diff --git a/booleans-mls.conf b/booleans-mls.conf
index ed149cd..4367df5 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -231,3 +231,8 @@ xserver_object_manager = true
# System uses init upstart program
#
init_upstart = true
+
+#
+# Allow sysadm to become security admin.
+#
+allow_sysadm_manage_security = false
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index c966911..7cb5de0 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -274,4 +274,5 @@ nscd_use_shm = true
# Allow fenced domain to connect to the network using TCP.
#
fenced_can_network_connect=false
+
virt_use_sysfs = true
diff --git a/policy-F13.patch b/policy-F13.patch
index e72ea26..1c933f8 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -7988,8 +7988,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-03-16 09:27:13.618107000 +0000
-@@ -0,0 +1,477 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-04-04 18:36:33.935000001 +0000
+@@ -0,0 +1,478 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8141,6 +8141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+files_read_usr_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
+files_dontaudit_search_all_dirs(sandbox_domain)
++files_dontaudit_list_all_mountpoints(sandbox_x_domain)
+
+miscfiles_read_localization(sandbox_domain)
+
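Review bot: The new `files_dontaudit_list_all_mountpoints(sandbox_x_domain)` in the sandbox.te hunk sits in a run of rules that all apply to `sandbox_domain`, so it either names the wrong attribute or is misplaced. If every sandbox type should get the dontaudit, change it to `files_dontaudit_list_all_mountpoints(sandbox_domain)`; if it is deliberately X-only, move it next to the other sandbox_x_domain rules and add a one-line comment saying why only the X sandboxes list mountpoints. A dontaudit suppresses denials rather than granting access, so either choice is low risk, but the mismatch makes the rule easy to misread in a later policy audit.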
@@ -10011,16 +10012,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.19/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2011-02-08 15:55:14.029796002 +0000 -@@ -17,6 +17,7 @@ ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2011-04-04 18:46:56.678000001 +0000 +@@ -17,8 +17,10 @@ /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) +/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -70,6 +71,7 @@ + /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -70,6 +72,7 @@ /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) 
@@ -10028,7 +10032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) -@@ -108,10 +110,12 @@ +@@ -108,10 +111,12 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) @@ -10041,7 +10045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -163,6 +167,7 @@ +@@ -163,6 +168,7 @@ /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) @@ -10049,7 +10053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -186,3 +191,8 @@ +@@ -186,3 +192,8 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') 
@@ -13413,7 +13417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin +dev_node(virtio_device_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.19/policy/modules/roles/auditadm.te --- nsaserefpolicy/policy/modules/roles/auditadm.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/roles/auditadm.te 2011-02-07 16:38:06.752796002 +0000 ++++ serefpolicy-3.7.19/policy/modules/roles/auditadm.te 2011-04-05 18:03:01.248000002 +0000 @@ -23,16 +23,21 @@ domain_kill_all_domains(auditadm_t) @@ -13436,6 +13440,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad optional_policy(` consoletype_exec(auditadm_t) ') +@@ -43,6 +48,7 @@ + + optional_policy(` + screen_role_template(auditadm, auditadm_r, auditadm_t) ++ allow auditadm_screen_t self:capability { dac_read_search dac_override }; + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.19/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-10-01 13:18:58.000000000 +0000 @@ -13463,7 +13475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t +gen_user(guest_u, user, guest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.7.19/policy/modules/roles/secadm.te --- nsaserefpolicy/policy/modules/roles/secadm.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/roles/secadm.te 2010-05-28 07:42:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/roles/secadm.te 2011-04-05 18:02:34.478000001 +0000 @@ -10,6 +10,8 @@ userdom_unpriv_user_template(secadm) 
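Review bot: `allow auditadm_screen_t self:capability { dac_read_search dac_override };` in the auditadm.te hunk gives the screen helper of a privileged role both DAC-bypass capabilities with no comment on which access triggered it; the same line is added for `secadm_screen_t` in the secadm.te hunk that follows. `dac_override` also bypasses DAC on writes, so if the motivating denial was only a read or search of a root-owned directory, `dac_read_search` alone covers it and the wider capability should be dropped. Please record the motivating denial above the rule, e.g. `# screen helper must traverse/read a root-owned dir (denial in bug <BUG-ID>)`, so the grant can be re-evaluated later.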
@@ -13473,6 +13485,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. ######################################## # +@@ -58,6 +60,7 @@ + + optional_policy(` + screen_role_template(secadm, secadm_r, secadm_t) ++ allow secadm_screen_t self:capability { dac_read_search dac_override }; + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2011-02-07 16:38:37.088796001 +0000 @@ -13680,8 +13700,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-03-08 15:16:37.182413000 +0000 -@@ -28,17 +28,31 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-04-05 19:09:49.889000002 +0000 +@@ -13,6 +13,13 @@ + ## + gen_tunable(allow_ptrace, false) + ++## ++##

++## Allow sysadm to become security admin. ++##

++##
++gen_tunable(allow_sysadm_manage_security, false) ++ + role sysadm_r; + + userdom_admin_user_template(sysadm) +@@ -28,17 +35,31 @@ corecmd_exec_shell(sysadm_t) @@ -13713,7 +13747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -56,6 +70,7 @@ +@@ -56,12 +77,25 @@ logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) @@ -13721,7 +13755,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') tunable_policy(`allow_ptrace',` -@@ -70,7 +85,9 @@ + domain_ptrace_all_domains(sysadm_t) + ') + ++ifdef(`enable_mls',` ++ tunable_policy(`allow_sysadm_manage_security',` ++ userdom_security_admin_template(sysadm_t, sysadm_r) ++ ++ logging_manage_audit_log(sysadm_t) ++ logging_manage_audit_config(sysadm_t) ++ logging_run_auditctl(sysadm_t, sysadm_r) ++ logging_run_auditd(sysadm_t, sysadm_r) ++ logging_stream_connect_syslog(sysadm_t) ++ ') ++') ++ + optional_policy(` + amanda_run_recover(sysadm_t, sysadm_r) + ') +@@ -70,7 +104,9 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -13732,7 +13784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -98,17 +115,25 @@ +@@ -98,17 +134,25 @@ bind_run_ndc(sysadm_t, sysadm_r) ') @@ -13758,7 +13810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` certwatch_run(sysadm_t, sysadm_r) -@@ -126,16 +151,18 @@ +@@ -126,16 +170,18 @@ consoletype_run(sysadm_t, sysadm_r) ') @@ -13779,7 +13831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -165,9 +192,11 @@ +@@ -165,9 +211,11 @@ ethereal_run_tethereal(sysadm_t, sysadm_r) ') 
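Review bot: The description for the new `allow_sysadm_manage_security` tunable says only "Allow sysadm to become security admin." and does not tell an operator what is given up by enabling it; the rule block in the `@@ -56,12 +77,25 @@` hunk further down applies `userdom_security_admin_template(sysadm_t, sysadm_r)` and grants audit log/config management, auditctl and auditd control, which is exactly the separation that secadm_r and auditadm_r exist to provide. Suggest expanding the tunable text to `## Allow sysadm to act as security admin and audit admin (removes the MLS separation between sysadm_r, secadm_r and auditadm_r; default off).` The tunable is also declared unconditionally while its rules are wrapped in `ifdef(`enable_mls',...)`, so on non-MLS builds the boolean exists but has no effect; a comment next to `gen_tunable` stating that it only takes effect in the MLS policy would avoid confusion on targeted systems.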
@@ -13791,7 +13843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` firstboot_run(sysadm_t, sysadm_r) -@@ -177,6 +206,7 @@ +@@ -177,6 +225,7 @@ fstools_run(sysadm_t, sysadm_r) ') @@ -13799,7 +13851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` games_role(sysadm_r, sysadm_t) ') -@@ -192,6 +222,7 @@ +@@ -192,6 +241,7 @@ optional_policy(` gpg_role(sysadm_r, sysadm_t) ') @@ -13807,7 +13859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` hostname_run(sysadm_t, sysadm_r) -@@ -205,6 +236,13 @@ +@@ -205,6 +255,13 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -13821,7 +13873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,12 +250,18 @@ +@@ -212,12 +269,18 @@ ') optional_policy(` @@ -13840,7 +13892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` kudzu_run(sysadm_t, sysadm_r) -@@ -227,9 +271,11 @@ +@@ -227,9 +290,11 @@ libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -13852,7 +13904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` logrotate_run(sysadm_t, sysadm_r) -@@ -252,8 +298,10 @@ +@@ -252,8 +317,10 @@ optional_policy(` mount_run(sysadm_t, sysadm_r) @@ -13863,7 +13915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mozilla_role(sysadm_r, sysadm_t) ') -@@ -261,6 +309,7 @@ +@@ -261,6 +328,7 @@ optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') @@ -13871,7 +13923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mta_role(sysadm_r, sysadm_t) -@@ -275,6 +324,10 @@ +@@ -275,6 +343,10 @@ ') optional_policy(` 
@@ -13882,7 +13934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) -@@ -308,8 +361,14 @@ +@@ -308,8 +380,14 @@ ') optional_policy(` @@ -13897,7 +13949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` quota_run(sysadm_t, sysadm_r) -@@ -319,9 +378,11 @@ +@@ -319,9 +397,11 @@ raid_domtrans_mdadm(sysadm_t) ') @@ -13909,7 +13961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rpc_domtrans_nfsd(sysadm_t) -@@ -331,9 +392,11 @@ +@@ -331,9 +411,11 @@ rpm_run(sysadm_t, sysadm_r) ') @@ -13921,7 +13973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rsync_exec(sysadm_t) -@@ -346,6 +409,7 @@ +@@ -346,6 +428,7 @@ optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -13929,7 +13981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -358,11 +422,18 @@ +@@ -358,8 +441,14 @@ ') optional_policy(` @@ -13944,11 +13996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -+ ssh_run_keygen(sysadm_t, sysadm_r) - ') - - optional_policy(` -@@ -382,9 +453,11 @@ +@@ -382,9 +471,11 @@ sysnet_run_dhcpc(sysadm_t, sysadm_r) ') @@ -13960,7 +14008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,23 +466,31 @@ +@@ -393,23 +484,31 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -13992,7 +14040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. unprivuser_role_change(sysadm_r) ') -@@ -417,9 +498,11 @@ +@@ -417,9 +516,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') 
@@ -14004,7 +14052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +510,15 @@ +@@ -427,9 +528,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -14020,7 +14068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +529,30 @@ +@@ -440,13 +547,30 @@ ') optional_policy(` @@ -23891,7 +23939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2011-02-07 13:53:03.122796000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2011-03-25 10:21:14.947630001 +0000 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -24102,7 +24150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -263,15 +320,30 @@ +@@ -263,15 +320,34 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` @@ -24132,6 +24180,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + # Handle sieve scripts + allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms; + sendmail_domtrans(dovecot_deliver_t) ++') ++ ++optional_policy(` ++ postfix_rw_master_pipes(dovecot_deliver_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.7.19/policy/modules/services/exim.fc --- nsaserefpolicy/policy/modules/services/exim.fc 2010-04-13 18:44:37.000000000 +0000 
@@ -24377,7 +24429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.19/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2011-03-16 14:35:12.605107001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2011-04-05 17:51:09.974000002 +0000 @@ -1,5 +1,43 @@ ## File transfer protocol service @@ -24413,10 +24465,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. +# +interface(`ftp_initrc_domtrans',` + gen_require(` -+ type ftp_initrc_exec_t; ++ type ftpd_initrc_exec_t; + ') + -+ init_labeled_script_domtrans($1, ftp_initrc_exec_t) ++ init_labeled_script_domtrans($1, ftpd_initrc_exec_t) +') + ######################################## @@ -27745,8 +27797,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.19/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-09-09 09:00:37.000000000 +0000 -@@ -144,6 +144,30 @@ ++++ serefpolicy-3.7.19/policy/modules/services/mta.if 2011-04-05 17:24:03.168000001 +0000 +@@ -104,6 +104,7 @@ + + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) ++ postfix_rw_master_pipes($1_mail_t) + ') + + optional_policy(` +@@ -144,6 +145,30 @@ ') ') @@ -27777,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## ## ## Role access for mta -@@ -176,6 +200,26 @@ +@@ -176,6 +201,26 @@ allow mta_user_agent $2:fifo_file { read write }; ') 
@@ -27804,7 +27864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## ## ## Make the specified domain usable for a mail server. -@@ -220,6 +264,25 @@ +@@ -220,6 +265,25 @@ application_executable_file($1) ') @@ -27830,7 +27890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## ## ## Make the specified type by a system MTA. -@@ -335,6 +398,7 @@ +@@ -335,6 +399,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) @@ -27838,7 +27898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ') -@@ -356,11 +420,35 @@ +@@ -356,11 +421,35 @@ ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; @@ -27874,7 +27934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -390,12 +478,51 @@ +@@ -390,12 +479,51 @@ # interface(`mta_sendmail_domtrans',` gen_require(` @@ -27930,7 +27990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -454,7 +581,8 @@ +@@ -454,7 +582,8 @@ type etc_mail_t; ') @@ -27940,7 +28000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -678,7 +806,7 @@ +@@ -678,7 +807,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -27949,7 +28009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -765,6 +893,25 @@ +@@ -765,6 +894,25 @@ ####################################### ## 
@@ -30224,16 +30284,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.7.19/policy/modules/services/nslcd.te --- nsaserefpolicy/policy/modules/services/nslcd.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/nslcd.te 2010-05-28 07:42:00.000000000 +0000 -@@ -35,6 +35,8 @@ ++++ serefpolicy-3.7.19/policy/modules/services/nslcd.te 2011-04-05 17:30:55.685000002 +0000 +@@ -1,4 +1,3 @@ +- + policy_module(nslcd, 1.0.1) + + ######################################## +@@ -17,7 +16,7 @@ + files_pid_file(nslcd_var_run_t) + + type nslcd_conf_t; +-files_type(nslcd_conf_t) ++files_config_file(nslcd_conf_t) + + ######################################## + # +@@ -25,7 +24,7 @@ + # + + allow nslcd_t self:capability { setgid setuid dac_override }; +-allow nslcd_t self:process signal; ++allow nslcd_t self:process { setsched signal }; + allow nslcd_t self:unix_stream_socket create_stream_socket_perms; + + allow nslcd_t nslcd_conf_t:file read_file_perms; +@@ -35,10 +34,16 @@ manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) +kernel_read_system_state(nslcd_t) + files_read_etc_files(nslcd_t) ++files_read_usr_symlinks(nslcd_t) ++files_list_tmp(nslcd_t) auth_use_nsswitch(nslcd_t) + + logging_send_syslog_msg(nslcd_t) + + miscfiles_read_localization(nslcd_t) ++ ++userdom_read_user_tmp_files(nslcd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.if serefpolicy-3.7.19/policy/modules/services/ntop.if --- nsaserefpolicy/policy/modules/services/ntop.if 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/ntop.if 2010-06-28 12:35:14.000000000 +0000 
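Review bot: `userdom_read_user_tmp_files(nslcd_t)` at the end of the nslcd.te hunk gives the LDAP name-service daemon read access to every user's tmp files, which is an unusually broad grant for this daemon and carries no comment on what it is for; the neighbouring `files_list_tmp(nslcd_t)` suggests something under /tmp is being opened, but the rule is not limited to that. Please add a comment naming the access that was denied, e.g. `# nslcd reads <what> from user tmp (denial in bug <BUG-ID>)`, and consider whether a narrower interface or a dontaudit covers the case, since arbitrary user tmp content is a data-exposure path for a system daemon. The switch from `files_type` to `files_config_file` for nslcd_conf_t and the added `setsched` look fine.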
@@ -31349,8 +31440,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te --- nsaserefpolicy/policy/modules/services/piranha.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2011-03-16 13:12:36.310107001 +0000 -@@ -0,0 +1,308 @@ ++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2011-04-05 14:22:50.182000001 +0000 +@@ -0,0 +1,309 @@ + +policy_module(piranha,1.0.0) + @@ -31456,6 +31547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +#cjp: adds luci.ini file +#bug: 684198 +create_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t) ++allow piranha_web_t piranha_web_conf_t:file write; + +piranha_pulse_initrc_domtrans(piranha_web_t) + @@ -32553,7 +32645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2011-01-19 10:28:09.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2011-04-05 17:25:44.234000001 +0000 @@ -35,7 +35,7 @@ role system_r types postfix_$1_t; @@ -32661,7 +32753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Execute the master postfix program in the -@@ -368,6 +415,25 @@ +@@ -368,6 +415,43 @@ can_exec($1, postfix_master_exec_t) ') 
@@ -32684,10 +32776,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) +') + ++####################################### ++## ++## Allow read/write postfix master pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_rw_master_pipes',` ++ gen_require(` ++ type postfix_master_t; ++ ') ++ ++ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;; ++') ++ ######################################## ## ## Create a named socket in a postfix private directory. -@@ -378,7 +444,7 @@ +@@ -378,7 +462,7 @@ ## ## # @@ -32696,7 +32806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post gen_require(` type postfix_private_t; ') -@@ -389,6 +455,25 @@ +@@ -389,6 +473,25 @@ ######################################## ## @@ -32722,7 +32832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -418,10 +503,10 @@ +@@ -418,10 +521,10 @@ # interface(`postfix_search_spool',` gen_require(` @@ -32735,20 +32845,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -437,11 +522,30 @@ +@@ -437,15 +540,34 @@ # interface(`postfix_list_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; -+ ') -+ + ') + +- allow $1 postfix_spool_t:dir list_dir_perms; + allow $1 postfix_spool_type:dir list_dir_perms; -+ files_search_spool($1) -+') -+ -+######################################## -+## + files_search_spool($1) + ') + + ######################################## + ## +## Getattr postfix mail spool files. +## +## 
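Review bot: The new `postfix_rw_master_pipes` interface ends its allow rule with a double semicolon, `allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;;`, which is at best a stray token and may be rejected when the module is compiled; make it `allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;`. The interface is called from mta.if, dovecot.te, procmail.te and spamassassin.te elsewhere in this commit, so a parse error here would break every one of those modules rather than just postfix.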
@@ -32760,15 +32871,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; - ') - -- allow $1 postfix_spool_t:dir list_dir_perms; - files_search_spool($1) ++ ') ++ ++ files_search_spool($1) + getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) - ') - - ######################################## -@@ -456,16 +560,16 @@ ++') ++ ++######################################## ++## + ## Read postfix mail spool files. + ## + ## +@@ -456,16 +578,16 @@ # interface(`postfix_read_spool_files',` gen_require(` @@ -32788,7 +32902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## ## ## -@@ -475,11 +579,11 @@ +@@ -475,11 +597,11 @@ # interface(`postfix_manage_spool_files',` gen_require(` @@ -32802,7 +32916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -500,3 +604,164 @@ +@@ -500,3 +622,164 @@ typeattribute $1 postfix_user_domtrans; ') @@ -34238,7 +34352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.19/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/procmail.te 2010-05-28 07:42:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/procmail.te 2011-04-05 17:26:40.034000001 +0000 @@ -11,6 +11,9 @@ application_domain(procmail_t, procmail_exec_t) role system_r types procmail_t; 
@@ -34296,18 +34410,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) -@@ -128,6 +134,10 @@ - ') - - optional_policy(` -+ nagios_search_spool(procmail_t) +@@ -125,6 +131,11 @@ + postfix_read_spool_files(procmail_t) + postfix_read_local_state(procmail_t) + postfix_read_master_state(procmail_t) ++ postfix_rw_master_pipes(procmail_t) +') + +optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) ++ nagios_search_spool(procmail_t) ') -@@ -136,8 +146,8 @@ + + optional_policy(` +@@ -136,8 +147,8 @@ mta_read_config(procmail_t) sendmail_domtrans(procmail_t) sendmail_signal(procmail_t) @@ -34857,8 +34972,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.7.19/policy/modules/services/qpidd.te --- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-11-11 15:21:18.000000000 +0000 -@@ -0,0 +1,63 @@ ++++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2011-04-05 17:56:25.905000001 +0000 +@@ -0,0 +1,69 @@ +policy_module(qpidd,1.0.0) + +######################################## @@ -34922,6 +35037,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +optional_policy(` + corosync_stream_connect(qpidd_t) +') ++ ++optional_policy(` ++ matahari_manage_lib_files(qpidd_t) ++ matahari_manage_pid_files(qpidd_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.7.19/policy/modules/services/radius.if --- nsaserefpolicy/policy/modules/services/radius.if 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/radius.if 2010-09-16 13:25:26.000000000 +0000 
@@ -35276,8 +35397,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2011-02-17 10:06:36.528796002 +0000 -@@ -0,0 +1,227 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2011-04-04 18:04:08.629000001 +0000 +@@ -0,0 +1,229 @@ + +policy_module(rgmanager, 1.0.0) + @@ -35398,6 +35519,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + +mount_domtrans(rgmanager_t) + ++userdom_kill_all_users(rgmanager_t) ++ +tunable_policy(`rgmanager_can_network_connect',` + corenet_tcp_connect_all_ports(rgmanager_t) +') @@ -37240,7 +37363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2011-03-16 14:07:00.624107001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2011-04-04 12:21:57.257000002 +0000 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
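Review bot: `userdom_kill_all_users(rgmanager_t)` in the rgmanager.te hunk lets the cluster resource manager signal-kill every user domain, a broad grant that arrives with no comment. Presumably this is for terminating user processes during resource failover, but that is inferred, not stated; add a line such as `# rgmanager kills user processes on <trigger> (bug <BUG-ID>)` above the call so the grant can be reviewed against its actual use.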
@@ -37307,7 +37430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb # -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; + -+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -38726,7 +38849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.19/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2011-01-18 14:53:51.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2011-03-25 10:21:51.149630001 +0000 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -38865,7 +38988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -256,27 +328,40 @@ +@@ -256,27 +328,41 @@ sysnet_read_config(spamc_t) @@ -38900,6 +39023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + postfix_domtrans_postdrop(spamc_t) + postfix_search_spool(spamc_t) + postfix_rw_local_pipes(spamc_t) ++ postfix_rw_master_pipes(spamc_t) ') optional_policy(` 
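Review bot: `sys_chroot` is added to smbd_t's self capability set on the line that already carries `sys_admin`, `dac_override` and `dac_read_search`, with nothing saying which smbd feature needs to chroot. Capabilities added without their motivation tend to survive forever, so put a comment above the rule such as `# sys_chroot needed for <reason> (denial in bug <BUG-ID>)`, and if the need came from a single audit denial, confirm it is not a dontaudit candidate instead.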
@@ -38912,7 +39036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -288,7 +373,7 @@ +@@ -288,7 +374,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -38921,7 +39045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -304,10 +389,17 @@ +@@ -304,10 +390,17 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -38940,7 +39064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -316,10 +408,12 @@ +@@ -316,10 +409,12 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -38954,7 +39078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -369,22 +463,27 @@ +@@ -369,22 +464,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -38986,7 +39110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -397,16 +496,22 @@ +@@ -397,16 +497,22 @@ ') optional_policy(` @@ -39013,7 +39137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -415,10 +520,6 @@ +@@ -415,10 +521,6 @@ ') optional_policy(` 
@@ -39024,7 +39148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam postfix_read_config(spamd_t) ') -@@ -433,6 +534,10 @@ +@@ -433,6 +535,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -39035,7 +39159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -445,5 +550,9 @@ +@@ -445,5 +551,9 @@ ') optional_policy(` @@ -39152,7 +39276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2011-03-18 14:50:44.915630000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2011-04-05 14:59:32.532000001 +0000 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -39199,16 +39323,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls($1_ssh_t) kernel_read_system_state($1_ssh_t) -@@ -116,6 +113,8 @@ +@@ -116,7 +113,10 @@ corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) + corenet_tcp_bind_generic_node($1_ssh_t) + corenet_tcp_bind_all_unreserved_ports($1_ssh_t) ++ dev_read_rand($1_ssh_t) dev_read_urand($1_ssh_t) -@@ -181,16 +180,16 @@ + fs_getattr_all_fs($1_ssh_t) +@@ -181,16 +181,16 @@ type $1_var_run_t; files_pid_file($1_var_run_t) @@ -39228,7 +39354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. term_create_pty($1_t, $1_devpts_t) manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -@@ -206,6 +205,7 @@ +@@ -206,6 +206,7 @@ kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) 
@@ -39236,7 +39362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -221,7 +221,12 @@ +@@ -221,7 +222,12 @@ corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -39249,11 +39375,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. fs_dontaudit_getattr_all_fs($1_t) -@@ -234,21 +239,27 @@ +@@ -234,21 +240,30 @@ corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) + domain_dyntrans_type($1_t) ++ ++ dev_read_rand($1_t) ++ dev_read_urand($1_t) files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) @@ -39279,7 +39408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) fs_read_nfs_symlinks($1_t) -@@ -265,9 +276,16 @@ +@@ -265,9 +280,16 @@ optional_policy(` files_read_var_lib_symlinks($1_t) @@ -39297,7 +39426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -290,6 +308,7 @@ +@@ -290,6 +312,7 @@ ## User domain for the role ## ## @@ -39305,7 +39434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # template(`ssh_role_template',` gen_require(` -@@ -327,7 +346,7 @@ +@@ -327,7 +350,7 @@ # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -39314,7 +39443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; -@@ -338,6 +357,7 @@ +@@ -338,6 +361,7 @@ manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) 
@@ -39322,7 +39451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ############################## # -@@ -359,7 +379,7 @@ +@@ -359,7 +383,7 @@ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. @@ -39331,7 +39460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -388,6 +408,7 @@ +@@ -388,6 +412,7 @@ logging_send_syslog_msg($1_ssh_agent_t) miscfiles_read_localization($1_ssh_agent_t) @@ -39339,7 +39468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. seutil_dontaudit_read_config($1_ssh_agent_t) -@@ -395,10 +416,8 @@ +@@ -395,10 +420,8 @@ userdom_use_user_terminals($1_ssh_agent_t) # for the transition back to normal privs upon exec @@ -39351,7 +39480,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -475,7 +494,7 @@ +@@ -419,6 +442,10 @@ + ') + + optional_policy(` ++ ssh_run_keygen($3,$2) ++ ') ++ ++ optional_policy(` + xserver_use_xdm_fds($1_ssh_agent_t) + xserver_rw_xdm_pipes($1_ssh_agent_t) + ') +@@ -475,7 +502,7 @@ type sshd_t; ') @@ -39360,7 +39500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## ## -@@ -492,7 +511,7 @@ +@@ -492,7 +519,7 @@ type sshd_t; ') @@ -39369,7 +39509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -582,6 +601,25 @@ +@@ -582,6 +609,25 @@ domtrans_pattern($1, sshd_exec_t, sshd_t) ') 
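Review bot: `ssh_run_keygen($3,$2)` inside ssh_role_template lets the user domain ($3) transition into ssh_keygen_t, and the ssh.te context further down this diff shows that domain carries `allow ssh_keygen_t sshd_key_t:file manage_file_perms;` and `files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)`. A user's ssh-keygen would thus run in a domain whose MAC policy permits managing the host keys; DAC on /etc/ssh still applies, but SELinux no longer separates per-user key generation from host-key management, so a dedicated user keygen domain or limiting this call to administrative roles seems worth considering. Minor style point: refpolicy writes interface arguments with a space after the comma, `ssh_run_keygen($3, $2)`. The enclosing template starts outside the hunk.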
@@ -39395,7 +39535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Execute the ssh client in the caller domain. -@@ -616,7 +654,7 @@ +@@ -616,7 +662,7 @@ type sshd_key_t; ') @@ -39404,7 +39544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. files_search_pids($1) ') -@@ -678,6 +716,32 @@ +@@ -678,6 +724,32 @@ domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -39437,7 +39577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Read ssh server keys -@@ -693,7 +757,51 @@ +@@ -693,7 +765,51 @@ type sshd_key_t; ') @@ -39490,7 +39630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ####################################### -@@ -714,3 +822,67 @@ +@@ -714,3 +830,67 @@ files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -39560,7 +39700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-18 14:51:36.890630000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-04-05 18:18:38.404000001 +0000 @@ -34,13 +34,12 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) 
@@ -39630,16 +39770,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -139,6 +139,8 @@ +@@ -139,7 +139,10 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) +corenet_tcp_bind_generic_node(ssh_t) +corenet_tcp_bind_all_unreserved_ports(ssh_t) ++dev_read_rand(ssh_t) dev_read_urand(ssh_t) -@@ -170,8 +172,10 @@ + fs_getattr_all_fs(ssh_t) +@@ -170,8 +173,13 @@ userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -39648,10 +39790,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. userdom_read_user_tmp_files(ssh_t) +userdom_write_user_tmp_files(ssh_t) +userdom_read_user_home_content_symlinks(ssh_t) ++# 692457 ++userdom_search_admin_dir(sshd_t) ++userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -180,6 +184,11 @@ +@@ -180,6 +188,11 @@ allow ssh_keysign_t ssh_t:fifo_file rw_file_perms; ') @@ -39663,7 +39808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(ssh_t) fs_manage_nfs_files(ssh_t) -@@ -201,54 +210,6 @@ +@@ -201,54 +214,6 @@ xserver_domtrans_xauth(ssh_t) ') @@ -39718,7 +39863,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ############################## # # ssh_keysign_t local policy -@@ -282,36 +243,39 @@ +@@ -260,6 +225,7 @@ + + allow ssh_keysign_t sshd_key_t:file { getattr read }; + ++ dev_read_rand(ssh_keysign_t) + dev_read_urand(ssh_keysign_t) + + files_read_etc_files(ssh_keysign_t) +@@ -282,36 +248,39 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; 
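Review bot: `userdom_search_admin_dir(sshd_t)` is inserted in the ssh_t local policy block (between `userdom_read_user_home_content_symlinks(ssh_t)` and the `allow_ssh_keysign` tunable), while the line added together with it, `userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })`, targets ssh_t. If ssh_t was intended this is a typo; if sshd_t was intended the rule belongs in the sshd_t section so the grant is visible where that domain is audited. The preceding comment `# 692457` is a bare number, so something like `# <tracker> 692457: <one-line reason>` would tell a reader what it refers to. The enclosing policy section starts outside the hunk.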
@@ -39767,7 +39920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -319,10 +283,27 @@ +@@ -319,10 +288,27 @@ ') optional_policy(` @@ -39795,7 +39948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +314,18 @@ +@@ -333,10 +319,18 @@ ') optional_policy(` @@ -39815,7 +39968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd -@@ -368,6 +357,7 @@ +@@ -368,6 +362,7 @@ # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -39823,18 +39976,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; -@@ -376,6 +366,10 @@ +@@ -376,14 +371,21 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms; files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) ++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -384,6 +378,7 @@ + + dev_read_sysfs(ssh_keygen_t) ++dev_read_rand(ssh_keygen_t) dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) 
@@ -39842,11 +39998,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. domain_use_interactive_fds(ssh_keygen_t) -@@ -397,6 +392,11 @@ +@@ -397,6 +399,12 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_search_admin_dir(ssh_keygen_t) ++userdom_search_user_home_dirs(ssh_keygen_t) + +optional_policy(` + nscd_socket_use(ssh_keygen_t) @@ -43358,7 +43515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2011-03-16 12:49:39.669107002 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2011-04-05 18:00:56.165000001 +0000 @@ -41,7 +41,6 @@ ## # @@ -43495,10 +43652,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -738,6 +792,27 @@ +@@ -733,7 +787,28 @@ + ') - ####################################### - ## + logging_search_logs($1) +- allow $1 faillog_t:file rw_file_perms; ++ rw_files_pattern($1, faillog_t, faillog_t) ++') ++ ++####################################### ++## +## Manage the login failure log. +## +## @@ -43516,13 +43679,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + logging_search_logs($1) + allow $1 faillog_t:dir manage_dir_perms; + allow $1 faillog_t:file manage_file_perms; -+') -+ -+####################################### -+## - ## Read the last logins log. - ## - ## + ') + + ####################################### @@ -1500,6 +1575,8 @@ # interface(`auth_use_nsswitch',` 
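Review bot: With `allow $1 faillog_t:file rw_file_perms;` replaced by `rw_files_pattern($1, faillog_t, faillog_t)`, auth_rw_faillog now uses the pattern macro (which in refpolicy also covers directory search on the container type), but the auth_manage_faillog body shown as context directly below still spells out `allow $1 faillog_t:dir manage_dir_perms;` and `allow $1 faillog_t:file manage_file_perms;`. The two interfaces would read consistently as `manage_dirs_pattern($1, faillog_t, faillog_t)` and `manage_files_pattern($1, faillog_t, faillog_t)`. The interface restructuring itself matches the "Fix auth_rw_faillog definition" changelog bullet.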
@@ -45866,7 +46025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/logging.te 2011-03-25 09:50:43.190630001 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/logging.te 2011-04-04 17:54:44.654000002 +0000 @@ -20,6 +20,11 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) @@ -45887,7 +46046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -180,6 +186,8 @@ +@@ -180,10 +186,13 @@ logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -45896,7 +46055,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) -@@ -235,7 +243,12 @@ + mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory ++mls_socket_write_all_levels(auditd_t) + + seutil_dontaudit_read_config(auditd_t) + +@@ -235,7 +244,12 @@ files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) @@ -45909,7 +46073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_t) -@@ -245,6 +258,10 @@ +@@ -245,6 +259,10 @@ optional_policy(` dbus_system_bus_client(audisp_t) @@ -45920,7 +46084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -252,8 +269,15 @@ +@@ -252,8 +270,15 @@ # Audit remote logger local policy # 
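Review bot: `mls_socket_write_all_levels(auditd_t)` is added directly under `mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory` but carries no such explanation, and the same unexplained grant is added for audisp_remote_t in the next hunk. In MLS policy this lets the domain write to sockets at any sensitivity level, which is exactly the kind of override a later auditor will want a reason for, particularly on audisp_remote_t, which is the network-facing remote logger. I would add a trailing comment on each, e.g. `mls_socket_write_all_levels(auditd_t) # <reason: which socket / level>`.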
@@ -45936,10 +46100,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) -@@ -266,6 +290,15 @@ +@@ -266,6 +291,17 @@ files_read_etc_files(audisp_remote_t) ++mls_socket_write_all_levels(audisp_remote_t) ++ +auth_use_nsswitch(audisp_remote_t) +auth_dontaudit_write_login_records(audisp_remote_t) + @@ -45952,7 +46118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_remote_t) miscfiles_read_localization(audisp_remote_t) -@@ -339,10 +372,10 @@ +@@ -339,10 +375,10 @@ # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -45965,7 +46131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -372,8 +405,10 @@ +@@ -372,8 +408,10 @@ manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) @@ -45978,7 +46144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -@@ -491,6 +526,10 @@ +@@ -491,6 +529,10 @@ ') optional_policy(` 
@@ -47522,7 +47688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2011-01-20 11:32:53.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2011-04-04 18:39:17.712000002 +0000 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -47588,7 +47754,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu miscfiles_read_localization(load_policy_t) -@@ -191,15 +205,6 @@ +@@ -184,6 +198,7 @@ + + userdom_use_user_terminals(load_policy_t) + userdom_use_all_users_fds(load_policy_t) ++userdom_dontaudit_read_user_tmp_files(load_policy_t) + + ifdef(`distro_ubuntu',` + optional_policy(` +@@ -191,15 +206,6 @@ ') ') @@ -47604,7 +47778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Newrole local policy -@@ -217,7 +222,7 @@ +@@ -217,7 +223,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -47613,7 +47787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -235,6 +240,7 @@ +@@ -235,6 +241,7 @@ domain_sigchld_interactive_fds(newrole_t) files_read_etc_files(newrole_t) 
@@ -47621,7 +47795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -261,25 +267,30 @@ +@@ -261,25 +268,30 @@ term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -47658,7 +47832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -313,6 +324,8 @@ +@@ -313,6 +325,8 @@ kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -47667,7 +47841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -336,6 +349,8 @@ +@@ -336,6 +350,8 @@ seutil_libselinux_linked(restorecond_t) @@ -47676,7 +47850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -354,7 +369,7 @@ +@@ -354,7 +370,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -47685,7 +47859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -375,6 +390,8 @@ +@@ -375,6 +391,8 @@ mls_rangetrans_source(run_init_t) @@ -47694,7 +47868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu selinux_validate_context(run_init_t) selinux_compute_access_vector(run_init_t) selinux_compute_create_context(run_init_t) -@@ -383,7 +400,6 @@ +@@ -383,7 +401,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) 
@@ -47702,7 +47876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -406,6 +422,15 @@ +@@ -406,6 +423,15 @@ ') ') @@ -47718,7 +47892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -421,61 +446,22 @@ +@@ -421,61 +447,22 @@ # semodule local policy # @@ -47788,7 +47962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +470,24 @@ +@@ -484,12 +471,24 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -47813,7 +47987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,112 +497,54 @@ +@@ -499,112 +498,54 @@ userdom_read_user_tmp_files(semanage_t) ') @@ -48881,8 +49055,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.19/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/unconfined.if 2010-05-28 07:42:00.000000000 +0000 -@@ -12,14 +12,13 @@ ++++ serefpolicy-3.7.19/policy/modules/system/unconfined.if 2011-04-04 18:43:35.363000001 +0000 +@@ -12,27 +12,28 @@ # interface(`unconfined_domain_noaudit',` gen_require(` 
@@ -48894,11 +49068,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf # Use any Linux capability. - allow $1 self:capability *; +- allow $1 self:fifo_file manage_fifo_file_perms; + allow $1 self:capability all_capabilities; - allow $1 self:fifo_file manage_fifo_file_perms; ++ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; # Transition to myself, to make get_ordered_context_list happy. -@@ -27,12 +26,14 @@ + allow $1 self:process transition; # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; @@ -49633,7 +49808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2011-03-08 15:28:55.169413000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2011-04-04 18:03:06.029000001 +0000 @@ -30,8 +30,9 @@ ') @@ -51239,7 +51414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3500,743 @@ +@@ -3111,3 +3500,761 @@ allow $1 userdomain:dbus send_msg; ') 
@@ -51983,6 +52158,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + allow $1 user_tmp_t:file delete_file_perms; +') ++ ++###################################### ++## ++## Send kill signals to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_kill_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process sigkill; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2011-03-16 14:09:58.953107001 +0000 diff --git a/selinux-policy.spec b/selinux-policy.spec index d1c2f4e..b2756a9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 102%{?dist} +Release: 103%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,17 @@ exit 0 %endif %changelog +* Tue Apr 5 2011 Miroslav Grepl 3.7.19-103 +- Add allow_sysadm_manage_security boolean +- Add label for /dev/dlm.* +- Allow auditadm_screen_t and secadm_screen_t dac_override capability +- SSH_USE_STRONG_RNG is 1 which requires /dev/random +- Fix auth_rw_faillog definition +- Allow procmail and system_mail_t to user fifo_file passed into it from postfix_master +- Fixes for nslcd policy +- Allow qpidd to manage pid and lib matahari files +- Allow rgmanager to send the kill signal to all users + * Fri Mar 25 2011 Miroslav Grepl 3.7.19-102 - Add support for a new cluster service - foghorn - Add /var/spool/audit support for new version of audit
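Review bot: The new userdom_kill_all_users interface grants `sigkill` against every type carrying the userdomain attribute, and its description only says "Send kill signals to all user domains". Since the changelog ties it to rgmanager, the summary should state the scope so callers understand it covers every userdomain type rather than a particular user's sessions, e.g. `## Send SIGKILL to every user domain (all types with the userdomain attribute).` The interface name and body can stay as they are.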