diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls index f46081d..cd8f5fd 100644 --- a/refpolicy/policy/mls +++ b/refpolicy/policy/mls @@ -22,6 +22,7 @@ sensitivity s9; # dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 } + # # Define the categories # @@ -207,7 +208,7 @@ level s9:c0.c127; # role_mls_op : == | != | eq | dom | domby | incomp # # names : name | { name_list } -# name_list : name | name_list name# +# name_list : name | name_list name # # @@ -218,7 +219,7 @@ level s9:c0.c127; mlsconstrain { file lnk_file fifo_file } { create relabelto } ( l2 eq h2 ); -# new file labels must be dominated by the relabling subject clearance +# new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto ( h1 dom h2 ); @@ -258,10 +259,10 @@ mlsconstrain dir { add_name remove_name reparent rmdir } # these access vectors have no MLS restrictions # { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon } # -# file { execute_no_trans entrypoint } +# { file chr_file } { execute_no_trans entrypoint execmod } # the file upgrade/downgrade rule -mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file } +mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } ((( l1 eq l2 ) or (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or @@ -285,11 +286,13 @@ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 )))); + + # # MLS policy for the filesystem class # -# new filesystem labels must be dominated by the relabling subject clearance +# new filesystem labels must be dominated by the relabeling subject clearance mlsconstrain filesystem relabelto ( h1 dom h2 ); 
@@ -309,50 +312,46 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # filesystem { transition associate } + + # # MLS policy for the socket classes # -# new socket labels must be dominated by the relabling subject clearance +# new socket labels must be dominated by the relabeling subject clearance mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto ( h1 dom h2 ); -# the socket "read" ops (note that the we check dominance of the low level) +# the socket "read" ops (note the check is dominance of the low level) mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg } (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); -mlsconstrain { tcp_socket unix_stream_socket } acceptfrom - (( l1 dom l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); # the socket "write" ops -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket 
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite )); - -mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } ((( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsnetwrite )); # these access vectors have no MLS restrictions -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind } +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } # # { tcp_socket udp_socket rawip_socket } node_bind # +# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } +# # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write # + + # # MLS policy for the ipc classes # 
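Review bot: The `acceptfrom` and `{ connectto newconn }` constraints on `{ tcp_socket unix_stream_socket }` are dropped in this hunk and the three permissions move under "these access vectors have no MLS restrictions", but nothing in the file says why a stream connection between sockets at different levels no longer needs a dominance check. If the reasoning is that both endpoints are already covered by the socket read/write constraints above, so the peer check is redundant, a one-line comment beside the new entry, e.g. `# covered by the socket read/write constraints on the peer sockets`, would stop the next reader from re-adding them. Moving `write` out of the unrestricted list and into the socket write constraint is a tightening and reads as intended.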
@@ -393,6 +392,8 @@ mlsconstrain msg send # { ipc sem msgq shm } associate + + # # MLS policy for the fd class # @@ -401,29 +402,38 @@ mlsconstrain msg send # fd use -# -# MLS policy for the node class -# - -# these access vectors have no MLS restrictions -# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } # -# MLS policy for the netif class +# MLS policy for the network object classes # +# the netif/node "read" ops (implicit single level socket doing the read) +# (note the check is dominance of the low level) +mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv } + (( l1 dom l2 ) or ( t1 == mlsnetrecvall )); + +# the netif/node "write" ops (implicit single level socket doing the write) +mlsconstrain { netif node } { tcp_send udp_send rawip_send } + (( l1 dom l2 ) and ( l1 domby h2 )); + # these access vectors have no MLS restrictions -# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } +# { netif node } { enforce_dest } + + # # MLS policy for the process class # -# new process labels must be dominated by the relabling subject clearance and -# sensitivity level changes require privilege -mlsconstrain process { transition dyntransition } +# new process labels must be dominated by the relabeling subject clearance +# and sensitivity level changes require privilege +mlsconstrain process transition + (( h1 dom h2 ) and + (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or + (( t1 == privrangetrans ) and ( t2 == mlsrangetrans )))); +mlsconstrain process dyntransition (( h1 dom h2 ) and (( l1 eq l2 ) or ( t1 == mlsprocsetsl ))); @@ -440,7 +450,9 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se ( t1 == mlsprocwrite )); # these access vectors have no MLS restrictions -# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh} +# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem } + + # 
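Review bot: The new send rule `mlsconstrain { netif node } { tcp_send udp_send rawip_send } (( l1 dom l2 ) and ( l1 domby h2 ))` has no privileged override, whereas the matching recv rule accepts `mlsnetrecvall` and the socket write rule in the earlier hunk accepts `mlsnetwritetoclr`/`mlsnetwrite`. A domain holding mlsnetwrite can therefore pass the socket constraint and still be refused at the node/netif check; if that asymmetry is deliberate (single-level packets must never leave their level regardless of privilege) a comment on the rule saying so would help, otherwise the override attribute is missing. The rename of `mlsnetbindall` to `mlsnetrecvall` later in this file and in strict/attrib.te presumably has a strict-side MLS constraint file that references the old name, which is not in this diff.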
@@ -451,6 +463,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se # security * + + # # MLS policy for the system class # @@ -459,6 +473,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se # system * + + # # MLS policy for the capability class # @@ -468,6 +484,7 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se + # # MLS policy for the passwd class # @@ -476,6 +493,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se # passwd * + + # # MLS policy for the drawable class # @@ -493,6 +512,8 @@ mlsconstrain drawable { create destroy draw copy } ( t1 == mlsxwinwrite )); + + # # MLS policy for the gc class # @@ -510,6 +531,8 @@ mlsconstrain gc { create free setattr } ( t1 == mlsxwinwrite )); + + # # MLS policy for the window class # @@ -530,6 +553,8 @@ mlsconstrain window { addchild create destroy chstack chproplist chprop setattr # window { map unmap } + + # # MLS policy for the font class # @@ -550,6 +575,8 @@ mlsconstrain font free # font use + + # # MLS policy for the colormap class # @@ -567,6 +594,8 @@ mlsconstrain colormap { create free install uninstall store setattr } ( t1 == mlsxwinwrite )); + + # # MLS policy for the property class # @@ -583,6 +612,9 @@ mlsconstrain property { create free write } (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsxwinwrite )); + + + # # MLS policy for the cursor class # @@ -594,6 +626,8 @@ mlsconstrain cursor { create createglyph free assign setattr } ( t1 == mlsxwinwrite )); + + # # MLS policy for the xclient class # @@ -605,6 +639,8 @@ mlsconstrain xclient kill ( t1 == mlsxwinwrite )); + + # # MLS policy for the xinput class # @@ -641,6 +677,8 @@ mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver } ( t1 == mlsxwinwrite )); + + # # MLS policy for the xextension class # 
@@ -666,6 +704,8 @@ mlsconstrain xextension use # pax { pageexec emutramp mprotect randmmap randexec segmexec } + + # # MLS policy for the dbus class # @@ -674,6 +714,8 @@ mlsconstrain xextension use # dbus { acquire_svc send_msg } + + # # MLS policy for the nscd class # @@ -682,6 +724,8 @@ mlsconstrain xextension use # nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } + + # # MLS policy for the association class # @@ -702,7 +746,7 @@ attribute mlsnetwrite; attribute mlsnetwritetoclr; attribute mlsnetupgrade; attribute mlsnetdowngrade; -attribute mlsnetbindall; +attribute mlsnetrecvall; attribute mlsipcread; attribute mlsipcreadtoclr; diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te index f966524..9b21be4 100644 --- a/refpolicy/policy/modules/admin/acct.te +++ b/refpolicy/policy/modules/admin/acct.te @@ -11,7 +11,7 @@ type acct_exec_t; init_daemon_domain(acct_t,acct_exec_t) type acct_data_t; -files_type(acct_data_t) +logging_log_file(acct_data_t) ######################################## # diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index d52097b..c95e40f 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -84,8 +84,6 @@ files_read_all_pids(logrotate_t) files_manage_generic_spools(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) -hostname_exec(logrotate_t) - # cjp: why is this needed? init_domtrans_script(logrotate_t) @@ -124,6 +122,10 @@ optional_policy(`consoletype.te',` ') +optional_policy(`hostname.te',` + hostname_exec(logrotate_t) +') + optional_policy(`mysql.te',` mysql_read_config(logrotate_t) mysql_search_db_dir(logrotate_t) diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 7c95c5c..8674b74 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te 
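Review bot: `logging_log_file(acct_data_t)` replaces `files_type(acct_data_t)` in acct.te, which, if logging_log_file assigns the logfile attribute as its name suggests, puts process-accounting records within reach of every domain that uses the read/manage-all-logs interfaces, not just logrotate. Accounting records list commands and the users that ran them, so that is a wider exposure than a plain file type; if the intent is only to let logrotate rotate the pacct file, a comment such as `# pacct is rotated by logrotate, so treat it as a log file` would record that trade-off. The strict-policy counterpart in strict/domains/program/acct.te later in this diff adds the `logfile` attribute for the same reason, presumably.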
@@ -172,6 +172,7 @@ corenet_tcp_sendrecv_all_ports(traceroute_t) corenet_udp_sendrecv_all_ports(traceroute_t) corenet_udp_bind_all_nodes(traceroute_t) corenet_tcp_bind_all_nodes(traceroute_t) +corenet_tcp_connect_all_ports(traceroute_t) fs_dontaudit_getattr_xattr_fs(traceroute_t) diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index a8864e3..8da01a7 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -106,6 +106,7 @@ corenet_tcp_sendrecv_all_ports(rpm_t) corenet_udp_sendrecv_all_ports(rpm_t) corenet_tcp_bind_all_nodes(rpm_t) corenet_udp_bind_all_nodes(rpm_t) +corenet_tcp_connect_all_ports(rpm_t) dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) @@ -304,6 +305,10 @@ seutil_domtrans_restorecon(rpm_script_t) userdom_use_all_user_fd(rpm_script_t) +if (allow_execmem) { + allow rpm_script_t self:process execmem; +} + # this should be tunable_policy, but # typeattribute does not work in conditionals ifdef(`unlimitedRPM',` diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index e9416e6..bdce124 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -718,6 +718,23 @@ interface(`corenet_udp_bind_all_ports',` ######################################## ## +## Connect TCP sockets to all ports. +## +## +## The type of the process performing this action. +## +# +interface(`corenet_tcp_connect_all_ports',` + gen_require(` + attribute port_type; + class tcp_socket name_connect; + ') + + allow $1 port_type:tcp_socket name_connect; +') + +######################################## +## ## Send and receive TCP network traffic on generic reserved ports. ## ## diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 8a6c789..582e9d9 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in 
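Review bot: The new `corenet_tcp_connect_all_ports` interface grants `name_connect` on every `port_type` without saying in its description that this is the broadest possible grant, and this commit then applies it wholesale to traceroute_t, rpm_t, inetd_t, innd_t, slapd_t, ypbind_t, sendmail_t and dhcpc_t. Since name_connect is the check that lets policy limit which ports a daemon may reach, the description should mark this as the transitional choice, e.g. `## This allows connecting to any port; prefer a per-port connect interface once the peer port is known.`, so callers do not treat it as the default. Whether per-port connect interfaces exist in this corenetwork revision is not visible here.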
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -37,6 +37,7 @@ sid port context_template(system_u:object_r:port_t,s0) type reserved_port_t, port_type, reserved_port_type; network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) +network_port(auth, tcp,113,s0) dnl network_port(biff) # no defined portcon in current strict network_port(dbskkd, tcp,1178,s0) network_port(dhcpc, udp,68,s0) @@ -50,7 +51,7 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0) network_port(http, tcp,80,s0, tcp,443,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) dnl network_port(i18n_input) # no defined portcon in current strict -network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,113,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0) +network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0) network_port(innd, tcp,119,s0) network_port(ipp, tcp,631,s0, udp,631,s0) network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 7674b7d..bda7016 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -68,8 +68,10 @@ corenet_tcp_sendrecv_all_ports(inetd_t) corenet_udp_sendrecv_all_ports(inetd_t) corenet_tcp_bind_all_nodes(inetd_t) corenet_udp_bind_all_nodes(inetd_t) +corenet_tcp_connect_all_ports(inetd_t) # listen on service ports: +corenet_tcp_bind_auth_port(inetd_t) #corenet_udp_bind_comsat_port(inetd_t) corenet_tcp_bind_dbskkd_port(inetd_t) corenet_udp_bind_dbskkd_port(inetd_t) 
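Review bot: Moving tcp/113 out of `network_port(inetd_child, ...)` into the new `network_port(auth, tcp,113,s0)` relabels that port to auth_port_t, so any domain that reached 113 through an inetd_child port interface stops matching, and the diff only gives `corenet_tcp_bind_auth_port(inetd_t)` to inetd_t itself. If identd-style children bind the port on their own they need the auth port interface too; otherwise the split is an improvement, since 113 no longer shares a label with the echo/chargen/rsh ports. A short comment on the auth line, e.g. `# ident/auth, previously grouped under inetd_child`, would explain the split to readers of the port table.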
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te index 475788c..0ef9c9a 100644 --- a/refpolicy/policy/modules/services/inn.te +++ b/refpolicy/policy/modules/services/inn.te @@ -74,6 +74,7 @@ corenet_udp_sendrecv_all_ports(innd_t) corenet_tcp_bind_all_nodes(innd_t) corenet_udp_bind_all_nodes(innd_t) corenet_tcp_bind_innd_port(innd_t) +corenet_tcp_connect_all_ports(innd_t) dev_read_sysfs(innd_t) dev_read_urand(innd_t) diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index 91f5b8e..a2d8d7e 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -32,7 +32,7 @@ files_pid_file(slapd_var_run_t) # should not need kill # cjp: why net_raw? -allow slapd_t self:capability { kill setgid setuid net_raw }; +allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; dontaudit slapd_t self:capability sys_tty_config; allow slapd_t self:process setsched; allow slapd_t self:fifo_file { read write }; @@ -71,6 +71,7 @@ corenet_udp_sendrecv_all_ports(slapd_t) corenet_tcp_bind_all_nodes(slapd_t) corenet_udp_bind_all_nodes(slapd_t) corenet_tcp_bind_ldap_port(slapd_t) +corenet_tcp_connect_all_ports(slapd_t) dev_read_urand(slapd_t) dev_read_sysfs(slapd_t) diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 808e081..237bf30 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te @@ -73,6 +73,7 @@ corenet_tcp_bind_generic_port(ypbind_t) corenet_udp_bind_generic_port(ypbind_t) corenet_tcp_bind_reserved_port(ypbind_t) corenet_udp_bind_reserved_port(ypbind_t) +corenet_tcp_connect_all_ports(ypbind_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) 
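Review bot: `allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };` grants both dac_override and dac_read_search, but dac_override already bypasses read and search checks (and write as well), so listing both adds nothing while the broader one is present. If slapd only needs to read files it does not own, `dac_read_search` alone is the least-privilege form and `dac_override` should be dropped; if it genuinely needs the write bypass, keep dac_override and drop dac_read_search. The block's existing `# cjp: why net_raw?` style calls for a one-line reason for the new capability, and the squid_t hunk later in this diff adds `dac_override` with the same lack of rationale.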
@@ -113,6 +114,10 @@ optional_policy(`mount.te',` mount_send_nfs_client_request(ypbind_t) ') +optional_policy(`portmap.te',` + portmap_udp_sendto(ypbind_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(ypbind_t) ') @@ -122,8 +127,6 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` -can_udp_send(ypbind_t, portmap_t) - optional_policy(`rhgb.te', ` rhgb_domain(ypbind_t) ') @@ -199,6 +202,10 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(ypserv_t) ') +optional_policy(`portmap.te',` + portmap_udp_sendto(ypserv_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(ypserv_t) ') @@ -212,9 +219,6 @@ optional_policy(`rhgb.te', ` rhgb_domain(ypserv_t) ') -# Send to portmap and initrc. -can_udp_send(ypserv_t, portmap_t) - # Read and write /var/yp. ifdef(`rpcd.te', ` allow rpcd_t ypserv_conf_t:file { getattr read }; diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 47ce143..0b1d97e 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -56,6 +56,7 @@ corenet_udp_sendrecv_all_ports(sendmail_t) corenet_tcp_bind_all_nodes(sendmail_t) corenet_udp_bind_all_nodes(sendmail_t) corenet_tcp_bind_smtp_port(sendmail_t) +corenet_tcp_connect_all_ports(sendmail_t) dev_read_urand(sendmail_t) dev_read_sysfs(sendmail_t) diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te index ddba18a..90d85a1 100644 --- a/refpolicy/policy/modules/services/squid.te +++ b/refpolicy/policy/modules/services/squid.te 
@@ -28,7 +28,7 @@ files_pid_file(squid_var_run_t) # Local policy # -allow squid_t self:capability { setgid setuid }; +allow squid_t self:capability { setgid setuid dac_override }; dontaudit squid_t self:capability sys_tty_config; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow squid_t self:unix_stream_socket create_stream_socket_perms; diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index e85c077..a53c3bf 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -84,9 +84,4 @@ rhgb_domain(hwclock_t) ') optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;') - -optional_policy(`apmd.te', ` -domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) -') - ') dnl end TODO diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 1beb5de..125e95a 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -107,8 +107,6 @@ modutils_read_mods_deps(hotplug_t) miscfiles_read_localization(hotplug_t) -mount_domtrans(hotplug_t) - sysnet_read_config(hotplug_t) userdom_dontaudit_use_unpriv_user_fd(hotplug_t) @@ -147,6 +145,10 @@ optional_policy(`iptables.te',` iptables_domtrans(hotplug_t) ') +optional_policy(`mount.te',` + mount_domtrans(hotplug_t) +') + optional_policy(`mta.te', ` mta_send_mail(hotplug_t) ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index c44c2c4..c9fa5c7 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -145,6 +145,10 @@ ifdef(`distro_redhat',` fs_create_tmpfs_data(init_t,initctl_t,fifo_file) ') +ifdef(`targeted_policy',` + unconfined_domain_template(init_t) +') + optional_policy(`authlogin.te',` auth_rw_login_records(init_t) ') 
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 6119e4b..3039425 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -31,7 +31,6 @@ interface(`seutil_domtrans_checkpol',` ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, ## and use the caller's terminal. -## Has a SIGCHLD signal backchannel. ## ## ## The type of the process performing this action. diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index fb66048..1a74046 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -94,6 +94,10 @@ role system_r types setfiles_t; type setfiles_exec_t; domain_entry_file(setfiles_t,setfiles_exec_t) +ifdef(`distro_redhat',` + init_system_domain(setfiles_t,setfiles_exec_t) +') + ######################################## # # Checkpolicy local policy @@ -142,7 +146,8 @@ allow load_policy_t self:capability dac_override; # only allow read of policy config files allow load_policy_t policy_src_t:dir search; allow load_policy_t policy_config_t:dir r_dir_perms; -allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms; +allow load_policy_t policy_config_t:file r_file_perms; +allow load_policy_t policy_config_t:lnk_file r_file_perms; allow load_policy_t selinux_config_t:dir r_dir_perms; allow load_policy_t selinux_config_t:file r_file_perms; diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index fc717a6..2842c25 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te 
@@ -99,6 +99,7 @@ corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) corenet_udp_bind_all_nodes(dhcpc_t) corenet_udp_bind_dhcpc_port(dhcpc_t) +corenet_tcp_connect_all_ports(dhcpc_t) dev_read_sysfs(dhcpc_t) # for SSP: @@ -216,7 +217,7 @@ rhgb_domain(dhcpc_t) # allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; -allow ifconfig_t self:capability net_admin; +allow ifconfig_t self:capability { net_admin sys_tty_config }; dontaudit ifconfig_t self:capability sys_module; allow ifconfig_t self:fd use; @@ -234,6 +235,7 @@ allow ifconfig_t self:msg { send receive }; allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip +allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; files_read_etc_files(ifconfig_t); @@ -246,6 +248,8 @@ kernel_dontaudit_search_network_sysctl_dir(ifconfig_t) corenet_use_tun_tap_device(ifconfig_t) +dev_read_sysfs(ifconfig_t) + fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 1277194..7c3ec48 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -121,7 +121,6 @@ seutil_domtrans_restorecon(udev_t) sysnet_domtrans_ifconfig(udev_t) userdom_use_sysadm_tty(udev_t) -userdom_dontaudit_search_staff_home_dir(udev_t) ifdef(`distro_redhat',` fs_manage_tmpfs_symlinks(udev_t) diff --git a/strict/attrib.te b/strict/attrib.te index 4533bf7..cc79235 100644 --- a/strict/attrib.te +++ b/strict/attrib.te @@ -30,7 +30,7 @@ attribute mlsnetwrite; attribute mlsnetwritetoclr; attribute mlsnetupgrade; attribute mlsnetdowngrade; -attribute mlsnetbindall; +attribute mlsnetrecvall; attribute mlsipcread; attribute mlsipcreadtoclr; 
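Review bot: `allow ifconfig_t self:capability { net_admin sys_tty_config };` grants sys_tty_config, whereas the slapd_t and squid_t blocks in this same diff, and the `dontaudit ifconfig_t self:capability sys_module;` line directly below, handle such capabilities with dontaudit. If sys_tty_config is only being requested because ifconfig runs from init scripts attached to a tty, the consistent form is to leave `allow ifconfig_t self:capability net_admin;` as it was and add `dontaudit ifconfig_t self:capability sys_tty_config;`. If ifconfig really needs the capability, a comment naming the invocation that requires it would justify the allow.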
diff --git a/strict/domains/program/acct.te b/strict/domains/program/acct.te index 3a2447b..75f3074 100644 --- a/strict/domains/program/acct.te +++ b/strict/domains/program/acct.te @@ -21,7 +21,7 @@ file_type_auto_trans(acct_t, var_log_t, wtmp_t, file) # for SSP allow acct_t urandom_device_t:chr_file read; -type acct_data_t, file_type, sysadmfile; +type acct_data_t, file_type, logfile, sysadmfile; allow acct_t self:capability sys_pacct; diff --git a/strict/domains/program/amanda.te b/strict/domains/program/amanda.te index d95725e..2785acf 100644 --- a/strict/domains/program/amanda.te +++ b/strict/domains/program/amanda.te @@ -31,7 +31,7 @@ # General declarations ###################### -type amanda_t, domain, privlog, auth, nscd_client_domain ; +type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain; role system_r types amanda_t; # type for the amanda executables @@ -128,10 +128,7 @@ allow amanda_t amanda_usr_lib_t:dir search; # access to device_t and similar allow amanda_t device_t:dir search; -allow amanda_t null_device_t:chr_file { getattr read write }; allow amanda_t devpts_t:dir getattr; -allow amanda_t fixed_disk_device_t:blk_file getattr; -allow amanda_t removable_device_t:blk_file getattr; allow amanda_t devtty_t:chr_file { read write }; # access to boot_t @@ -160,7 +157,7 @@ allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read }; allow amanda_t bin_t:file { execute execute_no_trans }; allow amanda_t self:capability { chown dac_override setuid }; -allow amanda_t self:process { fork sigchld }; +allow amanda_t self:process { fork sigchld setpgid signal }; allow amanda_t self:unix_dgram_socket create; @@ -170,7 +167,8 @@ allow amanda_t self:unix_dgram_socket create; can_network_server(amanda_t); can_ypbind(amanda_t); - +can_exec(amanda_t, sbin_t); + allow amanda_t self:fifo_file { getattr read write ioctl lock }; allow amanda_t self:unix_stream_socket { connect create read write }; 
@@ -237,7 +235,7 @@ file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t) uses_shlib(amanda_recover_t) allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal }; -allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service }; +allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service }; allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read }; allow amanda_recover_t privfd:fd use; @@ -251,6 +249,9 @@ can_ypbind(amanda_recover_t); allow amanda_recover_t self:fifo_file { getattr ioctl read write }; allow amanda_recover_t self:unix_stream_socket { connect create read write }; +allow amanda_t self:dir search; +allow amanda_t self:file { getattr read }; + # amrecover file permissions ############################ @@ -298,10 +299,24 @@ allow amanda_recover_t tmp_t:dir search; # # Rules to allow amanda to be run as a service in xinetd # -type amanda_port_t, port_type; allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind; allow amanda_t file_type:dir {getattr read search }; -allow amanda_t file_type:file {getattr read }; +allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read }; +allow amanda_t device_type:{ blk_file chr_file } getattr; +allow amanda_t fixed_disk_device_t:blk_file read; +domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t) + +dontaudit amanda_t file_type:sock_file getattr; logdir_domain(amanda) +dontaudit amanda_t autofs_t:dir { getattr read search }; +dontaudit amanda_t binfmt_misc_fs_t:dir getattr; +dontaudit amanda_t nfs_t:dir { getattr read }; +dontaudit amanda_t proc_t:dir read; +dontaudit amanda_t proc_t:lnk_file read; +dontaudit amanda_t rpc_pipefs_t:dir { getattr read }; +dontaudit amanda_t security_t:dir { getattr read }; +dontaudit amanda_t sysfs_t:dir { getattr read }; +dontaudit amanda_t unlabeled_t:file getattr; +dontaudit amanda_t usbfs_t:dir getattr; 
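Review bot: `allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };` together with `allow amanda_t fixed_disk_device_t:blk_file read;` gives amanda_t read access to every labeled file on the system and to the raw disk, which a dump-style backup needs but which is also a full-disclosure grant that deserves a comment stating it is intentional, e.g. `# backups must read every file and raw partition`. The earlier hunk in this file that adds `allow amanda_t self:dir search;` and `allow amanda_t self:file { getattr read };` places them inside the amanda_recover_t section; moving those two lines next to the other amanda_t self rules would keep the sections coherent. The removal of `type amanda_port_t, port_type;` here is presumably balanced by a declaration elsewhere that is not in this diff.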
diff --git a/strict/domains/program/anaconda.te b/strict/domains/program/anaconda.te index 981f852..3e7ef0a 100644 --- a/strict/domains/program/anaconda.te +++ b/strict/domains/program/anaconda.te @@ -17,13 +17,17 @@ unconfined_domain(anaconda_t) role system_r types ldconfig_t; domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t) +ifdef(`su.te', ` role system_r types sysadm_su_t; domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t) +') # Run other rc scripts in the anaconda_t domain. domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t) +ifdef(`dmesg.te', ` domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t) +') ifdef(`distro_redhat', ` file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file) @@ -44,4 +48,6 @@ ifdef(`ssh-agent.te', ` role system_r types sysadm_ssh_agent_t; domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t) ') +ifdef(`passwd.te', ` domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t) +') diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te index b01d3f3..72a708c 100644 --- a/strict/domains/program/apache.te +++ b/strict/domains/program/apache.te @@ -26,10 +26,11 @@ r_dir_file(httpd_suexec_t, $1) can_exec(httpd_suexec_t, $1) ') -type http_port_t, port_type, reserved_port_type; - bool httpd_unified false; +# Allow httpd to use built in scripting (usually php) +bool httpd_builtin_scripting false; + # Allow httpd cgi support bool httpd_enable_cgi false; @@ -42,6 +43,9 @@ bool httpd_ssi_exec false; # Allow http daemon to communicate with the TTY bool httpd_tty_comm false; +# Allow http daemon to tcp connect +bool httpd_can_network_connect false; + ######################################################### # Apache types ######################################################### 
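Review bot: The comment on the new boolean, `# Allow http daemon to tcp connect`, understates what it controls: the networking hunk later in apache.te uses it to grant `name_connect` on all of `port_type`, i.e. outbound TCP to any port. Administrators read these comments when deciding whether to flip a bool, so it should say so, e.g. `# Allow httpd to make outbound TCP connections to any port`. `httpd_builtin_scripting` is declared here but not referenced by any hunk in this diff, so its consumer is presumably elsewhere.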
@@ -50,15 +54,6 @@ bool httpd_tty_comm false; # type httpd_config_t, file_type, sysadmfile; -append_logdir_domain(httpd) -#can read /etc/httpd/logs -allow httpd_t httpd_log_t:lnk_file read; - -# For /etc/init.d/apache2 reload -can_tcp_connect(httpd_t, httpd_t) - -can_tcp_connect(web_client_domain, httpd_t) - # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache # @@ -71,7 +66,16 @@ type httpd_cache_t, file_type, sysadmfile; # httpd_exec_t is the type give to the httpd executable. # -daemon_domain(httpd, `, privmail') +daemon_domain(httpd, `, privmail, nscd_client_domain') + +append_logdir_domain(httpd) +#can read /etc/httpd/logs +allow httpd_t httpd_log_t:lnk_file read; + +# For /etc/init.d/apache2 reload +can_tcp_connect(httpd_t, httpd_t) + +can_tcp_connect(web_client_domain, httpd_t) can_exec(httpd_t, httpd_exec_t) file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file) 
@@ -82,53 +86,11 @@ allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read read_sysctl(httpd_t) +allow httpd_t crypt_device_t:chr_file rw_file_perms; + # for modules that want to access /etc/mtab and /proc/meminfo allow httpd_t { proc_t etc_runtime_t }:file { getattr read }; -# setup the system domain for system CGI scripts -apache_domain(sys) - -# The following are types for SUEXEC,which runs user scripts as their -# own user ID -# -daemon_sub_domain(httpd_t, httpd_suexec) -allow httpd_t httpd_suexec_exec_t:file read; - -######################################################### -# Permissions for running child processes and scripts -########################################################## - -allow httpd_suexec_t self:capability { setuid setgid }; - -dontaudit httpd_suexec_t var_run_t:dir search; -allow httpd_suexec_t { var_t var_log_t }:dir search; -allow httpd_suexec_t home_root_t:dir search; - -allow httpd_suexec_t httpd_log_t:dir search; -allow httpd_suexec_t httpd_log_t:file { append getattr }; -allow httpd_suexec_t httpd_t:fifo_file getattr; -allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; - -allow httpd_suexec_t etc_t:file { getattr read }; -read_locale(httpd_suexec_t) -read_sysctl(httpd_suexec_t) -allow httpd_suexec_t urandom_device_t:chr_file { getattr read }; - -# for shell scripts -allow httpd_suexec_t bin_t:dir search; -allow httpd_suexec_t bin_t:lnk_file read; -can_exec(httpd_suexec_t, { bin_t shell_exec_t }) - -can_network(httpd_suexec_t) -can_ypbind(httpd_suexec_t) -allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl }; - -ifdef(`mta.te', ` -# apache should set close-on-exec -dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; -dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; -') - uses_shlib(httpd_t) allow httpd_t { usr_t lib_t }:file { getattr read ioctl }; allow httpd_t usr_t:lnk_file { getattr read }; 
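Review bot: `allow httpd_t crypt_device_t:chr_file rw_file_perms;` is added without a comment, unlike the neighbouring `# for modules that want to access /etc/mtab and /proc/meminfo` rule. Read/write on a crypto device node is a notable grant for a network-facing daemon, so the reason (a hardware crypto engine used by mod_ssl would be the guess, but that is not visible here) should be stated, e.g. `# mod_ssl with a hardware crypto engine`. The large block of httpd_suexec_t rules removed in this hunk has no counterpart in the diff, so it is presumably relocated to a file not shown.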
@@ -144,12 +106,31 @@ allow httpd_t { bin_t sbin_t }:dir r_dir_perms; can_exec(httpd_t, { bin_t sbin_t }) allow httpd_t bin_t:lnk_file read; -can_network(httpd_t) +######################################## +# Set up networking +######################################## + +can_network_server(httpd_t) +can_kerberos(httpd_t) +can_resolve(httpd_t) can_ypbind(httpd_t) +can_ldap(httpd_t) +allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind; -################### -# Allow httpd to search users diretories -###################### +if (httpd_can_network_connect) { +can_network_client(httpd_t) +allow httpd_t port_type:tcp_socket name_connect; +} + +########################################## +# Legacy: remove when it's fixed # +# Allow libphp5.so with text relocations # +########################################## +allow httpd_t texrel_shlib_t:file execmod; + +######################################### +# Allow httpd to search users directories +######################################### allow httpd_t home_root_t:dir { getattr search }; dontaudit httpd_t sysadm_home_dir_t:dir getattr; @@ -163,7 +144,6 @@ dontaudit httpd_t self:capability net_admin; # Allow the httpd_t to read the web servers config files ################################################### r_dir_file(httpd_t, httpd_config_t) -dontaudit httpd_sys_script_t httpd_config_t:dir search; # allow logrotate to read the config files for restart ifdef(`logrotate.te', ` r_dir_file(logrotate_t, httpd_config_t) @@ -173,11 +153,6 @@ allow logrotate_t httpd_t:process signull; r_dir_file(initrc_t, httpd_config_t) ################################################## -######################################## -# Allow httpd_t to bind to the HTTP port -######################################## -allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind; - ############################### # Allow httpd_t to put files in /var/cache/httpd etc ############################## 
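Review bot: `allow httpd_t texrel_shlib_t:file execmod;` is added unconditionally, while the comment above it calls it a legacy workaround for libphp5.so text relocations. Because execmod permits executing a modified private file mapping, it is worth gating like the network rule beside it so that systems without the broken library can run without it: `bool httpd_execmod false;` followed by `if (httpd_execmod) { allow httpd_t texrel_shlib_t:file execmod; }`. Note also that `allow httpd_t port_type:tcp_socket name_connect;` under `httpd_can_network_connect` covers every labeled port, which is wider than the `can_network_client(httpd_t)` it follows suggests — a comment stating that this is intentional would help.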
@@ -209,13 +184,14 @@ allow initrc_t httpd_modules_t:dir r_dir_perms; allow httpd_t etc_t:file { read getattr ioctl }; allow httpd_t etc_t:lnk_file { getattr read }; +# setup the system domain for system CGI scripts +apache_domain(sys) +dontaudit httpd_sys_script_t httpd_config_t:dir search; + # Run SSI execs in system CGI script domain. if (httpd_ssi_exec) { domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t) } -r_dir_file(httpd_t, httpd_sys_script_ro_t) -create_dir_file(httpd_t, httpd_sys_script_rw_t) -ra_dir_file(httpd_t, httpd_sys_script_ra_t) allow httpd_sys_script_t httpd_t:tcp_socket { read write }; ################################################## @@ -242,7 +218,6 @@ allow httpd_php_t httpd_log_t:file ra_file_perms; # access to /tmp tmp_domain(httpd) tmp_domain(httpd_php) -tmp_domain(httpd_suexec) # Creation of lock files for apache2 lock_domain(httpd) @@ -262,10 +237,11 @@ allow httpd_t bin_t:dir search; allow httpd_t sbin_t:dir search; allow httpd_t httpd_log_t:dir remove_name; +read_fonts(httpd_t) + allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow httpd_t autofs_t:dir { search getattr }; -allow httpd_suexec_t autofs_t:dir { search getattr }; if (use_nfs_home_dirs && httpd_enable_homedirs) { httpd_home_dirs(nfs_t) 
@@ -273,33 +249,24 @@ httpd_home_dirs(nfs_t) if (use_samba_home_dirs && httpd_enable_homedirs) { httpd_home_dirs(cifs_t) } -r_dir_file(httpd_t, fonts_t) # # Allow users to mount additional directories as http_source # allow httpd_t mnt_t:dir r_dir_perms; -######################################## -# When the admin starts the server, the server wants to acess -# the TTY or PTY associated with the session. The httpd appears -# to run correctly without this permission, so the permission -# are dontaudited here. -################################################## -dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; - -can_kerberos(httpd_t) - ifdef(`targeted_policy', ` typealias httpd_sys_content_t alias httpd_user_content_t; typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; if (httpd_enable_homedirs) { -allow httpd_sys_script_t user_home_dir_t:dir { getattr search }; -allow httpd_t user_home_dir_t:dir { getattr search }; +allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search }; } ') dnl targeted policy +# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context +typealias httpd_sys_content_t alias httpd_sysadm_content_t; + ifdef(`distro_redhat', ` # # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat 
@@ -319,36 +286,118 @@ dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; dontaudit httpd_t usr_t:dir write; ') -type httpd_squirrelmail_t, file_type, sysadmfile; -create_dir_file(httpd_t, httpd_squirrelmail_t) -allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; -# File Type of squirrelmail attachments -type squirrelmail_spool_t, file_type, sysadmfile, tmpfile; -allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search }; -create_dir_file(httpd_t, squirrelmail_spool_t) -r_dir_file(httpd_sys_script_t, squirrelmail_spool_t) - -ifdef(`mta.te', ` -dontaudit system_mail_t httpd_log_t:file { append getattr }; -allow system_mail_t httpd_squirrelmail_t:file { append read }; -dontaudit system_mail_t httpd_t:tcp_socket { read write }; -') - application_domain(httpd_helper) role system_r types httpd_helper_t; domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) allow httpd_helper_t httpd_config_t:file { getattr read }; allow httpd_helper_t httpd_log_t:file { append }; +######################################## +# When the admin starts the server, the server wants to access +# the TTY or PTY associated with the session. The httpd appears +# to run correctly without this permission, so the permission +# are dontaudited here. +################################################## + if (httpd_tty_comm) { allow { httpd_t httpd_helper_t } devpts_t:dir { search }; ifdef(`targeted_policy', ` allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write }; ') allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write }; +} else { +dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; } read_sysctl(httpd_sys_script_t) allow httpd_sys_script_t var_lib_t:dir search; dontaudit httpd_t selinux_config_t:dir search; r_dir_file(httpd_t, cert_t) + +# +# unconfined domain for apache scripts. 
Only to be used as a last resort +# +type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable; +type httpd_unconfined_script_t, domain, nscd_client_domain; +role system_r types httpd_unconfined_script_t; +unconfined_domain(httpd_unconfined_script_t) + +# The following are types for SUEXEC,which runs user scripts as their +# own user ID +# +daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool') +allow httpd_t httpd_suexec_exec_t:file { getattr read }; + +######################################################### +# Permissions for running child processes and scripts +########################################################## + +allow httpd_suexec_t self:capability { setuid setgid }; + +dontaudit httpd_suexec_t var_run_t:dir search; +allow httpd_suexec_t { var_t var_log_t }:dir search; +allow httpd_suexec_t home_root_t:dir search; + +allow httpd_suexec_t httpd_log_t:dir ra_dir_perms; +allow httpd_suexec_t httpd_log_t:file { create ra_file_perms }; +allow httpd_suexec_t httpd_t:fifo_file getattr; +allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + +allow httpd_suexec_t etc_t:file { getattr read }; +read_locale(httpd_suexec_t) +read_sysctl(httpd_suexec_t) +allow httpd_suexec_t urandom_device_t:chr_file { getattr read }; + +# for shell scripts +allow httpd_suexec_t bin_t:dir search; +allow httpd_suexec_t bin_t:lnk_file read; +can_exec(httpd_suexec_t, { bin_t shell_exec_t }) + +if (httpd_can_network_connect) { +can_network(httpd_suexec_t) +allow httpd_suexec_t port_type:tcp_socket name_connect; +} + +can_ypbind(httpd_suexec_t) +allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl }; + +allow httpd_suexec_t autofs_t:dir { search getattr }; +tmp_domain(httpd_suexec) + +if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! 
httpd_disable_trans')) { +domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) +ifdef(`targeted_policy', `', ` +domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) +') +} +if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) +create_dir_file(httpd_t, httpdcontent) +} +if (httpd_enable_cgi) { +domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) +domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) +allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop }; +allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms; +} + +# +# Types for squirrelmail +# +type httpd_squirrelmail_t, file_type, sysadmfile; +create_dir_file(httpd_t, httpd_squirrelmail_t) +allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; +# File Type of squirrelmail attachments +type squirrelmail_spool_t, file_type, sysadmfile, tmpfile; +allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search }; +create_dir_file(httpd_t, squirrelmail_spool_t) +r_dir_file(httpd_sys_script_t, squirrelmail_spool_t) + +ifdef(`mta.te', ` +# apache should set close-on-exec +dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; +dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write }; +dontaudit system_mail_t httpd_log_t:file { append getattr }; +allow system_mail_t httpd_squirrelmail_t:file { append read }; +dontaudit system_mail_t httpd_t:tcp_socket { read write }; +') diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te index 2f3cf09..dd08d41 100644 --- a/strict/domains/program/apmd.te +++ b/strict/domains/program/apmd.te 
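Review bot: The transitions into `httpd_unconfined_script_t` at the end of the hunk, `domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` and the matching suexec line, are gated only on `httpd_enable_cgi`, the same boolean that enables ordinary confined CGI. Combined with `unconfined_domain(httpd_unconfined_script_t)` and the `customizable` attribute on the exec type, any file relabeled to `httpd_unconfined_script_exec_t` runs with no confinement as soon as CGI is on at all, even though the header comment says it is 'Only to be used as a last resort'. A dedicated boolean would make the opt-in explicit: `bool httpd_unconfined_scripts false;` and `if (httpd_enable_cgi && httpd_unconfined_scripts) {` around those two transitions and the signal/dir rules that follow them. Also, `httpd_suexec_t` now gets `can_network(httpd_suexec_t)` plus `allow httpd_suexec_t port_type:tcp_socket name_connect;` under `httpd_can_network_connect`, so user scripts can reach any labeled port when that boolean is set — worth stating in a comment since suexec scripts run as the user rather than the daemon.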
@@ -21,17 +21,19 @@ uses_shlib(apm_t) allow apm_t privfd:fd use; allow apm_t admin_tty_type:chr_file rw_file_perms; allow apm_t device_t:dir search; -allow apm_t self:capability sys_admin; +allow apm_t self:capability { dac_override sys_admin }; allow apm_t proc_t:dir search; -allow apm_t proc_t:file { read getattr }; +allow apm_t proc_t:file r_file_perms; allow apm_t fs_t:filesystem getattr; allow apm_t apm_bios_t:chr_file rw_file_perms; role sysadm_r types apm_t; role system_r types apm_t; allow apmd_t device_t:lnk_file read; -allow apmd_t proc_t:file { getattr read }; -read_sysctl(apmd_t) +allow apmd_t proc_t:file { getattr read write }; +can_sysctl(apmd_t) +allow apmd_t sysfs_t:file write; + allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; allow apmd_t self:fifo_file rw_file_perms; @@ -52,7 +54,7 @@ allow apmd_t self:file { getattr read ioctl }; allow apmd_t self:process getsession; # Use capabilities. -allow apmd_t self:capability { sys_admin sys_nice sys_time }; +allow apmd_t self:capability { sys_admin sys_nice sys_time kill }; # controlling an orderly resume of PCMCIA requires creating device # nodes 254,{0,1,2} for some reason. @@ -67,7 +69,10 @@ can_exec_any(apmd_t) # apmd calls hwclock.sh on suspend and resume allow apmd_t clock_device_t:chr_file r_file_perms; ifdef(`hwclock.te', ` +domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) allow apmd_t adjtime_t:file rw_file_perms; +allow hwclock_t apmd_log_t:file append; +allow hwclock_t apmd_t:unix_stream_socket { read write }; ') @@ -84,7 +89,7 @@ dontaudit apmd_t domain:dir search; ifdef(`distro_redhat', ` can_exec(apmd_t, apmd_var_run_t) # for /var/lock/subsys/network -rw_dir_create_file(apmd_t, var_lock_t) +lock_domain(apmd) # ifconfig_exec_t needs to be run in its own domain for Red Hat ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)') 
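Review bot: `allow apmd_t proc_t:file { getattr read write };` widens the old read-only rule to writing every file carrying the generic proc_t label, and the hunk gives no hint which /proc entry apmd actually writes. The same hunk also swaps `read_sysctl(apmd_t)` for `can_sysctl(apmd_t)` and adds `allow apmd_t sysfs_t:file write;`, so apmd_t now has write access across /proc, sysctl and sysfs at once. Please add a comment naming the files (presumably the APM/ACPI sleep-state entries — confirm), and if they are a small fixed set, label them with a dedicated type so the write grant is not generic, e.g. `# apmd writes /proc/... on suspend — TODO: dedicated type instead of proc_t write`.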
@@ -108,6 +113,7 @@ allow apmd_t initrc_var_run_t:file { read write lock }; # # Allow it to run killof5 and pidof # +typeattribute apmd_t unrestricted; r_dir_file(apmd_t, domain) # Same for apm/acpid scripts diff --git a/strict/domains/program/arpwatch.te b/strict/domains/program/arpwatch.te index 936d985..3065800 100644 --- a/strict/domains/program/arpwatch.te +++ b/strict/domains/program/arpwatch.te @@ -40,3 +40,9 @@ allow initrc_t arpwatch_data_t:dir { add_name write }; allow initrc_t arpwatch_data_t:file create; ')dnl end distro_gentoo +# why is mail delivered to a directory of type arpwatch_data_t? +allow mta_delivery_agent arpwatch_data_t:dir search; +allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms; +ifdef(`hide_broken_symptoms', ` +dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write }; +') diff --git a/strict/domains/program/automount.te b/strict/domains/program/automount.te index dbbe8ef..d86e11d 100644 --- a/strict/domains/program/automount.te +++ b/strict/domains/program/automount.te @@ -25,8 +25,8 @@ allow automount_t fs_type:dir getattr; allow automount_t { etc_t etc_runtime_t }:file { getattr read }; allow automount_t proc_t:file { getattr read }; -allow automount_t self:process { setpgid setsched }; -allow automount_t self:capability sys_nice; +allow automount_t self:process { getpgid setpgid setsched }; +allow automount_t self:capability { sys_nice dac_override }; allow automount_t self:unix_stream_socket create_socket_perms; allow automount_t self:unix_dgram_socket create_socket_perms; 
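Review bot: `typeattribute apmd_t unrestricted;` sits under the comment '# Allow it to run killof5 and pidof', but reading other domains' /proc entries is already provided by `r_dir_file(apmd_t, domain)` on the next line, and an attribute-wide exemption like `unrestricted` is far broader than either tool needs. If something specific is still denied (killall5 signalling processes in other domains, for example), grant that explicitly, e.g. `allow apmd_t domain:process { signal sigkill };` with a comment, and drop the attribute. I cannot see what `unrestricted` expands to in this policy tree, so if it is genuinely required the comment should say which denial it resolves.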
@@ -63,7 +63,13 @@ dontaudit automount_t var_t:dir write; allow userdomain autofs_t:dir r_dir_perms; allow kernel_t autofs_t:dir { getattr ioctl read search }; -allow automount_t home_root_t:dir getattr; +allow automount_t { boot_t home_root_t }:dir getattr; allow automount_t mnt_t:dir { getattr search }; -allow initrc_t automount_etc_t:file { getattr read }; +can_exec(initrc_t, automount_etc_t) + +# Allow automount to create and delete directories in / and /home +file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir) + +allow automount_t var_lib_t:dir search; +allow automount_t var_lib_nfs_t:dir search; diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te index 15ef978..b2e3622 100644 --- a/strict/domains/program/bluetooth.te +++ b/strict/domains/program/bluetooth.te @@ -17,7 +17,7 @@ tmp_domain(bluetooth) # Use capabilities. allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; -rw_dir_create_file(bluetooth_t, var_lock_t) +lock_domain(bluetooth) # Use the network. can_network_server(bluetooth_t) @@ -26,7 +26,8 @@ ifdef(`dbusd.te', ` dbusd_client(system, bluetooth) allow bluetooth_t system_dbusd_t:dbus send_msg; ') -allow bluetooth_t self:socket { create setopt ioctl bind listen }; +allow bluetooth_t self:socket create_stream_socket_perms; + allow bluetooth_t self:unix_dgram_socket create_socket_perms; allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; @@ -39,4 +40,6 @@ type bluetooth_conf_t, file_type, sysadmfile; allow bluetooth_t bluetooth_conf_t:dir search; allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; #/usr/sbin/hid2hci causes the following -allow initrc_t usbfs_t:file { read }; +allow initrc_t usbfs_t:file { getattr read }; +allow bluetooth_t usbfs_t:dir r_dir_perms; +allow bluetooth_t usbfs_t:file rw_file_perms; diff --git a/strict/domains/program/bootloader.te b/strict/domains/program/bootloader.te index 706945f..5046cd0 100644 
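Review bot: `can_exec(initrc_t, automount_etc_t)` replaces the old `getattr read` grant, so init scripts can now execute files of the automount config type in initrc_t itself without a domain transition. If that is for executable (program) maps, a writable map is effectively code running in the init domain, and the rule deserves a comment saying so, e.g. `# executable auto.* maps are run by the init script`, plus a check that nothing but the admin can write automount_etc_t. The new `file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)` is fine for mount points but also lets automount_t create arbitrary directories directly under /, which is worth noting next to its comment.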
--- a/strict/domains/program/bootloader.te +++ b/strict/domains/program/bootloader.te @@ -13,7 +13,6 @@ type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin'); type bootloader_exec_t, file_type, sysadmfile, exec_type; etc_domain(bootloader) -typealias bootloader_etc_t alias etc_bootloader_t; role sysadm_r types bootloader_t; role system_r types bootloader_t; diff --git a/strict/domains/program/canna.te b/strict/domains/program/canna.te index f629788..feb4e52 100644 --- a/strict/domains/program/canna.te +++ b/strict/domains/program/canna.te @@ -29,6 +29,7 @@ allow canna_t canna_var_lib_t:dir create; rw_dir_create_file(canna_t, canna_var_lib_t) can_network_tcp(canna_t) +allow canna_t port_type:tcp_socket name_connect; can_ypbind(canna_t) allow userdomain canna_var_run_t:dir search; @@ -41,3 +42,5 @@ allow i18n_input_t canna_var_run_t:sock_file write; can_unix_connect(i18n_input_t, canna_t) ') +dontaudit canna_t kernel_t:fd use; +dontaudit canna_t root_t:file read; diff --git a/strict/domains/program/checkpolicy.te b/strict/domains/program/checkpolicy.te index 97ea0bc..d75b4f8 100644 --- a/strict/domains/program/checkpolicy.te +++ b/strict/domains/program/checkpolicy.te @@ -50,8 +50,6 @@ allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read uses_shlib(checkpolicy_t) allow checkpolicy_t self:capability dac_override; -allow checkpolicy_t sysadm_tmp_t:file { getattr write } ; - ########################## # Allow users to execute checkpolicy without a domain transition # so it can be used without privilege to write real binary policy file diff --git a/strict/domains/program/cups.te b/strict/domains/program/cups.te index 684f440..c1685db 100644 --- a/strict/domains/program/cups.te +++ b/strict/domains/program/cups.te 
@@ -11,17 +11,15 @@ # cupsd_t is the domain of cupsd. # cupsd_exec_t is the type of the cupsd executable. # -type ipp_port_t, port_type, reserved_port_type; daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain') etcdir_domain(cupsd) -typealias cupsd_etc_t alias etc_cupsd_t; type cupsd_rw_etc_t, file_type, sysadmfile, usercanread; -typealias cupsd_rw_etc_t alias etc_cupsd_rw_t; can_network(cupsd_t) +allow cupsd_t port_type:tcp_socket name_connect; logdir_domain(cupsd) -tmp_domain(cupsd) +tmp_domain(cupsd, `', { file dir fifo_file }) allow cupsd_t devpts_t:dir search; @@ -71,15 +69,22 @@ dontaudit cupsd_t etc_t:file write; can_exec(cupsd_t, cupsd_exec_t) allow cupsd_t cupsd_exec_t:dir search; allow cupsd_t cupsd_exec_t:lnk_file read; +allow cupsd_t reserved_port_t:tcp_socket name_bind; +dontaudit cupsd_t reserved_port_type:tcp_socket name_bind; allow cupsd_t self:unix_stream_socket create_socket_perms; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:fifo_file rw_file_perms; # Use capabilities. -allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config }; +allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write }; dontaudit cupsd_t self:capability net_admin; +# +# /usr/lib/cups/backend/serial needs sys_admin +# Need new context to run under??? +allow cupsd_t self:capability sys_admin; + allow cupsd_t self:process setsched; # for /var/lib/defoma @@ -109,7 +114,7 @@ allow cupsd_t bin_t:lnk_file read; can_exec(cupsd_t, { shell_exec_t bin_t sbin_t }) # They will also invoke ghostscript, which needs to read fonts -r_dir_file(cupsd_t, fonts_t) +read_fonts(cupsd_t) # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* allow cupsd_t lib_t:file { read getattr }; 
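Review bot: The unconditional `allow cupsd_t self:capability sys_admin;` in the second hunk puts sys_admin on the network-listening scheduler for the sake of one backend, and the comment '# Need new context to run under???' already records the doubt. Because /usr/lib/cups/backend/serial is a separate executable, the cleaner answer is a backend type with a transition such as `domain_auto_trans(cupsd_t, cupsd_backend_exec_t, cupsd_backend_t)` so only that child holds sys_admin; until then, at least gate the line behind a boolean, `bool cupsd_serial_backend false;` and `if (cupsd_serial_backend) { allow cupsd_t self:capability sys_admin; }`. Separately, `dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;` next to `allow cupsd_t reserved_port_t:tcp_socket name_bind;` silences bind attempts on every specifically labeled reserved port — fine for noise, but a comment noting that only unlabeled reserved ports are actually permitted would stop readers mistaking the dontaudit for an allow.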
@@ -120,7 +125,9 @@ allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl }; # # lots of errors generated requiring the following # -allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms }; + # # Satisfy readahead # @@ -140,18 +147,23 @@ dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; # PTAL daemon_domain(ptal) etcdir_domain(ptal) -allow ptal_t ptal_var_run_t:fifo_file create_file_perms; -allow ptal_t ptal_var_run_t:sock_file create_file_perms; -allow ptal_t self:capability chown; + +file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t) +allow ptal_t self:capability { chown sys_rawio }; allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; allow ptal_t self:unix_stream_socket { listen accept }; +can_network_server_tcp(ptal_t) +allow ptal_t ptal_port_t:tcp_socket name_bind; +allow userdomain ptal_t:unix_stream_socket connectto; +allow userdomain ptal_var_run_t:sock_file write; +allow userdomain ptal_var_run_t:dir search; allow ptal_t self:fifo_file rw_file_perms; allow ptal_t device_t:dir read; -allow ptal_t printer_device_t:chr_file { ioctl read write }; +allow ptal_t printer_device_t:chr_file rw_file_perms; allow initrc_t printer_device_t:chr_file getattr; allow ptal_t { etc_t etc_runtime_t }:file { getattr read }; r_dir_file(ptal_t, usbdevfs_t) -r_dir_file(ptal_t, usbfs_t) +rw_dir_file(ptal_t, usbfs_t) allow cupsd_t ptal_var_run_t:sock_file { write setattr }; allow cupsd_t ptal_t:unix_stream_socket connectto; allow cupsd_t ptal_var_run_t:dir search; 
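Review bot: In the ptal hunk, `allow userdomain ptal_t:unix_stream_socket connectto;` together with `allow userdomain ptal_var_run_t:sock_file write;` opens the daemon's socket to every user domain, while the same hunk raises ptal_t to `self:capability { chown sys_rawio }` and `rw_dir_file(ptal_t, usbfs_t)`. That makes an unprivileged local user a direct client of a raw-I/O-capable daemon, so the pairing should be deliberate and documented, e.g. `# user print clients talk to ptal over its unix socket; ptal_t itself holds sys_rawio for the USB/parallel backends`. If only cupsd_t (which already has `connectto` a few lines down) needs the socket, the userdomain rules could be dropped.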
@@ -160,19 +172,47 @@ dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; allow initrc_t ptal_var_run_t:dir rmdir; allow initrc_t ptal_var_run_t:fifo_file unlink; + +# HPLIP +daemon_domain(hplip) +etcdir_domain(hplip) +allow hplip_t etc_t:file r_file_perms; +allow hplip_t etc_runtime_t:file { read getattr }; +allow hplip_t printer_device_t:chr_file rw_file_perms; +allow cupsd_t hplip_var_run_t:file { read getattr }; +allow hplip_t cupsd_etc_t:dir search; +can_network(hplip_t) +allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect; +allow hplip_t hplip_port_t:tcp_socket name_bind; + +# Uses networking to talk to the daemons +allow hplip_t self:unix_dgram_socket create_socket_perms; +allow hplip_t self:unix_stream_socket create_socket_perms; + +# for python +can_exec(hplip_t, bin_t) +allow hplip_t { sbin_t bin_t }:dir search; +allow hplip_t self:file { getattr read }; +allow hplip_t proc_t:file r_file_perms; +allow hplip_t urandom_device_t:chr_file { getattr read }; +allow hplip_t usr_t:{ file lnk_file } r_file_perms; + dontaudit cupsd_t selinux_config_t:dir search; dontaudit cupsd_t selinux_config_t:file { getattr read }; allow cupsd_t printconf_t:file { getattr read }; +ifdef(`dbusd.te', ` dbusd_client(system, cupsd) - -ifdef(`hald.te', ` +allow cupsd_t system_dbusd_t:dbus send_msg; +allow cupsd_t userdomain:dbus send_msg; +') # CUPS configuration daemon daemon_domain(cupsd_config) allow cupsd_config_t devpts_t:dir search; +allow cupsd_config_t devpts_t:chr_file { getattr ioctl }; ifdef(`distro_redhat', ` ifdef(`rpm.te', ` 
@@ -196,8 +236,11 @@ allow cupsd_config_t self:capability chown; rw_dir_create_file(cupsd_config_t, cupsd_etc_t) rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t) file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) +file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file) can_network_tcp(cupsd_config_t) +can_ypbind(cupsd_config_t) +allow cupsd_config_t port_type:tcp_socket name_connect; can_tcp_connect(cupsd_config_t, cupsd_t) allow cupsd_config_t self:fifo_file rw_file_perms; @@ -206,15 +249,23 @@ ifdef(`dbusd.te', ` dbusd_client(system, cupsd_config) allow cupsd_config_t userdomain:dbus send_msg; allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc }; -allow cupsd_t system_dbusd_t:dbus send_msg; allow userdomain cupsd_config_t:dbus send_msg; -allow cupsd_config_t hald_t:dbus send_msg; -allow hald_t cupsd_config_t:dbus send_msg; -allow cupsd_t userdomain:dbus send_msg; +')dnl end if dbusd.te + +ifdef(`hald.te', ` + +ifdef(`dbusd.te', ` allow cupsd_t hald_t:dbus send_msg; +allow cupsd_config_t hald_t:dbus send_msg; allow hald_t cupsd_t:dbus send_msg; ')dnl end if dbusd.te +allow hald_t cupsd_config_t:process signal; +domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t) + +') dnl end if hald.te + + can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t }) ifdef(`hostname.te', ` can_exec(cupsd_t, hostname_exec_t) 
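Review bot: `file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)` labels every file cupsd_config_t creates in a generic var_t directory as cupsd_rw_etc_t, which is declared `usercanread` earlier in this diff, so whatever it writes under /var silently becomes a user-readable config-typed file. The hunk does not say which path this is for; a comment such as `# cupsd_config writes <path> under /var — confirm` and, if it is a single location, a dedicated type would keep the rw-config type from spreading. The added `allow cupsd_config_t port_type:tcp_socket name_connect;` also covers every labeled port even though the only visible peer is `can_tcp_connect(cupsd_config_t, cupsd_t)`; if that is the real need, `ipp_port_t` would be the narrower target.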
@@ -235,23 +286,27 @@ allow cupsd_config_t printconf_t:file { getattr read }; allow cupsd_config_t urandom_device_t:chr_file { getattr read }; -domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t) ifdef(`logrotate.te', ` allow cupsd_config_t logrotate_t:fd use; ')dnl end if logrotate.te allow cupsd_config_t system_crond_t:fd use; -allow cupsd_config_t crond_t:fifo_file read; +allow cupsd_config_t crond_t:fifo_file r_file_perms; allow cupsd_t crond_t:fifo_file read; +allow cupsd_t crond_t:fd use; # Alternatives asks for this allow cupsd_config_t initrc_exec_t:file getattr; -') dnl end if hald.te ifdef(`targeted_policy', ` can_unix_connect(cupsd_t, initrc_t) allow cupsd_t initrc_t:dbus send_msg; allow initrc_t cupsd_t:dbus send_msg; +allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg; +allow unconfined_t cupsd_config_t:dbus send_msg; +allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read; ') - -ifdef(`targeted_policy', ` -allow cupsd_t unconfined_t:dbus send_msg; -') +typealias printer_port_t alias cupsd_lpd_port_t; +inetd_child_domain(cupsd_lpd) +allow inetd_t printer_port_t:tcp_socket name_bind; +r_dir_file(cupsd_lpd_t, cupsd_etc_t) +r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t) +allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect; diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te index d101c1a..a22fce9 100644 --- a/strict/domains/program/cyrus.te +++ b/strict/domains/program/cyrus.te @@ -15,9 +15,8 @@ type cyrus_var_lib_t, file_type, sysadmfile; allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; allow cyrus_t self:process setrlimit; -allow initrc_su_t cyrus_var_lib_t:dir search; - can_network(cyrus_t) +allow cyrus_t port_type:tcp_socket name_connect; can_ypbind(cyrus_t) can_exec(cyrus_t, bin_t) allow cyrus_t cyrus_var_lib_t:dir create_dir_perms; 
@@ -27,14 +26,11 @@ allow cyrus_t lib_t:file { execute execute_no_trans getattr read }; read_locale(cyrus_t) read_sysctl(cyrus_t) tmp_domain(cyrus) -ifdef(`use_pop', ` -allow cyrus_t pop_port_t:tcp_socket name_bind; -') +allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind; allow cyrus_t proc_t:dir search; allow cyrus_t proc_t:file { getattr read }; allow cyrus_t sysadm_devpts_t:chr_file { read write }; -allow cyrus_t staff_t:fd use; allow cyrus_t var_lib_t:dir search; allow cyrus_t etc_runtime_t:file { read getattr }; @@ -42,6 +38,7 @@ ifdef(`crond.te', ` system_crond_entry(cyrus_exec_t, cyrus_t) allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms; allow system_crond_t cyrus_var_lib_t:file create_file_perms; -allow system_crond_su_t cyrus_var_lib_t:dir search; ') -allow cyrus_t mail_port_t:tcp_socket name_bind; +create_dir_file(cyrus_t, mail_spool_t) +allow cyrus_t var_spool_t:dir search; + diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te index 53f7de4..3703ce4 100644 --- a/strict/domains/program/dhcpc.te +++ b/strict/domains/program/dhcpc.te @@ -15,14 +15,13 @@ # dhcpc_exec_t is the type of the dhcpcd executable. # The dhcpc_t can be used for other DHCPC related files as well. # -type dhcpc_port_t, port_type, reserved_port_type; - daemon_domain(dhcpc) # for SSP allow dhcpc_t urandom_device_t:chr_file read; can_network(dhcpc_t) +allow dhcpc_t port_type:tcp_socket name_connect; can_ypbind(dhcpc_t) allow dhcpc_t self:unix_dgram_socket create_socket_perms; allow dhcpc_t self:unix_stream_socket create_socket_perms; @@ -38,6 +37,7 @@ domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t) ') ifdef(`nscd.te', ` domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t) +allow dhcpc_t nscd_var_run_t:file { getattr read }; ') ifdef(`cardmgr.te', ` domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) 
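Review bot: `allow dhcpc_t port_type:tcp_socket name_connect;` in the first dhcpc hunk lets the DHCP client connect to every labeled TCP port, and dhcpc_t is the domain that parses untrusted replies off the wire. `can_network(dhcpc_t)` already covers socket creation, so if the only outbound TCP need is the resolver, narrow it, e.g. `allow dhcpc_t dns_port_t:tcp_socket name_connect;`, or add a comment saying why an arbitrary port is required. The same blanket `port_type` name_connect is added for cyrus_t just above; the same question applies there.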
@@ -69,7 +69,6 @@ allow ping_t cardmgr_t:fd use; ifdef(`dhcpd.te', `', ` type dhcp_state_t, file_type, sysadmfile; type dhcp_etc_t, file_type, sysadmfile, usercanread; -typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; ') type dhcpc_state_t, file_type, sysadmfile; diff --git a/strict/domains/program/dictd.te b/strict/domains/program/dictd.te index 39df03a..d610d07 100644 --- a/strict/domains/program/dictd.te +++ b/strict/domains/program/dictd.te @@ -10,11 +10,10 @@ # # dictd_exec_t is the type of the dictd executable. # -type dict_port_t, port_type; daemon_base_domain(dictd) -type var_lib_dictd_t, file_type, sysadmfile; +type dictd_var_lib_t, file_type, sysadmfile; +typealias dictd_var_lib_t alias var_lib_dictd_t; etc_domain(dictd) -typealias dictd_etc_t alias etc_dictd_t; # for checking for nscd dontaudit dictd_t var_run_t:dir search; @@ -25,8 +24,8 @@ allow dictd_t { etc_t etc_runtime_t }:file r_file_perms; read_locale(dictd_t) allow dictd_t { var_t var_lib_t }:dir search; -allow dictd_t var_lib_dictd_t:dir r_dir_perms; -allow dictd_t var_lib_dictd_t:file r_file_perms; +allow dictd_t dictd_var_lib_t:dir r_dir_perms; +allow dictd_t dictd_var_lib_t:file r_file_perms; allow dictd_t self:capability { setuid setgid }; diff --git a/strict/domains/program/dovecot.te b/strict/domains/program/dovecot.te index 9d91688..07f0f6f 100644 --- a/strict/domains/program/dovecot.te +++ b/strict/domains/program/dovecot.te 
@@ -3,17 +3,24 @@ # Author: Russell Coker # X-Debian-Packages: dovecot-imapd, dovecot-pop3d +# +# Main dovecot daemon +# daemon_domain(dovecot, `, privhome') +etc_domain(dovecot); allow dovecot_t dovecot_var_run_t:sock_file create_file_perms; can_exec(dovecot_t, dovecot_exec_t) type dovecot_cert_t, file_type, sysadmfile; +type dovecot_passwd_t, file_type, sysadmfile; +type dovecot_spool_t, file_type, sysadmfile; allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; allow dovecot_t self:process setrlimit; can_network_tcp(dovecot_t) +allow dovecot_t port_type:tcp_socket name_connect; can_ypbind(dovecot_t) allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket create_stream_socket_perms; @@ -25,9 +32,10 @@ allow dovecot_t bin_t:dir { getattr search }; can_exec(dovecot_t, bin_t) allow dovecot_t pop_port_t:tcp_socket name_bind; -allow dovecot_t urandom_device_t:chr_file read; +allow dovecot_t urandom_device_t:chr_file { getattr read }; allow dovecot_t cert_t:dir search; -allow dovecot_t dovecot_cert_t:file { getattr read }; +r_dir_file(dovecot_t, dovecot_cert_t) +r_dir_file(dovecot_t, cert_t) allow dovecot_t { self proc_t }:file { getattr read }; allow dovecot_t self:fifo_file rw_file_perms; 
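Review bot: `r_dir_file(dovecot_t, cert_t)` in the second hunk grants the daemon read access to the whole cert_t tree, on top of the `dovecot_cert_t` type that already exists for its own certificate and key. If cert_t is the generic certificate-directory label, that presumably includes other services' private keys; labeling dovecot's files dovecot_cert_t and keeping only the pre-existing `allow dovecot_t cert_t:dir search;` would keep the daemon's key access scoped. If the broader read is needed for CA bundles, a comment saying so would stop the next reviewer from asking the same question.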
@@ -36,11 +44,21 @@ can_kerberos(dovecot_t) allow dovecot_t tmp_t:dir search; rw_dir_file(dovecot_t, mail_spool_t) +create_dir_file(dovecot_t, dovecot_spool_t) +create_dir_file(mta_delivery_agent, dovecot_spool_t) allow dovecot_t mail_spool_t:lnk_file read; allow dovecot_t var_spool_t:dir { search }; +# +# Dovecot auth daemon +# daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd') +can_ldap(dovecot_auth_t) +can_ypbind(dovecot_auth_t) +can_kerberos(dovecot_auth_t) +can_resolve(dovecot_auth_t) allow dovecot_auth_t self:process { fork signal_perms }; +allow dovecot_auth_t self:capability { setgid setuid }; allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; @@ -50,6 +68,6 @@ allow dovecot_auth_t etc_t:file { getattr read }; allow dovecot_auth_t { self proc_t }:file { getattr read }; read_locale(dovecot_auth_t) read_sysctl(dovecot_auth_t) -allow dovecot_auth_t sysctl_t:dir search; +allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; dontaudit dovecot_auth_t selinux_config_t:dir search; diff --git a/strict/domains/program/fetchmail.te b/strict/domains/program/fetchmail.te index d87c11f..225f08e 100644 --- a/strict/domains/program/fetchmail.te +++ b/strict/domains/program/fetchmail.te @@ -2,6 +2,7 @@ # # Author: Greg Norris # X-Debian-Packages: fetchmail +# Depends: mta.te # # Note: This policy is only required when running fetchmail in daemon mode. 
@@ -17,7 +18,10 @@ type fetchmail_uidl_cache_t, file_type, sysadmfile; allow fetchmail_t self:process setrlimit; # network-related goodies -can_network(fetchmail_t) +can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t }) +can_network_udp(fetchmail_t, dns_port_t) +allow fetchmail_t port_type:tcp_socket name_connect; + allow fetchmail_t self:unix_dgram_socket create_socket_perms; allow fetchmail_t self:unix_stream_socket create_stream_socket_perms; diff --git a/strict/domains/program/fingerd.te b/strict/domains/program/fingerd.te index 86705eb..73fee16 100644 --- a/strict/domains/program/fingerd.te +++ b/strict/domains/program/fingerd.te @@ -12,9 +12,7 @@ # daemon_domain(fingerd) -type fingerd_port_t, port_type, reserved_port_type; etcdir_domain(fingerd) -typealias fingerd_etc_t alias etc_fingerd_t; allow fingerd_t etc_t:lnk_file read; allow fingerd_t { etc_t etc_runtime_t }:file { read getattr }; diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te index 938899a..57d79f6 100644 --- a/strict/domains/program/ftpd.te +++ b/strict/domains/program/ftpd.te @@ -9,13 +9,11 @@ # # Rules for the ftpd_t domain # -type ftp_port_t, port_type, reserved_port_type; -type ftp_data_port_t, port_type, reserved_port_type; -daemon_domain(ftpd, `, auth_chkpwd') +daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain') etc_domain(ftpd) -typealias ftpd_etc_t alias etc_ftpd_t; can_network(ftpd_t) +allow ftpd_t port_type:tcp_socket name_connect; allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_socket_perms; allow ftpd_t self:process { getcap setcap setsched setrlimit }; 
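Review bot: `type fingerd_port_t, port_type, reserved_port_type;` is removed here while fingerd_port_t is still referenced by the pppd hunk (`allow pppd_t fingerd_port_t:tcp_socket name_connect;`), and the same removal happens for ftp_port_t/ftp_data_port_t, biff_port_t, howl_port_t, i18n_input_port_t, innd_port_t, printer_port_t, radius_port_t/radacct_port_t, rsh_port_t and ldap_port_t, several of which are still used by `name_bind` rules that stay in these files. Presumably the declarations move to a shared network-types file that is not part of this diff; the commit message should name it, because a tree without it fails on the first remaining reference.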
@@ -41,10 +39,13 @@ can_exec(ftpd_t, logrotate_exec_t) allow ftpd_t ftp_data_port_t:tcp_socket name_bind; allow ftpd_t port_t:tcp_socket name_bind; +# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally +type ftpd_lock_t, file_type, sysadmfile, lockfile; + # Allow ftpd to run directly without inetd. bool ftpd_is_daemon false; if (ftpd_is_daemon) { -rw_dir_create_file(ftpd_t, var_lock_t) +file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file) allow ftpd_t ftp_port_t:tcp_socket name_bind; can_tcp_connect(userdomain, ftpd_t) # Allows it to check exec privs on daemon @@ -99,6 +100,8 @@ bool ftp_home_dir false; if (ftp_home_dir) { # allow access to /home allow ftpd_t home_root_t:dir { getattr search }; +allow ftpd_t home_dir_type:dir r_dir_perms; +create_dir_file(ftpd_t, home_type) } if (use_nfs_home_dirs && ftp_home_dir) { r_dir_file(ftpd_t, nfs_t) @@ -110,7 +113,6 @@ dontaudit ftpd_t selinux_config_t:dir search; # # Type for access to anon ftp # -type ftpd_anon_t, file_type, sysadmfile, customizable; r_dir_file(ftpd_t,ftpd_anon_t) type ftpd_anon_rw_t, file_type, sysadmfile, customizable; create_dir_file(ftpd_t,ftpd_anon_rw_t) diff --git a/strict/domains/program/games.te b/strict/domains/program/games.te index 6129631..dee046c 100644 --- a/strict/domains/program/games.te +++ b/strict/domains/program/games.te @@ -13,5 +13,8 @@ daemon_domain(games,,nosysadm) rw_dir_create_file(games_t, games_data_t) r_dir_file(initrc_t, games_data_t) +# Run in user_t +bool disable_games_trans false; + # Everything else is in the x_client_domain macro in # macros/program/x_client_macros.te. diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te index 745d52e..fc8a2bb 100644 --- a/strict/domains/program/getty.te +++ b/strict/domains/program/getty.te @@ -11,7 +11,6 @@ init_service_domain(getty, `, privfd') etcdir_domain(getty) -typealias getty_etc_t alias etc_getty_t; allow getty_t console_device_t:chr_file setattr; 
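Review bot: With ftp_home_dir on, `create_dir_file(ftpd_t, home_type)` gives ftpd create, write and unlink on every type carrying the home_type attribute, which is considerably more than the `# allow access to /home` comment above it suggests. Update the comment to state that this is full read/write of user home contents, gated only by ftpd's own authentication, so that the boolean's weight is visible where it is set; `allow ftpd_t home_dir_type:dir r_dir_perms;` is the expected search path and needs no change. In the ftpd_anon_t hunk the header `# Type for access to anon ftp` now precedes only `r_dir_file(ftpd_t,ftpd_anon_t)`, so if that type now lives elsewhere the comment should say where.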
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te index 95ebff9..2bdd0b5 100644 --- a/strict/domains/program/hald.te +++ b/strict/domains/program/hald.te @@ -29,7 +29,6 @@ allow hald_t { self proc_t }:file { getattr read }; allow hald_t { bin_t sbin_t }:dir search; allow hald_t self:fifo_file rw_file_perms; allow hald_t usr_t:file { getattr read }; - allow hald_t bin_t:file getattr; allow hald_t self:netlink_route_socket r_netlink_socket_perms; allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te index 7fd6a39..65f5396 100644 --- a/strict/domains/program/hotplug.te +++ b/strict/domains/program/hotplug.te @@ -29,7 +29,7 @@ allow hotplug_t sysctl_net_t:file { getattr read }; # get info from /proc r_dir_file(hotplug_t, proc_t) -allow hotplug_t self:file { getattr read }; +allow hotplug_t self:file { getattr read ioctl }; allow hotplug_t devtty_t:chr_file rw_file_perms; @@ -83,7 +83,9 @@ allow hotplug_t self:process { getsession getattr }; allow hotplug_t self:file getattr; domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t) +ifdef(`mount.te', ` domain_auto_trans(hotplug_t, mount_exec_t, mount_t) +') domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t) ifdef(`updfstab.te', ` domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t) diff --git a/strict/domains/program/howl.te b/strict/domains/program/howl.te index 026790a..ccb2fb1 100644 --- a/strict/domains/program/howl.te +++ b/strict/domains/program/howl.te @@ -3,7 +3,7 @@ # Author: Russell Coker # -daemon_domain(howl) +daemon_domain(howl, `, privsysmod') r_dir_file(howl_t, proc_net_t) can_network_server(howl_t) can_ypbind(howl_t) 
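Review bot: ``daemon_domain(howl, `, privsysmod')`` hands the mDNS responder the privsysmod attribute on top of the sys_module capability it already holds (visible in the next hunk's context), i.e. kernel-module loading privilege for a network-facing daemon, and the hunk gives no reason. The attribute's expansion is not in this diff, so I cannot tell what else it confers; a comment naming the module howl needs and why the kernel's module autoloading path does not cover it should accompany the grant, and if the change only silences a denial, a dontaudit is the smaller fix.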
@@ -12,7 +12,6 @@ allow howl_t self:capability { kill net_admin sys_module }; allow howl_t self:fifo_file rw_file_perms; -type howl_port_t, port_type; allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind; allow howl_t self:unix_dgram_socket create_socket_perms; diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te index 2af68ab..c4e3d77 100644 --- a/strict/domains/program/hwclock.te +++ b/strict/domains/program/hwclock.te @@ -19,9 +19,6 @@ daemon_base_domain(hwclock) role sysadm_r types hwclock_t; domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t) type adjtime_t, file_type, sysadmfile; -ifdef(`apmd.te', ` -domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) -') allow hwclock_t fs_t:filesystem getattr; diff --git a/strict/domains/program/i18n_input.te b/strict/domains/program/i18n_input.te index 8de3839..cdff6ca 100644 --- a/strict/domains/program/i18n_input.te +++ b/strict/domains/program/i18n_input.te @@ -2,17 +2,16 @@ # Security Policy for IIIMF htt server # Date: 2004, 12th April (Monday) -# Types for server port -type i18n_input_port_t, port_type; - # Establish i18n_input as a daemon daemon_domain(i18n_input) can_exec(i18n_input_t, i18n_input_exec_t) can_network(i18n_input_t) +allow i18n_input_t port_type:tcp_socket name_connect; can_ypbind(i18n_input_t) can_tcp_connect(userdomain, i18n_input_t) +can_unix_connect(i18n_input_t, initrc_t) allow i18n_input_t self:fifo_file rw_file_perms; allow i18n_input_t i18n_input_port_t:tcp_socket name_bind; 
@@ -21,9 +20,14 @@ allow i18n_input_t self:capability { kill setgid setuid }; allow i18n_input_t self:process { setsched setpgid }; allow i18n_input_t { bin_t sbin_t }:dir search; +can_exec(i18n_input_t, bin_t) allow i18n_input_t etc_t:file r_file_perms; allow i18n_input_t self:unix_dgram_socket create_socket_perms; allow i18n_input_t self:unix_stream_socket create_stream_socket_perms; allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms; allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms; +allow i18n_input_t usr_t:file { getattr read }; +allow i18n_input_t home_root_t:dir search; +allow i18n_input_t etc_runtime_t:file { getattr read }; +allow i18n_input_t proc_t:file { getattr read }; diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te index b2039ac..48ffb7b 100644 --- a/strict/domains/program/ifconfig.te +++ b/strict/domains/program/ifconfig.te @@ -21,9 +21,12 @@ uses_shlib(ifconfig_t) general_domain_access(ifconfig_t) domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t) +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t) +') # for /sbin/ip +allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; allow ifconfig_t etc_t:file { getattr read }; @@ -33,6 +36,7 @@ allow ifconfig_t self:socket create_socket_perms; # Use capabilities. allow ifconfig_t self:capability net_admin; dontaudit ifconfig_t self:capability sys_module; +allow ifconfig_t self:capability sys_tty_config; # Inherit and use descriptors from init. allow ifconfig_t { kernel_t init_t }:fd use; @@ -66,3 +70,4 @@ allow ifconfig_t lib_t:file { getattr read }; rhgb_domain(ifconfig_t) allow ifconfig_t userdomain:fd use; dontaudit ifconfig_t root_t:file read; +r_dir_file(ifconfig_t, sysfs_t) 
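Review bot: `can_exec(i18n_input_t, bin_t)` lets the IIIMF server run any program under bin_t without a domain transition, and the four `allow` rules appended at the end of the hunk (usr_t, home_root_t, etc_runtime_t, proc_t) have no comment saying which server behaviour needs them. A one-line comment per group, in the style of the `# for /sbin/ip` line in the ifconfig hunk, would make the grant reviewable; if only a specific helper is executed, naming its type instead of bin_t is the narrower rule. The ifconfig hunk's new `allow ifconfig_t self:capability sys_tty_config;` has the same gap.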
diff --git a/strict/domains/program/inetd.te b/strict/domains/program/inetd.te index c0eed55..5c88ab3 100644 --- a/strict/domains/program/inetd.te +++ b/strict/domains/program/inetd.te @@ -10,16 +10,11 @@ # Rules for the inetd_t domain and # the inetd_child_t domain. # -type biff_port_t, port_type, reserved_port_type; - -################################# -# -# Rules for the inetd_t domain. -# daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' ) can_network(inetd_t) +allow inetd_t port_type:tcp_socket name_connect; allow inetd_t self:unix_dgram_socket create_socket_perms; allow inetd_t self:unix_stream_socket create_socket_perms; allow inetd_t self:fifo_file rw_file_perms; @@ -50,6 +45,7 @@ allow inetd_t talk_port_t:tcp_socket name_bind; allow inetd_t ntalk_port_t:tcp_socket name_bind; ') +allow inetd_t auth_port_t:tcp_socket name_bind; # Communicate with the portmapper. ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)') diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te index 3aeb04f..3fb67de 100644 --- a/strict/domains/program/init.te +++ b/strict/domains/program/init.te @@ -131,10 +131,8 @@ can_exec(init_t,etc_t) allow init_t lib_t:file { getattr read }; -ifdef(`rhgb.te', ` allow init_t devtty_t:chr_file { read write }; allow init_t ramfs_t:dir search; -') r_dir_file(init_t, sysfs_t) r_dir_file(init_t, selinux_config_t) @@ -142,6 +140,6 @@ r_dir_file(init_t, selinux_config_t) # file descriptors inherited from the rootfs. dontaudit init_t root_t:{ file chr_file } { read write }; ifdef(`targeted_policy', ` -typeattribute init_t unrestricted; +unconfined_domain(init_t) ') diff --git a/strict/domains/program/innd.te b/strict/domains/program/innd.te index 09b7c06..25047df 100644 --- a/strict/domains/program/innd.te +++ b/strict/domains/program/innd.te 
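Review bot: `unconfined_domain(init_t)` replaces `typeattribute init_t unrestricted;` inside the targeted_policy block, but the macro's expansion is not in this diff, so whether it is a strict superset of the old attribute cannot be checked from here; the rpm hunk uses the same macro for rpm_t and rpm_script_t, so presumably it is the current spelling of the same grant. A short comment inside the ifdef, or a commit-message line, recording that equivalence saves the next reader the lookup. In the inetd hunk, `allow inetd_t auth_port_t:tcp_socket name_bind;` sits outside the ifdef that guards the talk ports; if it is for identd only, a comment should say so.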
@@ -7,7 +7,6 @@ # Types for the server port and news spool. # -type innd_port_t, port_type, reserved_port_type; type news_spool_t, file_type, sysadmfile; @@ -29,6 +28,7 @@ can_exec(innd_t, hostname_exec_t) allow innd_t var_spool_t:dir { getattr search }; can_network(innd_t) +allow innd_t port_type:tcp_socket name_connect; can_ypbind(innd_t) can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } ) diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te index 257c587..7ec13fc 100644 --- a/strict/domains/program/kudzu.te +++ b/strict/domains/program/kudzu.te @@ -20,7 +20,7 @@ allow kudzu_t memory_device_t:chr_file { read write execute }; allow kudzu_t ramfs_t:dir search; allow kudzu_t ramfs_t:sock_file write; allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; -allow kudzu_t modules_conf_t:file { getattr read }; +allow kudzu_t modules_conf_t:file { getattr read unlink }; allow kudzu_t modules_object_t:dir r_dir_perms; allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read }; allow kudzu_t mouse_device_t:chr_file { read write }; @@ -38,7 +38,7 @@ allow kudzu_t usbdevfs_t:dir search; allow kudzu_t usbdevfs_t:file { getattr read }; allow kudzu_t usbfs_t:dir search; allow kudzu_t usbfs_t:file { getattr read }; -allow kudzu_t var_t:dir search; +var_run_domain(kudzu) allow kudzu_t kernel_t:system syslog_console; allow kudzu_t self:udp_socket { create ioctl }; allow kudzu_t var_lock_t:dir search; 
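Review bot: `allow kudzu_t modules_conf_t:file { getattr read unlink };` lets kudzu delete the module configuration but grants no create or write on the type, so either the rewrite happens through another type (then a comment should name it) or the deletion leaves the system without a modules config until something else recreates it. Because modules_conf_t decides what the kernel loads at boot, the reason for unlink deserves a line above the rule. `var_run_domain(kudzu)` replacing the bare `var_t:dir search` is the right direction.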
@@ -94,9 +94,19 @@ dontaudit kudzu_t file_t:dir search; ifdef(`lpd.te', ` allow kudzu_t printconf_t:file { getattr read }; ') +ifdef(`cups.te', ` allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms; +') dontaudit kudzu_t src_t:dir search; ifdef(`xserver.te', ` allow kudzu_t xserver_exec_t:file getattr; ') +ifdef(`userhelper.te', ` +role system_r types sysadm_userhelper_t; +domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t) +') + +allow kudzu_t initrc_t:unix_stream_socket connectto; +allow kudzu_t net_conf_t:file { getattr read }; + diff --git a/strict/domains/program/ldconfig.te b/strict/domains/program/ldconfig.te index 083063f..2ab5c48 100644 --- a/strict/domains/program/ldconfig.te +++ b/strict/domains/program/ldconfig.te @@ -39,7 +39,7 @@ dontaudit ldconfig_t httpd_modules_t:dir search; ') allow ldconfig_t { var_t var_lib_t }:dir search; -allow ldconfig_t proc_t:file read; +allow ldconfig_t proc_t:file { getattr read }; ifdef(`hide_broken_symptoms', ` ifdef(`unconfined.te',` dontaudit ldconfig_t unconfined_t:tcp_socket { read write }; diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te index f54c963..8276f58 100644 --- a/strict/domains/program/load_policy.te +++ b/strict/domains/program/load_policy.te @@ -37,8 +37,8 @@ can_setbool(load_policy_t) # only allow read of policy config files allow load_policy_t policy_src_t:dir search; -allow load_policy_t policy_config_t:dir r_dir_perms; -allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms; +r_dir_file(load_policy_t, policy_config_t) +r_dir_file(load_policy_t, selinux_config_t) # directory search permissions for path to binary policy files allow load_policy_t root_t:dir search; @@ -56,6 +56,4 @@ allow load_policy_t { userdomain privfd initrc_t }:fd use; allow load_policy_t fs_t:filesystem getattr; -allow load_policy_t sysadm_tmp_t:file { getattr write } ; read_locale(load_policy_t) -r_dir_file(load_policy_t, selinux_config_t) 
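Review bot: `role system_r types sysadm_userhelper_t;` together with `domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)` lets a boot-time hardware probe enter the administrator's userhelper domain under the system role, which is a privilege path from a non-interactive daemon into a domain built for interactive admin tools, and the hunk gives no reason. A comment naming the helper kudzu invokes should precede the rule, and a dedicated kudzu-specific userhelper domain or a plain can_exec should be considered before widening sysadm_userhelper_t's roles. `allow kudzu_t initrc_t:unix_stream_socket connectto;` is likewise uncommented.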
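Review bot: `r_dir_file(load_policy_t, policy_config_t)` replaces `allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;`; the macro expansion is not in this diff, so if r_dir_file covers fewer classes than notdevfile_class_set (sock_file, fifo_file, possibly lnk_file) read access to those drops silently. The login hunk makes the same substitution for `$1_login_t` on etc_t, where an fifo or socket under /etc is more plausible. Confirm the expansion, or keep the class set explicit wherever a non-regular file is read.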
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te index 569c755..540b68f 100644 --- a/strict/domains/program/login.te +++ b/strict/domains/program/login.te @@ -37,8 +37,7 @@ allow $1_login_t { var_t var_spool_t }:dir search; allow $1_login_t var_t:lnk_file read; # Read /etc. -allow $1_login_t etc_t:dir r_dir_perms; -allow $1_login_t etc_t:notdevfile_class_set r_file_perms; +r_dir_file($1_login_t, etc_t) allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms; read_locale($1_login_t) @@ -109,7 +108,7 @@ allow $1_login_t wtmp_t:file rw_file_perms; allow $1_login_t lastlog_t:file rw_file_perms; # Write to /var/log/btmp -allow $1_login_t faillog_t:file { append read write }; +allow $1_login_t faillog_t:file { lock append read write }; # Search for mail spool file. allow $1_login_t mail_spool_t:dir r_dir_perms; diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te index 6340f28..9cdcf6f 100644 --- a/strict/domains/program/logrotate.te +++ b/strict/domains/program/logrotate.te @@ -128,7 +128,7 @@ read_locale(logrotate_t) allow logrotate_t fs_t:filesystem getattr; can_exec(logrotate_t, shell_exec_t) -can_exec(logrotate_t, hostname_exec_t) +ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)') can_exec(logrotate_t,logfile) allow logrotate_t net_conf_t:file { getattr read }; diff --git a/strict/domains/program/lpd.te b/strict/domains/program/lpd.te index 75825a3..76cd44d 100644 --- a/strict/domains/program/lpd.te +++ b/strict/domains/program/lpd.te @@ -15,12 +15,11 @@ # printer_t is the type of the Unix domain socket created # by lpd. # -type printer_port_t, port_type, reserved_port_type; daemon_domain(lpd) allow lpd_t lpd_var_run_t:sock_file create_file_perms; -r_dir_file(lpd_t, fonts_t) +read_fonts(lpd_t) type printer_t, file_type, sysadmfile, dev_fs; 
@@ -37,6 +36,7 @@ type checkpc_t, domain, privlog; role system_r types checkpc_t; uses_shlib(checkpc_t) can_network_client(checkpc_t) +allow checkpc_t port_type:tcp_socket name_connect; can_ypbind(checkpc_t) log_domain(checkpc) type checkpc_exec_t, file_type, sysadmfile, exec_type; diff --git a/strict/domains/program/mailman.te b/strict/domains/program/mailman.te index 588459a..b2f593e 100644 --- a/strict/domains/program/mailman.te +++ b/strict/domains/program/mailman.te @@ -30,6 +30,7 @@ file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file) allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; allow mailman_$1_t fs_t:filesystem getattr; can_network(mailman_$1_t) +allow mailman_$1_t smtp_port_t:tcp_socket name_connect; can_ypbind(mailman_$1_t) allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; allow mailman_$1_t var_t:dir r_dir_perms; diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te index 4643be1..ca8d7c1 100644 --- a/strict/domains/program/modutil.te +++ b/strict/domains/program/modutil.te @@ -30,7 +30,9 @@ type depmod_exec_t, file_type, exec_type, sysadmfile; domain_auto_trans(initrc_t, depmod_exec_t, depmod_t) allow depmod_t { bin_t sbin_t }:dir search; can_exec(depmod_t, depmod_exec_t) +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t) +') # Inherit and use descriptors from init and login programs. allow depmod_t { init_t privfd }:fd use; @@ -94,7 +96,7 @@ allow insmod_t self:lnk_file read; allow insmod_t usr_t:file { getattr read }; allow insmod_t privfd:fd use; -allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write }; +allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;') allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write }; 
@@ -149,7 +151,7 @@ allow insmod_t proc_t:lnk_file read; allow insmod_t mtrr_device_t:file write; # Read /proc/sys/kernel/hotplug. -allow insmod_t sysctl_hotplug_t:file read; +allow insmod_t sysctl_hotplug_t:file { getattr read }; allow insmod_t device_t:dir read; allow insmod_t devpts_t:dir { getattr search }; @@ -228,5 +230,3 @@ file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file) tmp_domain(update_modules) ')dnl end IS_INITRD - - diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te index e79168b..8f1b7c1 100644 --- a/strict/domains/program/mount.te +++ b/strict/domains/program/mount.te @@ -37,19 +37,7 @@ allow mount_t file_t:file { getattr read unlink }; # Mount, remount and unmount file systems. allow mount_t fs_type:filesystem mount_fs_perms; -allow mount_t default_t:dir mounton; -allow mount_t file_t:dir mounton; -allow mount_t usr_t:dir mounton; -allow mount_t var_t:dir mounton; -allow mount_t proc_t:dir mounton; -allow mount_t root_t:dir mounton; -allow mount_t home_root_t:dir mounton; -allow mount_t tmp_t:dir mounton; -allow mount_t mnt_t:dir mounton; -allow mount_t devpts_t:dir mounton; -allow mount_t usbdevfs_t:dir mounton; -allow mount_t sysfs_t:dir mounton; -allow mount_t nfs_t:dir mounton; +allow mount_t mount_point:dir mounton; allow mount_t nfs_t:dir search; # nfsv4 has a filesystem to mount for its userspace daemons allow mount_t var_lib_nfs_t:dir mounton; diff --git a/strict/domains/program/mozilla.te b/strict/domains/program/mozilla.te index 3761e0d..f286ea0 100644 --- a/strict/domains/program/mozilla.te +++ b/strict/domains/program/mozilla.te 
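Review bot: `allow mount_t mount_point:dir mounton;` replaces thirteen explicit rules, but the assignment of the mount_point attribute to default_t, file_t, usr_t, var_t, proc_t, root_t, home_root_t, tmp_t, mnt_t, devpts_t, usbdevfs_t, sysfs_t and nfs_t is not part of this diff. Any of those types that lacks the attribute loses mounton, and any other type that carries it gains it, so the attribute's definition is now where the mount-over policy is decided; a comment here pointing at that definition (or stating what mount_point is expected to cover) keeps the rule auditable. The `var_lib_nfs_t:dir mounton` line that stays explicit suggests the attribute is not meant to be exhaustive, which is worth saying too.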
@@ -8,11 +8,8 @@ type mozilla_exec_t, file_type, sysadmfile, exec_type; type mozilla_conf_t, file_type, sysadmfile; -# Allow mozilla to read files in the user home directory -bool mozilla_readhome false; - -# Allow mozilla to write files in the user home directory -bool mozilla_writehome false; +# Run in user_t +bool disable_mozilla_trans false; # Everything else is in the mozilla_domain macro in # macros/program/mozilla_macros.te. diff --git a/strict/domains/program/mrtg.te b/strict/domains/program/mrtg.te index 112b94d..e44889d 100644 --- a/strict/domains/program/mrtg.te +++ b/strict/domains/program/mrtg.te @@ -26,12 +26,14 @@ dontaudit mrtg_t usr_t:file ioctl; logdir_domain(mrtg) etcdir_domain(mrtg) typealias mrtg_etc_t alias etc_mrtg_t; -type var_lib_mrtg_t, file_type, sysadmfile; +type mrtg_var_lib_t, file_type, sysadmfile; +typealias mrtg_var_lib_t alias var_lib_mrtg_t; type mrtg_lock_t, file_type, sysadmfile, lockfile; r_dir_file(mrtg_t, lib_t) # Use the network. can_network_client(mrtg_t) +allow mrtg_t port_type:tcp_socket name_connect; can_ypbind(mrtg_t) allow mrtg_t self:fifo_file { getattr read write ioctl }; @@ -58,7 +60,7 @@ allow mrtg_t { proc_t proc_net_t }:file { read getattr }; dontaudit mrtg_t proc_t:file ioctl; allow mrtg_t { var_lock_t var_lib_t }:dir search; -rw_dir_create_file(mrtg_t, var_lib_mrtg_t) +rw_dir_create_file(mrtg_t, mrtg_var_lib_t) rw_dir_create_file(mrtg_t, mrtg_lock_t) ifdef(`distro_redhat', ` file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file) @@ -79,7 +81,7 @@ read_sysctl(mrtg_t) # for uptime allow mrtg_t var_run_t:dir search; -allow mrtg_t initrc_var_run_t:file read; +allow mrtg_t initrc_var_run_t:file { getattr read }; dontaudit mrtg_t initrc_var_run_t:file { write lock }; allow mrtg_t etc_runtime_t:file { getattr read }; 
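Review bot: Dropping `mozilla_readhome` and `mozilla_writehome` in favour of `disable_mozilla_trans` replaces two fine-grained opt-ins with a single opt-out that presumably leaves mozilla running in the user's own domain with all of that domain's home access (the macro side is not in this diff). That is a coarser control than before and silently invalidates any `setsebool` settings administrators have for the old names, so the commit message or a comment should state that the home-directory booleans are gone and what the replacement behaviour is. The games hunk introduces `disable_games_trans` the same way, so the new naming is at least consistent.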
@@ -94,5 +96,5 @@ dontaudit mrtg_t quota_db_t:file getattr; dontaudit mrtg_t root_t:lnk_file getattr; allow mrtg_t self:capability { setgid setuid }; -can_exec(mrtg_t, hostname_exec_t) +ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)') allow mrtg_t var_spool_t:dir search; diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te index f664e03..e0c1ea2 100644 --- a/strict/domains/program/pppd.te +++ b/strict/domains/program/pppd.te @@ -32,14 +32,15 @@ allow pppd_t sysfs_t:dir search; log_domain(pppd) # Use the network. -can_network_server(pppd_t) +can_network(pppd_t) can_ypbind(pppd_t) -# Use capabilities. -allow pppd_t self:capability { net_admin setuid setgid fsetid }; +allow pppd_t fingerd_port_t:tcp_socket name_connect; + -allow pppd_t var_lock_t:dir rw_dir_perms; -allow pppd_t var_lock_t:file create_file_perms; +# Use capabilities. +allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override }; +lock_domain(pppd) # Access secret files allow pppd_t pppd_secret_t:file r_file_perms; @@ -47,15 +48,17 @@ allow pppd_t pppd_secret_t:file r_file_perms; ifdef(`postfix.te', ` allow pppd_t postfix_etc_t:dir search; allow pppd_t postfix_etc_t:file r_file_perms; -allow pppd_t postfix_master_exec_t:file read; +allow pppd_t postfix_master_exec_t:file { getattr read }; allow postfix_postqueue_t pppd_t:fd use; allow postfix_postqueue_t pppd_t:process sigchld; ') # allow running ip-up and ip-down scripts and running chat. can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t }) +can_exec(pppd_t, pppd_etc_rw_t) +can_exec(pppd_t, hostname_exec_t) allow pppd_t { bin_t sbin_t }:dir search; -allow pppd_t bin_t:lnk_file read; +allow pppd_t { sbin_t bin_t }:lnk_file read; # Access /dev/ppp. allow pppd_t ppp_device_t:chr_file rw_file_perms; 
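Review bot: Of the capabilities added to `allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };`, fowner and net_raw are only moved here from the rule deleted near the end of the file, but dac_override is new and uncommented; it lets pppd bypass DAC on every type its rules already allow, so the file it could not otherwise open should be named and `dac_read_search` considered if reading is all that is needed. `allow pppd_t fingerd_port_t:tcp_socket name_connect;` is also unexplained, and a dial-up daemon connecting to the finger port is unusual enough to warrant a one-line reason. `can_network_server(pppd_t)` widening to `can_network(pppd_t)` fits the client role but deserves the same note.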
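Review bot: `can_exec(pppd_t, hostname_exec_t)` references hostname_exec_t unconditionally, while the logrotate and mrtg hunks in this same commit wrap the identical rule in ``ifdef(`hostname.te', ...)``; for consistency, and so a build without hostname.te does not fail on an undeclared type, write ``ifdef(`hostname.te', `can_exec(pppd_t, hostname_exec_t)')``. The same applies to `can_exec(pptp_t, hostname_exec_t)` in the later pppd hunk. `can_exec(pppd_t, pppd_etc_rw_t)` additionally means pppd executes files from a type whose name suggests pppd can write it; if those are the ip-up/ip-down scripts, a comment saying so helps the reader judge it.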
@@ -66,6 +69,8 @@ allow pppd_t self:unix_stream_socket create_socket_perms; allow pppd_t proc_t:dir search; allow pppd_t proc_t:{ file lnk_file } r_file_perms; +allow pppd_t proc_net_t:dir { read search }; +allow pppd_t proc_net_t:file r_file_perms; allow pppd_t etc_runtime_t:file r_file_perms; @@ -92,8 +97,43 @@ allow unpriv_userdomain pppd_t:process signal; # for pppoe can_create_pty(pppd) allow pppd_t self:file { read getattr }; -allow pppd_t self:capability { fowner net_raw }; + allow pppd_t self:packet_socket create_socket_perms; file_type_auto_trans(pppd_t, etc_t, net_conf_t, file) tmp_domain(pppd) +allow pppd_t sysctl_net_t:dir search; +allow pppd_t sysctl_net_t:file r_file_perms; +allow pppd_t self:netlink_route_socket r_netlink_socket_perms; +allow pppd_t initrc_var_run_t:file r_file_perms; +dontaudit pppd_t initrc_var_run_t:file { lock write }; + +# pppd needs to load kernel modules for certain modems +bool pppd_can_insmod false; +if (pppd_can_insmod) { +ifdef(`modutil.te', ` +domain_auto_trans(pppd_t, insmod_exec_t, insmod_t) +') +} +domain_auto_trans(pppd_t, named_exec_t, named_t) + +daemon_domain(pptp) +can_network_client_tcp(pptp_t) +allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect; +can_exec(pptp_t, hostname_exec_t) +domain_auto_trans(pppd_t, pptp_exec_t, pptp_t) +allow pptp_t self:rawip_socket create_socket_perms; +allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow pptp_t self:unix_dgram_socket create_socket_perms; +can_exec(pptp_t, pppd_etc_rw_t) +allow pptp_t devpts_t:chr_file ioctl; +r_dir_file(pptp_t, pppd_etc_rw_t) +r_dir_file(pptp_t, pppd_etc_t) +allow pptp_t devpts_t:dir search; +allow pppd_t devpts_t:chr_file ioctl; +allow pppd_t pptp_t:process signal; +allow pptp_t self:capability net_raw; +allow pptp_t self:fifo_file { read write }; +allow pptp_t ptmx_t:chr_file rw_file_perms; +log_domain(pptp) +allow pptp_t pppd_log_t:file append; 
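Review bot: `domain_auto_trans(pppd_t, named_exec_t, named_t)` is unconditional, whereas the insmod transition three lines above is guarded by ``ifdef(`modutil.te', ...)``; wrap it the same way, ``ifdef(`named.te', `domain_auto_trans(pppd_t, named_exec_t, named_t)')``, and add a comment on why pppd starts the nameserver, since that is a new transition into a network daemon domain. The pptp domain that follows is defined inline in pppd.te without a header comment, and `allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;` is nearly as broad as the port_type grants elsewhere in this commit; a comment naming the peer port, or a narrower type, would help. `pppd_can_insmod` being boolean-gated is the right shape for the module-loading path.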
diff --git a/strict/domains/program/prelink.te b/strict/domains/program/prelink.te index 2d36473..3ffa0d7 100644 --- a/strict/domains/program/prelink.te +++ b/strict/domains/program/prelink.te @@ -9,15 +9,10 @@ # # prelink_exec_t is the type of the prelink executable. # -daemon_base_domain(prelink, `, admin') +daemon_base_domain(prelink, `, admin, privowner') -if (allow_execmem) { -allow prelink_t self:process execmem; -} -if (allow_execmod) { +allow prelink_t self:process { execheap execmem execstack }; allow prelink_t texrel_shlib_t:file execmod; -} - allow prelink_t fs_t:filesystem getattr; ifdef(`crond.te', ` @@ -36,7 +31,7 @@ allow prelink_t etc_prelink_t:file { getattr read }; allow prelink_t file_type:dir rw_dir_perms; allow prelink_t file_type:lnk_file r_file_perms; allow prelink_t file_type:file getattr; -allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom }; +allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom }; allow prelink_t ld_so_t:file execute_no_trans; allow prelink_t self:capability { chown dac_override fowner fsetid }; diff --git a/strict/domains/program/procmail.te b/strict/domains/program/procmail.te index 81af770..347587b 100644 --- a/strict/domains/program/procmail.te +++ b/strict/domains/program/procmail.te @@ -20,6 +20,7 @@ uses_shlib(procmail_t) allow procmail_t device_t:dir search; can_network_server(procmail_t) can_ypbind(procmail_t) +can_winbind(procmail_t) allow procmail_t self:capability { sys_nice chown setuid setgid dac_override }; 
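Review bot: The rewrite drops the `if (allow_execmem)` and `if (allow_execmod)` gates and grants `allow prelink_t self:process { execheap execmem execstack };` plus execmod on texrel_shlib_t unconditionally, so an administrator with both booleans off still gets a domain with writable-executable memory, and execstack was not granted before at all. Prelink does rewrite code pages, so a comment stating that these permissions are inherent to the tool and therefore deliberately not boolean-controlled would make the change look intended rather than accidental, and execstack in particular needs its own reason. The added `privowner` attribute in ``daemon_base_domain(prelink, `, admin, privowner')`` is also new and uncommented.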
@@ -57,6 +58,9 @@ allow procmail_t { self proc_t }:lnk_file read; # for spamassasin allow procmail_t usr_t:file { getattr ioctl read }; +ifdef(`spamassassin.te', ` +can_exec(procmail_t, spamassassin_exec_t) +') # Search /var/run. allow procmail_t var_run_t:dir { getattr search }; diff --git a/strict/domains/program/radius.te b/strict/domains/program/radius.te index 4e7f194..5d02923 100644 --- a/strict/domains/program/radius.te +++ b/strict/domains/program/radius.te @@ -10,12 +10,9 @@ # # radiusd_exec_t is the type of the radiusd executable. # -type radius_port_t, port_type; -type radacct_port_t, port_type; daemon_domain(radiusd, `, auth') etcdir_domain(radiusd) -typealias radiusd_etc_t alias etc_radiusd_t; system_crond_entry(radiusd_exec_t, radiusd_t) diff --git a/strict/domains/program/radvd.te b/strict/domains/program/radvd.te index 1e8b3ff..868ef8b 100644 --- a/strict/domains/program/radvd.te +++ b/strict/domains/program/radvd.te @@ -15,14 +15,15 @@ allow radvd_t etc_t:file { getattr read }; allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms; -allow radvd_t self:capability net_raw; +allow radvd_t self:capability { setgid setuid net_raw }; allow radvd_t self:{ unix_dgram_socket rawip_socket } create; allow radvd_t self:unix_stream_socket create_socket_perms; can_network_server(radvd_t) +can_ypbind(radvd_t) -allow radvd_t proc_t:dir r_dir_perms; -allow radvd_t proc_t:file { getattr read }; +allow radvd_t { proc_t proc_net_t }:dir r_dir_perms; +allow radvd_t { proc_t proc_net_t }:file { getattr read }; allow radvd_t etc_t:lnk_file read; allow radvd_t sysctl_net_t:file r_file_perms; diff --git a/strict/domains/program/rhgb.te b/strict/domains/program/rhgb.te index cc15ff1..5d176e9 100644 --- a/strict/domains/program/rhgb.te +++ b/strict/domains/program/rhgb.te 
@@ -40,13 +40,13 @@ allow rhgb_t self:capability { sys_admin sys_tty_config }; dontaudit rhgb_t var_run_t:dir search; can_network_client(rhgb_t) +allow rhgb_t port_type:tcp_socket name_connect; can_ypbind(rhgb_t) -# for fonts allow rhgb_t usr_t:{ file lnk_file } { getattr read }; # for running setxkbmap -r_dir_file(rhgb_t, var_lib_xkb_t) +r_dir_file(rhgb_t, xkb_var_lib_t) # for localization allow rhgb_t lib_t:file { getattr read }; @@ -67,8 +67,7 @@ can_unix_connect(initrc_t, rhgb_t) tmpfs_domain(rhgb) allow xdm_xserver_t rhgb_tmpfs_t:file { read write }; -allow rhgb_t fonts_t:dir { getattr read search }; -allow rhgb_t fonts_t:file { getattr read }; +read_fonts(rhgb_t) # for nscd dontaudit rhgb_t var_t:dir search; diff --git a/strict/domains/program/rpcd.te b/strict/domains/program/rpcd.te index d921e3c..9fae932 100644 --- a/strict/domains/program/rpcd.te +++ b/strict/domains/program/rpcd.te @@ -11,8 +11,13 @@ # Rules for the rpcd_t and nfsd_t domain. # define(`rpc_domain', ` +ifdef(`targeted_policy', ` +daemon_base_domain($1, `, transitionbool') +', ` daemon_base_domain($1) +') can_network($1_t) +allow $1_t port_type:tcp_socket name_connect; can_ypbind($1_t) allow $1_t etc_t:file { getattr read }; read_locale($1_t) @@ -88,7 +93,8 @@ type nfsd_ro_t, file_type, sysadmfile, usercanread; bool nfs_export_all_rw false; if(nfs_export_all_rw) { -allow nfsd_t { file_type -shadow_t }:dir r_dir_perms; +allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms; +r_dir_file(kernel_t, noexattrfile) create_dir_file(kernel_t,{ file_type -shadow_t }) } @@ -97,8 +103,8 @@ dontaudit kernel_t shadow_t:file getattr; bool nfs_export_all_ro false; if(nfs_export_all_ro) { -allow nfsd_t { file_type -shadow_t }:dir r_dir_perms; -r_dir_file(kernel_t,{ file_type -shadow_t }) +allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms; +r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t }) } allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; 
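Review bot: Inside `if(nfs_export_all_rw)` the new `r_dir_file(kernel_t, noexattrfile)` gives the kernel only read access to non-xattr filesystem types while `create_dir_file(kernel_t,{ file_type -shadow_t })` on the next line grants create and write to everything else, so rw export of noexattrfile types is effectively read-only. If that is intended (for instance because such filesystems cannot be relabelled), a comment should say so; otherwise the rule looks like an oversight relative to the ro branch below, which reads the same set. The nfsd_t dir rule is widened consistently in both branches, which is fine.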
@@ -113,7 +119,7 @@ can_udp_send(nfsd_t, kernel_t) allow nfsd_t var_run_t:dir search; allow nfsd_t self:capability { sys_admin sys_resource }; -allow nfsd_t fs_t:filesystem getattr; +allow nfsd_t fs_type:filesystem getattr; can_udp_send(nfsd_t, portmap_t) can_udp_send(portmap_t, nfsd_t) @@ -131,7 +137,9 @@ allow rpcd_t proc_net_t:dir search; rpc_domain(gssd) can_kerberos(gssd_t) +ifdef(`kerberos.te', ` allow gssd_t krb5_keytab_t:file r_file_perms; +') allow gssd_t urandom_device_t:chr_file { getattr read }; r_dir_file(gssd_t, tmp_t) tmp_domain(gssd) @@ -139,3 +147,7 @@ allow gssd_t self:fifo_file { read write }; r_dir_file(gssd_t, proc_net_t) allow gssd_t rpc_pipefs_t:dir r_dir_perms; allow gssd_t rpc_pipefs_t:sock_file { read write }; +allow gssd_t rpc_pipefs_t:file r_file_perms; +allow gssd_t self:capability setuid; +allow nfsd_t devtty_t:chr_file rw_file_perms; +allow rpcd_t devtty_t:chr_file rw_file_perms; diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te index c964b14..0fc36f9 100644 --- a/strict/domains/program/rpm.te +++ b/strict/domains/program/rpm.te @@ -7,8 +7,8 @@ # # rpm_t is the domain for rpm and related utilities in /usr/lib/rpm # rpm_exec_t is the type of the rpm executables. -# var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*) -# var_lib_rpm_t is the type for rpm files in /var/lib +# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*) +# rpm_var_lib_t is the type for rpm files in /var/lib # type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd; role system_r types rpm_t; @@ -252,4 +252,7 @@ unconfined_domain(rpm_t) typeattribute rpm_script_t auth_write; unconfined_domain(rpm_script_t) ') +if (allow_execmem) { +allow rpm_script_t self:process execmem; +} diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te index f1da21e..33006bd 100644 --- a/strict/domains/program/rshd.te +++ b/strict/domains/program/rshd.te 
@@ -9,7 +9,6 @@ # # Rules for the rshd_t domain. # -type rsh_port_t, port_type, reserved_port_type; daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole') ifdef(`tcpd.te', ` diff --git a/strict/domains/program/saslauthd.te b/strict/domains/program/saslauthd.te index f51ccd0..c10b03b 100644 --- a/strict/domains/program/saslauthd.te +++ b/strict/domains/program/saslauthd.te @@ -3,7 +3,7 @@ # Author: Colin Walters # -daemon_domain(saslauthd, `, auth_chkpwd') +daemon_domain(saslauthd, `, auth_chkpwd, auth_bool') allow saslauthd_t self:fifo_file { read write }; allow saslauthd_t self:unix_dgram_socket create_socket_perms; @@ -15,9 +15,17 @@ allow saslauthd_t etc_t:file r_file_perms; allow saslauthd_t net_conf_t:file r_file_perms; allow saslauthd_t self:file r_file_perms; -allow saslauthd_t proc_t:file read; +allow saslauthd_t proc_t:file { getattr read }; allow saslauthd_t urandom_device_t:chr_file { getattr read }; # Needs investigation dontaudit saslauthd_t home_root_t:dir getattr; +can_network_client_tcp(saslauthd_t) +allow saslauthd_t pop_port_t:tcp_socket name_connect; + +bool allow_saslauthd_read_shadow false; + +if (allow_saslauthd_read_shadow) { +allow saslauthd_t shadow_t:file r_file_perms; +} diff --git a/strict/domains/program/sendmail.te b/strict/domains/program/sendmail.te index 958d13e..2ee8d2d 100644 --- a/strict/domains/program/sendmail.te +++ b/strict/domains/program/sendmail.te @@ -26,6 +26,7 @@ allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown # Use the network. can_network(sendmail_t) +allow sendmail_t port_type:tcp_socket name_connect; can_ypbind(sendmail_t) allow sendmail_t self:unix_stream_socket create_stream_socket_perms; diff --git a/strict/domains/program/setfiles.te b/strict/domains/program/setfiles.te index 26c275f..f3bdbd9 100644 --- a/strict/domains/program/setfiles.te +++ b/strict/domains/program/setfiles.te 
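Review bot: The new `bool allow_saslauthd_read_shadow false;` in saslauthd.te has no comment describing what enabling it exposes, which is the main thing an administrator toggling it needs to know; suggest preceding it with `# Allow saslauthd to read /etc/shadow directly; keep off unless its shadow auth mechanism is in use`. Defaulting it to false is right, since the domain already carries auth_chkpwd.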
@@ -18,6 +18,9 @@ type setfiles_exec_t, file_type, sysadmfile, exec_type; role system_r types setfiles_t; role sysadm_r types setfiles_t; +ifdef(`distro_redhat', ` +domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t) +') allow setfiles_t initrc_devpts_t:chr_file { read write ioctl }; allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl }; @@ -52,8 +55,8 @@ allow setfiles_t fs_type:dir r_dir_perms; read_locale(setfiles_t) -allow setfiles_t etc_runtime_t:file read; -allow setfiles_t etc_t:file read; +allow setfiles_t etc_runtime_t:file { getattr read }; +allow setfiles_t etc_t:file { getattr read }; allow setfiles_t proc_t:file { getattr read }; dontaudit setfiles_t proc_t:lnk_file { getattr read }; diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te index bab118a..8cca78e 100644 --- a/strict/domains/program/slapd.te +++ b/strict/domains/program/slapd.te @@ -12,11 +12,9 @@ # daemon_domain(slapd) -type ldap_port_t, port_type, reserved_port_type; allow slapd_t ldap_port_t:tcp_socket name_bind; etc_domain(slapd) -typealias slapd_etc_t alias etc_slapd_t; type slapd_db_t, file_type, sysadmfile; type slapd_replog_t, file_type, sysadmfile; @@ -24,6 +22,7 @@ tmp_domain(slapd) # Use the network. can_network(slapd_t) +allow slapd_t port_type:tcp_socket name_connect; can_ypbind(slapd_t) allow slapd_t self:fifo_file { read write }; allow slapd_t self:unix_stream_socket create_socket_perms; @@ -32,7 +31,7 @@ allow slapd_t self:unix_dgram_socket create_socket_perms; can_tcp_connect(domain, slapd_t) # Use capabilities should not need kill... -allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw }; +allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search }; allow slapd_t self:process setsched; allow slapd_t proc_t:file r_file_perms; 
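Review bot: The slapd.te hunk adds `dac_override dac_read_search` to slapd_t's capability set without saying which file access needs them; dac_override bypasses every discretionary permission check, so if the need is only to read root-owned files, `dac_read_search` alone covers it and `dac_override` can be dropped. The existing comment above the rule (`# Use capabilities should not need kill...`) should be extended to name the files the new capabilities are for. The same undocumented `dac_override` addition appears in this commit in squid.te, in clamd_t in clamav.te, and in the new afs.te (afs_fsserver_t) and NetworkManager.te.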
@@ -50,7 +49,7 @@ allow slapd_t etc_t:{ file lnk_file } { getattr read }; allow slapd_t etc_runtime_t:file { getattr read }; # for startup script -allow initrc_t slapd_etc_t:file read; +allow initrc_t slapd_etc_t:file { getattr read }; allow slapd_t etc_t:dir r_dir_perms; diff --git a/strict/domains/program/slocate.te b/strict/domains/program/slocate.te index da3219c..d854f59 100644 --- a/strict/domains/program/slocate.te +++ b/strict/domains/program/slocate.te @@ -2,7 +2,6 @@ # # Author: Dan Walsh # -# Depends: inetd.te ################################# # @@ -36,11 +35,11 @@ allow locate_t unlabeled_t:dir read; logdir_domain(locate) etcdir_domain(locate) -typealias locate_etc_t alias etc_locate_t; -type var_lib_locate_t, file_type, sysadmfile; +type locate_var_lib_t, file_type, sysadmfile; +typealias locate_var_lib_t alias var_lib_locate_t; -create_dir_file(locate_t, var_lib_locate_t) +create_dir_file(locate_t, locate_var_lib_t) dontaudit locate_t sysadmfile:file getattr; allow locate_t proc_t:file { getattr read }; diff --git a/strict/domains/program/spamd.te b/strict/domains/program/spamd.te index c54d771..01283ca 100644 --- a/strict/domains/program/spamd.te +++ b/strict/domains/program/spamd.te @@ -9,7 +9,6 @@ daemon_domain(spamd) tmp_domain(spamd) -type spamd_port_t, port_type, reserved_port_type; allow spamd_t spamd_port_t:tcp_socket name_bind; general_domain_access(spamd_t) diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te index b0810b1..06d411d 100644 --- a/strict/domains/program/squid.te +++ b/strict/domains/program/squid.te 
@@ -28,7 +28,7 @@ allow squid_t usr_t:file { getattr read }; # type for /var/cache/squid type squid_cache_t, file_type, sysadmfile; -allow squid_t self:capability { setgid setuid net_bind_service }; +allow squid_t self:capability { setgid setuid net_bind_service dac_override }; allow squid_t { etc_t etc_runtime_t }:file r_file_perms; allow squid_t etc_t:lnk_file read; allow squid_t self:unix_stream_socket create_socket_perms; diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te index d07b314..a1eb5ec 100644 --- a/strict/domains/program/ssh.te +++ b/strict/domains/program/ssh.te @@ -19,8 +19,6 @@ bool run_ssh_inetd false; type sshd_exec_t, file_type, exec_type, sysadmfile; type sshd_key_t, file_type, sysadmfile; -type ssh_port_t, port_type, reserved_port_type; - define(`sshd_program_domain', ` # privowner is for changing the identity on the terminal device # privfd is for passing the terminal file handle to the user process diff --git a/strict/domains/program/stunnel.te b/strict/domains/program/stunnel.te index 1b3a937..4dbfcec 100644 --- a/strict/domains/program/stunnel.te +++ b/strict/domains/program/stunnel.te @@ -3,11 +3,11 @@ # Author: petre rodan # ifdef(`distro_gentoo', ` -type stunnel_port_t, port_type; daemon_domain(stunnel) can_network(stunnel_t) +allow stunnel_t port_type:tcp_socket name_connect; allow stunnel_t self:capability { setgid setuid sys_chroot }; allow stunnel_t self:fifo_file { read write }; diff --git a/strict/domains/program/sysstat.te b/strict/domains/program/sysstat.te index 4010c95..f01da4c 100644 --- a/strict/domains/program/sysstat.te +++ b/strict/domains/program/sysstat.te @@ -42,7 +42,6 @@ allow sysstat_t self:fifo_file rw_file_perms; # Type for files created during execution of sysstatd. logdir_domain(sysstat) -typealias sysstat_log_t alias var_log_sysstat_t; allow sysstat_t var_t:dir search; allow sysstat_t etc_t:dir r_dir_perms; 
diff --git a/strict/domains/program/tftpd.te b/strict/domains/program/tftpd.te index 3e9de29..c749987 100644 --- a/strict/domains/program/tftpd.te +++ b/strict/domains/program/tftpd.te @@ -13,8 +13,6 @@ # daemon_domain(tftpd) -type tftp_port_t, port_type, reserved_port_type; - # tftpdir_t is the type of files in the /tftpboot directories. type tftpdir_t, file_type, sysadmfile; r_dir_file(tftpd_t, tftpdir_t) diff --git a/strict/domains/program/traceroute.te b/strict/domains/program/traceroute.te index ed9106a..af25e20 100644 --- a/strict/domains/program/traceroute.te +++ b/strict/domains/program/traceroute.te @@ -19,6 +19,7 @@ role system_r types traceroute_t; in_user_role(traceroute_t) uses_shlib(traceroute_t) can_network_client(traceroute_t) +allow traceroute_t port_type:tcp_socket name_connect; can_ypbind(traceroute_t) allow traceroute_t node_t:rawip_socket node_bind; type traceroute_exec_t, file_type, sysadmfile, exec_type; diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te index 74c368d..eae23a2 100644 --- a/strict/domains/program/udev.te +++ b/strict/domains/program/udev.te @@ -19,7 +19,6 @@ allow udev_t self:process execmem; } etc_domain(udev) -typealias udev_etc_t alias etc_udev_t; type udev_helper_exec_t, file_type, sysadmfile, exec_type; can_exec_any(udev_t) @@ -75,7 +74,6 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write }; allow udev_t initrc_var_run_t:file r_file_perms; dontaudit udev_t initrc_var_run_t:file write; -domain_auto_trans(initrc_t, udev_exec_t, udev_t) domain_auto_trans(kernel_t, udev_exec_t, udev_t) domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t) ifdef(`hide_broken_symptoms', ` @@ -86,7 +84,6 @@ allow udev_t etc_runtime_t:file { getattr read }; ifdef(`xdm.te', ` allow udev_t xdm_var_run_t:file { getattr read }; ') -dontaudit udev_t staff_home_dir_t:dir search; ifdef(`hotplug.te', ` r_dir_file(udev_t, hotplug_etc_t) 
diff --git a/strict/domains/program/unused/NetworkManager.te b/strict/domains/program/unused/NetworkManager.te
new file mode 100644
index 0000000..1ef8916
--- /dev/null
+++ b/strict/domains/program/unused/NetworkManager.te
@@ -0,0 +1,108 @@
+#DESC NetworkManager -
+#
+# Authors: Dan Walsh
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon.
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+ifdef(`named.te', `
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow named_t NetworkManager_t:netlink_route_socket { read write };
+allow NetworkManager_t named_t:process signal;
+allow named_t NetworkManager_t:packet_socket { read write };
+')
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t self:dbus send_msg;
+ifdef(`hald.te', `
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t initrc_t:dbus send_msg;
+allow initrc_t NetworkManager_t:dbus send_msg;
+ifdef(`targeted_policy', `
+allow NetworkManager_t unconfined_t:dbus send_msg;
+allow unconfined_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t userdomain:dbus send_msg;
+allow userdomain NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+r_dir_file(NetworkManager_t, proc_net_t)
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
+allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+
+domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
+domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+ifdef(`vpnc.te', `
+domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
+')
+
+ifdef(`dhcpc.te', `
+allow NetworkManager_t dhcp_state_t:dir search;
+allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
+')
+allow NetworkManager_t var_lib_t:dir search;
+dontaudit NetworkManager_t user_tty_type:chr_file { read write };
diff --git a/strict/domains/program/unused/afs.te b/strict/domains/program/unused/afs.te
new file mode 100644
index 0000000..8bcab3b
--- /dev/null
+++ b/strict/domains/program/unused/afs.te
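Review bot: `allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};` grants direct kernel module loading, yet the same file routes module loading through `domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)` and gives the domain the privsysmod attribute; if the transition is the intended path, `sys_module` on self is redundant and should be dropped (and a space added before the closing brace). `can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })` runs shells and everything under bin/sbin inside NetworkManager_t rather than through a transition, and `allow NetworkManager_t { domain -unrestricted }:file { getattr read };` reads what are presumably the /proc entries of every other domain; both are broad enough to deserve a comment naming the helper scripts that need them. `domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)` likewise lets the daemon run init scripts in initrc_t, so a note on which scripts it invokes would help a reviewer judge the reach of this domain.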
@@ -0,0 +1,166 @@
+#
+# Policy for AFS server
+#
+
+type afs_files_t, file_type;
+type afs_config_t, file_type, sysadmfile;
+type afs_logfile_t, file_type, logfile;
+type afs_dbdir_t, file_type;
+
+allow afs_files_t afs_files_t:filesystem associate;
+# df should show sizes
+allow sysadm_t afs_files_t:filesystem getattr;
+
+#
+# Macros for defining AFS server domains
+#
+
+define(`afs_server_domain',`
+type afs_$1server_t, domain $2;
+type afs_$1server_exec_t, file_type, sysadmfile;
+
+role system_r types afs_$1server_t;
+
+allow afs_$1server_t afs_config_t:file r_file_perms;
+allow afs_$1server_t afs_config_t:dir r_dir_perms;
+allow afs_$1server_t afs_logfile_t:file create_file_perms;
+allow afs_$1server_t afs_logfile_t:dir create_dir_perms;
+allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;
+uses_shlib(afs_$1server_t)
+can_network(afs_$1server_t)
+read_locale(afs_$1server_t)
+
+dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms;
+dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms;
+dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms;
+')
+
+define(`afs_under_bos',`
+domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t)
+allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms;
+allow afs_$1server_t net_conf_t:file r_file_perms;
+allow afs_bosserver_t afs_$1server_t:process signal_perms;
+')
+
+define(`afs_server_db',`
+type afs_$1_db_t, file_type;
+
+allow afs_$1server_t afs_$1_db_t:file create_file_perms;
+file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);
+')
+
+
+#
+# bosserver
+#
+
+afs_server_domain(`bos')
+base_file_read_access(afs_bosserver_t)
+
+domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t)
+
+allow afs_bosserver_t self:process { fork setsched signal_perms };
+allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms };
+allow afs_bosserver_t afs_dbdir_t:dir { 
search read getattr };
+allow afs_bosserver_t afs_config_t:file create_file_perms;
+allow afs_bosserver_t afs_config_t:dir create_dir_perms;
+
+allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms;
+allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
+allow afs_bosserver_t device_t:dir r_dir_perms;
+
+# allow sysadm to use bos
+allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto };
+
+#
+# fileserver, volserver, and salvager
+#
+
+afs_server_domain(`fs',`,privlog')
+afs_under_bos(`fs')
+
+base_file_read_access(afs_fsserver_t)
+file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)
+
+allow afs_fsserver_t self:process { fork sigchld setsched signal_perms };
+allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:fifo_file { rw_file_perms };
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+allow afs_fsserver_t afs_files_t:file create_file_perms;
+allow afs_fsserver_t afs_files_t:dir create_dir_perms;
+allow afs_fsserver_t afs_config_t:file create_file_perms;
+allow afs_fsserver_t afs_config_t:dir create_dir_perms;
+
+allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind;
+allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr;
+
+allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
+allow afs_fsserver_t device_t:dir r_dir_perms;
+allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms;
+allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms;
+
+allow afs_fsserver_t proc_t:dir r_dir_perms;
+allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms;
+allow afs_fsserver_t { self proc_t } : dir r_dir_perms;
+
+# fs communicates with other servers
+allow afs_fsserver_t self:unix_dgram_socket create_socket_perms;
+allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };
+allow afs_fsserver_t self:udp_socket { sendto recvfrom 
};
+allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom };
+allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto };
+
+dontaudit afs_fsserver_t self:capability fsetid;
+dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms;
+dontaudit afs_fsserver_t initrc_t:fd use;
+dontaudit afs_fsserver_t mnt_t:dir search;
+
+
+#
+# kaserver
+#
+
+afs_server_domain(`ka')
+afs_under_bos(`ka')
+afs_server_db(`ka')
+
+base_file_read_access(afs_kaserver_t)
+
+allow afs_kaserver_t kerberos_port_t:udp_socket name_bind;
+allow afs_kaserver_t self:capability { net_bind_service };
+allow afs_kaserver_t afs_config_t:file create_file_perms;
+allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
+
+# allow sysadm to use kas
+allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto };
+
+
+#
+# ptserver
+#
+
+afs_server_domain(`pt')
+afs_under_bos(`pt')
+afs_server_db(`pt')
+
+# allow users to use pts
+allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom };
+allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto };
+allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom };
+
+
+#
+# vlserver
+#
+
+afs_server_domain(`vl')
+afs_under_bos(`vl')
+afs_server_db(`vl')
+
+allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto };
+allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom };
diff --git a/strict/domains/program/unused/alsa.te b/strict/domains/program/unused/alsa.te
new file mode 100644
index 0000000..5717244
--- /dev/null
+++ b/strict/domains/program/unused/alsa.te
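Review bot: `type afs_$1server_exec_t, file_type, sysadmfile;` in the afs_server_domain macro omits the exec_type attribute that every other executable type in this commit carries (for example `type alsa_exec_t, file_type, sysadmfile, exec_type;` in alsa.te), so any rule keyed on exec_type will not cover the AFS server binaries; suggest `type afs_$1server_exec_t, file_type, sysadmfile, exec_type;`. `file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)` also passes no object class, unlike the afs_server_db macro's call which passes `file`, so confirm that the macro's default class is the intended one and say so in a comment. `allow afs_fsserver_t self:fifo_file { rw_file_perms };` wraps a permission macro in braces, which no other rule in the file does; `allow afs_fsserver_t self:fifo_file rw_file_perms;` matches the rest.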
@@ -0,0 +1,17 @@ +#DESC ainit - configuration tool for ALSA +# +# Author: Dan Walsh +# +# +type alsa_t, domain, privlog, daemon; +type alsa_exec_t, file_type, sysadmfile, exec_type; +uses_shlib(alsa_t) +allow alsa_t self:sem create_sem_perms; +allow alsa_t self:shm create_shm_perms; +allow alsa_t self:unix_stream_socket create_stream_socket_perms; +type alsa_etc_rw_t, file_type, sysadmfile, usercanread; +rw_dir_create_file(alsa_t,alsa_etc_rw_t) +allow alsa_t self:capability { setgid setuid ipc_owner }; +allow alsa_t devpts_t:chr_file { read write }; +allow alsa_t etc_t:file { getattr read }; +domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t) diff --git a/strict/domains/program/unused/amavis.te b/strict/domains/program/unused/amavis.te index eb029f7..1e1752f 100644 --- a/strict/domains/program/unused/amavis.te +++ b/strict/domains/program/unused/amavis.te @@ -12,10 +12,13 @@ type amavisd_etc_t, file_type, sysadmfile; type amavisd_lib_t, file_type, sysadmfile; -type amavis_port_t, port_type; +# Virus and spam found and quarantined. +type amavisd_quarantine_t, file_type, sysadmfile, tmpfile; + daemon_domain(amavisd) tmp_domain(amavisd) +allow initrc_t amavisd_etc_t:file { getattr read }; allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink }; allow initrc_t amavisd_lib_t:file unlink; allow initrc_t amavisd_var_run_t:dir setattr; 
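Review bot: `type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;` in the amavis.te hunk gives quarantined samples the tmpfile attribute; if, as the name suggests, tmpfile is what temp-cleanup domains match on, quarantined items could be deleted by routine tmp reaping, which is unlikely to be what a quarantine directory wants — confirm and record the decision next to the type. The comment `# Virus and spam found and quarantined.` would be more useful if it named the directory these files live in, so the matching file context can be checked.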
@@ -26,11 +29,17 @@ allow amavisd_t usr_t:{ file lnk_file } { getattr read }; dontaudit amavisd_t usr_t:file ioctl; # networking -can_network(amavisd_t) +can_network_server_tcp(amavisd_t, amavisd_recv_port_t) +allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind; +allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect; +# The next line doesn't work right so drop the port specification. +#can_network_client_tcp(amavisd_t, amavisd_send_port_t) +can_network_client_tcp(amavisd_t) +allow amavisd_t amavisd_send_port_t:tcp_socket name_connect; +can_resolve(amavisd_t); can_ypbind(amavisd_t); can_tcp_connect(mail_server_sender, amavisd_t); can_tcp_connect(amavisd_t, mail_server_domain) -allow amavisd_t amavis_port_t:tcp_socket name_bind; ifdef(`scannerdaemon.te', ` can_tcp_connect(amavisd_t, scannerdaemon_t); @@ -49,6 +58,25 @@ allow clamd_t amavisd_lib_t:dir r_dir_perms; allow clamd_t amavisd_lib_t:file r_file_perms; ') +# DCC +ifdef(`dcc.te', ` +allow dcc_client_t amavisd_lib_t:file r_file_perms; +') + +# Pyzor +ifdef(`pyzor.te',` +domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t) +#allow pyzor_t amavisd_data_t:dir search; +# Pyzor creates a temp file adjacent to the working file. +create_dir_file(pyzor_t, amavisd_lib_t); +') + +# SpamAssassin is executed from within amavisd, but needs to read its +# config +ifdef(`spamd.te', ` +r_dir_file(amavisd_t, etc_mail_t) +') + # Can create unix sockets allow amavisd_t self:unix_stream_socket create_stream_socket_perms; allow amavisd_t self:unix_dgram_socket create_socket_perms; @@ -64,6 +92,9 @@ log_domain(amavisd) # Access amavisd var/lib files. create_dir_file(amavisd_t, amavisd_lib_t) +# Access amavisd quarantined files. +create_dir_file(amavisd_t, amavisd_quarantine_t) + # Run helper programs. can_exec_any(amavisd_t,bin_t) allow amavisd_t bin_t:dir { getattr search }; 
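Review bot: `# The next line doesn't work right so drop the port specification.` leaves a commented-out rule without saying what failed; either state the observed failure or remove the dead line, since `can_network_client_tcp(amavisd_t)` followed by `allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;` already expresses the intended restriction. In the pyzor hunk, `create_dir_file(pyzor_t, amavisd_lib_t);` gives pyzor create and write access to the whole amavisd lib tree for the sake of one temp file placed beside the working file, and `#allow pyzor_t amavisd_data_t:dir search;` is another commented-out rule; a narrower rule, or a comment explaining why the full macro is needed, would help. The trailing `;` after macro calls (`can_resolve(amavisd_t);`) matches the existing `can_ypbind(amavisd_t);` line but not the rest of the tree, so it is worth settling on one form within the file.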
@@ -83,3 +114,4 @@ allow amavisd_t etc_runtime_t:file { getattr read }; dontaudit amavisd_t sysadm_home_dir_t:dir search; dontaudit amavisd_t shadow_t:file { getattr read }; dontaudit amavisd_t sysadm_devpts_t:chr_file { read write }; + diff --git a/strict/domains/program/unused/asterisk.te b/strict/domains/program/unused/asterisk.te index c8d182d..7ae5ffc 100644 --- a/strict/domains/program/unused/asterisk.te +++ b/strict/domains/program/unused/asterisk.te @@ -4,8 +4,6 @@ # # X-Debian-Packages: asterisk -type asterisk_port_t, port_type; - daemon_domain(asterisk) allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms; allow initrc_t asterisk_var_run_t:fifo_file unlink; diff --git a/strict/domains/program/unused/authbind.te b/strict/domains/program/unused/authbind.te index d34e659..6aabc3e 100644 --- a/strict/domains/program/unused/authbind.te +++ b/strict/domains/program/unused/authbind.te @@ -16,7 +16,6 @@ type authbind_exec_t, file_type, sysadmfile, exec_type; role system_r types authbind_t; etcdir_domain(authbind) -typealias authbind_etc_t alias etc_authbind_t; can_exec(authbind_t, authbind_etc_t) allow authbind_t etc_t:dir r_dir_perms; diff --git a/strict/domains/program/unused/backup.te b/strict/domains/program/unused/backup.te index 211e761..89c5171 100644 --- a/strict/domains/program/unused/backup.te +++ b/strict/domains/program/unused/backup.te @@ -27,6 +27,7 @@ rw_dir_create_file(system_crond_t, backup_store_t) allow backup_t urandom_device_t:chr_file read; can_network_client(backup_t) +allow backup_t port_type:tcp_socket name_connect; can_ypbind(backup_t) uses_shlib(backup_t) diff --git a/strict/domains/program/unused/bonobo.te b/strict/domains/program/unused/bonobo.te new file mode 100644 index 0000000..c23f1d2 --- /dev/null +++ b/strict/domains/program/unused/bonobo.te 
@@ -0,0 +1,9 @@ +# DESC - Bonobo Activation Server +# +# Author: Ivan Gyurdiev +# + +# Type for executable +type bonobo_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/bonobo_macros.te diff --git a/strict/domains/program/unused/ciped.te b/strict/domains/program/unused/ciped.te index 91ed9f3..6fddf97 100644 --- a/strict/domains/program/unused/ciped.te +++ b/strict/domains/program/unused/ciped.te @@ -5,11 +5,11 @@ daemon_base_domain(ciped) # for SSP allow ciped_t urandom_device_t:chr_file read; -type cipe_port_t, port_type; +# cipe uses the afs3-bos port (udp 7007) +allow ciped_t afs_bos_port_t:udp_socket name_bind; can_network_udp(ciped_t) can_ypbind(ciped_t) -allow ciped_t cipe_port_t:udp_socket name_bind; allow ciped_t devpts_t:dir search; allow ciped_t devtty_t:chr_file { read write }; diff --git a/strict/domains/program/unused/clamav.te b/strict/domains/program/unused/clamav.te index 47407db..3ef34ee 100644 --- a/strict/domains/program/unused/clamav.te +++ b/strict/domains/program/unused/clamav.te @@ -15,13 +15,22 @@ type clamav_var_lib_t, file_type, sysadmfile; # clamscan_t is the domain of the clamscan virus scanner type clamscan_exec_t, file_type, sysadmfile, exec_type; -daemon_base_domain(freshclam) +########## +########## + +# +# Freshclam +# + +daemon_base_domain(freshclam, `, web_client_domain') read_locale(freshclam_t) # not sure why it needs this read_sysctl(freshclam_t) -can_network_server(freshclam_t) +can_network_client_tcp(freshclam_t, http_port_t); +allow freshclam_t http_port_t:tcp_socket name_connect; +can_resolve(freshclam_t) can_ypbind(freshclam_t) # Access virus signatures 
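Review bot: In ciped.te, replacing the dedicated cipe_port_t with `allow ciped_t afs_bos_port_t:udp_socket name_bind;` means cipe and the AFS bosserver added in afs.te (`allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;`) now share one port type, so the policy can no longer distinguish the two services on UDP 7007 and either domain may bind the other's port. If the port number genuinely is shared, the comment `# cipe uses the afs3-bos port (udp 7007)` should also say that both services are expected to coexist under one type; otherwise keeping a dedicated type is the cleaner fix.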
@@ -56,24 +65,59 @@ allow freshclam_t self:fifo_file rw_file_perms; logdir_domain(freshclam) allow initrc_t freshclam_log_t:file append; +# Pid files for freshclam +allow initrc_t clamd_var_run_t:file { create setattr }; + system_crond_entry(freshclam_exec_t, freshclam_t) domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t) domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t) role sysadm_r types freshclam_t; +create_dir_file(freshclam_t, clamd_var_run_t) + +########## +########## + +# +# Clamscan +# + # macros/program/clamav_macros.te. user_clamscan_domain(sysadm) +########## +########## + +# +# Clamd +# + +type clamd_sock_t, file_type, sysadmfile; + # clamd executable daemon_domain(clamd) tmp_domain(clamd) + +# The dir containing the clamd log files is labelled freshclam_t logdir_domain(clamd) +allow clamd_t freshclam_log_t:dir search; + +allow clamd_t self:capability { kill setgid setuid dac_override }; -file_type_auto_trans(clamd_t, var_run_t, clamd_var_run_t, sock_file) +# Give the clamd local communications socket a unique type +ifdef(`distro_debian', ` +file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file) +') +ifdef(`distro_redhat', ` +file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file) +') -allow clamd_t self:capability { kill setgid setuid }; +# Clamd can be configured to listen on a TCP port. +can_network_server_tcp(clamd_t, clamd_port_t) +allow clamd_t clamd_port_t:tcp_socket name_bind; +can_resolve(clamd_t); allow clamd_t var_lib_t:dir search; r_dir_file(clamd_t, clamav_var_lib_t) 
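Review bot: `# The dir containing the clamd log files is labelled freshclam_t` names the daemon domain, but the rule it introduces uses `freshclam_log_t`, so the comment should read `# The dir containing the clamd log files is labelled freshclam_log_t`. Likewise `# Pid files for freshclam` sits above `allow initrc_t clamd_var_run_t:file { create setattr };`, which is clamd's runtime type, so either the comment or the type is off; `create_dir_file(freshclam_t, clamd_var_run_t)` further down suggests the type is intentional and the comment should say that freshclam writes under clamd's run directory. The debian/redhat split for the socket type is clear; a short comment on why the two distros place the socket differently would save the next reader a lookup.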
@@ -86,3 +130,18 @@ allow clamd_t self:fifo_file rw_file_perms; allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read }; dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl; + + +########## +########## + +# +# Interaction with external programs +# + +ifdef(`amavis.te',` +allow amavisd_t clamd_var_run_t:dir search; +allow amavisd_t clamd_t:unix_stream_socket connectto; +allow amavisd_t clamd_sock_t:sock_file write; +') + diff --git a/strict/domains/program/unused/clockspeed.te b/strict/domains/program/unused/clockspeed.te new file mode 100644 index 0000000..ef51d66 --- /dev/null +++ b/strict/domains/program/unused/clockspeed.te @@ -0,0 +1,25 @@ +#DESC clockspeed - Simple network time protocol client +# +# Author Petre Rodan +# + +daemon_base_domain(clockspeed) +var_lib_domain(clockspeed) +can_network(clockspeed_t) +allow clockspeed_t port_type:tcp_socket name_connect; +read_locale(clockspeed_t) + +allow clockspeed_t self:capability { sys_time net_bind_service }; +allow clockspeed_t self:unix_dgram_socket create_socket_perms; +allow clockspeed_t self:unix_stream_socket create_socket_perms; +allow clockspeed_t clockspeed_port_t:udp_socket name_bind; +allow clockspeed_t domain:packet_socket recvfrom; + +allow clockspeed_t var_t:dir search; +allow clockspeed_t clockspeed_var_lib_t:file create_file_perms; +allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms; + +# sysadm can play with clockspeed +role sysadm_r types clockspeed_t; +domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t) + diff --git a/strict/domains/program/unused/courier.te b/strict/domains/program/unused/courier.te index d2e9ad0..75e42d3 100644 --- a/strict/domains/program/unused/courier.te +++ b/strict/domains/program/unused/courier.te 
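Review bot: In the new clockspeed.te, `allow clockspeed_t domain:packet_socket recvfrom;` lets this time client receive from the packet sockets of every domain on the system; the header describes a simple SNTP client, so a narrower source type (or a comment naming the peer domain that actually feeds it) seems warranted — confirm against the software. `domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)` carries a stray space after the opening parenthesis, unlike the other calls in the file.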
@@ -9,7 +9,6 @@ type courier_var_run_t, file_type, sysadmfile, pidfile; type courier_var_lib_t, file_type, sysadmfile; type courier_etc_t, file_type, sysadmfile; -typealias courier_etc_t alias etc_courier_t; # allow start scripts to read the config allow initrc_t courier_etc_t:file r_file_perms; @@ -93,7 +92,7 @@ allow courier_tcpd_t pop_port_t:tcp_socket name_bind; allow courier_tcpd_t sbin_t:dir search; allow courier_tcpd_t var_lib_t:dir search; # for TLS -allow courier_tcpd_t urandom_device_t:chr_file read; +allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read }; read_locale(courier_tcpd_t) can_exec(courier_tcpd_t, courier_exec_t) allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; diff --git a/strict/domains/program/unused/cvs.te b/strict/domains/program/unused/cvs.te new file mode 100644 index 0000000..ca089ed --- /dev/null +++ b/strict/domains/program/unused/cvs.te @@ -0,0 +1,26 @@ +#DESC cvs - Concurrent Versions System +# +# Author: Dan Walsh +# +# Depends: inetd.te + +################################# +# +# Rules for the cvs_t domain. +# +# cvs_exec_t is the type of the cvs executable. +# + +inetd_child_domain(cvs, tcp) +typeattribute cvs_t privmail; +typeattribute cvs_t auth_chkpwd; + +type cvs_data_t, file_type, sysadmfile; +create_dir_file(cvs_t, cvs_data_t) +can_exec(cvs_t, { bin_t sbin_t shell_exec_t }) +allow cvs_t etc_runtime_t:file { getattr read }; +allow system_mail_t cvs_data_t:file { getattr read }; +dontaudit cvs_t devtty_t:chr_file { read write }; +allow cvs_t default_t:dir search; +allow cvs_t default_t:lnk_file read; + diff --git a/strict/domains/program/unused/daemontools.te b/strict/domains/program/unused/daemontools.te new file mode 100644 index 0000000..b24a58c --- /dev/null +++ b/strict/domains/program/unused/daemontools.te 
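Review bot: In the new cvs.te, `allow cvs_t default_t:dir search;` and `allow cvs_t default_t:lnk_file read;` let the cvs domain traverse paths carrying the catch-all default_t label, which usually means the repository, or a symlink leading to it, is missing a file context; labelling that path as cvs_data_t and dropping these two lines keeps the domain from reaching anything else that is unlabelled. `typeattribute cvs_t privmail;`, `typeattribute cvs_t auth_chkpwd;` and `can_exec(cvs_t, { bin_t sbin_t shell_exec_t })` together give an inetd-spawned network service mail, password-check and shell execution in its own domain; a comment naming the cvs hooks or scripts that require each would let a reviewer check the grant against real use.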
@@ -0,0 +1,203 @@ +#DESC Daemontools - Tools for managing UNIX services +# +# Author: Petre Rodan +# with the help of Chris PeBenito, Russell Coker and Tad Glines +# + +# +# selinux policy for daemontools +# http://cr.yp.to/daemontools.html +# +# thanks for D. J. Bernstein and the NSA team for the great software +# they provide +# + +############################################################## +# type definitions + +type svc_conf_t, file_type, sysadmfile; +type svc_log_t, file_type, sysadmfile; +type svc_svc_t, file_type, sysadmfile; + + +############################################################## +# Macros +define(`svc_filedir_domain', ` +create_dir_file($1, svc_svc_t) +file_type_auto_trans($1, svc_svc_t, svc_svc_t); +') + +############################################################## +# the domains +daemon_base_domain(svc_script) +svc_filedir_domain(svc_script_t) + +# part started by initrc_t +daemon_base_domain(svc_start) +domain_auto_trans(init_t, svc_start_exec_t, svc_start_t) +svc_filedir_domain(svc_start_t) + +# also get here from svc_script_t +domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t) + +# the domain for /service/*/run and /service/*/log/run +daemon_sub_domain(svc_start_t, svc_run) +r_dir_file(svc_run_t, svc_conf_t) + +# the logger +daemon_sub_domain(svc_run_t, svc_multilog) +file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file); + +###### +# rules for all those domains + +# sysadm can tweak svc_run_exec_t files +allow sysadm_t svc_run_exec_t:file create_file_perms; + +# run_init can control svc_script_t and svc_start_t domains +domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t) +domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t) +allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint; +svc_filedir_domain(initrc_t) + +# svc_start_t +allow svc_start_t self:fifo_file rw_file_perms; +allow svc_start_t self:capability kill; +allow svc_start_t self:unix_stream_socket create_socket_perms; 
+ +allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms; +allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms; +allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms; +allow svc_start_t { var_t var_run_t }:dir search; +can_exec(svc_start_t, bin_t) +can_exec(svc_start_t, shell_exec_t) +allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans }; +allow svc_start_t svc_run_t:process signal; +dontaudit svc_start_t proc_t:file r_file_perms; +dontaudit svc_start_t devtty_t:chr_file { read write }; + +# svc script +allow svc_script_t self:capability sys_admin; +allow svc_script_t self:fifo_file { getattr read write }; +allow svc_script_t self:file r_file_perms; +allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms; +allow svc_script_t bin_t:lnk_file r_file_perms; +can_exec(svc_script_t, bin_t) +can_exec(svc_script_t, shell_exec_t) +allow svc_script_t proc_t:file r_file_perms; +allow svc_script_t shell_exec_t:file rx_file_perms; +allow svc_script_t devtty_t:chr_file rw_file_perms; +allow svc_script_t etc_runtime_t:file r_file_perms; +allow svc_script_t svc_run_exec_t:file r_file_perms; +allow svc_script_t svc_script_exec_t:file execute_no_trans; +allow svc_script_t sysctl_kernel_t:dir r_dir_perms; +allow svc_script_t sysctl_kernel_t:file r_file_perms; + +# svc_run_t +allow svc_run_t self:capability { setgid setuid chown fsetid }; +allow svc_run_t self:fifo_file rw_file_perms; +allow svc_run_t self:file r_file_perms; +allow svc_run_t self:process { fork setrlimit }; +allow svc_run_t self:unix_stream_socket create_stream_socket_perms; +allow svc_run_t svc_svc_t:dir r_dir_perms; +allow svc_run_t svc_svc_t:file r_file_perms; +allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans }; +allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms; +allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms; +allow svc_run_t { var_t var_run_t }:dir search; +can_exec(svc_run_t, etc_t) +can_exec(svc_run_t, lib_t) 
+can_exec(svc_run_t, bin_t) +can_exec(svc_run_t, sbin_t) +can_exec(svc_run_t, ls_exec_t) +can_exec(svc_run_t, shell_exec_t) +allow svc_run_t devtty_t:chr_file rw_file_perms; +allow svc_run_t etc_runtime_t:file r_file_perms; +allow svc_run_t exec_type:{ file lnk_file } getattr; +allow svc_run_t init_t:fd use; +allow svc_run_t initrc_t:fd use; +allow svc_run_t proc_t:file r_file_perms; +allow svc_run_t sysctl_t:dir search; +allow svc_run_t sysctl_kernel_t:dir r_dir_perms; +allow svc_run_t sysctl_kernel_t:file r_file_perms; +allow svc_run_t var_lib_t:dir r_dir_perms; + +# multilog creates /service/*/log/status +allow svc_multilog_t svc_svc_t:dir { read search }; +allow svc_multilog_t svc_svc_t:file { append write }; +# writes to /var/log/*/* +allow svc_multilog_t var_t:dir search; +allow svc_multilog_t var_log_t:dir create_dir_perms; +allow svc_multilog_t var_log_t:file create_file_perms; +# misc +allow svc_multilog_t init_t:fd use; +allow svc_start_t svc_multilog_t:process signal; +svc_ipc_domain(svc_multilog_t) + +################################################################ +# scripts that can be started by daemontools +# keep it sorted please. 
+ +ifdef(`apache.te', ` +domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t) +svc_ipc_domain(httpd_t) +dontaudit httpd_t svc_svc_t:dir { search }; +') + +ifdef(`clamav.te', ` +domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t) +svc_ipc_domain(clamd_t) +') + +ifdef(`clockspeed.te', ` +domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t) +svc_ipc_domain(clockspeed_t) +r_dir_file(svc_run_t, clockspeed_var_lib_t) +allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr }; +') + +ifdef(`dante.te', ` +domain_auto_trans( svc_run_t, dante_exec_t, dante_t); +svc_ipc_domain(dante_t) +') + +ifdef(`publicfile.te', ` +svc_ipc_domain(publicfile_t) +') + +ifdef(`qmail.te', ` +allow svc_run_t qmail_start_exec_t:file rx_file_perms; +domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t) +r_dir_file(svc_run_t, qmail_etc_t) +svc_ipc_domain(qmail_send_t) +svc_ipc_domain(qmail_start_t) +svc_ipc_domain(qmail_queue_t) +svc_ipc_domain(qmail_smtpd_t) +') + +ifdef(`rsyncd.te', ` +domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t) +svc_ipc_domain(rsyncd_t) +') + +ifdef(`spamd.te', ` +domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t) +svc_ipc_domain(spamd_t) +') + +ifdef(`ssh.te', ` +domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t) +svc_ipc_domain(sshd_t) +') + +ifdef(`stunnel.te', ` +domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t) +svc_ipc_domain(stunnel_t) +') + +ifdef(`ucspi-tcp.te', ` +domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t) +allow svc_run_t utcpserver_t:process { signal }; +svc_ipc_domain(utcpserver_t) +') + diff --git a/strict/domains/program/unused/dante.te b/strict/domains/program/unused/dante.te index ca1649a..70885ab 100644 --- a/strict/domains/program/unused/dante.te +++ b/strict/domains/program/unused/dante.te 
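Review bot: `can_exec(svc_run_t, etc_t)` and `can_exec(svc_run_t, lib_t)` let the run-script domain execute files labeled etc_t and lib_t, which are not exec types, and the hunk gives no reason; a script under /etc that daemontools runs should get its own exec type (the file already defines svc_run_exec_t for /service/*/run) rather than making every config file executable from svc_run_t. Separately, `domain_auto_trans( svc_run_t, dante_exec_t, dante_t);` differs from the other calls in this file in its spacing and trailing `;`; the same trailing-`;` macro calls appear in dcc.te (`dcc_common(dccd, server);`, `create_dir_file(dccd_t, dcc_var_t);`). If the macro expansion already ends in a terminated statement, the `;` is at best a stray token, so dropping it for consistency is worthwhile.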
@@ -4,17 +4,20 @@ # type dante_conf_t, file_type, sysadmfile; -type socks_port_t, port_type; daemon_domain(dante) can_network_server(dante_t) allow dante_t self:fifo_file { read write }; -allow dante_t self:capability { setuid }; +allow dante_t self:capability { setuid setgid }; allow dante_t self:unix_dgram_socket { connect create write }; allow dante_t self:unix_stream_socket { connect create read setopt write }; +allow dante_t self:tcp_socket connect; allow dante_t socks_port_t:tcp_socket name_bind; allow dante_t { etc_t etc_runtime_t }:file r_file_perms; r_dir_file(dante_t, dante_conf_t) + +allow dante_t initrc_var_run_t:file { getattr write }; + diff --git a/strict/domains/program/unused/dcc.te b/strict/domains/program/unused/dcc.te new file mode 100644 index 0000000..598d929 --- /dev/null +++ b/strict/domains/program/unused/dcc.te 
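Review bot: `allow dante_t initrc_var_run_t:file { getattr write };` gives the SOCKS daemon write access to files in the init scripts' runtime type without saying which file; daemon_domain() normally gives dante its own var_run type for its pid file, so this looks like either a pid file written to the wrong location or a mislabeled file. A comment naming the file (`# writes <fill in: path> created by the init script`) or relabeling that file to dante's own var_run type would be better than widening into initrc_var_run_t. The removal of `type socks_port_t, port_type;` matches the other port-type removals in this commit, so I assume the type now lives in a central file.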
@@ -0,0 +1,252 @@ +# +# DCC - Distributed Checksum Clearinghouse +# Author: David Hampton +# +# +# NOTE: DCC has writeable files in /etc/dcc that should probably be in +# /var/lib/dcc. For now this policy supports both directories being +# writable. + +# Files common to all dcc programs +type dcc_client_map_t, file_type, sysadmfile; +type dcc_var_t, file_type, sysadmfile; +type dcc_var_run_t, file_type, sysadmfile; + + +########## +########## + +# +# common to all dcc variants +# +define(`dcc_common',` +# Access files in /var/dcc. The map file can be updated +r_dir_file($1_t, dcc_var_t) +allow $1_t dcc_client_map_t:file rw_file_perms; + +# Read mtab, nsswitch and locale +allow $1_t { etc_t etc_runtime_t }:file { getattr read }; +read_locale($1_t) + +#Networking +can_resolve($1_t) +ifelse($2, `server', ` +can_network_udp($1_t) +', ` +can_network_udp($1_t, `dcc_port_t') +') +allow $1_t self:unix_dgram_socket create_socket_perms; + +# Create private temp files +tmp_domain($1) + +# Triggered by a call to gethostid(2) in dcc client libs +allow $1_t self:unix_stream_socket { connect create }; + +allow $1_t sysadm_su_t:process { sigchld }; +allow $1_t dcc_script_t:fd use; + +dontaudit $1_t kernel_t:fd use; +dontaudit $1_t root_t:file read; +') + +allow initrc_t dcc_var_run_t:dir rw_dir_perms; + + +########## +########## + +# +# dccd - Server daemon that can be accessed over the net +# +daemon_domain(dccd, `, privlog, nscd_client_domain') +dcc_common(dccd, server); + +# Runs the dbclean program +allow dccd_t bin_t:dir search; +domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t) + +# The daemon needs to listen on the dcc ports +allow dccd_t dcc_port_t:udp_socket name_bind; + +# Updating dcc_db, flod, ... 
+create_dir_file(dccd_t, dcc_var_t); + +allow dccd_t self:capability net_admin; +allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; + +# Reading /proc/meminfo +allow dccd_t proc_t:file { getattr read }; + + +# +# cdcc - control dcc daemon +# +application_domain(cdcc, `, nscd_client_domain') +role system_r types cdcc_t; +dcc_common(cdcc) + +# suid program +allow cdcc_t self:capability setuid; + +# Running from the command line +allow cdcc_t sshd_t:fd use; +allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms; + + + +########## +########## + +# +# DCC Clients +# + +# +# dccifd - Spamassassin and general MTA persistent client +# +daemon_domain(dccifd, `, privlog, nscd_client_domain') +dcc_common(dccifd); +file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file) + +# Allow the domain to communicate with other processes +allow dccifd_t self:unix_stream_socket create_stream_socket_perms; + +# Updating dcc_db, flod, ... +create_dir_notdevfile(dccifd_t, dcc_var_t); + +# Updating map, ... +allow dccifd_t dcc_client_map_t:file rw_file_perms; + +# dccifd communications socket +type dccifd_sock_t, file_type, sysadmfile; +file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file) + +# Reading /proc/meminfo +allow dccifd_t proc_t:file { getattr read }; + + +# +# dccm - sendmail milter client +# +daemon_domain(dccm, `, privlog, nscd_client_domain') +dcc_common(dccm); +file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file) + +# Allow the domain to communicate with other processes +allow dccm_t self:unix_stream_socket create_stream_socket_perms; + +# Updating map, ... 
+create_dir_notdevfile(dccm_t, dcc_var_t); +allow dccm_t dcc_client_map_t:file rw_file_perms; + +# dccm communications socket +type dccm_sock_t, file_type, sysadmfile; +file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file) + + +# +# dccproc - dcc procmail interface +# +application_domain(dcc_client, `, privlog, nscd_client_domain') +role system_r types dcc_client_t; +dcc_common(dcc_client) + +# suid program +allow dcc_client_t self:capability setuid; + +# Running from the command line +allow dcc_client_t sshd_t:fd use; +allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms; + + +########## +########## + +# +# DCC Utilities +# + +# +# dbclean - database cleanup tool +# +application_domain(dcc_dbclean, `, nscd_client_domain') +role system_r types dcc_dbclean_t; +dcc_common(dcc_dbclean) + +# Updating various files. +create_dir_file(dcc_dbclean_t, dcc_var_t); + +# wants to look at /proc/meminfo +allow dcc_dbclean_t proc_t:dir search; +allow dcc_dbclean_t proc_t:file { getattr read }; + +# Running from the command line +allow dcc_dbclean_t sshd_t:fd use; +allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms; + +########## +########## + +# +# DCC Startup scripts +# +# These are shell sccripts that start/stop/restart the various dcc +# programs. +# +init_service_domain(dcc_script, `, nscd_client_domain') +general_domain_access(dcc_script_t) +general_proc_read_access(dcc_script_t) +can_exec_any(dcc_script_t) +dcc_common(dcc_script) + +# Allow calling the script from an init script (initrt_t) or from +# rc.local (staff_t) +domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t) + +# Start up the daemon process. These scripts run 'su' to change to +# the dcc user (even though the default dcc user is root). 
+allow dcc_script_t self:capability setuid; +su_restricted_domain(dcc_script, system) +role system_r types dcc_script_su_t; +domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t) +domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t) +domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t) + +# Stop the daemon process +allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal }; + +# Access various DCC files +allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search }; +allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read }; + +allow { dcc_script_t dcc_script_su_t } initrc_t:fd use; +allow { dcc_script_t dcc_script_su_t } devpts_t:dir search; +allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms; +allow dcc_script_t devtty_t:chr_file { read write }; +allow dcc_script_su_t sysadm_home_dir_t:dir search; +allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition }; +allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto }; + +dontaudit dcc_script_su_t kernel_t:fd use; +dontaudit dcc_script_su_t root_t:file read; +dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search }; + +allow sysadm_t dcc_script_t:fd use; + +########## +########## + +# +# External spam checkers need to run and/or talk to DCC +# +define(`access_dcc',` +domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t); +allow $1_t dcc_var_t:dir search; +allow $1_t dccifd_sock_t:sock_file { getattr write }; +allow $1_t dccifd_t:unix_stream_socket connectto; +allow $1_t dcc_script_t:unix_stream_socket connectto; +') + +ifdef(`amavis.te',`access_dcc(amavisd)') +ifdef(`spamd.te',`access_dcc(spamd)') diff --git a/strict/domains/program/unused/ddclient.te b/strict/domains/program/unused/ddclient.te index 8b134dc..21f1f8e 100644 --- a/strict/domains/program/unused/ddclient.te +++ b/strict/domains/program/unused/ddclient.te 
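Review bot: `allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };` lets the startup script's su domain transition into sysadm_t, the full administrator domain, which undoes the point of confining the script in dcc_script_t and dcc_script_su_t; the comment above says su is only used to become the dcc user, so a transition to sysadm_t should not be needed. Unless su_restricted_domain() requires it to return to the invoking shell, this line should go, and if only the inheritance checks are noisy they can be `dontaudit` rather than `allow`. A one-line why-comment is needed in either case. `allow $1_t sysadm_su_t:process { sigchld };` in dcc_common and `allow $1_t dcc_script_t:unix_stream_socket connectto;` in access_dcc are similarly unexplained.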
@@ -26,12 +26,13 @@ allow ddclient_t self:socket create_socket_perms; allow ddclient_t etc_t:file { getattr read }; allow ddclient_t etc_runtime_t:file r_file_perms; allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans }; -allow ddclient_t urandom_device_t:chr_file { read }; +allow ddclient_t urandom_device_t:chr_file read; general_proc_read_access(ddclient_t) -allow ddclient_t sysctl_net_t:dir { search }; +allow ddclient_t sysctl_net_t:dir search; # network-related goodies can_network_client(ddclient_t) +allow ddclient_t port_type:tcp_socket name_connect; allow ddclient_t self:unix_dgram_socket create_socket_perms; allow ddclient_t self:unix_stream_socket create_socket_perms; diff --git a/strict/domains/program/unused/ddcprobe.te b/strict/domains/program/unused/ddcprobe.te new file mode 100644 index 0000000..4087126 --- /dev/null +++ b/strict/domains/program/unused/ddcprobe.te 
@@ -0,0 +1,42 @@
+#DESC ddcprobe - output ddcprobe results from kudzu
+#
+# Author: dan walsh
+#
+
+type ddcprobe_t, domain, privmem;
+type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types ddcprobe_t;
+role system_r types ddcprobe_t;
+domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
+
+uses_shlib(ddcprobe_t)
+
+# Allow terminal access
+access_terminal(ddcprobe_t, sysadm)
+
+# Allow ddcprobe to read /dev/mem
+allow ddcprobe_t memory_device_t:chr_file read;
+allow ddcprobe_t memory_device_t:chr_file { execute write };
+allow ddcprobe_t self:process execmem;
+allow ddcprobe_t zero_device_t:chr_file { execute read };
+
+allow ddcprobe_t proc_t:dir search;
+allow ddcprobe_t proc_t:file { getattr read };
+can_exec(ddcprobe_t, sbin_t)
+allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
+allow ddcprobe_t userdomain:fd use;
+read_sysctl(ddcprobe_t)
+allow ddcprobe_t urandom_device_t:chr_file { getattr read };
+allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+
+allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
+allow ddcprobe_t kudzu_exec_t:file getattr;
+allow ddcprobe_t lib_t:file { getattr read };
+read_locale(ddcprobe_t)
+allow ddcprobe_t modules_object_t:dir search;
+allow ddcprobe_t modules_dep_t:file { getattr read };
+allow ddcprobe_t usr_t:file { getattr read };
+allow ddcprobe_t kernel_t:system syslog_console;
diff --git a/strict/domains/program/unused/devfsd.te b/strict/domains/program/unused/devfsd.te
deleted file mode 100644
index 7bbc314..0000000
--- a/strict/domains/program/unused/devfsd.te
+++ /dev/null
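Review bot: `allow ddcprobe_t memory_device_t:chr_file { execute write };` grants write and execute on /dev/mem under a comment that says only `# Allow ddcprobe to read /dev/mem`; together with `privmem`, `sys_rawio` and `execmem` this makes the domain kernel-equivalent, so the comment should say why (presumably mapping real-mode BIOS memory for the VBE probe; confirm) and the two lines can be merged as `allow ddcprobe_t memory_device_t:chr_file { read write execute };`. `allow ddcprobe_t user_tty_type:chr_file rw_file_perms;` and `allow ddcprobe_t userdomain:fd use;` reach every user's terminal and descriptors although only sysadm_t transitions into the domain via `domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)`, and `access_terminal(ddcprobe_t, sysadm)` already covers the admin's terminal; those two lines look wider than the transition rules justify.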
@@ -1,93 +0,0 @@ -#DESC Devfsd - Control daemon for devfs device file system -# -# Author: Russell Coker -# X-Debian-Packages: devfsd -# - -################################# -# -# Rules for the devfsd_t domain. -# -etcdir_domain(devfsd) -typealias devfsd_etc_t alias etc_devfsd_t; - -allow kernel_t { device_t root_t }:dir mounton; - -daemon_domain(devfsd, `, privmodule') - -allow devfsd_t urandom_device_t:chr_file read; - -# for startup scripts -can_exec(devfsd_t, bin_t) -allow devfsd_t self:fifo_file rw_file_perms; -allow devfsd_t proc_t:dir r_dir_perms; -allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms; -allow devfsd_t devtty_t:chr_file rw_file_perms; - -# for alsa -allow devfsd_t proc_t:file setattr; - -# for /sbin/modprobe -allow devfsd_t { bin_t sbin_t }:dir r_dir_perms; - -ifdef(`distro_debian', ` -# for the makedev script - this may be a bad idea -domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t) - -# for package upgrade -allow devfsd_t lib_t:file execute; -') - -# mknod capability is for the startup scripts -allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod }; - -# allow devfsd to change any object from type devfsd_t to any other type -# also allow to unlink -allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink }; -# allow devfsd to get and set attributes of any device node and to change the -# type to any device type -allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto }; -allow devfsd_t mtrr_device_t:file { getattr setattr relabelto }; -allow devfsd_t initctl_t:fifo_file getattr; -allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr; -allow devfsd_t device_t:dir { r_dir_perms setattr }; - -allow devfsd_t devpts_t:dir { r_dir_perms relabelto }; -allow devfsd_t devpts_t:chr_file { getattr setattr }; -allow devpts_t device_t:filesystem associate; -allow initctl_t 
device_t:filesystem associate; -allow device_t device_t:filesystem associate; -allow devlog_t device_t:filesystem associate; - -# allow all devices to be under device_t -allow { device_type ttyfile ptyfile } device_t:filesystem associate; - -allow domain device_t:lnk_file r_file_perms; - -# read the config files -allow devfsd_t etc_t:dir r_dir_perms; - -# allow the permissions and symlinks to be done -allow devfsd_t device_t:lnk_file create_file_perms; -allow devfsd_t device_t:dir rw_dir_perms; -allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr; -allow devfsd_t file_type:lnk_file r_file_perms; - -allow devfsd_t self:unix_dgram_socket create_socket_perms; -allow devfsd_t self:unix_stream_socket create_stream_socket_perms; -allow devfsd_t self:unix_dgram_socket sendto; -allow devfsd_t self:unix_stream_socket connect; - -allow devfsd_t devfs_control_t:chr_file { getattr read ioctl }; -dontaudit userdomain devfs_control_t:chr_file getattr; - -# allow resolv.conf and UDP access for LDAP or other NSS data source -allow devfsd_t self:udp_socket create_socket_perms; - -allow devfsd_t privfd:fd use; - -allow kernel_t device_t:filesystem mount; - -# for nss-ldap etc -can_network_client_tcp(devfsd_t) -can_ypbind(devfsd_t) diff --git a/strict/domains/program/unused/distcc.te b/strict/domains/program/unused/distcc.te index dee96a7..56034f9 100644 --- a/strict/domains/program/unused/distcc.te +++ b/strict/domains/program/unused/distcc.te @@ -9,7 +9,6 @@ can_ypbind(distccd_t) log_domain(distccd) tmp_domain(distccd) -type distccd_port_t, port_type; allow distccd_t distccd_port_t:tcp_socket name_bind; allow distccd_t self:capability { setgid setuid }; diff --git a/strict/domains/program/unused/djbdns.te b/strict/domains/program/unused/djbdns.te new file mode 100644 index 0000000..3e11395 --- /dev/null +++ b/strict/domains/program/unused/djbdns.te 
@@ -0,0 +1,46 @@
+# DESC selinux policy for djbdns
+# http://cr.yp.to/djbdns.html
+#
+# Author: petre rodan
+#
+# this policy depends on ucspi-tcp and daemontools policies
+#
+
+ifdef(`daemontools.te', `
+ifdef(`ucspi-tcp.te', `
+
+define(`djbdns_daemon_domain', `
+type djbdns_$1_conf_t, file_type, sysadmfile;
+daemon_domain(djbdns_$1)
+domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
+svc_ipc_domain(djbdns_$1_t)
+can_network(djbdns_$1_t)
+allow djbdns_$1_t port_type:tcp_socket name_connect;
+allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
+allow djbdns_$1_t port_t:udp_socket name_bind;
+r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
+allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
+')
+
+define(`djbdns_tcpserver_domain', `
+type djbdns_$1_conf_t, file_type, sysadmfile;
+daemon_domain(djbdns_$1)
+domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
+svc_ipc_domain(djbdns_$1_t)
+allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
+r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
+allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
+')
+
+djbdns_daemon_domain(dnscache)
+# read seed file
+allow djbdns_dnscache_t svc_svc_t:file r_file_perms;
+
+djbdns_daemon_domain(tinydns)
+
+djbdns_tcpserver_domain(axfrdns)
+r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)
+
+') dnl ifdef ucspi-tcp.te
+') dnl ifdef daemontools.te
diff --git a/strict/domains/program/unused/dmidecode.te b/strict/domains/program/unused/dmidecode.te
new file mode 100644
index 0000000..05b93f7
--- /dev/null
+++ b/strict/domains/program/unused/dmidecode.te
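Review bot: `r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)` names tinydns's process domain, not its data; the type this file creates for tinydns's files is djbdns_tinydns_conf_t (from `type djbdns_$1_conf_t` in djbdns_daemon_domain), so if axfrdns is meant to read tinydns's data directory the line should be `r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_conf_t)`. As written it grants read on directories and files carrying a domain type, which is almost certainly not what axfrdns needs. Also, djbdns_daemon_domain grants `port_type:tcp_socket name_connect` and `port_t:udp_socket name_bind` to every instantiation, so tinydns, an authoritative server that does not query upstream, receives the outbound rules written for dnscache; a second macro parameter, or moving those two lines under `djbdns_daemon_domain(dnscache)`, would keep tinydns narrower.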
@@ -0,0 +1,22 @@
+#DESC dmidecode - decodes DMI data for x86/ia64 bioses
+#
+# Author: Ivan Gyurdiev
+#
+
+type dmidecode_t, domain, privmem;
+type dmidecode_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types dmidecode_t;
+role system_r types dmidecode_t;
+domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
+
+uses_shlib(dmidecode_t)
+
+# Allow terminal access
+access_terminal(dmidecode_t, sysadm)
+
+# Allow dmidecode to read /dev/mem
+allow dmidecode_t memory_device_t:chr_file read;
+
+allow dmidecode_t self:capability sys_rawio;
diff --git a/strict/domains/program/unused/dpkg.te b/strict/domains/program/unused/dpkg.te
index 89458ef..34ba329 100644
--- a/strict/domains/program/unused/dpkg.te
+++ b/strict/domains/program/unused/dpkg.te
@@ -12,7 +12,6 @@ type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule; type dpkg_exec_t, file_type, sysadmfile, exec_type; type dpkg_var_lib_t, file_type, sysadmfile; type dpkg_etc_t, file_type, sysadmfile, usercanread; -typealias dpkg_etc_t alias etc_dpkg_t; type dpkg_lock_t, file_type, sysadmfile; type debconf_cache_t, file_type, sysadmfile;
@@ -176,9 +175,7 @@ type apt_exec_t, file_type, sysadmfile, exec_type; type apt_var_lib_t, file_type, sysadmfile; type var_cache_apt_t, file_type, sysadmfile; etcdir_domain(apt) -typealias apt_etc_t alias etc_apt_t; type apt_rw_etc_t, file_type, sysadmfile; -typealias apt_rw_etc_t alias etc_apt_rw_t; tmp_domain(apt, `', `{ dir file lnk_file }') can_exec(apt_t, apt_tmp_t)
@@ -322,6 +319,7 @@ allow apt_t { bin_t sbin_t }:dir search; allow apt_t self:process { signal sigchld fork }; allow apt_t sysadm_t:process sigchld; can_network({ apt_t dpkg_t }) +allow { apt_t dpkg_t } port_type:tcp_socket name_connect; can_ypbind({ apt_t dpkg_t }) allow { apt_t dpkg_t } var_t:dir { search getattr };
diff --git a/strict/domains/program/unused/ethereal.te b/strict/domains/program/unused/ethereal.te
new file mode 100644
index 0000000..a56d321
--- /dev/null
+++ b/strict/domains/program/unused/ethereal.te
@@ -0,0 +1,48 @@
+# DESC - Ethereal
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executables
+type tethereal_exec_t, file_type, exec_type, sysadmfile;
+type ethereal_exec_t, file_type, exec_type, sysadmfile;
+
+########################################################
+# Tethereal
+#
+
+# Type for program
+type tethereal_t, domain, nscd_client_domain;
+
+# Transition from sysadm type
+domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
+role sysadm_r types tethereal_t;
+
+uses_shlib(tethereal_t)
+read_locale(tethereal_t)
+
+# Terminal output
+access_terminal(tethereal_t, sysadm)
+
+# /proc
+read_sysctl(tethereal_t)
+allow tethereal_t { self proc_t }:dir { read search getattr };
+allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
+
+# Access root
+allow tethereal_t root_t:dir search;
+
+# Read ethereal files in /usr
+allow tethereal_t usr_t:file { read getattr };
+
+# /etc/nsswitch.conf
+allow tethereal_t etc_t:file { read getattr };
+
+# Ethereal sysadm rules
+ethereal_networking(tethereal)
+
+# FIXME: policy is incomplete
+
+#####################################
+# Ethereal (GNOME) policy can be found
+# in ethereal_macros.te
diff --git a/strict/domains/program/unused/evolution.te b/strict/domains/program/unused/evolution.te
new file mode 100644
index 0000000..c8a045e
--- /dev/null
+++ b/strict/domains/program/unused/evolution.te
@@ -0,0 +1,14 @@ +# DESC - Evolution +# +# Author: Ivan Gyurdiev +# + +# Type for executables +type evolution_exec_t, file_type, exec_type, sysadmfile; +type evolution_server_exec_t, file_type, exec_type, sysadmfile; +type evolution_webcal_exec_t, file_type, exec_type, sysadmfile; +type evolution_alarm_exec_t, file_type, exec_type, sysadmfile; +type evolution_exchange_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/evolution_macros.te +bool disable_evolution_trans false; diff --git a/strict/domains/program/unused/fontconfig.te b/strict/domains/program/unused/fontconfig.te new file mode 100644 index 0000000..836470a --- /dev/null +++ b/strict/domains/program/unused/fontconfig.te @@ -0,0 +1,7 @@ +# +# Fontconfig related types +# +# Author: Ivan Gyurdiev +# + +# Look in fontconfig_macros.te diff --git a/strict/domains/program/unused/gatekeeper.te b/strict/domains/program/unused/gatekeeper.te index 161f474..a1b464e 100644 --- a/strict/domains/program/unused/gatekeeper.te +++ b/strict/domains/program/unused/gatekeeper.te @@ -15,9 +15,7 @@ daemon_domain(gatekeeper) # for SSP allow gatekeeper_t urandom_device_t:chr_file read; -type gatekeeper_port_t, port_type; etc_domain(gatekeeper) -typealias gatekeeper_etc_t alias etc_gatekeeper_t; allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; logdir_domain(gatekeeper) diff --git a/strict/domains/program/unused/gconf.te b/strict/domains/program/unused/gconf.te new file mode 100644 index 0000000..e4dfa4b --- /dev/null +++ b/strict/domains/program/unused/gconf.te @@ -0,0 +1,12 @@ +# DESC - GConf preference daemon +# +# Author: Ivan Gyurdiev +# + +# Type for executable +type gconfd_exec_t, file_type, exec_type, sysadmfile; + +# Type for /etc files +type gconf_etc_t, file_type, sysadmfile; + +# Everything else is in macros/gconfd_macros.te diff --git a/strict/domains/program/unused/gift.te b/strict/domains/program/unused/gift.te index 90e19ea..9e9786e 100644 
--- a/strict/domains/program/unused/gift.te +++ b/strict/domains/program/unused/gift.te @@ -6,4 +6,4 @@ type gift_exec_t, file_type, exec_type, sysadmfile; type giftd_exec_t, file_type, exec_type, sysadmfile; -# Everything else is in macros/gift_macros.te +# Everything else is in macros/program/gift_macros.te diff --git a/strict/domains/program/unused/gnome.te b/strict/domains/program/unused/gnome.te new file mode 100644 index 0000000..b45ea8e --- /dev/null +++ b/strict/domains/program/unused/gnome.te @@ -0,0 +1,7 @@ +# +# GNOME related types +# +# Author: Ivan Gyurdiev +# + +# Look in gnome_macros.te diff --git a/strict/domains/program/unused/gnome_vfs.te b/strict/domains/program/unused/gnome_vfs.te new file mode 100644 index 0000000..d4cabb6 --- /dev/null +++ b/strict/domains/program/unused/gnome_vfs.te @@ -0,0 +1,9 @@ +# DESC - GNOME VFS Daemon +# +# Author: Ivan Gyurdiev +# + +# Type for executable +type gnome_vfs_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in macros/gnome_vfs_macros.te diff --git a/strict/domains/program/unused/iceauth.te b/strict/domains/program/unused/iceauth.te new file mode 100644 index 0000000..f41ad9e --- /dev/null +++ b/strict/domains/program/unused/iceauth.te @@ -0,0 +1,12 @@ +#DESC ICEauth - ICE authority file utility +# +# Domains for the iceauth program. +# +# Author: Ivan Gyurdiev +# +# iceauth_exec_t is the type of the xauth executable. +# +type iceauth_exec_t, file_type, exec_type, sysadmfile; + +# Everything else is in the iceauth_domain macro in +# macros/program/iceauth_macros.te. diff --git a/strict/domains/program/unused/imazesrv.te b/strict/domains/program/unused/imazesrv.te index af18409..27bae3f 100644 --- a/strict/domains/program/unused/imazesrv.te +++ b/strict/domains/program/unused/imazesrv.te 
@@ -15,7 +15,6 @@ log_domain(imazesrv); r_dir_file(imazesrv_t, imazesrv_data_t) -type imaze_port_t, port_type; allow imazesrv_t imaze_port_t:tcp_socket name_bind; allow imazesrv_t imaze_port_t:udp_socket name_bind; diff --git a/strict/domains/program/unused/ircd.te b/strict/domains/program/unused/ircd.te index 1b9c5fd..c85390e 100644 --- a/strict/domains/program/unused/ircd.te +++ b/strict/domains/program/unused/ircd.te @@ -12,11 +12,9 @@ # daemon_domain(ircd) -type ircd_port_t, port_type; allow ircd_t ircd_port_t:tcp_socket name_bind; etcdir_domain(ircd) -typealias ircd_etc_t alias etc_ircd_t; logdir_domain(ircd) diff --git a/strict/domains/program/unused/jabberd.te b/strict/domains/program/unused/jabberd.te index 55f0819..aed3b81 100644 --- a/strict/domains/program/unused/jabberd.te +++ b/strict/domains/program/unused/jabberd.te @@ -7,9 +7,6 @@ daemon_domain(jabberd) logdir_domain(jabberd) var_lib_domain(jabberd) -type jabber_client_port_t, port_type; -type jabber_interserver_port_t, port_type; - allow jabberd_t jabber_client_port_t:tcp_socket name_bind; allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind; diff --git a/strict/domains/program/unused/lrrd.te b/strict/domains/program/unused/lrrd.te index 3059c03..b1916f1 100644 --- a/strict/domains/program/unused/lrrd.te +++ b/strict/domains/program/unused/lrrd.te @@ -15,9 +15,7 @@ daemon_domain(lrrd) allow lrrd_t lrrd_var_run_t:sock_file create_file_perms; etcdir_domain(lrrd) -typealias lrrd_etc_t alias etc_lrrd_t; type lrrd_var_lib_t, file_type, sysadmfile; -type lrrd_port_t, port_type; log_domain(lrrd) tmp_domain(lrrd) diff --git a/strict/domains/program/unused/monopd.te b/strict/domains/program/unused/monopd.te index 56ced81..3512592 100644 --- a/strict/domains/program/unused/monopd.te +++ b/strict/domains/program/unused/monopd.te 
@@ -10,18 +10,18 @@
# Rules for the monopd_t domain.
#
daemon_domain(monopd)
+etc_domain(monopd)
+typealias monopd_etc_t alias etc_monopd_t;
-type etc_monopd_t, file_type, sysadmfile;
-type share_monopd_t, file_type, sysadmfile;
+type monopd_share_t, file_type, sysadmfile;
+typealias monopd_share_t alias share_monopd_t;
# Use the network.
can_network_server(monopd_t)
can_ypbind(monopd_t)
-type monopd_port_t, port_type;
allow monopd_t monopd_port_t:tcp_socket name_bind;
-r_dir_file(monopd_t,etc_monopd_t)
r_dir_file(monopd_t,share_monopd_t)
allow monopd_t self:unix_dgram_socket create_socket_perms;
diff --git a/strict/domains/program/unused/nagios.te b/strict/domains/program/unused/nagios.te
index fb5fd14..9d540c8 100644
--- a/strict/domains/program/unused/nagios.te
+++ b/strict/domains/program/unused/nagios.te
@@ -14,7 +14,6 @@ daemon_domain(nagios, `, privmail')
etcdir_domain(nagios)
-typealias nagios_etc_t alias etc_nagios_t;
logdir_domain(nagios)
allow nagios_t nagios_log_t:fifo_file create_file_perms;
diff --git a/strict/domains/program/unused/nessusd.te b/strict/domains/program/unused/nessusd.te
index e0f71fd..65d89e1 100644
--- a/strict/domains/program/unused/nessusd.te
+++ b/strict/domains/program/unused/nessusd.te
@@ -13,16 +13,15 @@ daemon_domain(nessusd)
etc_domain(nessusd)
-typealias nessusd_etc_t alias etc_nessusd_t;
type nessusd_db_t, file_type, sysadmfile;
-type nessus_port_t, port_type;
allow nessusd_t nessus_port_t:tcp_socket name_bind;
#tmp_domain(nessusd)
# Use the network.
can_network(nessusd_t)
+allow nessusd_t port_type:tcp_socket name_connect;
can_ypbind(nessusd_t)
allow nessusd_t self:unix_stream_socket create_socket_perms;
#allow nessusd_t self:unix_dgram_socket create_socket_perms;
diff --git a/strict/domains/program/unused/nsd.te b/strict/domains/program/unused/nsd.te
index 2711cdd..2aa35c5 100644
--- a/strict/domains/program/unused/nsd.te
+++ b/strict/domains/program/unused/nsd.te
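Review bot: `r_dir_file(monopd_t,share_monopd_t)` still refers to the type through its compatibility alias after this hunk renames it to monopd_share_t; the rule should use the primary name, `r_dir_file(monopd_t,monopd_share_t)`, so the alias can be retired later without touching this file. The read rule for the etc directory is dropped here, presumably because the new `etc_domain(monopd)` call covers it; that is worth confirming against the macro, since if it only declares the type the daemon loses read access to its configuration.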
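Review bot: `allow nessusd_t port_type:tcp_socket name_connect;` permits connections to every labelled port; for a vulnerability scanner that is the intended behaviour, but the identical blanket rule is added for nsd_crond_t, nx_server_t, imapd_t, watchdog_t and vpnc_t in later hunks, where the peer ports are narrower and known. The same commit already uses the narrow form elsewhere — `allow winbind_t smbd_port_t:tcp_socket name_connect;` and yam's `{ http_port_t rsync_port_t }` — and that pattern should be preferred wherever the destination is known. Where port_type is genuinely required, as here, a one-line comment such as `# scanner must reach arbitrary ports` would stop the next reader from tightening it blindly.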
@@ -20,6 +20,7 @@ type nsd_crond_t, domain, privlog;
role system_r types nsd_crond_t;
uses_shlib(nsd_crond_t)
can_network_client(nsd_crond_t)
+allow nsd_crond_t port_type:tcp_socket name_connect;
can_ypbind(nsd_crond_t)
allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
allow nsd_crond_t self:process { fork signal_perms };
diff --git a/strict/domains/program/unused/nx_server.te b/strict/domains/program/unused/nx_server.te
new file mode 100644
index 0000000..a6e723a
--- /dev/null
+++ b/strict/domains/program/unused/nx_server.te
@@ -0,0 +1,70 @@
+# DESC NX - NX Server
+#
+# Author: Thomas Bleher
+#
+# Depends: sshd.te
+#
+
+# Type for the nxserver executable, called from ssh
+type nx_server_exec_t, file_type, sysadmfile, exec_type;
+
+# type of the nxserver; userdomain is needed so sshd can transition
+type nx_server_t, domain, userdomain;
+
+# we need an extra role because nxserver is called from sshd
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
+
+# not really sure if the additional attributes are needed, copied from userdomains
+can_create_pty(nx_server, `, userpty_type, user_tty_type')
+type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
+
+uses_shlib(nx_server_t)
+read_locale(nx_server_t)
+
+tmp_domain(nx_server)
+var_run_domain(nx_server)
+
+# nxserver is a shell script --> call other programs
+can_exec(nx_server_t, { bin_t shell_exec_t })
+allow nx_server_t self:process { fork sigchld };
+allow nx_server_t self:fifo_file { getattr ioctl read write };
+allow nx_server_t bin_t:dir { getattr read search };
+allow nx_server_t bin_t:lnk_file read;
+
+r_dir_file(nx_server_t, proc_t)
+allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
+
+# we do not actually need this attribute or the types defined here,
+# but otherwise we cannot call the ssh_domain-macro
+attribute nx_server_file_type;
+type nx_server_home_dir_t alias nx_server_home_t;
+type nx_server_xauth_home_t;
+type nx_server_tty_device_t;
+type nx_server_gph_t;
+type nx_server_fonts_cache_t;
+type nx_server_fonts_t;
+type nx_server_fonts_config_t;
+type nx_server_gnome_settings_t;
+
+ssh_domain(nx_server)
+
+can_network_client(nx_server_t)
+allow nx_server_t port_type:tcp_socket name_connect;
+
+allow nx_server_t devtty_t:chr_file { read write };
+allow nx_server_t sysctl_kernel_t:dir search;
+allow nx_server_t sysctl_kernel_t:file { getattr read };
+allow nx_server_t urandom_device_t:chr_file read;
+# for reading the config files; maybe a separate type,
+# but users need to be able to also read the config
+allow nx_server_t usr_t:file { getattr read };
+
+dontaudit nx_server_t selinux_config_t:dir search;
+
+# clients already have create permissions; the nxclient wants to also have unlink rights
+allow userdomain xdm_tmp_t:sock_file unlink;
+# for a lockfile created by the client process
+allow nx_server_t user_tmpfile:file getattr;
+
diff --git a/strict/domains/program/unused/openvpn.te b/strict/domains/program/unused/openvpn.te
index 241c8f2..0ab1317 100644
--- a/strict/domains/program/unused/openvpn.te
+++ b/strict/domains/program/unused/openvpn.te
@@ -8,8 +8,6 @@ daemon_domain(openvpn)
etcdir_domain(openvpn)
-type openvpn_port_t, port_type;
-
allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
diff --git a/strict/domains/program/unused/orbit.te b/strict/domains/program/unused/orbit.te
new file mode 100644
index 0000000..dad353b
--- /dev/null
+++ b/strict/domains/program/unused/orbit.te
@@ -0,0 +1,7 @@
+#
+# ORBit related types
+#
+# Author: Ivan Gyurdiev
+#
+
+# Look in orbit_macros.te
diff --git a/strict/domains/program/unused/perdition.te b/strict/domains/program/unused/perdition.te
index c75a8e9..b95cb75 100644
--- a/strict/domains/program/unused/perdition.te
+++ b/strict/domains/program/unused/perdition.te
@@ -13,7 +13,6 @@ daemon_domain(perdition)
allow perdition_t pop_port_t:tcp_socket name_bind;
etc_domain(perdition)
-typealias perdition_etc_t alias etc_perdition_t;
# Use the network.
can_network_server(perdition_t)
diff --git a/strict/domains/program/unused/portslave.te b/strict/domains/program/unused/portslave.te
index a70597f..55dfad6 100644
--- a/strict/domains/program/unused/portslave.te
+++ b/strict/domains/program/unused/portslave.te
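Review bot: `allow userdomain xdm_tmp_t:sock_file unlink;` grants unlink on every xdm_tmp_t socket to every user domain, not just to the NX client, and it lives in a file that otherwise only describes nx_server_t; the rule should be scoped to the client domain that actually needs it, or at least carry a comment stating why a policy-wide grant is acceptable here. The comment `# not really sure if the additional attributes are needed, copied from userdomains` above the can_create_pty line leaves an open question in shipped policy; either verify and drop the userpty_type/user_tty_type attributes or rewrite the comment to record what was verified. Note also that nx_server_t carries the userdomain attribute, so it inherits every rule written against userdomain (including the unlink rule above); the comment on the type only justifies the attribute by sshd's transition needs, which is worth spelling out so nobody narrows one without the other.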
@@ -79,7 +79,7 @@ allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
allow portslave_t ttyfile:chr_file rw_file_perms;
-rw_dir_create_file(portslave_t, var_lock_t)
+lock_domain(portslave)
can_exec(portslave_t, pppd_exec_t)
allow portslave_t { bin_t sbin_t }:dir search;
allow portslave_t bin_t:lnk_file read;
diff --git a/strict/domains/program/unused/postgrey.te b/strict/domains/program/unused/postgrey.te
index 5176665..f60e67b 100644
--- a/strict/domains/program/unused/postgrey.te
+++ b/strict/domains/program/unused/postgrey.te
@@ -3,14 +3,12 @@
# Author: Russell Coker
# X-Debian-Packages: postgrey
-type postgrey_port_t, port_type;
-
daemon_domain(postgrey)
allow postgrey_t urandom_device_t:chr_file { getattr read };
# for perl
-allow postgrey_t sbin_t:dir search;
+allow postgrey_t { bin_t sbin_t }:dir { getattr search };
allow postgrey_t usr_t:{ file lnk_file } { getattr read };
dontaudit postgrey_t usr_t:file ioctl;
diff --git a/strict/domains/program/unused/publicfile.te b/strict/domains/program/unused/publicfile.te
new file mode 100644
index 0000000..b6a206b
--- /dev/null
+++ b/strict/domains/program/unused/publicfile.te
@@ -0,0 +1,25 @@
+#DESC Publicfile - HTTP and FTP file services
+# http://cr.yp.to/publicfile.html
+#
+# Author: petre rodan
+#
+# this policy depends on ucspi-tcp
+#
+
+daemon_domain(publicfile)
+type publicfile_content_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
+
+ifdef(`ucspi-tcp.te', `
+domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
+allow publicfile_t utcpserver_t:tcp_socket { read write };
+allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
+')
+
+allow publicfile_t initrc_t:tcp_socket { read write };
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+
+r_dir_file(publicfile_t, publicfile_content_t)
+
+
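Review bot: `allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };` includes dac_override for a daemon whose only file access in this policy is `r_dir_file(publicfile_t, publicfile_content_t)`; publicfile serves world-readable content after dropping to an unprivileged uid, so the capability is presumably unused and should be dropped, and if some path does need it a comment naming that path would justify keeping it. The setuid/setgid/sys_chroot set matches the documented privilege drop and is fine as is.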
diff --git a/strict/domains/program/unused/pump.te b/strict/domains/program/unused/pump.te
deleted file mode 100644
index e69de29..0000000
--- a/strict/domains/program/unused/pump.te
+++ /dev/null
diff --git a/strict/domains/program/unused/pxe.te b/strict/domains/program/unused/pxe.te
index 27d39d2..1515593 100644
--- a/strict/domains/program/unused/pxe.te
+++ b/strict/domains/program/unused/pxe.te
@@ -10,7 +10,6 @@
#
daemon_domain(pxe)
-type pxe_port_t, port_type;
allow pxe_t pxe_port_t:udp_socket name_bind;
allow pxe_t etc_t:file { getattr read };
diff --git a/strict/domains/program/unused/pyzor.te b/strict/domains/program/unused/pyzor.te
new file mode 100644
index 0000000..b0629ad
--- /dev/null
+++ b/strict/domains/program/unused/pyzor.te
@@ -0,0 +1,57 @@
+#
+# Pyzor - Pyzor is a collaborative, networked system to detect and
+# block spam using identifying digests of messages.
+#
+# Author: David Hampton
+#
+
+# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
+# Pyzor normally dumps everything into $HOME/.pyzor. By putting the
+# following line to the spamassassin config file:
+#
+# pyzor_options --homedir /etc/pyzor
+#
+# the various files will be put into appropriate directories.
+# (I.E. The log file into /var/log, etc.) This policy will work
+# either way.
+
+##########
+# pyzor daemon
+##########
+daemon_domain(pyzord, `, privlog, nscd_client_domain')
+pyzor_base_domain(pyzord)
+allow pyzord_t pyzor_port_t:udp_socket name_bind;
+home_domain_access(pyzord_t, sysadm, pyzor)
+log_domain(pyzord)
+
+# Read shared daemon/client config file
+r_dir_file(pyzord_t, pyzor_etc_t)
+
+# Write shared daemon/client data dir
+allow pyzord_t var_lib_t:dir search;
+create_dir_file(pyzord_t, pyzor_var_lib_t)
+
+##########
+# Pyzor query application - from system_r applictions
+##########
+type pyzor_t, domain, privlog, daemon;
+type pyzor_exec_t, file_type, sysadmfile, exec_type;
+role system_r types pyzor_t;
+
+pyzor_base_domain(pyzor)
+
+# System config/data files
+etcdir_domain(pyzor)
+var_lib_domain(pyzor)
+
+##########
+##########
+
+#
+# Some spam filters executes the pyzor code directly. Allow them access here.
+#
+ifdef(`spamd.te',`
+domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
+# pyzor needs access to the email spamassassin is checking
+allow pyzor_t spamd_tmp_t:file r_file_perms;
+')
diff --git a/strict/domains/program/unused/qmail.te b/strict/domains/program/unused/qmail.te
index b93321b..6c51cd7 100644
--- a/strict/domains/program/unused/qmail.te
+++ b/strict/domains/program/unused/qmail.te
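Review bot: `domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);` ends an m4 macro invocation with a semicolon, which leaves a stray `;` in the expanded policy.conf after the macro's own statements; every other macro call in this file has none, and the same pattern appears in the new razor.te (`create_dir_file(razor_t, razor_etc_t);` and the two trailing `ifdef(...)` lines). If checkpolicy rejects an empty statement this fails to build, and if it tolerates it the inconsistency is still worth removing. The heading `# Pyzor query application - from system_r applictions` also carries a typo ("applications") that is repeated in razor.te.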
@@ -10,7 +10,6 @@ type qmail_var_run_t, file_type, sysadmfile, pidfile;
type qmail_etc_t, file_type, sysadmfile;
-typealias qmail_etc_t alias etc_qmail_t;
allow inetd_t smtp_port_t:tcp_socket name_bind;
@@ -83,7 +82,7 @@ allow qmail_rspawn_t self:fifo_file read;
allow qmail_rspawn_t { bin_t sbin_t }:dir search;
qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
-allow qmail_rspawn_t qmail_remote_exec_t:file read;
+allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
can_network_server(qmail_remote_t)
can_ypbind(qmail_remote_t)
allow qmail_remote_t qmail_spool_t:dir search;
@@ -97,10 +96,10 @@ allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
# privhome will do until we get a separate maildir type
qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
-allow qmail_lspawn_t qmail_local_exec_t:file read;
+allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
allow qmail_local_t self:process { fork signal_perms };
domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_local_t qmail_queue_exec_t:file read;
+allow qmail_local_t qmail_queue_exec_t:file { getattr read };
allow qmail_local_t qmail_spool_t:file { ioctl read };
allow qmail_local_t self:fifo_file write;
allow qmail_local_t sbin_t:dir search;
@@ -129,7 +128,7 @@ can_network_server(qmail_tcp_env_t)
can_ypbind(qmail_tcp_env_t)
qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
can_network_server(qmail_smtpd_t)
can_ypbind(qmail_smtpd_t)
allow qmail_smtpd_t inetd_t:fd use;
@@ -140,7 +139,7 @@ allow qmail_smtpd_t self:fifo_file write;
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
allow qmail_smtpd_t sbin_t:dir search;
domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_smtpd_t qmail_queue_exec_t:file read;
+allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
allow qmail_inject_t self:process { fork signal_perms };
@@ -159,7 +158,7 @@ allow qmail_qread_t privfd:fd use;
qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
role sysadm_r types qmail_queue_t;
in_user_role(qmail_queue_t)
-allow qmail_inject_t qmail_queue_exec_t:file read;
+allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
rw_dir_create_file(qmail_queue_t, qmail_spool_t)
allow qmail_queue_t qmail_spool_t:fifo_file { read write };
allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
@@ -172,10 +171,10 @@ allow qmail_queue_t inetd_t:tcp_socket { read write };
allow qmail_queue_t sysadm_t:fd use;
allow qmail_queue_t sysadm_t:fifo_file write;
-allow user_crond_t qmail_etc_t:dir search;
-allow user_crond_t qmail_etc_t:file read;
+allow user_crond_domain qmail_etc_t:dir search;
+allow user_crond_domain qmail_etc_t:file { getattr read };
-qmaild_sub_domain(user_crond_t, qmail_serialmail)
+qmaild_sub_domain(user_crond_domain, qmail_serialmail)
in_user_role(qmail_serialmail_t)
can_network_server(qmail_serialmail_t)
can_ypbind(qmail_serialmail_t)
diff --git a/strict/domains/program/unused/razor.te b/strict/domains/program/unused/razor.te
new file mode 100644
index 0000000..e88bb49
--- /dev/null
+++ b/strict/domains/program/unused/razor.te
@@ -0,0 +1,53 @@
+#
+# Razor - Vipul's Razor is a distributed, collaborative, spam
+# detection and filtering network.
+#
+# Author: David Hampton
+#
+
+# NOTE: This policy will work with either the ATrpms provided config
+# file in /etc/razor, or with the default of dumping everything into
+# $HOME/.razor.
+
+##########
+# Razor query application - from system_r applictions
+##########
+type razor_t, domain, privlog, daemon;
+type razor_exec_t, file_type, sysadmfile, exec_type;
+role system_r types razor_t;
+
+razor_base_domain(razor)
+
+# Razor config file directory. When invoked as razor-admin, it can
+# update files in this directory.
+etcdir_domain(razor)
+create_dir_file(razor_t, razor_etc_t);
+
+# Shared razor files updated freuently
+var_lib_domain(razor)
+
+# Log files
+log_domain(razor)
+allow razor_t var_log_t:dir search;
+ifdef(`logrotate.te', `
+allow logrotate_t razor_log_t:file r_file_perms;
+')
+
+##########
+##########
+
+#
+# Some spam filters executes the razor code directly. Allow them access here.
+#
+define(`razor_access',`
+r_dir_file($1, razor_etc_t)
+allow $1 var_log_t:dir search;
+allow $1 razor_log_t:file ra_file_perms;
+r_dir_file($1, razor_var_lib_t)
+r_dir_file($1, sysadm_razor_home_t)
+can_network_client_tcp($1, razor_port_t)
+allow $1 razor_port_t:tcp_socket name_connect;
+')
+
+ifdef(`spamd.te', `razor_access(spamd_t)');
+ifdef(`amavis.te', `razor_access(amavisd_t)');
diff --git a/strict/domains/program/unused/rdisc.te b/strict/domains/program/unused/rdisc.te
new file mode 100644
index 0000000..79331fa
--- /dev/null
+++ b/strict/domains/program/unused/rdisc.te
@@ -0,0 +1,13 @@
+#DESC rdisc - network router discovery daemon
+#
+# Author: Russell Coker
+
+daemon_base_domain(rdisc)
+allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
+allow rdisc_t self:rawip_socket create_socket_perms;
+allow rdisc_t self:udp_socket create_socket_perms;
+allow rdisc_t self:capability net_raw;
+
+can_network_udp(rdisc_t)
+
+allow rdisc_t etc_t:file { getattr read };
diff --git a/strict/domains/program/unused/snort.te b/strict/domains/program/unused/snort.te
index d0ddd69..24188f6 100644
--- a/strict/domains/program/unused/snort.te
+++ b/strict/domains/program/unused/snort.te
@@ -28,6 +28,6 @@ allow snort_t self:unix_dgram_socket create_socket_perms;
allow snort_t self:unix_stream_socket create_socket_perms;
# for start script
-allow initrc_t snort_etc_t:file read;
+allow initrc_t snort_etc_t:file { getattr read };
-dontaudit snort_t { etc_runtime_t proc_t }:file read;
+dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
diff --git a/strict/domains/program/unused/sound-server.te b/strict/domains/program/unused/sound-server.te
index 09894f0..c84a1fa 100644
--- a/strict/domains/program/unused/sound-server.te
+++ b/strict/domains/program/unused/sound-server.te
@@ -11,7 +11,6 @@
#
daemon_domain(soundd)
-type soundd_port_t, port_type;
allow soundd_t soundd_port_t:tcp_socket name_bind;
type etc_soundd_t, file_type, sysadmfile;
diff --git a/strict/domains/program/unused/sxid.te b/strict/domains/program/unused/sxid.te
index c827eae..3397b0b 100644
--- a/strict/domains/program/unused/sxid.te
+++ b/strict/domains/program/unused/sxid.te
@@ -31,7 +31,7 @@ allow sxid_t file_type:notdevfile_class_set getattr;
allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
allow sxid_t ttyfile:chr_file getattr;
allow sxid_t file_type:dir { getattr read search };
-allow sxid_t sysadmfile:file read;
+allow sxid_t sysadmfile:file { getattr read };
allow sxid_t fs_type:dir { getattr read search };
# Use the network.
diff --git a/strict/domains/program/unused/thunderbird.te b/strict/domains/program/unused/thunderbird.te
new file mode 100644
index 0000000..c640f87
--- /dev/null
+++ b/strict/domains/program/unused/thunderbird.te
@@ -0,0 +1,10 @@
+# DESC - Thunderbird
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executables
+type thunderbird_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/thunderbird_macros.te
+bool disable_thunderbird_trans false;
diff --git a/strict/domains/program/unused/tinydns.te b/strict/domains/program/unused/tinydns.te
index a8c101a..a911b89 100644
--- a/strict/domains/program/unused/tinydns.te
+++ b/strict/domains/program/unused/tinydns.te
@@ -36,7 +36,7 @@ allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
can_udp_send(domain, tinydns_t)
can_udp_send(tinydns_t, domain)
# tinydns itself doesn't do zone transfers
-# so we don't need to have it tcp_connect
+# so we do not need to have it tcp_connect
#read configuration files
r_dir_file(tinydns_t, tinydns_conf_t)
diff --git a/strict/domains/program/unused/transproxy.te b/strict/domains/program/unused/transproxy.te
index fb0710f..e34b804 100644
--- a/strict/domains/program/unused/transproxy.te
+++ b/strict/domains/program/unused/transproxy.te
@@ -12,8 +12,6 @@
#
daemon_domain(transproxy)
-type transproxy_port_t, port_type;
-
# Use the network.
can_network_server_tcp(transproxy_t)
allow transproxy_t transproxy_port_t:tcp_socket name_bind;
diff --git a/strict/domains/program/unused/tripwire.te b/strict/domains/program/unused/tripwire.te
new file mode 100644
index 0000000..9ee61e8
--- /dev/null
+++ b/strict/domains/program/unused/tripwire.te
@@ -0,0 +1,139 @@
+# DESC tripwire
+#
+# Author: David Hampton
+#
+
+# NOTE: Tripwire creates temp file in its current working directory.
+# This policy does not allow write access to home directories, so
+# users will need to either cd to a directory where they have write
+# permission, or set the TEMPDIRECTORY variable in the tripwire config
+# file. The latter is preferable, as then the file_type_auto_trans
+# rules will kick in and label the files as private to tripwire.
+
+
+# Common definitions
+type tripwire_report_t, file_type, sysadmfile;
+etcdir_domain(tripwire)
+var_lib_domain(tripwire)
+tmp_domain(tripwire)
+
+
+# Macro for defining tripwire domains
+define(`tripwire_domain',`
+application_domain($1, `, auth')
+role system_r types $1_t;
+
+# Allow access to common tripwire files
+allow $1_t tripwire_etc_t:file r_file_perms;
+allow $1_t tripwire_etc_t:dir r_dir_perms;
+allow $1_t tripwire_etc_t:lnk_file { getattr read };
+file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
+allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
+file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
+
+allow $1_t self:process { fork sigchld };
+allow $1_t self:capability { setgid setuid dac_override };
+
+# Tripwire needs to read all files on the system
+general_proc_read_access($1_t)
+allow $1_t file_type:dir { search getattr read};
+allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
+allow $1_t file_type:fifo_file { getattr };
+allow $1_t device_type:file { getattr read };
+allow $1_t sysctl_t:dir { getattr read };
+allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;
+
+# Tripwire report files
+create_dir_file($1_t, tripwire_report_t)
+
+# gethostid()?
+allow $1_t self:unix_stream_socket { connect create };
+
+# Running editor program (tripwire forks then runs bash which rins editor)
+can_exec($1_t, shell_exec_t)
+can_exec($1_t, bin_t)
+uses_shlib($1_t)
+
+allow $1_t self:dir search;
+allow $1_t self:file { getattr read };
+')
+
+
+##########
+##########
+
+#
+# When run by a user
+#
+tripwire_domain(`tripwire')
+
+# Running from the command line
+allow tripwire_t devpts_t:dir search;
+allow tripwire_t devtty_t:chr_file { read write };
+allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
+allow tripwire_t privfd:fd use;
+
+
+##########
+##########
+
+#
+# When run from cron
+#
+tripwire_domain(`tripwire_crond')
+system_crond_entry(tripwire_exec_t, tripwire_crond_t)
+domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)
+
+# Tripwire uses a temp file in the root home directory
+#create_dir_file(tripwire_crond_t, root_t)
+
+
+##########
+# Twadmin
+##########
+application_domain(twadmin)
+read_locale(twadmin_t)
+create_dir_file(twadmin_t, tripwire_etc_t)
+
+allow twadmin_t sysadm_tmp_t:file { getattr read write };
+
+# Running from the command line
+allow twadmin_t sshd_t:fd use;
+allow twadmin_t admin_tty_type:chr_file rw_file_perms;
+
+dontaudit twadmin_t { bin_t sbin_t }:dir search;
+dontaudit twadmin_t home_root_t:dir search;
+dontaudit twprint_t user_home_dir_t:dir search;
+
+
+##########
+# Twprint
+##########
+application_domain(twprint)
+read_locale(twprint_t)
+r_dir_file(twprint_t, tripwire_etc_t)
+allow twprint_t { var_t var_lib_t }:dir search;
+r_dir_file(twprint_t, tripwire_var_lib_t)
+r_dir_file(twprint_t, tripwire_report_t)
+
+# Running from the command line
+allow twprint_t sshd_t:fd use;
+allow twprint_t admin_tty_type:chr_file rw_file_perms;
+
+dontaudit twprint_t { bin_t sbin_t }:dir search;
+dontaudit twprint_t home_root_t:dir search;
+
+
+##########
+# Siggen
+##########
+application_domain(siggen, `, auth')
+read_locale(siggen_t)
+
+# Need permission to read files
+allow siggen_t file_type:dir { search getattr read};
+allow siggen_t file_type:file {getattr read};
+
+# Running from the command line
+allow siggen_t sshd_t:fd use;
+allow siggen_t admin_tty_type:chr_file rw_file_perms;
diff --git a/strict/domains/program/unused/ucspi-tcp.te b/strict/domains/program/unused/ucspi-tcp.te
new file mode 100644
index 0000000..b2eeb5c
--- /dev/null
+++ b/strict/domains/program/unused/ucspi-tcp.te
@@ -0,0 +1,49 @@
+#DESC ucspi-tcp - TCP Server and Client Tools
+#
+# Author Petre Rodan
+# Andy Dustman (rblsmtp-related policy)
+#
+
+# http://cr.yp.to/ucspi-tcp.html
+
+daemon_base_domain(utcpserver)
+can_network(utcpserver_t)
+
+allow utcpserver_t etc_t:file r_file_perms;
+allow utcpserver_t { bin_t sbin_t var_t }:dir search;
+
+allow utcpserver_t self:capability { net_bind_service setgid setuid };
+allow utcpserver_t self:fifo_file { read write };
+allow utcpserver_t self:process { fork sigchld };
+
+allow utcpserver_t port_t:udp_socket name_bind;
+
+ifdef(`qmail.te', `
+domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
+allow utcpserver_t smtp_port_t:tcp_socket name_bind;
+allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr };
+allow utcpserver_t qmail_etc_t:dir r_dir_perms;
+allow utcpserver_t qmail_etc_t:file r_file_perms;
+')
+
+daemon_base_domain(rblsmtpd)
+can_network(rblsmtpd_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+allow rblsmtpd_t etc_t:file r_file_perms;
+allow rblsmtpd_t { bin_t var_t }:dir search;
+allow rblsmtpd_t port_t:udp_socket name_bind;
+allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
+
+ifdef(`qmail.te', `
+domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
+allow qmail_queue_t rblsmtpd_t:fd use;
+')
+
+ifdef(`daemontools.te', `
+svc_ipc_domain(rblsmtpd_t)
+')
+
+domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
+
diff --git a/strict/domains/program/unused/uml_net.te b/strict/domains/program/unused/uml_net.te
index 63ae6b7..da3fe34 100644
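Review bot: `dontaudit twprint_t user_home_dir_t:dir search;` sits in the Twadmin block between two `dontaudit twadmin_t` rules, while the Twprint block below has no user_home_dir_t rule at all; this looks like it was meant to be `dontaudit twadmin_t user_home_dir_t:dir search;` (and twprint may want its own copy next to its other dontaudit lines). In the cron block, `domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)` transitions into the interactive tripwire_t domain rather than the tripwire_crond_t domain that `system_crond_entry` has just set up; if user crontabs are deliberately routed to tripwire_t, a one-line comment saying so would stop this being read as a typo. The tripwire_domain macro combines `dac_override` with read on every file_type, which is inherent to an integrity checker, so the `# Tripwire needs to read all files on the system` comment would be more useful if it also noted that the capability is what the file reads depend on.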
--- a/strict/domains/program/unused/uml_net.te
+++ b/strict/domains/program/unused/uml_net.te
@@ -15,7 +15,7 @@ allow uml_net_t self:udp_socket { create ioctl };
uses_shlib(uml_net_t)
allow uml_net_t devtty_t:chr_file { read write };
allow uml_net_t etc_runtime_t:file { getattr read };
-allow uml_net_t etc_t:file read;
+allow uml_net_t etc_t:file { getattr read };
allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
allow uml_net_t proc_t:file { getattr read };
diff --git a/strict/domains/program/unused/uptimed.te b/strict/domains/program/unused/uptimed.te
index c4bd79e..0c9b1c7 100644
--- a/strict/domains/program/unused/uptimed.te
+++ b/strict/domains/program/unused/uptimed.te
@@ -10,7 +10,6 @@
# General Types
#
-type etc_uptimed_t, file_type, sysadmfile;
type uptimed_spool_t, file_type, sysadmfile;
#################################
@@ -18,8 +17,10 @@ type uptimed_spool_t, file_type, sysadmfile;
# Rules for the uptimed_t domain.
#
daemon_domain(uptimed, `,privmail')
+etc_domain(uptimed)
+typealias uptimed_etc_t alias etc_uptimed_t;
file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)
-allow uptimed_t { etc_uptimed_t proc_t }:file { getattr read };
+allow uptimed_t proc_t:file { getattr read };
read_locale(uptimed_t)
allow uptimed_t uptimed_spool_t:file create_file_perms;
allow uptimed_t self:unix_dgram_socket create_socket_perms;
diff --git a/strict/domains/program/unused/uucpd.te b/strict/domains/program/unused/uucpd.te
new file mode 100644
index 0000000..05791bd
--- /dev/null
+++ b/strict/domains/program/unused/uucpd.te
@@ -0,0 +1,24 @@
+#DESC uucpd - UUCP file transfer daemon
+#
+# Author: Dan Walsh
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the uucpd_t domain.
+#
+# uucpd_exec_t is the type of the uucpd executable.
+#
+
+inetd_child_domain(uucpd, tcp)
+type uucpd_rw_t, file_type, sysadmfile;
+type uucpd_ro_t, file_type, sysadmfile;
+type uucpd_spool_t, file_type, sysadmfile;
+create_dir_file(uucpd_t, uucpd_rw_t)
+r_dir_file(uucpd_t, uucpd_ro_t)
+allow uucpd_t sbin_t:dir search;
+can_exec(uucpd_t, sbin_t)
+logdir_domain(uucpd)
+allow uucpd_t var_spool_t:dir search;
+create_dir_file(uucpd_t, uucpd_spool_t)
diff --git a/strict/domains/program/unused/uwimapd.te b/strict/domains/program/unused/uwimapd.te
index 7274d38..f1f5831 100644
--- a/strict/domains/program/unused/uwimapd.te
+++ b/strict/domains/program/unused/uwimapd.te
@@ -9,6 +9,7 @@ daemon_domain(imapd, `, auth_chkpwd, privhome')
tmp_domain(imapd)
can_network_server_tcp(imapd_t)
+allow imapd_t port_type:tcp_socket name_connect;
#declare our own services
allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
diff --git a/strict/domains/program/unused/watchdog.te b/strict/domains/program/unused/watchdog.te
index 2693382..01ceea8 100644
--- a/strict/domains/program/unused/watchdog.te
+++ b/strict/domains/program/unused/watchdog.te
@@ -12,6 +12,8 @@ daemon_domain(watchdog, `, privmail')
type watchdog_device_t, device_type, dev_fs;
+allow watchdog_t self:process setsched;
+
log_domain(watchdog)
allow watchdog_t etc_t:file r_file_perms;
@@ -24,6 +26,7 @@ allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
allow watchdog_t self:fifo_file rw_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
can_network(watchdog_t)
+allow watchdog_t port_type:tcp_socket name_connect;
can_ypbind(watchdog_t)
allow watchdog_t bin_t:dir search;
allow watchdog_t bin_t:lnk_file read;
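Review bot: `can_exec(uucpd_t, sbin_t)` lets a network-facing inetd child execute any sbin_t binary in its own domain; if uucpd only needs the UUCP helpers, labelling those with a dedicated exec type and restricting can_exec to it keeps the daemon's reach proportional to its job, and the `allow uucpd_t sbin_t:dir search;` rule would then only be needed for path lookup. If the broad rule is intentional, a comment naming the binaries it covers (the way the `# uucpd_exec_t is the type of the uucpd executable.` header documents the entry point) would record the decision.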
diff --git a/strict/domains/program/unused/yam.te b/strict/domains/program/unused/yam.te
new file mode 100644
index 0000000..da85a8c
--- /dev/null
+++ b/strict/domains/program/unused/yam.te
@@ -0,0 +1,149 @@
+# DESC yam - Yum/Apt Mirroring
+#
+# Author: David Hampton
+#
+
+
+#
+# Yam downloads lots of files, indexes them, and makes them available
+# for upload. Define a type for these file.
+#
+type yam_content_t, file_type, sysadmfile, httpdcontent;
+
+
+#
+# Common definitions used by both the command line and the cron
+# invocation of yam.
+#
+define(`yam_common',`
+
+# Update the content being managed by yam.
+create_dir_file($1_t, yam_content_t)
+
+# Content can also be on ISO image files.
+r_dir_file($1_t, iso9660_t)
+
+# Need to go through /var to get to /var/yam
+# Go through /var/www to get to /var/www/yam
+allow $1_t var_t:dir { getattr search };
+allow $1_t httpd_sys_content_t:dir { getattr search };
+
+# Allow access to locale database, nsswitch, and mtab
+read_locale($1_t)
+allow $1_t etc_t:file { getattr read };
+allow $1_t etc_runtime_t:file { getattr read };
+
+# Python seems to need things from various places
+allow $1_t { bin_t sbin_t }:dir { search getattr };
+allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
+allow $1_t bin_t:lnk_file read;
+
+# Python works fine without reading /proc/meminfo
+dontaudit $1_t proc_t:dir search;
+dontaudit $1_t proc_t:file { getattr read };
+
+# Yam wants to run rsync, lftp, mount, and a shell. Allow the latter
+# two here. Run rsync and lftp in the yam_t context so that we dont
+# have to give any other programs write access to the yam_t files.
+general_domain_access($1_t)
+can_exec($1_t, shell_exec_t)
+can_exec($1_t, rsync_exec_t)
+can_exec($1_t, bin_t)
+can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
+ifdef(`mount.te', `
+domain_auto_trans($1_t, mount_exec_t, mount_t)
+')
+
+# Rsync and lftp need to network. They also set files attributes to
+# match whats on the remote server.
+can_network_client($1_t)
+allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect;
+allow $1_t self:capability { chown fowner fsetid dac_override };
+allow $1_t self:process execmem;
+
+# access to sysctl_kernel_t ( proc/sys/kernel/* )
+read_sysctl($1_t)
+
+# Programs invoked to build package lists need various permissions.
+# genpkglist creates tmp files in /var/cache/apt/genpkglist
+allow $1_t var_t:file { getattr read write };
+allow $1_t var_t:dir read;
+# mktemp
+allow $1_t urandom_device_t:chr_file read;
+# mv
+allow $1_t proc_t:lnk_file read;
+allow $1_t selinux_config_t:dir search;
+allow $1_t selinux_config_t:file { getattr read };
+')
+
+
+##########
+##########
+
+#
+# Runnig yam from the command line
+#
+application_domain(yam, `, nscd_client_domain')
+role system_r types yam_t;
+yam_common(yam)
+etc_domain(yam)
+tmp_domain(yam)
+
+# Terminal access
+allow yam_t devpts_t:dir search;
+allow yam_t devtty_t:chr_file { read write };
+allow yam_t sshd_t:fd use;
+allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
+
+# Reading dotfiles...
+allow yam_t sysadm_home_dir_t:dir search; # /root
+allow yam_t sysadm_home_t:dir search; # /root/xxx
+allow yam_t home_root_t:dir search; # /home
+allow yam_t user_home_dir_t:dir r_dir_perms; # /home/user
+
+
+##########
+##########
+
+#
+# Running yam from cron
+#
+application_domain(yam_crond, `, nscd_client_domain')
+role system_r types yam_crond_t;
+ifdef(`crond.te', `
+system_crond_entry(yam_exec_t, yam_crond_t)
+')
+
+yam_common(yam_crond)
+allow yam_crond_t yam_etc_t:file r_file_perms;
+file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
+
+allow yam_crond_t devtty_t:chr_file { read write };
+
+# Reading dotfiles...
+# LFTP uses a directory for its dotfiles
+allow yam_crond_t default_t:dir search;
+
+# Don't know why init tries to read this.
+allow initrc_t yam_etc_t:file { getattr read };
+
+
+##########
+##########
+
+# The whole point of this program is to make updates available on a
+# local web server. Allow apache access to these files.
+ifdef(`apache.te', `
+r_dir_file(httpd_t, yam_content_t)
+')
+
+ifdef(`webalizer.te', `
+dontaudit webalizer_t yam_content_t:dir search;
+')
+
+# Mount needs access to the yam directories in order to mount the ISO
+# files on a loobpack file system.
+ifdef(`mount.te', `
+allow mount_t yam_content_t:dir mounton;
+allow mount_t yam_content_t:file { read write };
+')
diff --git a/strict/domains/program/vpnc.te b/strict/domains/program/vpnc.te
index 4ba342e..b2fff63 100644
--- a/strict/domains/program/vpnc.te
+++ b/strict/domains/program/vpnc.te
@@ -10,12 +10,15 @@
# vpnc_t is the domain for the vpnc program.
# vpnc_exec_t is the type of the vpnc executable.
#
-daemon_domain(vpnc)
+daemon_domain(vpnc, `, sysctl_net_writer')
allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
# Use the network.
can_network(vpnc_t)
+allow vpnc_t port_type:tcp_socket name_connect;
+allow vpnc_t isakmp_port_t:udp_socket name_bind;
+
can_ypbind(vpnc_t)
allow vpnc_t self:socket create_socket_perms;
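Review bot: `can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py` and `allow $1_t var_t:file { getattr read write };` inside yam_common are far broader than the single script and the one cache directory the comments name, and because the macro is expanded for yam_crond_t as well, the unattended cron job gets execute on every usr_t file and write on every var_t file. Giving genpkgmetadata.py its own exec type and the genpkglist cache under /var/cache/apt its own file type, then pointing can_exec and the write rule at those, would confine the macro to what the comments already say it needs. If that relabelling is not practical yet, the two comments should at least say the rules are deliberately wider than the named path so the reader does not assume the narrow scope.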
@@ -28,14 +31,21 @@ allow vpnc_t tun_tap_device_t:chr_file { ioctl read write }; allow vpnc_t self:rawip_socket create_socket_perms; allow vpnc_t self:unix_dgram_socket create_socket_perms; allow vpnc_t self:unix_stream_socket create_socket_perms; -allow vpnc_t admin_tty_type:chr_file rw_file_perms; +allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms; allow vpnc_t port_t:udp_socket name_bind; allow vpnc_t etc_runtime_t:file { getattr read }; allow vpnc_t proc_t:file { getattr read }; dontaudit vpnc_t selinux_config_t:dir search; can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t }) allow vpnc_t sysctl_net_t:dir search; +allow vpnc_t sysctl_net_t:file write; allow vpnc_t sbin_t:dir search; allow vpnc_t bin_t:dir search; allow vpnc_t bin_t:lnk_file read; r_dir_file(vpnc_t, proc_net_t) +tmp_domain(vpnc) +allow vpnc_t self:fifo_file { getattr ioctl read write }; +allow vpnc_t self:file { getattr read }; +allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; +file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file) +allow vpnc_t etc_t:file { execute execute_no_trans ioctl }; diff --git a/strict/domains/program/webalizer.te b/strict/domains/program/webalizer.te index 73b1902..381f68b 100644 --- a/strict/domains/program/webalizer.te +++ b/strict/domains/program/webalizer.te @@ -4,7 +4,7 @@ # # Depends: apache.te -application_domain(webalizer) +application_domain(webalizer, `, nscd_client_domain') # to use from cron system_crond_entry(webalizer_exec_t,webalizer_t) role system_r types webalizer_t; diff --git a/strict/domains/program/winbind.te b/strict/domains/program/winbind.te index 36cef3e..aca9174 100644 --- a/strict/domains/program/winbind.te +++ b/strict/domains/program/winbind.te 
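Review bot: `allow vpnc_t etc_t:file { execute execute_no_trans ioctl };` lets the daemon execute any file labeled etc_t in its own domain, and together with `file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)` granting it write access into etc_t directories this is a wide grant for a network-facing service; if the intent is only the vpnc-script helper under /etc/vpnc, labeling that script with a dedicated exec type and using can_exec on that type keeps the rest of /etc non-executable for vpnc_t. `allow vpnc_t sysctl_net_t:file write;` is added even though the previous hunk just gave the domain the `sysctl_net_writer` attribute; if that attribute already conveys the write, the explicit rule is redundant and worth dropping. A short comment naming the script and the sysctl keys vpnc touches would make both rules auditable.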
@@ -8,18 +8,22 @@ # Declarations for winbind # -daemon_domain(winbind, `, privhome, auth_chkpwd') +daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain') log_domain(winbind) +tmp_domain(winbind) allow winbind_t etc_t:file r_file_perms; allow winbind_t etc_t:lnk_file read; can_network(winbind_t) +allow winbind_t smbd_port_t:tcp_socket name_connect; +can_resolve(winbind_t) + ifdef(`samba.te', `', ` type samba_etc_t, file_type, sysadmfile, usercanread; type samba_log_t, file_type, sysadmfile, logfile; type samba_var_t, file_type, sysadmfile; type samba_secrets_t, file_type, sysadmfile; ') -rw_dir_file(winbind_t, samba_etc_t) +file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file) rw_dir_create_file(winbind_t, samba_log_t) allow winbind_t samba_secrets_t:file rw_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; @@ -27,7 +31,19 @@ allow winbind_t self:unix_stream_socket create_stream_socket_perms; allow winbind_t urandom_device_t:chr_file { getattr read }; allow winbind_t self:fifo_file { read write }; rw_dir_create_file(winbind_t, samba_var_t) -allow winbind_t krb5_conf_t:file { getattr read }; -dontaudit winbind_t krb5_conf_t:file { write }; +can_kerberos(winbind_t) allow winbind_t self:netlink_route_socket r_netlink_socket_perms; allow winbind_t winbind_var_run_t:sock_file create_file_perms; +allow initrc_t winbind_var_run_t:file r_file_perms; + +application_domain(winbind_helper, `, nscd_client_domain') +role system_r types winbind_helper_t; +access_terminal(winbind_helper_t, sysadm) +read_locale(winbind_helper_t) +r_dir_file(winbind_helper_t, samba_etc_t) +r_dir_file(winbind_t, samba_etc_t) +allow winbind_helper_t self:unix_dgram_socket create_socket_perms; +allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; +allow winbind_helper_t winbind_var_run_t:dir r_dir_perms; +can_winbind(winbind_helper_t) +allow winbind_helper_t privfd:fd use; 
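Review bot: `file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)` replaces `rw_dir_file(winbind_t, samba_etc_t)`, so every file winbind_t creates under a samba_etc_t directory now becomes samba_secrets_t, and the read access on existing samba_etc_t files that the old macro provided is only restored by `r_dir_file(winbind_t, samba_etc_t)` in the next hunk, where it sits among the winbind_helper_t rules. Moving that line up beside the auto_trans, with a comment such as `# secrets.tdb is created by winbind; everything else in /etc/samba stays read-only`, keeps winbind_t's /etc/samba access reviewable in one place. Whether winbind creates any non-secret file there (which would then be over-labelled as samba_secrets_t) is worth confirming.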
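Review bot: `allow winbind_helper_t privfd:fd use;` and `access_terminal(winbind_helper_t, sysadm)` give the new helper domain inherited privileged descriptors and the admin terminal, but nothing in the hunk shows which domains transition into winbind_helper_t, so its exposure cannot be judged from here; a comment naming the callers (or pointing at the domain_auto_trans that presumably lives in a macros file) is needed. `allow initrc_t winbind_var_run_t:file r_file_perms;` is likewise unexplained — if this is for the init script reading the pid file, say so in a comment.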
diff --git a/strict/domains/program/xauth.te b/strict/domains/program/xauth.te index 020aa8d..6382d77 100644 --- a/strict/domains/program/xauth.te +++ b/strict/domains/program/xauth.te @@ -9,7 +9,5 @@ # type xauth_exec_t, file_type, sysadmfile, exec_type; -file_type_auto_trans(sysadm_xauth_t, staff_home_dir_t, staff_home_xauth_t) - # Everything else is in the xauth_domain macro in # macros/program/xauth_macros.te. diff --git a/strict/domains/program/xdm.te b/strict/domains/program/xdm.te index 4b116e4..3e9dba6 100644 --- a/strict/domains/program/xdm.te +++ b/strict/domains/program/xdm.te @@ -46,6 +46,7 @@ allow xdm_t default_context_t:dir search; allow xdm_t default_context_t:{ file lnk_file } { read getattr }; can_network(xdm_t) +allow xdm_t port_type:tcp_socket name_connect; allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow xdm_t self:unix_dgram_socket create_socket_perms; allow xdm_t self:fifo_file rw_file_perms; @@ -77,7 +78,7 @@ domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain) allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto; allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms; allow unpriv_userdomain xdm_xserver_t:fd use; -allow unpriv_userdomain xdm_xserver_tmpfs_t:file read; +allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read }; allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms; allow xdm_xserver_t unpriv_userdomain:fd use; @@ -95,7 +96,7 @@ domain_trans(xdm_t, xsession_exec_t, sysadm_t) allow sysadm_t xdm_xserver_t:unix_stream_socket connectto; allow sysadm_t xdm_xserver_t:shm r_shm_perms; allow sysadm_t xdm_xserver_t:fd use; -allow sysadm_t xdm_xserver_tmpfs_t:file read; +allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read }; allow xdm_xserver_t sysadm_t:shm rw_shm_perms; allow xdm_xserver_t sysadm_t:fd use; } 
@@ -144,7 +145,7 @@ allow xdm_t self:shm create_shm_perms; allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto; allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms; allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use; -allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file read; +allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read }; allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms; allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use; @@ -176,8 +177,8 @@ tmpfs_domain(xdm) # perhaps define derived types. allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; allow xdm_t var_lib_t:file { create write unlink }; -allow xdm_t var_lock_t:dir { write search add_name remove_name }; -allow xdm_t var_lock_t:file { create write unlink }; + +lock_domain(xdm) # Connect to xfs. ifdef(`xfs.te', ` @@ -224,7 +225,9 @@ dontaudit xdm_t domain:{ file lnk_file } r_file_perms; # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... allow xdm_t usr_t:{ lnk_file file } { getattr read }; -r_dir_file(xdm_t, fonts_t) + +# Read fonts +read_fonts(xdm_t) # Do not audit attempts to write to index files under /usr dontaudit xdm_t usr_t:file write; @@ -259,14 +262,13 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh }; # Run xkbcomp. allow xdm_xserver_t var_lib_t:dir search; -allow xdm_xserver_t var_lib_xkb_t:lnk_file read; -can_exec(xdm_xserver_t, var_lib_xkb_t) +allow xdm_xserver_t xkb_var_lib_t:lnk_file read; +can_exec(xdm_xserver_t, xkb_var_lib_t) # Insert video drivers. allow xdm_xserver_t self:capability mknod; -allow xdm_xserver_t sysctl_modprobe_t:file read; +allow xdm_xserver_t sysctl_modprobe_t:file { getattr read }; domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t) -allow insmod_t xdm_t:fd use; allow insmod_t xserver_log_t:file write; allow insmod_t xdm_xserver_t:unix_stream_socket { read write }; 
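Review bot: `lock_domain(xdm)` (the @@ -176 hunk) replaces two direct var_lock_t rules, so xdm_t presumably now gets a private lock type instead of write access to the shared /var/lock tree, which is the right direction; but no file_contexts entry for xdm's lock file appears in this diff, and any lock file already on disk as var_lock_t will stop being writable until relabelled, so confirm the macro supplies the transition and that the path is labeled. A comment naming the lock file the display manager creates would let the next reviewer check this without reading the macro. In the @@ -259 hunk `-allow insmod_t xdm_t:fd use;` is dropped while `domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)` stays; if insmod still inherits descriptors that originate in xdm_t, expect a denial there, and a dontaudit is the cleaner way to silence it.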
@@ -276,6 +278,11 @@ allow xdm_xserver_t proc_t:dir { search read }; # Search /var/run. allow xdm_xserver_t var_run_t:dir search; +# FIXME: After per user fonts are properly working +# xdm_xserver_t may no longer have any reason +# to read ROLE_home_t - examine this in more detail +# (xauth?) + # Search home directories. allow xdm_xserver_t user_home_type:dir search; allow xdm_xserver_t user_home_type:file { getattr read }; @@ -297,6 +304,16 @@ can_exec(xdm_t, cifs_t) allow xdm_t user_home_dir_type:dir { getattr search }; allow xdm_t user_home_type:file { getattr read }; +ifdef(`support_polyinstatiation', ` +# xdm_t can polyinstantiate +polyinstantiater(xdm_t) +# xdm needs access for linking .X11-unix to poly /tmp +allow xdm_t polymember:dir { add_name remove_name write }; +allow xdm_t polymember:lnk_file { create unlink }; +# xdm needs access for copying .Xauthority into new home +allow xdm_t polymember:file { create getattr write }; +') + allow xdm_t mnt_t:dir { getattr read search }; # # Wants to delete .xsession-errors file 
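Review bot: the guard `ifdef(`support_polyinstatiation', `` is spelled without the second "n" of "polyinstantiation"; m4 matches the symbol literally, so if the define used elsewhere in the build is spelled `support_polyinstantiation` this whole block silently never compiles in, and if the misspelling is the established symbol name a comment should say so. Within the block, `allow xdm_t polymember:file { create getattr write };` covers files in every polyinstantiated member directory, not only the copied .Xauthority the comment describes; if the polymember attribute spans more than the per-user /tmp and home instances, a narrower type would match the stated intent.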
@@ -306,34 +323,37 @@ allow xdm_t user_home_type:file unlink; # Should fix exec of pam_timestamp_check is not closing xdm file descriptor # ifdef(`pam.te', ` -dontaudit pam_t xdm_t:fd use; allow xdm_t pam_var_run_t:dir create_dir_perms; allow xdm_t pam_var_run_t:file create_file_perms; allow pam_t xdm_t:fifo_file { getattr ioctl write }; +domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t) can_exec(xdm_t, pam_exec_t) # For pam_console rw_dir_create_file(xdm_t, pam_var_console_t) ') -allow xdm_t var_log_t:file read; +# Pamconsole/alsa +ifdef(`alsa.te', ` +domain_auto_trans(xdm_t, alsa_exec_t, alsa_t) +') dnl ifdef + +allow xdm_t var_log_t:file { getattr read }; allow xdm_t self:capability { sys_nice sys_rawio net_bind_service }; allow xdm_t self:process setrlimit; allow xdm_t wtmp_t:file { getattr read }; domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t) # -# Poweroff wants to create the /root/poweroff directory when run from xdm -# Seems to work without it. +# Poweroff wants to create the /poweroff file when run from xdm # -dontaudit xdm_t root_t:dir { add_name write }; -dontaudit xdm_t root_t:file create; +file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file) + # # xdm tries to bind to biff_port_t # dontaudit xdm_t port_type:tcp_socket name_bind; # VNC v4 module in X server -type vnc_port_t, port_type; allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; ifdef(`crack.te', ` allow xdm_t crack_db_t:file r_file_perms; @@ -342,3 +362,12 @@ r_dir_file(xdm_t, selinux_config_t) # Run telinit->init to shutdown. can_exec(xdm_t, init_exec_t) +allow xdm_t self:sem create_sem_perms; + +# Allow gdm to run gdm-binary +can_exec(xdm_t, xdm_exec_t) + +# Supress permission check on .ICE-unix +dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; + +#### Also see xdm_macros.te diff --git a/strict/domains/program/xserver.te b/strict/domains/program/xserver.te index 7cfce4c..cc2c493 100644 --- a/strict/domains/program/xserver.te +++ b/strict/domains/program/xserver.te 
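Review bot: `file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)` lets xdm_t create files directly in the root directory and labels them etc_runtime_t, a type that presumably many domains can read; the comment above says only the /poweroff flag file is wanted, so a comment recording that this label is chosen because the poweroff consumer reads etc_runtime_t would make the rule reviewable, and a narrower type is preferable if one exists. Removing `type vnc_port_t, port_type;` while keeping `allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;` assumes the type is now declared elsewhere (presumably a central port-type list, since zebra_port_t is dropped the same way in zebra.te); the policy will not build if it is not. `domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)` and the alsa transition are added without a note of what xdm runs to trigger them.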
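Review bot: `# Supress permission check on .ICE-unix` should read `# Suppress permission check on .ICE-unix`. `can_exec(xdm_t, xdm_exec_t)` with the comment `# Allow gdm to run gdm-binary` executes the display manager's own binary without a domain transition; that is reasonable for a re-exec, but a sentence saying it is a re-exec rather than a second display-manager instance helps the next reader. `dontaudit xdm_t ice_tmp_t:dir { getattr setattr };` silences the setattr attempts instead of granting them, which is the better choice; the comment could say the attribute change is expected to fail harmlessly.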
@@ -11,11 +11,10 @@ type xserver_exec_t, file_type, sysadmfile, exec_type; type xserver_log_t, file_type, sysadmfile, logfile; # type for /var/lib/xkb -type var_lib_xkb_t, file_type, sysadmfile, usercanread; - -# Allow the xserver to check for fonts in ~/.gnome or ~/.kde -bool allow_xserver_home_fonts false; +type xkb_var_lib_t, file_type, sysadmfile, usercanread; +typealias xkb_var_lib_t alias var_lib_xkb_t; # Everything else is in the xserver_domain macro in # macros/program/xserver_macros.te. +allow initrc_t xserver_log_t:fifo_file { read write }; diff --git a/strict/domains/program/ypbind.te b/strict/domains/program/ypbind.te index 605afd1..ed7c3f8 100644 --- a/strict/domains/program/ypbind.te +++ b/strict/domains/program/ypbind.te @@ -20,6 +20,7 @@ dontaudit ypbind_t self:capability net_admin; # Use the network. can_network(ypbind_t) +allow ypbind_t port_type:tcp_socket name_connect; allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind; allow ypbind_t self:fifo_file rw_file_perms; diff --git a/strict/domains/program/zebra.te b/strict/domains/program/zebra.te index 12ef473..640c621 100644 --- a/strict/domains/program/zebra.te +++ b/strict/domains/program/zebra.te @@ -3,7 +3,6 @@ # Author: Russell Coker # X-Debian-Packages: zebra # -type zebra_port_t, port_type; daemon_domain(zebra, `, sysctl_net_writer') type zebra_conf_t, file_type, sysadmfile; diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc index 2de04ab..6df147c 100644 --- a/strict/file_contexts/distros.fc +++ b/strict/file_contexts/distros.fc 
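Review bot: `-bool allow_xserver_home_fonts false;` removes a tunable; if any conditional block still references it (xserver_macros.te is named in the context lines but not shown here) the policy no longer compiles, and if it is intentionally superseded by the new font types and `read_fonts(xdm_t)`, a one-line comment noting the replacement stops someone re-adding it. `typealias xkb_var_lib_t alias var_lib_xkb_t;` correctly keeps the old name valid for existing labels. `allow initrc_t xserver_log_t:fifo_file { read write };` lacks a comment explaining why the init script needs a FIFO carrying the X server's log type.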
@@ -35,8 +35,7 @@ ifdef(`distro_redhat', `
 /usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t
 /usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
 /usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
-/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t
-/usr/share/ssl/private(/.*)? system_u:object_r:cert_t
+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
 /usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
 #
 # /emul/ia32-linux/usr
@@ -69,7 +68,7 @@ ifdef(`dbusd.te', `', `
 # Some of them should be fixed and removed from this list
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
+# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 /usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t
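Review bot: dropping `/usr/share/ssl/certs(/.*)?` and `/usr/share/ssl/private(/.*)?` from cert_t leaves whatever those paths fall through to (most likely the generic usr_t rule) as the label for private keys, unless an equivalent entry exists in a file_contexts file not in this diff; if the labeling moved to /etc/pki (dovecot.fc in this same series adds `/etc/pki/dovecot(/.*)?`), a comment here pointing at the new location, or keeping the old entries for systems still using /usr/share/ssl, prevents key material silently landing under a widely readable type. The replacement line `/etc/rhgb(/.*)? -d system_u:object_r:mnt_t` is unrelated to the removed entries and would read better in its own group with a comment on why rhgb's directory is treated as a mount point.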
@@ -85,23 +84,22 @@ ifdef(`dbusd.te', `', `
 /usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t
 /usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/libpthread\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgpreload_addrcheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgpreload_memcheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_addrcheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_cachegrind\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_callgrind\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_corecheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_helgrind\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_lackey\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_massif\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_memcheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_none\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program(/.*)? system_u:object_r:bin_t
+/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t
+/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t
+
 # Fedora Extras packages: ladspa, imlib2, ocaml
 /usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
 /usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t
@@ -123,6 +121,8 @@ ifdef(`dbusd.te', `', `
 /usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t
 /usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t
 /usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t
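Review bot: `/usr/lib/.*/program(/.*)? system_u:object_r:bin_t` labels every file under any `/usr/lib/*/program/` tree (and any deeper path containing `/program/`) as executable bin_t, far wider than the `/usr/lib/ooo-.*/program/` entries it replaces; if the intent is the OpenOffice program directory, anchoring it, e.g. `/usr/lib/ooo-.*/program(/.*)? system_u:object_r:bin_t`, keeps unrelated packages from acquiring bin_t. The new entries also mix `/usr/lib/` (libicudata, libsts645li, libvclplug, libwrp, libswd) with `/usr/lib(64)?/` (librecentfile, libsvx680li, libcomphelp4gcc3), so on x86_64 the first group will not match under /usr/lib64; use one prefix for all of them. `/usr/lib/valgrind/vg.*\.so` now covers files the explicit list did not, which is probably intended, but a comment saying so would help.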
@@ -140,7 +140,16 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t
 ')
 ifdef(`distro_suse', `
diff --git a/strict/file_contexts/program/NetworkManager.fc b/strict/file_contexts/program/NetworkManager.fc
new file mode 100644
index 0000000..99ea03d
--- /dev/null
+++ b/strict/file_contexts/program/NetworkManager.fc
@@ -0,0 +1,2 @@
+# NetworkManager
+/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t
diff --git a/strict/file_contexts/program/afs.fc b/strict/file_contexts/program/afs.fc
new file mode 100644
index 0000000..fb49f33
--- /dev/null
+++ b/strict/file_contexts/program/afs.fc
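Review bot: `/usr/lib/libdivxdecore.so.0`, `/usr/lib/libdivxencore.so.0` and `/usr/.*/jre/lib/i386/libdeploy.so` leave their dots unescaped, unlike every neighbouring `\.so` entry; as regexes they still match, but for consistency and to avoid accidental matches write `libdivxdecore\.so\.0`, `libdivxencore\.so\.0` and `libdeploy\.so`. The comment `# Java, Sun Microsystems (JPackage SRPM)` is followed by one Java line and four Adobe Reader plug-in lines; a separate `# Adobe Reader plug-ins` heading before the `/usr(/.*)?/Reader/...` entries would keep the grouping honest.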
@@ -0,0 +1,20 @@
+# afs
+/usr/afs/bin/bosserver -- system_u:object_r:afs_bosserver_exec_t
+/usr/afs/bin/kaserver -- system_u:object_r:afs_kaserver_exec_t
+/usr/afs/bin/vlserver -- system_u:object_r:afs_vlserver_exec_t
+/usr/afs/bin/ptserver -- system_u:object_r:afs_ptserver_exec_t
+/usr/afs/bin/fileserver -- system_u:object_r:afs_fsserver_exec_t
+/usr/afs/bin/volserver -- system_u:object_r:afs_fsserver_exec_t
+/usr/afs/bin/salvager -- system_u:object_r:afs_fsserver_exec_t
+
+/usr/afs/logs(/.*)? system_u:object_r:afs_logfile_t
+/usr/afs/etc(/.*)? system_u:object_r:afs_config_t
+/usr/afs/local(/.*)? system_u:object_r:afs_config_t
+/usr/afs/db -d system_u:object_r:afs_dbdir_t
+/usr/afs/db/pr.* -- system_u:object_r:afs_pt_db_t
+/usr/afs/db/ka.* -- system_u:object_r:afs_ka_db_t
+/usr/afs/db/vl.* -- system_u:object_r:afs_vl_db_t
+
+/vicepa system_u:object_r:afs_files_t
+/vicepb system_u:object_r:afs_files_t
+/vicepc system_u:object_r:afs_files_t
diff --git a/strict/file_contexts/program/alsa.fc b/strict/file_contexts/program/alsa.fc
new file mode 100644
index 0000000..837b071
--- /dev/null
+++ b/strict/file_contexts/program/alsa.fc
@@ -0,0 +1,3 @@
+#DESC ainit - configuration tool for ALSA
+/usr/bin/ainit -- system_u:object_r:alsa_exec_t
+/etc/alsa/pcm(/.*)? system_u:object_r:alsa_etc_rw_t
diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc
index 258ff2b..69fecd7 100644
--- a/strict/file_contexts/program/bluetooth.fc
+++ b/strict/file_contexts/program/bluetooth.fc
@@ -4,4 +4,5 @@
 /usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t
 /usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
 /usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t
-/var/run/sdp -- system_u:object_r:bluetooth_var_run_t
+/var/run/sdp -s system_u:object_r:bluetooth_var_run_t
+/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t
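Review bot: `/vicepa`, `/vicepb`, `/vicepc` hard-code three vice partitions, and without a `(/.*)?` suffix only the mount-point directory itself is labeled afs_files_t, not the files beneath it (fine if the partitions are mounted with a context option, but nothing here says so). A single pattern such as `/vicep[a-z]+(/.*)? system_u:object_r:afs_files_t` would cover additional partitions, and a comment stating whether the contents are expected to be labeled at mount time would make the choice explicit. The `/usr/afs/db/pr.*`, `ka.*` and `vl.*` entries use `--`, so the database directory's own type comes only from the `-d` line above them; a comment noting that split would help.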
diff --git a/strict/file_contexts/program/bonobo.fc b/strict/file_contexts/program/bonobo.fc
new file mode 100644
index 0000000..9c27b25
--- /dev/null
+++ b/strict/file_contexts/program/bonobo.fc
@@ -0,0 +1 @@
+/usr/libexec/bonobo-activation-server -- system_u:object_r:bonobo_exec_t
diff --git a/strict/file_contexts/program/clamav.fc b/strict/file_contexts/program/clamav.fc
index f08b276..4262e05 100644
--- a/strict/file_contexts/program/clamav.fc
+++ b/strict/file_contexts/program/clamav.fc
@@ -6,7 +6,10 @@
 /var/lib/clamav(/.*)? system_u:object_r:clamav_var_lib_t
 /var/log/clam-update\.log -- system_u:object_r:freshclam_log_t
 /var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/run/clamd\.ctl -s system_u:object_r:clamd_var_run_t
+/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t
+/var/log/clamav/clamd\.log.* -- system_u:object_r:clamd_log_t
+/var/log/clamav/freshclam\.log.* -- system_u:object_r:freshclam_log_t
+/var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t
 /var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t
-/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t
 /var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t
+/var/run/clamav/clamd.sock -s system_u:object_r:clamd_sock_t
diff --git a/strict/file_contexts/program/clockspeed.fc b/strict/file_contexts/program/clockspeed.fc
new file mode 100644
index 0000000..e00cd56
--- /dev/null
+++ b/strict/file_contexts/program/clockspeed.fc
@@ -0,0 +1,11 @@
+# clockspeed
+/usr/bin/clockspeed -- system_u:object_r:clockspeed_exec_t
+/usr/bin/clockadd -- system_u:object_r:clockspeed_exec_t
+/usr/bin/clockview -- system_u:object_r:clockspeed_exec_t
+/usr/bin/sntpclock -- system_u:object_r:clockspeed_exec_t
+/usr/bin/taiclock -- system_u:object_r:clockspeed_exec_t
+/usr/bin/taiclockd -- system_u:object_r:clockspeed_exec_t
+/usr/sbin/ntpclockset -- system_u:object_r:clockspeed_exec_t
+
+/var/lib/clockspeed(/.*)? system_u:object_r:clockspeed_var_lib_t
+
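Review bot: `/var/run/clamav/clamd.sock -s system_u:object_r:clamd_sock_t` leaves the dot unescaped while the sibling entries in this file escape theirs (`clamd\.ctl`, `clamd\.pid`); write `clamd\.sock` for consistency. The moved `/var/log/clamav(/.*)? ... freshclam_log_t` line now precedes the more specific `/var/log/clamav/clamd\.log.* ... clamd_log_t`, which relies on the more specific entry taking precedence; a comment noting that the directory default is freshclam's log type while clamd's own log gets clamd_log_t would spare the next reader the lookup.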
diff --git a/strict/file_contexts/program/cups.fc b/strict/file_contexts/program/cups.fc
index 2395746..d4c1eb2 100644
--- a/strict/file_contexts/program/cups.fc
+++ b/strict/file_contexts/program/cups.fc
@@ -17,6 +17,7 @@
 /etc/printcap.* -- system_u:object_r:cupsd_rw_etc_t
 /usr/lib(64)?/cups/backend/.* -- system_u:object_r:cupsd_exec_t
 /usr/lib(64)?/cups/daemon/.* -- system_u:object_r:cupsd_exec_t
+/usr/lib(64)?/cups/daemon/cups-lpd -- system_u:object_r:cupsd_lpd_exec_t
 /usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t
 ifdef(`hald.te', `
 # cupsd_config depends on hald
@@ -25,12 +26,20 @@ ifdef(`hald.te', `
 /usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t
 ')
 /var/log/cups(/.*)? system_u:object_r:cupsd_log_t
+/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t
 /var/spool/cups(/.*)? system_u:object_r:print_spool_t
 /var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t
 /usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t
 /usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t
 /usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t
 /usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t
+/usr/sbin/ptal-photod -- system_u:object_r:ptal_exec_t
 /var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
 /var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t
+/etc/hp(/.*)? system_u:object_r:hplip_etc_t
+/usr/sbin/hpiod -- system_u:object_r:hplip_exec_t
+/usr/share/hplip/hpssd.py -- system_u:object_r:hplip_exec_t
 /usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t
+/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t
+/var/run/hp.*\.pid -- system_u:object_r:hplip_var_run_t
+/var/run/hp.*\.port -- system_u:object_r:hplip_var_run_t
diff --git a/strict/file_contexts/program/cvs.fc b/strict/file_contexts/program/cvs.fc
new file mode 100644
index 0000000..ce38032
--- /dev/null
+++ b/strict/file_contexts/program/cvs.fc
@@ -0,0 +1,2 @@
+# cvs program
+/usr/bin/cvs -- system_u:object_r:cvs_exec_t
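Review bot: `/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t` combines a directory-tree pattern with the `--` regular-file restriction, so /var/cache/foomatic and any subdirectory keep whatever type the generic cache rules give them while only the files get cupsd_rw_etc_t; the other tree entries in this file (`/var/log/cups(/.*)?`, `/etc/hp(/.*)?`) omit the type field, and this one presumably should too. Reusing an etc type for a cache directory also blurs the config/cache distinction; if cupsd only needs to write the cache, a comment saying why cupsd_rw_etc_t was reused rather than a cache type is warranted. `/usr/share/hplip/hpssd.py` should escape its dot (`hpssd\.py`) like the `\.pid` and `\.port` entries below it.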
diff --git a/strict/file_contexts/program/cyrus.fc b/strict/file_contexts/program/cyrus.fc
index 6129446..04b78be 100644
--- a/strict/file_contexts/program/cyrus.fc
+++ b/strict/file_contexts/program/cyrus.fc
@@ -2,3 +2,4 @@
 /var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t
 /usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t
 /usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t
+/var/spool/imap(/.*)? system_u:object_r:mail_spool_t
diff --git a/strict/file_contexts/program/daemontools.fc b/strict/file_contexts/program/daemontools.fc
new file mode 100644
index 0000000..c2642ed
--- /dev/null
+++ b/strict/file_contexts/program/daemontools.fc
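Review bot: `/var/spool/imap(/.*)? system_u:object_r:mail_spool_t` puts the Cyrus mail store under the generic mail_spool_t shared with other mail software, so every domain allowed on mail_spool_t can read user mailboxes; if cyrus.te defines (or could define) a cyrus-specific spool type, using it here keeps mailbox access confined to the cyrus domain. If sharing the generic type is intentional, a comment stating which other domain needs the access would do.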
@@ -0,0 +1,54 @@
+# daemontools
+
+/var/service/.* system_u:object_r:svc_svc_t
+
+# symlinks to /var/service/*
+/service(/.*)? system_u:object_r:svc_svc_t
+
+# supervise scripts
+/usr/bin/svc-add -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-isdown -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-isup -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-remove -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-start -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-status -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-stop -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-waitdown -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-waitup -- system_u:object_r:svc_script_exec_t
+
+# supervise init binaries
+# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
+/usr/bin/svc -- system_u:object_r:svc_start_exec_t
+/usr/bin/svscan -- system_u:object_r:svc_start_exec_t
+/usr/bin/svscanboot -- system_u:object_r:svc_start_exec_t
+/usr/bin/svok -- system_u:object_r:svc_start_exec_t
+/usr/bin/supervise -- system_u:object_r:svc_start_exec_t
+
+# starting scripts
+/var/service/.*/run.* system_u:object_r:svc_run_exec_t
+/var/service/.*/log/run system_u:object_r:svc_run_exec_t
+
+# configurations
+/var/service/.*/env(/.*)? system_u:object_r:svc_conf_t
+
+# log
+/var/service/.*/log/main(/.*)? system_u:object_r:svc_log_t
+
+# programs that impose a given environment to daemons
+/usr/bin/softlimit -- system_u:object_r:svc_run_exec_t
+/usr/bin/setuidgid -- system_u:object_r:svc_run_exec_t
+/usr/bin/envuidgid -- system_u:object_r:svc_run_exec_t
+/usr/bin/envdir -- system_u:object_r:svc_run_exec_t
+/usr/bin/setlock -- system_u:object_r:svc_run_exec_t
+
+# helper programs
+/usr/bin/fghack -- system_u:object_r:svc_run_exec_t
+/usr/bin/pgrphack -- system_u:object_r:svc_run_exec_t
+
+/var/run/svscan\.pid -- system_u:object_r:initrc_var_run_t
+# daemontools logger # writes to service/*/log/main/ and /var/log/*/
+/usr/bin/multilog -- system_u:object_r:svc_multilog_exec_t
+
+/sbin/svcinit -- system_u:object_r:initrc_exec_t
+/sbin/runsvcscript\.sh -- system_u:object_r:initrc_exec_t
+
diff --git a/strict/file_contexts/program/dcc.fc b/strict/file_contexts/program/dcc.fc
new file mode 100644
index 0000000..a6b1372
--- /dev/null
+++ b/strict/file_contexts/program/dcc.fc
@@ -0,0 +1,17 @@
+# DCC
+/etc/dcc(/.*)? system_u:object_r:dcc_var_t
+/etc/dcc/map -- system_u:object_r:dcc_client_map_t
+/etc/dcc/dccifd -s system_u:object_r:dccifd_sock_t
+/usr/bin/cdcc system_u:object_r:cdcc_exec_t
+/usr/bin/dccproc system_u:object_r:dcc_client_exec_t
+/usr/libexec/dcc/dbclean system_u:object_r:dcc_dbclean_exec_t
+/usr/libexec/dcc/dccd system_u:object_r:dccd_exec_t
+/usr/libexec/dcc/dccifd system_u:object_r:dccifd_exec_t
+/usr/libexec/dcc/dccm system_u:object_r:dccm_exec_t
+/usr/libexec/dcc/start-.* system_u:object_r:dcc_script_exec_t
+/usr/libexec/dcc/stop-.* system_u:object_r:dcc_script_exec_t
+/var/dcc(/.*)? system_u:object_r:dcc_var_t
+/var/dcc/map -- system_u:object_r:dcc_client_map_t
+/var/run/dcc system_u:object_r:dcc_var_run_t
+/var/run/dcc/map -- system_u:object_r:dcc_client_map_t
+/var/run/dcc/dccifd -s system_u:object_r:dccifd_sock_t
diff --git a/strict/file_contexts/program/ddclient.fc b/strict/file_contexts/program/ddclient.fc
index ba003c9..83ee3d2 100644
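Review bot: `/var/service/.*/run.* system_u:object_r:svc_run_exec_t` has no file-type field and an open-ended `run.*`, so directories, sockets or stray files whose names merely start with "run" under any service also receive the exec type; if only the run script is meant, `/var/service/.*/run -- system_u:object_r:svc_run_exec_t` together with `/var/service/.*/log/run -- system_u:object_r:svc_run_exec_t` is tighter. The comment `# daemontools logger # writes to service/*/log/main/ and /var/log/*/` carries a second `#` mid-line; split it into two comment lines. `/var/service/.*` and `/service(/.*)?` differ in whether the top-level directory itself is covered — worth a sentence saying which is intended.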
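Review bot: the executable entries `/usr/bin/cdcc`, `/usr/bin/dccproc` and the `/usr/libexec/dcc/...` lines omit the `--` file-type field that the rest of this series uses for binaries, so a directory or symlink at those paths would also be typed as an executable; add `--` for consistency. `/etc/dcc(/.*)? system_u:object_r:dcc_var_t` labels the configuration directory with the var type — if that is deliberate because the daemon writes there, a comment saying so keeps it from being "fixed" later.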
--- a/strict/file_contexts/program/ddclient.fc
+++ b/strict/file_contexts/program/ddclient.fc
@@ -7,5 +7,5 @@
 /usr/sbin/ddtcd -- system_u:object_r:ddclient_exec_t
 /var/run/ddtcd\.pid -- system_u:object_r:ddclient_var_run_t
 /etc/ddtcd\.conf -- system_u:object_r:ddclient_etc_t
-/var/lib/ddt-client(/.*)? system_u:object_r:var_lib_ddclient_t
+/var/lib/ddt-client(/.*)? system_u:object_r:ddclient_var_lib_t
 /var/log/ddtcd\.log.* -- system_u:object_r:ddclient_log_t
diff --git a/strict/file_contexts/program/ddcprobe.fc b/strict/file_contexts/program/ddcprobe.fc
new file mode 100644
index 0000000..4313349
--- /dev/null
+++ b/strict/file_contexts/program/ddcprobe.fc
@@ -0,0 +1 @@
+/usr/sbin/ddcprobe -- system_u:object_r:ddcprobe_exec_t
diff --git a/strict/file_contexts/program/devfsd.fc b/strict/file_contexts/program/devfsd.fc
deleted file mode 100644
index 7587e2e..0000000
--- a/strict/file_contexts/program/devfsd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# devfsd
-/etc/devfs(/.*)? system_u:object_r:devfsd_etc_t
-/sbin/devfsd.* -- system_u:object_r:devfsd_exec_t
-/etc/init\.d/makedev -- system_u:object_r:devfsd_exec_t
diff --git a/strict/file_contexts/program/dictd.fc b/strict/file_contexts/program/dictd.fc
index 75e4493..0d97d0a 100644
--- a/strict/file_contexts/program/dictd.fc
+++ b/strict/file_contexts/program/dictd.fc
@@ -1,4 +1,4 @@
 # dictd
 /etc/dictd\.conf -- system_u:object_r:dictd_etc_t
 /usr/sbin/dictd -- system_u:object_r:dictd_exec_t
-/var/lib/dictd(/.*)? system_u:object_r:var_lib_dictd_t
+/var/lib/dictd(/.*)? system_u:object_r:dictd_var_lib_t
diff --git a/strict/file_contexts/program/djbdns.fc b/strict/file_contexts/program/djbdns.fc
new file mode 100644
index 0000000..6174b9f
--- /dev/null
+++ b/strict/file_contexts/program/djbdns.fc
@@ -0,0 +1,26 @@
+#djbdns
+/usr/bin/dnscache -- system_u:object_r:djbdns_dnscache_exec_t
+/usr/bin/tinydns -- system_u:object_r:djbdns_tinydns_exec_t
+/usr/bin/axfrdns -- system_u:object_r:djbdns_axfrdns_exec_t
+
+/var/dnscache[a-z]?(/.*)? system_u:object_r:svc_svc_t
+/var/dnscache[a-z]?/run -- system_u:object_r:svc_run_exec_t
+/var/dnscache[a-z]?/log/run -- system_u:object_r:svc_run_exec_t
+/var/dnscache[a-z]?/env(/.*)? system_u:object_r:svc_conf_t
+/var/dnscache[a-z]?/root(/.*)? system_u:object_r:djbdns_dnscache_conf_t
+/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
+
+/var/tinydns(/.*)? system_u:object_r:svc_svc_t
+/var/tinydns/run -- system_u:object_r:svc_run_exec_t
+/var/tinydns/log/run -- system_u:object_r:svc_run_exec_t
+/var/tinydns/env(/.*)? system_u:object_r:svc_conf_t
+/var/tinydns/root(/.*)? system_u:object_r:djbdns_tinydns_conf_t
+/var/tinydns/log/main(/.*)? system_u:object_r:var_log_t
+
+/var/axfrdns(/.*)? system_u:object_r:svc_svc_t
+/var/axfrdns/run -- system_u:object_r:svc_run_exec_t
+/var/axfrdns/log/run -- system_u:object_r:svc_run_exec_t
+/var/axfrdns/env(/.*)? system_u:object_r:svc_conf_t
+/var/axfrdns/root(/.*)? system_u:object_r:djbdns_axfrdns_conf_t
+/var/axfrdns/log/main(/.*)? system_u:object_r:var_log_t
+
diff --git a/strict/file_contexts/program/dmidecode.fc b/strict/file_contexts/program/dmidecode.fc
new file mode 100644
index 0000000..b5ce71b
--- /dev/null
+++ b/strict/file_contexts/program/dmidecode.fc
@@ -0,0 +1,4 @@
+# dmidecode
+/usr/sbin/dmidecode -- system_u:object_r:dmidecode_exec_t
+/usr/sbin/ownership -- system_u:object_r:dmidecode_exec_t
+/usr/sbin/vpddecode -- system_u:object_r:dmidecode_exec_t
diff --git a/strict/file_contexts/program/dovecot.fc b/strict/file_contexts/program/dovecot.fc
index 83fc652..75a65dd 100644
--- a/strict/file_contexts/program/dovecot.fc
+++ b/strict/file_contexts/program/dovecot.fc
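Review bot: `/var/dnscache[a-z]?/log/main(/.*)?`, `/var/tinydns/log/main(/.*)?` and `/var/axfrdns/log/main(/.*)?` are labeled var_log_t, whereas daemontools.fc in this same series labels `/var/service/.*/log/main(/.*)?` as svc_log_t; if multilog (svc_multilog_exec_t) is what writes these, svc_log_t is the consistent choice and keeps the DNS logs out of the generic var_log_t that many domains can read. The `[a-z]?` suffix admits only one letter after "dnscache"; a comment saying it is for dnscachex-style secondary instances would explain the pattern.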
@@ -1,4 +1,6 @@
 # for Dovecot POP and IMAP server
+/etc/dovecot.conf.* system_u:object_r:dovecot_etc_t
+/etc/dovecot.passwd.* system_u:object_r:dovecot_passwd_t
 /usr/sbin/dovecot -- system_u:object_r:dovecot_exec_t
 ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t
@@ -8,5 +10,7 @@ ifdef(`distro_debian', `
 ')
 /usr/share/ssl/certs/dovecot\.pem -- system_u:object_r:dovecot_cert_t
 /usr/share/ssl/private/dovecot\.pem -- system_u:object_r:dovecot_cert_t
+/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)? system_u:object_r:dovecot_var_run_t
 /usr/lib(64)?/dovecot/.+ -- system_u:object_r:bin_t
+/var/spool/dovecot(/.*)? system_u:object_r:dovecot_spool_t
diff --git a/strict/file_contexts/program/dpkg.fc b/strict/file_contexts/program/dpkg.fc
index 44f0f2c..f0f56f6 100644
--- a/strict/file_contexts/program/dpkg.fc
+++ b/strict/file_contexts/program/dpkg.fc
@@ -32,7 +32,6 @@
 /var/cache/debconf(/.*)? system_u:object_r:debconf_cache_t
 /etc/dpkg/.+ -- system_u:object_r:dpkg_etc_t
 /etc/menu-methods/.* -- system_u:object_r:install_menu_exec_t
-/etc/kde2/.+\.sh -- system_u:object_r:install_menu_exec_t
 /usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
 /var/run/update-menus\.pid -- system_u:object_r:install_menu_var_run_t
 /usr/share/dlint/digparse -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/ethereal.fc b/strict/file_contexts/program/ethereal.fc
new file mode 100644
index 0000000..abe9b02
--- /dev/null
+++ b/strict/file_contexts/program/ethereal.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tethereal.* -- system_u:object_r:tethereal_exec_t
+/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t
+HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t
diff --git a/strict/file_contexts/program/evolution.fc b/strict/file_contexts/program/evolution.fc
new file mode 100644
index 0000000..1a3bf38
--- /dev/null
+++ b/strict/file_contexts/program/evolution.fc
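Review bot: `/etc/dovecot.conf.*` and `/etc/dovecot.passwd.*` leave their dots unescaped and carry no `--` field, unlike the `\.pem` entries in the second hunk; `/etc/dovecot\.conf.* -- system_u:object_r:dovecot_etc_t` and `/etc/dovecot\.passwd.* -- system_u:object_r:dovecot_passwd_t` would be consistent. The passwd entry is the one worth tightening, since it assigns the dovecot_passwd_t credential type and an unescaped dot also matches names such as /etc/dovecotXpasswd; harmless here, but needless.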
@@ -0,0 +1,8 @@ +/usr/bin/evolution.* -- system_u:object_r:evolution_exec_t +/usr/libexec/evolution/.*evolution-alarm-notify.* -- system_u:object_r:evolution_alarm_exec_t +/usr/libexec/evolution/.*evolution-exchange-storage.* -- system_u:object_r:evolution_exchange_exec_t +/usr/libexec/evolution-data-server.* -- system_u:object_r:evolution_server_exec_t +/usr/libexec/evolution-webcal.* -- system_u:object_r:evolution_webcal_exec_t +HOME_DIR/\.evolution(/.*)? system_u:object_r:ROLE_evolution_home_t +HOME_DIR/\.camel_certs(/.*)? system_u:object_r:ROLE_evolution_home_t +/tmp/\.exchange-USER(/.*)? system_u:object_r:ROLE_evolution_exchange_tmp_t diff --git a/strict/file_contexts/program/fetchmail.fc b/strict/file_contexts/program/fetchmail.fc index fe0fd08..5186172 100644 --- a/strict/file_contexts/program/fetchmail.fc +++ b/strict/file_contexts/program/fetchmail.fc @@ -1,5 +1,5 @@ # fetchmail /etc/fetchmailrc -- system_u:object_r:fetchmail_etc_t /usr/bin/fetchmail -- system_u:object_r:fetchmail_exec_t -/var/run/fetchmail(/.*)? -- system_u:object_r:fetchmail_var_run_t +/var/run/fetchmail/.* -- system_u:object_r:fetchmail_var_run_t /var/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t diff --git a/strict/file_contexts/program/fontconfig.fc b/strict/file_contexts/program/fontconfig.fc new file mode 100644 index 0000000..d8a8dc9 --- /dev/null +++ b/strict/file_contexts/program/fontconfig.fc @@ -0,0 +1,4 @@ +HOME_DIR/\.fonts.conf -- system_u:object_r:ROLE_fonts_config_t +HOME_DIR/\.fonts(/.*)? system_u:object_r:ROLE_fonts_t +HOME_DIR/\.fonts/auto(/.*)? system_u:object_r:ROLE_fonts_cache_t +HOME_DIR/\.fonts.cache-.* -- system_u:object_r:ROLE_fonts_cache_t diff --git a/strict/file_contexts/program/gconf.fc b/strict/file_contexts/program/gconf.fc new file mode 100644 index 0000000..3ee63e0 --- /dev/null +++ b/strict/file_contexts/program/gconf.fc 
@@ -0,0 +1,5 @@ +/usr/libexec/gconfd-2 -- system_u:object_r:gconfd_exec_t +/etc/gconf(/.*)? system_u:object_r:gconf_etc_t +HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_gconfd_home_t +HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_gconfd_home_t +/tmp/gconfd-USER(/.*)? system_u:object_r:ROLE_gconfd_tmp_t diff --git a/strict/file_contexts/program/gnome.fc b/strict/file_contexts/program/gnome.fc new file mode 100644 index 0000000..670c86f --- /dev/null +++ b/strict/file_contexts/program/gnome.fc @@ -0,0 +1,8 @@ +# FIXME: add a lot more GNOME folders +HOME_DIR/\.gnome(2)?(/.*)? system_u:object_r:ROLE_gnome_settings_t +HOME_DIR/\.gnome(2)?_private(/.*)? system_u:object_r:ROLE_gnome_secret_t +ifdef(`evolution.te', ` +HOME_DIR/\.gnome(2)?_private/Evolution -- system_u:object_r:ROLE_evolution_secret_t +') +HOME_DIR/\.gnome(2)?/share/fonts(/.*)? system_u:object_r:ROLE_fonts_t +HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)? system_u:object_r:ROLE_fonts_t diff --git a/strict/file_contexts/program/gnome_vfs.fc b/strict/file_contexts/program/gnome_vfs.fc new file mode 100644 index 0000000..f945d59 --- /dev/null +++ b/strict/file_contexts/program/gnome_vfs.fc @@ -0,0 +1 @@ +/usr/libexec/gnome-vfs-daemon -- system_u:object_r:gnome_vfs_exec_t diff --git a/strict/file_contexts/program/i18n_input.fc b/strict/file_contexts/program/i18n_input.fc index 41379d0..5403e2b 100644 --- a/strict/file_contexts/program/i18n_input.fc +++ b/strict/file_contexts/program/i18n_input.fc 
@@ -1,7 +1,11 @@ # i18n_input.fc /usr/sbin/htt -- system_u:object_r:i18n_input_exec_t /usr/sbin/htt_server -- system_u:object_r:i18n_input_exec_t +/usr/bin/iiimd\.bin -- system_u:object_r:i18n_input_exec_t /usr/bin/httx -- system_u:object_r:i18n_input_exec_t /usr/bin/htt_xbe -- system_u:object_r:i18n_input_exec_t +/usr/bin/iiimx -- system_u:object_r:i18n_input_exec_t +/usr/lib/iiim/iiim-xbe -- system_u:object_r:i18n_input_exec_t /usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t +/usr/lib(64)?/iiim/.*\.so.* -- system_u:object_r:shlib_t /var/run/iiim(/.*)? system_u:object_r:i18n_input_var_run_t diff --git a/strict/file_contexts/program/irc.fc b/strict/file_contexts/program/irc.fc index 5086de7..9f52efb 100644 --- a/strict/file_contexts/program/irc.fc +++ b/strict/file_contexts/program/irc.fc @@ -2,4 +2,4 @@ /usr/bin/[st]irc -- system_u:object_r:irc_exec_t /usr/bin/ircII -- system_u:object_r:irc_exec_t /usr/bin/tinyirc -- system_u:object_r:irc_exec_t -HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_home_irc_t +HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t diff --git a/strict/file_contexts/program/kudzu.fc b/strict/file_contexts/program/kudzu.fc index eed8191..c75870a 100644 --- a/strict/file_contexts/program/kudzu.fc +++ b/strict/file_contexts/program/kudzu.fc @@ -1,3 +1,4 @@ # kudzu /usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t /sbin/kmodule -- system_u:object_r:kudzu_exec_t +/var/run/Xconfig -- root:object_r:kudzu_var_run_t diff --git a/strict/file_contexts/program/monopd.fc b/strict/file_contexts/program/monopd.fc index 0c00ab6..457493e 100644 --- a/strict/file_contexts/program/monopd.fc +++ b/strict/file_contexts/program/monopd.fc @@ -1,4 +1,4 @@ # monopd -/etc/monopd\.conf -- system_u:object_r:etc_monopd_t +/etc/monopd\.conf -- system_u:object_r:monopd_etc_t /usr/sbin/monopd -- system_u:object_r:monopd_exec_t -/usr/share/monopd/games(/.*)? system_u:object_r:share_monopd_t +/usr/share/monopd/games(/.*)? system_u:object_r:monopd_share_t 
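Review bot: The added kudzu.fc line `+/var/run/Xconfig -- root:object_r:kudzu_var_run_t` uses `root` in the SELinux user field, whereas every other entry in this file and in the sibling .fc files of this commit uses `system_u`. Unless the file is deliberately meant to carry a user identity, `/var/run/Xconfig -- system_u:object_r:kudzu_var_run_t` is the consistent form; presumably setfiles would also reject the entry if `root` is not a defined SELinux user in the policy being built, so this is worth confirming before merge.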
diff --git a/strict/file_contexts/program/mozilla.fc b/strict/file_contexts/program/mozilla.fc index 7a8c13c..2b533a6 100644 --- a/strict/file_contexts/program/mozilla.fc +++ b/strict/file_contexts/program/mozilla.fc @@ -3,10 +3,6 @@ HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/My.Downloads(/.*)? system_u:object_r:ROLE_mozilla_home_t HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t /usr/bin/netscape -- system_u:object_r:mozilla_exec_t /usr/bin/mozilla -- system_u:object_r:mozilla_exec_t diff --git a/strict/file_contexts/program/mrtg.fc b/strict/file_contexts/program/mrtg.fc index 9d00476..adfecff 100644 --- a/strict/file_contexts/program/mrtg.fc +++ b/strict/file_contexts/program/mrtg.fc @@ -1,6 +1,6 @@ # mrtg - traffic grapher /usr/bin/mrtg -- system_u:object_r:mrtg_exec_t -/var/lib/mrtg(/.*)? system_u:object_r:var_lib_mrtg_t +/var/lib/mrtg(/.*)? system_u:object_r:mrtg_var_lib_t /var/lock/mrtg(/.*)? system_u:object_r:mrtg_lock_t /etc/mrtg.* system_u:object_r:mrtg_etc_t /etc/mrtg/mrtg\.ok -- system_u:object_r:mrtg_lock_t diff --git a/strict/file_contexts/program/nrpe.fc b/strict/file_contexts/program/nrpe.fc index be74d33..6523cc3 100644 --- a/strict/file_contexts/program/nrpe.fc +++ b/strict/file_contexts/program/nrpe.fc 
@@ -2,6 +2,6 @@ /usr/bin/nrpe -- system_u:object_r:nrpe_exec_t /etc/nagios/nrpe\.cfg -- system_u:object_r:nrpe_etc_t ifdef(`nagios.te', `', ` -/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t -/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t +/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t +/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t ') diff --git a/strict/file_contexts/program/nx_server.fc b/strict/file_contexts/program/nx_server.fc new file mode 100644 index 0000000..d993646 --- /dev/null +++ b/strict/file_contexts/program/nx_server.fc @@ -0,0 +1,5 @@ +# nx +/opt/NX/bin/nxserver -- system_u:object_r:nx_server_exec_t +/opt/NX/var(/.*)? system_u:object_r:nx_server_var_run_t +/opt/NX/home/nx/\.ssh(/.*)? system_u:object_r:nx_server_home_ssh_t + diff --git a/strict/file_contexts/program/openvpn.fc b/strict/file_contexts/program/openvpn.fc index ba84de2..34b2992 100644 --- a/strict/file_contexts/program/openvpn.fc +++ b/strict/file_contexts/program/openvpn.fc @@ -1,4 +1,4 @@ # OpenVPN -/etc/openvpn(/.*)? -- system_u:object_r:openvpn_etc_t +/etc/openvpn/.* -- system_u:object_r:openvpn_etc_t /usr/sbin/openvpn -- system_u:object_r:openvpn_exec_t diff --git a/strict/file_contexts/program/orbit.fc b/strict/file_contexts/program/orbit.fc new file mode 100644 index 0000000..4afbc83 --- /dev/null +++ b/strict/file_contexts/program/orbit.fc @@ -0,0 +1,3 @@ +/tmp/orbit-USER(-.*)? -d system_u:object_r:ROLE_orbit_tmp_t +/tmp/orbit-USER(-.*)?/linc.* -s <> +/tmp/orbit-USER(-.*)?/bonobo.* -- system_u:object_r:ROLE_orbit_tmp_t diff --git a/strict/file_contexts/program/postfix.fc b/strict/file_contexts/program/postfix.fc index 08b3c69..2a5850b 100644 --- a/strict/file_contexts/program/postfix.fc +++ b/strict/file_contexts/program/postfix.fc 
@@ -2,20 +2,32 @@ /etc/postfix(/.*)? system_u:object_r:postfix_etc_t ifdef(`distro_redhat', ` /etc/postfix/aliases.* system_u:object_r:etc_aliases_t +/usr/libexec/postfix/.* -- system_u:object_r:postfix_exec_t +/usr/libexec/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t +/usr/libexec/postfix/local -- system_u:object_r:postfix_local_exec_t +/usr/libexec/postfix/master -- system_u:object_r:postfix_master_exec_t +/usr/libexec/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t +/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t +/usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t +/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t +/usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t +/usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t +/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t +', ` +/usr/lib/postfix/.* -- system_u:object_r:postfix_exec_t +/usr/lib/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t +/usr/lib/postfix/local -- system_u:object_r:postfix_local_exec_t +/usr/lib/postfix/master -- system_u:object_r:postfix_master_exec_t +/usr/lib/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t +/usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t +/usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t +/usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t +/usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t +/usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t +/usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t ') /etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t /etc/postfix/prng_exch -- system_u:object_r:postfix_prng_t -/usr/lib(exec)?/postfix/.* -- system_u:object_r:postfix_exec_t -/usr/lib(exec)?/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t -/usr/lib(exec)?/postfix/local -- system_u:object_r:postfix_local_exec_t 
-/usr/lib(exec)?/postfix/master -- system_u:object_r:postfix_master_exec_t -/usr/lib(exec)?/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t -/usr/lib(exec)?/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t -/usr/lib(exec)?/postfix/showq -- system_u:object_r:postfix_showq_exec_t -/usr/lib(exec)?/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t -/usr/lib(exec)?/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t -/usr/lib(exec)?/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t -/usr/lib(exec)?/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t /usr/sbin/postalias -- system_u:object_r:postfix_master_exec_t /usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t /usr/sbin/postdrop -- system_u:object_r:postfix_postdrop_exec_t diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc index 48e5b68..af9d512 100644 --- a/strict/file_contexts/program/pppd.fc +++ b/strict/file_contexts/program/pppd.fc @@ -1,17 +1,18 @@ # pppd /usr/sbin/pppd -- system_u:object_r:pppd_exec_t +/usr/sbin/pptp -- system_u:object_r:pptp_exec_t /usr/sbin/ipppd -- system_u:object_r:pppd_exec_t /dev/ppp -c system_u:object_r:ppp_device_t /dev/pppox.* -c system_u:object_r:ppp_device_t /dev/ippp.* -c system_u:object_r:ppp_device_t -/var/run/pppd\.tdb -- system_u:object_r:pppd_var_run_t +/var/run/pppd[0-9]*\.tdb -- system_u:object_r:pppd_var_run_t /var/run/ppp(/.*)? system_u:object_r:pppd_var_run_t /etc/ppp -d system_u:object_r:pppd_etc_t /etc/ppp/.* -- system_u:object_r:pppd_etc_rw_t /etc/ppp/.*secrets -- system_u:object_r:pppd_secret_t /var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t /var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t -/var/log/ppp(/.*)? -- system_u:object_r:pppd_log_t +/var/log/ppp/.* -- system_u:object_r:pppd_log_t /etc/ppp/ip-down.* -- system_u:object_r:bin_t /etc/ppp/ip-up.* -- system_u:object_r:bin_t /etc/ppp/ipv6-up -- system_u:object_r:bin_t 
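Review bot: The non-Red Hat branch introduced after `', `` labels only `/usr/lib/postfix/...`, while other library paths added in this commit are written `/usr/lib(64)?/...` (i18n_input.fc, nrpe.fc); on a distribution that installs Postfix under a lib64 directory the daemon binaries would get no postfix label from this branch and so would not enter their confined domains. If that layout is not a supported target, a short comment saying so would help; otherwise `/usr/lib(64)?/postfix/.* -- system_u:object_r:postfix_exec_t` and the matching per-daemon lines cover both. The hunk keeps the catch-all `/usr/lib/postfix/.*` ahead of the specific daemon entries in both branches, mirroring the removed ordering, so precedence is unchanged.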
diff --git a/strict/file_contexts/program/publicfile.fc b/strict/file_contexts/program/publicfile.fc new file mode 100644 index 0000000..dc32249 --- /dev/null +++ b/strict/file_contexts/program/publicfile.fc @@ -0,0 +1,9 @@ + +/usr/bin/ftpd -- system_u:object_r:publicfile_exec_t +/usr/bin/httpd -- system_u:object_r:publicfile_exec_t +/usr/bin/publicfile-conf -- system_u:object_r:publicfile_exec_t + +# this is the place where online content located +# set this to suit your needs +#/var/www(/.*)? system_u:object_r:publicfile_content_t + diff --git a/strict/file_contexts/program/pump.fc b/strict/file_contexts/program/pump.fc deleted file mode 100644 index e69de29..0000000 --- a/strict/file_contexts/program/pump.fc +++ /dev/null diff --git a/strict/file_contexts/program/pyzor.fc b/strict/file_contexts/program/pyzor.fc new file mode 100644 index 0000000..ff62295 --- /dev/null +++ b/strict/file_contexts/program/pyzor.fc @@ -0,0 +1,6 @@ +/etc/pyzor(/.*)? system_u:object_r:pyzor_etc_t +/usr/bin/pyzor -- system_u:object_r:pyzor_exec_t +/usr/bin/pyzord -- system_u:object_r:pyzord_exec_t +/var/lib/pyzord(/.*)? system_u:object_r:pyzor_var_lib_t +/var/log/pyzord.log -- system_u:object_r:pyzord_log_t +HOME_DIR/\.pyzor(/.*)? system_u:object_r:ROLE_pyzor_home_t diff --git a/strict/file_contexts/program/razor.fc b/strict/file_contexts/program/razor.fc new file mode 100644 index 0000000..f3f1346 --- /dev/null +++ b/strict/file_contexts/program/razor.fc @@ -0,0 +1,6 @@ +# razor +/etc/razor(/.*)? system_u:object_r:razor_etc_t +/usr/bin/razor.* system_u:object_r:razor_exec_t +/var/lib/razor(/.*)? system_u:object_r:razor_var_lib_t +/var/log/razor-agent.log system_u:object_r:razor_log_t +HOME_DIR/\.razor(/.*)? system_u:object_r:ROLE_razor_home_t diff --git a/strict/file_contexts/program/rdisc.fc b/strict/file_contexts/program/rdisc.fc new file mode 100644 index 0000000..d3f9dcf --- /dev/null +++ b/strict/file_contexts/program/rdisc.fc 
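Review bot: The razor.fc entry `+/usr/bin/razor.* system_u:object_r:razor_exec_t` has no file-type field, so the spec also applies to directories, symlinks and any other object matching that name, unlike the executables elsewhere in this commit which carry `--`; `/usr/bin/razor.* -- system_u:object_r:razor_exec_t` matches the convention and keeps an exec label off non-regular files. The same omission is in rdisc.fc (`/sbin/rdisc`), tripwire.fc (`/usr/sbin/siggen`, `/usr/sbin/tripwire`, `/usr/sbin/tripwire-setup-keyfiles`, `/usr/sbin/twadmin`, `/usr/sbin/twprint`) and yam.fc (`/usr/bin/yam`), and razor's `/var/log/razor-agent.log` likewise lacks `--`.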
@@ -0,0 +1,2 @@ +# rdisc +/sbin/rdisc system_u:object_r:rdisc_exec_t diff --git a/strict/file_contexts/program/rhgb.fc b/strict/file_contexts/program/rhgb.fc index 5f7e63e..118972e 100644 --- a/strict/file_contexts/program/rhgb.fc +++ b/strict/file_contexts/program/rhgb.fc @@ -1,2 +1 @@ /usr/bin/rhgb -- system_u:object_r:rhgb_exec_t -/etc/rhgb(/.*)? -d system_u:object_r:mnt_t diff --git a/strict/file_contexts/program/rpcd.fc b/strict/file_contexts/program/rpcd.fc index 7608974..60bb3f3 100644 --- a/strict/file_contexts/program/rpcd.fc +++ b/strict/file_contexts/program/rpcd.fc @@ -1,6 +1,6 @@ # RPC daemons /sbin/rpc\..* -- system_u:object_r:rpcd_exec_t -/usr/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t +/usr/sbin/rpc.idmapd -- system_u:object_r:rpcd_exec_t /usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t /usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t /usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t @@ -9,3 +9,4 @@ /var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t /var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t /etc/exports -- system_u:object_r:exports_t + diff --git a/strict/file_contexts/program/screen.fc b/strict/file_contexts/program/screen.fc index f1afcf0..0e6e78d 100644 --- a/strict/file_contexts/program/screen.fc +++ b/strict/file_contexts/program/screen.fc @@ -1,5 +1,5 @@ # screen /usr/bin/screen -- system_u:object_r:screen_exec_t HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t -/var/run/screen/S-[^/]+ -d system_u:object_r:screen_dir_t -/var/run/screen/S-[^/]+/.* <> +/var/run/screens?/S-[^/]+ -d system_u:object_r:screen_dir_t +/var/run/screens?/S-[^/]+/.* <> diff --git a/strict/file_contexts/program/slocate.fc b/strict/file_contexts/program/slocate.fc index 85ea5a4..1796c77 100644 --- a/strict/file_contexts/program/slocate.fc +++ b/strict/file_contexts/program/slocate.fc 
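Review bot: In rpcd.fc, replacing `-/usr/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t` with `+/usr/sbin/rpc.idmapd -- system_u:object_r:rpcd_exec_t` narrows the former catch-all to a single binary, so any other `/usr/sbin/rpc.*` program not listed in this file (the hunk keeps only nfsd, gssd and idmapd) now falls back to the generic `/usr/sbin` label, presumably bin_t, and runs outside the rpcd domain. If that is intentional, a comment such as `# only idmapd is confined here; other rpc.* helpers keep the default bin label` would make the decision visible to the next reader; if not, the wildcard should stay. Either way the dot should be escaped (`rpc\.idmapd`) as in the surrounding `rpc\.nfsd` and `rpc\.gssd` lines.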
@@ -1,4 +1,4 @@ # locate - file locater /usr/bin/slocate -- system_u:object_r:locate_exec_t -/var/lib/slocate(/.*)? system_u:object_r:var_lib_locate_t +/var/lib/slocate(/.*)? system_u:object_r:locate_var_lib_t /etc/updatedb\.conf -- system_u:object_r:locate_etc_t diff --git a/strict/file_contexts/program/thunderbird.fc b/strict/file_contexts/program/thunderbird.fc new file mode 100644 index 0000000..ca37346 --- /dev/null +++ b/strict/file_contexts/program/thunderbird.fc @@ -0,0 +1,2 @@ +/usr/bin/thunderbird.* -- system_u:object_r:thunderbird_exec_t +HOME_DIR/\.thunderbird(/.*)? system_u:object_r:ROLE_thunderbird_home_t diff --git a/strict/file_contexts/program/tripwire.fc b/strict/file_contexts/program/tripwire.fc new file mode 100644 index 0000000..88afc34 --- /dev/null +++ b/strict/file_contexts/program/tripwire.fc @@ -0,0 +1,9 @@ +# tripwire +/etc/tripwire(/.*)? system_u:object_r:tripwire_etc_t +/usr/sbin/siggen system_u:object_r:siggen_exec_t +/usr/sbin/tripwire system_u:object_r:tripwire_exec_t +/usr/sbin/tripwire-setup-keyfiles system_u:object_r:bin_t +/usr/sbin/twadmin system_u:object_r:twadmin_exec_t +/usr/sbin/twprint system_u:object_r:twprint_exec_t +/var/lib/tripwire(/.*)? system_u:object_r:tripwire_var_lib_t +/var/lib/tripwire/report(/.*)? system_u:object_r:tripwire_report_t diff --git a/strict/file_contexts/program/ucspi-tcp.fc b/strict/file_contexts/program/ucspi-tcp.fc new file mode 100644 index 0000000..448c1ab --- /dev/null +++ b/strict/file_contexts/program/ucspi-tcp.fc @@ -0,0 +1,3 @@ +#ucspi-tcp +/usr/bin/tcpserver -- system_u:object_r:utcpserver_exec_t +/usr/bin/rblsmtpd -- system_u:object_r:rblsmtpd_exec_t diff --git a/strict/file_contexts/program/uptimed.fc b/strict/file_contexts/program/uptimed.fc index e33489c..f80ccb4 100644 --- a/strict/file_contexts/program/uptimed.fc +++ b/strict/file_contexts/program/uptimed.fc 
@@ -1,4 +1,4 @@
 # uptimed
-/etc/uptimed\.conf -- system_u:object_r:etc_uptimed_t
+/etc/uptimed\.conf -- system_u:object_r:uptimed_etc_t
 /usr/sbin/uptimed -- system_u:object_r:uptimed_exec_t
 /var/spool/uptimed(/.*)? system_u:object_r:uptimed_spool_t
diff --git a/strict/file_contexts/program/uucpd.fc b/strict/file_contexts/program/uucpd.fc
new file mode 100644
index 0000000..db5a257
--- /dev/null
+++ b/strict/file_contexts/program/uucpd.fc
@@ -0,0 +1,5 @@
+# uucico program
+/usr/sbin/uucico -- system_u:object_r:uucpd_exec_t
+/var/spool/uucp(/.*)? system_u:object_r:uucpd_spool_t
+/var/spool/uucppublic(/.*)? system_u:object_r:uucpd_spool_t
+/var/log/uucp(/.*)? system_u:object_r:uucpd_log_t
diff --git a/strict/file_contexts/program/vpnc.fc b/strict/file_contexts/program/vpnc.fc
index 497bc20..afaea76 100644
--- a/strict/file_contexts/program/vpnc.fc
+++ b/strict/file_contexts/program/vpnc.fc
@@ -1,3 +1,4 @@
 # vpnc
 /usr/sbin/vpnc -- system_u:object_r:vpnc_exec_t
 /sbin/vpnc -- system_u:object_r:vpnc_exec_t
+/etc/vpnc/vpnc-script -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/webalizer.fc b/strict/file_contexts/program/webalizer.fc
index 792d600..5c11bcf 100644
--- a/strict/file_contexts/program/webalizer.fc
+++ b/strict/file_contexts/program/webalizer.fc
@@ -1 +1,3 @@
 #
+/usr/bin/webalizer -- system_u:object_r:webalizer_exec_t
+/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t
diff --git a/strict/file_contexts/program/winbind.fc b/strict/file_contexts/program/winbind.fc
index adfbe8e..9486f91 100644
--- a/strict/file_contexts/program/winbind.fc
+++ b/strict/file_contexts/program/winbind.fc
@@ -8,3 +8,4 @@ ifdef(`samba.te', `', `
 /var/cache/samba(/.*)? system_u:object_r:samba_var_t
 ')
 /var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t
+/usr/bin/ntlm_auth -- system_u:object_r:winbind_helper_exec_t
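Review bot: The new webalizer.fc line `+/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t` is missing the `?` after the group, so `/var/lib/webalizer` itself never matches and keeps whatever label its parent gives it; only the directory's contents are relabelled, which leaves the daemon unable to get its own type on the top-level directory. Every comparable entry in this commit uses `(/.*)?`, so `/var/lib/webalizer(/.*)? system_u:object_r:webalizer_var_lib_t` is what was intended.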
diff --git a/strict/file_contexts/program/xauth.fc b/strict/file_contexts/program/xauth.fc index 935715e..055fc2f 100644 --- a/strict/file_contexts/program/xauth.fc +++ b/strict/file_contexts/program/xauth.fc @@ -1,3 +1,4 @@ # xauth /usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t +HOME_DIR/\.xauth.* -- system_u:object_r:ROLE_xauth_home_t HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc index 5026407..6ee91a1 100644 --- a/strict/file_contexts/program/xdm.fc +++ b/strict/file_contexts/program/xdm.fc @@ -3,6 +3,7 @@ /usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t /opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t /usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t +/usr/bin/gdm-binary -- system_u:object_r:xdm_exec_t /var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t /usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t /var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t diff --git a/strict/file_contexts/program/xserver.fc b/strict/file_contexts/program/xserver.fc index 3ef0263..3d48a6f 100644 --- a/strict/file_contexts/program/xserver.fc +++ b/strict/file_contexts/program/xserver.fc 
@@ -4,14 +4,14 @@
 /usr/X11R6/bin/XFree86 -- system_u:object_r:xserver_exec_t
 /usr/X11R6/bin/Xorg -- system_u:object_r:xserver_exec_t
 /usr/X11R6/bin/Xipaq -- system_u:object_r:xserver_exec_t
-/var/lib/xkb(/.*)? system_u:object_r:var_lib_xkb_t
-/usr/X11R6/lib/X11/xkb -d system_u:object_r:var_lib_xkb_t
-/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:var_lib_xkb_t
+/var/lib/xkb(/.*)? system_u:object_r:xkb_var_lib_t
+/usr/X11R6/lib/X11/xkb -d system_u:object_r:xkb_var_lib_t
+/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:xkb_var_lib_t
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
 /var/log/XFree86.* -- system_u:object_r:xserver_log_t
 /var/log/Xorg.* -- system_u:object_r:xserver_log_t
 /etc/init\.d/xfree86-common -- system_u:object_r:xserver_exec_t
 /tmp/\.X11-unix -d system_u:object_r:xdm_tmp_t
 /tmp/\.X11-unix/.* -s <>
-/tmp/\.ICE-unix -d system_u:object_r:xdm_xserver_tmp_t
+/tmp/\.ICE-unix -d system_u:object_r:ice_tmp_t
 /tmp/\.ICE-unix/.* -s <>
diff --git a/strict/file_contexts/program/yam.fc b/strict/file_contexts/program/yam.fc
new file mode 100644
index 0000000..023b740
--- /dev/null
+++ b/strict/file_contexts/program/yam.fc
@@ -0,0 +1,5 @@
+# yam
+/etc/yam.conf -- system_u:object_r:yam_etc_t
+/usr/bin/yam system_u:object_r:yam_exec_t
+/var/yam(/.*)? system_u:object_r:yam_content_t
+/var/www/yam(/.*)? system_u:object_r:yam_content_t
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
index 7e3521a..a363f7b 100644
--- a/strict/macros/program/apache_macros.te
+++ b/strict/macros/program/apache_macros.te
@@ -3,14 +3,12 @@ define(`apache_domain', ` #This type is for webpages # -type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable; -ifelse($1, sys, ` -typealias httpd_sys_content_t alias httpd_sysadm_content_t; -') +type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable; # This type is used for .htaccess files # -type httpd_$1_htaccess_t, file_type, sysadmfile; +type httpd_$1_htaccess_t, file_type, sysadmfile, customizable; +allow httpd_t httpd_$1_htaccess_t: file r_file_perms; # This type is used for executable scripts files # @@ -29,7 +27,6 @@ allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms; allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; -can_network(httpd_$1_script_t) allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl }; allow httpd_$1_script_t usr_t:lnk_file { getattr read }; @@ -42,13 +39,19 @@ read_locale(httpd_$1_script_t) allow httpd_$1_script_t fs_t:filesystem getattr; allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; -allow httpd_$1_script_t { self proc_t }:file { getattr read }; +allow httpd_$1_script_t { self proc_t }:file r_file_perms; allow httpd_$1_script_t { self proc_t }:dir r_dir_perms; allow httpd_$1_script_t { self proc_t }:lnk_file read; allow httpd_$1_script_t device_t:dir { getattr search }; allow httpd_$1_script_t null_device_t:chr_file rw_file_perms; } + +if (httpd_enable_cgi && httpd_can_network_connect) { +can_network(httpd_$1_script_t) +allow httpd_$1_script_t port_type:tcp_socket name_connect; +} + ifdef(`ypbind.te', ` if (httpd_enable_cgi && allow_ypbind) { uncond_can_ypbind(httpd_$1_script_t) 
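Review bot: The new block `if (httpd_enable_cgi && httpd_can_network_connect) { can_network(httpd_$1_script_t) allow httpd_$1_script_t port_type:tcp_socket name_connect; }` grants `name_connect` through the `port_type` attribute, i.e. to every labelled TCP port, once the boolean is on; the boolean's name only says "network connect", so the scope should be spelled out for administrators, e.g. `# httpd_can_network_connect: CGI scripts may connect to ANY TCP port (port_type), not just http ports`. Separately, `allow httpd_$1_script_t { self proc_t }:file r_file_perms;` replaces `{ getattr read }` with a permission macro that typically carries more than those two permissions; if nothing in the script domain needs the extra ones on proc_t, the narrower explicit set was the safer choice. The apache_domain macro body continues past this hunk.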
@@ -62,13 +65,6 @@ type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable; type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable; file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) -ifdef(`slocate.te', ` -ifelse($1, `sys', `', ` -allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search }; -allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read }; -')dnl end ifelse -')dnl end slocate.te - ######################################################### # Permissions for running child processes and scripts ########################################################## @@ -82,9 +78,6 @@ allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms; -# for nscd -dontaudit httpd_$1_script_t var_t:dir search; - ########################################################################### # Allow the script interpreters to run the scripts. So # the perl executable will be able to run a perl script 
@@ -105,34 +98,58 @@ allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search }; # Allow the scripts to read, read/write, append to the specified directories # or files ############################################################################ -r_dir_file(httpd_$1_script_t, fonts_t) +read_fonts(httpd_$1_script_t) r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t) create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t) ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t) if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { -ifelse($1, sys, ` -domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t) -domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) -domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) -create_dir_file(httpd_t, httpdcontent) -can_exec(httpd_t, httpdcontent ) -', ` -can_exec(httpd_$1_script_t, httpdcontent ) -domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t) -') create_dir_file(httpd_$1_script_t, httpdcontent) +can_exec(httpd_$1_script_t, httpdcontent) } -ifelse($1, sys, ` # # If a user starts a script by hand it gets the proper context # -if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! 
httpd_disable_trans')) { +ifdef(`targeted_policy', `', ` +if (httpd_enable_cgi) { domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t) } +') role sysadm_r types httpd_$1_script_t; -', ` + +dontaudit httpd_$1_script_t sysctl_kernel_t:dir search; +dontaudit httpd_$1_script_t sysctl_t:dir search; + +############################################ +# Allow scripts to append to http logs +######################################### +allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search; +allow httpd_$1_script_t httpd_log_t:file { getattr append }; + +# apache should set close-on-exec +dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; + +################################################################ +# Allow the web server to run scripts and serve pages +############################################################## +if (httpd_builtin_scripting) { +r_dir_file(httpd_t, httpd_$1_script_ro_t) +create_dir_file(httpd_t, httpd_$1_script_rw_t) +ra_dir_file(httpd_t, httpd_$1_script_ra_t) +} +r_dir_file(httpd_t, httpd_$1_content_t) + +') +define(`apache_user_domain', ` + +apache_domain($1) + +typeattribute httpd_$1_content_t $1_file_type; + +if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { +domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t) +} if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { # If a user starts a script by hand it gets the proper context 
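Review bot: Inside `if (httpd_enable_cgi && httpd_unified ...)` the script domain now receives both `create_dir_file(httpd_$1_script_t, httpdcontent)` and the newly added `can_exec(httpd_$1_script_t, httpdcontent)`, so with httpd_unified set a script domain can write and also execute anything carrying the httpdcontent attribute; that is the trade-off the boolean makes, and it should be stated next to the rules, e.g. `# httpd_unified: script domains get write AND execute on every httpdcontent type; keep off where content must stay non-executable`. The hunk also moves `role sysadm_r types httpd_$1_script_t;` out of the targeted_policy ifdef so it is now unconditional; presumably intended, but worth a line in the commit message. The apache_domain macro begins before this hunk and the new apache_user_domain macro continues after it.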
@@ -145,11 +162,7 @@ role $1_r types httpd_$1_script_t; ######################################### create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t }) -create_dir_file($1_crond_t, httpd_$1_content_t) allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom }; -ifdef(`mozilla.te', ` -r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t }) -') ###################################################################### # Allow the user to create htaccess files @@ -172,26 +185,8 @@ ifdef(`nfs_home_dirs', ` r_dir_file(httpd_$1_script_t, nfs_t) ')dnl end if nfs_home_dirs } -')dnl end ifelse sys - -dontaudit httpd_$1_script_t sysctl_kernel_t:dir search; -dontaudit httpd_$1_script_t sysctl_t:dir search; - -################################################################ -# Allow the web server to run scripts and serve pages -############################################################## -r_dir_file(httpd_t, httpd_$1_content_t) - -allow httpd_t httpd_$1_htaccess_t: file r_file_perms; - -r_dir_file(httpd_t, httpd_$1_script_rw_t) - -############################################ -# Allow scripts to append to http logs -######################################### -allow httpd_$1_script_t httpd_log_t:file { getattr append }; - -# apache should set close-on-exec -dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; +ifdef(`crond.te', ` +create_dir_file($1_crond_t, httpd_$1_content_t) +') ') diff --git a/strict/macros/program/bonobo_macros.te b/strict/macros/program/bonobo_macros.te new file mode 100644 index 0000000..e76cf3a --- /dev/null +++ b/strict/macros/program/bonobo_macros.te 
@@ -0,0 +1,119 @@
+#
+# Bonobo
+#
+# Author: Ivan Gyurdiev
+#
+# bonobo_domain(role_prefix) - invoke per role
+# bonobo_client(app_prefix, role_prefix) - invoke per client app
+# bonobo_connect(type1_prefix, type2_prefix) -
+# connect two bonobo clients, the channel is bidirectional
+
+######################
+
+define(`bonobo_domain', `
+
+# Protect against double inclusion for faster compile
+ifdef(`bonobo_domain_$1', `', `
+define(`bonobo_domain_$1')
+
+# Type for daemon
+type $1_bonobo_t, domain, nscd_client_domain;
+
+# Transition from caller
+domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
+role $1_r types $1_bonobo_t;
+
+# Shared libraries, gconv-modules
+uses_shlib($1_bonobo_t)
+allow $1_bonobo_t lib_t:file r_file_perms;
+
+read_locale($1_bonobo_t)
+read_sysctl($1_bonobo_t)
+
+# Session management
+# FIXME: More specific context is needed for gnome-session
+ice_connect($1_bonobo, $1)
+
+# nsswitch.conf
+allow $1_bonobo_t etc_t:file { read getattr };
+
+# Fork to start apps
+allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
+allow $1_bonobo_t self:fifo_file rw_file_perms;
+
+# ???
+allow $1_bonobo_t root_t:dir search;
+allow $1_bonobo_t home_root_t:dir search;
+allow $1_bonobo_t $1_home_dir_t:dir search;
+
+# libexec ???
+allow $1_bonobo_t bin_t:dir search;
+
+# ORBit sockets for bonobo
+orbit_domain($1_bonobo, $1)
+
+# Bonobo can launch evolution
+ifdef(`evolution.te', `
+domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
+domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
+domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
+domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
+')
+
+# Bonobo can launch GNOME vfs daemon
+ifdef(`gnome_vfs.te', `
+domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
+')
+
+# Transition to ROLE_t on bin_t apps
+# FIXME: The goal is to get rid of this rule, as it
+# defeats the purpose of a separate domain. It is only
+# here temporarily, since bonobo runs as ROLE_t by default anyway
+domain_auto_trans($1_bonobo_t, bin_t, $1_t)
+
+ifdef(`xdm.te', `
+can_pipe_xdm($1_bonobo_t)
+')
+
+') dnl ifdef bonobo_domain_args
+') dnl bonobo_domain
+
+#####################
+
+define(`bonobo_client', `
+
+# Protect against double inclusion for faster compile
+ifdef(`bonobo_client_$1_$2', `', `
+define(`bonobo_client_$1_$2')
+# Connect over bonobo
+bonobo_connect($1, $2_gconfd, $1)
+
+# Create ORBit sockets
+orbit_domain($1, $2)
+
+# Connect to bonobo
+orbit_connect($1, $2_bonobo)
+orbit_connect($2_bonobo, $1)
+
+# Lock /tmp/bonobo-activation-register.lock
+# Stat /tmp/bonobo-activation-server.ior
+# FIXME: this should probably be of type $2_bonobo..
+# Note that this is file, not sock_file
+allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
+
+domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
+
+') dnl ifdef bonobo_client_args
+') dnl bonobo_client
+
+#####################
+
+define(`bonobo_connect', `
+
+# FIXME: Should there be a macro for unidirectional conn. ?
+
+orbit_connect($1, $2)
+orbit_connect($2, $1)
+
+') dnl bonobo_connect
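Review bot: In `bonobo_client`, the call `bonobo_connect($1, $2_gconfd, $1)` passes three arguments to a macro that is defined with two parameters (`define(`bonobo_connect', ` ... orbit_connect($1, $2) orbit_connect($2, $1)`), so the trailing `$1` is silently discarded by m4 and the extra argument has no effect. The header comment also documents the two-argument form `bonobo_connect(type1_prefix, type2_prefix)`, so the call should read `bonobo_connect($1, $2_gconfd)`; if a third role-prefix parameter was intended, bonobo_connect needs to be extended and its header comment updated to match.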
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te index 6af7ddc..aa9e1e5 100644 --- a/strict/macros/program/cdrecord_macros.te +++ b/strict/macros/program/cdrecord_macros.te @@ -40,15 +40,16 @@ r_dir_file($1_cdrecord_t, cifs_t) allow $1_cdrecord_t etc_t:file { getattr read }; # allow searching for cdrom-drive -allow $1_cdrecord_t device_t:dir { getattr search }; +allow $1_cdrecord_t device_t:dir r_dir_perms; allow $1_cdrecord_t device_t:lnk_file { getattr read }; # allow cdrecord to write the CD allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl }; allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl }; -allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid }; +allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill }; - +allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms; +read_content($1_cdrecord_t, $1) ') diff --git a/strict/macros/program/chroot_macros.te b/strict/macros/program/chroot_macros.te index d06e6f1..47ca86b 100644 --- a/strict/macros/program/chroot_macros.te +++ b/strict/macros/program/chroot_macros.te @@ -119,6 +119,7 @@ general_domain_access({ $2_t $2_super_t }) can_create_pty($2) can_create_pty($2_super) can_network({ $2_t $2_super_t }) +allow { $2_t $2_super_t } port_type:tcp_socket name_connect; allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms; allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton; allow { $2_t $2_super_t } self:capability { dac_override kill }; diff --git a/strict/macros/program/clamav_macros.te b/strict/macros/program/clamav_macros.te index e5a4a37..bc15930 100644 --- a/strict/macros/program/clamav_macros.te +++ b/strict/macros/program/clamav_macros.te 
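Review bot: `allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };` adds dac_override and sys_rawio to a per-user domain with no explanation; sys_rawio is a broad raw-I/O capability that goes well beyond the specific `removable_device_t:blk_file` and `scsi_generic_device_t:chr_file` rules that follow it, and dac_override bypasses filesystem permission checks, so each deserves a why-comment, e.g. `# sys_rawio: TODO confirm which burner ioctl needs it; dac_override: TODO confirm the path that fails without it`. The chroot_macros.te hunk on this same line adds `allow { $2_t $2_super_t } port_type:tcp_socket name_connect;`, which likewise grants connects to every labelled TCP port and would benefit from a comment stating that scope. The cdrecord macro body begins before this hunk.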
@@ -12,6 +12,7 @@ define(`can_clamd_connect',` allow $1_t clamd_var_run_t:dir search; allow $1_t clamd_var_run_t:sock_file write; +allow $1_t clamd_sock_t:sock_file write; can_unix_connect($1_t, clamd_t) ') diff --git a/strict/macros/program/daemontools_macros.te b/strict/macros/program/daemontools_macros.te new file mode 100644 index 0000000..94c4f8e --- /dev/null +++ b/strict/macros/program/daemontools_macros.te @@ -0,0 +1,11 @@ +ifdef(`daemontools.te', ` + +define(`svc_ipc_domain',` +allow $1 svc_start_t:process sigchld; +allow $1 svc_start_t:fd use; +allow $1 svc_start_t:fifo_file { read write getattr }; +allow svc_start_t $1:process signal; +') + +') dnl ifdef daemontools + diff --git a/strict/macros/program/ethereal_macros.te b/strict/macros/program/ethereal_macros.te new file mode 100644 index 0000000..c546cb4 --- /dev/null +++ b/strict/macros/program/ethereal_macros.te 
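Review bot: The new `allow $1_t clamd_sock_t:sock_file write;` has no matching directory search for wherever a `clamd_sock_t` socket lives; the search rule two lines up covers only `clamd_var_run_t`. If the socket is created inside a clamd_var_run_t directory that is fine and worth a one-line comment (`# socket may be labelled clamd_sock_t under clamd_var_run_t`); if it can live elsewhere, the connect fails on the dir search before the sock_file write is ever checked. The `define` line is only the hunk's context header, so the macro starts outside the hunk.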
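Review bot: `svc_ipc_domain` is defined only inside `ifdef(`daemontools.te', …)`, so on a build without daemontools.te any caller's `svc_ipc_domain(foo_t)` is left unexpanded by m4 and reaches checkpolicy as literal text. Either every caller must repeat the same ifdef, or the macro should be defined unconditionally with the ifdef moved inside its body, e.g. `define(`svc_ipc_domain',` ifdef(`daemontools.te', ` … ') ')`. A header comment stating that `$1` is a domain type and that the rules let it inherit svc_start_t fds/fifos and be signalled by svc_start_t would also match the other new macro files.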
@@ -0,0 +1,83 @@ +# DESC - Ethereal +# +# Author: Ivan Gyurdiev +# + +############################################################# +# ethereal_networking(app_prefix) - +# restricted ethereal rules (sysadm only) +# + +define(`ethereal_networking', ` + +# Create various types of sockets +allow $1_t self:netlink_route_socket create_netlink_socket_perms; +allow $1_t self:udp_socket create_socket_perms; +allow $1_t self:packet_socket create_socket_perms; +allow $1_t self:unix_stream_socket create_stream_socket_perms; +allow $1_t self:tcp_socket create_socket_perms; + +allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid }; + +# Resolve names via DNS +can_resolve($1_t) + +') dnl ethereal_networking + +######################################################## +# Ethereal (GNOME) +# + +define(`ethereal_domain', ` + +# Type for program +type $1_ethereal_t, domain, nscd_client_domain; + +# Transition from sysadm type +domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t) +role $1_r types $1_ethereal_t; + +# Manual transition from userhelper +# FIXME: Need to handle the fallback case, which requires userhelper support +ifdef(`userhelper.te', ` +allow userhelperdomain sysadm_ethereal_t:process { transition siginh rlimitinh noatsecure }; +allow sysadm_ethereal_t userhelperdomain:fd use; +allow sysadm_ethereal_t userhelperdomain:process sigchld; +') dnl userhelper + +# X, GNOME +x_client_domain($1_ethereal, $1) +gnome_application($1_ethereal, $1) +gnome_file_dialog($1_ethereal, $1) + +# Why does it write this? 
+ifdef(`snmpd.te', ` +dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write; +') + +# /home/.ethereal +home_domain($1, ethereal) +file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir) + +# Enable restricted networking rules for sysadm - this is shared w/ tethereal +ifelse($1, `sysadm', ` +ethereal_networking($1_ethereal) + +# Ethereal tries to write to user terminal +dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write }; +dontaudit sysadm_ethereal_t unpriv_userdomain:fd use; +', `') + +# Store temporary files +tmp_domain($1_ethereal) + +# Re-execute itself (why?) +can_exec($1_ethereal_t, ethereal_exec_t) +allow $1_ethereal_t sbin_t:dir search; + +# Supress .local denials until properly implemented +dontaudit $1_ethereal_t $1_home_t:dir search; + +# FIXME: policy is incomplete + +') dnl ethereal_domain diff --git a/strict/macros/program/evolution_macros.te b/strict/macros/program/evolution_macros.te new file mode 100644 index 0000000..facfe7f --- /dev/null +++ b/strict/macros/program/evolution_macros.te 
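Review bot: `ethereal_domain` is parameterised on `$1`, but the `ifdef(`userhelper.te'` block and the `ifdef(`snmpd.te'` dontaudit name `sysadm_ethereal_t` literally and sit outside the `ifelse($1, `sysadm', …)` guard, so instantiating the macro for any other role prefix emits rules for a type that role never declared, and the userhelper rules would grant a transition into the sysadm domain rather than `$1_ethereal_t`. Replace those occurrences with `$1_ethereal_t`, or move the two blocks inside the sysadm-only ifelse. Separately, `ethereal_networking` grants `dac_override dac_read_search` next to `net_raw`; capture needs net_raw, but the two DAC bypasses deserve a comment naming the file they are for, since a capture tool with dac_read_search can read every file its MAC rules reach.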
@@ -0,0 +1,234 @@ +# +# Evolution +# +# Author: Ivan Gyurdiev +# + +################################################ +# evolution_common(app_prefix,role_prefix) +# +define(`evolution_common', ` + +# Gnome common stuff +gnome_application($1, $2) + +# Stat root +allow $1_t root_t:dir search; + +# Access null device +allow $1_t null_device_t:chr_file rw_file_perms; + +# FIXME: suppress access to .local/.icons/.themes until properly implemented +dontaudit $1_t $2_home_t:dir r_dir_perms; + +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +dontaudit $1_t $2_home_t:file r_file_perms; + +') dnl evolution_common + +####################################### +# evolution_data_server(role_prefix) +# + +define(`evolution_data_server', ` + +# Type for daemon +type $1_evolution_server_t, domain, nscd_client_domain; + +# Transition from user type +if (! disable_evolution_trans) { +domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t) +} +role $1_r types $1_evolution_server_t; + +# Evolution common stuff +evolution_common($1_evolution_server, $1) + +# Access evolution home +home_domain_access($1_evolution_server_t, $1, evolution) + +# Talks to exchange +bonobo_connect($1_evolution_server, $1_evolution_exchange) + +can_exec($1_evolution_server_t, shell_exec_t) + +# Obtain weather data via http (read server name from xml file in /usr) +allow $1_evolution_server_t usr_t:file r_file_perms; +can_resolve($1_evolution_server_t) +can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } ) +allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect; + +# Talk to ldap (address book) +can_network_client_tcp($1_evolution_server_t, ldap_port_t) +allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect; + +# Look in /etc/pki +allow $1_evolution_server_t cert_t:dir r_dir_perms; + +') dnl evolution_data_server + +####################################### +# 
evolution_webcal(role_prefix) +# + +define(`evolution_webcal', ` + +# Type for program +type $1_evolution_webcal_t, domain, nscd_client_domain; + +# Transition from user type +domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t) +role $1_r types $1_evolution_webcal_t; + +# X/evolution common stuff +x_client_domain($1_evolution_webcal, $1) +evolution_common($1_evolution_webcal, $1) + +# Search home directory (?) +allow $1_evolution_webcal_t $1_home_dir_t:dir search; + +# Networking capability - connect to website and handle ics link +# FIXME: is this necessary ? +can_resolve($1_evolution_webcal_t); +can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } ) +allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect; + +') dnl evolution_webcal + +####################################### +# evolution_alarm(role_prefix) +# +define(`evolution_alarm', ` + +# Type for program +type $1_evolution_alarm_t, domain, nscd_client_domain; + +# Transition from user type +domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t) +role $1_r types $1_evolution_alarm_t; + +# Common evolution stuff, X +evolution_common($1_evolution_alarm, $1) +x_client_domain($1_evolution_alarm, $1) + +# Connect to exchange, e-d-s +bonobo_connect($1_evolution_alarm, $1_evolution_server) +bonobo_connect($1_evolution_alarm, $1_evolution_exchange) + +# Access evolution home +home_domain_access($1_evolution_alarm_t, $1, evolution) + +') dnl evolution_alarm + +######################################## +# evolution_exchange(role_prefix) +# +define(`evolution_exchange', ` + +# Type for program +type $1_evolution_exchange_t, domain, nscd_client_domain; + +# Transition from user type +domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t) +role $1_r types $1_evolution_exchange_t; + +# Common evolution stuff, X +evolution_common($1_evolution_exchange, $1) +x_client_domain($1_evolution_exchange, $1) + +# Access 
evolution home +home_domain_access($1_evolution_exchange_t, $1, evolution) + +# /tmp/.exchange-$USER +tmp_domain($1_evolution_exchange) + +# Allow netstat +allow $1_evolution_exchange_t bin_t:dir search; +can_exec($1_evolution_exchange_t, bin_t) +r_dir_file($1_evolution_exchange_t, proc_net_t) +allow $1_evolution_exchange_t sysctl_net_t:dir search; +allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms; + +# Clock applet talks to exchange (FIXME: Needs policy) +bonobo_connect($1, $1_evolution_exchange) + +# FIXME: policy incomplete + +') dnl evolution_exchange + +####################################### +# evolution_domain(role_prefix) +# + +define(`evolution_domain', ` + +# Type for program +type $1_evolution_t, domain, nscd_client_domain, privlog; + +# Transition from user type +domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t) +role $1_r types $1_evolution_t; + +# X, mail, evolution common stuff +x_client_domain($1_evolution, $1) +mail_client_domain($1_evolution, $1) +gnome_file_dialog($1_evolution, $1) +evolution_common($1_evolution, $1) + +# Connect to e-d-s, exchange, alarm +bonobo_connect($1_evolution, $1_evolution_server) +bonobo_connect($1_evolution, $1_evolution_exchange) +bonobo_connect($1_evolution, $1_evolution_alarm) + +# Access .evolution +home_domain($1, evolution) + +# Store passwords in .gnome2_private +gnome_private_store($1_evolution, $1) + +# Run various programs +allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms; +allow $1_evolution_t { self bin_t }:lnk_file r_file_perms; + +### Junk mail filtering (start spamd) +ifdef(`spamd.te', ` +# Start the spam daemon +domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t) +role $1_r types spamd_t; + +# Write pid file and socket in ~/.evolution/cache/tmp +file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file }) + +# Allow evolution to signal the daemon +# FIXME: Now evolution can read spamd temp files +allow $1_evolution_t 
spamd_tmp_t:file r_file_perms; +allow $1_evolution_t spamd_t:process signal; +dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr; +') dnl spamd.te + +### Junk mail filtering (start spamc) +ifdef(`spamc.te', ` +domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t) + +# Allow connection to spamd socket above +allow $1_spamc_t $1_evolution_home_t:dir search; +') dnl spamc.te + +### Junk mail filtering (start spamassassin) +ifdef(`spamassassin.te', ` +domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t) +') dnl spamassasin.te + +') dnl evolution_domain + +################################# +# evolution_domains(role_prefix) + +define(`evolution_domains', ` +evolution_domain($1) +evolution_data_server($1) +evolution_webcal($1) +evolution_alarm($1) +evolution_exchange($1) +') dnl end evolution_domains diff --git a/strict/macros/program/fontconfig_macros.te b/strict/macros/program/fontconfig_macros.te new file mode 100644 index 0000000..7f4a56d --- /dev/null +++ b/strict/macros/program/fontconfig_macros.te 
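Review bot: Under `ifdef(`spamd.te'`, `domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)` places a spamd started by the user's mail client in the system daemon's domain `spamd_t` and then has that domain write `spamd_tmp_t` pid/socket files into `$1_evolution_home_t`; a user-launched process thereby carries whatever spamd_t is allowed system-wide, and the FIXME already admits the temp-file leakage back to evolution. The `spamc.te` and `spamassassin.te` branches directly below use per-role `$1_spamc_t`/`$1_spamassassin_t` domains, so the spamd branch should probably follow suit or carry a comment explaining why the shared domain is acceptable. Also, `can_exec($1_evolution_server_t, shell_exec_t)` in `evolution_data_server` runs a shell inside the data-server domain with no explanation; a one-line comment naming the script that needs it would help the next reviewer.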
@@ -0,0 +1,52 @@
+#
+# Fontconfig related types
+#
+# Author: Ivan Gyurdiev
+#
+# fontconfig_domain(role_prefix) - create fontconfig domain
+#
+# read_fonts(domain, role_prefix) -
+# allow domain to read fonts, optionally per/user
+#
+
+define(`fontconfig_domain', `
+
+type $1_fonts_t, file_type, $1_file_type, sysadmfile;
+type $1_fonts_config_t, file_type, $1_file_type, sysadmfile;
+type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
+
+create_dir_file($1_t, $1_fonts_t)
+allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom };
+
+create_dir_file($1_t, $1_fonts_config_t)
+allow $1_t $1_fonts_config_t:file { relabelto relabelfrom };
+
+# For startup relabel
+allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+
+') dnl fontconfig_domain
+
+####################
+
+define(`read_fonts', `
+
+# Read global fonts and font config
+r_dir_file($1, fonts_t)
+r_dir_file($1, etc_t)
+
+ifelse(`$2', `', `', `
+
+# Manipulate the global font cache
+create_dir_file($1, $2_fonts_cache_t)
+
+# Read per user fonts and font config
+r_dir_file($1, $2_fonts_t)
+r_dir_file($1, $2_fonts_config_t)
+
+# There are some fonts in .gnome2
+ifdef(`gnome.te', `
+allow $1 $2_gnome_settings_t:dir { getattr search };
+')
+
+') dnl ifelse
+') dnl read_fonts
diff --git a/strict/macros/program/gconf_macros.te b/strict/macros/program/gconf_macros.te
new file mode 100644
index 0000000..5f34ea7
--- /dev/null
+++ b/strict/macros/program/gconf_macros.te
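Review bot: In `read_fonts`, the comment `# Manipulate the global font cache` sits above `create_dir_file($1, $2_fonts_cache_t)`, which is the per-role cache type declared in `fontconfig_domain`, not a global one; and the rule hands create/write on that cache to every domain that merely reads fonts (this patch calls `read_fonts($1_javaplugin_t, $2)`, so a browser plugin can plant cache files that the user's other applications then read). Suggest `# Create/update the per-user font cache` and, if only fontconfig's own cache writer needs write access, a separate macro for it. `r_dir_file($1, etc_t)` is also much broader than /etc/fonts; a dedicated type would be the proper fix, but at minimum the comment should say it is all of etc_t.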
@@ -0,0 +1,57 @@
+#
+# GConfd daemon
+#
+# Author: Ivan Gyurdiev
+#
+
+#######################################
+# gconfd_domain(role_prefix)
+#
+
+define(`gconfd_domain', `
+
+# Type for daemon
+type $1_gconfd_t, domain, nscd_client_domain, privlog;
+
+gnome_application($1_gconfd, $1)
+
+# Transition from user type
+domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t)
+role $1_r types $1_gconfd_t;
+
+allow $1_gconfd_t self:process { signal getsched };
+
+# Access .gconfd and .gconf
+home_domain($1, gconfd)
+file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir)
+
+# Access /etc/gconf
+r_dir_file($1_gconfd_t, gconf_etc_t)
+
+# /tmp/gconfd-USER
+tmp_domain($1_gconfd)
+
+ifdef(`xdm.te', `
+can_pipe_xdm($1_gconfd_t)
+allow xdm_t $1_gconfd_t:process signal;
+')
+
+') dnl gconf_domain
+
+#####################################
+# gconf_client(prefix, role_prefix)
+#
+
+define(`gconf_client', `
+
+# Launch the daemon if necessary
+domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)
+
+# Connect over bonobo
+bonobo_connect($1, $2_gconfd)
+
+# Read lock/ior
+allow $1_t $2_gconfd_tmp_t:dir { getattr search };
+allow $1_t $2_gconfd_tmp_t:file { getattr read };
+
+') dnl gconf_client
diff --git a/strict/macros/program/gnome_macros.te b/strict/macros/program/gnome_macros.te
new file mode 100644
index 0000000..5d31af5
--- /dev/null
+++ b/strict/macros/program/gnome_macros.te
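Review bot: The closing label `') dnl gconf_domain` does not match the macro it closes, `gconfd_domain`; make it `') dnl gconfd_domain` so the paired markers stay greppable. In `gconf_client`, the `# Read lock/ior` rules let `$1_t` read `$2_gconfd_tmp_t:file`, which presumably is how a client locates another role's settings daemon; a short comment saying that this is deliberate cross-prefix access (the macro is called as `gconf_client($1, $1)` in gnome_macros.te, but nothing prevents other pairings) would help whoever audits future callers.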
@@ -0,0 +1,115 @@ +# +# GNOME related types +# +# Author: Ivan Gyurdiev +# +# gnome_domain(role_prefix) - create GNOME domain (run for each role) +# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps +# gnome_file_dialog(role_prefix) - gnome file dialog rules +# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private + +define(`gnome_domain', ` + +# Types for .gnome2 and .gnome2_private. +# For backwards compatibility, allow unrestricted +# access from ROLE_t. However, content inside +# *should* be labeled per application eventually. +# For .gnome2_private, use the private_store macro below. + +type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile; +create_dir_file($1_t, $1_gnome_settings_t) +allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto }; + +type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile; +create_dir_file($1_t, $1_gnome_secret_t) +allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto }; + +# GConf domain +gconfd_domain($1) +gconf_client($1, $1) + +# Bonobo-activation-server +bonobo_domain($1) +bonobo_client($1, $1) + +# GNOME vfs daemon +gnome_vfs_domain($1) +gnome_vfs_client($1, $1) + +# ICE is necessary for session management +ice_domain($1, $1) + +') + +################################# + +define(`gnome_application', ` + +# If launched from a terminal +access_terminal($1_t, $2) + +# Forking is generally okay +allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork }; +allow $1_t self:fifo_file rw_file_perms; + +# Shlib, locale, sysctl, proc +uses_shlib($1_t) +read_locale($1_t) +read_sysctl($1_t) + +allow $1_t { self proc_t }:dir { search read getattr }; +allow $1_t { self proc_t }:{ file lnk_file } { read getattr }; + +# Most gnome apps use bonobo +bonobo_client($1, $2) + +# Within-process bonobo-activation of components +bonobo_connect($1, $1) + +# Session management happens over ICE +# FIXME: More specific context is needed for 
gnome-session +ice_connect($1, $2) + +# Most talk to GConf +gconf_client($1, $2) + +# Allow getattr/read/search of .gnome2 and .gnome2_private +# Reading files should *not* be allowed - instead, more specific +# types should be created to handle such requests +allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms; + +# Access /etc/mtab, /etc/nsswitch.conf +allow $1_t etc_t:file { read getattr }; +allow $1_t etc_runtime_t:file { read getattr }; + +# Themes, gtkrc +allow $1_t usr_t:{ file lnk_file } r_file_perms; + +') dnl gnome_application + +################################ + +define(`gnome_file_dialog', ` + +# GNOME Open/Save As dialogs +dontaudit_getattr($1_t) +dontaudit_search_dir($1_t) + +# Bonobo connection to gnome_vfs daemon +bonobo_connect($1, $2_gnome_vfs) + +') dnl gnome_file_dialog + +################################ + +define(`gnome_private_store', ` + +# Type for storing secret data +# (different from home, not directly accessible from ROLE_t) +type $1_secret_t, file_type, $2_file_type, sysadmfile; + +# Put secret files in .gnome2_private +file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file); +allow $2_t $1_secret_t:file unlink; + +') dnl gnome_private_store diff --git a/strict/macros/program/gnome_vfs_macros.te b/strict/macros/program/gnome_vfs_macros.te new file mode 100644 index 0000000..8ff5c28 --- /dev/null +++ b/strict/macros/program/gnome_vfs_macros.te 
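Review bot: The file header documents `gnome_file_dialog(role_prefix)` with one argument, but the body uses both `$1` and `$2` (`bonobo_connect($1, $2_gnome_vfs)`) and every caller in this patch passes two (`gnome_file_dialog($1_ethereal, $1)`); change the header to `# gnome_file_dialog(app_prefix, role_prefix) - gnome file dialog rules`. In `gnome_private_store`, `file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);` carries a trailing semicolon after the m4 call that the other invocations in this file do not; drop it for consistency. The blanket `dontaudit_getattr`/`dontaudit_search_dir` in `gnome_file_dialog` will also hide genuine probing by any application that pulls in the dialog rules, which deserves a one-line comment.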
@@ -0,0 +1,55 @@
+#
+# GNOME VFS daemon
+#
+# Author: Ivan Gyurdiev
+#
+
+#######################################
+# gnome_vfs_domain(role_prefix)
+#
+
+define(`gnome_vfs_domain', `
+
+# Type for daemon
+type $1_gnome_vfs_t, domain, nscd_client_domain;
+
+# GNOME, dbus
+gnome_application($1_gnome_vfs, $1)
+dbusd_client(system, $1_gnome_vfs)
+allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
+ifdef(`hald.te', `
+allow $1_gnome_vfs_t hald_t:dbus send_msg;
+allow hald_t $1_gnome_vfs_t:dbus send_msg;
+')
+
+# Transition from user type
+domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
+role $1_r types $1_gnome_vfs_t;
+
+# Stat top level directories on mount_points (check free space?)
+allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr;
+
+# Search path to /home (??)
+allow $1_gnome_vfs_t home_root_t:dir search;
+allow $1_gnome_vfs_t $1_home_dir_t:dir search;
+
+# Search path to rpc_pipefs mount point (??)
+allow $1_gnome_vfs_t var_lib_nfs_t:dir search;
+allow $1_gnome_vfs_t var_lib_t:dir search;
+
+# Search libexec (??)
+allow $1_gnome_vfs_t bin_t:dir search;
+can_exec($1_gnome_vfs_t, bin_t)
+
+') dnl gnome_vfs_domain
+
+#####################################
+# gnome_vfs_client(prefix, role_prefix)
+#
+
+define(`gnome_vfs_client', `
+
+# Connect over bonobo
+bonobo_connect($1, $2_gnome_vfs)
+
+') dnl gnome_vfs_client
diff --git a/strict/macros/program/ice_macros.te b/strict/macros/program/ice_macros.te
new file mode 100644
index 0000000..b373496
--- /dev/null
+++ b/strict/macros/program/ice_macros.te
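Review bot: `can_exec($1_gnome_vfs_t, bin_t)` under `# Search libexec (??)` lets the VFS daemon execute any bin_t program in its own domain without a transition, and the question marks show the actual need was not identified; since the same domain is also given `system_dbusd_t:dbus send_msg` and, with hald, a bidirectional dbus channel, any bin_t helper run this way inherits all of that. Identify the helper and either give it its own type or document it above the rule, e.g. `# gnome-vfs-daemon execs <helper> from /usr/libexec in its own domain`. The `bin_t:dir search` alone is harmless and can stay.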
@@ -0,0 +1,38 @@
+#
+# ICE related types
+#
+# Author: Ivan Gyurdiev
+#
+# ice_domain(prefix, role) - create ICE sockets
+# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets
+
+define(`ice_domain', `
+ifdef(`$1_ice_tmp_t_defined',`', `
+define(`$1_ice_tmp_t_defined')
+
+# Type for ICE sockets
+type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile;
+file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)
+
+# Create the sockets
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# FIXME: How does iceauth tie in?
+
+')
+')
+
+# FIXME: Should this be bidirectional?
+# Adding only unidirectional for now.
+
+define(`ice_connect', `
+
+# Read .ICEauthority file
+allow $1_t $2_iceauth_home_t:file { read getattr };
+
+can_unix_connect($1_t, $2_t)
+allow $1_t ice_tmp_t:dir r_dir_perms;
+allow $1_t $2_ice_tmp_t:sock_file { read write };
+allow $1_t $2_t:unix_stream_socket { read write };
+')
diff --git a/strict/macros/program/iceauth_macros.te b/strict/macros/program/iceauth_macros.te
new file mode 100644
index 0000000..cc7e804
--- /dev/null
+++ b/strict/macros/program/iceauth_macros.te
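Review bot: The header says `ice_domain(prefix, role)` and the caller in gnome_macros.te passes two arguments (`ice_domain($1, $1)`), but the body only ever uses `$1`; either document the second argument as unused or drop it, e.g. `# ice_domain(prefix) - create ICE sockets for prefix_t`. The `ifdef(`$1_ice_tmp_t_defined', …)` guard is sensible but means a second instantiation for the same prefix silently emits nothing, which the comment should say. In `ice_connect`, `allow $1_t $2_iceauth_home_t:file { read getattr };` grants the client read access to the other prefix's .ICEauthority file — presumably the cookie that authorises the ICE session — so a comment noting that this is a per-user credential and why a unidirectional grant is enough would resolve the FIXME rather than defer it.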
@@ -0,0 +1,40 @@ +# +# Macros for iceauth domains. +# +# Author: Ivan Gyurdiev +# +# iceauth_domain(domain_prefix) + +define(`iceauth_domain',` + +# Program type +type $1_iceauth_t, domain; + +# Transition from the user domain to this domain. +domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t) +role $1_r types $1_iceauth_t; + +# Store .ICEauthority files +home_domain($1, iceauth) +file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file) + +# Supress xdm trying to restore .ICEauthority permissions +ifdef(`xdm.te', ` +dontaudit xdm_t $1_iceauth_home_t:file r_file_perms; +') + +# /root +allow $1_iceauth_t root_t:dir search; + +# Terminal output +access_terminal($1_iceauth_t, $1) + +uses_shlib($1_iceauth_t) + +# ??? +allow $1_iceauth_t etc_t:dir search; +allow $1_iceauth_t usr_t:dir search; + +# FIXME: policy is incomplete + +')dnl end xauth_domain macro diff --git a/strict/macros/program/java_macros.te b/strict/macros/program/java_macros.te index b7c2be4..874d6dc 100644 --- a/strict/macros/program/java_macros.te +++ b/strict/macros/program/java_macros.te @@ -4,7 +4,7 @@ # Macros for javaplugin (java plugin) domains. # # -# javaplugin_domain(domain_prefix, user) +# javaplugin_domain(domain_prefix, role) # # Define a derived domain for the javaplugin program when executed by # a web browser. @@ -29,9 +29,9 @@ allow $1_javaplugin_t $1_t:unix_stream_socket { read write }; # This domain is granted permissions common to most domains (including can_net) can_network_client($1_javaplugin_t) +allow $1_javaplugin_t port_type:tcp_socket name_connect; can_ypbind($1_javaplugin_t) allow $1_javaplugin_t self:process { fork signal_perms getsched setsched }; -allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow $1_javaplugin_t self:fifo_file rw_file_perms; allow $1_javaplugin_t etc_runtime_t:file { getattr read }; allow $1_javaplugin_t fs_t:filesystem getattr; 
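Review bot: The comment `# Supress xdm trying to restore .ICEauthority permissions` does not describe the rule under it, `dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;`, which silences xdm reading the user's ICE auth file rather than a setattr; if xdm only chmods the file the dontaudit belongs on `setattr`, and if it really reads the file that is access to a per-user credential that should be understood before it is hidden. Also fix the typo (`Suppress`) and the closing label `')dnl end xauth_domain macro`, which should read `iceauth_domain`.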
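Review bot: `allow $1_javaplugin_t port_type:tcp_socket name_connect;` lets the browser plugin connect to every defined port type, while the browser domain that spawns it is restricted in this same patch to `{ http_port_t http_cache_port_t ftp_port_t ipp_port_t }` with a dontaudit on `port_t`; a plugin less confined than its host defeats the host's port list. Unless applets are expected to reach arbitrary services, mirror the mozilla set here, e.g. `allow $1_javaplugin_t { http_port_t http_cache_port_t ftp_port_t }:tcp_socket name_connect;` plus `dontaudit $1_javaplugin_t port_t:tcp_socket name_connect;`. The macro body continues into the next hunk.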
@@ -41,44 +41,24 @@ allow $1_javaplugin_t self:lnk_file read; allow $1_javaplugin_t self:file { getattr read }; read_sysctl($1_javaplugin_t) +allow $1_javaplugin_t sysctl_vm_t:dir search; tmp_domain($1_javaplugin) -r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t }) +read_fonts($1_javaplugin_t, $2) +r_dir_file($1_javaplugin_t,{ usr_t etc_t }) # Search bin directory under javaplugin for javaplugin executable allow $1_javaplugin_t bin_t:dir search; can_exec($1_javaplugin_t, java_exec_t) -# Allow connections to X server. -ifdef(`xserver.te', ` - -ifdef(`xdm.te', ` -# for when /tmp/.X11-unix is created by the system -allow $1_javaplugin_t xdm_xserver_tmp_t:dir search; -allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms; -allow $1_javaplugin_t xdm_tmp_t:dir search; -allow $1_javaplugin_t xdm_tmp_t:sock_file write; -') - -ifdef(`startx.te', ` -# for when /tmp/.X11-unix is created by the X server -allow $1_javaplugin_t $2_xserver_tmp_t:dir search; - -# for /tmp/.X0-lock -allow $1_javaplugin_t $2_xserver_tmp_t:file getattr; - -allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms; -can_unix_connect($1_javaplugin_t, $2_xserver_t) -')dnl end startx - -can_unix_connect($1_javaplugin_t, xdm_xserver_t) -allow xdm_xserver_t $1_javaplugin_t:fd use; -allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read }; -dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write }; - -')dnl end xserver +# libdeploy.so legacy +allow $1_javaplugin_t texrel_shlib_t:file execmod; +if (allow_execmem) { +allow $1_javaplugin_t self:process execmem; +} -allow $1_javaplugin_t self:shm create_shm_perms; +# Connect to X server +x_client_domain($1_javaplugin, $2) uses_shlib($1_javaplugin_t) read_locale($1_javaplugin_t) diff --git a/strict/macros/program/mail_client_macros.te b/strict/macros/program/mail_client_macros.te new file mode 100644 index 0000000..90b9b1d --- /dev/null +++ b/strict/macros/program/mail_client_macros.te 
@@ -0,0 +1,63 @@ +# +# Shared macro for mail clients +# +# Author: Ivan Gyurdiev +# + +######################################## +# mail_client_domain(client, role_prefix) +# + +define(`mail_client_domain', ` + +# Allow netstat +# Startup shellscripts +allow $1_t bin_t:dir r_dir_perms; +allow $1_t bin_t:lnk_file r_file_perms; +can_exec($1_t, bin_t) +r_dir_file($1_t, proc_net_t) +allow $1_t sysctl_net_t:dir search; + +# Allow DNS +can_resolve($1_t) + +# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) +can_ypbind($1_t) +can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }) +allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect; + +# Allow printing the mail +ifdef(`cups.te',` +allow $1_t cupsd_etc_t:dir r_dir_perms; +allow $1_t cupsd_rw_etc_t:file r_file_perms; +') +ifdef(`lpr.te', ` +domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t) +') + +# Attachments +read_content($1_t, $2, mail) + +# Save mail +write_untrusted($1_t, $2) + +# Encrypt mail +ifdef(`gpg.te', ` +domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t) +allow $1_t $2_gpg_t:process signal; +') + +# Start links in web browser +ifdef(`mozilla.te', ` +can_exec($1_t, shell_exec_t) +domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t) +') +ifdef(`dbusd.te', ` +dbusd_client(system, $1) +dbusd_client($2, $1) +allow $1_t $2_dbusd_t:dbus send_msg; +ifdef(`cups.te', ` +allow cupsd_t $1_t:dbus send_msg; +') +') +') diff --git a/strict/macros/program/mozilla_macros.te b/strict/macros/program/mozilla_macros.te index c53ab4f..3980122 100644 --- a/strict/macros/program/mozilla_macros.te +++ b/strict/macros/program/mozilla_macros.te 
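Review bot: `can_exec($1_t, bin_t)` under `# Allow netstat` / `# Startup shellscripts` lets every mail client that uses this macro run any bin_t program inside its own domain, so the confinement of a domain that also gets `read_content`, `write_untrusted` and the port rules below depends on which helper it chooses to run; if netstat and the start-up script are the only needs, name them in the comment and consider giving the script its own exec type. The comment `# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)` lists IMAP but the rule names only `pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t`; if pop_port_t covers the IMAP ports in this policy the comment should say so, otherwise IMAP is missing.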
@@ -15,123 +15,136 @@ # The type declaration for the executable type for this program is # provided separately in domains/program/mozilla.te. # + +# FIXME: Rules were removed to centralize policy in a gnome_app macro +# A similar thing might be necessary for mozilla compiled without GNOME +# support (is this possible?). + define(`mozilla_domain',` -x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool') -# Configuration +type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog; + +# Type transition +if (! disable_mozilla_trans) { +domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t) +} +role $1_r types $1_mozilla_t; + +# X access, Home files home_domain($1, mozilla) +x_client_domain($1_mozilla, $1) + +# GNOME integration +ifdef(`gnome.te', ` +gnome_application($1_mozilla, $1) +gnome_file_dialog($1_mozilla, $1) +') -# Allow mozilla to browse files -file_browse_domain($1_mozilla_t) +# Look for plugins +allow $1_mozilla_t bin_t:dir { getattr read search }; + +# Browse the web, connect to printer +can_resolve($1_mozilla_t) +can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } ) +allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect; + +# Should not need other ports +dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind }; allow $1_mozilla_t sound_device_t:chr_file rw_file_perms; +dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms; # Unrestricted inheritance from the caller. allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh }; allow $1_mozilla_t $1_t:process signull; -# Set resource limits and scheduling info. -allow $1_mozilla_t self:process { setrlimit setsched }; +# Allow the user domain to signal/ps. 
+can_ps($1_t, $1_mozilla_t) +allow $1_t $1_mozilla_t:process signal_perms; + +# Access /proc, sysctl +allow $1_mozilla_t proc_t:dir search; +allow $1_mozilla_t proc_t:file { getattr read }; +allow $1_mozilla_t proc_t:lnk_file read; +allow $1_mozilla_t sysctl_net_t:dir search; +allow $1_mozilla_t sysctl_t:dir search; -allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read }; +# /var/lib +allow $1_mozilla_t var_lib_t:dir search; allow $1_mozilla_t var_lib_t:file { getattr read }; -allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read }; + +# Self permissions allow $1_mozilla_t self:socket create_socket_perms; allow $1_mozilla_t self:file { getattr read }; +allow $1_mozilla_t self:sem create_sem_perms; -# for bash +# for bash - old mozilla binary +can_exec($1_mozilla_t, mozilla_exec_t) +can_exec($1_mozilla_t, shell_exec_t) +can_exec($1_mozilla_t, bin_t) +allow $1_mozilla_t bin_t:lnk_file read; allow $1_mozilla_t device_t:dir r_dir_perms; -allow $1_mozilla_t devpts_t:dir r_dir_perms; -allow $1_mozilla_t proc_t:file { getattr read }; +allow $1_mozilla_t self:dir search; +allow $1_mozilla_t self:lnk_file read; r_dir_file($1_mozilla_t, proc_net_t) -allow $1_mozilla_t { var_t var_lib_t }:dir search; - # interacting with gstreamer r_dir_file($1_mozilla_t, var_t) -# Write files to tmp -tmp_domain($1_mozilla) +# Uploads, local html +read_content($1_mozilla_t, $1, mozilla) -# Execute downloaded programs. 
-can_exec($1_mozilla_t, $1_mozilla_tmp_t) +# Save web pages +write_untrusted($1_mozilla_t, $1) -# Use printer -ifdef(`lpr.te', ` -domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t) - -# Print document -allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms; - -# Suppress history.fop denial -dontaudit $1_lpr_t $1_mozilla_home_t:file { read write }; - -dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write }; -dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write }; -') - -# ORBit sockets -file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t) -can_unix_connect($1_t, $1_mozilla_t) -allow $1_t $1_mozilla_tmp_t:sock_file write; -allow $1_mozilla_t $1_tmp_t:file { read write lock }; -allow $1_mozilla_t $1_tmp_t:sock_file { read write }; -dontaudit $1_mozilla_t $1_tmp_t:dir setattr; - -# Allow mozilla to read user home content -if (mozilla_readhome || mozilla_writehome) { -r_dir_file($1_mozilla_t, $1_home_t) -} else { -dontaudit $1_mozilla_t $1_home_t:dir setattr; -dontaudit $1_mozilla_t $1_home_t:file setattr; -} +# Mozpluggerrc +allow $1_mozilla_t mozilla_conf_t:file r_file_perms; -if (mozilla_writehome) { -file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_home_t) -allow $1_mozilla_t $1_home_t:dir setattr; -allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms; -} dnl end if writehome +######### Java plugin +ifdef(`java.te', ` +javaplugin_domain($1_mozilla, $1) +') dnl java.te -allow $1_mozilla_t $1_t:unix_stream_socket connectto; -allow $1_mozilla_t sysctl_net_t:dir search; -allow $1_mozilla_t sysctl_t:dir search; +######### Print web content ifdef(`cups.te', ` allow $1_mozilla_t cupsd_etc_t:dir search; allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read }; ') -allow $1_mozilla_t $1_t:tcp_socket { read write }; - -allow $1_mozilla_t mozilla_conf_t:file r_file_perms; -dontaudit $1_mozilla_t port_type:tcp_socket name_bind; -dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms; -# Mozilla tries to delete .fonts.cache-1 -dontaudit 
$1_mozilla_t $1_home_t:file unlink; -allow $1_mozilla_t self:sem create_sem_perms; - -# Java plugin -ifdef(`java.te', ` -javaplugin_domain($1_mozilla, $1) -') +ifdef(`lpr.te', ` +domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t) +dontaudit $1_lpr_t $1_mozilla_home_t:file { read write }; +dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write }; +') dnl if lpr.te -# Mplayer plugin +######### Launch mplayer ifdef(`mplayer.te', ` domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t) +dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write }; +dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write }; +dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write }; +')dnl end if mplayer.te -# Read mozilla content in /tmp -r_dir_file($1_mplayer_t, $1_mozilla_tmp_t); +######### Launch email client, and make webcal links work +ifdef(`evolution.te', ` +domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t) +domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t) +') dnl if evolution.te -# FIXME: why does it need this? -dontaudit $1_mplayer_t $1_mozilla_home_t:file write; -allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write }; -')dnl end if mplayer.te +ifdef(`thunderbird.te', ` +domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t) +') dnl if evolution.te if (allow_execmem) { -allow $1_mozilla_t self:process { execmem }; +allow $1_mozilla_t self:process { execmem execstack }; } -if (allow_execmod) { allow $1_mozilla_t texrel_shlib_t:file execmod; -} + dbusd_client(system, $1_mozilla) +ifdef(`apache.te', ` +ifelse($1, sysadm, `', ` +r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t }) +') +') ')dnl end mozilla macro diff --git a/strict/macros/program/mplayer_macros.te b/strict/macros/program/mplayer_macros.te index 323edca..6d06757 100644 --- a/strict/macros/program/mplayer_macros.te +++ b/strict/macros/program/mplayer_macros.te 
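Review bot: `can_exec($1_mozilla_t, bin_t)` and `can_exec($1_mozilla_t, shell_exec_t)` under `# for bash - old mozilla binary` let the browser run any bin_t program and a shell inside `$1_mozilla_t`, so every helper launched that way keeps the browser's network, `write_untrusted` and home access; if this exists only for the mozilla wrapper script, the `can_exec($1_mozilla_t, mozilla_exec_t)` line already covers it and the bin_t/shell rules should go, or a comment should say which binaries still need them. Two smaller things in the same hunk: `dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };` appears twice in the mplayer block, and the thunderbird block closes with `') dnl if evolution.te` where `') dnl if thunderbird.te` is meant.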
@@ -6,15 +6,19 @@ # mplayer_domains(user) declares domains for mplayer, gmplayer, # and mencoder -############################################## -# mplayer_common(user, mplayer domain) # -############################################## +##################################################### +# mplayer_common(role_prefix, mplayer_domain) # +##################################################### define(`mplayer_common',` # Read global config r_dir_file($1_$2_t, mplayer_etc_t) +# Allow the user domain to signal/ps. +can_ps($1_t, $1_$2_t) +allow $1_t $1_$2_t:process signal_perms; + # Read data in /usr/share (fonts, icons..) r_dir_file($1_$2_t, usr_t) @@ -40,8 +44,8 @@ allow $1_$2_t self:process execmem; if (allow_execmod) { allow $1_$2_t zero_device_t:chr_file execmod; -allow $1_$2_t texrel_shlib_t:file execmod; } +allow $1_$2_t texrel_shlib_t:file execmod; # Access to DVD/CD/V4L allow $1_$2_t device_t:dir r_dir_perms; 
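Review bot: `allow $1_$2_t texrel_shlib_t:file execmod;` is moved out of the `if (allow_execmod)` block, so text-relocation execmod is granted to every mplayer-family domain regardless of the tunable, while the `zero_device_t:chr_file execmod` rule two lines above stays gated. The same move is made for `$1_xserver_t` in xserver_macros.te in this change, so it may be deliberate, but nothing in the hunk says why the tunable should no longer apply. Either keep the rule inside the block or add a comment such as `# texrel execmod is unconditional: the codec libraries do not load without it (TODO confirm)`. The `mplayer_common` definition this belongs to ends outside the hunk.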
@@ -58,64 +62,94 @@ allow $1_$2_t sound_device_t:chr_file execute; } ') -############################ -# mplayer_domain(user) # -############################ +################################### +# mplayer_domain(role_prefix) # +################################### define(`mplayer_domain',` -# Derive from X client domain -x_client_domain($1, `mplayer', `') +type $1_mplayer_t, domain, nscd_client_domain; -# Mplayer configuration here -home_domain($1, mplayer) +# Type transition +domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t) +role $1_r types $1_mplayer_t; -# Allow mplayer to browse files -file_browse_domain($1_mplayer_t) +# Home access, X access +home_domain($1, mplayer) +x_client_domain($1_mplayer, $1) # Mplayer common stuff mplayer_common($1, mplayer) -# Audio +# Fork +allow $1_mplayer_t self:process { fork signal_perms getsched }; +allow $1_mplayer_t self:fifo_file rw_file_perms; + +# Audio, alsa.conf allow $1_mplayer_t sound_device_t:chr_file rw_file_perms; +allow $1_mplayer_t etc_t:file { getattr read }; +r_dir_file($1_mplayer_t, alsa_etc_rw_t); # RTC clock allow $1_mplayer_t clock_device_t:chr_file { ioctl read }; -# Read home directory content -r_dir_file($1_mplayer_t, $1_home_t); - # Legacy domain issues if (allow_mplayer_execstack) { allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute; } +#======gmplayer gui==========# +# File dialogs +dontaudit_getattr($1_mplayer_t) +dontaudit_read_dir($1_mplayer_t) +dontaudit_search_dir($1_mplayer_t) + +# Unfortunately the ancient file dialog starts in / +allow $1_mplayer_t home_root_t:dir read; + +# Read /etc/mtab +allow $1_mplayer_t etc_runtime_t:file { read getattr }; + +# Run bash/sed (??) 
+allow $1_mplayer_t bin_t:dir search; +allow $1_mplayer_t bin_t:lnk_file read; +can_exec($1_mplayer_t, bin_t) +can_exec($1_mplayer_t, shell_exec_t) +#============================# + +# Read songs +read_content($1_mplayer_t, $1) + ') dnl end mplayer_domain -############################ -# mencoder_domain(user) # -############################ +################################### +# mencoder_domain(role_prefix) # +################################### define(`mencoder_domain',` -# FIXME: privhome temporarily removed... type $1_mencoder_t, domain; -# Transition +# Type transition domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t) -can_exec($1_mencoder_t, mencoder_exec_t) role $1_r types $1_mencoder_t; -# Read home config +# Access mplayer home domain home_domain_access($1_mencoder_t, $1, mplayer) # Mplayer common stuff mplayer_common($1, mencoder) +# Read content to encode +read_content($1_mencoder_t, $1) + +# Save encoded files +write_trusted($1_mencoder_t, $1) + ') dnl end mencoder_domain ############################# -# mplayer_domains(user) # +# mplayer_domains(role) # ############################# define(`mplayer_domains', ` diff --git a/strict/macros/program/orbit_macros.te b/strict/macros/program/orbit_macros.te new file mode 100644 index 0000000..b2dd5d1 --- /dev/null +++ b/strict/macros/program/orbit_macros.te 
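Review bot: Under `# Run bash/sed (??)` the domain gets `can_exec($1_mplayer_t, bin_t)` and `can_exec($1_mplayer_t, shell_exec_t)`, and the question marks say the need was never pinned down; since `can_exec` runs the program in the calling domain, this lets a media player that parses untrusted input run any bin_t binary or a shell with its own permissions. Identify which gmplayer helper actually spawns the shell and scope the rule to it, or at least record the observed denial in place of the comment, e.g. `# gmplayer's <helper, TODO confirm> execs /bin/sh; runs in the mplayer domain, no transition`. The whole `#======gmplayer gui==========#` block is also a candidate for a tunable so non-GUI mplayer use does not carry it. `mencoder_domain` and the opening of `mplayer_domains` in this hunk are not affected by the point.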
@@ -0,0 +1,44 @@
+#
+# ORBit related types
+#
+# Author: Ivan Gyurdiev
+#
+# orbit_domain(prefix, role_prefix) - create ORBit sockets
+# orbit_connect(type1_prefix, type2_prefix)
+# - allow communication through ORBit sockets from type1 to type2
+
+define(`orbit_domain', `
+
+# Protect against double inclusion for speed and correctness
+ifdef(`orbit_domain_$1_$2', `', `
+define(`orbit_domain_$1_$2')
+
+# Relabel directory (startup script)
+allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
+
+# Type for ORBit sockets
+type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
+file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
+allow $1_t tmp_t:dir { read search getattr };
+
+# Create the sockets
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# Use random device(s)
+allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
+
+# Why do they do that?
+dontaudit $1_t $2_orbit_tmp_t:dir setattr;
+
+') dnl ifdef orbit_domain_args
+') dnl orbit_domain
+
+##########################
+
+define(`orbit_connect', `
+
+can_unix_connect($1_t, $2_t)
+allow $1_t $2_orbit_tmp_t:sock_file write;
+
+') dnl orbit_connect
diff --git a/strict/macros/program/pyzor_macros.te b/strict/macros/program/pyzor_macros.te
new file mode 100644
index 0000000..36b4c54
--- /dev/null
+++ b/strict/macros/program/pyzor_macros.te
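Review bot: `orbit_domain` uses `$2_orbit_tmp_t` in `file_type_auto_trans` and in the `dontaudit` rule but only declares `$1_orbit_tmp_t`, so a call with differing prefixes appears to depend on `orbit_domain($2, $2)` being expanded somewhere else in the build; the header comment should state that the role prefix's own invocation is a prerequisite. The `# Why do they do that?` comment above `dontaudit $1_t $2_orbit_tmp_t:dir setattr;` records nothing a maintainer can act on; replace it with what was observed, e.g. `# startup attempts setattr on the shared socket dir; suppressed rather than allowed (TODO confirm which component)`. The closing comment `dnl ifdef orbit_domain_args` does not match the symbol it closes (`orbit_domain_$1_$2`).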
@@ -0,0 +1,69 @@
+#
+# Pyzor - Pyzor is a collaborative, networked system to detect and
+# block spam using identifying digests of messages.
+#
+# Author: David Hampton
+#
+
+##########
+# common definitions for pyzord and all flavors of pyzor
+##########
+define(`pyzor_base_domain',`
+
+# Networking
+can_network_client_tcp($1_t, http_port_t);
+can_network_udp($1_t, pyzor_port_t);
+can_resolve($1_t);
+
+general_proc_read_access($1_t)
+
+tmp_domain($1)
+
+allow $1_t bin_t:dir { getattr search };
+allow $1_t bin_t:file getattr;
+allow $1_t lib_t:file { getattr read };
+allow $1_t { var_t var_lib_t var_run_t }:dir search;
+uses_shlib($1_t)
+
+# Python does a getattr on this file
+allow $1_t pyzor_exec_t:file getattr;
+
+# mktemp and other randoms
+allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+# Allow access to various files in the /etc/directory including mtab
+# and nsswitch
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+')
+
+
+#
+# Define a user domain for a pyzor
+#
+# Note: expects to be called with an argument of user, sysadm
+
+define(`pyzor_domain',`
+type $1_pyzor_t, domain, privlog, nscd_client_domain;
+role $1_r types $1_pyzor_t;
+domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
+
+pyzor_base_domain($1_pyzor)
+
+# Per-user config/data files
+home_domain($1, pyzor)
+file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)
+
+# System config files
+r_dir_file($1_pyzor_t, pyzor_etc_t)
+
+# System data files
+r_dir_file($1_pyzor_t, pyzor_var_lib_t);
+
+allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow pyzor to be run by hand. Needed by any action other than
+# invocation from a spam filter.
+allow $1_pyzor_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_pyzor_t sshd_t:fd use;
+')
diff --git a/strict/macros/program/razor_macros.te b/strict/macros/program/razor_macros.te
new file mode 100644
index 0000000..ca681f7
--- /dev/null
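Review bot: `allow $1_pyzor_t sshd_t:fd use;` names `sshd_t` with no ssh.te guard, whereas x_client_macros.te in this same change wraps its `can_tcp_connect($1_t, sshd_t)` in `` ifdef(`ssh.te', …) ``; if sshd_t is only declared when ssh.te is built, a policy without it fails on this line, and the identical rule at the end of razor_macros.te has the same problem. Wrap it: `` ifdef(`ssh.te', `allow $1_pyzor_t sshd_t:fd use;') ``. Style: the base macro mixes trailing semicolons after macro calls (`can_resolve($1_t);`, `r_dir_file($1_pyzor_t, pyzor_var_lib_t);`) with none (`general_proc_read_access($1_t)`); razor_macros.te does the same, and one form per file would keep these greppable.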
+++ b/strict/macros/program/razor_macros.te 
@@ -0,0 +1,75 @@
+#
+# Razor - Razor is a collaborative, networked system to detect and
+# block spam using identifying digests of messages.
+#
+# Author: David Hampton
+#
+
+##########
+# common definitions for razord and all flavors of razor
+##########
+define(`razor_base_domain',`
+
+# Razor is one executable and several symlinks
+allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
+
+# Networking
+can_network_client_tcp($1_t, razor_port_t)
+can_resolve($1_t);
+
+general_proc_read_access($1_t)
+
+# Read system config file
+r_dir_file($1_t, razor_etc_t)
+
+# Update razor common files
+file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
+create_dir_file($1_t, razor_log_t)
+allow $1_t var_lib_t:dir search;
+create_dir_file($1_t, razor_var_lib_t)
+
+allow $1_t bin_t:dir { getattr search };
+allow $1_t bin_t:file getattr;
+allow $1_t lib_t:file { getattr read };
+allow $1_t { var_t var_run_t }:dir search;
+uses_shlib($1_t)
+
+# Razor forks other programs to do part of its work.
+general_domain_access($1_t)
+can_exec($1_t, bin_t)
+
+# mktemp and other randoms
+allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+# Allow access to various files in the /etc/directory including mtab
+# and nsswitch
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+')
+
+
+#
+# Define a user domain for a razor
+#
+# Note: expects to be called with an argument of user, sysadm
+
+define(`razor_domain',`
+type $1_razor_t, domain, privlog, nscd_client_domain;
+role $1_r types $1_razor_t;
+domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
+
+razor_base_domain($1_razor)
+
+# Per-user config/data files
+home_domain($1, razor)
+file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir)
+
+tmp_domain($1_razor)
+
+allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow razor to be run by hand. Needed by any action other than
+# invocation from a spam filter.
+allow $1_razor_t $1_devpts_t:chr_file rw_file_perms; +allow $1_razor_t sshd_t:fd use; +') diff --git a/strict/macros/program/screen_macros.te b/strict/macros/program/screen_macros.te index ebfc619..e81a90a 100644 --- a/strict/macros/program/screen_macros.te +++ b/strict/macros/program/screen_macros.te @@ -21,7 +21,7 @@ undefine(`screen_domain') ifdef(`screen.te', ` define(`screen_domain',` # Derived domain based on the calling user domain and the program. -type $1_screen_t, domain, privlog, privfd; +type $1_screen_t, domain, privlog, privfd, nscd_client_domain; # Transition from the user domain to this domain. domain_auto_trans($1_t, screen_exec_t, $1_screen_t) @@ -81,6 +81,7 @@ dontaudit $1_screen_t shadow_t:file read; allow $1_screen_t tmp_t:dir search; can_network($1_screen_t) +allow $1_screen_t port_type:tcp_socket name_connect; can_ypbind($1_screen_t) # get stats diff --git a/strict/macros/program/slocate_macros.te b/strict/macros/program/slocate_macros.te index acd6195..115022b 100644 --- a/strict/macros/program/slocate_macros.te +++ b/strict/macros/program/slocate_macros.te @@ -25,7 +25,7 @@ allow $1_locate_t self:process signal; allow $1_locate_t etc_t:file { getattr read }; allow $1_locate_t self:unix_stream_socket create_socket_perms; -r_dir_file($1_locate_t,var_lib_locate_t) +r_dir_file($1_locate_t,locate_var_lib_t) allow $1_locate_t var_lib_t:dir search; # Transition from the user domain to this domain. diff --git a/strict/macros/program/spamassassin_macros.te b/strict/macros/program/spamassassin_macros.te index 2ded42a..d7678f5 100644 --- a/strict/macros/program/spamassassin_macros.te +++ b/strict/macros/program/spamassassin_macros.te @@ -29,7 +29,7 @@ ifdef(`using_spamassassin',` # Note: most of this should really be in a generic macro like # base_user_program($1, foo) define(`spamassassin_program_domain',` -type $1_$2_t, domain, privlog; +type $1_$2_t, domain, privlog $3; domain_auto_trans($1_t, $2_exec_t, $1_$2_t) role $1_r types $1_$2_t; 
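Review bot: `general_domain_access($1_t)` together with `can_exec($1_t, bin_t)` under `# Razor forks other programs to do part of its work.` lets every razor-family domain run any bin_t program without a domain transition, inside a domain that processes untrusted mail and has network access through `can_network_client_tcp($1_t, razor_port_t)`. If the helpers razor spawns are known, give them their own exec type or list them instead of all of bin_t, and name them in the comment, e.g. `# razor execs <helper list, TODO confirm> via /bin/sh`. The comment `# Allow razor to be run by hand.` would also be clearer stating which rule needs the terminal (`$1_devpts_t`) and which the inherited descriptor (`sshd_t:fd use`).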
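Review bot: `allow $1_screen_t port_type:tcp_socket name_connect;` grants the new name_connect check against the entire `port_type` attribute, which makes the check a no-op for this domain; the same blanket rule is added for `$1_spamassassin_t`, `$1_spamc_t`, `$1_uml_t` and `$1_xserver_t` elsewhere in this change, while thunderbird_macros.te correctly limits itself to `http_port_t`. Where the destination ports are known, name them; where they are not, a comment stating that the wide grant is intentional (e.g. `# screen may connect anywhere: user-driven telnet/ssh sessions`) at least records the decision. The remainder of `screen_domain` is outside this hunk.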
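Review bot: `type $1_$2_t, domain, privlog $3;` makes the third argument carry its own leading comma (the spamc call site later in this change passes `` `, nscd_client_domain' ``), which is easy to get wrong and is not mentioned in the `spamassassin_program_domain` header comment just above the define. Having the macro supply the separator, `` type $1_$2_t, domain, privlog ifelse(`$3', `', `', `, $3'); ``, and documenting it as `# $3: extra attributes for the derived domain (optional)` makes the contract explicit. The body of the macro continues outside this hunk.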
@@ -44,7 +44,6 @@ allow $1_$2_t etc_runtime_t:file r_file_perms; uses_shlib($1_$2_t) read_locale($1_$2_t) dontaudit $1_$2_t var_t:dir search; -allow $1_$2_t $1_home_dir_t:dir r_dir_perms; tmp_domain($1_$2) allow $1_$2_t privfd:fd use; allow $1_$2_t userpty_type:chr_file rw_file_perms; @@ -76,16 +75,20 @@ spamassassin_program_domain($1, spamassassin) allow $1_spamassassin_t lib_t:file rx_file_perms; # Ignore perl digging in /proc and /var. dontaudit $1_spamassassin_t proc_t:dir search; +dontaudit $1_spamassassin_t proc_t:lnk_file read; dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; # For ~/.spamassassin home_domain($1, spamassassin) +file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir) spamassassin_agent_privs($1_spamassassin_t, $1) -# set tunable if you have spamassassin do DNS lookups +can_resolve($1_spamassassin_t) +# set tunable if you give spamassassin full network access. if (spamassasin_can_network) { can_network($1_spamassassin_t) +allow $1_spamassassin_t port_type:tcp_socket name_connect; } if (spamassasin_can_network && allow_ypbind) { uncond_can_ypbind($1_spamassassin_t) @@ -94,13 +97,16 @@ uncond_can_ypbind($1_spamassassin_t) # Define the domain for /usr/bin/spamc # ifdef(`spamc.te',` -spamassassin_program_domain($1, spamc) +spamassassin_program_domain($1, spamc, `, nscd_client_domain') can_network($1_spamc_t) +allow $1_spamc_t port_type:tcp_socket name_connect; can_ypbind($1_spamc_t) # Allow connecting to a local spamd ifdef(`spamd.te',` can_tcp_connect($1_spamc_t, spamd_t) +can_unix_connect($1_spamc_t, spamd_t) +allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; ') dnl endif spamd.te ') dnl endif spamc.te diff --git a/strict/macros/program/thunderbird_macros.te b/strict/macros/program/thunderbird_macros.te new file mode 100644 index 0000000..b84e41d --- /dev/null +++ b/strict/macros/program/thunderbird_macros.te 
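Review bot: `allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;` grants the full read/write file permission set on spamd's socket file, where connecting only needs `write` (plus `getattr`); `orbit_connect` in orbit_macros.te, added in this same change, uses `sock_file write` for the same purpose. Suggest `allow $1_spamc_t spamd_tmp_t:sock_file { getattr write };`. In the preceding hunk, `can_resolve($1_spamassassin_t)` is now granted outside the `spamassasin_can_network` tunable; that is reasonable for DNS-based lookups, but the comment above it only describes the tunable, so a line such as `# DNS resolution is always allowed; the tunable gates all other network access` would help.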
@@ -0,0 +1,62 @@
+#
+# Thunderbird
+#
+# Author: Ivan Gyurdiev
+#
+
+#######################################
+# thunderbird_domain(role_prefix)
+#
+
+# FIXME: Rules were removed to centralize policy in a gnome_app macro
+# A similar thing might be necessary for mozilla compiled without GNOME
+# support (is this possible?).
+
+define(`thunderbird_domain', `
+
+# Type for program
+type $1_thunderbird_t, domain, nscd_client_domain;
+
+# Transition from user type
+if (! disable_thunderbird_trans) {
+domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
+}
+role $1_r types $1_thunderbird_t;
+
+# FIXME: Why does it try to do that?
+dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
+
+# Why is thunderbird looking in .mozilla ?
+# FIXME: there are legitimate uses of invoking the browser - about -> release notes
+dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
+
+# .kde/....gtkrc
+# FIXME: support properly
+dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
+
+# X, mail common stuff
+x_client_domain($1_thunderbird, $1)
+mail_client_domain($1_thunderbird, $1)
+
+allow $1_thunderbird_t fs_t:filesystem getattr;
+
+# GNOME support
+ifdef(`gnome.te', `
+gnome_application($1_thunderbird, $1)
+gnome_file_dialog($1_thunderbird, $1)
+allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
+')
+
+# Access ~/.thunderbird
+home_domain($1, thunderbird)
+
+# RSS feeds
+can_network_client_tcp($1_thunderbird_t, http_port_t)
+allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
+
+allow $1_thunderbird_t self:process { execheap execstack };
+if (allow_execmem) {
+allow $1_thunderbird_t self:process execmem;
+}
+
+')
diff --git a/strict/macros/program/tvtime_macros.te b/strict/macros/program/tvtime_macros.te
index acb45b1..d965ae1 100644
--- a/strict/macros/program/tvtime_macros.te
+++ b/strict/macros/program/tvtime_macros.te
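Review bot: `allow $1_thunderbird_t self:process { execheap execstack };` is unconditional while `execmem` directly below it is gated by `if (allow_execmem)`; an executable heap or stack is the same class of W+X exposure as execmem, so either all three belong under the tunable or a comment should say why the first two cannot be. `if (! disable_thunderbird_trans)` references a boolean this file never declares; if no other file declares it the policy will not build, so either a file-scope `bool disable_thunderbird_trans false;` (outside the macro, so it is emitted once) or a comment naming where it lives is needed. The FIXME dontaudits are acceptable as temporary suppressions but would read better with the denial they hide, e.g. `# dontaudit: thunderbird stats/execs evolution_exec_t when probing for a mail handler (TODO confirm)`.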
@@ -19,16 +19,37 @@ undefine(`tvtime_domain') ifdef(`tvtime.te', ` define(`tvtime_domain',` +# Type transition +type $1_tvtime_t, domain, nscd_client_domain; +domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t) +role $1_r types $1_tvtime_t; + +# X access, Home files home_domain($1, tvtime) -x_client_domain($1, tvtime) +file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir) +x_client_domain($1_tvtime, $1) + +uses_shlib($1_tvtime_t) +read_locale($1_tvtime_t) +read_sysctl($1_tvtime_t) +access_terminal($1_tvtime_t, $1) + +# Allow the user domain to signal/ps. +can_ps($1_t, $1_tvtime_t) +allow $1_t $1_tvtime_t:process signal_perms; + +# Read /etc/tvtime +allow $1_tvtime_t etc_t:file { getattr read }; + +# Tmp files +tmp_domain($1_tvtime, `', `{ file dir fifo_file }') allow $1_tvtime_t urandom_device_t:chr_file read; allow $1_tvtime_t clock_device_t:chr_file { ioctl read }; allow $1_tvtime_t kernel_t:system ipc_info; -allow $1_tvtime_t sound_device_t:chr_file read; +allow $1_tvtime_t sound_device_t:chr_file { ioctl read }; allow $1_tvtime_t $1_home_t:dir { getattr read search }; allow $1_tvtime_t $1_home_t:file { getattr read }; -tmp_domain($1_tvtime) allow $1_tvtime_t self:capability { setuid sys_nice sys_resource }; allow $1_tvtime_t self:process setsched; allow $1_tvtime_t usr_t:file { getattr read }; diff --git a/strict/macros/program/uml_macros.te b/strict/macros/program/uml_macros.te index 654b794..9b87775 100644 --- a/strict/macros/program/uml_macros.te +++ b/strict/macros/program/uml_macros.te @@ -91,6 +91,7 @@ allow $1_uml_t $1_t:unix_dgram_socket sendto; # Use the network. can_network($1_uml_t) +allow $1_uml_t port_type:tcp_socket name_connect; can_ypbind($1_uml_t) # for xterm diff --git a/strict/macros/program/vmware_macros.te b/strict/macros/program/vmware_macros.te index b306f08..bb0914a 100644 --- a/strict/macros/program/vmware_macros.te +++ b/strict/macros/program/vmware_macros.te 
@@ -28,11 +28,6 @@ type $1_vmware_file_t, $1_file_type, file_type, sysadmfile; # The user file type for the VMWare configuration files type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile; -# for compatibility with older policy versions -typealias $1_vmware_t alias vmware_$1_t; -typealias $1_vmware_file_t alias vmware_$1_file_t; -typealias $1_vmware_conf_t alias vmware_$1_conf_t; - ############################################################# # User rules for running VMWare # diff --git a/strict/macros/program/x_client_macros.te b/strict/macros/program/x_client_macros.te index aef31ad..adce9f0 100644 --- a/strict/macros/program/x_client_macros.te +++ b/strict/macros/program/x_client_macros.te @@ -1,5 +1,5 @@ # -# Macros for X client programs ($2 etc) +# Macros for X client programs # # 
@@ -8,152 +8,87 @@ # and Timothy Fraser # +# Allows clients to write to the X server's shm +bool allow_write_xshm false; + define(`xsession_domain', ` # Connect to xserver can_unix_connect($1_t, $2_xserver_t) -# /tmp/.ICE_unix -allow $1_t $2_xserver_tmp_t:dir search; -allow $1_t $2_xserver_tmp_t:sock_file rw_file_perms; - -# Stat /tmp/.X0-lock -allow $1_t $2_xserver_tmp_t:file getattr; +# Read /tmp/.X0-lock +allow $1_t $2_xserver_tmp_t:file { getattr read }; # Signal Xserver allow $1_t $2_xserver_t:process signal; -# Use file descriptors created by each other. -allow $1_t $2_xserver_t:fd use; +# Xserver read/write client shm allow $2_xserver_t $1_t:fd use; - -# Xserver read/write parent shm allow $2_xserver_t $1_t:shm rw_shm_perms; allow $2_xserver_t $1_tmpfs_t:file rw_file_perms; -# Parent read xserver shm +# Client read xserver shm +allow $1_t $2_xserver_t:fd use; allow $1_t $2_xserver_t:shm r_shm_perms; allow $1_t $2_xserver_tmpfs_t:file r_file_perms; + +# Client write xserver shm +if (allow_write_xshm) { +allow $1_t $2_xserver_t:shm rw_shm_perms; +allow $1_t $2_xserver_tmpfs_t:file rw_file_perms; +} + ') # -# x_client_domain(domain_prefix) -# -# Define a derived domain for an X program when executed by -# a user domain. -# -# The type declaration for the executable type for this program ($2_exec_t) -# must be provided separately! +# x_client_domain(client, role) # -# The first parameter is the base name for the domain/role (EG user or sysadm) -# The second parameter is the program name (EG $2) -# The third parameter is the attributes for the domain (if any) +# Defines common X access rules for the client domain # define(`x_client_domain',` -# Derived domain based on the calling user domain and the program. 
-type $1_$2_t, domain, nscd_client_domain $3; - -ifelse(index(`$3', `transitionbool'), -1, ` -domain_auto_trans($1_t, $2_exec_t, $1_$2_t) -can_exec($1_$2_t, $2_exec_t) -', ` -# Only do it once -ifelse($1, user, ` -bool disable_$2 false; -') -# Transition from the user domain to the derived domain. -if (! disable_$2) { -domain_auto_trans($1_t, $2_exec_t, $1_$2_t) -can_exec($1_$2_t, $2_exec_t) -} -') -# The user role is authorized for this domain. -role $1_r types $1_$2_t; - -# This domain is granted permissions common to most domains (including can_net) -can_network($1_$2_t) -can_ypbind($1_$2_t) -allow $1_$2_t self:process { fork signal_perms getsched }; -allow $1_$2_t self:unix_dgram_socket create_socket_perms; -allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow $1_$2_t self:fifo_file rw_file_perms; -allow $1_$2_t etc_runtime_t:file { getattr read }; -allow $1_$2_t etc_t:lnk_file read; -allow $1_$2_t fs_t:filesystem getattr; -access_terminal($1_$2_t, $1) -read_locale($1_$2_t) -r_dir_file($1_$2_t, readable_t) -allow $1_$2_t proc_t:dir search; -allow $1_$2_t proc_t:lnk_file read; -allow $1_$2_t self:dir search; -allow $1_$2_t self:lnk_file read; -read_sysctl($1_$2_t) +# Create socket to communicate with X server +allow $1_t self:unix_dgram_socket create_socket_perms; +allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms }; +# Read .Xauthority file ifdef(`xauth.te',` -allow $1_$2_t $1_xauth_home_t:file { getattr read }; +allow $1_t home_root_t:dir { search getattr }; +allow $1_t $2_home_dir_t:dir { search getattr }; +allow $1_t $2_xauth_home_t:file { getattr read }; ') -# Allow the user domain to send any signal to the $2 process. -allow $1_t $1_$2_t:process signal_perms; - -# Allow the user domain to read the /proc/PID directory for -# the $2 process. -allow $1_t $1_$2_t:dir r_dir_perms; -allow $1_t $1_$2_t:notdevfile_class_set r_file_perms; - -# Allow use of /dev/zero by ld.so. 
-allow $1_$2_t device_t:dir search; -allow $1_$2_t zero_device_t:chr_file rw_file_perms; -allow $1_$2_t zero_device_t:chr_file x_file_perms; - -# allow using shared libraries and running programs -uses_shlib($1_$2_t) -allow $1_$2_t { bin_t sbin_t }:dir search; -allow $1_$2_t bin_t:lnk_file read; -can_exec($1_$2_t, { shell_exec_t bin_t }) -allow $1_$2_t etc_t:file { getattr read }; - -# Inherit and use descriptors from gnome-pty-helper. -ifdef(`gnome-pty-helper.te', `allow $1_$2_t $1_gph_t:fd use;') -allow $1_$2_t privfd:fd use; - # for .xsession-errors -dontaudit $1_$2_t $1_home_t:file write; +dontaudit $1_t $2_home_t:file write; # for X over a ssh tunnel ifdef(`ssh.te', ` -can_tcp_connect($1_$2_t, sshd_t) +can_tcp_connect($1_t, sshd_t) ') -# Read the home directory, e.g. for .Xauthority and to get to config files -allow $1_$2_t home_root_t:dir { search getattr }; - # Use a separate type for tmpfs/shm pseudo files. -tmpfs_domain($1_$2) - -allow $1_$2_t self:shm create_shm_perms; +tmpfs_domain($1) +allow $1_t self:shm create_shm_perms; # allow X client to read all font files -r_dir_file($1_$2_t, fonts_t) +read_fonts($1_t, $2) # Allow connections to X server. ifdef(`xserver.te', ` -allow $1_$2_t tmp_t:dir search; +allow $1_t tmp_t:dir search; ifdef(`xdm.te', ` -xsession_domain($1_$2, xdm) +xsession_domain($1, xdm) # for when /tmp/.X11-unix is created by the system -allow $1_$2_t xdm_t:fifo_file rw_file_perms; -allow $1_$2_t xdm_tmp_t:dir search; -allow $1_$2_t xdm_tmp_t:sock_file { read write }; -allow $1_$2_t xdm_t:fd use; -dontaudit $1_$2_t xdm_t:tcp_socket { read write }; +can_pipe_xdm($1_t) +allow $1_t xdm_tmp_t:dir search; +allow $1_t xdm_tmp_t:sock_file { read write }; +dontaudit $1_t xdm_t:tcp_socket { read write }; ') ifdef(`startx.te', ` -xsession_domain($1_$2, $1) +xsession_domain($1, $2) ')dnl end startx ')dnl end xserver diff --git a/strict/macros/program/xauth_macros.te b/strict/macros/program/xauth_macros.te index 405f151..ca7a5ee 100644 
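Review bot: The new header `# Defines common X access rules for the client domain` undersells what callers must now do themselves: the type, `role $1_r types`, the `domain_auto_trans`, `can_network`/`can_ypbind`, `uses_shlib`, `read_locale`, `access_terminal`, `read_sysctl` and the /proc and /dev/zero rules were all removed from `x_client_domain`, and the callers touched in this change (mplayer, tvtime, thunderbird) each re-add a different subset. List the caller's obligations in the comment, e.g. `# Caller must declare the type, role authorisation, transition and basic domain access (uses_shlib, read_locale, terminal, network) itself`. Separately, `allow $1_t home_root_t:dir { search getattr };` moved from unconditional into the `` ifdef(`xauth.te', …) `` block, so clients built without xauth.te lose home_root_t search; if that is intended it deserves a word there. The `allow_write_xshm` boolean defaulting to false with a one-line comment is the right shape for the optional shm write grant.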
--- a/strict/macros/program/xauth_macros.te +++ b/strict/macros/program/xauth_macros.te @@ -24,6 +24,7 @@ type $1_xauth_t, domain; allow $1_xauth_t self:process signal; home_domain($1, xauth) +file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file) # Transition from the user domain to this domain. domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t) diff --git a/strict/macros/program/xdm_macros.te b/strict/macros/program/xdm_macros.te new file mode 100644 index 0000000..404b877 --- /dev/null +++ b/strict/macros/program/xdm_macros.te @@ -0,0 +1,11 @@ +######################################## +# +# can_pipe_xdm(domain) +# +# Allow communication to xdm over a pipe +# + +define(`can_pipe_xdm', ` +allow $1 xdm_t:fd use; +allow $1 xdm_t:fifo_file { getattr read write ioctl }; +') dnl can_pipe_xdm diff --git a/strict/macros/program/xserver_macros.te b/strict/macros/program/xserver_macros.te index adbe7f7..e2eaf82 100644 --- a/strict/macros/program/xserver_macros.te +++ b/strict/macros/program/xserver_macros.te @@ -52,20 +52,19 @@ can_exec($1_xserver_t, xserver_exec_t) uses_shlib($1_xserver_t) -if (allow_execmod) { allow $1_xserver_t texrel_shlib_t:file execmod; -} can_network($1_xserver_t) +allow $1_xserver_t port_type:tcp_socket name_connect; can_ypbind($1_xserver_t) allow $1_xserver_t xserver_port_t:tcp_socket name_bind; # for access within the domain general_domain_access($1_xserver_t) -if (allow_execmem) { allow $1_xserver_t self:process execmem; -} +# Until the X module loader is fixed. +allow $1_xserver_t self:process execheap; allow $1_xserver_t etc_runtime_t:file { getattr read }; @@ -76,6 +75,12 @@ role system_r types xdm_xserver_t; allow xdm_xserver_t init_t:fd use; dontaudit xdm_xserver_t home_dir_type:dir { read search }; + +# Read all global and per user fonts +read_fonts($1_xserver_t, sysadm) +read_fonts($1_xserver_t, staff) +read_fonts($1_xserver_t, user) + ', ` # The user role is authorized for this domain. role $1_r types $1_xserver_t; 
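Review bot: Dropping the `if (allow_execmod)` and `if (allow_execmem)` wrappers makes `texrel_shlib_t:file execmod` and `self:process execmem` unconditional for `$1_xserver_t`, and `execheap` is added beside them with only `# Until the X module loader is fixed.`; the server thus gains three W+X permissions with no opt-out and no record of why the tunables stopped applying. If the X server genuinely cannot run with any of them off, say so next to the rules; the execheap line should at least carry a reference so it can be removed later, e.g. `# execheap: X module loader bug <tracker-id placeholder>; remove when fixed`. The hardcoded `read_fonts($1_xserver_t, sysadm)`/`staff`/`user` trio in the next hunk will silently miss any additional role prefix the policy defines; a comment noting that the list must track the defined roles would help.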
@@ -89,12 +94,13 @@ allow $1_t $1_xserver_tmpfs_t:file rw_file_perms; can_unix_connect($1_t, $1_xserver_t) +# Read fonts +read_fonts($1_xserver_t, $1) + # Access the home directory. allow $1_xserver_t home_root_t:dir search; allow $1_xserver_t $1_home_dir_t:dir { getattr search }; -if (allow_xserver_home_fonts) { -r_dir_file($1_xserver_t, $1_home_t) -} + ifdef(`xauth.te', ` domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t) allow $1_xserver_t $1_xauth_home_t:file { getattr read }; @@ -171,8 +177,6 @@ allow $1_t $1_xserver_tmp_t:dir r_dir_perms; ifdef(`xdm.te', ` allow $1_t xdm_tmp_t:sock_file unlink; allow $1_xserver_t xdm_var_run_t:dir search; -# for /tmp/.ICE-unix -file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) ') # Signal the user domain. @@ -258,10 +262,8 @@ allow $1_xserver_t pam_var_console_t:dir search; dontaudit $1_xserver_t selinux_config_t:dir search; allow $1_xserver_t var_lib_t:dir search; -rw_dir_create_file($1_xserver_t, var_lib_xkb_t) +rw_dir_create_file($1_xserver_t, xkb_var_lib_t) -# for fonts -r_dir_file($1_xserver_t, fonts_t) ')dnl end macro definition ', ` diff --git a/strict/mls b/strict/mls index 3126db6..5f50906 100644 --- a/strict/mls +++ b/strict/mls @@ -160,16 +160,16 @@ category c127; # Each MLS level specifies a sensitivity and zero or more categories which may # be associated with that sensitivity. # -level s0:c0 . c127; -level s1:c0 . c127; -level s2:c0 . c127; -level s3:c0 . c127; -level s4:c0 . c127; -level s5:c0 . c127; -level s6:c0 . c127; -level s7:c0 . c127; -level s8:c0 . c127; -level s9:c0 . c127; +level s0:c0.c127; +level s1:c0.c127; +level s2:c0.c127; +level s3:c0.c127; +level s4:c0.c127; +level s5:c0.c127; +level s6:c0.c127; +level s7:c0.c127; +level s8:c0.c127; +level s9:c0.c127; # 
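Review bot: `read_fonts($1_xserver_t, $1)` replaces the `if (allow_xserver_home_fonts) { r_dir_file($1_xserver_t, $1_home_t) }` block, so whatever per-user font access read_fonts grants is now unconditional; if that macro reads under `$1_home_t`, the opt-in users had before exposing their home directory to the X server is gone, and the `allow_xserver_home_fonts` boolean, declared outside this diff, is likely left unused. A comment such as `# read_fonts replaces allow_xserver_home_fonts: only the per-user font dir is exposed, not the whole home dir (TODO confirm against read_fonts)` would document the trade. The `@@ -171,8 +177,6 @@` hunk removing the `/tmp/.ICE-unix` transition likewise lacks a note on what now labels that socket.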
@@ -217,7 +217,7 @@ level s9:c0 . c127; mlsconstrain { file lnk_file fifo_file } { create relabelto } ( l2 eq h2 ); -# new file labels must be dominated by the relabeling subject's clearance +# new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto ( h1 dom h2 ); @@ -257,10 +257,10 @@ mlsconstrain dir { add_name remove_name reparent rmdir } # these access vectors have no MLS restrictions # { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon } # -# file { execute_no_trans entrypoint } +# { file chr_file } { execute_no_trans entrypoint execmod } # the file upgrade/downgrade rule -mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file } +mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } ((( l1 eq l2 ) or (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or @@ -272,7 +272,7 @@ mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file } # create can also require the upgrade/downgrade checks if the creating process # has used setfscreate (note that both the high and low level of the object -# default to the process' sensitivity level) +# default to the process sensitivity level) mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create ((( l1 eq l2 ) or (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or @@ -290,7 +290,7 @@ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create # MLS policy for the filesystem class # -# new filesystem labels must be dominated by the relabeling subject's clearance +# new filesystem labels must be dominated by the relabeling subject clearance mlsconstrain filesystem relabelto ( h1 dom h2 ); 
@@ -316,7 +316,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # MLS policy for the socket classes # -# new socket labels must be dominated by the relabeling subject's clearance +# new socket labels must be dominated by the relabeling subject clearance mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto ( h1 dom h2 ); 
@@ -326,32 +326,24 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); -mlsconstrain { tcp_socket unix_stream_socket } acceptfrom - (( l1 dom l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); # the socket "write" ops -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite )); - -mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } ((( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsnetwrite )); # these access vectors have no MLS restrictions -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket 
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind } +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } # # { tcp_socket udp_socket rawip_socket } node_bind # +# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } +# # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write # @@ -411,21 +403,20 @@ mlsconstrain msg send # -# MLS policy for the node class +# MLS policy for the network object classes # -# these access vectors have no MLS restrictions -# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } - - +# the netif/node "read" ops (implicit single level socket doing the read) +# (note the check is dominance of the low level) +mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv } + (( l1 dom l2 ) or ( t1 == mlsnetrecvall )); - -# -# MLS policy for the netif class -# +# the netif/node "write" ops (implicit single level socket doing the write) +mlsconstrain { netif node } { tcp_send udp_send rawip_send } + (( l1 dom l2 ) and ( l1 domby h2 )); # these access vectors have no MLS restrictions -# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } +# { netif node } { enforce_dest } 
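Review bot: The constraints on `{ tcp_socket unix_stream_socket } acceptfrom` and `{ tcp_socket unix_stream_socket } { connectto newconn }` are deleted and the three permissions are listed under `# these access vectors have no MLS restrictions` without saying why; they were the only checks comparing the levels of the two ends of a stream connection, so the rationale (whether the socket read/write constraints are considered sufficient, or the checks happen elsewhere) should accompany the list entry, e.g. `# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } -- peer levels are bounded by the read/write constraints above (TODO confirm)`. Moving `write` out of the unconstrained list and into the `{ write setattr relabelfrom connect setopt shutdown }` constraint is a tightening and worth a line in the commit message. The new `{ node netif }` constraints in the following hunk reference `mlsnetrecvall`, which does not appear in this diff; confirm it is declared.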
@@ -457,7 +448,7 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se ( t1 == mlsprocwrite )); # these access vectors have no MLS restrictions -# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh} +# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem } @@ -739,4 +730,3 @@ mlsconstrain xextension use # these access vectors have no MLS restrictions # association { sendto recvfrom } - diff --git a/strict/net_contexts b/strict/net_contexts index acf0301..49f6862 100644 --- a/strict/net_contexts +++ b/strict/net_contexts @@ -28,7 +28,7 @@ portcon tcp 19 system_u:object_r:inetd_child_port_t portcon udp 19 system_u:object_r:inetd_child_port_t portcon tcp 37 system_u:object_r:inetd_child_port_t portcon udp 37 system_u:object_r:inetd_child_port_t -portcon tcp 113 system_u:object_r:inetd_child_port_t +portcon tcp 113 system_u:object_r:auth_port_t portcon tcp 512 system_u:object_r:inetd_child_port_t portcon tcp 543 system_u:object_r:inetd_child_port_t portcon tcp 544 system_u:object_r:inetd_child_port_t diff --git a/strict/users b/strict/users index dac2092..19e6842 100644 --- a/strict/users +++ b/strict/users @@ -47,4 +47,4 @@ user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') }; #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') }; # sample for regular user -#user jdoe roles { user_r }; +#user jdoe roles { user_r };
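Review bot: Relabelling tcp port 113 from `inetd_child_port_t` to `auth_port_t` means any domain that was allowed to bind `inetd_child_port_t` and previously served 113 will now be denied unless it is also granted `auth_port_t`; the hunk shows no matching rule change, so confirm the serving domain's policy was updated alongside. A short comment on the portcon line (`# 113/tcp: ident, served by <domain, TODO confirm>`) would make the intent visible next time this table is edited.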