diff --git a/policy-20100106.patch b/policy-20100106.patch index b541117..b8b7f44 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -38,8 +38,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.6.32/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te 2010-02-03 17:55:20.114145133 +0100 -@@ -0,0 +1,30 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te 2010-02-09 09:59:05.624865373 +0100 +@@ -0,0 +1,31 @@ + +policy_module(mcelog,1.0.0) + @@ -59,6 +59,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# mcelog local policy +# ++allow mcelog_t self:capability sys_admin; + +kernel_read_system_state(mcelog_t) + 
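Review bot: `++allow mcelog_t self:capability sys_admin;` hands the mcelog domain the broadest Linux capability and the hunk carries no comment recording which operation needs it. CAP_SYS_ADMIN covers far more than a machine-check log reader plausibly uses, so the rule should name its trigger, e.g. `# sys_admin: required for <operation> (presumably an ioctl on the mcelog device) - from AVC denial`, and if the denial comes from a probe that fails gracefully, `dontaudit mcelog_t self:capability sys_admin;` is the tighter choice. The remainder of mcelog.te's local policy lies outside this hunk.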
@@ -81,6 +82,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_home_content(prelink_t) optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te +--- nsaserefpolicy/policy/modules/admin/readahead.te 2010-01-18 18:24:22.565530533 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2010-02-09 10:21:28.868615982 +0100 +@@ -62,6 +62,8 @@ + fs_search_auto_mountpoints(readahead_t) + fs_getattr_all_pipes(readahead_t) + fs_getattr_all_files(readahead_t) ++fs_read_cgroup_files(readahead_t) ++fs_read_tmpfs_files(readahead_t) + fs_read_tmpfs_symlinks(readahead_t) + fs_list_inotifyfs(readahead_t) + fs_dontaudit_search_ramfs(readahead_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-01-29 10:12:23.130864561 +0100 @@ -131,7 +144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-01-18 18:24:22.584530156 +0100 -+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2010-01-26 14:45:59.214713808 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2010-02-08 14:09:13.659608943 +0100 @@ -122,6 +122,10 @@ # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) 
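Review bot: `++fs_read_tmpfs_files(readahead_t)` lets readahead open for read every file that carries the generic tmpfs_t label, which presumably includes un-transitioned content under /dev/shm, and `++fs_read_cgroup_files(readahead_t)` grants read on cgroup pseudo-files that a file-preloading tool gains nothing from caching. If both came from AVC denials while readahead walked its file lists, the cgroup access is better silenced than granted, e.g. `dontaudit readahead_t cgroup_t:file read_file_perms;` (or the matching dontaudit interface if this tree has one), and the tmpfs rule deserves a comment naming the paths it is meant for. The usermanage.te hunk on the same line only updates a timestamp.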
@@ -143,6 +156,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Crack local policy +@@ -252,7 +256,7 @@ + # Passwd local policy + # + +-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; ++allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; + allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow passwd_t self:process { setrlimit setfscreate }; + allow passwd_t self:fd use; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.6.32/policy/modules/apps/cdrecord.te +--- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/apps/cdrecord.te 2010-02-09 09:59:13.342615577 +0100 +@@ -32,6 +32,8 @@ + allow cdrecord_t self:unix_dgram_socket create_socket_perms; + allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; + ++corecmd_exec_bin(cdrecord_t) ++ + # allow searching for cdrom-drive + dev_list_all_dev_nodes(cdrecord_t) + dev_read_sysfs(cdrecord_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-02-02 14:30:20.961067885 +0100 
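Review bot: `++corecmd_exec_bin(cdrecord_t)` lets cdrecord run any bin_t program without a domain transition, so each helper it launches inherits cdrecord_t's device access (`dev_list_all_dev_nodes`, `dev_read_sysfs` in the visible context). If the denial was produced by one specific helper, a comment naming it is the minimum, e.g. `# cdrecord execs <helper> in its own domain`, and a dedicated exec type with a domain transition would be narrower; the program cannot be identified from this hunk. The `sys_nice` added to passwd_t's capability set in the same hunk is small but equally undocumented.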
@@ -386,6 +420,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # GPG helper local policy +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te +--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 2010-01-18 18:24:22.610530600 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2010-02-08 11:58:12.837586833 +0100 +@@ -56,6 +56,10 @@ + userdom_dontaudit_search_admin_dir(kdumpgui_t) + + optional_policy(` ++ gnome_dontaudit_search_config(kdumpgui_t) ++') ++ ++optional_policy(` + dev_rw_lvm_control(kdumpgui_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100 
@@ -466,6 +514,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(pulseaudio_t, pulseaudio_exec_t) kernel_getattr_proc(pulseaudio_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te +--- nsaserefpolicy/policy/modules/apps/sambagui.te 2010-01-18 18:24:22.646540277 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2010-02-08 10:39:43.173336716 +0100 +@@ -52,6 +52,10 @@ + userdom_dontaudit_search_admin_dir(sambagui_t) + + optional_policy(` ++ gnome_dontaudit_search_config(sambagui_t) ++') ++ ++optional_policy(` + consoletype_exec(sambagui_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-22 15:41:50.752727640 +0100 @@ -804,7 +866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_mmap_low(wine_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-02-04 18:36:15.524100702 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-02-09 09:59:17.989881706 +0100 @@ -219,7 +219,7 @@ /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) 
@@ -814,6 +876,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) +@@ -237,6 +237,7 @@ + /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in 2010-02-02 15:20:43.717067439 +0100 @@ -894,7 +964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-04 18:30:05.373350781 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-09 09:59:21.541627154 +0100 @@ -1398,6 +1398,42 @@ rw_chr_files_pattern($1, device_t, crypt_device_t) ') 
@@ -938,7 +1008,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## getattr the dri devices. -@@ -3551,6 +3587,24 @@ +@@ -1728,6 +1764,24 @@ + + ######################################## + ## ++## Write to the kernel messages device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_kmsg',` ++ gen_require(` ++ type device_t, kmsg_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, kmsg_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of the ksm devices. + ## + ## +@@ -3551,6 +3605,24 @@ rw_chr_files_pattern($1, device_t, usb_device_t) ') @@ -963,7 +1058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Mount a usbfs filesystem. -@@ -3833,6 +3887,24 @@ +@@ -3833,6 +3905,24 @@ write_chr_files_pattern($1, device_t, v4l_device_t) ') 
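Review bot: The new `dev_write_kmsg` interface grants write on kmsg_device_t, but its summary (`Write to the kernel messages device`) does not warn that a writer of /dev/kmsg injects lines into the kernel ring buffer that dmesg and syslog consumers cannot distinguish from genuine kernel output. Suggest adding one sentence to the interface description: `Writing here injects text into the kernel log; grant only to trusted logging daemons.` so callers understand what they are handing out. The other changes in this hunk are offset renumbering of existing hunks.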
@@ -1057,8 +1152,60 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-01-29 10:02:57.270864470 +0100 -@@ -4409,3 +4409,23 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-09 09:59:39.756615405 +0100 +@@ -3496,6 +3496,24 @@ + + ######################################## + ## ++## Read generic tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ read_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## + ## Read and write generic tmpfs files. + ## + ## +@@ -4297,6 +4315,26 @@ + + ######################################## + ## ++## Read files on cgroup ++## file systems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_cgroup_files',` ++ gen_require(` ++ type cgroup_t; ++ ++ ') ++ ++ read_files_pattern($1, cgroup_t, cgroup_t) ++') ++ ++######################################## ++## + ## Read and write files on cgroup + ## file systems. + ## +@@ -4409,3 +4447,23 @@ write_files_pattern($1, cgroup_t, cgroup_t) ') 
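Review bot: The `gen_require` block of the new `fs_read_cgroup_files` has a stray blank line after `type cgroup_t;` that its sibling `fs_read_tmpfs_files`, added in the same hunk, does not have; drop it so the two interfaces match the file's layout. The summary of `fs_read_tmpfs_files` (`Read generic tmpfs files`) could also say that tmpfs_t is the fallback label for tmpfs content without a type transition - presumably including /dev/shm - so callers receive read access to other domains' un-transitioned shared-memory files; one clause in the description would do, e.g. `This includes un-transitioned content on /dev/shm.`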
@@ -1533,7 +1680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-27 16:52:32.499864534 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-02-08 11:55:25.971336166 +0100 @@ -82,6 +82,7 @@ manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -1542,7 +1689,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) -@@ -277,6 +278,8 @@ +@@ -94,6 +95,7 @@ + corenet_tcp_sendrecv_generic_node(dovecot_t) + corenet_tcp_sendrecv_all_ports(dovecot_t) + corenet_tcp_bind_generic_node(dovecot_t) ++corenet_tcp_bind_mail_port(dovecot_t) + corenet_tcp_bind_pop_port(dovecot_t) + corenet_tcp_connect_all_ports(dovecot_t) + corenet_tcp_connect_postgresql_port(dovecot_t) +@@ -277,6 +279,8 @@ ') tunable_policy(`use_nfs_home_dirs',` @@ -1551,7 +1706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_nfs_files(dovecot_deliver_t) fs_manage_nfs_symlinks(dovecot_deliver_t) fs_manage_nfs_files(dovecot_t) -@@ -284,6 +287,8 @@ +@@ -284,6 +288,8 @@ ') tunable_policy(`use_samba_home_dirs',` 
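Review bot: `++corenet_tcp_bind_mail_port(dovecot_t)` is added without a comment saying which Dovecot listener binds mail_port_t, and the surrounding rules already grant `corenet_tcp_sendrecv_all_ports` and `corenet_tcp_connect_all_ports`, so the domain's port story is hard to audit from the policy alone. Suggest a one-line comment above the new rule, e.g. `# <service> listener binds mail_port_t`, with the service name taken from the Dovecot configuration that produced the denial rather than guessed.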
@@ -1772,75 +1927,889 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2010-01-18 18:24:22.788540040 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/git.fc 2010-01-22 12:32:18.191604638 +0100 -@@ -1,6 +1,9 @@ - /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) - /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++++ serefpolicy-3.6.32/policy/modules/services/git.fc 2010-02-09 12:46:59.674881314 +0100 +@@ -1,9 +1,16 @@ +-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) +-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0) ++HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0) -+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -+ - /srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) +-/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) ++/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0) + +-# Conflict with Fedora cgit fc spec. +-/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) ++/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_content_rw_t,s0) ++/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++ ++/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) ++ ++/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++ ++/var/lib/git(/.*)? 
gen_context(system_u:object_r:git_system_content_t, s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2010-01-18 18:24:22.789540167 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/git.if 2010-01-22 12:30:50.923622237 +0100 -@@ -104,7 +104,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/git.if 2010-02-09 12:46:59.675881993 +0100 +@@ -1,4 +1,4 @@ +-## Git daemon is a really simple server for Git repositories. ++## Git - Fast Version Control System. + ## + ##
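Review bot: `++/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)` drops both the `\.` escape and the `--` file-class specifier that the removed line `/var/www/git/gitweb\.cgi -- ...` had, so as a regex it matches `/var/www/git/gitweb?cgi` for any single character and for any object class, and being more specific than `/var/www/git(/.*)?` it wins, labeling such objects as CGI executables. Restore `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`. The `/var/cache/cgit` entry is also switched to `httpd_git_content_rw_t`; that name must be the one this tree's apache content template actually declares, which cannot be confirmed from this hunk.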

+ ## A really simple TCP git daemon that normally listens on +@@ -6,27 +6,6 @@ + ## connection asking for a service, and will serve that + ## service if it is enabled. + ##

+-##

+-## It verifies that the directory has the magic file +-## git-daemon-export-ok, and it will refuse to export any +-## git directory that has not explicitly been marked for +-## export this way (unless the --export-all parameter is +-## specified). If you pass some directory paths as +-## git-daemon arguments, you can further restrict the +-## offers to a whitelist comprising of those. +-##

+-##

+-## By default, only upload-pack service is enabled, which +-## serves git-fetch-pack and git-ls-remote clients, which +-## are invoked from git-fetch, git-pull, and git-clone. +-##

+-##

+-## This is ideally suited for read-only updates, i.e., +-## pulling from git repositories. +-##

+-##

+-## An upload-archive also exists to serve git-archive. +-##

+ ##
+ + ####################################### +@@ -46,50 +25,172 @@ + # + interface(`git_session_role', ` + gen_require(` +- type gitd_session_t, gitd_exec_t, git_home_t; ++ type git_session_t, gitd_exec_t; ') - exec_files_pattern($1, git_data_t, git_data_t) -- files_search_var($1) + ######################################## + # +- # Git daemon session data declarations. ++ # Git daemon session shared declarations. + # + +- ## +- ##

+- ## Allow transitions to the Git daemon +- ## session domain. +- ##

+- ##
+- gen_tunable(gitd_session_transition, false) ++ role $1 types git_session_t; ++ ++ ######################################## ++ # ++ # Git daemon session shared policy. ++ # ++ ++ domtrans_pattern($2, gitd_exec_t, git_session_t) ++ ++ allow $2 git_session_t:process { ptrace signal_perms }; ++ ps_process_pattern($2, git_session_t) ++') ++ ++######################################## ++## ++## Create a set of derived types for Git ++## daemon shared repository content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`git_content_template',` + +- role $1 types gitd_session_t; ++ gen_require(` ++ attribute git_system_content; ++ attribute git_content; ++ ') + + ######################################## + # +- # Git daemon session data policy. ++ # Git daemon content shared declarations. ++ # ++ ++ type git_$1_content_t, git_system_content, git_content; ++ files_type(git_$1_content_t) ++') ++ ++######################################## ++## ++## Create a set of derived types for Git ++## daemon shared repository roles. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## + # ++template(`git_role_template',` + +- tunable_policy(`gitd_session_transition', ` +- domtrans_pattern($2, gitd_exec_t, gitd_session_t) +- ', ` +- can_exec($2, gitd_exec_t) ++ gen_require(` ++ class context contains; ++ role system_r; + ') + +- allow $2 gitd_session_t:process { ptrace signal_perms }; +- ps_process_pattern($2, gitd_session_t) ++ ######################################## ++ # ++ # Git daemon role shared declarations. 
++ # ++ ++ attribute $1_usertype; + +- exec_files_pattern($2, git_home_t, git_home_t) +- manage_dirs_pattern($2, git_home_t, git_home_t) +- manage_files_pattern($2, git_home_t, git_home_t) ++ type $1_t; ++ userdom_unpriv_usertype($1, $1_t) ++ domain_type($1_t) + +- relabel_dirs_pattern($2, git_home_t, git_home_t) +- relabel_files_pattern($2, git_home_t, git_home_t) ++ role $1_r types $1_t; ++ allow system_r $1_r; ++ ++ ######################################## ++ # ++ # Git daemon role shared policy. ++ # ++ ++ allow $1_t self:context contains; ++ allow $1_t self:fifo_file rw_fifo_file_perms; ++ ++ corecmd_exec_bin($1_t) ++ corecmd_bin_entry_type($1_t) ++ corecmd_shell_entry_type($1_t) ++ ++ domain_interactive_fd($1_t) ++ domain_user_exemption_target($1_t) ++ ++ kernel_read_system_state($1_t) ++ ++ files_read_etc_files($1_t) ++ files_dontaudit_search_home($1_t) ++ ++ miscfiles_read_localization($1_t) ++ ++ git_rwx_generic_system_content($1_t) ++ ++ ssh_rw_stream_sockets($1_t) ++ ++ tunable_policy(`git_system_use_cifs',` ++ fs_exec_cifs_files($1_t) ++ fs_manage_cifs_dirs($1_t) ++ fs_manage_cifs_files($1_t) ++ ') ++ ++ tunable_policy(`git_system_use_nfs',` ++ fs_exec_nfs_files($1_t) ++ fs_manage_nfs_dirs($1_t) ++ fs_manage_nfs_files($1_t) ++ ') ++ ++ optional_policy(` ++ nscd_read_pid($1_t) ++ ') ++') ++ ++####################################### ++## ++## Allow specified domain access to the ++## specified Git daemon content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type of the object that access is allowed to. 
++## ++## ++# ++interface(`git_content_delegation',` ++ gen_require(` ++ type $1, $2; ++ ') ++ ++ exec_files_pattern($1, $2, $2) ++ manage_dirs_pattern($1, $2, $2) ++ manage_files_pattern($1, $2, $2) ++ files_search_var($1) ++ ++ tunable_policy(`git_system_use_cifs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`git_system_use_nfs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') + ') + + ######################################## + ## +-## Allow the specified domain to execute +-## Git daemon data files. ++## Allow the specified domain to manage ++## and execute all Git daemon content. + ## + ## + ## +@@ -98,19 +199,46 @@ + ## + ## + # +-interface(`git_execute_data_files', ` ++interface(`git_rwx_all_content',` + gen_require(` +- type git_data_t; ++ attribute git_content; + ') + +- exec_files_pattern($1, git_data_t, git_data_t) ++ exec_files_pattern($1, git_content, git_content) ++ manage_dirs_pattern($1, git_content, git_content) ++ manage_files_pattern($1, git_content, git_content) ++ userdom_search_user_home_dirs($1) + files_search_var($1) ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`git_system_use_cifs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`git_system_use_nfs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') + ') + + ######################################## + ## + ## Allow the specified domain to manage +-## Git daemon data content. ++## and execute all Git daemon system content. 
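Review bot: `git_role_template` grants `$1_t` `git_rwx_generic_system_content($1_t)` together with bin/shell entry types and `ssh_rw_stream_sockets`, so every role derived from it can create, modify and execute files in all generic system repositories (`git_system_content_t`, i.e. /srv/git and /var/lib/git per the new git.fc), not only repositories handed to it through `git_content_delegation`. Because manage and exec land on the same type, a user in one derived role can presumably plant a repository hook that a user in another derived role later executes; the template's description should state that scope, e.g. `Roles derived from this template get full read, write and execute access to all generic system repositories.`, or the generic rwx call should move out of the template and be granted per role. `git_content_delegation` in the same hunk grants exec on the delegated type as well, consistent with that model.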
+ ## + ## + ## +@@ -119,20 +247,33 @@ + ## + ## + # +-interface(`git_manage_data_content', ` ++interface(`git_rwx_all_system_content',` + gen_require(` +- type git_data_t; ++ attribute git_system_content; + ') + +- manage_dirs_pattern($1, git_data_t, git_data_t) +- manage_files_pattern($1, git_data_t, git_data_t) ++ exec_files_pattern($1, git_system_content, git_system_content) ++ manage_dirs_pattern($1, git_system_content, git_system_content) ++ manage_files_pattern($1, git_system_content, git_system_content) + files_search_var($1) ++ ++ tunable_policy(`git_system_use_cifs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`git_system_use_nfs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') + ') + + ######################################## + ## + ## Allow the specified domain to manage +-## Git daemon home content. ++## and execute Git daemon generic system content. + ## + ## + ## +@@ -141,20 +282,33 @@ + ## + ## + # +-interface(`git_manage_home_content', ` ++interface(`git_rwx_generic_system_content',` + gen_require(` +- type git_home_t; ++ type git_system_content_t; ++ ') ++ ++ exec_files_pattern($1, git_system_content_t, git_system_content_t) ++ manage_dirs_pattern($1, git_system_content_t, git_system_content_t) ++ manage_files_pattern($1, git_system_content_t, git_system_content_t) ++ files_search_var($1) ++ ++ tunable_policy(`git_system_use_cifs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) + ') + +- manage_dirs_pattern($1, git_home_t, git_home_t) +- manage_files_pattern($1, git_home_t, git_home_t) +- files_search_home($1) ++ tunable_policy(`git_system_use_nfs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') + ') + + ######################################## + ## + ## Allow the specified domain to read +-## Git daemon home content. ++## all Git daemon content files. 
+ ## + ## + ## +@@ -163,20 +317,41 @@ + ## + ## + # +-interface(`git_read_home_content', ` ++interface(`git_read_all_content_files',` + gen_require(` +- type git_home_t; ++ attribute git_content; ++ ') ++ ++ list_dirs_pattern($1, git_content, git_content) ++ read_files_pattern($1, git_content, git_content) ++ userdom_search_user_home_dirs($1) + files_search_var_lib($1) ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') ++ ++ tunable_policy(`git_system_use_cifs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) + ') + +- list_dirs_pattern($1, git_home_t, git_home_t) +- read_files_pattern($1, git_home_t, git_home_t) +- files_search_home($1) ++ tunable_policy(`git_system_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') ') ######################################## -@@ -126,7 +126,7 @@ + ## + ## Allow the specified domain to read +-## Git daemon data content. ++## Git daemon session content files. 
+ ## + ## + ## +@@ -185,20 +360,30 @@ + ## + ## + # +-interface(`git_read_data_content', ` ++interface(`git_read_session_content_files',` + gen_require(` +- type git_data_t; ++ type git_session_content_t; + ') - manage_dirs_pattern($1, git_data_t, git_data_t) - manage_files_pattern($1, git_data_t, git_data_t) +- list_dirs_pattern($1, git_data_t, git_data_t) +- read_files_pattern($1, git_data_t, git_data_t) - files_search_var($1) -+ files_search_var_lib($1) ++ list_dirs_pattern($1, git_session_content_t, git_session_content_t) ++ read_files_pattern($1, git_session_content_t, git_session_content_t) ++ userdom_search_user_home_dirs($1) ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') ') ######################################## -@@ -192,7 +192,7 @@ + ## +-## Allow the specified domain to relabel +-## Git daemon data content. ++## Allow the specified domain to read ++## all Git daemon system content files. + ## + ## + ## +@@ -207,20 +392,30 @@ + ## + ## + # +-interface(`git_relabel_data_content', ` ++interface(`git_read_all_system_content_files',` + gen_require(` +- type git_data_t; ++ attribute git_system_content; + ') - list_dirs_pattern($1, git_data_t, git_data_t) - read_files_pattern($1, git_data_t, git_data_t) +- relabel_dirs_pattern($1, git_data_t, git_data_t) +- relabel_files_pattern($1, git_data_t, git_data_t) - files_search_var($1) ++ list_dirs_pattern($1, git_system_content, git_system_content) ++ read_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) ++ ++ tunable_policy(`git_system_use_cifs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') ++ ++ tunable_policy(`git_system_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') ') ######################################## -@@ -214,7 +214,7 @@ + ## +-## Allow the specified domain to relabel +-## Git daemon home content. 
++## Allow the specified domain to read ++## Git daemon generic system content files. + ## + ## + ## +@@ -229,57 +424,112 @@ + ## + ## + # +-interface(`git_relabel_home_content', ` ++interface(`git_read_generic_system_content_files',` + gen_require(` +- type git_home_t; ++ type git_system_content_t; + ') - relabel_dirs_pattern($1, git_data_t, git_data_t) - relabel_files_pattern($1, git_data_t, git_data_t) -- files_search_var($1) +- relabel_dirs_pattern($1, git_home_t, git_home_t) +- relabel_files_pattern($1, git_home_t, git_home_t) +- files_search_home($1) ++ list_dirs_pattern($1, git_system_content_t, git_system_content_t) ++ read_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) ++ ++ tunable_policy(`git_system_use_cifs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') ++ ++ tunable_policy(`git_system_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') ') ######################################## + ## +-## All of the rules required to administrate an +-## Git daemon system environment ++## Allow the specified domain to relabel ++## all Git daemon content. + ## +-## ++## + ## +-## Prefix of the domain. Example, user would be +-## the prefix for the user_t domain. ++## Domain allowed access. + ## + ## ++## ++# ++interface(`git_relabel_all_content',` ++ gen_require(` ++ attribute git_content; ++ ') ++ ++ relabel_dirs_pattern($1, git_content, git_content) ++ relabel_files_pattern($1, git_content, git_content) ++ userdom_search_user_home_dirs($1) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to relabel ++## all Git daemon system content. ++## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## ++## ++# ++interface(`git_relabel_all_system_content',` ++ gen_require(` ++ attribute git_system_content; ++ ') ++ ++ relabel_dirs_pattern($1, git_system_content, git_system_content) ++ relabel_files_pattern($1, git_system_content, git_system_content) ++ files_search_var_lib($1) ++') ++ ++######################################## + ## +-## The role to be allowed to manage the Git daemon domain. ++## Allow the specified domain to relabel ++## Git daemon generic system content. ++## ++## ++## ++## Domain allowed access. + ## + ## + ## + # +-interface(`git_system_admin', ` ++interface(`git_relabel_generic_system_content',` + gen_require(` +- type gitd_t, gitd_exec_t; ++ type git_system_content_t; + ') + +- allow $1 gitd_t:process { getattr ptrace signal_perms }; +- ps_process_pattern($1, gitd_t) +- +- kernel_search_proc($1) +- +- manage_files_pattern($1, gitd_exec_t, gitd_exec_t) +- +- # This will not work since git-shell needs to execute gitd content thus public content files. +- # There is currently no clean way to execute public content files. +- # miscfiles_manage_public_files($1) ++ relabel_dirs_pattern($1, git_system_content_t, git_system_content_t) ++ relabel_files_pattern($1, git_system_content_t, git_system_content_t) ++ files_search_var_lib($1) ++') + +- git_manage_data_content($1) +- git_relabel_data_content($1) ++######################################## ++## ++## Allow the specified domain to relabel ++## Git daemon session content. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`git_relabel_session_content',` ++ gen_require(` ++ type git_session_content_t; ++ ') + +- seutil_domtrans_setfiles($1) ++ relabel_dirs_pattern($1, git_session_content_t, git_session_content_t) ++ relabel_files_pattern($1, git_session_content_t, git_session_content_t) ++ userdom_search_user_home_dirs($1) + ') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-22 12:32:35.787604988 +0100 -@@ -73,7 +73,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-02-09 12:46:59.675881993 +0100 +@@ -1,13 +1,5 @@ + +-policy_module(git, 1.0) +- +-attribute gitd_type; +-attribute git_content_type; +- +-######################################## +-# +-# Git daemon system private declarations. +-# ++policy_module(git, 1.0.3) + + ## + ##
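Review bot: This hunk deletes the `git_system_admin` interface outright without a deprecated stub, so any module in the tree that still calls `git_system_admin(...)` (typically a staff or sysadm role file) fails at build time; nothing on this page shows whether callers were updated. Unless the callers are known to be gone, keep a compatibility wrapper that warns and forwards to the new interfaces; the new `git_rwx_all_system_content` and `git_relabel_all_system_content` cover what the old body granted on content, though the old `ptrace`/`signal_perms` on the daemon and `seutil_domtrans_setfiles` are not reproduced and would need a decision.
```m4
interface(`git_system_admin',`
	refpolicywarn(`$0($*) has been deprecated, use git_rwx_all_system_content() and git_relabel_all_system_content() instead.')
	git_rwx_all_system_content($1)
	git_relabel_all_system_content($1)
')
```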

+@@ -34,20 +26,29 @@ + # + # Git daemon global private declarations. + # ++ ++attribute git_domains; ++attribute git_system_content; ++attribute git_content; ++ + type gitd_exec_t; + +-type gitd_t, gitd_type; +-inetd_service_domain(gitd_t, gitd_exec_t) +-role system_r types gitd_t; ++######################################## ++# ++# Git daemon system private declarations. ++# + +-type git_data_t, git_content_type; +-files_type(git_data_t) ++type git_system_t, git_domains; ++inetd_service_domain(git_system_t, gitd_exec_t) ++role system_r types git_system_t; + +-permissive gitd_t; ++type git_system_content_t, git_system_content, git_content; ++files_type(git_system_content_t) ++typealias git_system_content_t alias git_data_t; + + ######################################## # +-# Git daemon session session private declarations. ++# Git daemon session private declarations. + # + + ## +@@ -58,85 +59,82 @@ + ## + gen_tunable(git_session_bind_all_unreserved_ports, false) + +-type gitd_session_t, gitd_type; +-application_domain(gitd_session_t, gitd_exec_t) +-ubac_constrained(gitd_session_t) +- +-type git_home_t, git_content_type; +-userdom_user_home_content(git_home_t) ++type git_session_t, git_domains; ++application_domain(git_session_t, gitd_exec_t) ++ubac_constrained(git_session_t) - allow gitd_type self:fifo_file rw_fifo_file_perms; +-permissive gitd_session_t; ++type git_session_content_t, git_content; ++userdom_user_home_content(git_session_content_t) + + ######################################## + # + # Git daemon global private policy. 
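Review bot: `++typealias git_system_content_t alias git_data_t;` keeps the old system label valid, but `git_home_t` is removed (`-type git_home_t, git_content_type;`) and the replacement `type git_session_content_t, git_content;` gets no alias, so on any installed system that already carries git_home_t labels those files become unlabeled until a full relabel. For consistency with the git_data_t treatment add `typealias git_session_content_t alias git_home_t;` under the session declarations, or note in the commit why the old home type is intentionally dropped.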
+ # + +-allow gitd_type self:fifo_file rw_fifo_file_perms; -allow gitd_type self:tcp_socket create_socket_perms; -+allow gitd_type self:tcp_socket create_stream_socket_perms; - allow gitd_type self:udp_socket create_socket_perms; - allow gitd_type self:unix_dgram_socket create_socket_perms; +-allow gitd_type self:udp_socket create_socket_perms; +-allow gitd_type self:unix_dgram_socket create_socket_perms; ++allow git_domains self:fifo_file rw_fifo_file_perms; ++allow git_domains self:netlink_route_socket create_netlink_socket_perms; ++allow git_domains self:tcp_socket { create_socket_perms listen }; ++allow git_domains self:udp_socket create_socket_perms; ++allow git_domains self:unix_dgram_socket create_socket_perms; + +-corenet_all_recvfrom_netlabel(gitd_type) +-corenet_all_recvfrom_unlabeled(gitd_type) ++corenet_all_recvfrom_netlabel(git_domains) ++corenet_all_recvfrom_unlabeled(git_domains) + +-corenet_tcp_sendrecv_all_if(gitd_type) +-corenet_tcp_sendrecv_all_nodes(gitd_type) +-corenet_tcp_sendrecv_all_ports(gitd_type) ++corenet_tcp_bind_generic_node(git_domains) + +-corenet_tcp_bind_all_nodes(gitd_type) +-corenet_tcp_bind_git_port(gitd_type) ++corenet_tcp_sendrecv_generic_if(git_domains) ++corenet_tcp_sendrecv_generic_node(git_domains) ++corenet_tcp_sendrecv_generic_port(git_domains) + +-corecmd_exec_bin(gitd_type) ++corenet_tcp_bind_git_port(git_domains) ++corenet_sendrecv_git_server_packets(git_domains) + +-files_read_etc_files(gitd_type) +-files_read_usr_files(gitd_type) ++corecmd_exec_bin(git_domains) + +-fs_search_auto_mountpoints(gitd_type) ++files_read_etc_files(git_domains) ++files_read_usr_files(git_domains) + +-kernel_read_system_state(gitd_type) ++fs_search_auto_mountpoints(git_domains) + +-logging_send_syslog_msg(gitd_type) ++kernel_read_system_state(git_domains) + +-auth_use_nsswitch(gitd_type) ++auth_use_nsswitch(git_domains) + +-miscfiles_read_localization(gitd_type) ++logging_send_syslog_msg(git_domains) ++ 
++miscfiles_read_localization(git_domains) + + ######################################## + # + # Git daemon system repository private policy. + # + +-list_dirs_pattern(gitd_t, git_content_type, git_content_type) +-read_files_pattern(gitd_t, git_content_type, git_content_type) +-files_search_var(gitd_t) +- +-# This will not work since git-shell needs to execute gitd content thus public content files. +-# There is currently no clean way to execute public content files. +-# miscfiles_read_public_files(gitd_t) ++list_dirs_pattern(git_system_t, git_content, git_content) ++read_files_pattern(git_system_t, git_content, git_content) ++files_search_var(git_system_t) + + tunable_policy(`git_system_enable_homedirs', ` +- userdom_search_user_home_dirs(gitd_t) ++ userdom_search_user_home_dirs(git_system_t) + ') + + tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` +- fs_list_nfs(gitd_t) +- fs_read_nfs_files(gitd_t) ++ fs_list_nfs(git_system_t) ++ fs_read_nfs_files(git_system_t) + ') + + tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` +- fs_list_cifs(gitd_t) +- fs_read_cifs_files(gitd_t) ++ fs_list_cifs(git_system_t) ++ fs_read_cifs_files(git_system_t) + ') + + tunable_policy(`git_system_use_cifs', ` +- fs_list_cifs(gitd_t) +- fs_read_cifs_files(gitd_t) ++ fs_list_cifs(git_system_t) ++ fs_read_cifs_files(git_system_t) + ') + + tunable_policy(`git_system_use_nfs', ` +- fs_list_nfs(gitd_t) +- fs_read_nfs_files(gitd_t) ++ fs_list_nfs(git_system_t) ++ fs_read_nfs_files(git_system_t) + ') -@@ -171,3 +171,6 @@ + ######################################## +@@ -144,24 +142,24 @@ + # Git daemon session repository private policy. 
+ # + +-list_dirs_pattern(gitd_session_t, git_home_t, git_home_t) +-read_files_pattern(gitd_session_t, git_home_t, git_home_t) +-userdom_search_user_home_dirs(gitd_session_t) ++list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) ++read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) ++userdom_search_user_home_dirs(git_session_t) + +-userdom_use_user_terminals(gitd_session_t) ++userdom_use_user_terminals(git_session_t) + + tunable_policy(`git_session_bind_all_unreserved_ports', ` +- corenet_tcp_bind_all_unreserved_ports(gitd_session_t) ++ corenet_tcp_bind_all_unreserved_ports(git_session_t) + ') + + tunable_policy(`use_nfs_home_dirs', ` +- fs_list_nfs(gitd_session_t) +- fs_read_nfs_files(gitd_session_t) ++ fs_list_nfs(git_session_t) ++ fs_read_nfs_files(git_session_t) + ') + tunable_policy(`use_samba_home_dirs', ` +- fs_list_cifs(gitd_session_t) +- fs_read_cifs_files(gitd_session_t) ++ fs_list_cifs(git_session_t) ++ fs_read_cifs_files(git_session_t) + ') + + ######################################## +@@ -169,5 +167,16 @@ + # cgi git Declarations + # + ++optional_policy(` apache_content_template(git) - git_read_data_content(httpd_git_script_t) +-git_read_data_content(httpd_git_script_t) ++ git_read_session_content_files(httpd_git_script_t) ++ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) ++') + -+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) ++######################################## ++# ++# Git-shell private policy. ++# + ++#git_role_template(git_shell) ++#gen_user(git_shell_u, user, git_shell_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100 +++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-22 17:08:10.300604739 +0100 
@@ -1855,17 +2824,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_kerberos',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-01-29 10:17:34.113864636 +0100 -@@ -2,6 +2,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-02-09 10:45:23.074866029 +0100 +@@ -1,8 +1,12 @@ + /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) ++/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) ++ /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/dirsrv.* -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) -+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -+ /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) ++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) ifdef(`distro_debian',` -@@ -10,8 +12,12 @@ + /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) +@@ -10,8 +14,12 @@ /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) 
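Review bot: `/etc/openldap/slapd\.d(/.*)?` is labelled `slapd_db_t` while `/etc/ldap/slapd\.conf` on the line above stays `slapd_etc_t`, so the daemon gets the same write access to that configuration tree as it has to its databases. If that is deliberate because slapd.d is OpenLDAP's online (cn=config) configuration that slapd rewrites itself, a comment above the entry would stop the next reader from treating it as a labelling slip, e.g. `# slapd.d is the cn=config online configuration, rewritten by slapd at runtime — confirm`. The same hunk also maps `/usr/sbin/ns-slapd` and the `dirsrv.*` init scripts onto the slapd types, which presumably means 389 Directory Server now runs with every rule written for OpenLDAP's slapd_t; if so the changelog line "Add label for /usr/sbin/ns-slapd" could say that, since it is a domain-sharing decision rather than just a label.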
@@ -1978,6 +2951,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +term_dontaudit_use_all_user_ptys(memcached_t) +term_dontaudit_use_all_user_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if +--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-18 18:24:22.812540439 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-02-09 12:33:50.721866005 +0100 +@@ -786,6 +786,25 @@ + allow $1 mqueue_spool_t:dir search_dir_perms; + ') + ++##################################### ++##

++## List the mail queue.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_list_queue',`
++ gen_require(`
++ type mqueue_spool_t;
++ ')
++
++ allow $1 mqueue_spool_t:dir list_dir_perms;
++ files_search_spool($1)
++')
++
+ #######################################
+ ##
+ ## Read the mail queue.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-02-02 10:43:31.244162625 +0100
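Review bot: The separator line above the new `mta_list_queue` interface is shorter than the one the file uses for the neighbouring "Read the mail queue" block, so the two headers no longer line up; match the length of the existing run in mta.if. The summary "List the mail queue" also understates the grant: besides `list_dir_perms` on `mqueue_spool_t` the interface calls `files_search_spool($1)`, so the caller may also traverse the spool parent directory, which deserves one line in the description, e.g. `## Also allows searching the parent spool directory.`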
@@ -1989,9 +2991,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te +--- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-02-09 12:34:15.400865901 +0100 +@@ -134,6 +134,7 @@ + optional_policy(` + mta_read_config(munin_t) + mta_send_mail(munin_t) ++ mta_list_queue(munin_t) + mta_read_queue(munin_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-01-26 14:38:16.349463228 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-02-08 11:12:04.320336459 +0100 +@@ -44,7 +44,7 @@ + # Local policy + # + +-allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; ++allow mysqld_t self:capability { dac_override setgid setuid sys_resource ipc_lock net_bind_service }; + dontaudit mysqld_t self:capability sys_tty_config; + allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; + allow mysqld_t self:fifo_file rw_fifo_file_perms; @@ -147,6 +147,8 @@ dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; 
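Review bot: `ipc_lock` is added to mysqld_t's capability set with no comment, and unlike the other capabilities on that line its purpose is not obvious from the daemon's job; presumably it is for locking the server's memory (memlock or large pages), but the hunk does not say. A one-line comment above the allow rule, `# ipc_lock: mysqld locks its buffers in memory when memlock/large pages are enabled — confirm`, would record the reason so the capability is not silently kept after the use case disappears.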
@@ -2069,6 +3091,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if +--- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-02-09 12:44:57.821616516 +0100 +@@ -150,6 +150,8 @@ + # needed by command.cfg + domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + ++ allow nagios_t nagios_$1_plugin_t:process signal_perms; ++ + # cjp: leaked file descriptor + dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-22 16:03:19.932604694 +0100 @@ -2201,7 +3235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-02-03 23:23:09.612821595 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-02-09 10:12:27.273913281 +0100 @@ -41,6 +41,19 @@ allow plymouthd_t self:fifo_file rw_fifo_file_perms; allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; 
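Review bot: `allow nagios_t nagios_$1_plugin_t:process signal_perms;` sits inside a template, so it is instantiated for every plugin type generated from it and grants the whole signal set (in refpolicy's sets that includes sigkill and sigstop), not just the signal nagios needs. A comment would tie the rule to its reason, e.g. `# nagios signals plugins that exceed their timeout — confirm`, and if only killing on timeout is required `{ signal sigkill }` is the narrower form. The template that encloses this rule starts outside the hunk.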
@@ -2257,6 +3291,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(plymouth_t) files_read_etc_files(plymouth_t) +@@ -90,6 +94,8 @@ + + plymouth_stream_connect(plymouth_t) + ++sysnet_read_config(plymouth_t) ++ + optional_policy(` + lvm_domtrans(plymouth_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100 +++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-02-02 15:30:16.529067989 +0100 @@ -2595,7 +3638,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-01 20:42:31.450160322 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-09 10:52:45.543866160 +0100 +@@ -208,7 +208,7 @@ + files_read_usr_symlinks(samba_net_t) + + auth_use_nsswitch(samba_net_t) +-auth_rw_cache(samba_net_t) ++auth_manage_cache(samba_net_t) + + logging_send_syslog_msg(samba_net_t) + @@ -286,6 +286,8 @@ allow smbd_t winbind_t:process { signal signull }; 
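Review bot: `auth_rw_cache(samba_net_t)` becomes `auth_manage_cache(samba_net_t)`, which in refpolicy's naming adds create, unlink and rename on the auth cache to the read/write access the domain already had; the same widening is made for smbd_t in the next hunk (`auth_manage_cache(smbd_t)`) and for winbind_t in the `@@ -838,7 +845,7 @@` hunk of samba.te. None of the three says which files the domain needs to create or remove there, so a short note on each, e.g. `# creates and removes its own entries under the auth cache`, would explain the jump from rw to manage. If only one of the three domains actually creates files, the other two could keep the narrower interface.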
@@ -2605,7 +3657,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) -@@ -350,7 +352,7 @@ +@@ -327,6 +329,7 @@ + auth_use_nsswitch(smbd_t) + auth_domtrans_chk_passwd(smbd_t) + auth_domtrans_upd_passwd(smbd_t) ++auth_manage_cache(smbd_t) + + domain_use_interactive_fds(smbd_t) + domain_dontaudit_list_all_domains_state(smbd_t) +@@ -350,7 +353,7 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -2614,7 +3674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_signal_all_users(smbd_t) usermanage_read_crack_db(smbd_t) -@@ -485,6 +487,8 @@ +@@ -485,6 +488,8 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) @@ -2623,7 +3683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow nmbd_t smbcontrol_t:process signal; allow nmbd_t smbd_var_run_t:dir rw_dir_perms; -@@ -661,6 +665,7 @@ +@@ -661,6 +666,7 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; 
@@ -2631,6 +3691,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow swat_t nmbd_t:process { signal signull }; allow swat_t nmbd_exec_t:file mmap_file_perms; +@@ -829,6 +835,7 @@ + corenet_tcp_bind_generic_node(winbind_t) + corenet_udp_bind_generic_node(winbind_t) + corenet_tcp_connect_smbd_port(winbind_t) ++corenet_tcp_connect_all_unreserved_ports(winbind_t) + + dev_read_sysfs(winbind_t) + dev_read_urand(winbind_t) +@@ -838,7 +845,7 @@ + + auth_domtrans_chk_passwd(winbind_t) + auth_use_nsswitch(winbind_t) +-auth_rw_cache(winbind_t) ++auth_manage_cache(winbind_t) + + domain_use_interactive_fds(winbind_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-01-18 18:27:02.771531176 +0100 @@ -2713,7 +3790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-01-18 18:24:22.896530172 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2010-02-04 18:16:54.117060833 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2010-02-09 12:37:21.512866130 +0100 @@ -147,6 +147,8 @@ kernel_read_kernel_sysctls(spamassassin_t) 
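Review bot: `corenet_tcp_connect_all_unreserved_ports(winbind_t)` opens outbound TCP from winbind to every port in the unreserved range on every node, which is far wider than the targeted `corenet_tcp_connect_smbd_port(winbind_t)` directly above it and turns winbind into a general egress path if it is compromised. If this serves one specific service (for example a domain controller answering on a dynamic port), naming that port type, or at least guarding the rule with a tunable so sites that do not need it can leave it off, would be tighter. At minimum a comment should say which protocol needs it, e.g. `# winbind connects to DC services on dynamic ports — confirm which`.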
@@ -2723,6 +3800,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) +@@ -470,6 +473,10 @@ + userdom_search_user_home_dirs(spamd_t) + + optional_policy(` ++ dcc_domtrans_cdcc(spamd_t) ++') ++ ++optional_policy(` + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-02-08 00:22:54.835167354 +0100 @@ -3376,8 +4464,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-03 10:39:48.878145130 +0100 -@@ -301,6 +301,9 @@ ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-09 10:08:14.902615674 +0100 +@@ -253,6 +253,7 @@ + allow xdm_t iceauth_home_t:file read_file_perms; + + dev_read_rand(iceauth_t) ++dev_dontaudit_read_urand(iceauth_t) + + fs_search_auto_mountpoints(iceauth_t) + +@@ -301,6 +302,9 @@ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) @@ -3387,7 +4483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(xauth_t) dev_rw_xserver_misc(xauth_t) -@@ -309,8 +312,12 @@ +@@ -309,8 +313,12 @@ files_read_usr_files(xauth_t) files_search_pids(xauth_t) files_dontaudit_getattr_all_dirs(xauth_t) 
@@ -3400,7 +4496,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -506,6 +513,7 @@ +@@ -506,6 +514,7 @@ dev_dontaudit_rw_misc(xdm_t) dev_getattr_video_dev(xdm_t) dev_setattr_video_dev(xdm_t) @@ -3408,7 +4504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) dev_read_sound(xdm_t) -@@ -582,6 +590,7 @@ +@@ -582,6 +591,7 @@ userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) userdom_stream_connect(xdm_t) @@ -3416,7 +4512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_tmp_dirs(xdm_t) userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) -@@ -668,6 +677,7 @@ +@@ -668,6 +678,7 @@ optional_policy(` gnome_read_gconf_config(xdm_t) @@ -3424,7 +4520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -675,6 +685,10 @@ +@@ -675,6 +686,10 @@ ') optional_policy(` @@ -3435,7 +4531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol loadkeys_exec(xdm_t) ') -@@ -712,6 +726,7 @@ +@@ -712,6 +727,7 @@ optional_policy(` pulseaudio_exec(xdm_t) pulseaudio_dbus_chat(xdm_t) 
@@ -3445,8 +4541,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # On crash gdm execs gdb to dump stack diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2010-01-18 18:24:22.925530368 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/application.te 2010-02-03 15:31:03.649144986 +0100 -@@ -15,6 +15,10 @@ ++++ serefpolicy-3.6.32/policy/modules/system/application.te 2010-02-09 12:51:23.459615874 +0100 +@@ -1,5 +1,5 @@ + +-policy_module(application, 1.1.0) ++policy_module(application, 1.1.1) + + # Attribute of user applications + attribute application_domain_type; +@@ -7,14 +7,18 @@ + # Executables to be run by user + attribute application_exec_type; + +-userdom_append_user_home_content_files(application_domain_type) +-userdom_write_user_tmp_files(application_domain_type) +-logging_rw_all_logs(application_domain_type) ++userdom_inherit_append_user_home_content_files(application_domain_type) + userdom_inherit_append_admin_home_files(application_domain_type) ++userdom_inherit_append_user_tmp_files(application_domain_type) ++logging_inherit_append_all_logs(application_domain_type) + files_dontaudit_search_all_dirs(application_domain_type) optional_policy(` @@ -3506,7 +4620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-04 19:32:10.455185143 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-09 09:59:47.912615584 +0100 @@ -165,6 +165,7 @@ type init_t; role system_r; 
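Review bot: Replacing `userdom_append_user_home_content_files`, `userdom_write_user_tmp_files` and `logging_rw_all_logs` with the `*_inherit_append_*` interfaces tightens what every application_domain_type may do to user home, tmp and log files, but application.te gets no comment explaining the new rule. The block would be clearer with `# application domains may only append through descriptors they inherit; they may not open home, tmp or log files for writing themselves` above the four interface calls. The `inherit` naming, and the `{ getattr append }` body given to `logging_inherit_append_all_logs` later in this patch, suggest that is the intent, but it is worth stating in the .te since any application that opens these files itself will now be denied.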
@@ -3532,15 +4646,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') application_domain($1,$2) -@@ -281,6 +285,7 @@ +@@ -281,6 +285,8 @@ domtrans_pattern(initrc_t,$2,$1) allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 initrc_transition_domain:fd use; ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -775,8 +780,10 @@ +@@ -554,7 +560,7 @@ + ') + + dev_list_all_dev_nodes($1) +- allow $1 initctl_t:fifo_file write; ++ allow $1 initctl_t:fifo_file write_file_perms; + ') + + ######################################## +@@ -775,8 +781,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -3551,7 +4675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1686,3 +1693,26 @@ +@@ -1686,3 +1694,26 @@ allow $1 initrc_t:sem rw_sem_perms; ') @@ -3580,7 +4704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-04 17:25:21.696810756 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-09 09:59:50.702615499 +0100 @@ -40,6 +40,7 @@ attribute init_script_domain_type; attribute init_script_file_type; 
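Review bot: `allow $1 initctl_t:fifo_file write;` becomes `write_file_perms`, which in refpolicy's permission sets adds getattr, open, append, lock and ioctl to the single `write` the rule had; if the caller only failed on `open`, `{ open write }` would be the minimal change. The `allow $1 initrc_transition_domain:fd use;` added to the first hunk likewise has no comment on which descriptors are being handed across; the interfaces both rules belong to begin outside their hunks.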
@@ -3589,10 +4713,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Mark process types as daemons attribute daemon; -@@ -212,6 +213,10 @@ +@@ -118,6 +119,7 @@ + + allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; + allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms }; ++allow initrc_t init_t:fifo_file rw_fifo_file_perms; + + # For /var/run/shutdown.pid. + allow init_t init_var_run_t:file manage_file_perms; +@@ -191,6 +193,7 @@ + ') + + ifdef(`distro_redhat',` ++ fs_read_tmpfs_symlinks(init_t) + fs_rw_tmpfs_chr_files(init_t) + fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) + ') +@@ -212,6 +215,11 @@ ') optional_policy(` ++ dbus_connect_system_bus(init_t) + dbus_system_bus_client(init_t) +') + @@ -3600,7 +4741,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /var/run/dovecot/login/ssl-parameters.dat is a hard link to # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up # the directory. But we do not want to allow this. -@@ -872,6 +877,7 @@ +@@ -224,6 +232,10 @@ + ') + + optional_policy(` ++ sssd_stream_connect(init_t) ++') ++ ++optional_policy(` + unconfined_domain(init_t) + ') + +@@ -312,6 +324,7 @@ + + dev_read_rand(initrc_t) + dev_read_urand(initrc_t) ++dev_write_kmsg(initrc_t) + dev_write_rand(initrc_t) + dev_write_urand(initrc_t) + dev_rw_sysfs(initrc_t) +@@ -531,6 +544,7 @@ + # Needs to cp localtime to /var dirs + files_write_var_dirs(initrc_t) + ++ fs_read_tmpfs_symlinks(initrc_t) + fs_rw_tmpfs_chr_files(initrc_t) + + storage_manage_fixed_disk(initrc_t) +@@ -872,6 +886,7 @@ optional_policy(` unconfined_domain(initrc_t) 
@@ -3608,7 +4776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -885,6 +891,9 @@ +@@ -885,6 +900,9 @@ # Allow SELinux aware applications to request rpm_script_t execution rpm_transition_script(initrc_t) @@ -3630,6 +4798,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if +--- nsaserefpolicy/policy/modules/system/iptables.if 2010-01-18 18:24:22.941530168 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-02-09 10:36:30.616615893 +0100 +@@ -67,6 +67,13 @@ + optional_policy(` + modutils_run_insmod(iptables_t, $2) + ') ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit iptables_t $1:unix_stream_socket rw_socket_perms; ++ dontaudit iptables_t $1:tcp_socket rw_socket_perms; ++ dontaudit iptables_t $1:udp_socket rw_socket_perms; ++') ++ + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100 +++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-02 15:25:03.135335306 +0100 
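Review bot: `dev_write_kmsg(initrc_t)` lets every init script running in initrc_t write to the kernel log device, and it is added among the unrelated rand/urand rules with nothing saying which script needs it; a comment such as `# <script name> writes boot markers to /dev/kmsg — fill in` would tie the grant to its user. `sssd_stream_connect(init_t)` in the same hunk is self-explanatory, but the two `fs_read_tmpfs_symlinks` additions (for init_t under distro_redhat and for initrc_t) also arrive without a word on what is now symlinked on tmpfs.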
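Review bot: The three dontaudit rules added under the `hide_broken_symptoms` ifdef silence iptables_t reading and writing sockets leaked to it by the calling domain `$1`, but they do not say so; `# hide leaked socket descriptors inherited from the caller` above them would make clear that the long-term fix is for callers to close their sockets before exec, not to allow the access. Because this sits inside an interface whose start is outside the hunk, the rules apply to every caller of that interface, and the closing `')` that follows the ifdef block belongs to the interface itself.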
@@ -3781,6 +4966,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if +--- nsaserefpolicy/policy/modules/system/logging.if 2010-01-18 18:24:22.950540043 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/logging.if 2010-02-09 12:55:48.458629829 +0100 +@@ -641,6 +641,24 @@ + append_files_pattern($1, logfile, logfile) + ') + ++###################################### ++## ++## Append to all log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_inherit_append_all_logs',` ++ gen_require(` ++ attribute logfile; ++ ') ++ ++ allow $1 logfile:file { getattr append }; ++') ++ + ######################################## + ## + ## Read all log files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100 +++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-02 14:39:43.439068166 +0100 
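Review bot: The summary of `logging_inherit_append_all_logs` says "Append to all log files", but the rule it adds is `allow $1 logfile:file { getattr append };` with no `open`, so a caller can only append through a log descriptor it already holds (inherited or passed to it) and cannot open a log file itself — presumably the point of the `inherit` in the name. The summary should say so, e.g. `## Append to all log files through inherited descriptors only; does not allow opening them.`, otherwise a policy author reaching for it will be surprised by open denials. The separator above the new block is also shorter than the run the file uses for the "Read all log files" block just below it.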
@@ -3839,9 +5052,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 fonts_cache_t:dir setattr; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te +--- nsaserefpolicy/policy/modules/system/modutils.te 2010-01-18 18:24:22.959530712 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2010-02-09 09:59:53.815865530 +0100 +@@ -131,6 +131,7 @@ + kernel_read_debugfs(insmod_t) + # Rules for /proc/sys/kernel/tainted + kernel_read_kernel_sysctls(insmod_t) ++kernel_request_load_module(insmod_t) + kernel_rw_kernel_sysctl(insmod_t) + kernel_read_hotplug_sysctls(insmod_t) + kernel_setsched(insmod_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-02-02 18:59:46.438067812 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-02-08 11:03:56.385336831 +0100 @@ -155,6 +155,8 @@ seutil_read_config(mount_t) @@ -3859,11 +5083,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -260,6 +263,14 @@ +@@ -260,6 +263,18 @@ samba_read_config(mount_t) ') +optional_policy(` ++ ssh_exec(mount_t) ++') ++ ++optional_policy(` + usbmuxd_stream_connect(mount_t) +') + 
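Review bot: `ssh_exec(mount_t)` runs the ssh client inside the mount_t domain without a domain transition, so ssh inherits mount_t's whole privilege set and mount_t will in turn accumulate ssh's needs (key files, known_hosts, network) as denials appear. If this is for a network filesystem helper that shells out to ssh (presumably sshfs), say so in a comment, `# <helper> execs ssh — confirm`, and consider whether a transition to the ssh domain, if ssh.if offers one, would fit better than running ssh as mount. The `kernel_request_load_module(insmod_t)` change in the first hunk is fine but would also read better with a one-line reason.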
@@ -3898,8 +5126,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_use_fds(dhcpc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-03 14:37:00.939144600 +0100 -@@ -273,6 +273,10 @@ ++++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100 +@@ -100,6 +100,7 @@ + # udev_node.c/node_symlink() symlink labels are explicitly + # preserved, instead of short circuiting the relabel + dev_relabel_generic_symlinks(udev_t) ++dev_manage_generic_symlinks(udev_t) + + domain_read_all_domains_state(udev_t) + domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +@@ -273,6 +274,10 @@ ') optional_policy(` @@ -3999,7 +5235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_raw_read_fixed_disk(xenstored_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100 -+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-02-01 20:58:41.140409177 +0100 ++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-02-09 10:00:01.300658461 +0100 @@ -28,8 +28,7 @@ # # All socket classes. 
@@ -4010,6 +5246,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # Datagram socket classes. +@@ -227,7 +226,7 @@ + define(`create_lnk_file_perms',`{ create getattr }') + define(`rename_lnk_file_perms',`{ getattr rename }') + define(`delete_lnk_file_perms',`{ getattr unlink }') +-define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }') ++define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') + define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') + define(`relabelto_lnk_file_perms',`{ getattr relabelto }') + define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users --- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100 +++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index 85cada0..0c3be8c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 85%{?dist} +Release: 86%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,15 @@ exit 0 %endif %changelog +* Tue Feb 9 2010 Miroslav Grepl 3.6.32-86 +- Allow mysql ipc_lock capability +- Allow passwd sys_nice capability +- Allow plymouth to read network config files +- Fixes for git +- Add label for /usr/sbin/ns-slapd +- Allow munin to list mail queue +- Add label for shorewall compiler + * Fri Feb 5 2010 Dan Walsh 3.6.32-85 - Cleanup spec file
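Review bot: The change to `manage_lnk_file_perms` in obj_perm_sets.spt widens a global permission set: every `manage_lnk_file_perms` use across the policy now also gets write, append, ioctl and lock on symlinks, not just the udev case this release presumably addresses. Symlink contents cannot be written through in practice, so the real-world effect is small, but it is a policy-wide change that the changelog below does not list among its seven items, and it deserves its own line there plus a comment in the .spt saying the set was aligned with the file permission sets, if that is the intent. If only udev needed the extra permissions, a local allow rule would be a smaller change than editing the shared macro.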