diff --git a/policy-20070501.patch b/policy-20070501.patch index 233296f..77479b4 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -483,7 +483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota selinux_get_enforce_mode(logrotate_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.6.4/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/logwatch.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/logwatch.te 2007-06-18 12:01:25.000000000 -0400 @@ -30,7 +30,6 @@ allow logwatch_t self:process signal; allow logwatch_t self:fifo_file rw_file_perms; @@ -492,7 +492,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t) manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t) -@@ -63,6 +62,8 @@ +@@ -42,6 +41,9 @@ + manage_files_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t) + files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) + ++init_read_utmp(logwatch_t) ++init_dontaudit_write_utmp(logwatch_t) ++ + kernel_read_fs_sysctls(logwatch_t) + kernel_read_kernel_sysctls(logwatch_t) + kernel_read_system_state(logwatch_t) +@@ -63,6 +65,8 @@ files_search_mnt(logwatch_t) files_dontaudit_search_home(logwatch_t) files_dontaudit_search_boot(logwatch_t) @@ -501,7 +511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) -@@ -83,8 +84,6 @@ +@@ -83,8 +87,6 @@ selinux_dontaudit_getattr_dir(logwatch_t) 
@@ -510,7 +520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc userdom_dontaudit_search_sysadm_home_dirs(logwatch_t) userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t) -@@ -95,6 +94,10 @@ +@@ -95,6 +97,10 @@ ') optional_policy(` @@ -521,7 +531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc avahi_dontaudit_search_pid(logwatch_t) ') -@@ -116,14 +119,6 @@ +@@ -116,14 +122,6 @@ ') optional_policy(` @@ -536,7 +546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ntp_domtrans(logwatch_t) ') -@@ -133,4 +128,5 @@ +@@ -133,4 +131,5 @@ optional_policy(` samba_read_log(logwatch_t) @@ -872,8 +882,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.6.4/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/usermanage.te 2007-06-18 10:18:55.000000000 -0400 -@@ -184,7 +184,7 @@ ++++ serefpolicy-2.6.4/policy/modules/admin/usermanage.te 2007-06-19 09:05:35.000000000 -0400 +@@ -99,6 +99,7 @@ + dev_read_urand(chfn_t) + + auth_domtrans_chk_passwd(chfn_t) ++auth_domtrans_upd_passwd(chfn_t) + auth_dontaudit_read_shadow(chfn_t) + + # allow checking if a shell is executable +@@ -184,7 +185,7 @@ # Groupadd local policy # 
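Review bot: `auth_domtrans_upd_passwd(chfn_t)` is added two lines above `auth_dontaudit_read_shadow(chfn_t)`, so a domain that is deliberately kept from reading the shadow file can now enter the helper domain that updates it, and nothing in the hunk says why chfn/chsh need more than `auth_domtrans_chk_passwd`. If this is because pam_unix runs the update helper during its password-change phase, record that on the new line: `auth_domtrans_upd_passwd(chfn_t) # pam_unix execs the update helper for chauthtok, not only for chk_passwd`. If the helper is merely probed, a dontaudit on its exec would be the tighter choice. The chfn_t rule block starts and ends outside this hunk.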
@@ -882,7 +900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; -@@ -198,7 +198,6 @@ +@@ -198,7 +199,6 @@ allow groupadd_t self:unix_stream_socket create_stream_socket_perms; allow groupadd_t self:unix_dgram_socket sendto; allow groupadd_t self:unix_stream_socket connectto; @@ -890,7 +908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman fs_getattr_xattr_fs(groupadd_t) fs_search_auto_mountpoints(groupadd_t) -@@ -231,6 +230,7 @@ +@@ -231,6 +231,7 @@ corecmd_exec_bin(groupadd_t) logging_send_syslog_msg(groupadd_t) @@ -898,7 +916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman miscfiles_read_localization(groupadd_t) -@@ -252,8 +252,13 @@ +@@ -252,8 +253,13 @@ ') optional_policy(` @@ -912,7 +930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') ######################################## -@@ -261,7 +266,7 @@ +@@ -261,7 +267,7 @@ # Passwd local policy # @@ -921,7 +939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:fd use; -@@ -271,7 +276,6 @@ +@@ -271,7 +277,6 @@ allow passwd_t self:unix_stream_socket create_stream_socket_perms; allow passwd_t self:unix_dgram_socket sendto; allow passwd_t self:unix_stream_socket connectto; 
@@ -929,7 +947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; -@@ -324,6 +328,7 @@ +@@ -324,6 +329,7 @@ libs_use_shared_libs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -937,7 +955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman miscfiles_read_localization(passwd_t) -@@ -343,6 +348,7 @@ +@@ -343,6 +349,7 @@ optional_policy(` nscd_socket_use(passwd_t) @@ -945,7 +963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') ######################################## -@@ -396,6 +402,8 @@ +@@ -396,6 +403,8 @@ auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) @@ -954,7 +972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # allow vipw to exec the editor corecmd_exec_bin(sysadm_passwd_t) corecmd_exec_shell(sysadm_passwd_t) -@@ -412,6 +420,7 @@ +@@ -412,6 +421,7 @@ # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -962,7 +980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman libs_use_ld_so(sysadm_passwd_t) libs_use_shared_libs(sysadm_passwd_t) -@@ -433,6 +442,7 @@ +@@ -433,6 +443,7 @@ optional_policy(` nscd_socket_use(sysadm_passwd_t) @@ -970,7 +988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') ######################################## -@@ -440,7 +450,7 @@ +@@ -440,7 +451,7 @@ # Useradd local policy # 
@@ -979,7 +997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -454,7 +464,6 @@ +@@ -454,7 +465,6 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -987,7 +1005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -500,6 +509,7 @@ +@@ -500,6 +510,7 @@ libs_use_shared_libs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -995,7 +1013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman miscfiles_read_localization(useradd_t) -@@ -508,6 +518,9 @@ +@@ -508,6 +519,9 @@ seutil_read_default_contexts(useradd_t) seutil_domtrans_semanage(useradd_t) seutil_domtrans_restorecon(useradd_t) @@ -1005,7 +1023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman userdom_use_unpriv_users_fds(useradd_t) # for when /root is the cwd -@@ -521,11 +534,26 @@ +@@ -521,11 +535,26 @@ mta_manage_spool(useradd_t) optional_policy(` 
@@ -1322,6 +1340,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if s ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-2.6.4/policy/modules/apps/userhelper.if +--- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-05-07 14:51:02.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/apps/userhelper.if 2007-06-19 09:05:14.000000000 -0400 +@@ -131,6 +131,7 @@ + term_use_all_user_ptys($1_userhelper_t) + + auth_domtrans_chk_passwd($1_userhelper_t) ++ auth_domtrans_upd_passwd($1_userhelper_t) + auth_manage_pam_pid($1_userhelper_t) + auth_manage_var_auth($1_userhelper_t) + auth_search_pam_console_data($1_userhelper_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-06-18 10:18:55.000000000 -0400 @@ -2631,7 +2660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-06-19 09:08:16.000000000 -0400 @@ -47,6 +47,13 @@ ## Allow http daemon to tcp connect ##

@@ -2720,7 +2749,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(httpd_t) term_dontaudit_use_generic_ptys(httpd_t) -@@ -389,6 +426,14 @@ +@@ -382,6 +419,7 @@ + # + tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chk_passwd(httpd_t) ++ auth_domtrans_upd_passwd(httpd_t) + ') + ') + +@@ -389,6 +427,14 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -2735,7 +2772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -416,6 +461,10 @@ +@@ -416,6 +462,10 @@ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms; ') @@ -2746,7 +2783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -433,11 +482,21 @@ +@@ -433,11 +483,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -2768,7 +2805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -668,6 +727,12 @@ +@@ -668,6 +728,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -2781,7 +2818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -706,7 +771,8 @@ +@@ -706,7 +772,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; 
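Review bot: `auth_domtrans_upd_passwd(httpd_t)` inside the `allow_httpd_mod_auth_pam` tunable means a network-facing web server domain can, when the boolean is on, transition into the helper domain that rewrites the shadow file, which is a larger grant than the boolean's name ("mod_auth_pam" implies authentication) suggests. The tunable's description lives in the `gen_tunable` block outside this hunk and should be updated to say that enabling it also permits password updates, not just checks. At minimum add a why-comment on the new line, e.g. `auth_domtrans_upd_passwd(httpd_t) # pam_unix may exec the update helper; this grants shadow write via the helper domain`. Whether mod_auth_pam ever drives a password change cannot be confirmed from this hunk, so if it does not, dropping the rule is preferable to documenting it.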
@@ -2791,7 +2828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -720,6 +786,8 @@ +@@ -720,6 +787,8 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -2800,7 +2837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file { getattr append }; ') -@@ -730,11 +798,21 @@ +@@ -730,11 +799,21 @@ ') ') @@ -2822,7 +2859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -788,3 +866,19 @@ +@@ -788,3 +867,19 @@ term_dontaudit_use_generic_ptys(httpd_rotatelogs_t) term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t) ') @@ -2885,8 +2922,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-2.6.4/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-06-18 10:24:44.000000000 -0400 -@@ -24,6 +24,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-06-19 09:29:01.000000000 -0400 +@@ -16,6 +16,9 @@ + type apcupsd_log_t; + logging_log_file(apcupsd_log_t) + ++type apcupsd_tmp_t; ++files_tmp_file(apcupsd_tmp_t) ++ + type apcupsd_var_run_t; + files_pid_file(apcupsd_var_run_t) + +@@ -24,6 +27,7 @@ # apcupsd local policy # 
@@ -2894,7 +2941,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; -@@ -38,13 +39,16 @@ +@@ -35,16 +39,23 @@ + manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t) + logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir }) + ++manage_files_pattern(apcupsd_t,apcupsd_tmp_t,apcupsd_tmp_t) ++files_tmp_filetrans(apcupsd_t,apcupsd_tmp_t,file) ++ manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t) files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file) @@ -2910,10 +2963,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu -#corenet_sendrecv_apcupsd_server_packets(apcupsd_t) +corenet_tcp_bind_apcupsd_port(apcupsd_t) +corenet_sendrecv_apcupsd_server_packets(apcupsd_t) ++corenet_tcp_connect_apcupsd_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) -@@ -54,6 +58,12 @@ +@@ -54,6 +65,12 @@ files_read_etc_files(apcupsd_t) files_search_locks(apcupsd_t) @@ -2926,7 +2980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu libs_use_ld_so(apcupsd_t) libs_use_shared_libs(apcupsd_t) -@@ -61,7 +71,35 @@ +@@ -61,7 +78,39 @@ miscfiles_read_localization(apcupsd_t) @@ -2940,6 +2994,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +term_dontaudit_use_generic_ptys(apcupsd_t) + +optional_policy(` ++ hostname_exec(apcupsd_t) ++') ++ ++optional_policy(` + mta_send_mail(apcupsd_t) ') + 
@@ -3086,8 +3144,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-06-18 10:18:55.000000000 -0400 -@@ -236,6 +236,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-06-18 12:03:41.000000000 -0400 +@@ -119,6 +119,10 @@ + corenet_sendrecv_rndc_server_packets(named_t) + corenet_sendrecv_rndc_client_packets(named_t) + ++#dnsmasq ++corenet_tcp_bind_dhcpd_port(named_t) ++corenet_udp_bind_dhcpd_port(named_t) ++ + dev_read_sysfs(named_t) + dev_read_rand(named_t) + +@@ -236,6 +240,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) @@ -3172,6 +3241,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + unconfined_ptrace(consolekit_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-2.6.4/policy/modules/services/courier.te +--- nsaserefpolicy/policy/modules/services/courier.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/courier.te 2007-06-19 09:01:34.000000000 -0400 +@@ -58,6 +58,7 @@ + files_getattr_tmp_dirs(courier_authdaemon_t) + + auth_domtrans_chk_passwd(courier_authdaemon_t) ++auth_domtrans_upd_passwd(courier_authdaemon_t) + + libs_read_lib_files(courier_authdaemon_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.6.4/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/cron.fc 2007-06-18 10:18:55.000000000 -0400 
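Review bot: `corenet_tcp_bind_dhcpd_port(named_t)` and `corenet_udp_bind_dhcpd_port(named_t)` apply to every process in named_t, so BIND itself, not only whatever the bare `#dnsmasq` comment refers to, may now bind the DHCP server ports and answer DHCP on the network. The comment appears to mean that dnsmasq runs in named_t, but that is inferred; if so, a dedicated dnsmasq domain or a tunable around these two rules would keep the grant off the BIND daemon. Until then, expand the comment so the scope is explicit: `# dnsmasq is labeled named_t and serves DHCP; this also lets BIND bind the dhcpd ports`. The named_t rule block starts and ends outside this hunk.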
@@ -3293,7 +3373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # fcron wants an instant update of a crontab change for the administrator diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-06-18 11:40:38.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-06-19 13:05:07.000000000 -0400 @@ -42,6 +42,9 @@ type cron_log_t; logging_log_file(cron_log_t) @@ -3364,15 +3444,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron domain_use_interactive_fds(crond_t) files_read_etc_files(crond_t) -@@ -152,6 +168,7 @@ +@@ -152,6 +168,8 @@ libs_use_shared_libs(crond_t) logging_send_syslog_msg(crond_t) +logging_send_audit_msg(crond_t) ++logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -165,6 +182,12 @@ +@@ -165,6 +183,12 @@ mta_send_mail(crond_t) @@ -3385,7 +3466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` optional_policy(` # Debian logcheck has the home dir set to its cache -@@ -185,34 +208,9 @@ +@@ -185,34 +209,9 @@ locallogin_link_keys(crond_t) ') @@ -3423,7 +3504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file manage_file_perms; -@@ -232,11 +230,7 @@ +@@ -232,11 +231,7 @@ ') optional_policy(` @@ -3436,7 +3517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -258,17 +252,26 @@ +@@ -258,17 +253,26 @@ # System cron process domain # 
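Review bot: `logging_set_loginuid(crond_t)` lets crond change the audit login uid, which decides how every later audit record of a job is attributed, and the new line carries no comment saying why crond needs it. This looks like the usual pam_loginuid case (crond opening a PAM session per job), but the hunk does not show that; document the intent on the line, e.g. `logging_set_loginuid(crond_t) # pam_loginuid: tag each job's audit records with the crontab owner`. Keep the grant on crond_t only; the job domains such as system_crond_t touched elsewhere in this patch should not acquire it. The crond_t rule block starts outside this hunk.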
@@ -3463,7 +3544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # cjp: why? squid_domtrans(system_crond_t) ') -@@ -369,7 +372,7 @@ +@@ -369,7 +373,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -3472,7 +3553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron libs_use_ld_so(system_crond_t) libs_use_shared_libs(system_crond_t) -@@ -428,6 +431,10 @@ +@@ -428,6 +432,10 @@ ') optional_policy(` @@ -3496,7 +3577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-06-19 09:01:44.000000000 -0400 @@ -93,8 +93,6 @@ # generic socket here until appletalk socket is available in kernels allow cupsd_t self:socket create_socket_perms; @@ -3518,7 +3599,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_rw_printer(cupsd_t) dev_read_urand(cupsd_t) -@@ -214,6 +214,7 @@ +@@ -177,6 +177,7 @@ + term_search_ptys(cupsd_t) + + auth_domtrans_chk_passwd(cupsd_t) ++auth_domtrans_upd_passwd(cupsd_t) + auth_dontaudit_read_pam_pid(cupsd_t) + + # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +@@ -214,6 +215,7 @@ libs_read_lib_files(cupsd_t) logging_send_syslog_msg(cupsd_t) @@ -3526,7 +3615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts -@@ -223,6 +224,7 @@ +@@ -223,6 +225,7 @@ sysnet_read_config(cupsd_t) 
@@ -3534,7 +3623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_all_users_home_content(cupsd_t) -@@ -284,6 +286,10 @@ +@@ -284,6 +287,10 @@ ') optional_policy(` @@ -3545,7 +3634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups nscd_socket_use(cupsd_t) ') -@@ -294,6 +300,10 @@ +@@ -294,6 +301,10 @@ ') optional_policy(` @@ -3558,7 +3647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.6.4/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cvs.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cvs.te 2007-06-19 09:01:50.000000000 -0400 @@ -16,6 +16,7 @@ type cvs_t; type cvs_exec_t; @@ -3567,6 +3656,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. role system_r types cvs_t; type cvs_data_t; # customizable +@@ -67,6 +68,7 @@ + fs_getattr_xattr_fs(cvs_t) + + auth_domtrans_chk_passwd(cvs_t) ++auth_domtrans_upd_passwd(cvs_t) + + corecmd_exec_bin(cvs_t) + corecmd_exec_shell(cvs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-2.6.4/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/cyrus.te 2007-06-18 10:18:55.000000000 -0400 
@@ -3741,7 +3838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-2.6.4/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/dhcp.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/dhcp.te 2007-06-18 12:03:07.000000000 -0400 @@ -119,6 +119,8 @@ dbus_system_bus_client_template(dhcpd,dhcpd_t) dbus_connect_system_bus(dhcpd_t) @@ -3975,8 +4072,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-06-18 10:18:55.000000000 -0400 -@@ -168,6 +168,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-06-19 09:01:13.000000000 -0400 +@@ -156,6 +156,7 @@ + + auth_use_nsswitch(ftpd_t) + auth_domtrans_chk_passwd(ftpd_t) ++auth_domtrans_upd_passwd(ftpd_t) + # Append to /var/log/wtmp. + auth_append_login_records(ftpd_t) + #kerberized ftp requires the following +@@ -168,6 +169,7 @@ libs_use_shared_libs(ftpd_t) logging_send_syslog_msg(ftpd_t) @@ -3984,7 +4089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. miscfiles_read_localization(ftpd_t) miscfiles_read_public_files(ftpd_t) -@@ -223,10 +224,15 @@ +@@ -223,10 +225,15 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) 
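Review bot: `auth_domtrans_upd_passwd(ftpd_t)` gives a daemon that accepts unauthenticated network connections a transition into the helper domain that writes the shadow file, and the surrounding context (`auth_use_nsswitch`, `auth_domtrans_chk_passwd`, `auth_append_login_records`) only shows a need to verify logins. If the reason is pam_unix handling expired passwords during ftp login, say so on the line: `auth_domtrans_upd_passwd(ftpd_t) # pam_unix execs the update helper during chauthtok`. Otherwise consider gating it behind a tunable, as this same patch does for httpd_t with `allow_httpd_mod_auth_pam`, rather than granting it unconditionally. The ftpd_t rule block starts and ends outside this hunk.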
@@ -4487,6 +4592,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## Allow domain to read mailman archive files. ## ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-2.6.4/policy/modules/services/mailman.te +--- nsaserefpolicy/policy/modules/services/mailman.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/mailman.te 2007-06-19 09:02:05.000000000 -0400 +@@ -96,6 +96,7 @@ + kernel_read_proc_symlinks(mailman_queue_t) + + auth_domtrans_chk_passwd(mailman_queue_t) ++auth_domtrans_upd_passwd(mailman_queue_t) + + files_dontaudit_search_pids(mailman_queue_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-2.6.4/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/mailscanner.fc 2007-06-18 10:18:55.000000000 -0400 @@ -5150,7 +5266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.6.4/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/pegasus.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/pegasus.te 2007-06-19 09:02:12.000000000 -0400 @@ -38,8 +38,6 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms; allow pegasus_t self:tcp_socket create_stream_socket_perms; 
@@ -5160,10 +5276,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega allow pegasus_t pegasus_conf_t:dir rw_dir_perms; allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; -@@ -96,13 +94,12 @@ +@@ -96,13 +94,13 @@ auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) ++auth_domtrans_upd_passwd(pegasus_t) +auth_read_shadow(pegasus_t) domain_use_interactive_fds(pegasus_t) @@ -5176,7 +5293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) -@@ -116,6 +113,7 @@ +@@ -116,6 +114,7 @@ miscfiles_read_localization(pegasus_t) sysnet_read_config(pegasus_t) @@ -5184,7 +5301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_sysadm_home_dirs(pegasus_t) -@@ -129,6 +127,7 @@ +@@ -129,6 +128,7 @@ optional_policy(` logging_send_syslog_msg(pegasus_t) 
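Review bot: `auth_domtrans_upd_passwd(pegasus_t)` lands directly above the existing `auth_read_shadow(pegasus_t)`, so the CIM server domain now both reads the shadow file directly and can enter the helper domain that rewrites it, with no comment explaining either. If pegasus genuinely performs password changes for its clients, state that on the new line: `auth_domtrans_upd_passwd(pegasus_t) # pegasus changes account passwords via the update helper`; if it only authenticates, the transition is unnecessary alongside direct shadow read. Which of these holds cannot be determined from this hunk. The pegasus_t rule block starts and ends outside this hunk.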
@@ -5192,6 +5309,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-2.6.4/policy/modules/services/portslave.te +--- nsaserefpolicy/policy/modules/services/portslave.te 2007-05-07 14:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/portslave.te 2007-06-19 09:02:18.000000000 -0400 +@@ -84,6 +84,7 @@ + + auth_rw_login_records(portslave_t) + auth_domtrans_chk_passwd(portslave_t) ++auth_domtrans_upd_passwd(portslave_t) + + init_rw_utmp(portslave_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-2.6.4/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/postfix.fc 2007-06-18 10:18:55.000000000 -0400 @@ -5527,8 +5655,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-2.6.4/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/radius.te 2007-06-18 10:18:55.000000000 -0400 -@@ -130,3 +130,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/radius.te 2007-06-19 09:02:24.000000000 -0400 +@@ -81,6 +81,7 @@ + + auth_read_shadow(radiusd_t) + auth_domtrans_chk_passwd(radiusd_t) ++auth_domtrans_upd_passwd(radiusd_t) + + corecmd_exec_bin(radiusd_t) + corecmd_exec_shell(radiusd_t) +@@ -130,3 +131,7 @@ optional_policy(` udev_read_db(radiusd_t) ') 
@@ -5549,8 +5685,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb xserver_kill_xdm_xserver(rhgb_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.6.4/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/ricci.te 2007-06-18 11:07:45.000000000 -0400 -@@ -328,6 +328,10 @@ ++++ serefpolicy-2.6.4/policy/modules/services/ricci.te 2007-06-19 09:02:30.000000000 -0400 +@@ -137,6 +137,7 @@ + files_create_boot_flag(ricci_t) + + auth_domtrans_chk_passwd(ricci_t) ++auth_domtrans_upd_passwd(ricci_t) + auth_append_login_records(ricci_t) + + init_dontaudit_stream_connect_script(ricci_t) +@@ -328,6 +329,10 @@ ') optional_policy(` @@ -5812,6 +5956,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-2.6.4/policy/modules/services/rshd.te +--- nsaserefpolicy/policy/modules/services/rshd.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2007-06-19 09:02:43.000000000 -0400 +@@ -44,6 +44,7 @@ + selinux_compute_user_contexts(rshd_t) + + auth_domtrans_chk_passwd(rshd_t) ++auth_domtrans_upd_passwd(rshd_t) + + corecmd_read_bin_symlinks(rshd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.6.4/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/rsync.te 2007-06-18 10:18:55.000000000 -0400 
@@ -6101,7 +6256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-06-19 09:03:00.000000000 -0400 @@ -28,6 +28,35 @@ ## gen_tunable(samba_share_nfs,false) @@ -6196,7 +6351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) dev_getattr_mtrr_dev(smbd_t) -@@ -265,11 +300,13 @@ +@@ -265,11 +300,14 @@ fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) @@ -6204,13 +6359,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) ++auth_domtrans_upd_passwd(smbd_t) domain_use_interactive_fds(smbd_t) +domain_dontaudit_list_all_domains_state(smbd_t) files_list_var_lib(smbd_t) files_read_etc_files(smbd_t) -@@ -296,6 +333,12 @@ +@@ -296,6 +334,12 @@ userdom_dontaudit_use_unpriv_user_fds(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -6223,7 +6379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -319,6 +362,10 @@ +@@ -319,6 +363,10 @@ ') optional_policy(` @@ -6234,7 +6390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -339,6 +386,23 @@ +@@ -339,6 +387,23 @@ udev_read_db(smbd_t) ') 
@@ -6258,7 +6414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # nmbd Local policy -@@ -352,7 +416,7 @@ +@@ -352,7 +417,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -6267,7 +6423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -362,9 +426,12 @@ +@@ -362,9 +427,12 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) @@ -6281,7 +6437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) allow nmbd_t samba_log_t:dir setattr; -@@ -391,6 +458,7 @@ +@@ -391,6 +459,7 @@ corenet_udp_bind_nmbd_port(nmbd_t) corenet_sendrecv_nmbd_server_packets(nmbd_t) corenet_sendrecv_nmbd_client_packets(nmbd_t) @@ -6289,7 +6445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(nmbd_t) dev_getattr_mtrr_dev(nmbd_t) -@@ -457,6 +525,7 @@ +@@ -457,6 +526,7 @@ allow smbmount_t samba_secrets_t:file manage_file_perms; @@ -6297,7 +6453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbmount_t samba_var_t:dir rw_dir_perms; manage_files_pattern(smbmount_t,samba_var_t,samba_var_t) manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t) -@@ -514,7 +583,7 @@ +@@ -514,7 +584,7 @@ userdom_use_sysadm_ttys(smbmount_t) optional_policy(` 
@@ -6306,7 +6462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -534,7 +603,6 @@ +@@ -534,7 +604,6 @@ allow swat_t self:process signal_perms; allow swat_t self:fifo_file rw_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; @@ -6314,7 +6470,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; allow swat_t self:netlink_route_socket r_netlink_socket_perms; -@@ -625,6 +693,8 @@ +@@ -588,6 +657,7 @@ + fs_getattr_xattr_fs(swat_t) + + auth_domtrans_chk_passwd(swat_t) ++auth_domtrans_upd_passwd(swat_t) + + libs_use_ld_so(swat_t) + libs_use_shared_libs(swat_t) +@@ -625,6 +695,8 @@ # Winbind local policy # @@ -6323,7 +6487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process signal_perms; allow winbind_t self:fifo_file { read write }; -@@ -634,10 +704,15 @@ +@@ -634,10 +706,15 @@ allow winbind_t self:tcp_socket create_stream_socket_perms; allow winbind_t self:udp_socket create_socket_perms; @@ -6339,7 +6503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t) filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file) -@@ -645,6 +720,8 @@ +@@ -645,6 +722,8 @@ manage_files_pattern(winbind_t,samba_log_t,samba_log_t) manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t) 
@@ -6348,7 +6512,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_files_pattern(winbind_t,samba_var_t,samba_var_t) manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t) -@@ -736,6 +813,7 @@ +@@ -683,6 +762,7 @@ + fs_search_auto_mountpoints(winbind_t) + + auth_domtrans_chk_passwd(winbind_t) ++auth_domtrans_upd_passwd(winbind_t) + + domain_use_interactive_fds(winbind_t) + +@@ -736,6 +816,7 @@ read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) @@ -6356,7 +6528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_helper_t samba_var_t:dir search; stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) -@@ -764,3 +842,23 @@ +@@ -764,3 +845,23 @@ squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) ') @@ -6745,6 +6917,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp udev_read_db(tftpd_t) ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-2.6.4/policy/modules/services/uwimap.te +--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-05-07 14:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/uwimap.te 2007-06-19 09:03:07.000000000 -0400 +@@ -63,6 +63,7 @@ + fs_search_auto_mountpoints(imapd_t) + + auth_domtrans_chk_passwd(imapd_t) ++auth_domtrans_upd_passwd(imapd_t) + + libs_use_ld_so(imapd_t) + libs_use_shared_libs(imapd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-2.6.4/policy/modules/services/w3c.fc --- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/w3c.fc 2007-06-18 10:18:55.000000000 -0400 
@@ -6930,7 +7113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.4/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-06-19 09:04:26.000000000 -0400 @@ -27,11 +27,9 @@ domain_type($1_chkpwd_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t) @@ -7016,7 +7199,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) -@@ -211,9 +212,11 @@ +@@ -207,13 +208,16 @@ + mls_fd_share_all_levels($1) + + auth_domtrans_chk_passwd($1) ++ auth_domtrans_upd_passwd($1) + auth_dontaudit_read_shadow($1) auth_read_login_records($1) auth_append_login_records($1) auth_rw_lastlog($1) @@ -7029,7 +7217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_rw_utmp($1) logging_send_syslog_msg($1) -@@ -221,6 +224,7 @@ +@@ -221,6 +225,7 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -7037,7 +7225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -320,10 +324,6 @@ +@@ -320,10 +325,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -7048,7 +7236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -357,6 +357,37 @@ +@@ -357,6 +358,37 @@ ######################################## ## 
@@ -7086,7 +7274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -1391,3 +1422,114 @@ +@@ -1391,3 +1423,114 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -7762,7 +7950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-06-19 08:52:19.000000000 -0400 @@ -81,8 +81,8 @@ /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -7791,6 +7979,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -254,6 +257,8 @@ + /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib(64)?/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + # vmware diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-06-18 10:18:55.000000000 -0400 @@ -8332,7 +8529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-06-19 09:43:34.000000000 -0400 @@ -9,6 +9,13 @@ ifdef(`targeted_policy',` ## 
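Review bot: The new `/usr/lib(64)?/libdvdcss\.so.*` entry ends in an unescaped `.` followed by `*`, so the suffix is unbounded and can also match a further path component, whereas every neighbouring entry bounds the version suffix with `\.so(\.[^/]*)*` or names it literally as `\.so\.0`. For consistency with the file and to limit the label to the library and its versioned names, `/usr/lib(64)?/libdvdcss\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` follows the established convention.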
@@ -8387,9 +8584,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ') -@@ -205,3 +222,53 @@ +@@ -204,4 +221,58 @@ + ifdef(`targeted_policy',` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) ++ optional_policy(` ++ hal_dbus_chat(unconfined_mount_t) ++ ') ++ ') + +######################################## @@ -8757,6 +8959,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-2.6.4/policy/modules/system/sysnetwork.if +--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-05-07 14:51:02.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.if 2007-06-18 15:37:29.000000000 -0400 +@@ -520,6 +520,9 @@ + + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; ++ ++ # LDAP Configuration using encrypted requires ++ dev_read_urand($1) + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.6.4/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-06-18 10:18:55.000000000 -0400 @@ -8971,7 +9186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-06-18 10:18:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-06-19 09:42:56.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # 
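Review bot: The comment added above `dev_read_urand($1)` in the sysnetwork.if hunk, `# LDAP Configuration using encrypted requires`, is missing its object and reads as truncated. Because this interface is reached by every domain that reads the network configuration, the comment is the only record of why all of them gain urandom access, so it should state the reason completely, e.g. `# LDAP configuration over encrypted connections requires reading urandom`. The enclosing interface starts outside this hunk.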
@@ -9806,8 +10021,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.6.4/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/xen.if 2007-06-18 10:18:55.000000000 -0400 -@@ -72,12 +72,35 @@ ++++ serefpolicy-2.6.4/policy/modules/system/xen.if 2007-06-19 11:35:35.000000000 -0400 +@@ -72,12 +72,34 @@ ') logging_search_logs($1) @@ -9833,9 +10048,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + ') + + logging_search_logs($1) -+ allow $1 xend_var_log_t:dir create_dir_perms; -+ allow $1 xend_var_log_t:file create_file_perms; -+ dontaudit $1 xend_var_log_t:file write; ++ manage_dirs_pattern($1,xend_var_log_t,xend_var_log_t) ++ manage_files_pattern($1,xend_var_log_t,xend_var_log_t) +') + +######################################## @@ -9843,7 +10057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ## Do not audit attempts to read and write ## Xen unix domain stream sockets. These ## are leaked file descriptors. -@@ -151,3 +174,25 @@ +@@ -151,3 +173,25 @@ domtrans_pattern($1,xm_exec_t,xm_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 754d929..6cdaea1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 17%{?dist} +Release: 18%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -360,6 +360,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Tue Jun 19 2007 Dan Walsh 2.6.4-18 +- Fix udev for xen again +- Allow cron to set loginuid + * Thu Jun 14 2007 Dan Walsh 2.6.4-17 - Allow udev to manage xen logs
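Review bot: Replacing the `create_dir_perms`/`create_file_perms` allows and the `dontaudit $1 xend_var_log_t:file write;` with `manage_dirs_pattern`/`manage_files_pattern` gives `$1` write, unlink and rename on the Xen log files, where the previous revision deliberately stopped at create and only silenced write attempts. If the caller (udev, going by the changelog entries) only has to create log files and append to them, `create_files_pattern($1,xend_var_log_t,xend_var_log_t)` plus `append_files_pattern($1,xend_var_log_t,xend_var_log_t)` keeps the grant narrower; if full management is genuinely needed, the interface's `## <summary>` should say "manage" so callers are not surprised by the scope. The enclosing interface, including its summary block, starts outside this hunk.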