;
+		type spamd_spool_t;
+		type spamd_var_lib_t;
+		type spamd_etc_t;
+		type spamassassin_home_t;
+		type spamc_tmp_t;
+	')
+
+	typealias spamc_t alias razor_t;
+	typealias spamc_exec_t alias razor_exec_t;
+	typealias spamd_log_t alias razor_log_t;
+	typealias spamd_var_lib_t alias razor_var_lib_t;
+	typealias spamd_etc_t alias razor_etc_t;
+	#typealias spamassassin_home_t alias razor_home_t;
+	typealias spamc_home_t alias razor_home_t;
+
+',`
+
 type razor_t;
 type razor_exec_t;
 domain_type(razor_t)
 domain_entry_file(razor_t, razor_exec_t)
 role system_r types razor_t;
 
-type razor_etc_t;
-files_config_file(razor_etc_t)
-
 type razor_log_t;
 logging_log_file(razor_log_t)
 
 type razor_var_lib_t;
 files_type(razor_var_lib_t)
 
+type razor_etc_t;
+files_config_file(razor_etc_t)
+
+type razor_home_t;
+userdom_user_home_content(user, razor_home_t)
+
+type razor_tmp_t;
+files_tmp_file(razor_tmp_t)
+
+')
+
 razor_common_domain_template(razor)
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.13/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ricci.te	2009-02-10 15:07:15.000000000 +0100
@@ -133,6 +133,8 @@
 
 dev_read_urand(ricci_t)
 
+domain_read_all_domains_state(ricci_t)
+
 files_read_etc_files(ricci_t)
 files_read_etc_runtime_files(ricci_t)
 files_create_boot_flag(ricci_t)
@@ -140,7 +142,7 @@
 auth_domtrans_chk_passwd(ricci_t)
 auth_append_login_records(ricci_t)
 
-init_dontaudit_stream_connect_script(ricci_t)
+init_stream_connect_script(ricci_t)
 
 libs_use_ld_so(ricci_t)
 libs_use_shared_libs(ricci_t)
@@ -205,7 +207,7 @@
 corecmd_exec_shell(ricci_modcluster_t)
 corecmd_exec_bin(ricci_modcluster_t)
 
-domain_dontaudit_read_all_domains_state(ricci_modcluster_t)
+domain_read_all_domains_state(ricci_modcluster_t)
 
 files_search_locks(ricci_modcluster_t)
 files_read_etc_runtime_files(ricci_modcluster_t)
@@ -293,14 +295,14 @@
 corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
 corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
 
-domain_dontaudit_read_all_domains_state(ricci_modclusterd_t)
+domain_read_all_domains_state(ricci_modclusterd_t)
 
 files_read_etc_files(ricci_modclusterd_t)
 files_read_etc_runtime_files(ricci_modclusterd_t)
 
 fs_getattr_xattr_fs(ricci_modclusterd_t)
 
-init_dontaudit_stream_connect_script(ricci_modclusterd_t)
+init_stream_connect_script(ricci_modclusterd_t)
 
 libs_use_ld_so(ricci_modclusterd_t)
 libs_use_shared_libs(ricci_modclusterd_t)
@@ -337,7 +339,7 @@
 
 corecmd_exec_bin(ricci_modlog_t)
 
-domain_dontaudit_read_all_domains_state(ricci_modlog_t)
+domain_read_all_domains_state(ricci_modlog_t)
 
 files_read_etc_files(ricci_modlog_t)
 files_search_usr(ricci_modlog_t)
@@ -450,7 +452,7 @@
 dev_read_urand(ricci_modstorage_t)
 dev_manage_generic_blk_files(ricci_modstorage_t)
 
-domain_dontaudit_read_all_domains_state(ricci_modstorage_t)
+domain_read_all_domains_state(ricci_modstorage_t)
 
 #Needed for editing /etc/fstab
 files_manage_etc_files(ricci_modstorage_t)
@@ -473,6 +475,10 @@
 
 modutils_read_module_deps(ricci_modstorage_t)
 
+consoletype_exec(ricci_modstorage_t)
+
+mount_domtrans(ricci_modstorage_t)
+
 optional_policy(`
 	ccs_stream_connect(ricci_modstorage_t)
 	ccs_read_config(ricci_modstorage_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.13/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rlogin.te	2009-02-10 15:07:15.000000000 +0100
@@ -94,10 +94,22 @@
 remotelogin_signal(rlogind_t)
 
 optional_policy(`
-	kerberos_use(rlogind_t)
-	kerberos_read_keytab(rlogind_t)
+	kerberos_keytab_template(rlogind, rlogind_t)
+	kerberos_manage_host_rcache(rlogind_t)
 ')
 
 optional_policy(`
 	tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
 ')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_list_nfs(rlogind_t)
+	fs_read_nfs_files(rlogind_t)
+	fs_read_nfs_symlinks(rlogind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_list_cifs(rlogind_t)
+	fs_read_cifs_files(rlogind_t)
+	fs_read_cifs_symlinks(rlogind_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.5.13/policy/modules/services/roundup.fc
--- nsaserefpolicy/policy/modules/services/roundup.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/roundup.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/roundup	--	gen_context(system_u:object_r:roundup_initrc_exec_t,s0)
+
 #
 # /usr
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.5.13/policy/modules/services/roundup.if
--- nsaserefpolicy/policy/modules/services/roundup.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/roundup.if	2009-02-10 15:07:15.000000000 +0100
@@ -1 +1,39 @@
 ## <summary>Roundup Issue Tracking System policy</summary>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an roundup environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the roundup domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`roundup_admin',`
+	gen_require(`
+		type roundup_t, roundup_var_lib_t, roundup_var_run_t;
+		type roundup_initrc_exec_t;
+	')
+
+	allow $1 roundup_t:process { ptrace signal_perms };
+	ps_process_pattern($1, roundup_t)
+	        
+	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 roundup_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_var_lib($1)
+	admin_pattern($1, roundup_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, roundup_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.5.13/policy/modules/services/roundup.te
--- nsaserefpolicy/policy/modules/services/roundup.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/roundup.te	2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,9 @@
 type roundup_exec_t;
 init_daemon_domain(roundup_t, roundup_exec_t)
 
+type roundup_initrc_exec_t;
+init_script_file(roundup_initrc_exec_t)
+
 type roundup_var_run_t;
 files_pid_file(roundup_var_run_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.13/policy/modules/services/rpcbind.fc
--- nsaserefpolicy/policy/modules/services/rpcbind.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,4 @@
-/etc/rc.d/init.d/rpcbind --	gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
 
 /sbin/rpcbind		--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.13/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te	2009-04-23 09:19:32.000000000 +0200
@@ -31,6 +31,8 @@
 allow rpcbind_t self:udp_socket create_socket_perms;
 allow rpcbind_t self:tcp_socket create_stream_socket_perms;
 
+fs_list_inotifyfs(rpcbind_t)
+
 manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
 manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
 files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
@@ -60,6 +62,7 @@
 domain_use_interactive_fds(rpcbind_t)
 
 files_read_etc_files(rpcbind_t)
+files_read_etc_runtime_files(rpcbind_t)
 
 libs_use_ld_so(rpcbind_t)
 libs_use_shared_libs(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.5.13/policy/modules/services/rpc.fc
--- nsaserefpolicy/policy/modules/services/rpc.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rpc.fc	2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,7 @@
 # /usr
 #
 /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\.rquotad	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
 /usr/sbin/rpc\.mountd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
 /usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.13/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rpc.if	2009-02-23 15:03:51.000000000 +0100
@@ -88,8 +88,11 @@
 	# bind to arbitary unused ports
 	corenet_tcp_bind_generic_port($1_t)
 	corenet_udp_bind_generic_port($1_t)
-	corenet_udp_bind_reserved_port($1_t)
+	corenet_dontaudit_tcp_bind_all_ports($1_t)
+	corenet_dontaudit_udp_bind_all_ports($1_t)
 	corenet_sendrecv_generic_server_packets($1_t)
+	corenet_tcp_bind_all_rpc_ports($1_t)
+	corenet_udp_bind_all_rpc_ports($1_t)
 
 	fs_rw_rpc_named_pipes($1_t) 
 	fs_search_auto_mountpoints($1_t)
@@ -208,6 +211,25 @@
 
 ########################################
 ## <summary>
+##      Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+	gen_require(`
+		type rpcd_t, rpcd_exec_t;
+	')
+
+	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+	allow rpcd_t $1:process signal;
+')
+
+########################################
+## <summary>
 ##      Read NFS exported content.
 ## </summary>
 ## <param name="domain">
@@ -338,3 +360,22 @@
 	files_search_var_lib($1)
 	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 ')
+
+########################################
+## <summary>
+##	Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rpc.te	2009-07-20 14:45:25.000000000 +0200
@@ -23,7 +23,7 @@
 gen_tunable(allow_nfsd_anon_write, false)
 
 type exports_t;
-files_type(exports_t)
+files_config_file(exports_t)
 
 rpc_domain_template(gssd)
 
@@ -68,16 +68,20 @@
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
 kernel_rw_fs_sysctls(rpcd_t)
+kernel_dontaudit_getattr_core_if(rpcd_t)
 
 corecmd_exec_bin(rpcd_t)
 
 files_manage_mounttab(rpcd_t)
 
+fs_list_inotifyfs(rpcd_t)
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
 fs_read_rpc_sockets(rpcd_t) 
 
+storage_getattr_fixed_disk_dev(rpcd_t)
+
 selinux_dontaudit_read_fs(rpcd_t)
 
 miscfiles_read_certs(rpcd_t)
@@ -85,6 +89,10 @@
 seutil_dontaudit_search_config(rpcd_t)
 
 optional_policy(`
+	automount_signal(rpcd_t)
+')
+
+optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')
 
@@ -101,6 +109,7 @@
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
 kernel_read_network_state(nfsd_t) 
+kernel_dontaudit_getattr_core_if(nfsd_t) 
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -116,6 +125,7 @@
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)
 
+fs_list_inotifyfs(nfsd_t)
 fs_mount_nfsd_fs(nfsd_t) 
 fs_search_nfsd_fs(nfsd_t) 
 fs_getattr_all_fs(nfsd_t) 
@@ -123,6 +133,7 @@
 fs_rw_nfsd_fs(nfsd_t) 
 
 storage_dontaudit_read_fixed_disk(nfsd_t)
+storage_raw_read_removable_device(nfsd_t)
 
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
@@ -133,13 +144,22 @@
 ') 
 
 tunable_policy(`nfs_export_all_rw',`
-	fs_read_noxattr_fs_files(nfsd_t) 
+	fs_read_noxattr_fs_files(nfsd_t)
+	dev_getattr_all_blk_files(nfsd_t)
+	dev_getattr_all_chr_files(nfsd_t)
 	auth_manage_all_files_except_shadow(nfsd_t)
+	#unprivuser_home_dir_filetrans_home_content(nfsd_t, { file dir })
 ')
+unprivuser_home_dir_filetrans_home_content(nfsd_t, { file dir })
 
 tunable_policy(`nfs_export_all_ro',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_read_all_files_except_shadow(nfsd_t)
+	auth_read_all_dirs_except_shadow(nfsd_t)
+	files_getattr_all_pipes(nfsd_t)
+	files_getattr_all_sockets(nfsd_t)
+	dev_getattr_all_blk_files(nfsd_t)
+	dev_getattr_all_chr_files(nfsd_t)
 ')
 
 ########################################
@@ -162,6 +182,7 @@
 
 corecmd_exec_bin(gssd_t)
 
+fs_list_inotifyfs(gssd_t)
 fs_list_rpc(gssd_t) 
 fs_read_rpc_sockets(gssd_t) 
 fs_read_rpc_files(gssd_t) 
@@ -170,9 +191,14 @@
 files_read_usr_symlinks(gssd_t) 
 
 auth_use_nsswitch(gssd_t)
+auth_manage_cache(gssd_t) 
 
 miscfiles_read_certs(gssd_t)
 
+userdom_dontaudit_search_users_home_dirs(gssd_t)
+sysadm_dontaudit_search_home_dirs(gssd_t)
+userdom_dontaudit_manage_user_tmp_files(user, gssd_t)
+
 tunable_policy(`allow_gssd_read_tmp',`
 	userdom_list_unpriv_users_tmp(gssd_t) 
 	userdom_read_unpriv_users_tmp_files(gssd_t) 
@@ -180,8 +206,7 @@
 ')
 
 optional_policy(`
-	kerberos_use(gssd_t)
-	kerberos_read_keytab(gssd_t) 
+	kerberos_keytab_template(gssd, gssd_t) 
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.13/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rshd.te	2009-02-10 15:07:15.000000000 +0100
@@ -16,7 +16,7 @@
 #
 # Local policy
 #
-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
 allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
 allow rshd_t self:fifo_file rw_fifo_file_perms;
 allow rshd_t self:tcp_socket create_stream_socket_perms;
@@ -33,6 +33,9 @@
 corenet_udp_sendrecv_all_ports(rshd_t)
 corenet_tcp_bind_all_nodes(rshd_t)
 corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
 corenet_sendrecv_rsh_server_packets(rshd_t)
 
 dev_read_urand(rshd_t)
@@ -44,20 +47,22 @@
 selinux_compute_relabel_context(rshd_t)
 selinux_compute_user_contexts(rshd_t)
 
-auth_domtrans_chk_passwd(rshd_t)
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
 
 corecmd_read_bin_symlinks(rshd_t)
 
 files_list_home(rshd_t)
 files_read_etc_files(rshd_t)
-files_search_tmp(rshd_t)
+files_manage_generic_tmp_dirs(rshd_t)
 
-auth_use_nsswitch(rshd_t)
+init_rw_utmp(rshd_t)
 
 libs_use_ld_so(rshd_t)
 libs_use_shared_libs(rshd_t)
 
 logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
 
 miscfiles_read_localization(rshd_t)
 
@@ -77,7 +82,8 @@
 ')
 
 optional_policy(`
-	kerberos_use(rshd_t)
+	kerberos_keytab_template(rshd, rshd_t)
+	kerberos_manage_host_rcache(rshd_t)
 ')
 
 optional_policy(`
@@ -86,4 +92,5 @@
 
 optional_policy(`
 	unconfined_shell_domtrans(rshd_t)
+	unconfined_signal(rshd_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.13/policy/modules/services/rsync.fc
--- nsaserefpolicy/policy/modules/services/rsync.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rsync.fc	2009-02-10 15:07:15.000000000 +0100
@@ -3,4 +3,4 @@
 
 /var/log/rsync\.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
 
-/var/run/rsyncd\.lock      --	gen_context(system_u:object_r:rsync_log_t,s0)
+/var/run/rsyncd\.lock      --	gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.13/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/rsync.te	2009-06-11 12:35:05.000000000 +0200
@@ -45,7 +45,7 @@
 # Local policy
 #
 
-allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
+allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
 allow rsync_t self:tcp_socket create_stream_socket_perms;
@@ -121,6 +121,13 @@
 ')
 
 tunable_policy(`rsync_export_all_ro',`
-	fs_read_noxattr_fs_files(rsync_t) 
+	fs_read_noxattr_fs_files(rsync_t)
+	fs_read_nfs_files(rsync_t)
+	fs_read_cifs_files(rsync_t)
+	auth_read_all_dirs_except_shadow(rsync_t)
 	auth_read_all_files_except_shadow(rsync_t)
+	auth_read_all_symlinks_except_shadow(rsync_t)
+	auth_tunable_read_shadow(rsync_t)
 ')
+
+auth_can_read_shadow_passwords(rsync_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.5.13/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/samba.fc	2009-02-10 15:07:15.000000000 +0100
@@ -2,6 +2,9 @@
 #
 # /etc
 #
+/etc/rc\.d/init\.d/winbind	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nmb		--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb		--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
 /etc/samba/MACHINE\.SID		--	gen_context(system_u:object_r:samba_secrets_t,s0)
 /etc/samba/passdb\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
 /etc/samba/secrets\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
@@ -15,6 +18,7 @@
 /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
 /usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
 /usr/bin/smbmnt			--	gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
 /usr/sbin/swat			--	gen_context(system_u:object_r:swat_exec_t,s0)
 
 /usr/sbin/nmbd			--	gen_context(system_u:object_r:nmbd_exec_t,s0)
@@ -47,3 +51,7 @@
 /var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
 
 /var/spool/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
+
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/samba.if	2009-02-10 15:07:15.000000000 +0100
@@ -6,6 +6,24 @@
 
 #######################################
 ## <summary>
+##	The role for the samba module.
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the samba_net domain.
+##	</summary>
+## </param>
+#
+template(`samba_role_notrans',`
+	gen_require(`
+		type smbd_t;
+	')
+
+	role $1 types smbd_t;
+')
+
+#######################################
+## <summary>
 ##	The per role template for the samba module.
 ## </summary>
 ## <desc>
@@ -44,6 +62,44 @@
 
 ########################################
 ## <summary>
+##	Execute smbd net in the smbd_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_domtrans_smb',`
+	gen_require(`
+		type smbd_t, smbd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, smbd_exec_t, smbd_t)
+')
+
+########################################
+## <summary>
+##	Execute nmbd net in the nmbd_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_domtrans_nmb',`
+	gen_require(`
+		type nmbd_t, nmbd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, nmbd_exec_t, nmbd_t)
+')
+
+########################################
+## <summary>
 ##	Execute samba net in the samba_net domain.
 ## </summary>
 ## <param name="domain">
@@ -63,6 +119,25 @@
 
 ########################################
 ## <summary>
+##	Execute samba net in the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_domtrans_unconfined_net',`
+	gen_require(`
+		type samba_unconfined_net_t, samba_net_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
+########################################
+## <summary>
 ##	Execute samba net in the samba_net domain, and
 ##	allow the specified role the samba_net domain.
 ## </summary>
@@ -95,6 +170,70 @@
 
 ########################################
 ## <summary>
+##	Execute smbd in the smbd domain, and
+##	allow the specified role the smbd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the samba_smb domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the samba_smb domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_smb',`
+	gen_require(`
+		type smbd_t;
+	')
+
+	samba_domtrans_smb($1)
+	role $2 types smbd_t;
+	allow smbd_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute samba net in the samba_unconfined_net domain, and
+##	allow the specified role the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the samba_unconfined_net domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the samba_unconfined_net domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_unconfined_net',`
+	gen_require(`
+		type samba_unconfined_net_t;
+	')
+
+	samba_domtrans_unconfined_net($1)
+	role $2 types samba_unconfined_net_t;
+	allow samba_unconfined_net_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Execute smbmount in the smbmount domain.
 ## </summary>
 ## <param name="domain">
@@ -188,6 +327,28 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to read
+##	and write samba configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_manage_config',`
+	gen_require(`
+		type samba_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
+	manage_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read samba's log files.
 ## </summary>
 ## <param name="domain">
@@ -331,6 +492,25 @@
 
 ########################################
 ## <summary>
+##	dontaudit the specified domain to
+##	write samba /var files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to
 ##	read and write samba /var files.
 ## </summary>
@@ -348,6 +528,7 @@
 	files_search_var($1)
 	files_search_var_lib($1)
 	manage_files_pattern($1, samba_var_t, samba_var_t)
+	manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
 ')
 
 ########################################
@@ -420,6 +601,7 @@
 	')
 
 	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+	allow $1 winbind_helper_t:process signal;
 ')
 
 ########################################
@@ -503,3 +685,208 @@
 		stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
 	')
 ')
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`samba_helper_template',`
+	gen_require(`
+		type smbd_t;
+	')
+	#This type is for samba helper scripts
+	type samba_$1_script_t;
+	domain_type(samba_$1_script_t)
+	role system_r types samba_$1_script_t;
+
+	# This type is used for executable scripts files
+	type samba_$1_script_exec_t;
+	corecmd_shell_entry_type(samba_$1_script_t)
+	domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
+
+	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+	allow smbd_t samba_$1_script_exec_t:file ioctl;
+
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read samba's shares
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_read_share_files',`
+	gen_require(`
+		type samba_share_t;
+	')
+
+	allow $1 samba_share_t:filesystem getattr;
+	read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbcontrol',`
+	gen_require(`
+		type smbcontrol_t;
+                type smbcontrol_exec_t;
+	')
+
+	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
+')
+
+
+########################################
+## <summary>
+##	Execute smbcontrol in the smbcontrol domain, and
+##	allow the specified role the smbcontrol domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the smbcontrol domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`samba_run_smbcontrol',`
+	gen_require(`
+		type smbcontrol_t;
+	')
+
+	samba_domtrans_smbcontrol($1)
+	role $2 types smbcontrol_t;
+	dontaudit smbcontrol_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_initrc_domtrans',`
+	gen_require(`
+		type samba_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an samba environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the samba domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_admin',`
+	gen_require(`
+		type nmbd_t, nmbd_var_run_t;
+		type smbd_t, smbd_tmp_t;
+		type smbd_initrc_exec_t;
+		type smbd_spool_t, smbd_var_run_t;
+
+		type samba_log_t, samba_var_t;
+		type samba_etc_t, samba_share_t;
+		type samba_secrets_t;
+
+		type swat_var_run_t, swat_tmp_t;
+
+		type winbind_var_run_t, winbind_tmp_t;
+		type winbind_log_t;
+
+		type samba_unconfined_script_t, samba_unconfined_script_exec_t;
+		type samba_initrc_exec_t;
+	')
+
+	allow $1 smbd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, smbd_t)
+	        
+	allow $1 nmbd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, nmbd_t)
+	        
+	allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
+	        
+	samba_run_smbcontrol($1, $2, $3)
+	samba_run_winbind_helper($1, $2, $3)
+	samba_run_smbmount($1, $2, $3)
+	samba_run_net($1, $2, $3)
+
+	init_labeled_script_domtrans($1, samba_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 samba_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, smbd_tmp_t)
+	admin_pattern($1, swat_tmp_t)
+	admin_pattern($1, winbind_tmp_t)
+
+	admin_pattern($1, samba_secrets_t)
+
+	files_list_etc($1)
+	admin_pattern($1, samba_etc_t)
+
+	admin_pattern($1, samba_share_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, samba_log_t)
+	admin_pattern($1, winbind_log_t)
+
+	files_list_spool($1)
+	admin_pattern($1, smbd_spool_t)
+
+	files_list_var($1)
+	admin_pattern($1, samba_var_t)
+
+	files_list_pids($1)
+	admin_pattern($1, smbd_var_run_t)
+	admin_pattern($1, nmbd_var_run_t)
+	admin_pattern($1, swat_var_run_t)
+	admin_pattern($1, winbind_var_run_t)
+	admin_pattern($1, samba_unconfined_script_exec_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/samba.te	2009-04-03 11:57:58.000000000 +0200
@@ -66,6 +66,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs, false)
 
+## <desc>
+## <p>
+## Allow samba to export ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_fusefs, false)
+
 type nmbd_t;
 type nmbd_exec_t;
 init_daemon_domain(nmbd_t, nmbd_exec_t)
@@ -73,6 +80,9 @@
 type nmbd_var_run_t;
 files_pid_file(nmbd_var_run_t)
 
+type samba_initrc_exec_t;
+init_script_file(samba_initrc_exec_t)
+
 type samba_etc_t;
 files_config_file(samba_etc_t)
 
@@ -80,11 +90,9 @@
 logging_log_file(samba_log_t)
 
 type samba_net_t;
-domain_type(samba_net_t)
-role system_r types samba_net_t;
-
 type samba_net_exec_t;
-domain_entry_file(samba_net_t, samba_net_exec_t)
+role system_r types samba_net_t;
+application_domain(samba_net_t, samba_net_exec_t)
 
 type samba_net_tmp_t;
 files_tmp_file(samba_net_tmp_t)
@@ -146,11 +154,17 @@
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
 
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role system_r types smbcontrol_t;
+
 ########################################
 #
 # Samba net local policy
 #
-
+allow samba_net_t self:capability { sys_nice dac_read_search dac_override };
+allow samba_net_t self:process { getsched setsched };
 allow samba_net_t self:unix_dgram_socket create_socket_perms;
 allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
 allow samba_net_t self:udp_socket create_socket_perms;
@@ -165,11 +179,12 @@
 manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
-allow samba_net_t samba_var_t:dir rw_dir_perms;
+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 
 kernel_read_proc_symlinks(samba_net_t)
+kernel_read_system_state(samba_net_t)
 
 corenet_all_recvfrom_unlabeled(samba_net_t)
 corenet_all_recvfrom_netlabel(samba_net_t)
@@ -190,8 +205,10 @@
 domain_use_interactive_fds(samba_net_t)
 
 files_read_etc_files(samba_net_t)
+files_read_usr_symlinks(samba_net_t)
 
 auth_use_nsswitch(samba_net_t)
+auth_read_cache(samba_net_t)
 
 libs_use_ld_so(samba_net_t)
 libs_use_shared_libs(samba_net_t)
@@ -200,7 +217,14 @@
 
 miscfiles_read_localization(samba_net_t) 
 
+samba_read_var_files(samba_net_t) 
+
 sysadm_dontaudit_search_home_dirs(samba_net_t)
+userdom_list_all_users_home_dirs(samba_net_t)
+
+optional_policy(`
+	pcscd_read_pub_files(samba_net_t)
+')
 
 optional_policy(`
 	kerberos_use(samba_net_t)
@@ -210,7 +234,7 @@
 #
 # smbd Local policy
 #
-allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
 dontaudit smbd_t self:capability sys_tty_config;
 allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow smbd_t self:process setrlimit;
@@ -228,10 +252,8 @@
 
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
 
-create_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
 manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
-allow smbd_t samba_log_t:dir setattr;
-dontaudit smbd_t samba_log_t:dir remove_name;
 
 allow smbd_t samba_net_tmp_t:file getattr;
 
@@ -241,6 +263,7 @@
 manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+allow smbd_t samba_share_t:filesystem getattr;
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
@@ -258,7 +281,7 @@
 manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 files_pid_filetrans(smbd_t, smbd_var_run_t, file)
 
-allow smbd_t winbind_var_run_t:sock_file { read write getattr };
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -300,6 +323,7 @@
 
 auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
+auth_domtrans_upd_passwd(smbd_t)
 
 domain_use_interactive_fds(smbd_t)
 domain_dontaudit_list_all_domains_state(smbd_t)
@@ -314,20 +338,24 @@
 
 init_rw_utmp(smbd_t)
 
-libs_use_ld_so(smbd_t)
-libs_use_shared_libs(smbd_t)
-
 logging_search_logs(smbd_t)
 logging_send_syslog_msg(smbd_t)
 
 miscfiles_read_localization(smbd_t)
 miscfiles_read_public_files(smbd_t)
 
+libs_use_ld_so(smbd_t)
+libs_use_shared_libs(smbd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
 
+usermanage_read_crack_db(smbd_t)
+
 sysadm_dontaudit_search_home_dirs(smbd_t)
 
+term_use_ptmx(smbd_t)
+
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -344,10 +372,34 @@
 	usermanage_domtrans_groupadd(smbd_t)
 ')
 
+# Samba can read all content in the home directory
+tunable_policy(`samba_enable_home_dirs',`
+	userdom_manage_home_content(smbd_t)
+')
+
 # Support Samba sharing of NFS mount points
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
+	fs_manage_nfs_symlinks(smbd_t)
+	fs_manage_nfs_named_pipes(smbd_t)
+	fs_manage_nfs_named_sockets(smbd_t)
+')
+
+# Support Samba sharing of ntfs/fusefs mount points
+tunable_policy(`samba_share_fusefs',`
+	fs_manage_fusefs_dirs(smbd_t)
+	fs_manage_fusefs_files(smbd_t)
+',`
+	fs_search_fusefs_dirs(smbd_t)
+')
+
+optional_policy(`
+	kerberos_keytab_template(smbd, smbd_t)
+')
+
+optional_policy(`
+	lpd_exec_lpr(smbd_t)
 ')
 
 optional_policy(`
@@ -360,6 +412,11 @@
 ')
 
 optional_policy(`
+	qemu_manage_tmp_dirs(smbd_t)
+	qemu_manage_tmp_files(smbd_t)
+')
+
+optional_policy(`
 	rpc_search_nfs_state_data(smbd_t)
 ')
 
@@ -374,13 +431,16 @@
 tunable_policy(`samba_create_home_dirs',`
 	allow smbd_t self:capability chown;
 	unprivuser_create_home_dir(smbd_t)
-	unprivuser_home_filetrans_home_dir(smbd_t)
+	#unprivuser_home_filetrans_home_dir(smbd_t)
 ')
+unprivuser_home_filetrans_home_dir(smbd_t)
 
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t) 
+	auth_read_all_dirs_except_shadow(smbd_t)
 	auth_read_all_files_except_shadow(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
+	auth_read_all_dirs_except_shadow(nmbd_t)
 	auth_read_all_files_except_shadow(nmbd_t)
 ')
 
@@ -389,8 +449,10 @@
 	auth_manage_all_files_except_shadow(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
 	auth_manage_all_files_except_shadow(nmbd_t)
-	unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
+	#unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
 ')
+unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
+
 
 ########################################
 #
@@ -415,14 +477,11 @@
 files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
 
 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
 manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
-read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-allow nmbd_t samba_log_t:dir setattr;
-
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -452,6 +511,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 
 fs_getattr_all_fs(nmbd_t)
+fs_list_inotifyfs(nmbd_t)
 fs_search_auto_mountpoints(nmbd_t)
 
 domain_use_interactive_fds(nmbd_t)
@@ -536,6 +596,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 
 term_list_ptys(smbmount_t)
+term_use_controlling_term(smbmount_t)
 
 corecmd_list_bin(smbmount_t)
 
@@ -547,32 +608,46 @@
 
 auth_use_nsswitch(smbmount_t)
 
+libs_use_ld_so(smbmount_t)
+libs_use_shared_libs(smbmount_t)
+
 miscfiles_read_localization(smbmount_t)
 
 mount_use_fds(smbmount_t)
 
-libs_use_ld_so(smbmount_t)
-libs_use_shared_libs(smbmount_t)
-
 locallogin_use_fds(smbmount_t)
 
 logging_search_logs(smbmount_t)
 
 userdom_use_all_users_fds(smbmount_t)
 
+optional_policy(`
+	cups_read_rw_config(smbmount_t)
+')
+
 ########################################
 #
 # SWAT Local policy
 #
 
-allow swat_t self:capability { setuid setgid };
-allow swat_t self:process signal_perms;
-allow swat_t self:fifo_file rw_file_perms;
+allow swat_t self:capability { setuid setgid sys_resource };
+allow swat_t self:process { setrlimit signal_perms };
+allow swat_t self:fifo_file rw_fifo_file_perms;
 allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow swat_t self:tcp_socket create_stream_socket_perms;
 allow swat_t self:udp_socket create_socket_perms;
 
+allow swat_t self:unix_stream_socket connectto;
+samba_domtrans_smb(swat_t)
+allow swat_t smbd_port_t:tcp_socket name_bind;
+allow swat_t smbd_t:process { signal signull };
+allow swat_t smbd_var_run_t:file { lock unlink };
+
 allow swat_t nmbd_exec_t:file mmap_file_perms;
+can_exec(swat_t, nmbd_exec_t)
+allow swat_t nmbd_port_t:udp_socket name_bind;
+allow swat_t nmbd_t:process { signal signull };
+allow swat_t nmbd_var_run_t:file { lock read unlink };
 
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
 
@@ -592,6 +667,9 @@
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
 allow swat_t winbind_exec_t:file mmap_file_perms;
+can_exec(swat_t, winbind_exec_t)
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
@@ -616,10 +694,12 @@
 
 dev_read_urand(swat_t)
 
+files_list_var_lib(swat_t)
 files_read_etc_files(swat_t)
 files_search_home(swat_t)
 files_read_usr_files(swat_t)
 fs_getattr_xattr_fs(swat_t)
+fs_list_inotifyfs(swat_t)
 
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
@@ -628,6 +708,7 @@
 libs_use_shared_libs(swat_t)
 
 logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
 
 miscfiles_read_localization(swat_t)
@@ -645,15 +726,26 @@
 	kerberos_use(swat_t)
 ')
 
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
+create_files_pattern(swat_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
+
+manage_files_pattern(swat_t, samba_var_t, samba_var_t)
+files_list_var_lib(swat_t)
+
 ########################################
 #
 # Winbind local policy
 #
 
 
-allow winbind_t self:capability { dac_override ipc_lock setuid };
+allow winbind_t self:capability { sys_nice dac_override ipc_lock setuid };
 dontaudit winbind_t self:capability sys_tty_config;
-allow winbind_t self:process signal_perms;
+allow winbind_t self:process { signal_perms getsched setsched };
 allow winbind_t self:fifo_file rw_fifo_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -694,9 +786,10 @@
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, file)
 
+corecmd_exec_bin(winbind_t)
+
 kernel_read_kernel_sysctls(winbind_t)
-kernel_list_proc(winbind_t)
-kernel_read_proc_symlinks(winbind_t)
+kernel_read_system_state(winbind_t)
 
 corenet_all_recvfrom_unlabeled(winbind_t)
 corenet_all_recvfrom_netlabel(winbind_t)
@@ -720,10 +813,12 @@
 
 auth_domtrans_chk_passwd(winbind_t)
 auth_use_nsswitch(winbind_t)
+auth_rw_cache(winbind_t)
 
 domain_use_interactive_fds(winbind_t)
 
 files_read_etc_files(winbind_t)
+files_read_usr_symlinks(winbind_t)
 
 libs_use_ld_so(winbind_t)
 libs_use_shared_libs(winbind_t)
@@ -780,8 +875,13 @@
 miscfiles_read_localization(winbind_helper_t) 
 
 optional_policy(`
+	apache_append_log(winbind_helper_t)
+')
+
+optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
+	squid_rw_stream_sockets(winbind_helper_t)
 ')
 
 ########################################
@@ -790,6 +890,16 @@
 #
 
 optional_policy(`
+	type samba_unconfined_net_t;
+	domain_type(samba_unconfined_net_t)
+	role system_r types samba_unconfined_net_t;
+
+	unconfined_domain(samba_unconfined_net_t)
+
+	manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+	filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+')
+
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
@@ -800,9 +910,46 @@
 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 
+optional_policy(`
 	unconfined_domain(samba_unconfined_script_t)
+')
 
 	tunable_policy(`samba_run_unconfined',`
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+', `
+	can_exec(smbd_t, samba_unconfined_script_exec_t)
 	')
-')
+
+########################################
+#
+# smbcontrol local policy
+#
+
+# internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(smbcontrol_t)
+
+libs_use_ld_so(smbcontrol_t)
+libs_use_shared_libs(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+files_search_var_lib(smbcontrol_t)
+samba_read_config(smbcontrol_t)
+samba_rw_var_files(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+allow smbcontrol_t smbd_t:process signal;
+domain_use_interactive_fds(smbcontrol_t)
+allow smbd_t smbcontrol_t:process { signal signull };
+
+allow nmbd_t smbcontrol_t:process signal;
+allow smbcontrol_t nmbd_t:process { signal signull };
+
+allow smbcontrol_t winbind_t:process { signal signull };
+allow winbind_t smbcontrol_t:process signal;
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.13/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/sasl.te	2009-03-11 10:34:53.000000000 +0100
@@ -103,6 +103,7 @@
 
 optional_policy(`
 	kerberos_keytab_template(saslauthd, saslauthd_t)
+	kerberos_manage_host_rcache(saslauthd_t)
 ')
 
 optional_policy(`
@@ -111,6 +112,10 @@
 ')
 
 optional_policy(`
+	nis_authenticate(saslauthd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(saslauthd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.13/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/sendmail.if	2009-02-10 15:07:15.000000000 +0100
@@ -89,7 +89,7 @@
 		type sendmail_t;
 	')
 
-	allow $1 sendmail_t:unix_stream_socket { read write };
+	allow $1 sendmail_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
@@ -149,3 +149,104 @@
 
 	logging_log_filetrans($1, sendmail_log_t, file)
 ')
+
+########################################
+## <summary>
+##	Execute the sendmail program in the sendmail domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the sendmail domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the sendmail domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+	gen_require(`
+		type sendmail_t;
+	')
+
+	sendmail_domtrans($1)
+	role $2 types sendmail_t;
+	allow sendmail_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+	gen_require(`
+		type unconfined_sendmail_t, sendmail_exec_t;
+	')
+
+	domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
+########################################
+## <summary>
+##	Execute sendmail in the unconfined sendmail domain, and
+##	allow the specified role the unconfined sendmail domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the unconfined sendmail domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the unconfined sendmail domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+	gen_require(`
+		type unconfined_sendmail_t;
+	')
+
+	sendmail_domtrans_unconfined($1)
+	role $2 types unconfined_sendmail_t;
+	allow unconfined_sendmail_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow attempts to read and write to
+##	sendmail unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sendmail_rw_pipes',`
+	gen_require(`
+		type sendmail_t;
+	')
+
+	allow $1 sendmail_t:fifo_file rw_fifo_file_perms; 
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.13/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/sendmail.te	2009-06-03 14:57:34.000000000 +0200
@@ -20,13 +20,17 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
 
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t, sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
 ########################################
 #
 # Sendmail local policy
 #
 
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { setrlimit signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -47,6 +51,7 @@
 kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
+kernel_read_network_state(sendmail_t)
 
 corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
@@ -64,24 +69,30 @@
 
 fs_getattr_all_fs(sendmail_t)
 fs_search_auto_mountpoints(sendmail_t)
+fs_rw_anon_inodefs_files(sendmail_t)
+fs_list_inotifyfs(sendmail_t)
 
 term_dontaudit_use_console(sendmail_t)
 
 # for piping mail to a command
 corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
 
 domain_use_interactive_fds(sendmail_t)
 
 files_read_etc_files(sendmail_t)
+files_read_usr_files(sendmail_t)
 files_search_spool(sendmail_t)
 # for piping mail to a command
 files_read_etc_runtime_files(sendmail_t)
+files_read_all_tmp_files(sendmail_t)
 
 init_use_fds(sendmail_t)
 init_use_script_ptys(sendmail_t)
 # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
 init_read_utmp(sendmail_t)
 init_dontaudit_write_utmp(sendmail_t)
+init_rw_script_tmp_files(sendmail_t)
 
 auth_use_nsswitch(sendmail_t)
 
@@ -91,34 +102,64 @@
 libs_read_lib_files(sendmail_t)
 
 logging_send_syslog_msg(sendmail_t)
+logging_dontaudit_write_generic_logs(sendmail_t)
 
 miscfiles_read_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+sysadm_dontaudit_search_home_dirs(sendmail_t)
+userdom_read_all_users_home_content_files(sendmail_t)
 
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
 # Write to /etc/aliases and /etc/mail.
-mta_rw_aliases(sendmail_t)
+mta_manage_aliases(sendmail_t)
 # Write to /var/spool/mail and /var/spool/mqueue.
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
 
-sysadm_dontaudit_search_home_dirs(sendmail_t)
+optional_policy(`
+	cron_read_pipes(sendmail_t)
+')
 
 optional_policy(`
 	clamav_search_lib(sendmail_t)
+	clamav_stream_connect(sendmail_t)
 ')
 
 optional_policy(`
-	postfix_exec_master(sendmail_t)
+	cyrus_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+	fail2ban_read_lib_files(sendmail_t)
+')
+
+optional_policy(`
+	kerberos_keytab_template(sendmail, sendmail_t)
+')
+
+optional_policy(`
+	milter_stream_connect_all(sendmail_t)
+')
+
+optional_policy(`
+	munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
+	postfix_domtrans_postdrop(sendmail_t)
+	postfix_domtrans_postqueue(sendmail_t)
+	postfix_domtrans_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
 ')
 
 optional_policy(`
 	procmail_domtrans(sendmail_t)
+	procmail_rw_tmp_files(sendmail_t)
 ')
 
 optional_policy(`
@@ -126,24 +167,33 @@
 ')
 
 optional_policy(`
+	samba_read_config(sendmail_t)
+')
+
+optional_policy(`
+	sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+	spamd_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+	uucp_domtrans_uux(sendmail_t)
+')
+
+optional_policy(`
 	udev_read_db(sendmail_t)
 ')
 
-ifdef(`TODO',`
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file manage_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file manage_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
+########################################
+#
+# Unconfined sendmail local policy 
+# Allow unconfined domain to run newalias and have transitions work
+#
 
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+optional_policy(`
+	mta_etc_filetrans_aliases(unconfined_sendmail_t)
+	unconfined_domain(unconfined_sendmail_t)
+')
 
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.5.13/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/setroubleshoot	--	gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0)
+
 /usr/sbin/setroubleshootd	--	gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
 
 /var/run/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.5.13/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.if	2009-02-10 15:07:15.000000000 +0100
@@ -16,8 +16,8 @@
 	')
 
 	files_search_pids($1)
-	allow $1 setroubleshoot_var_run_t:sock_file write;
-	allow $1 setroubleshootd_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
+	allow $1 setroubleshoot_var_run_t:sock_file read;
 ')
 
 ########################################
@@ -36,6 +36,48 @@
 		type setroubleshootd_t, setroubleshoot_var_run_t;
 	')
 
-	dontaudit $1 setroubleshoot_var_run_t:sock_file write;
+	dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
 	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an setroubleshoot environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the setroubleshoot domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`setroubleshoot_admin',`
+	gen_require(`
+		type setroubleshootd_t, setroubleshoot_log_t;
+		type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+		type setroubleshoot_initrc_exec_t;
+	')
+
+	allow $1 setroubleshootd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, setroubleshootd_t)
+		
+	init_labeled_script_domtrans($1, setroubleshoot_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 setroubleshoot_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_list_logs($1)
+	admin_pattern($1, setroubleshoot_log_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, setroubleshoot_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, setroubleshoot_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te	2009-07-17 08:50:57.000000000 +0200
@@ -11,6 +11,9 @@
 domain_type(setroubleshootd_t)
 init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
 
+type setroubleshoot_initrc_exec_t;
+init_script_file(setroubleshoot_initrc_exec_t)
+
 type setroubleshoot_var_lib_t;
 files_type(setroubleshoot_var_lib_t)
 
@@ -27,8 +30,8 @@
 # setroubleshootd local policy
 #
 
-allow setroubleshootd_t self:capability { dac_override sys_tty_config };
-allow setroubleshootd_t self:process { signull signal getattr getsched };
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52,7 +55,10 @@
 
 kernel_read_kernel_sysctls(setroubleshootd_t)
 kernel_read_system_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
 kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
+kernel_read_unlabeled_state(setroubleshootd_t)
 
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
@@ -68,16 +74,24 @@
 
 dev_read_urand(setroubleshootd_t)
 dev_read_sysfs(setroubleshootd_t)
+dev_getattr_all_blk_files(setroubleshootd_t)
+dev_getattr_all_chr_files(setroubleshootd_t)
 
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 
+files_read_all_symlinks(setroubleshootd_t)
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
-files_getattr_all_dirs(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
 
 fs_getattr_all_dirs(setroubleshootd_t)
 fs_getattr_all_files(setroubleshootd_t)
+fs_read_fusefs_symlinks(setroubleshootd_t)
+fs_dontaudit_read_nfs_files(setroubleshootd_t)
+fs_dontaudit_read_cifs_files(setroubleshootd_t)
 
 selinux_get_enforce_mode(setroubleshootd_t)
 selinux_validate_context(setroubleshootd_t)
@@ -97,23 +111,30 @@
 
 locallogin_dontaudit_use_fds(setroubleshootd_t)
 
+logging_send_audit_msgs(setroubleshootd_t)
 logging_send_syslog_msg(setroubleshootd_t)
 logging_stream_connect_dispatcher(setroubleshootd_t)
 
 seutil_read_config(setroubleshootd_t)
 seutil_read_file_contexts(setroubleshootd_t)
-
-sysnet_read_config(setroubleshootd_t)
+seutil_read_bin_policy(setroubleshootd_t)
 
 sysadm_dontaudit_read_home_content_files(setroubleshootd_t)
+unprivuser_dontaudit_read_home_content_files(setroubleshootd_t)
 
 optional_policy(`
 	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
 	dbus_connect_system_bus(setroubleshootd_t)
+	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
 ')
 
 optional_policy(`
+	rpm_signull(setroubleshootd_t)
 	rpm_read_db(setroubleshootd_t)
 	rpm_dontaudit_manage_db(setroubleshootd_t)
         rpm_use_script_fds(setroubleshootd_t)
 ')
+
+optional_policy(`
+	unconfined_signull(setroubleshoot_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.13/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/smartmon.te	2009-02-10 15:07:15.000000000 +0100
@@ -19,6 +19,10 @@
 type fsdaemon_tmp_t;
 files_tmp_file(fsdaemon_tmp_t)
 
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(fsdaemon_t,fsdaemon_exec_t,mls_systemhigh)
+')
+
 ########################################
 #
 # Local policy
@@ -26,7 +30,7 @@
 
 allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
 dontaudit fsdaemon_t self:capability sys_tty_config;
-allow fsdaemon_t self:process signal_perms;
+allow fsdaemon_t self:process { signal_perms setfscreate };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
 allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
@@ -52,6 +56,7 @@
 corenet_udp_sendrecv_all_nodes(fsdaemon_t)
 corenet_udp_sendrecv_all_ports(fsdaemon_t)
 
+dev_delete_generic_dirs(fsdaemon_t)
 dev_read_sysfs(fsdaemon_t)
 dev_read_urand(fsdaemon_t)
 
@@ -67,9 +72,11 @@
 
 mls_file_read_all_levels(fsdaemon_t)
 
+storage_dev_filetrans_fixed_disk(fsdaemon_t)
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
 storage_raw_read_removable_device(fsdaemon_t)
+storage_manage_fixed_disk(fsdaemon_t)
 
 term_dontaudit_search_ptys(fsdaemon_t)
 
@@ -82,6 +89,8 @@
 
 miscfiles_read_localization(fsdaemon_t)
 
+selinux_validate_context(fsdaemon_t)
+
 sysnet_dns_name_resolve(fsdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
@@ -94,6 +103,7 @@
 
 optional_policy(`
 	seutil_sigchld_newrole(fsdaemon_t)
+	seutil_read_file_contexts(fsdaemon_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.13/policy/modules/services/snmp.fc
--- nsaserefpolicy/policy/modules/services/snmp.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/snmp.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/snmpd	--	gen_context(system_u:object_r:snmp_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/snmptrapd --	gen_context(system_u:object_r:snmp_initrc_exec_t,s0)
+
 #
 # /usr
 #
@@ -8,6 +11,7 @@
 #
 # /var
 #
+/var/agentx(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 /var/lib/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 /var/lib/snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 
@@ -15,5 +19,5 @@
 
 /var/net-snmp(/.*)		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 
-/var/run/snmpd		-d	gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
 /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.13/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/snmp.if	2009-02-10 15:07:15.000000000 +0100
@@ -67,6 +67,25 @@
 	dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
 ')
 
+#######################################
+## <summary>
+## Connect to snmpd using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_stream_connect',`
+ 	gen_require(`
+  		type snmpd_t, snmpd_var_lib_t;
+ 	')
+
+ 	files_search_var_lib($1)
+ 	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
 ########################################
 ## <summary>
 ##	dontaudit write snmpd libraries files.
@@ -95,23 +114,34 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the snmp domain.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`snmp_admin',`
 	gen_require(`
 		type snmpd_t, snmpd_log_t;
 		type snmpd_var_lib_t, snmpd_var_run_t;
+		type snmpd_initrc_exec_t;
 	')
 
 	allow $1 snmpd_t:process { ptrace signal_perms getattr };
 	ps_process_pattern($1, snmpd_t)
 	        
+	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 snmpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	logging_list_logs($1)
-	manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
+	admin_pattern($1, snmpd_log_t)
 
 	files_list_var_lib($1)
-	manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+	admin_pattern($1, snmpd_var_lib_t)
 
 	files_list_pids($1)
-	manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t)
+	admin_pattern($1, snmpd_var_run_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.13/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/snmp.te	2009-02-10 15:07:15.000000000 +0100
@@ -9,6 +9,9 @@
 type snmpd_exec_t;
 init_daemon_domain(snmpd_t, snmpd_exec_t)
 
+type snmp_initrc_exec_t;
+init_script_file(snmp_initrc_exec_t)
+
 type snmpd_log_t;
 logging_log_file(snmpd_log_t)
 
@@ -22,8 +25,9 @@
 #
 # Local policy
 #
-allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+allow snmpd_t self:capability { dac_override ipc_lock kill net_admin sys_nice sys_tty_config sys_ptrace };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+allow snmpd_t self:process { getsched setsched };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -45,10 +49,13 @@
 
 kernel_read_device_sysctls(snmpd_t)
 kernel_read_kernel_sysctls(snmpd_t)
+kernel_read_fs_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
 kernel_read_system_state(snmpd_t)
 kernel_read_network_state(snmpd_t)
+kernel_read_xen_state(snmpd_t)
+kernel_write_xen_state(snmpd_t)
 
 corecmd_exec_bin(snmpd_t)
 corecmd_exec_shell(snmpd_t)
@@ -66,6 +73,7 @@
 corenet_tcp_bind_snmp_port(snmpd_t)
 corenet_udp_bind_snmp_port(snmpd_t)
 corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_connect_agentx_port(snmpd_t)
 
 dev_list_sysfs(snmpd_t)
 dev_read_sysfs(snmpd_t)
@@ -76,13 +84,14 @@
 domain_use_interactive_fds(snmpd_t)
 domain_signull_all_domains(snmpd_t)
 domain_read_all_domains_state(snmpd_t)
+domain_dontaudit_ptrace_all_domains(snmpd_t)
+domain_exec_all_entry_files(snmpd_t)
 
 files_read_etc_files(snmpd_t)
 files_read_usr_files(snmpd_t)
 files_read_etc_runtime_files(snmpd_t)
 files_search_home(snmpd_t)
-files_getattr_boot_dirs(snmpd_t)
-files_dontaudit_getattr_home_dir(snmpd_t)
+auth_read_all_dirs_except_shadow(snmpd_t)
 
 fs_getattr_all_dirs(snmpd_t)
 fs_getattr_all_fs(snmpd_t)
@@ -94,6 +103,8 @@
 init_read_utmp(snmpd_t)
 init_dontaudit_write_utmp(snmpd_t)
 
+auth_use_nsswitch(snmpd_t)
+
 libs_use_ld_so(snmpd_t)
 libs_use_shared_libs(snmpd_t)
 
@@ -121,7 +132,7 @@
 ')
 
 optional_policy(`
-	auth_use_nsswitch(snmpd_t)
+	consoletype_exec(snmpd_t)
 ')
 
 optional_policy(`
@@ -152,3 +163,12 @@
 optional_policy(`
 	udev_read_db(snmpd_t)
 ')
+
+optional_policy(`
+	virt_stream_connect(snmpd_t)
+')
+
+optional_policy(`
+	xen_stream_connect(snmpd_t)
+	xen_stream_connect_xenstore(snmpd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.5.13/policy/modules/services/snort.if
--- nsaserefpolicy/policy/modules/services/snort.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/snort.if	2009-02-10 15:07:15.000000000 +0100
@@ -30,7 +30,7 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to be allowed to manage the snort domain.
+##	The role to be allowed to manage the syslog domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -50,11 +50,6 @@
 	allow $2 system_r;
 
 	admin_pattern($1, snort_etc_t)
-	files_search_etc($1)
-
-	admin_pattern($1, snort_log_t)
-	logging_search_logs($1)
-
 	admin_pattern($1, snort_var_run_t)
-	files_search_pids($1)
+	admin_pattern($1, snort_log_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.5.13/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/snort.te	2009-02-10 15:07:15.000000000 +0100
@@ -56,6 +56,7 @@
 files_pid_filetrans(snort_t, snort_var_run_t, file)
 
 kernel_read_kernel_sysctls(snort_t)
+kernel_read_sysctl(snort_t)
 kernel_list_proc(snort_t)
 kernel_read_proc_symlinks(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
@@ -70,6 +71,7 @@
 corenet_raw_sendrecv_all_nodes(snort_t)
 corenet_tcp_sendrecv_all_ports(snort_t)
 corenet_udp_sendrecv_all_ports(snort_t)
+corenet_tcp_connect_prelude_port(snort_t)
 
 dev_read_sysfs(snort_t)
 dev_read_rand(snort_t)
@@ -98,6 +100,13 @@
 
 sysadm_dontaudit_search_home_dirs(snort_t)
 
+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
+sysnet_dns_name_resolve(snort_t)
+
+optional_policy(`
+	prelude_manage_spool(snort_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(snort_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.13/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.fc	2009-05-21 14:36:57.000000000 +0200
@@ -1,16 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+/root/\.spamassassin(/.*)?     gen_context(system_u:object_r:spamc_home_t,s0)
+
+HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
+
+/etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.*	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 
 /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamassassin	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 
 /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor --	gen_context(system_u:object_r:spamd_exec_t,s0)
 
 /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 
+/var/log/spamd\.log	--	gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/mimedefang	--	gen_context(system_u:object_r:spamd_log_t,s0)
+
 /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MIMEDefang(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.13/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.if	2009-02-10 15:07:15.000000000 +0100
@@ -37,7 +37,8 @@
 
 	gen_require(`
 		type spamc_exec_t, spamassassin_exec_t;
-		type spamd_t, spamd_tmp_t;
+		type spamc_t, spamd_t, spamassassin_t, spamd_tmp_t;
+		type spamc_home_t, spamc_tmp_t;
 	')
 
 	##############################
@@ -45,277 +46,24 @@
 	# Declarations
 	#
 
-	type $1_spamc_t;
-	application_domain($1_spamc_t, spamc_exec_t)
-	role $3 types $1_spamc_t;
-
-	type $1_spamc_tmp_t;
-	files_tmp_file($1_spamc_tmp_t)
-
-	type $1_spamassassin_t;
-	application_domain($1_spamassassin_t, spamassassin_exec_t)
-	role $3 types $1_spamassassin_t;
-
-	type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
-	userdom_user_home_content($1, $1_spamassassin_home_t)
-	files_poly_member($1_spamassassin_home_t)
+	typealias  spamc_t alias $1_spamc_t;
+	role $3 types spamc_t;
 
-	type $1_spamassassin_tmp_t;
-	files_tmp_file($1_spamassassin_tmp_t)
+	typealias  spamassassin_t alias $1_spamassassin_t;
+	role $3 types spamassassin_t;
 
-	##############################
-	#
-	# $1_spamc_t local policy
-	#
-
-	allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_spamc_t self:fd use;
-	allow $1_spamc_t self:fifo_file rw_fifo_file_perms;
-	allow $1_spamc_t self:sock_file read_sock_file_perms;
-	allow $1_spamc_t self:shm create_shm_perms;
-	allow $1_spamc_t self:sem create_sem_perms;
-	allow $1_spamc_t self:msgq create_msgq_perms;
-	allow $1_spamc_t self:msg { send receive };
-	allow $1_spamc_t self:unix_dgram_socket create_socket_perms;
-	allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_spamc_t self:unix_dgram_socket sendto;
-	allow $1_spamc_t self:unix_stream_socket connectto;
-	allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
-	allow $1_spamc_t self:udp_socket create_socket_perms;
-
-	manage_dirs_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t)
-	manage_files_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t)
-	files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
-
-	# Allow connecting to a local spamd
-	stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t)
-
-	domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
-
-	kernel_read_kernel_sysctls($1_spamc_t)
-
-	corenet_all_recvfrom_unlabeled($1_spamc_t)
-	corenet_all_recvfrom_netlabel($1_spamc_t)
-	corenet_tcp_sendrecv_generic_if($1_spamc_t)
-	corenet_udp_sendrecv_generic_if($1_spamc_t)
-	corenet_tcp_sendrecv_all_nodes($1_spamc_t)
-	corenet_udp_sendrecv_all_nodes($1_spamc_t)
-	corenet_tcp_sendrecv_all_ports($1_spamc_t)
-	corenet_udp_sendrecv_all_ports($1_spamc_t)
-	corenet_tcp_connect_all_ports($1_spamc_t)
-	corenet_sendrecv_all_client_packets($1_spamc_t)
-
-	fs_search_auto_mountpoints($1_spamc_t)
-
-	# cjp: these should probably be removed:
-	corecmd_list_bin($1_spamc_t)
-	corecmd_read_bin_symlinks($1_spamc_t)
-	corecmd_read_bin_files($1_spamc_t)
-	corecmd_read_bin_pipes($1_spamc_t)
-	corecmd_read_bin_sockets($1_spamc_t)
-
-	domain_use_interactive_fds($1_spamc_t)
-
-	files_read_etc_files($1_spamc_t)
-	files_read_etc_runtime_files($1_spamc_t)
-	files_read_usr_files($1_spamc_t)
-	files_dontaudit_search_var($1_spamc_t)
-	# cjp: this may be removable:
-	files_list_home($1_spamc_t)
-
-	libs_use_ld_so($1_spamc_t)
-	libs_use_shared_libs($1_spamc_t)
-
-	logging_send_syslog_msg($1_spamc_t)
-
-	miscfiles_read_localization($1_spamc_t)
-
-	# cjp: this should probably be removed:
-	seutil_read_config($1_spamc_t)
-
-	sysnet_read_config($1_spamc_t)
-
-	userdom_use_unpriv_users_fds($1_spamc_t)
-	# cjp: this really should just be the
-	# terminal specific to the role
-	userdom_use_unpriv_users_ptys($1_spamc_t)
-
-	# cjp: this should probably be removed:
-	tunable_policy(`read_default_t',`
-		files_list_default($1_spamc_t)
-		files_read_default_files($1_spamc_t)
-		files_read_default_symlinks($1_spamc_t)
-		files_read_default_sockets($1_spamc_t)
-		files_read_default_pipes($1_spamc_t)
-	')
-
-	optional_policy(`
-		# Allow connection to spamd socket above
-		evolution_stream_connect($1, $1_spamc_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_spamc_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_spamc_t)
-	')
-
-	optional_policy(`
-		mta_read_config($1_spamc_t)
-		sendmail_stub($1_spamc_t)
-	')
-
-	##############################
-	#
-	# $1_spamassassin_t local policy
-	#
-
-	allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_spamassassin_t self:fd use;
-	allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms;
-	allow $1_spamassassin_t self:sock_file read_sock_file_perms;
-	allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms;
-	allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_spamassassin_t self:unix_dgram_socket sendto;
-	allow $1_spamassassin_t self:unix_stream_socket connectto;
-	allow $1_spamassassin_t self:shm create_shm_perms;
-	allow $1_spamassassin_t self:sem create_sem_perms;
-	allow $1_spamassassin_t self:msgq create_msgq_perms;
-	allow $1_spamassassin_t self:msg { send receive };
-
-	manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
-
-	manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t)
-	manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t)
-	files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
-
-	manage_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	relabel_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	relabel_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	relabel_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-
-	domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
-
-	manage_dirs_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	userdom_user_home_dir_filetrans($1, spamd_t, $1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
-
-	kernel_read_kernel_sysctls($1_spamassassin_t)
-
-	dev_read_urand($1_spamassassin_t)
-
-	fs_search_auto_mountpoints($1_spamassassin_t)
-
-	# this should probably be removed
-	corecmd_list_bin($1_spamassassin_t)
-	corecmd_read_bin_symlinks($1_spamassassin_t)
-	corecmd_read_bin_files($1_spamassassin_t)
-	corecmd_read_bin_pipes($1_spamassassin_t)
-	corecmd_read_bin_sockets($1_spamassassin_t)
-
-	domain_use_interactive_fds($1_spamassassin_t)
-
-	files_read_etc_files($1_spamassassin_t)
-	files_read_etc_runtime_files($1_spamassassin_t)
-	files_list_home($1_spamassassin_t)
-	files_read_usr_files($1_spamassassin_t)
-	files_dontaudit_search_var($1_spamassassin_t)
-
-	libs_use_ld_so($1_spamassassin_t)
-	libs_use_shared_libs($1_spamassassin_t)
-
-	logging_send_syslog_msg($1_spamassassin_t)
-
-	miscfiles_read_localization($1_spamassassin_t)
-
-	# cjp: this could probably be removed
-	seutil_read_config($1_spamassassin_t)
-
-	sysnet_dns_name_resolve($1_spamassassin_t)
-
-	userdom_use_unpriv_users_fds($1_spamassassin_t)
-	userdom_search_user_home_dirs($1,$1_spamassassin_t)
-	# cjp: this really should just be the
-	# terminal specific to the role
-	userdom_use_unpriv_users_ptys($1_spamassassin_t)
-
-	# this should probably be removed:
-	tunable_policy(`read_default_t',`
-		files_list_default($1_spamassassin_t)
-		files_read_default_files($1_spamassassin_t)
-		files_read_default_symlinks($1_spamassassin_t)
-		files_read_default_sockets($1_spamassassin_t)
-		files_read_default_pipes($1_spamassassin_t)
-	')
-
-	# set tunable if you have spamassassin do DNS lookups
-	tunable_policy(`spamassassin_can_network',`
-		allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
-		allow $1_spamassassin_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled($1_spamassassin_t)
-		corenet_all_recvfrom_netlabel($1_spamassassin_t)
-		corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
-		corenet_udp_sendrecv_generic_if($1_spamassassin_t)
-		corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
-		corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
-		corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
-		corenet_udp_sendrecv_all_ports($1_spamassassin_t)
-		corenet_tcp_connect_all_ports($1_spamassassin_t)
-		corenet_sendrecv_all_client_packets($1_spamassassin_t)
-
-		sysnet_read_config($1_spamassassin_t)
-	')
-
-	tunable_policy(`spamd_enable_home_dirs',`
-		userdom_manage_user_home_content_dirs($1,spamd_t)
-		userdom_manage_user_home_content_files($1,spamd_t)
-		userdom_manage_user_home_content_symlinks($1,spamd_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_spamassassin_t)
-		fs_manage_nfs_files($1_spamassassin_t)
-		fs_manage_nfs_symlinks($1_spamassassin_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_spamassassin_t)
-		fs_manage_cifs_files($1_spamassassin_t)
-		fs_manage_cifs_symlinks($1_spamassassin_t)
-	')
-
-	optional_policy(`
-		# Write pid file and socket in ~/.evolution/cache/tmp
-		evolution_home_filetrans($1, spamd_t, spamd_tmp_t, { file sock_file })
-	')
+	typealias spamc_home_t alias $1_spamassassin_home_t;
+	typealias spamc_tmp_t alias $1_spamassassin_tmp_t;
+	typealias spamc_tmp_t alias $1_spamc_tmp_t;
+
+	manage_dirs_pattern($2, spamc_home_t, spamc_home_t)
+	manage_files_pattern($2, spamc_home_t, spamc_home_t)
+	manage_lnk_files_pattern($2, spamc_home_t, spamc_home_t)
+	relabel_dirs_pattern($2, spamc_home_t, spamc_home_t)
+	relabel_files_pattern($2, spamc_home_t, spamc_home_t)
+	relabel_lnk_files_pattern($2, spamc_home_t, spamc_home_t)
 
-	optional_policy(`
-		# cjp: clearly some redundancy here
-
-		nis_use_ypbind($1_spamassassin_t)
-
-		tunable_policy(`spamassassin_can_network && allow_ypbind',`
-			nis_use_ypbind_uncond($1_spamassassin_t)
-		')
-	')
-
-	optional_policy(`
-		mta_read_config($1_spamassassin_t)
-		sendmail_stub($1_spamassassin_t)
-	')
+	domtrans_pattern($2, spamc_exec_t, spamc_t)
 ')
 
 ########################################
@@ -331,10 +79,10 @@
 #
 interface(`spamassassin_exec',`
 	gen_require(`
-		type spamassassin_exec_t;
+		type spamc_exec_t;
 	')
 
-	can_exec($1, spamassassin_exec_t)
+	can_exec($1, spamc_exec_t)
 
 ')
 
@@ -397,11 +145,66 @@
 ## </param>
 #
 template(`spamassassin_domtrans_user_client',`
+	spamassassin_domtrans_spamc($2)
+')
+
+########################################
+## <summary>
+##      Execute spamassassin client in the spamassassin client domain.
+## </summary>
+## <desc>
+##	<p>
+##	This is a template and should only be called 
+##	from per user domain tempaltes.
+##	</p>
+## </desc>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`spamassassin_domtrans_spamc',`
 	gen_require(`
-		type $1_spamc_t, spamc_exec_t;
+		type spamc_t, spamc_exec_t;
 	')
 
-	domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
+	domtrans_pattern($1, spamc_exec_t, spamc_t)
+	allow $1 spamc_exec_t:file ioctl;
+')
+
+########################################
+## <summary>
+##	Read spamassassin per user homedir
+## </summary>
+## <desc>
+##	<p>
+##	Read spamassassin per user homedir
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`spamassassin_read_user_home_files',`
+	gen_require(`
+		type spamassassin_home_t;
+	')
+
+	allow $1 spamassassin_home_t:dir list_dir_perms;
+	allow $1 spamassassin_home_t:file read_file_perms;
 ')
 
 ########################################
@@ -445,11 +248,27 @@
 ## </param>
 #
 template(`spamassassin_domtrans_user_local_client',`
-	gen_require(`
-		type $1_spamassassin_t, spamassassin_exec_t;
+	spamassassin_domtrans($2)
 	')
 
-	domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
+########################################
+## <summary>
+##      Execute spamassassin in the user spamassassin domain.
+## </summary>
+## <desc>
+##	<p>
+##	This is a template and should only be called 
+##	from per user domain tempaltes.
+##	</p>
+## </desc>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`spamassassin_domtrans',`
+	spamassassin_domtrans_spamc($1)
 ')
 
 ########################################
@@ -468,6 +287,7 @@
 	')
 
 	files_search_var_lib($1)
+	list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
 	read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
 ')
 
@@ -527,3 +347,103 @@
 
 	dontaudit $1 spamd_tmp_t:sock_file getattr;
 ')
+
+########################################
+## <summary>
+##	Connect to run spamd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to connect.
+##	</summary>
+## </param>
+#
+interface(`spamd_stream_connect',`
+	gen_require(`
+		type spamd_t, spamd_var_run_t;
+	')
+
+	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an spamassassin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the spamassassin domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_spamd_admin',`
+	gen_require(`
+		type spamd_t, spamd_tmp_t, spamd_log_t;
+		type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
+		type spamd_initrc_exec_t;
+	')
+
+	allow $1 spamd_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, spamd_t, spamd_t)
+		
+	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 spamd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, spamd_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, spamd_log_t)
+
+	files_list_spool($1)
+	admin_pattern($1, spamd_spool_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, spamd_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, spamd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read spamassassin per user homedir
+## </summary>
+## <desc>
+##	<p>
+##	Read spamassassin per user homedir
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`spamassassin_manage_user_home_files',`
+	gen_require(`
+		type spamc_home_t;
+	')
+
+	manage_files_pattern($1, spamc_home_t, spamc_home_t)
+	razor_manage_user_home_files(user, $1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te	2009-09-17 16:43:19.000000000 +0200
@@ -21,16 +21,24 @@
 gen_tunable(spamd_enable_home_dirs, true)
 
 # spamassassin client executable
+type spamc_t;
 type spamc_exec_t;
-application_executable_file(spamc_exec_t)
+application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
 
 type spamd_t;
 type spamd_exec_t;
 init_daemon_domain(spamd_t,spamd_exec_t)
 
+type spamd_initrc_exec_t;
+init_script_file(spamd_initrc_exec_t)
+
 type spamd_spool_t;
 files_type(spamd_spool_t)
 
+type spamd_log_t;
+logging_log_file(spamd_log_t)
+
 type spamd_tmp_t;
 files_tmp_file(spamd_tmp_t)
 
@@ -41,8 +49,20 @@
 type spamd_var_run_t;
 files_pid_file(spamd_var_run_t)
 
-type spamassassin_exec_t;
-application_executable_file(spamassassin_exec_t)
+type spamd_etc_t;
+files_config_file(spamd_etc_t)
+
+typealias spamc_exec_t  alias spamassassin_exec_t;
+typealias spamc_t alias spamassassin_t;
+
+type spamc_home_t;
+userdom_user_home_content(user, spamc_home_t)
+typealias spamc_home_t alias spamassassin_home_t;
+typealias spamc_home_t alias user_spamassassin_home_t;
+
+type spamc_tmp_t;
+files_tmp_file(spamc_tmp_t)
+typealias spamc_tmp_t alias spamassassin_tmp_t;
 
 ########################################
 #
@@ -53,7 +73,7 @@
 # setuids to the user running spamc.  Comment this if you are not
 # using this ability.
 
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
 dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
@@ -69,10 +89,14 @@
 allow spamd_t self:unix_stream_socket connectto;
 allow spamd_t self:tcp_socket create_stream_socket_perms;
 allow spamd_t self:udp_socket create_socket_perms;
-allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
+
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
+logging_log_filetrans(spamd_t, spamd_log_t, file)
 
 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
 manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
 
 manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
@@ -81,12 +105,22 @@
 
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 
 manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 
+spamassassin_domtrans_spamc(spamd_t)
+manage_dirs_pattern(spamd_t, spamc_home_t, spamc_home_t)
+manage_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
+manage_lnk_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
+manage_fifo_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
+userdom_user_home_dir_filetrans(user, spamd_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
+
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
 
@@ -118,6 +152,7 @@
 dev_read_urand(spamd_t)
 
 fs_getattr_all_fs(spamd_t)
+fs_list_inotifyfs(spamd_t)
 fs_search_auto_mountpoints(spamd_t)
 
 auth_dontaudit_read_shadow(spamd_t)
@@ -134,6 +169,8 @@
 
 init_dontaudit_rw_utmp(spamd_t)
 
+auth_use_nsswitch(spamd_t)
+
 libs_use_ld_so(spamd_t)
 libs_use_shared_libs(spamd_t)
 
@@ -141,20 +178,33 @@
 
 miscfiles_read_localization(spamd_t)
 
-sysnet_read_config(spamd_t)
-sysnet_use_ldap(spamd_t)
-sysnet_dns_name_resolve(spamd_t)
-
 userdom_use_unpriv_users_fds(spamd_t)
 userdom_search_unpriv_users_home_dirs(spamd_t)
-
 sysadm_dontaudit_search_home_dirs(spamd_t)
 
+optional_policy(`
+	# Write pid file and socket in ~/.evolution/cache/tmp
+	evolution_home_filetrans(user, spamd_t, spamd_tmp_t, { file sock_file })
+')
+
+optional_policy(`
+	exim_manage_spool_dirs(spamd_t)
+	exim_manage_spool_files(spamd_t)
+')
+
+tunable_policy(`spamd_enable_home_dirs',`
+	unprivuser_manage_home_content_dirs(spamd_t)
+	unprivuser_manage_home_content_files(spamd_t)
+	unprivuser_manage_home_content_symlinks(spamd_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(spamd_t)
 	fs_manage_nfs_files(spamd_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(spamd_t)
 	fs_manage_cifs_files(spamd_t)
 ')
 
@@ -172,6 +222,7 @@
 
 optional_policy(`
 	dcc_domtrans_client(spamd_t)
+	dcc_signal_client(spamd_t)
 	dcc_stream_connect_dccifd(spamd_t)
 ')
 
@@ -181,10 +232,6 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(spamd_t)
-')
-
-optional_policy(`
 	postfix_read_config(spamd_t)
 ')
 
@@ -199,6 +246,10 @@
 
 optional_policy(`
 	razor_domtrans(spamd_t)
+	razor_read_lib_files(spamd_t)
+	tunable_policy(`spamd_enable_home_dirs',`
+		razor_manage_user_home_files(user, spamd_t)
+	')
 ')
 
 optional_policy(`
@@ -211,5 +262,144 @@
 ')
 
 optional_policy(`
+	milter_manage_spamass_state(spamd_t)
+')
+
+optional_policy(`
 	udev_read_db(spamd_t)
 ')
+
+##############################
+#
+# spamc_t local policy
+#
+
+allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamc_t self:fd use;
+allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:sock_file read_sock_file_perms;
+allow spamc_t self:unix_dgram_socket create_socket_perms;
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
+allow spamc_t self:unix_dgram_socket sendto;
+allow spamc_t self:unix_stream_socket connectto;
+allow spamc_t self:shm create_shm_perms;
+allow spamc_t self:sem create_sem_perms;
+allow spamc_t self:msgq create_msgq_perms;
+allow spamc_t self:msg { send receive };
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+can_exec(spamc_t, spamc_exec_t)
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_file_perms;
+spamd_stream_connect(spamc_t)
+
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_user_home_dir_filetrans(user, spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
+
+dev_read_urand(spamc_t)
+
+files_list_var_lib(spamc_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
+fs_getattr_xattr_fs(spamc_t)
+
+fs_search_auto_mountpoints(spamc_t)
+fs_list_inotifyfs(spamc_t)  
+
+domain_use_interactive_fds(spamc_t)
+
+files_read_etc_files(spamc_t)
+files_read_etc_runtime_files(spamc_t)
+files_read_usr_files(spamc_t)
+files_list_home(spamc_t)
+files_read_usr_files(spamc_t)
+files_dontaudit_search_var(spamc_t)
+
+auth_use_nsswitch(spamc_t)
+
+libs_use_ld_so(spamc_t)
+libs_use_shared_libs(spamc_t)
+
+logging_send_syslog_msg(spamc_t)
+
+miscfiles_read_localization(spamc_t)
+
+# cjp: this really should just be the
+# terminal specific to the role
+userdom_use_unpriv_users_ptys(spamc_t)
+
+userdom_use_unpriv_users_fds(spamc_t)
+userdom_search_user_home_dirs(user, spamc_t)
+userdom_list_user_files(user, spamc_t)
+# cjp: this really should just be the
+# terminal specific to the role
+userdom_use_unpriv_users_ptys(spamc_t)
+
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_all_nodes(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
+
+# set tunable if you have spamc do DNS lookups
+tunable_policy(`spamassassin_can_network',`
+	corenet_udp_sendrecv_generic_if(spamc_t)
+	corenet_udp_sendrecv_all_nodes(spamc_t)
+	corenet_tcp_sendrecv_all_ports(spamc_t)
+	corenet_udp_sendrecv_all_ports(spamc_t)
+	corenet_tcp_connect_all_ports(spamc_t)
+	corenet_sendrecv_all_client_packets(spamc_t)
+	corenet_udp_bind_generic_port(spamc_t)
+	corenet_udp_bind_all_nodes(spamc_t)
+
+	sysnet_read_config(spamc_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(spamc_t)
+	fs_manage_nfs_files(spamc_t)
+	fs_manage_nfs_symlinks(spamc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(spamc_t)
+	fs_manage_cifs_files(spamc_t)
+	fs_manage_cifs_symlinks(spamc_t)
+')
+
+optional_policy(`
+	# Allow connection to spamd socket above
+	evolution_stream_connect(user, spamc_t)
+')
+
+optional_policy(`
+        milter_manage_spamass_state(spamc_t)
+')
+
+optional_policy(`
+        postfix_rw_local_pipes(spamc_t)
+')
+
+optional_policy(`
+	mta_read_config(spamc_t)
+	mta_read_queue(spamc_t)
+	sendmail_stub(spamc_t)
+	sendmail_rw_pipes(spamc_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.5.13/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/squid.fc	2009-02-18 14:34:30.000000000 +0100
@@ -6,7 +6,11 @@
 /usr/sbin/squid		--	gen_context(system_u:object_r:squid_exec_t,s0)
 /usr/share/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
 
+/var/squidGuard(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
 /var/cache/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
 /var/log/squid(/.*)?		gen_context(system_u:object_r:squid_log_t,s0)
+/var/log/squidGuard(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
 /var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
 /var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.5.13/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/squid.if	2009-02-10 15:07:15.000000000 +0100
@@ -21,6 +21,24 @@
 
 ########################################
 ## <summary>
+##	Execute squid 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`squid_exec',`
+	gen_require(`
+		type squid_exec_t;
+	')
+
+	can_exec($1, squid_exec_t)
+')
+
+########################################
+## <summary>
 ##	Send generic signals to squid.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.13/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/squid.te	2009-02-10 15:07:15.000000000 +0100
@@ -117,7 +117,10 @@
 dev_read_urand(squid_t)
 
 fs_getattr_all_fs(squid_t)
+fs_list_inotifyfs(squid_t)
 fs_search_auto_mountpoints(squid_t)
+#squid requires the following when run in diskd mode, the recommended setting
+fs_rw_tmpfs_files(squid_t)
 
 selinux_dontaudit_getattr_dir(squid_t)
 
@@ -189,8 +192,3 @@
 optional_policy(`
 	udev_read_db(squid_t)
 ')
-
-ifdef(`TODO',`
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.5.13/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ssh.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,4 @@
-HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ssh.if	2009-04-23 09:21:24.000000000 +0200
@@ -36,6 +36,7 @@
 	gen_require(`
 		attribute ssh_server;
 		type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+		type ssh_home_t, ssh_tmp_t;
 	')
 
 	##############################
@@ -47,8 +48,9 @@
 	application_domain($1_ssh_t, ssh_exec_t)
 	role $3 types $1_ssh_t;
 
-	type $1_home_ssh_t;
-	files_type($1_home_ssh_t)
+	typealias ssh_home_t alias $1_ssh_home_t;
+	typealias ssh_home_t alias $1_home_ssh_t;
+	typealias ssh_tmp_t alias $1_ssh_tmp_t;
 
 	##############################
 	#
@@ -65,8 +67,7 @@
 	allow $1_ssh_t self:sem create_sem_perms;
 	allow $1_ssh_t self:msgq create_msgq_perms;
 	allow $1_ssh_t self:msg { send receive };
-	allow $1_ssh_t self:tcp_socket create_socket_perms;
-	allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
+	allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
 
 	# for rsync
 	allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
@@ -93,20 +94,21 @@
 	ps_process_pattern($2, $1_ssh_t)
 
 	# user can manage the keys and config
-	manage_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
-	manage_lnk_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
-	manage_sock_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t)
+	manage_files_pattern($2, ssh_home_t, ssh_home_t)
+	manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
+	manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
 
 	# ssh client can manage the keys and config
-	manage_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
-	read_lnk_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
+	manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
+	read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
 
 	# ssh servers can read the user keys and config
-	allow ssh_server $1_home_ssh_t:dir list_dir_perms;
-	read_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t)
-	read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t)
+	allow ssh_server ssh_home_t:dir list_dir_perms;
+	read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+	read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
 
 	kernel_read_kernel_sysctls($1_ssh_t)
+	kernel_read_system_state($1_ssh_t)
 
 	corenet_all_recvfrom_unlabeled($1_ssh_t)
 	corenet_all_recvfrom_netlabel($1_ssh_t)
@@ -115,6 +117,8 @@
 	corenet_tcp_sendrecv_all_ports($1_ssh_t)
 	corenet_tcp_connect_ssh_port($1_ssh_t)
 	corenet_sendrecv_ssh_client_packets($1_ssh_t)
+	corenet_tcp_bind_all_nodes($1_ssh_t)
+	corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
 
 	dev_read_urand($1_ssh_t)
 
@@ -133,6 +137,8 @@
 	files_read_etc_files($1_ssh_t)
 	files_read_var_files($1_ssh_t)
 
+	auth_use_nsswitch($1_ssh_t)
+
 	libs_use_ld_so($1_ssh_t)
 	libs_use_shared_libs($1_ssh_t)
 
@@ -143,9 +149,6 @@
 
 	seutil_read_config($1_ssh_t)
 
-	sysnet_read_config($1_ssh_t)
-	sysnet_dns_name_resolve($1_ssh_t)
-
 	tunable_policy(`read_default_t',`
 		files_list_default($1_ssh_t)
 		files_read_default_files($1_ssh_t)
@@ -157,14 +160,6 @@
 	optional_policy(`
 		kerberos_use($1_ssh_t)
 	')
-
-	optional_policy(`
-		nis_use_ypbind($1_ssh_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_ssh_t)
-	')
 ')
 
 #######################################
@@ -212,7 +207,7 @@
 
 	ssh_basic_client_template($1, $2, $3)
 
-	userdom_user_home_content($1, $1_home_ssh_t)
+	userdom_user_home_content($1, ssh_home_t)
 
 	type $1_ssh_agent_t;
 	application_domain($1_ssh_agent_t, ssh_agent_exec_t)
@@ -240,9 +235,9 @@
 	manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
 	fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
-	manage_dirs_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
-	manage_sock_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
-	userdom_user_home_dir_filetrans($1, $1_ssh_t, $1_home_ssh_t, { dir sock_file })
+	manage_dirs_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
+	manage_sock_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
+	userdom_user_home_dir_filetrans($1, $1_ssh_t, ssh_home_t, { dir sock_file })
 
 	# Allow the ssh program to communicate with ssh-agent.
 	stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
@@ -254,6 +249,9 @@
 	userdom_use_unpriv_users_fds($1_ssh_t)
 	userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
 	userdom_search_user_home_dirs($1,$1_ssh_t)
+	userdom_write_user_tmp_sockets(user,$1_ssh_t)
+	userdom_read_user_home_content_symlinks(user, $1_ssh_t)
+
 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_ssh_t)
 	# needs to read krb tgt
@@ -279,24 +277,15 @@
 	# for port forwarding
 	tunable_policy(`user_tcp_server',`
 		corenet_tcp_bind_ssh_port($1_ssh_t)
+		corenet_tcp_bind_all_nodes($1_ssh_t)
 	')
 
 	optional_policy(`
-		xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t)
+#		xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t)
 		xserver_domtrans_user_xauth($1, $1_ssh_t)
+		xserver_stream_connect_xdm_xserver($1_ssh_t)
 	')
 
-	ifdef(`TODO',`
-	# for /bin/sh used to execute xauth
-	dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
-
-	#allow ssh to access keys stored on removable media
-	# Should we have a boolean around this?
-	files_search_mnt($1_ssh_t)
-	r_dir_file($1_ssh_t, removable_t) 
-
-	') dnl endif TODO
-
 	##############################
 	#
 	# $1_ssh_agent_t local policy
@@ -381,12 +370,9 @@
 	optional_policy(`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
+		xserver_dontaudit_rw_xdm_home_files($1_ssh_agent_t)
 	')
 
-	ifdef(`TODO',`
-	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-	') dnl endif TODO
-
 	##############################
 	#
 	# $1_ssh_keysign_t local policy
@@ -413,6 +399,25 @@
 	')
 ')
 
+########################################
+## <summary>
+##	Execute the ssh agent client in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_agent_exec',`
+	gen_require(`
+		type ssh_agent_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ssh_agent_exec_t)
+')
+
 #######################################
 ## <summary>
 ##	The template to define a ssh server.
@@ -443,13 +448,14 @@
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
-	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:process { signal setsched setrlimit setexec };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 	# ssh agent connections:
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:shm create_shm_perms;
 
 	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
 	term_create_pty($1_t,$1_devpts_t)
@@ -462,6 +468,7 @@
 	# Access key files
 	allow $1_t sshd_key_t:file { getattr read };
 
+	kernel_read_network_state($1_t)
 	kernel_read_kernel_sysctls($1_t)
 
 	corenet_all_recvfrom_unlabeled($1_t)
@@ -478,7 +485,12 @@
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_tcp_bind_ssh_port($1_t)
 	corenet_tcp_connect_all_ports($1_t)
+	corenet_tcp_bind_all_unreserved_ports($1_t)
+	corenet_sendrecv_ssh_server_packets($1_t)
+	# -R qualifier
 	corenet_sendrecv_ssh_server_packets($1_t)
+	# tunnel feature and -w (net_admin capability also)
+	corenet_rw_tun_tap_dev($1_t)
 
 	fs_dontaudit_getattr_all_fs($1_t)
 
@@ -495,6 +507,8 @@
 	files_read_etc_files($1_t)
 	files_read_etc_runtime_files($1_t)
 
+	files_read_var_lib_symlinks($1_t)
+
 	libs_use_ld_so($1_t)
 	libs_use_shared_libs($1_t)
 
@@ -506,9 +520,14 @@
 
 	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
 	userdom_search_all_users_home_dirs($1_t)
+	userdom_read_all_users_home_content_files($1_t)
+
+	# Allow checking users mail at login
+	mta_getattr_spool($1_t)
 
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_read_nfs_files($1_t)
+		fs_read_nfs_symlinks($1_t)
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
@@ -517,11 +536,7 @@
 
 	optional_policy(`
 		kerberos_use($1_t)
-	')
-
-	optional_policy(`
-		# Allow checking users mail at login
-		mta_getattr_spool($1_t)
+		kerberos_manage_host_rcache($1_t)
 	')
 
 	optional_policy(`
@@ -605,6 +620,25 @@
 	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
 ')
 
+#######################################
+## <summary>
+##      Allow attempts to read and write to
+##      sshd unnamed pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ssh_rw_pipes',`
+        gen_require(`
+                type sshd_t;
+        ')
+
+        allow $1 sshd_t:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write
@@ -710,3 +744,22 @@
 
 	dontaudit $1 sshd_key_t:file { getattr read };
 ')
+
+#######################################
+## <summary>
+##	Delete from the ssh temp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_delete_tmp',`
+	gen_require(`
+		type ssh_tmp_t;
+	')
+
+	files_search_tmp($1)
+	delete_files_pattern($1, ssh_tmp_t, ssh_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ssh.te	2009-03-20 09:28:31.000000000 +0100
@@ -24,7 +24,7 @@
 
 # Type for the ssh-agent executable.
 type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
+application_executable_file(ssh_agent_exec_t)
 
 # ssh client executable.
 type ssh_exec_t;
@@ -47,6 +47,9 @@
 type sshd_key_t;
 files_type(sshd_key_t)
 
+type sshd_tmpfs_t;
+files_tmpfs_file(sshd_tmpfs_t)
+
 type sshd_tmp_t;
 files_tmp_file(sshd_tmp_t)
 files_poly_parent(sshd_tmp_t)
@@ -55,6 +58,16 @@
 	init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
 ')
 
+type ssh_home_t;
+userdom_user_home_content(user, ssh_home_t)
+
+type ssh_tmp_t;
+files_tmp_file(ssh_tmp_t)
+
+typealias ssh_home_t alias unconfined_ssh_home_t;
+typealias ssh_home_t alias unconfined_home_ssh_t;
+typealias ssh_tmp_t alias unconfined_ssh_tmp_t;
+
 #################################
 #
 # sshd local policy
@@ -66,6 +79,9 @@
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
 
+manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t)
+fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file)
+
 manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
@@ -74,10 +90,15 @@
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
 
+fs_list_inotifyfs(sshd_t)
+
 # for X forwarding
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
+userdom_read_all_users_home_content_files(sshd_t)
+userdom_read_all_users_home_content_symlinks(sshd_t)
+
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to
@@ -99,10 +120,22 @@
 ')
 
 optional_policy(`
+	kerberos_keytab_template(sshd, sshd_t)
+')
+
+optional_policy(`
+	xserver_getattr_xauth(sshd_t)
+')
+
+optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
 optional_policy(`
+	gitosis_read_var_lib(sshd_t)
+')
+
+optional_policy(`
 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
 
@@ -117,7 +150,11 @@
 ')
 
 optional_policy(`
-	unconfined_domain(sshd_t)
+	usermanage_domtrans_passwd(sshd_t)
+	usermanage_read_crack_db(sshd_t)
+')
+
+optional_policy(`
 	unconfined_shell_domtrans(sshd_t)
 ')
 
@@ -176,6 +213,8 @@
 init_use_fds(ssh_keygen_t)
 init_use_script_ptys(ssh_keygen_t)
 
+auth_use_nsswitch(ssh_keygen_t)
+
 libs_use_ld_so(ssh_keygen_t)
 libs_use_shared_libs(ssh_keygen_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.13/policy/modules/services/stunnel.fc
--- nsaserefpolicy/policy/modules/services/stunnel.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc	2009-02-10 15:07:15.000000000 +0100
@@ -2,5 +2,6 @@
 /etc/stunnel(/.*)?          	gen_context(system_u:object_r:stunnel_etc_t,s0)
 
 /usr/sbin/stunnel	--	gen_context(system_u:object_r:stunnel_exec_t,s0)
+/usr/bin/stunnel	--	gen_context(system_u:object_r:stunnel_exec_t,s0)
 
 /var/run/stunnel(/.*)?		gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.13/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/stunnel.te	2009-02-10 15:07:15.000000000 +0100
@@ -54,6 +54,8 @@
 kernel_read_system_state(stunnel_t)
 kernel_read_network_state(stunnel_t)
 
+corecmd_exec_bin(stunnel_t)
+
 corenet_all_recvfrom_unlabeled(stunnel_t)
 corenet_all_recvfrom_netlabel(stunnel_t)
 corenet_tcp_sendrecv_all_if(stunnel_t)
@@ -109,6 +111,7 @@
 	dev_read_urand(stunnel_t)
 
 	files_read_etc_files(stunnel_t)
+	files_read_etc_runtime_files(stunnel_t)
 	files_search_home(stunnel_t)
 
 	optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.5.13/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/sysstat.te	2009-02-10 15:07:15.000000000 +0100
@@ -26,6 +26,7 @@
 can_exec(sysstat_t, sysstat_exec_t)
 
 manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
 
 # get info from /proc
@@ -47,6 +48,7 @@
 files_read_etc_files(sysstat_t)
 
 fs_getattr_xattr_fs(sysstat_t)
+fs_list_inotifyfs(sysstat_t)
 
 term_use_console(sysstat_t)
 term_use_all_terms(sysstat_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.13/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/telnet.te	2009-02-10 15:07:15.000000000 +0100
@@ -90,8 +90,8 @@
 userdom_search_unpriv_users_home_dirs(telnetd_t)
 
 optional_policy(`
-	kerberos_use(telnetd_t)
-	kerberos_read_keytab(telnetd_t)
+	kerberos_keytab_template(telnetd, telnetd_t)
+	kerberos_manage_host_rcache(telnetd_t)
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.13/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/tftp.te	2009-02-10 15:07:15.000000000 +0100
@@ -75,6 +75,7 @@
 domain_use_interactive_fds(tftpd_t)
 
 files_read_etc_files(tftpd_t);
+files_read_etc_runtime_files(tftpd_t);
 files_read_var_files(tftpd_t)
 files_read_var_symlinks(tftpd_t)
 files_search_var(tftpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.13/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/tor.te	2009-02-10 15:07:15.000000000 +0100
@@ -34,7 +34,7 @@
 # tor local policy
 #
 
-allow tor_t self:capability { setgid setuid };
+allow tor_t self:capability { setgid setuid sys_tty_config };
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket create_stream_socket_perms;
 allow tor_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.5.13/policy/modules/services/ulogd.fc
--- nsaserefpolicy/policy/modules/services/ulogd.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/ulogd.fc	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/ulogd                --              gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+
+/etc/ulogd.conf                         --          	gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+/usr/lib/ulogd(/.*)?					gen_context(system_u:object_r:ulogd_modules_t,s0)	
+
+/usr/sbin/ulogd				--		gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/var/log/ulogd(/.*)?					gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.5.13/policy/modules/services/ulogd.if
--- nsaserefpolicy/policy/modules/services/ulogd.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/ulogd.if	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,127 @@
+## <summary>policy for ulogd</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ulogd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ulogd_domtrans',`
+	gen_require(`
+		type ulogd_t, ulogd_exec_t;
+	')
+
+	domtrans_pattern($1,ulogd_exec_t,ulogd_t)
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to read
+##      ulogd configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`ulogd_read_config',`
+        gen_require(`
+                type ulogd_etc_t;
+        ')
+
+        files_search_etc($1)
+        read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to read ulogd's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`ulogd_read_log',`
+        gen_require(`
+                type ulogd_var_log_t;
+        ')
+
+        logging_search_logs($1)
+        allow $1 ulogd_var_log_t:dir list_dir_perms;
+        read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to append to ulogd's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`ulogd_append_log',`
+        gen_require(`
+                type ulogd_var_log_t;
+        ')
+
+        logging_search_logs($1)
+        allow $1 ulogd_var_log_t:dir list_dir_perms;
+        allow $1 ulogd_var_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##      All of the rules required to administrate 
+##      an ulogd environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the syslog domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_admin',`
+        gen_require(`
+                type ulogd_t, ulogd_etc_t;
+                type ulogd_var_log_t, ulogd_initrc_exec_t;
+		type ulogd_modules_t;
+        ')
+
+        allow $1 ulogd_t:process { ptrace signal_perms };
+        ps_process_pattern($1, ulogd_t)
+
+        init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 ulogd_initrc_exec_t system_r;
+        allow $2 system_r;
+
+	files_search_etc($1)
+        admin_pattern($1, ulogd_etc_t)
+
+        logging_list_logs($1)
+        admin_pattern($1, ulogd_var_log_t)
+
+        files_search_usr($1)
+        admin_pattern($1, ulogd_modules_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.5.13/policy/modules/services/ulogd.te
--- nsaserefpolicy/policy/modules/services/ulogd.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/ulogd.te	2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,54 @@
+policy_module(ulogd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ulogd_t;
+type ulogd_exec_t;
+init_daemon_domain(ulogd_t, ulogd_exec_t)
+
+type ulogd_initrc_exec_t;
+init_script_file(ulogd_initrc_exec_t)
+
+# /usr/lib files
+type ulogd_modules_t;
+files_type(ulogd_modules_t)
+
+# config files
+type ulogd_etc_t;
+files_type(ulogd_etc_t)
+
+# log files
+type ulogd_var_log_t;
+logging_log_file(ulogd_var_log_t)
+
+########################################
+
+#
+# ulogd local policy
+#
+
+allow ulogd_t self:capability net_admin;
+allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+
+# config files
+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+
+# modules for ulogd
+list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t)
+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+
+# log files
+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+logging_log_filetrans(ulogd_t,ulogd_var_log_t, file )
+
+files_search_etc(ulogd_t)
+
+libs_use_ld_so(ulogd_t)
+libs_use_shared_libs(ulogd_t)
+
+miscfiles_read_localization(ulogd_t)
+
+permissive ulogd_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.5.13/policy/modules/services/uucp.fc
--- nsaserefpolicy/policy/modules/services/uucp.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/uucp.fc	2009-02-10 15:07:15.000000000 +0100
@@ -3,7 +3,12 @@
 
 /usr/sbin/uucico	--	gen_context(system_u:object_r:uucpd_exec_t,s0)
 
+/var/lock/uucp(/.*)?  		gen_context(system_u:object_r:uucpd_lock_t,s0)
+
+/var/log/uucp(/.*)?		gen_context(system_u:object_r:uucpd_log_t,s0)
+
 /var/spool/uucp(/.*)?		gen_context(system_u:object_r:uucpd_spool_t,s0)
 /var/spool/uucppublic(/.*)?	gen_context(system_u:object_r:uucpd_spool_t,s0)
 
-/var/log/uucp(/.*)?		gen_context(system_u:object_r:uucpd_log_t,s0)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.5.13/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/uucp.te	2009-02-10 15:07:15.000000000 +0100
@@ -25,6 +25,9 @@
 type uucpd_spool_t;
 files_type(uucpd_spool_t)
 
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
 type uucpd_log_t;
 logging_log_file(uucpd_log_t)
 
@@ -48,6 +51,10 @@
 manage_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t)
 logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir })
 
+files_search_locks(uucpd_t)
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+
 allow uucpd_t uucpd_ro_t:dir list_dir_perms;
 read_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t)
 read_lnk_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t)
@@ -79,6 +86,7 @@
 corenet_udp_sendrecv_all_ports(uucpd_t)
 
 dev_read_urand(uucpd_t)
+dev_setattr_tty(uucpd_t)
 
 fs_getattr_xattr_fs(uucpd_t)
 
@@ -101,6 +109,7 @@
 	kerberos_use(uucpd_t)
 ')
 
+
 ########################################
 #
 # UUX Local policy
@@ -127,6 +136,11 @@
 
 optional_policy(`
 	mta_send_mail(uux_t)
+	mta_read_queue(uux_t)
+')
+
+optional_policy(`
+	sendmail_rw_unix_stream_sockets(uux_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc	2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/virt.fc	2009-02-10 15:07:15.000000000 +0100
@@ -2,6 +2,7 @@
 /etc/libvirt/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.13/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/virt.if	2009-02-26 14:56:14.000000000 +0100
@@ -18,6 +18,25 @@
 	domtrans_pattern($1, virtd_exec_t, virtd_t)
 ')
 
+#######################################
+## <summary>
+##	Connect to virt over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_stream_connect',`
+	gen_require(`
+		type virtd_t, virt_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1,virt_var_run_t,virt_var_run_t,virtd_t)
+')
+
 ########################################
 ## <summary>
 ##	Read virt config files.
@@ -41,6 +60,27 @@
 
 ########################################
 ## <summary>
+##	manage virt config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_manage_config',`
+	gen_require(`
+		type virt_etc_t;
+		type virt_etc_rw_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, virt_etc_t, virt_etc_t)
+	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
 ##	Read virt PID files.
 ## </summary>
 ## <param name="domain">
@@ -78,6 +118,24 @@
 
 ########################################
 ## <summary>
+##	Execute virt server in the virt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`virtd_initrc_domtrans',`
+	gen_require(`
+		type virtd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+')
+
+########################################
+## <summary>
 ##	Search virt lib directories.
 ## </summary>
 ## <param name="domain">
@@ -196,6 +254,35 @@
 
 ########################################
 ## <summary>
+##	Make the specified type usable as a virt image
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable as a virt image
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used as a virtual image
+##	</summary>
+## </param>
+#
+#
+interface(`virt_image',`
+	gen_require(`
+		attribute virt_image_type;
+	')
+
+	typeattribute $1 virt_image_type;
+
+	files_type($1)
+
+	# virt images can be assigned to blk devices
+	dev_node($1)
+')
+
+########################################
+## <summary>
 ##	Allow domain to manage virt image files
 ## </summary>
 ## <param name="domain">
@@ -214,6 +301,7 @@
 	manage_dirs_pattern($1, virt_image_t, virt_image_t)
 	manage_files_pattern($1, virt_image_t, virt_image_t)
 	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
+	rw_blk_files_pattern($1, virt_image_t, virt_image_t)
 
 	tunable_policy(`virt_use_nfs',`
 		fs_manage_nfs_dirs($1)
@@ -243,11 +331,17 @@
 interface(`virt_admin',`
 	gen_require(`
 		type virtd_t;
+		type virtd_initrc_exec_t;
 	')
 
 	allow $1 virtd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, virtd_t)
 
+	virtd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 virtd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	virt_manage_pid_files($1)
 
 	virt_manage_lib_files($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.13/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/virt.te	2009-02-10 15:07:15.000000000 +0100
@@ -5,6 +5,7 @@
 #
 # Declarations
 #
+attribute virt_image_type;
 
 ## <desc>
 ## <p>
@@ -27,10 +28,8 @@
 files_type(virt_etc_rw_t)
 
 # virt Image files
-type virt_image_t; # customizable
-files_type(virt_image_t)
-# virt_image_t can be assigned to blk devices
-dev_node(virt_image_t)
+type virt_image_t, virt_image_type; # customizable
+virt_image(virt_image_t)
 
 type virt_log_t;
 logging_log_file(virt_log_t)
@@ -45,13 +44,15 @@
 type virtd_exec_t;
 init_daemon_domain(virtd_t, virtd_exec_t)
 
+type virtd_initrc_exec_t;
+init_script_file(virtd_initrc_exec_t)
+
 ########################################
 #
 # virtd local policy
 #
-
 allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
-allow virtd_t self:process { sigkill signal execmem };
+allow virtd_t self:process { getsched sigkill signal execmem };
 allow virtd_t self:fifo_file rw_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -64,7 +65,7 @@
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 
-manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
+manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
@@ -82,6 +83,8 @@
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
+kernel_read_xen_state(virtd_t)
+kernel_write_xen_state(virtd_t)
 kernel_load_module(virtd_t)
 
 corecmd_exec_bin(virtd_t)
@@ -93,7 +96,7 @@
 corenet_tcp_sendrecv_all_nodes(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_all_nodes(virtd_t)
-#corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_virt_port(virtd_t)
 corenet_tcp_bind_vnc_port(virtd_t)
 corenet_tcp_connect_vnc_port(virtd_t)
 corenet_tcp_connect_soundd_port(virtd_t)
@@ -107,8 +110,10 @@
 
 files_read_usr_files(virtd_t)
 files_read_etc_files(virtd_t)
+files_read_usr_files(virtd_t)
 files_read_etc_runtime_files(virtd_t)
 files_search_all(virtd_t)
+files_list_kernel_modules(virtd_t)
 
 fs_list_auto_mountpoints(virtd_t)
 
@@ -162,26 +167,27 @@
 	')
 ')
 
-#optional_policy(`
-#	dnsmasq_domtrans(virtd_t)
-#	dnsmasq_signal(virtd_t)
-#	dnsmasq_sigkill(virtd_t)
-#')
+optional_policy(`
+	dnsmasq_domtrans(virtd_t)
+	dnsmasq_signal(virtd_t)
+	dnsmasq_sigkill(virtd_t)
+')
 
 optional_policy(`
 	iptables_domtrans(virtd_t)
 ')
 
-#optional_policy(`
-#	polkit_domtrans_auth(virtd_t)
-#	polkit_domtrans_resolve(virtd_t)
-#')
+optional_policy(`
+	polkit_domtrans_auth(virtd_t)
+	polkit_domtrans_resolve(virtd_t)
+')
 
 optional_policy(`
 	qemu_domtrans(virtd_t)
 	qemu_read_state(virtd_t)
 	qemu_signal(virtd_t)
 	qemu_kill(virtd_t)
+	qemu_setsched(virtd_t)
 ')
 
 optional_policy(`
@@ -189,9 +195,10 @@
 ')
 
 optional_policy(`
-	kernel_read_xen_state(virtd_t)
-	kernel_write_xen_state(virtd_t)
-
 	xen_stream_connect(virtd_t)
 	xen_stream_connect_xenstore(virtd_t)
 ')
+
+optional_policy(`
+	unconfined_domain(virtd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.5.13/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/w3c.te	2009-02-10 15:07:15.000000000 +0100
@@ -8,11 +8,18 @@
 
 apache_content_template(w3c_validator)
 
+type httpd_w3c_validator_tmp_t;
+files_tmp_file(httpd_w3c_validator_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
+manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
+manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
+files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
+
 corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
 corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
 corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.13/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/xserver.fc	2009-02-10 15:07:15.000000000 +0100
@@ -1,13 +1,15 @@
 #
 # HOME_DIR
 #
-HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
-HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:ROLE_fonts_t,s0)
-HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
-HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:fonts_home_t,s0)
+HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:fonts_config_home_t,s0)
+HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:fonts_config_home_t,s0)
+HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:fonts_cache_home_t,s0)
+HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:fonts_cache_home_t,s0)
+HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 
 #
 # /dev
@@ -32,11 +34,6 @@
 /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
-ifdef(`distro_redhat',`
-/etc/gdm/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-')
-
 #
 # /opt
 #
@@ -50,7 +47,7 @@
 /tmp/\.ICE-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.ICE-unix/.*	-s	<<none>>
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
-/tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
 
 #
@@ -58,9 +55,11 @@
 #
 
 /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth    	--      gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -89,16 +88,25 @@
 
 /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 
-/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
 
-/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
+
+/var/spool/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_spool_t,s0)
 
+/var/run/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
 
 ifdef(`distro_suse',`
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2009-02-10 15:07:15.000000000 +0100
@@ -16,6 +16,7 @@
 	gen_require(`
 		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
 
+		attribute rootwindow_type;
 		attribute x_server_domain;
 		class x_drawable all_x_drawable_perms;
 		class x_colormap all_x_colormap_perms;
@@ -99,7 +100,7 @@
 	# Labeling rules for default windows and colormaps
 	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
 	ifdef(`enable_mls',`
-		range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
+		range_transition $1_xserver_t $1_xserver_t:x_drawable s0 - mls_systemhigh;
 	')
 
 	kernel_read_system_state($1_xserver_t)
@@ -134,18 +135,24 @@
 	dev_rw_agp($1_xserver_t)
 	dev_rw_framebuffer($1_xserver_t)
 	dev_manage_dri_dev($1_xserver_t)
-	dev_create_generic_dirs($1_xserver_t)
-	dev_setattr_generic_dirs($1_xserver_t)
+	dev_manage_generic_dirs($1_xserver_t)
 	# raw memory access is needed if not using the frame buffer
 	dev_read_raw_memory($1_xserver_t)
 	dev_wx_raw_memory($1_xserver_t)
 	# for other device nodes such as the NVidia binary-only driver
 	dev_rw_xserver_misc($1_xserver_t)
+	dev_setattr_xserver_misc_dev($1_xserver_t)
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
 	dev_rwx_zero($1_xserver_t)
+	dev_read_urand($1_xserver_t)
+	dev_rw_generic_usb_dev($1_xserver_t)
+	dev_rw_generic_usb_pipes($1_xserver_t)
 
+	domain_mmap_low_type($1_xserver_t)
 	domain_mmap_low($1_xserver_t)
+	domain_read_all_domains_state($1_xserver_t)
+	domain_dontaudit_ptrace_all_domains($1_xserver_t)
 
 	files_read_etc_files($1_xserver_t)
 	files_read_etc_runtime_files($1_xserver_t)
@@ -159,7 +166,8 @@
 	fs_getattr_xattr_fs($1_xserver_t)
 	fs_search_nfs($1_xserver_t)
 	fs_search_auto_mountpoints($1_xserver_t)
-	fs_search_ramfs($1_xserver_t)
+	fs_manage_ramfs_files($1_xserver_t)
+	fs_list_inotifyfs($1_xserver_t)
 
 	selinux_validate_context($1_xserver_t)
 	selinux_compute_access_vector($1_xserver_t)
@@ -169,6 +177,9 @@
 
 	init_getpgid($1_xserver_t)
 
+	miscfiles_read_hwdata($1_xserver_t)
+
+	term_search_ptys($1_xserver_t)
 	term_setattr_unallocated_ttys($1_xserver_t)
 	term_use_unallocated_ttys($1_xserver_t)
 
@@ -276,6 +287,8 @@
 	gen_require(`
 		type iceauth_exec_t, xauth_exec_t;
 		attribute fonts_type, fonts_cache_type, fonts_config_type;
+		type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;
+		type iceauth_home_t, xauth_t, xauth_home_t, xauth_tmp_t;
 	')
 
 	##############################
@@ -286,61 +299,41 @@
 	xserver_common_domain_template($1)
 	role $3 types $1_xserver_t;
 
-	type $1_fonts_t, fonts_type;
-	userdom_user_home_content($1, $1_fonts_t)
-
-	type $1_fonts_cache_t, fonts_cache_type;
-	userdom_user_home_content($1, $1_fonts_cache_t)
-
-	type $1_fonts_config_t, fonts_config_type;
-	userdom_user_home_content($1, $1_fonts_cache_t)
+	typealias fonts_home_t alias $1_fonts_t;
+	typealias fonts_cache_home_t alias $1_fonts_cache_t;
+	typealias fonts_config_home_t alias $1_fonts_config_t;
 
 	type $1_iceauth_t;
 	domain_type($1_iceauth_t)
 	domain_entry_file($1_iceauth_t, iceauth_exec_t)
 	role $3 types $1_iceauth_t;
 
-	type $1_iceauth_home_t alias $1_iceauth_rw_t;
-	files_poly_member($1_iceauth_home_t)
-	userdom_user_home_content($1, $1_iceauth_home_t)
-
-	type $1_xauth_t;
-	domain_type($1_xauth_t)
-	domain_entry_file($1_xauth_t, xauth_exec_t)
-	role $3 types $1_xauth_t;
-
-	type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
-	files_poly_member($1_xauth_home_t)
-	userdom_user_home_content($1, $1_xauth_home_t)
-
-	type $1_xauth_tmp_t;
-	files_tmp_file($1_xauth_tmp_t)
+	typealias iceauth_home_t alias $1_iceauth_rw_t;
+	typealias iceauth_home_t alias $1_iceauth_home_t;
 
-	##############################
-	#
-	# $1_xserver_t Local policy
-	#
+	typealias xauth_home_t alias $1_xauth_rw_t;
+	typealias xauth_home_t alias $1_xauth_home_t;
 
-	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
+	allow $1_xserver_t xauth_home_t:file read_file_perms;
 
-	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+	domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t)
+	role $3 types xauth_t;
 
-	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
 	allow $1_xserver_t $2:process signal;
 
 	allow $1_xserver_t $2:shm rw_shm_perms;
 
-	manage_dirs_pattern($2, $1_fonts_t, $1_fonts_t)
-	manage_files_pattern($2, $1_fonts_t, $1_fonts_t)
-	relabel_dirs_pattern($2, $1_fonts_t, $1_fonts_t)
-	relabel_files_pattern($2, $1_fonts_t, $1_fonts_t)
-
-	manage_dirs_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
-	manage_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
-	relabel_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
+	manage_dirs_pattern($2, fonts_home_t, fonts_home_t)
+	manage_files_pattern($2, fonts_home_t, fonts_home_t)
+	relabel_dirs_pattern($2, fonts_home_t, fonts_home_t)
+	relabel_files_pattern($2, fonts_home_t, fonts_home_t)
+
+	manage_dirs_pattern($2, fonts_config_home_t, fonts_config_home_t)
+	manage_files_pattern($2, fonts_config_home_t, fonts_config_home_t)
+	relabel_files_pattern($2, fonts_config_home_t, fonts_config_home_t)
 
 	# For startup relabel
-	allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+	allow $2 fonts_cache_home_t:{ dir file } { relabelto relabelfrom };
 
 	stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t)
 
@@ -354,85 +347,36 @@
 
 	locallogin_use_fds($1_xserver_t)
 
+	miscfiles_read_fonts($2)
+
 	userdom_search_user_home_dirs($1, $1_xserver_t)
 	userdom_use_user_ttys($1, $1_xserver_t)
 	userdom_setattr_user_ttys($1, $1_xserver_t)
 	userdom_rw_user_tmpfs_files($1, $1_xserver_t)
 
 	xserver_use_user_fonts($1, $1_xserver_t)
-	xserver_rw_xdm_tmp_files($1_xauth_t)
+	xserver_rw_xdm_tmp_files(xauth_t)
+	xserver_read_xdm_xserver_tmp_files($2)
 
 	optional_policy(`
 		userhelper_search_config($1_xserver_t)
 	')
 
-	ifdef(`TODO',`
-	ifdef(`xdm.te', `
-		allow $1_t xdm_tmp_t:sock_file unlink;
-		allow $1_xserver_t xdm_var_run_t:dir search;
+	optional_policy(`
+		wm_exec($2)
 	')
-	') dnl end TODO
-
-	##############################
-	#
-	# $1_xauth_t Local policy
-	#
-
-	allow $1_xauth_t self:process signal;
-	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
 
-	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file)
+	domtrans_pattern($2, xauth_exec_t, xauth_t)
+	allow $2 xauth_t:process signal;
 
-	manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
-	manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
-	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
-
-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
-
-	allow $2 $1_xauth_t:process signal;
+    	allow $2 xauth_home_t:file manage_file_perms;
+	allow $2 xauth_home_t:file { relabelfrom relabelto };
 
 	# allow ps to show xauth
-	ps_process_pattern($2,$1_xauth_t)
-
-	allow $2 $1_xauth_home_t:file manage_file_perms;
-	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
-	allow xdm_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file)
-
-	domain_use_interactive_fds($1_xauth_t)
-
-	files_read_etc_files($1_xauth_t)
-	files_search_pids($1_xauth_t)
-
-	fs_getattr_xattr_fs($1_xauth_t)
-	fs_search_auto_mountpoints($1_xauth_t)
-
-	# cjp: why?
-	term_use_ptmx($1_xauth_t)
+	ps_process_pattern($2,xauth_t)
 
-	auth_use_nsswitch($1_xauth_t)
-
-	libs_use_ld_so($1_xauth_t)
-	libs_use_shared_libs($1_xauth_t)
-
-	userdom_use_user_terminals($1, $1_xauth_t)
-	userdom_read_user_tmp_files($1, $1_xauth_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_xauth_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_xauth_t)
-	')
-
-	optional_policy(`
-		ssh_sigchld($1_xauth_t)
-		ssh_read_pipes($1_xauth_t)
-		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
-	')
+	userdom_use_user_terminals($1, xauth_t)
+	userdom_read_user_tmp_files($1, xauth_t)
 
 	##############################
 	#
@@ -441,16 +385,17 @@
 
 	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
 
-	allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1, $1_iceauth_t, $1_iceauth_home_t, file)
+	allow $1_iceauth_t iceauth_home_t:file manage_file_perms;
+	userdom_user_home_dir_filetrans($1, $1_iceauth_t, iceauth_home_t, file)
 
 	# allow ps to show iceauth
 	ps_process_pattern($2, $1_iceauth_t)
 
-	allow $2 $1_iceauth_home_t:file manage_file_perms;
-	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
+	allow $2 iceauth_home_t:file manage_file_perms;
+	allow $2 iceauth_home_t:file { relabelfrom relabelto };
 
-	allow xdm_t $1_iceauth_home_t:file read_file_perms;
+	xserver_use_xdm($2)
+	xserver_rw_xdm_xserver_shm($2)
 
 	fs_search_auto_mountpoints($1_iceauth_t)
 
@@ -473,33 +418,12 @@
 	#
 
 	# Device rules
-	allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell };
+	allow $1_x_domain $1_xserver_t:x_device { getattr use setattr setfocus grab bell };
 
 	allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
+	allow $2 $1_input_xevent_type:x_event send;
 	allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send;
-
-	# manage: xhost X11:ChangeHosts
-	# freeze: metacity X11:GrabKey
-	# force_cursor: metacity X11:GrabPointer
-	allow $2 $1_xserver_t:x_device { manage freeze force_cursor };
-
-	# gnome-settings-daemon XKEYBOARD:SetControls
-	allow $2 $1_xserver_t:x_server manage;
-
-	# gnome-settings-daemon RANDR:SelectInput
-	allow $2 $1_xserver_t:x_resource write;
-
-	# metacity X11:InstallColormap X11:UninstallColormap
-	allow $2 $1_rootwindow_t:x_colormap { install uninstall };
-
-	# read: gnome-settings-daemon RANDR:GetScreenSizeRange
-	# write: gnome-settings-daemon RANDR:SelectInput
-	# setattr: gnome-settings-daemon X11:GrabKey
-	# manage: metacity X11:ChangeWindowAttributes
-	allow $2 $1_rootwindow_t:x_drawable { read write manage setattr };
-
-	# setattr: metacity X11:InstallColormap
-	allow $2 $1_xserver_t:x_screen { saver_setattr saver_getattr setattr };
+	allow $2 xdm_rootwindow_t:x_colormap remove_color;
 
 	# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
 	allow $2 info_xproperty_t:x_property { create write append };
@@ -548,7 +472,7 @@
 	allow $2 $1_xserver_t:process signal;
 
 	# Read /tmp/.X0-lock
-	allow $2 $1_xserver_tmp_t:file { getattr read };
+	allow $2 $1_xserver_tmp_t:file read_file_perms;
 
 	# Client read xserver shm
 	allow $2 $1_xserver_t:fd use;
@@ -616,7 +540,7 @@
 #	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
-		type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+		type xauth_home_t, iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
 	')
 
 	allow $2 self:shm create_shm_perms;
@@ -624,12 +548,12 @@
 	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $2 $1_xauth_home_t:file { getattr read };
-	allow $2 $1_iceauth_home_t:file { getattr read };
+	allow $2 xauth_home_t:file read_file_perms;
+	allow $2 iceauth_home_t:file read_file_perms;
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_fifo_files_perms;
 	allow $2 xdm_tmp_t:dir search;
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
@@ -649,11 +573,109 @@
 
 	xserver_read_xdm_tmp_files($2)
 
-	# Client write xserver shm
-	tunable_policy(`allow_write_xshm',`
-		allow $2 $1_xserver_t:shm rw_shm_perms;
-		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
 	')
+
+#######################################
+## <summary>
+##	Interface to provide X object permissions on a given X server to
+##	an X client domain.  Provides the minimal set required by a basic
+##	X client application.
+## </summary>
+## <param name="user">
+##	<summary>
+##	The prefix of the X server domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the X client domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Client domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_use',`
+	gen_require(`
+		type $1_rootwindow_t;
+		type $1_xproperty_t;
+		attribute $1_x_domain, $1_input_xevent_type;
+		attribute x_domain;
+		type $1_xserver_t;
+#		type $2_input_xevent_t;
+')
+
+	allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
+
+#	typeattribute $2_input_xevent_t $1_input_xevent_type;
+
+	# can change properties of root window
+	allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
+	# X Windows
+	# operations allowed on root windows
+	allow $3 $1_rootwindow_t:x_drawable { read getattr list_child add_child remove_child send receive override destroy hide };
+#	type_transition $3 $1_rootwindow_t:x_drawable $2_t;
+
+	allow $3 $1_xproperty_t:x_property { write read };
+
+	# X Colormaps
+	# can use the default colormap
+	allow $3 $1_rootwindow_t:x_colormap { read use add_color };
+
+	# manage: xhost X11:ChangeHosts
+	# freeze: metacity X11:GrabKey
+	# force_cursor: metacity X11:GrabPointer
+	allow $3 $1_xserver_t:x_device { manage freeze force_cursor };
+	allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell };
+
+	# gnome-settings-daemon XKEYBOARD:SetControls
+	allow $3 $1_xserver_t:x_server { manage grab };
+
+	# gnome-settings-daemon RANDR:SelectInput
+	allow $3 $1_xserver_t:x_resource { read write };
+
+	# metacity X11:InstallColormap X11:UninstallColormap
+	allow $3 $1_rootwindow_t:x_colormap { use install uninstall };
+
+	# read: gnome-settings-daemon RANDR:GetScreenSizeRange
+	# write: gnome-settings-daemon RANDR:SelectInput
+	# setattr: gnome-settings-daemon X11:GrabKey
+	# manage: metacity X11:ChangeWindowAttributes
+	allow $3 $1_rootwindow_t:x_drawable { show write manage setattr get_property blend create add_child write receive set_property };
+
+	# setattr: metacity X11:InstallColormap
+	allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr };
+	ifdef(`enable_mls',`
+		mls_xwin_read_to_clearance($1_xserver_t)
+
+		mls_fd_use_all_levels($1_xserver_t)
+
+		mls_socket_read_all_levels($1_xserver_t)
+		mls_socket_write_all_levels($1_xserver_t)
+
+		mls_sysvipc_read_to_clearance($1_xserver_t)
+		mls_sysvipc_write_to_clearance($1_xserver_t)
+
+# missing socket transition
+		mls_file_write_within_range($1_xserver_t)
+		mls_xwin_write_all_levels($1_xserver_t)
+
+# /dev/mem
+		mls_file_read_all_levels($1_xserver_t)
+		mls_file_write_all_levels($1_xserver_t)
+	')
+
+	selinux_getattr_fs($1_xserver_t)
+	seutil_read_config($1_xserver_t)
+
+#        allow $1_xserver_t $2:process getpgid;
+
+	allow $1_xserver_t input_xevent_t:x_event send;
+	allow $1_xserver_t $1_rootwindow_t:x_drawable send;
 ')
 
 #######################################
@@ -668,6 +690,105 @@
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
+## <param name="domain">
+##	<summary>
+##	Client domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_common_app',`
+	gen_require(`
+		type std_xext_t;
+#		type $1_rootwindow_t;
+#		type $1_xproperty_t;
+#		type $1_client_xevent_t;
+#		type $1_focus_xevent_t;
+#		type $1_input_xevent_t;
+#		type $1_manage_xevent_t;
+#		type $1_property_xevent_t;
+		attribute rootwindow_type;
+		attribute xproperty_type;
+		class x_drawable all_x_drawable_perms;
+		class x_screen all_x_screen_perms;
+		class x_gc all_x_gc_perms;
+		class x_font all_x_font_perms;
+		class x_colormap all_x_colormap_perms;
+		class x_property all_x_property_perms;
+		class x_selection all_x_selection_perms;
+		class x_cursor all_x_cursor_perms;	
+		class x_client all_x_client_perms;
+		class x_device all_x_device_perms;
+		class x_server all_x_server_perms;
+		class x_extension all_x_extension_perms;
+		class x_resource all_x_resource_perms;
+		class x_event all_x_event_perms;
+		class x_synthetic_event all_x_synthetic_event_perms;
+		type xevent_t, input_xevent_t, client_xevent_t;
+		type clipboard_xselection_t;
+		type xproperty_t, focus_xevent_t, info_xproperty_t, manage_xevent_t;
+		type manage_xevent_t, output_xext_t, property_xevent_t;
+		type debug_xext_t, screensaver_xext_t;
+		type shmem_xext_t, xselection_t;
+		attribute xevent_type, xextension_type;
+	')
+	# can receive certain root window events
+	allow $2 self:x_cursor { destroy create use setattr };
+	allow $2 self:x_drawable { write getattr read destroy create add_child };
+
+	allow $2 self:x_gc { destroy create use setattr };
+	allow $2 self:x_resource { write read };
+
+	allow $2 input_xevent_t:x_synthetic_event receive;
+	allow $2 client_xevent_t:x_synthetic_event { send receive };
+	allow $2 focus_xevent_t:x_event receive;
+	allow $2 info_xproperty_t:x_property read;
+	allow $2 manage_xevent_t:x_event receive;
+	allow $2 manage_xevent_t:x_synthetic_event { send receive };
+
+	allow $2 xextension_type:x_extension { query use };
+
+	allow $2 property_xevent_t:x_event receive;
+
+#	allow $2 $1_client_xevent_t:x_synthetic_event receive;
+#	allow $2 $1_client_xevent_t:x_event receive;
+#	allow $2 $1_focus_xevent_t:x_event receive;
+#	allow $2 $1_input_xevent_t:x_event receive;
+#	allow $2 $1_input_xevent_t:x_synthetic_event receive;
+#	allow $2 $1_manage_xevent_t:x_event receive;
+#	allow $2 $1_property_xevent_t:x_event receive;
+	allow $2 xevent_type:x_event receive;
+	allow $2 xevent_type:x_synthetic_event receive;
+
+	allow $2 $1_t:x_drawable { get_property setattr show receive blend create manage add_child write read getattr list_child set_property };
+
+#	Broken Compiler
+#	allow $2 $1_xproperty_t:x_property read;
+	allow $2 xproperty_type:x_property {getattr read };
+
+	allow $2 std_xext_t:x_extension { query use };
+	allow $2 xproperty_t:x_property { write create destroy };
+	allow $2 xselection_t:x_selection getattr;
+	allow $2 clipboard_xselection_t:x_selection { getattr setattr };
+
+	allow $1_t $2:x_resource { write read };
+
+#	xserver_use($1, $1, $2)
+	xserver_use(xdm, $1, $2)
+')
+
+
+#######################################
+## <summary>
+##	Interface to provide X object permissions on a given X server to
+##	an X client domain.  Provides the minimal set required by a basic
+##	X client application.
+## </summary>
+## <param name="user">
+##	<summary>
+##	The prefix of the X server domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
 ## <param name="prefix">
 ##	<summary>
 ##	The prefix of the X client domain (e.g., user
@@ -682,7 +803,7 @@
 #
 template(`xserver_common_x_domain_template',`
 	gen_require(`
-		type $1_rootwindow_t, std_xext_t, shmem_xext_t;
+		type std_xext_t, shmem_xext_t;
 		type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
 		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
 		type xevent_t, client_xevent_t;
@@ -691,7 +812,6 @@
 		attribute x_server_domain, x_domain;
 		attribute xproperty_type;
 		attribute xevent_type, xextension_type;
-		attribute $1_x_domain, $1_input_xevent_type;
 
 		class x_drawable all_x_drawable_perms;
 		class x_screen all_x_screen_perms;
@@ -708,6 +828,7 @@
 		class x_resource all_x_resource_perms;
 		class x_event all_x_event_perms;
 		class x_synthetic_event all_x_synthetic_event_perms;
+		attribute $1_x_domain;
 	')
 
 	##############################
@@ -715,20 +836,22 @@
 	# Declarations
 	#
 
-	# Type attributes
-	typeattribute $3 $1_x_domain, x_domain;
+	type $2_input_xevent_t, xevent_type;
 
 	# Types for properties
 	type $2_xproperty_t alias $2_default_xproperty_t, xproperty_type;
 
 	# Types for events
-	type $2_input_xevent_t, $1_input_xevent_type, xevent_type;
 	type $2_property_xevent_t, xevent_type;
 	type $2_focus_xevent_t, xevent_type;
 	type $2_manage_xevent_t, xevent_type;
 	type $2_default_xevent_t, xevent_type;
 	type $2_client_xevent_t, xevent_type;
 
+	# Type attributes
+	typeattribute $2_t x_domain;
+	typeattribute $2_t $1_x_domain;
+
 	##############################
 	#
 	# Local Policy
@@ -746,7 +869,7 @@
 	allow $3 x_server_domain:x_server getattr;
 	# everyone can do override-redirect windows.
 	# this could be used to spoof labels
-	allow $3 self:x_drawable override;
+	allow $3 $3:x_drawable override;
 	# everyone can receive management events on the root window
 	# allows to know when new windows appear, among other things
 	allow $3 manage_xevent_t:x_event receive;
@@ -755,36 +878,30 @@
 	# can read server-owned resources
 	allow $3 x_server_domain:x_resource read;
 	# can mess with own clients
-	allow $3 self:x_client { manage destroy };
+	allow $3 $3:x_client { manage destroy };
 
 	# X Protocol Extensions
 	allow $3 std_xext_t:x_extension { query use };
 	allow $3 shmem_xext_t:x_extension { query use };
 	dontaudit $3 xextension_type:x_extension { query use };
 
+	tunable_policy(`xserver_rw_x_device',`
+		allow $3 x_server_domain:x_device { read write };
+	')
+
 	# X Properties
 	# can read and write client properties
-	allow $3 $2_xproperty_t:x_property { create destroy read write append };
+	allow $3 $2_xproperty_t:x_property { getattr create destroy read write append };
 	type_transition $3 xproperty_t:x_property $2_xproperty_t;
 	# can read and write cut buffers
-	allow $3 clipboard_xproperty_t:x_property { create read write append };
+	allow $3 clipboard_xproperty_t:x_property { getattr create read write append };
 	# can read info properties
-	allow $3 info_xproperty_t:x_property read;
-	# can change properties of root window
-	allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
+	allow $3 info_xproperty_t:x_property { getattr read };
 	# can change properties of own windows
-	allow $3 self:x_drawable { list_property get_property set_property };
+	allow $3 $3:x_drawable { list_property get_property set_property };
 
-	# X Windows
-	# operations allowed on root windows
-	allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive };
 	# operations allowed on my windows
-	allow $3 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
-	type_transition $3 $1_rootwindow_t:x_drawable $3;
-
-	# X Colormaps
-	# can use the default colormap
-	allow $3 $1_rootwindow_t:x_colormap { read use add_color };
+	allow $3 $3:x_drawable { blend create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
 
 	# X Input
 	# can receive own events
@@ -811,6 +928,12 @@
 	allow $3 manage_xevent_t:x_synthetic_event send;
 	allow $3 client_xevent_t:x_synthetic_event send;
 
+	allow $3 input_xevent_t:x_event receive;
+	allow $3 input_xevent_t:x_synthetic_event send;
+	allow $3 $2_client_xevent_t:x_synthetic_event send;
+	allow $3 xproperty_t:x_property { read destroy };
+	allow $3 xselection_t:x_selection setattr;
+
 	# X Selections
 	# can use the clipboard
 	allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
@@ -819,13 +942,15 @@
 
 	# Other X Objects
 	# can create and use cursors
-	allow $3 self:x_cursor *;
+	allow $3 $3:x_cursor *;
 	# can create and use graphics contexts
-	allow $3 self:x_gc *;
+	allow $3 $3:x_gc *;
 	# can create and use colormaps
-	allow $3 self:x_colormap *;
+	allow $3 $3:x_colormap *;
 	# can read and write own objects
-	allow $3 self:x_resource { read write };
+	allow $3 $3:x_resource { read write };
+
+	xserver_common_app($1, $3)
 
 	tunable_policy(`! xserver_object_manager',`
 		# should be xserver_unconfined($3),
@@ -885,24 +1010,17 @@
 #
 template(`xserver_user_x_domain_template',`
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
-		type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+		type xdm_xproperty_t;
+		type xauth_home_t, iceauth_home_t;
 	')
 
-	allow $3 self:shm create_shm_perms;
-	allow $3 self:unix_dgram_socket create_socket_perms;
-	allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
+	allow $3 $3:shm create_shm_perms;
+	allow $3 $3:unix_dgram_socket create_socket_perms;
+	allow $3 $3:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $3 $1_xauth_home_t:file { getattr read };
-	allow $3 $1_iceauth_home_t:file { getattr read };
-
-	# for when /tmp/.X11-unix is created by the system
-	allow $3 xdm_t:fd use;
-	allow $3 xdm_t:fifo_file { getattr read write ioctl };
-	allow $3 xdm_tmp_t:dir search;
-	allow $3 xdm_tmp_t:sock_file { read write };
-	dontaudit $3 xdm_t:tcp_socket { read write };
+	allow $3 xauth_home_t:file read_file_perms;
+	allow $3 iceauth_home_t:file read_file_perms;
 
 	# Allow connections to X server.
 	files_search_tmp($3)
@@ -917,16 +1035,16 @@
 	xserver_rw_session_template($1, $3, $4)
 	xserver_use_user_fonts($1, $3)
 
-	xserver_read_xdm_tmp_files($3)
-
 	# X object manager
 	xserver_common_x_domain_template($1, $2, $3)
 
-	# Client write xserver shm
-	tunable_policy(`allow_write_xshm',`
-		allow $3 $1_xserver_t:shm rw_shm_perms;
-		allow $3 $1_xserver_tmpfs_t:file rw_file_perms;
-	')
+	allow $3 xdm_xproperty_t:x_property { write read };
+	allow $3 xdm_xserver_t:x_screen { saver_hide saver_show };
+
+#	allow $3 $1_rootwindow_t:x_drawable read;
+	allow $3 xdm_rootwindow_t:x_drawable read;
+
+	xserver_use_xdm($3)
 ')
 
 ########################################
@@ -958,26 +1076,43 @@
 #
 template(`xserver_use_user_fonts',`
 	gen_require(`
-		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+		type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;
 	')
 
 	# Read per user fonts
-	allow $2 $1_fonts_t:dir list_dir_perms;
-	allow $2 $1_fonts_t:file read_file_perms;
+	read_files_pattern($2, fonts_home_t,  fonts_home_t)
 
 	# Manipulate the global font cache
-	manage_dirs_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t)
-	manage_files_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t)
+	manage_dirs_pattern($2, fonts_cache_home_t, fonts_cache_home_t)
+	manage_files_pattern($2, fonts_cache_home_t, fonts_cache_home_t)
 
 	# Read per user font config
-	allow $2 $1_fonts_config_t:dir list_dir_perms;
-	allow $2 $1_fonts_config_t:file read_file_perms;
+	allow $2 fonts_config_home_t:dir list_dir_perms;
+	allow $2 fonts_config_home_t:file read_file_perms;
 
 	userdom_search_user_home_dirs($1, $2)
 ')
 
 ########################################
 ## <summary>
+##	Get the attributes of xauth executable
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_getattr_xauth',`
+	gen_require(`
+		type xauth_exec_t;
+	')
+
+	allow $1 xauth_exec_t:file getattr;
+')
+
+########################################
+## <summary>
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
@@ -1003,10 +1138,77 @@
 #
 template(`xserver_domtrans_user_xauth',`
 	gen_require(`
-		type $1_xauth_t, xauth_exec_t;
+		type xauth_t, xauth_exec_t;
+	')
+
+	domtrans_pattern($2, xauth_exec_t, xauth_t)
+')
+
+########################################
+## <summary>
+##	Read a user Xauthority domain.
+## </summary>
+## <desc>
+##	<p>
+##	read to a user Xauthority domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_read_user_xauth',`
+	gen_require(`
+		type xauth_home_t;
 	')
 
-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+	allow $2 xauth_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read a user Iceauthority domain.
+## </summary>
+## <desc>
+##	<p>
+##	read to a user Iceauthority domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_read_user_iceauth',`
+	gen_require(`
+		type iceauth_home_t;
+	')
+
+	# Read .Iceauthority file
+	allow $2 iceauth_home_t:file read_file_perms;
 ')
 
 ########################################
@@ -1036,10 +1238,10 @@
 #
 template(`xserver_user_home_dir_filetrans_user_xauth',`
 	gen_require(`
-		type $1_xauth_home_t;
+		type xauth_home_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)
+	userdom_user_home_dir_filetrans($1, $2, xauth_home_t, file)
 ')
 
 ########################################
@@ -1180,7 +1382,7 @@
 		type xdm_t;
 	')
 
-	allow $1 xdm_t:fifo_file { getattr read write }; 
+	allow $1 xdm_t:fifo_file rw_fifo_file_perms; 
 ')
 
 ########################################
@@ -1225,6 +1427,25 @@
 
 ########################################
 ## <summary>
+##	Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_stream_connect',`
+	gen_require(`
+		type xdm_xserver_t, xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, xserver_var_run_t, xserver_var_run_t, xdm_xserver_t)
+')
+
+########################################
+## <summary>
 ##	Read xdm-writable configuration files.
 ## </summary>
 ## <param name="domain">
@@ -1239,7 +1460,7 @@
 	')
 
 	files_search_etc($1)
-	allow $1 xdm_rw_etc_t:file { getattr read };
+	allow $1 xdm_rw_etc_t:file read_file_perms;
 ')
 
 ########################################
@@ -1279,6 +1500,7 @@
 	files_search_tmp($1)
 	allow $1 xdm_tmp_t:dir list_dir_perms;
 	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+	allow $1 xdm_tmp_t:sock_file unlink;
 ')
 
 ########################################
@@ -1297,7 +1519,7 @@
 	')
 
 	files_search_pids($1)
-	allow $1 xdm_var_run_t:file read_file_perms;
+	read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
 ')
 
 ########################################
@@ -1315,7 +1537,25 @@
 		type xdm_var_lib_t;
 	')
 
-	allow $1 xdm_var_lib_t:file { getattr read };
+	allow $1 xdm_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##      dontaudit search of XDM var lib directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_dontaudit_xdm_lib_search',`
+	gen_require(`
+		type xdm_var_lib_t;
+	')
+
+	dontaudit $1 xdm_var_lib_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -1330,15 +1570,47 @@
 #
 interface(`xserver_domtrans_xdm_xserver',`
 	gen_require(`
-		type xdm_xserver_t, xserver_exec_t;
+		type xdm_xserver_t, xserver_exec_t, xdm_t;
 	')
 
  	allow $1 xdm_xserver_t:process siginh;
+ 	allow xdm_t $1:process sigchld;
 	domtrans_pattern($1, xserver_exec_t, xdm_xserver_t)
 ')
 
 ########################################
 ## <summary>
+##	Execute xsever in the xdm_xserver domain, and
+##	allow the specified role the xdm_xserver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the xdm_xserver domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the xdm_xserver domain to use.
+##	</summary>
+## </param>
+#
+interface(`xserver_run_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	xserver_domtrans_xdm_xserver($1)
+	role $2 types xdm_xserver_t;
+	allow xdm_xserver_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
@@ -1430,6 +1702,25 @@
 	dontaudit $1 xserver_log_t:file { append write };
 ')
 
+#######################################
+## <summary>
+##      Allow to write the X server
+##      log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit
+##      </summary>
+## </param>
+#
+interface(`xserver_write_log',`
+        gen_require(`
+                type xserver_log_t;
+        ')
+	write_files_pattern($1,xserver_log_t,xserver_log_t)
+
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to write the X server
@@ -1488,7 +1779,7 @@
 		type xdm_xserver_tmp_t;
 	')
 
-	allow $1 xdm_xserver_tmp_t:file { getattr read };
+	read_files_pattern($1, xdm_xserver_tmp_t, xdm_xserver_tmp_t)
 ')
 
 ########################################
@@ -1680,6 +1971,26 @@
 
 ########################################
 ## <summary>
+##	Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_stream_connect',`
+	gen_require(`
+		type xdm_t, xdm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xdm_var_run_t:sock_file write;
+	allow $1 xdm_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
 ##	xdm xserver RW shared memory socket.
 ## </summary>
 ## <param name="domain">
@@ -1698,6 +2009,24 @@
 
 ########################################
 ## <summary>
+##	Ptrace XDM 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_ptrace_xdm',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:process ptrace;
+')
+
+########################################
+## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain complete control over the
 ##	display.
@@ -1710,8 +2039,176 @@
 #
 interface(`xserver_unconfined',`
 	gen_require(`
-		attribute xserver_unconfined_type;
+		attribute xserver_unconfined_type, x_domain;
+	')
+
+	typeattribute $1 xserver_unconfined_type, x_domain;
+')
+
+########################################
+## <summary>
+##	Read xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_pid',`
+	gen_require(`
+		type xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_exec_pid',`
+	gen_require(`
+		type xserver_var_run_t;
 	')
 
-	typeattribute $1 xserver_unconfined_type;
+	files_search_pids($1)
+	exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##	Write xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_write_pid',`
+	gen_require(`
+		type xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_manage_home_fonts',`
+	gen_require(`
+		type fonts_home_t;
+		type fonts_config_home_t;
+	')
+
+	manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
+	manage_files_pattern($1, fonts_home_t, fonts_home_t)
+	manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
+
+	manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t)
+')
+
+########################################
+## <summary>
+##	Read user homedir fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_read_home_fonts',`
+	gen_require(`
+		type fonts_home_t;
+	')
+
+	read_files_pattern($1, fonts_home_t, fonts_home_t)
+	read_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
+')
+
+########################################
+## <summary>
+##	write to .xsession-errors file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_home_files',`
+	gen_require(`
+		type xdm_home_t;
+	')
+
+	allow $1 xdm_home_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit write to .xsession-errors file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`xserver_dontaudit_rw_xdm_home_files',`
+	gen_require(`
+		type xdm_home_t;
+	')
+
+	dontaudit $1 xdm_home_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Interface to provide X object permissions on a given X server to
+##	an X client domain.  Provides the minimal set required by a basic
+##	X client application.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Client domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_use_xdm',`
+	gen_require(`
+		type xdm_t, xdm_tmp_t;
+	')
+
+	allow $1 xdm_t:fd use;
+	allow $1 xdm_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 xdm_t:tcp_socket { read write };
+
+	# Allow connections to X server.
+	xserver_stream_connect_xdm($1)
+	xserver_read_xdm_tmp_files($1)
+	xserver_xdm_stream_connect($1)
+
+	allow $1 xdm_t:x_client { getattr destroy };
+	allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
+	allow $1 xdm_xproperty_t:x_property { write read };
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/xserver.te	2009-02-10 15:07:15.000000000 +0100
@@ -8,6 +8,14 @@
 
 ## <desc>
 ## <p>
+## Allows X clients to read/write the x devices (keyboard/mouse)
+## </p>
+## </desc>
+gen_tunable(xserver_rw_x_device, true)
+
+
+## <desc>
+## <p>
 ## Allows clients to write to the X server shared
 ## memory segments.
 ## </p>
@@ -16,6 +24,13 @@
 
 ## <desc>
 ## <p>
+## Allows XServer to execute writable memory
+## </p>
+## </desc>
+gen_tunable(allow_xserver_execmem, false)
+
+## <desc>
+## <p>
 ## Allow xdm logins as sysadm
 ## </p>
 ## </desc>
@@ -36,6 +51,7 @@
 # Domains
 attribute xserver_unconfined_type;
 attribute x_server_domain;
+attribute x_server_domain_tmpfs;
 
 # Per-object attributes
 attribute rootwindow_type;
@@ -92,7 +108,10 @@
 files_lock_file(xdm_lock_t)
 
 type xdm_rw_etc_t;
-files_type(xdm_rw_etc_t)
+files_config_file(xdm_rw_etc_t)
+
+type xdm_spool_t;
+files_type(xdm_spool_t)
 
 type xdm_var_lib_t;
 files_type(xdm_var_lib_t)
@@ -100,6 +119,12 @@
 type xdm_var_run_t;
 files_pid_file(xdm_var_run_t)
 
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
+
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
 typealias xdm_tmp_t alias ice_tmp_t;
@@ -107,6 +132,9 @@
 type xdm_tmpfs_t;
 files_tmpfs_file(xdm_tmpfs_t)
 
+type xdm_home_t;
+userdom_user_home_content(user, xdm_home_t)
+
 # type for /var/lib/xkb
 type xkb_var_lib_t;
 files_type(xkb_var_lib_t)
@@ -122,6 +150,37 @@
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
+type fonts_cache_home_t, fonts_cache_type;
+userdom_user_home_content(user, fonts_cache_home_t)
+
+type fonts_home_t, fonts_type;
+userdom_user_home_content(user, fonts_home_t)
+
+type fonts_config_home_t, fonts_config_type;
+userdom_user_home_content(user, fonts_config_home_t)
+
+type iceauth_home_t;
+userdom_user_home_content(user, iceauth_home_t)
+
+type xauth_t;
+domain_type(xauth_t)
+domain_entry_file(xauth_t, xauth_exec_t)
+
+type xauth_home_t, xauth_home_type;
+userdom_user_home_content(user, xauth_home_t)
+
+type admin_xauth_home_t;
+files_type(admin_xauth_home_t)
+
+type xauth_tmp_t;
+files_tmp_file(xauth_tmp_t)
+
+typealias fonts_home_t alias unconfined_fonts_t;
+typealias fonts_cache_home_t alias unconfined_fonts_cache_t;
+typealias fonts_config_home_t alias unconfined_fonts_config_t;
+typealias iceauth_home_t alias uncofined_iceauth_home_t;
+typealias xauth_home_t alias unconfiend_xauth_rw_t;
+
 xserver_common_domain_template(xdm)
 xserver_common_x_domain_template(xdm, xdm, xdm_t)
 init_system_domain(xdm_xserver_t, xserver_exec_t)
@@ -140,13 +199,14 @@
 # XDM Local policy
 #
 
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace };
+allow xdm_t self:process { getattr getcap setcap };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xdm_t self:tcp_socket create_stream_socket_perms;
 allow xdm_t self:udp_socket create_socket_perms;
 allow xdm_t self:socket create_socket_perms;
@@ -154,6 +214,12 @@
 allow xdm_t self:key { search link write };
 
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
+unprivuser_home_dir_filetrans(xdm_t, xdm_home_t, file)
+#userdom_manage_user_home_content_files(user, xdm_t)
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -169,6 +235,8 @@
 manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 
 manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
@@ -176,15 +244,32 @@
 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_rw_tmpfs_files(xdm_xserver_t)
+fs_getattr_all_fs(xdm_t)
+fs_search_inotifyfs(xdm_t)
+fs_list_all(xdm_t)
+fs_read_noxattr_fs_files(xdm_t)
+
+manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)
+
+files_search_spool(xdm_t)
+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
 
 manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)	
 manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
+# Read machine-id
+files_read_var_lib_files(xdm_t)
 
 manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
 manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
 manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-files_pid_filetrans(xdm_t, xdm_var_run_t,