Blob Blame Raw
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te	2009-05-29 11:08:06.000000000 -0400
@@ -72,6 +72,8 @@
 files_read_etc_runtime_files(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
 files_manage_usr_files(prelink_t)
+# Delta RPMS
+files_manage_var_files(prelink_t)
 files_relabelfrom_usr_files(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
@@ -102,5 +104,9 @@
 ')
 
 optional_policy(`
+	rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
 	unconfined_domain(prelink_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-06-06 06:42:14.000000000 -0400
@@ -55,6 +55,7 @@
 files_read_non_security_files(readahead_t)
 files_dontaudit_read_security_files(readahead_t)
 files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_create_boot_flag(readahead_t)
 
 fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-05-29 11:02:56.000000000 -0400
@@ -470,6 +470,24 @@
 
 ########################################
 ## <summary>
+##	Manage RPM tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read, 
 ##	write RPM tmp files
 ## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te	2009-05-26 13:02:40.000000000 -0400
@@ -209,6 +209,7 @@
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
 
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc	2009-06-08 13:49:44.000000000 -0400
@@ -1,2 +1,3 @@
 /usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te	2009-06-09 06:55:30.000000000 -0400
@@ -93,6 +93,7 @@
 
 optional_policy(`
 	virt_manage_images(qemu_t)
+	virt_append_log(qemu_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te	2009-05-22 10:14:07.000000000 -0400
@@ -38,3 +38,6 @@
 miscfiles_read_localization(sandbox_t)
 
 userdom_use_user_ptys(sandbox_t)
+
+kernel_dontaudit_read_system_state(sandbox_t)
+corecmd_exec_all_executables(sandbox_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 15:54:49.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2009-05-26 08:07:56.000000000 -0400
@@ -63,6 +63,7 @@
 ')
 
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
 
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-06-08 08:49:07.000000000 -0400
@@ -7,6 +7,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -69,6 +70,8 @@
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/racoon/scripts(/.*)?  		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
@@ -145,6 +148,7 @@
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -217,8 +221,11 @@
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath	--      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)?	        gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
-/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)?        gen_context(system_u:object_r:bin_t,s0)
 
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc	2009-06-08 09:12:26.000000000 -0400
@@ -46,8 +46,10 @@
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+        -c      gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-06-08 09:15:11.000000000 -0400
@@ -1727,6 +1727,133 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##      Read and write to ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+######################################
+## <summary>
+##      Read the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##      Read and write the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##      Automatic type transition to the type
+##      for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
+########################################
+## <summary>
 ##	Read the lvm comtrol device.
 ## </summary>
 ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2009-06-08 09:12:06.000000000 -0400
@@ -78,6 +78,13 @@
 dev_node(ipmi_device_t)
 
 #
+# ksm_device_t is the type of
+# /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
+#
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
@@ -91,6 +98,12 @@
 dev_node(kvm_device_t)
 
 #
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
+#
 # Type for /dev/mapper/control
 #
 type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-06-02 11:47:44.000000000 -0400
@@ -65,8 +65,8 @@
 	')
 
 	optional_policy(`
-		selinux_dontaudit_getattr_fs($1)
-		selinux_dontaudit_read_fs($1)
+		selinux_getattr_fs($1)
+		selinux_search_fs($1)
 	')
 
 	optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-06-04 16:19:45.000000000 -0400
@@ -91,6 +91,9 @@
 kernel_read_proc_symlinks(domain)
 kernel_read_crypto_sysctls(domain)
 
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
 # Every domain gets the key ring, so we should default
 # to no one allowed to look at it; afs kernel support creates
 # a keyring
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-05-29 11:03:57.000000000 -0400
@@ -5224,6 +5224,7 @@
 		attribute file_type;
 	')
 
+	allow $1 file_type:dir search_dir_perms;
 	allow $1 file_type:file { getattr read write append lock };
 	allow $1 file_type:fifo_file { getattr read write append ioctl lock };
 	allow $1 file_type:sock_file { getattr read write append ioctl lock };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-05-22 08:57:53.000000000 -0400
@@ -817,7 +817,7 @@
 		type proc_t;
 	')
 
-	dontaudit $1 proc_t:file { getattr read };
+	dontaudit $1 proc_t:file { open getattr read };
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-06-01 08:41:46.000000000 -0400
@@ -44,6 +44,10 @@
 ')
 
 optional_policy(`
+	postgresql_role(staff_r, staff_t)
+')
+
+optional_policy(`
 	secadm_role_change(staff_r)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-05-21 15:11:07.000000000 -0400
@@ -334,6 +334,10 @@
 ')
 
 optional_policy(`
+	virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
 	yam_run(sysadm_t, sysadm_r)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-05-22 05:49:21.000000000 -0400
@@ -52,6 +52,8 @@
 init_system_domain(unconfined_execmem_t, execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 typealias execmem_exec_t alias unconfined_execmem_exec_t;
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
 
 type unconfined_notrans_t;
 type unconfined_notrans_exec_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc	2009-05-26 15:13:01.000000000 -0400
@@ -98,4 +98,6 @@
 
 /var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 
-/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.12/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if	2009-04-07 15:54:47.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/automount.if	2009-06-08 08:39:46.000000000 -0400
@@ -21,6 +21,25 @@
 
 ########################################
 ## <summary>
+##	Send automount a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`automount_signal',`
+	gen_require(`
+		type automount_t;
+	')
+
+	allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute automount in the caller domain.
 ## </summary>
 ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-06-01 06:47:53.000000000 -0400
@@ -14,7 +14,7 @@
 files_pid_file(consolekit_var_run_t)
 
 type consolekit_log_t;
-files_pid_file(consolekit_log_t)
+logging_log_file(consolekit_log_t)
 
 ########################################
 #
@@ -50,6 +50,7 @@
 files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cron.if	2009-05-26 08:38:15.000000000 -0400
@@ -163,27 +163,14 @@
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
-		type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+		type unconfined_cronjob_t;
 	')
 
-	role $1 types { unconfined_cronjob_t admin_crontab_t };
+	role $1 types unconfined_cronjob_t;
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
 
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
-	# crontab shows up in user ps
-	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
-
-	# Run helper programs as the user domain
-	#corecmd_bin_domtrans(admin_crontab_t, $2)
-	#corecmd_shell_domtrans(admin_crontab_t, $2)
-	corecmd_exec_bin(admin_crontab_t)
-	corecmd_exec_shell(admin_crontab_t)
-
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/dcc.te	2009-06-09 07:21:39.000000000 -0400
@@ -130,11 +130,13 @@
 
 # Access files in /var/dcc. The map file can be updated
 allow dcc_client_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
+fs_getattr_all_fs(dcc_client_t)
+
 corenet_all_recvfrom_unlabeled(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_bind_generic_node(dcc_client_t)
@@ -154,6 +156,10 @@
 userdom_use_user_terminals(dcc_client_t)
 
 optional_policy(`
+	amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
 	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-05-21 12:57:07.000000000 -0400
@@ -55,7 +55,7 @@
 #
 # DeviceKit-Power local policy
 #
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-06-04 13:23:04.000000000 -0400
@@ -22,12 +22,15 @@
 
 corecmd_search_bin(fprintd_t)
 
+dev_list_usbfs(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 dev_read_sysfs(fprintd_t)
 
 files_read_etc_files(fprintd_t)
 files_read_usr_files(fprintd_t)
 
+kernel_read_system_state(fprintd_t)
+
 auth_use_nsswitch(fprintd_t)
 
 miscfiles_read_localization(fprintd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/hal.te	2009-05-27 07:02:29.000000000 -0400
@@ -162,6 +162,7 @@
 fs_mount_dos_fs(hald_t)
 fs_unmount_dos_fs(hald_t)
 fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
 
 files_getattr_all_mountpoints(hald_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.if	2009-06-01 08:13:05.000000000 -0400
@@ -70,6 +70,7 @@
 interface(`kerberos_use',`
 	gen_require(`
 		type krb5_conf_t, krb5kdc_conf_t;
+		type krb5_host_rcache_t;
 	')
 
 	files_search_etc($1)
@@ -101,6 +102,7 @@
 		corenet_tcp_connect_ocsp_port($1)
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
+		allow $1 krb5_host_rcache_t:file getattr;
 	')
 
 	optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te	2009-06-01 08:22:04.000000000 -0400
@@ -45,6 +45,9 @@
 dev_filetrans(lircd_t, lircd_sock_t, sock_file )
 dev_read_generic_usb_dev(lircd_t)
 
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+
 logging_send_syslog_msg(lircd_t)
 
 files_read_etc_files(lircd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/mailman.if	2009-05-26 13:53:04.000000000 -0400
@@ -197,6 +197,7 @@
 		type mailman_data_t;
 	')
 
+	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	read_files_pattern($1, mailman_data_t, mailman_data_t)
 	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/postfix.if	2009-06-03 08:38:18.000000000 -0400
@@ -580,6 +580,25 @@
 
 ########################################
 ## <summary>
+##	Execute the master postqueue in the
+##	postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+	gen_require(`
+		type postfix_postqueue_t, postfix_postqueue_exec_t;
+	')
+
+	domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+########################################
+## <summary>
 ##	Execute the master postdrop in the
 ##	postfix_postdrop domain.
 ## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc	2009-05-21 08:32:24.000000000 -0400
@@ -3,6 +3,8 @@
 
 HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 
 /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.te	2009-06-09 07:21:04.000000000 -0400
@@ -97,6 +97,8 @@
 kernel_read_kernel_sysctls(pyzor_t)  
 kernel_read_system_state(pyzor_t)
 
+fs_getattr_xattr_fs(pyzor_t)
+
 corecmd_list_bin(pyzor_t)
 corecmd_getattr_bin_files(pyzor_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-06-08 08:39:25.000000000 -0400
@@ -95,6 +95,10 @@
 userdom_signal_unpriv_users(rpcd_t)
 
 optional_policy(`
+	automount_signal(rpcd_t)
+')
+
+optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')
 
@@ -214,6 +218,10 @@
 ')
 
 optional_policy(`
+	automount_signal(gssd_t)
+')
+
+optional_policy(`
 	kerberos_keytab_template(gssd, gssd_t) 
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te	2009-06-03 08:45:52.000000000 -0400
@@ -126,6 +126,8 @@
 
 tunable_policy(`rsync_export_all_ro',`
 	fs_read_noxattr_fs_files(rsync_t) 
+	fs_read_nfs_files(rsync_t)
+	fs_read_cifs_files(rsync_t)
 	auth_read_all_dirs_except_shadow(rsync_t)
 	auth_read_all_files_except_shadow(rsync_t)
 	auth_read_all_symlinks_except_shadow(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te	2009-06-03 08:38:28.000000000 -0400
@@ -148,6 +148,7 @@
 
 optional_policy(`
 	postfix_domtrans_postdrop(sendmail_t)
+	postfix_domtrans_postqueue(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te	2009-06-10 11:22:59.000000000 -0400
@@ -121,6 +121,10 @@
 userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
 
 optional_policy(`
+	locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(setroubleshootd_t)
 	dbus_connect_system_bus(setroubleshootd_t)
 	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc	2009-05-21 08:31:58.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 
 /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-06-09 06:54:00.000000000 -0400
@@ -183,6 +183,7 @@
 seutil_read_default_contexts(virtd_t)
 
 term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
 term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
@@ -323,9 +324,13 @@
 userdom_read_all_users_state(svirt_t)
 
 append_files_pattern(svirt_t, virt_log_t, virt_log_t)
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
 
 allow svirt_t self:udp_socket create_socket_perms;
 
+corecmd_exec_bin(svirt_t)
+corecmd_exec_shell(svirt_t)
+
 corenet_udp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-05-26 08:17:11.000000000 -0400
@@ -538,6 +538,7 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
 userdom_manage_tmpfs_role(system_r, xdm_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-06-01 13:14:14.000000000 -0400
@@ -77,6 +77,8 @@
 
 	# for SSP/ProPolice
 	dev_read_urand($1)
+	# for encrypted homedir
+	dev_read_sysfs($1)
 	# for fingerprint readers
 	dev_rw_input_dev($1)
 	dev_rw_generic_usb_dev($1)
@@ -147,6 +149,10 @@
 	')
 
 	optional_policy(`
+		kerberos_manage_host_rcache($1)
+	')
+
+	optional_policy(`
 		nis_authenticate($1)
 	')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/init.fc	2009-05-26 09:15:52.000000000 -0400
@@ -6,6 +6,8 @@
 /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/etc/sysconfig/network-scripts/ifup-ipsec  	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-06-08 13:37:16.000000000 -0400
@@ -163,7 +163,7 @@
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
@@ -284,6 +284,7 @@
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
 
 # manage pid file
 manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -301,6 +302,13 @@
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
+can_exec(racoon_t, racoon_exec_t)
+
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
+sysnet_exec_ifconfig(racoon_t)
+
 corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
@@ -348,6 +356,7 @@
 files_read_etc_files(setkey_t)
 
 init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
 
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-06-08 08:45:27.000000000 -0400
@@ -139,6 +139,7 @@
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -366,6 +367,7 @@
 /usr/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/Zend/lib/ZendExtensionManager\.so	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/libcncpmslld328\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te	2009-05-28 21:07:39.000000000 -0400
@@ -211,6 +211,7 @@
 # Sulogin local policy
 #
 
+allow sulogin_t self:capability dac_override;
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_file_perms;
@@ -258,7 +259,10 @@
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
 ifdef(`distro_debian', `define(`sulogin_no_pam')')
-ifdef(`distro_redhat',`define(`sulogin_no_pam')')
+ifdef(`distro_redhat',`
+	define(`sulogin_no_pam')
+	selinux_compute_user_contexts(sulogin_t)
+')
 
 ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te	2009-06-01 13:01:59.000000000 -0400
@@ -45,7 +45,7 @@
 # DHCP client local policy
 #
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 allow dhcpc_t self:process { setfscreate ptrace signal_perms };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-06-01 08:19:34.000000000 -0400
@@ -1880,7 +1880,7 @@
 		type user_home_t;
 	')
 
-	allow $1 user_home_t:dir delete_file_perms;
+	allow $1 user_home_t:file delete_file_perms;
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/virtual.te	2009-06-08 09:19:35.000000000 -0400
@@ -38,6 +38,7 @@
 dev_read_sound(virtualdomain)
 dev_write_sound(virtualdomain)
 dev_rw_kvm(virtualdomain)
+dev_rw_ksm(virtualdomain)
 dev_rw_qemu(virtualdomain)
 
 domain_use_interactive_fds(virtualdomain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/xen.te	2009-06-04 14:47:25.000000000 -0400
@@ -419,6 +419,7 @@
 kernel_read_xen_state(xm_ssh_t)
 kernel_write_xen_state(xm_ssh_t)
 
+userdom_search_admin_dir(xm_ssh_t)
 
 #Should have a boolean wrapping these
 fs_list_auto_mountpoints(xend_t)