diff --git a/policy-F13.patch b/policy-F13.patch index 8890092..fb2ce4c 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1573,7 +1573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.14/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/admin/shutdown.te 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/shutdown.te 2010-03-14 22:42:45.000000000 -0400 @@ -0,0 +1,57 @@ +policy_module(shutdown,1.0.0) + @@ -1600,7 +1600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +# shutdown local policy +# + -+allow shutdown_t self:capability { kill setuid sys_tty_config }; ++allow shutdown_t self:capability { dac_override kill setuid sys_tty_config }; +allow shutdown_t self:process { fork signal }; + +allow shutdown_t self:fifo_file manage_fifo_file_perms; @@ -2002,7 +2002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.f +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.14/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/apps/chrome.if 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/chrome.if 2010-03-15 14:11:08.000000000 -0400 @@ -0,0 +1,90 @@ + +## policy for chrome 
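Review bot: The `dac_override` added to `allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };` lets shutdown_t ignore file-mode checks on every object its other rules already reach, which is a much wider grant than the three capabilities the line previously carried; if it was added to clear one denial, that object can usually be reached by labelling it or through the interface that already covers it. Whatever the reason, it should be recorded on the line so the next reviewer can re-check it, e.g. `# dac_override: <access that required it — TODO fill in from the denial>`. The rest of the new shutdown.te is outside this hunk.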
@@ -2242,8 +2242,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.14/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/apps/execmem.if 2010-03-12 09:30:00.000000000 -0500 -@@ -0,0 +1,116 @@ ++++ serefpolicy-3.7.14/policy/modules/apps/execmem.if 2010-03-15 14:11:49.000000000 -0400 +@@ -0,0 +1,118 @@ +## execmem domain + +######################################## @@ -2308,7 +2308,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + allow $1_execmem_t self:process { execmem execstack }; + allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; + domtrans_pattern($3, execmem_exec_t, $1_execmem_t) -+ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_execmem_t $3:socket_class_set { read write }; ++') + files_execmod_tmp($1_execmem_t) + + optional_policy(` @@ -4506,7 +4508,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.14/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.14/policy/modules/apps/pulseaudio.if 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/pulseaudio.if 2010-03-14 23:18:21.000000000 -0400 +@@ -18,7 +18,7 @@ + interface(`pulseaudio_role',` + gen_require(` + type pulseaudio_t, pulseaudio_exec_t, print_spool_t; +- class dbus { send_msg }; ++ class dbus { acquire_svc send_msg }; + ') + + role $1 types pulseaudio_t; @@ -29,7 +29,7 @@ ps_process_pattern($2, pulseaudio_t) 
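Review bot: The new `ifdef(`hide_broken_symptoms', `` line and its closing `')` in execmem.if appear at column 0 while the `dontaudit` between them and the neighbouring `allow $1_execmem_t ...`, `domtrans_pattern(...)`, `files_execmod_tmp(...)` and `optional_policy(`` lines are indented one level, as far as the collapsed hunk shows; indenting the two wrapper lines to match keeps the template body readable. The dontaudit itself only silences audit records for socket descriptors inherited across the transition and grants nothing, so it is the usual pattern for that build option. The enclosing template starts and ends outside the hunk.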
@@ -5932,7 +5943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if xserver_role($1_r, $1_wine_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.14/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/apps/wine.te 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/wine.te 2010-03-14 23:34:28.000000000 -0400 @@ -1,6 +1,14 @@ policy_module(wine, 1.6.1) @@ -5963,6 +5974,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te files_execmod_all_files(wine_t) +@@ -41,6 +55,10 @@ + ') + + optional_policy(` ++ policykit_dbus_chat(wine_t) ++') ++ ++optional_policy(` + unconfined_domain_noaudit(wine_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.14/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400 +++ serefpolicy-3.7.14/policy/modules/apps/wm.if 2010-03-12 09:30:00.000000000 -0500 @@ -6187,7 +6209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.14/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/kernel/devices.if 2010-03-13 09:47:14.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/devices.if 2010-03-14 23:46:26.000000000 -0400 @@ -934,6 +934,42 @@ ######################################## 
@@ -6231,7 +6253,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Delete all block device files. ## ## -@@ -3440,6 +3476,24 @@ +@@ -2597,6 +2633,7 @@ + type mtrr_device_t; + ') + ++ dontaudit $1 mtrr_device_t:file write; + dontaudit $1 mtrr_device_t:chr_file write; + ') + +@@ -3440,6 +3477,24 @@ ######################################## ## @@ -6256,7 +6286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of sysfs directories. ## ## -@@ -3733,6 +3787,24 @@ +@@ -3733,6 +3788,24 @@ ######################################## ## @@ -10006,7 +10036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.14/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/abrt.te 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/abrt.te 2010-03-15 14:38:06.000000000 -0400 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10102,7 +10132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sysnet_read_config(abrt_t) -@@ -103,22 +133,98 @@ +@@ -103,22 +133,102 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10118,8 +10148,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +optional_policy(` + nis_use_ypbind(abrt_t) +') -+ -+optional_policy(` + + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- dbus_system_bus_client(abrt_t) + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) +') 
@@ -10130,10 +10162,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +') - - optional_policy(` -- dbus_connect_system_bus(abrt_t) -- dbus_system_bus_client(abrt_t) ++ ++optional_policy(` + prelink_exec(abrt_t) + libs_exec_ld_so(abrt_t) + corecmd_exec_all_executables(abrt_t) @@ -10157,6 +10187,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ') + +optional_policy(` ++ sosreport_domtrans(abrt_t) ++') ++ ++optional_policy(` + sssd_stream_connect(abrt_t) +') + @@ -12649,6 +12683,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.7.14/policy/modules/services/avahi.if +--- nsaserefpolicy/policy/modules/services/avahi.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.14/policy/modules/services/avahi.if 2010-03-14 23:10:43.000000000 -0400 +@@ -90,6 +90,7 @@ + class dbus send_msg; + ') + ++ allow avahi_t $1:file read; + allow $1 avahi_t:dbus send_msg; + allow avahi_t $1:dbus send_msg; + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.14/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500 +++ serefpolicy-3.7.14/policy/modules/services/avahi.te 2010-03-12 09:30:00.000000000 -0500 
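Review bot: `sosreport_domtrans(abrt_t)` gives the abrt daemon an unconditional transition into sosreport_t, which the same patch equips with `sys_ptrace`, `net_admin`, `dac_override`, `dev_read_raw_memory` and, where the unconfined module is present, `unconfined_domain_noaudit`; a compromise of abrt_t would therefore reach that far broader domain. Unless abrt needs this on every system, gate the block with a tunable, and in any case say why abrt invokes sosreport, e.g. `# abrt runs sosreport to attach system state to crash reports — TODO confirm` above the `optional_policy(``. The surrounding abrt_t rules continue outside the hunk.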
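Review bot: `allow avahi_t $1:file read;` is a raw allow against the caller's domain type in the file class, which for a domain type typically means that process's /proc entries; `read` without `open` and `getattr` only suffices for a descriptor the peer already handed over, so if avahi is meant to open those files itself the access will still be denied, and if it is meant to use a passed descriptor the rule should say so. A one-line justification such as `# avahi reads a descriptor received over the bus — TODO confirm against the denial` next to the rule would also explain why it lives in the dbus chat interface rather than in a read pattern. The interface header is outside the hunk.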
@@ -12947,8 +12992,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.14/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/boinc.te 2010-03-12 09:30:00.000000000 -0500 -@@ -0,0 +1,73 @@ ++++ serefpolicy-3.7.14/policy/modules/services/boinc.te 2010-03-15 14:49:29.000000000 -0400 +@@ -0,0 +1,76 @@ + +policy_module(boinc,1.0.0) + @@ -13011,9 +13056,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +corenet_tcp_bind_boinc_port(boinc_t) +corenet_tcp_connect_http_port(boinc_t) + ++dev_read_urand(boinc_t) ++ +domain_read_all_domains_state(boinc_t) + +files_read_etc_files(boinc_t) ++files_read_usr_files(boinc_t) + +fs_getattr_all_fs(boinc_t) + @@ -18481,8 +18529,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.14/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-12 11:48:14.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/mysql.te 2010-03-12 12:00:19.000000000 -0500 -@@ -176,6 +176,7 @@ ++++ serefpolicy-3.7.14/policy/modules/services/mysql.te 2010-03-15 09:44:09.000000000 -0400 +@@ -65,6 +65,7 @@ + + manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) ++manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) + +@@ -176,6 +177,7 @@ domain_read_all_domains_state(mysqld_safe_t) 
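Review bot: The new `manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)` is slotted between the files and lnk_files patterns, whereas the block otherwise runs dirs, files, lnk_files; placing it after `manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)` keeps the group in the file's existing order. Separately, `files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })` on the next line does not list `sock_file`, so a socket created directly under /var/lib rather than inside an existing mysqld_db_t directory would not get the mysqld_db_t label; if that case is meant to work, add `sock_file` to the class set. The mysqld_t rules continue outside the hunk.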
@@ -20781,7 +20837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.14/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.7.14/policy/modules/services/policykit.if 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/policykit.if 2010-03-14 23:34:00.000000000 -0400 @@ -17,12 +17,37 @@ class dbus send_msg; ') @@ -24723,7 +24779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.14/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/setroubleshoot.te 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/setroubleshoot.te 2010-03-15 17:01:04.000000000 -0400 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -24785,7 +24841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,79 @@ +@@ -94,23 +113,81 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -24793,6 +24849,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) ++modutils_read_module_config(setroubleshootd_t) ++ seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) - 
@@ -24805,13 +24863,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr - dbus_system_bus_client(setroubleshootd_t) - dbus_connect_system_bus(setroubleshootd_t) + locate_read_lib_files(setroubleshootd_t) - ') - - optional_policy(` -+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +') + +optional_policy(` ++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) + ') + + optional_policy(` + rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) @@ -27229,7 +27287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.14/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/xserver.if 2010-03-12 09:30:01.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/xserver.if 2010-03-15 09:51:26.000000000 -0400 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -29268,7 +29326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.14/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/system/init.if 2010-03-12 09:30:01.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/init.if 2010-03-14 23:44:09.000000000 -0400 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; 
@@ -30422,7 +30480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.14/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/system/iptables.te 2010-03-12 09:30:01.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/iptables.te 2010-03-14 23:44:16.000000000 -0400 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) 
@@ -32795,6 +32853,223 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.7.14/policy/modules/system/sosreport.fc +--- nsaserefpolicy/policy/modules/system/sosreport.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/sosreport.fc 2010-03-15 14:03:14.000000000 -0400 +@@ -0,0 +1,2 @@ ++ ++/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.7.14/policy/modules/system/sosreport.if +--- nsaserefpolicy/policy/modules/system/sosreport.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/sosreport.if 2010-03-15 14:03:14.000000000 -0400 +@@ -0,0 +1,74 @@ ++ ++## policy for sosreport ++ ++######################################## ++## ++## Execute a domain transition to run sosreport. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sosreport_domtrans',` ++ gen_require(` ++ type sosreport_t, sosreport_exec_t; ++ ') ++ ++ domtrans_pattern($1, sosreport_exec_t, sosreport_t) ++') ++ ++ ++######################################## ++## ++## Execute sosreport in the sosreport domain, and ++## allow the specified role the sosreport domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sosreport domain. 
++## ++## ++# ++interface(`sosreport_run',` ++ gen_require(` ++ type sosreport_t; ++ ') ++ ++ sosreport_domtrans($1) ++ role $2 types sosreport_t; ++') ++ ++######################################## ++## ++## Role access for sosreport ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`sosreport_role',` ++ gen_require(` ++ type sosreport_t; ++ ') ++ ++ role $1 types sosreport_t; ++ ++ sosreport_domtrans($2) ++ ++ ps_process_pattern($2, sosreport_t) ++ allow $2 sosreport_t:process signal; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.7.14/policy/modules/system/sosreport.te +--- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/sosreport.te 2010-03-15 14:03:14.000000000 -0400 +@@ -0,0 +1,129 @@ ++ ++policy_module(sosreport,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type sosreport_t; ++type sosreport_exec_t; ++application_domain(sosreport_t, sosreport_exec_t) ++role system_r types sosreport_t; ++ ++type sosreport_tmp_t; ++files_tmp_file(sosreport_tmp_t) ++ ++type sosreport_tmpfs_t; ++files_tmpfs_file(sosreport_tmpfs_t) ++ ++######################################## ++# ++# sosreport local policy ++# ++ ++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_nice sys_ptrace dac_override }; ++allow sosreport_t self:process { setsched signull }; ++ ++allow sosreport_t self:fifo_file rw_fifo_file_perms; ++allow sosreport_t self:tcp_socket create_stream_socket_perms; ++allow sosreport_t self:udp_socket create_socket_perms; ++allow sosreport_t self:unix_dgram_socket create_socket_perms; ++allow sosreport_t self:netlink_route_socket r_netlink_socket_perms; ++allow sosreport_t self:unix_stream_socket create_stream_socket_perms; ++ ++# sosreport tmp files ++manage_dirs_pattern(sosreport_t, sosreport_tmp_t, 
sosreport_tmp_t) ++manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) ++manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) ++files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) ++ ++manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) ++fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file) ++ ++kernel_read_device_sysctls(sosreport_t) ++kernel_read_hotplug_sysctls(sosreport_t) ++kernel_read_kernel_sysctls(sosreport_t) ++kernel_read_modprobe_sysctls(sosreport_t) ++kernel_read_net_sysctls(sosreport_t) ++kernel_read_network_state(sosreport_t) ++kernel_read_rpc_sysctls(sosreport_t) ++kernel_read_software_raid_state(sosreport_t) ++kernel_read_unix_sysctls(sosreport_t) ++kernel_read_vm_sysctls(sosreport_t) ++kernel_search_debugfs(sosreport_t) ++ ++corecmd_exec_all_executables(sosreport_t) ++ ++dev_getattr_all_chr_files(sosreport_t) ++dev_getattr_all_blk_files(sosreport_t) ++ ++dev_read_rand(sosreport_t) ++dev_read_urand(sosreport_t) ++dev_read_raw_memory(sosreport_t) ++dev_read_sysfs(sosreport_t) ++ ++domain_getattr_all_domains(sosreport_t) ++domain_read_all_domains_state(sosreport_t) ++ ++# for blkid.tab ++files_manage_etc_runtime_files(sosreport_t) ++files_etc_filetrans_etc_runtime(sosreport_t, file) ++ ++files_exec_etc_files(sosreport_t) ++files_list_all(sosreport_t) ++files_read_config_files(sosreport_t) ++files_read_etc_files(sosreport_t) ++files_read_generic_tmp_files(sosreport_t) ++files_read_usr_files(sosreport_t) ++files_read_var_lib_files(sosreport_t) ++files_read_var_symlinks(sosreport_t) ++files_read_kernel_modules(sosreport_t) ++ ++fs_getattr_all_fs(sosreport_t) ++ ++# cjp: some config files do not have configfile attribute ++# sosreport needs to read various files on system ++auth_read_all_files_except_shadow(sosreport_t) ++auth_use_nsswitch(sosreport_t) ++ ++init_domtrans_script(sosreport_t) ++ ++libs_domtrans_ldconfig(sosreport_t) ++ ++logging_read_all_logs(sosreport_t) 
++logging_send_syslog_msg(sosreport_t) ++ ++miscfiles_read_localization(sosreport_t) ++ ++# needed by modinfo ++modutils_read_module_deps(sosreport_t) ++ ++sysnet_read_config(sosreport_t) ++ ++optional_policy(` ++ cups_stream_connect(sosreport_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(sosreport_t) ++') ++ ++optional_policy(` ++ pulseaudio_stream_connect(sosreport_t) ++') ++ ++optional_policy(` ++ rpm_exec(sosreport_t) ++ rpm_dontaudit_manage_db(sosreport_t) ++ rpm_read_db(sosreport_t) ++') ++ ++optional_policy(` ++ xserver_stream_connect(sosreport_t) ++') ++ ++optional_policy(` ++ unconfined_domain_noaudit(sosreport_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.14/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-02-12 10:33:09.000000000 -0500 +++ serefpolicy-3.7.14/policy/modules/system/sysnetwork.fc 2010-03-12 09:30:01.000000000 -0500 @@ -34098,7 +34373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.14/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/system/userdomain.if 2010-03-13 10:26:50.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/userdomain.if 2010-03-15 09:50:07.000000000 -0400 @@ -30,8 +30,9 @@ ') 
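Review bot: The closing `optional_policy(` unconfined_domain_noaudit(sosreport_t) ')` in sosreport.te makes sosreport_t effectively unconfined wherever the unconfined module is loaded, so the confining rules above it only take effect on systems without that module; the intent should be stated beside it, e.g. `# sosreport gathers arbitrary diagnostics; with the unconfined module present it runs unconfined — TODO confirm this is intended`. Even without that block, `allow sosreport_t self:capability { kill net_admin net_raw setuid sys_nice sys_ptrace dac_override };` together with `dev_read_raw_memory(sosreport_t)` and `corecmd_exec_all_executables(sosreport_t)` gives the domain a very broad footprint, and each of those lines deserves the kind of why-comment the file already uses for `# for blkid.tab` and `# needed by modinfo`. As a style point, `fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file)` lacks the space after the comma that every other call in the file has. The hunk holds the complete sosreport.fc, sosreport.if and sosreport.te files.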
@@ -34457,7 +34732,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -498,7 +493,7 @@ +@@ -438,6 +433,7 @@ + dev_dontaudit_rw_dri($1_t) + # GNOME checks for usb and other devices: + dev_rw_usbfs($1_t) ++ dev_rw_generic_usb_dev($1_t) + + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) + xserver_xsession_entry_type($1_t) +@@ -498,7 +494,7 @@ attribute unpriv_userdomain; ') @@ -34466,7 +34749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -508,71 +503,77 @@ +@@ -508,71 +504,77 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -34582,7 +34865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`user_ttyfile_stat',` -@@ -580,65 +581,100 @@ +@@ -580,65 +582,100 @@ ') optional_policy(` @@ -34701,7 +34984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -649,41 +685,50 @@ +@@ -649,41 +686,50 @@ optional_policy(` # to allow monitoring of pcmcia status @@ -34763,7 +35046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -711,13 +756,26 @@ +@@ -711,13 +757,26 @@ userdom_base_user_template($1) @@ -34795,7 +35078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -735,70 +793,73 @@ +@@ -735,70 +794,73 @@ allow $1_t self:context contains; 
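Review bot: `dev_rw_generic_usb_dev($1_t)` grants read and write on generic USB device nodes to every user domain built from this template, and the only rationale nearby is the existing `# GNOME checks for usb and other devices:` comment above `dev_rw_usbfs($1_t)`; if a presence check is all that is wanted, a getattr-level interface would be narrower, and if the session really needs to read and write the devices the comment should be extended, e.g. `# GNOME checks for usb and other devices; rw on generic usb nodes for <reason — TODO name it>`. The enclosing template starts and ends outside the hunk.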
@@ -34902,7 +35185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -830,12 +891,35 @@ +@@ -830,12 +892,35 @@ typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -34938,7 +35221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -871,45 +955,80 @@ +@@ -871,45 +956,80 @@ # auth_role($1_r, $1_t) @@ -35034,7 +35317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -944,7 +1063,7 @@ +@@ -944,7 +1064,7 @@ # # Inherit rules for ordinary users. @@ -35043,7 +35326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -953,54 +1072,73 @@ +@@ -953,54 +1073,73 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -35147,7 +35430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1036,7 +1174,7 @@ +@@ -1036,7 +1175,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -35156,7 +35439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1071,6 +1209,9 @@ +@@ -1071,6 +1210,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -35166,7 +35449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1226,7 @@ +@@ -1085,6 +1227,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -35174,7 +35457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1120,6 +1262,8 @@ +@@ -1120,6 +1263,8 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -35183,7 +35466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1207,6 +1351,8 @@ +@@ -1207,6 +1352,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -35192,7 +35475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1272,11 +1418,15 @@ +@@ -1272,11 +1419,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -35208,7 +35491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,6 +1537,7 @@ +@@ -1387,6 +1538,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -35216,7 +35499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1433,6 +1584,14 @@ +@@ -1433,6 +1585,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -35231,7 +35514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1448,9 +1607,11 @@ +@@ -1448,9 +1608,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -35243,7 +35526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1507,6 +1668,42 @@ +@@ -1507,6 +1669,42 @@ allow $1 user_home_dir_t:dir relabelto; ') 
@@ -35286,7 +35569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1581,6 +1778,8 @@ +@@ -1581,6 +1779,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -35295,7 +35578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1595,10 +1794,12 @@ +@@ -1595,10 +1795,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` @@ -35310,7 +35593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1641,6 +1842,24 @@ +@@ -1641,6 +1843,24 @@ ######################################## ## @@ -35335,7 +35618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1692,6 +1911,7 @@ +@@ -1692,6 +1912,7 @@ type user_home_dir_t, user_home_t; ') @@ -35343,7 +35626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1708,11 +1928,14 @@ +@@ -1708,11 +1929,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -35361,7 +35644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1819,20 +2042,14 @@ +@@ -1819,20 +2043,14 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -35386,7 +35669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -1866,6 +2083,7 @@ +@@ -1866,6 +2084,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -35394,7 +35677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,6 +2320,25 @@ +@@ -2102,6 +2321,25 @@ ######################################## ## @@ -35420,7 +35703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to list user ## temporary directories. ## -@@ -2218,6 +2455,25 @@ +@@ -2218,6 +2456,25 @@ ######################################## ## @@ -35446,7 +35729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to manage users ## temporary files. ## -@@ -2427,13 +2683,14 @@ +@@ -2427,13 +2684,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -35462,7 +35745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2787,7 +3044,7 @@ +@@ -2787,7 +3045,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -35471,7 +35754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3060,13 @@ +@@ -2803,11 +3061,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -35487,7 +35770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3203,7 @@ +@@ -2944,7 +3204,7 @@ type user_tmp_t; ') @@ -35496,7 +35779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3240,7 @@ +@@ -2981,6 +3241,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -35504,7 +35787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3371,745 @@ +@@ -3111,3 +3372,745 @@ allow $1 userdomain:dbus send_msg; ')