diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 1c43a96..ed1af2d 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -140,7 +140,11 @@ samba_enable_home_dirs = false
 
 # Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
 # 
-squid_connect_any = false
+squid_connect_any = true
+
+# Allow privoxy to connect to all ports, not justHTTP, FTP, and Gopher ports.
+# 
+privoxy_connect_any = true
 
 # Support NFS home directories
 # 
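Review bot: Flipping `squid_connect_any` to `true` and adding `privoxy_connect_any = true` makes "connect to any port" the shipped default for both proxies in the targeted policy, which removes the egress confinement these booleans exist to provide, and the diff carries no rationale for the loosening. If the goal is to avoid AVC denials in common deployments, keeping the default at `false` and documenting the `setsebool` step preserves least privilege; at minimum the justification belongs in the comment above the setting. The privoxy description is copied verbatim from squid, including the `not justHTTP` typo; `# Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.` reads correctly, and it is worth confirming that privoxy's default-permitted port set really is the same as squid's before stating it.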
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 99288a5..35181dc 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -633,6 +633,12 @@ hddtemp = module
 # 
 policykit = module
 
+# Layer: services
+# Module: puppet
+#
+#  A network tool for managing many disparate systems
+# 
+puppet = module
 
 # Layer: apps
 # Module: ptchown
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 99288a5..35181dc 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -633,6 +633,12 @@ hddtemp = module
 # 
 policykit = module
 
+# Layer: services
+# Module: puppet
+#
+#  A network tool for managing many disparate systems
+# 
+puppet = module
 
 # Layer: apps
 # Module: ptchown
diff --git a/policy-F13.patch b/policy-F13.patch
index 3c569cd..b3a36ce 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -7601,7 +7601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.7/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/kernel/filesystem.te	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/kernel/filesystem.te	2010-01-14 15:44:55.000000000 -0500
 @@ -29,6 +29,7 @@
  fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
@@ -9798,7 +9798,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.7/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/roles/xguest.te	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/roles/xguest.te	2010-01-14 13:49:32.000000000 -0500
+@@ -15,7 +15,7 @@
+ 
+ ## <desc>
+ ## <p>
+-## Allow xguest to configure Network Manager
++## Allow xguest to configure Network Manager and connect to apache ports
+ ## </p>
+ ## </desc>
+ gen_tunable(xguest_connect_network, true)
 @@ -30,11 +30,29 @@
  role xguest_r;
  
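Review bot: The `xguest_connect_network` tunable now covers two unrelated grants, configuring NetworkManager and connecting to apache ports, while its default stays `true` at `gen_tunable(xguest_connect_network, true)`, so the broader network access is on by default for the guest role. The rules that actually add the port connect live in the following `@@ -30,11 +30,29 @@` hunk, which is cut off here, so only the description change is visible. A separate tunable such as `gen_tunable(xguest_connect_http, true)` with its own `<desc>` would let an administrator keep NetworkManager control without opening outbound http from xguest_t, and vice versa. If one tunable is kept, the description should name the exact port type being opened rather than "apache ports" so that the scope of enabling it is unambiguous.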
@@ -10092,7 +10101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  ##	All of the rules required to administrate 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.7/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/abrt.te	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/abrt.te	2010-01-14 16:10:21.000000000 -0500
 @@ -33,12 +33,24 @@
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
@@ -14895,7 +14904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.7/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/cups.fc	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/cups.fc	2010-01-14 09:44:37.000000000 -0500
 @@ -13,10 +13,14 @@
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -14944,7 +14953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.7/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/cups.te	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/cups.te	2010-01-14 09:43:53.000000000 -0500
 @@ -23,6 +23,9 @@
  type cupsd_initrc_exec_t;
  init_script_file(cupsd_initrc_exec_t)
@@ -16180,10 +16189,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
 +	policykit_dbus_chat_auth(fprintd_t)
  ')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.7/policy/modules/services/ftp.if
+--- nsaserefpolicy/policy/modules/services/ftp.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.7/policy/modules/services/ftp.if	2010-01-14 14:06:25.000000000 -0500
+@@ -115,6 +115,44 @@
+ 	role $2 types ftpdctl_t;
+ ')
+ 
++#######################################
++## <summary>
++##  Allow domain dyntransition to sftpd domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`ftp_dyntransition_sftpd',`
++    gen_require(`
++        type sftpd_t;
++    ')
++
++	allow $1 sftpd_t:process dyntransition;
++	allow sftpd_t $1:process sigchld;
++')
++
++#######################################
++## <summary>
++##  Allow domain dyntransition to sftpd_anon domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`ftp_dyntransition_sftpd_anon',`
++    gen_require(`
++        type sftpd_anon_t;
++    ')
++
++	allow $1 sftpd_anon_t:process dyntransition;
++	allow sftpd_anon_t $1:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.7/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/ftp.te	2010-01-11 09:53:58.000000000 -0500
-@@ -41,6 +41,13 @@
++++ serefpolicy-3.7.7/policy/modules/services/ftp.te	2010-01-14 16:27:16.000000000 -0500
+@@ -41,11 +41,51 @@
  
  ## <desc>
  ## <p>
@@ -16197,7 +16254,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  ## Allow ftp to read and write files in the user home directories
  ## </p>
  ## </desc>
-@@ -78,12 +85,20 @@
+ gen_tunable(ftp_home_dir, false)
+ 
++## <desc>
++## <p>
++## Allow anon internal-sftp to upload files, used for 
++## public file transfer services. Directories must be labeled
++## public_content_rw_t.
++## </p>
++## </desc>
++gen_tunable(sftpd_anon_write, false)
++
++## <desc>
++## <p>
++## Allow sftp-internal to login to local users and 
++## read/write all files on the system, governed by DAC.
++## </p>
++## </desc>
++gen_tunable(sftpd_full_access, false)
++
++## <desc>
++## <p>
++## Allow interlnal-sftp to read and write files 
++## in the user ssh home directories.
++## </p>
++## </desc>
++gen_tunable(sftpd_write_ssh_home, false)
++
++## <desc>
++## <p>
++## Allow sftp-internal to read and write files 
++## in the user home directories
++## </p>
++## </desc>
++gen_tunable(sftpd_enable_homedirs, false)
++
+ type ftpd_t;
+ type ftpd_exec_t;
+ init_daemon_domain(ftpd_t, ftpd_exec_t)
+@@ -78,12 +118,28 @@
  type xferlog_t;
  logging_log_file(xferlog_t)
  
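Review bot: `ftp_dyntransition_sftpd` and `ftp_dyntransition_sftpd_anon` in ftp.if grant `$1 sftpd_t:process dyntransition`, a setcon()-style transition with no exec, so the sftpd domain inherits the caller's open descriptors, memory and environment instead of starting from a clean image; the interface doc should say so, and the caller (presumably sshd's internal-sftp path, not visible here) additionally needs `setcurrent` on itself, which these interfaces do not supply. A header line such as `## Note: dyntransition does not exec; the caller keeps its fds/memory and must hold process:setcurrent on itself.` would make the contract explicit. The `gen_require` bodies are indented with spaces while the `allow` lines use tabs; refpolicy uses tabs throughout, so `	gen_require(\`` / `		type sftpd_t;` / `	')` keeps the file consistent. In the ftp.te tunable descriptions the service is spelled three ways (`internal-sftp`, `sftp-internal`, `interlnal-sftp`); `internal-sftp` is the sshd_config subsystem name and should be used in all four, and `sftpd_full_access` claims access is "governed by DAC" although the policy for that tunable later in this file grants `dac_override`, so one of the two needs to change.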
@@ -16209,6 +16304,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
 +	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
 +')
 +
++type sftpd_t;
++domain_type(sftpd_t)
++role system_r types sftpd_t;
++
++type sftpd_anon_t;
++domain_type(sftpd_anon_t)
++role system_r types sftpd_anon_t;
++
  ########################################
  #
  # ftpd local policy
@@ -16219,7 +16322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  dontaudit ftpd_t self:capability sys_tty_config;
  allow ftpd_t self:process signal_perms;
  allow ftpd_t self:process { getcap setcap setsched setrlimit };
-@@ -92,6 +107,8 @@
+@@ -92,6 +148,8 @@
  allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
  allow ftpd_t self:tcp_socket create_stream_socket_perms;
  allow ftpd_t self:udp_socket create_socket_perms;
@@ -16228,7 +16331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  
  allow ftpd_t ftpd_etc_t:file read_file_perms;
  
-@@ -121,8 +138,7 @@
+@@ -121,8 +179,7 @@
  allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
  
  # Create and modify /var/log/xferlog.
@@ -16238,7 +16341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  logging_log_filetrans(ftpd_t, xferlog_t, file)
  
  kernel_read_kernel_sysctls(ftpd_t)
-@@ -160,6 +176,7 @@
+@@ -160,6 +217,7 @@
  
  fs_search_auto_mountpoints(ftpd_t)
  fs_getattr_all_fs(ftpd_t)
@@ -16246,7 +16349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  
  auth_use_nsswitch(ftpd_t)
  auth_domtrans_chk_passwd(ftpd_t)
-@@ -219,10 +236,14 @@
+@@ -219,10 +277,14 @@
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
@@ -16265,7 +16368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -258,7 +279,26 @@
+@@ -258,7 +320,26 @@
  ')
  
  optional_policy(`
@@ -16293,7 +16396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  ')
  
  optional_policy(`
-@@ -270,6 +310,14 @@
+@@ -270,6 +351,14 @@
  ')
  
  optional_policy(`
@@ -16308,26 +16411,106 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  	seutil_sigchld_newrole(ftpd_t)
  ')
  
+@@ -294,3 +383,74 @@
+ files_read_etc_files(ftpdctl_t)
+ 
+ userdom_use_user_terminals(ftpdctl_t)
++
++########################################
++#
++# sftpd-anon local policy
++#
++files_read_etc_files(sftpd_anon_t)
++
++miscfiles_read_public_files(sftpd_anon_t)
++
++tunable_policy(`sftpd_anon_write',`
++    miscfiles_manage_public_files(sftpd_anon_t)
++')
++
++########################################
++#
++# sftpd local policy
++#
++files_read_etc_files(sftpd_t)
++
++# allow read access to /home by default
++userdom_read_user_home_content_files(sftpd_t)
++userdom_read_user_home_content_symlinks(sftpd_t)
++userdom_dontaudit_list_admin_dir(sftpd_t)
++
++tunable_policy(`sftpd_full_access',`
++    allow sftpd_t self:capability { dac_override dac_read_search };
++    fs_read_noxattr_fs_files(sftpd_t)
++    auth_manage_all_files_except_shadow(sftpd_t)
++')
++
++tunable_policy(`sftpd_write_ssh_home',`
++    ssh_manage_user_home_files(sftpd_t)
++')
++
++tunable_policy(`sftpd_enable_homedirs',`
++	allow sftpd_t self:capability { dac_override dac_read_search };
++
++	# allow access to /home
++	files_list_home(sftpd_t)
++	userdom_read_user_home_content_files(sftpd_t)
++	userdom_manage_user_home_content(sftpd_t)
++
++	auth_read_all_dirs_except_shadow(sftpd_t)
++	auth_read_all_files_except_shadow(sftpd_t)
++	auth_read_all_symlinks_except_shadow(sftpd_t)
++', `
++   # Needed for permissive mode, to make sure everything gets labeled correctly
++   userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
++')
++
++tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
++	fs_manage_nfs_dirs(sftpd_t)
++	fs_manage_nfs_files(sftpd_t)
++	fs_manage_nfs_symlinks(sftpd_t)
++')
++
++tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
++	fs_manage_cifs_dirs(sftpd_t)
++	fs_manage_cifs_files(sftpd_t)
++	fs_manage_cifs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_read_cifs_files(sftpd_t)
++	fs_read_cifs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_read_nfs_files(sftpd_t)
++	fs_read_nfs_symlinks(ftpd_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.7/policy/modules/services/git.fc
 --- nsaserefpolicy/policy/modules/services/git.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/git.fc	2010-01-11 09:53:58.000000000 -0500
-@@ -1,3 +1,9 @@
- /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
++++ serefpolicy-3.7.7/policy/modules/services/git.fc	2010-01-14 15:37:45.000000000 -0500
+@@ -1,3 +1,12 @@
+-/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
 -/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
- /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+-/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++HOME_DIR/public_git(/.*)?			gen_context(system_u:object_r:gitd_session_content_t, s0)
++HOME_DIR/\.gitconfig		--		gen_context(system_u:object_r:gitd_session_content_t, s0)
 +
-+/srv/git(/.*)?					gen_context(system_u:object_r:git_data_t, s0)
++/srv/git(/.*)?					gen_context(system_u:object_r:gitd_system_content_t, s0)
 +
 +/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t, s0)
 +
-+# Conflict with Fedora cgit fc spec.
-+/var/lib/git(/.*)?				gen_context(system_u:object_r:git_data_t, s0)
++/var/cache/cgit(/.*)?				gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
++/var/www/cgi-bin/cgit		--		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++
++/var/lib/git(/.*)?				gen_context(system_u:object_r:gitd_system_content_t, s0)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.7/policy/modules/services/git.if
 --- nsaserefpolicy/policy/modules/services/git.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/git.if	2010-01-11 09:53:58.000000000 -0500
-@@ -1 +1,285 @@
++++ serefpolicy-3.7.7/policy/modules/services/git.if	2010-01-14 16:07:07.000000000 -0500
+@@ -1 +1,535 @@
 -## <summary>GIT revision control system</summary>
-+## <summary>Git daemon is a really simple server for Git repositories.</summary>
++## <summary>Git - Fast Version Control System.</summary>
 +## <desc>
 +##	<p>
 +##		A really simple TCP git daemon that normally listens on
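Review bot: In the `use_nfs_home_dirs` block at the end of the sftpd policy in ftp.te, `fs_read_nfs_symlinks(ftpd_t)` names the wrong domain; the line beside it reads NFS files for `sftpd_t` and the matching cifs block uses `sftpd_t` for both calls, so this should be `fs_read_nfs_symlinks(sftpd_t)`. As written, sftpd_t cannot follow symlinks in NFS-backed home directories and ftpd_t receives an unintended grant. Separately, both `sftpd_full_access` and `sftpd_enable_homedirs` give sftpd_t `self:capability { dac_override dac_read_search }`, which contradicts the `sftpd_full_access` description of access being "governed by DAC"; if DAC-limited access is the intent, drop the capability from that branch, otherwise fix the description. The git.fc change in this hunk also labels `HOME_DIR/\.gitconfig` as `gitd_session_content_t`, so any domain given `git_rwx_all_content` can rewrite a user's git configuration (which may carry credential-helper and include settings) and not just repository data; either keep that file read-only for git domains or give it its own type. The git.if summary that starts at the end of this hunk continues beyond it.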
@@ -16335,27 +16518,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +##		connection asking for a service, and will serve that
 +##		service if it is enabled.
 +##	</p>
-+##	<p>
-+##		It verifies that the directory has the magic file
-+##		git-daemon-export-ok, and it will refuse to export any
-+##		git directory that has not explicitly been marked for
-+##		export this way (unless the --export-all parameter is
-+##		specified). If you pass some directory paths as
-+##		git-daemon arguments, you can further restrict the
-+##		offers to a whitelist comprising of those.
-+##	</p>
-+##	<p>
-+##		By default, only upload-pack service is enabled, which
-+##		serves git-fetch-pack and git-ls-remote clients, which
-+##		are invoked from git-fetch, git-pull, and git-clone.
-+##	</p>
-+##	<p>
-+##		This is ideally suited for read-only updates, i.e.,
-+##		pulling from git repositories.
-+##	</p>
-+##	<p>
-+##		An upload-archive also exists to serve git-archive.
-+##	</p>
 +## </desc>
 +
 +#######################################
@@ -16373,73 +16535,174 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +##	</summary>
 +## </param>
 +#
-+interface(`git_session_role', `
++interface(`git_session_role',`
 +	gen_require(`
-+		type gitd_session_t, gitd_exec_t, git_home_t;
++		type gitd_session_t, gitd_exec_t;
 +	')
 +
 +	########################################
 +	#
-+	# Git daemon session data declarations.
++	# Git daemon session shared declarations.
 +	#
 +
-+	## <desc>
-+	## <p>
-+	## Allow transitions to the Git daemon
-+	## session domain.
-+	## </p>
-+	## </desc>
-+	gen_tunable(gitd_session_transition, false)
-+
 +	role $1 types gitd_session_t;
 +
 +	########################################
 +	#
-+	# Git daemon session data policy.
++	# Git daemon session shared policy.
 +	#
 +
-+	tunable_policy(`gitd_session_transition', `
-+		domtrans_pattern($2, gitd_exec_t, gitd_session_t)
-+	', `
-+		can_exec($2, gitd_exec_t)
-+	')
++	domtrans_pattern($2, gitd_exec_t, gitd_session_t)
 +
 +	allow $2 gitd_session_t:process { ptrace signal_perms };
 +	ps_process_pattern($2, gitd_session_t)
++')
 +
-+	exec_files_pattern($2, git_home_t, git_home_t)
-+	manage_dirs_pattern($2, git_home_t, git_home_t)
-+	manage_files_pattern($2, git_home_t, git_home_t)
++########################################
++## <summary>
++##	Create a set of derived types for Git
++##	daemon shared repository content.
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	The prefix to be used for deriving type names.
++##	</summary>
++## </param>
++#
++template(`git_content_template',`
 +
-+	relabel_dirs_pattern($2, git_home_t, git_home_t)
-+	relabel_files_pattern($2, git_home_t, git_home_t)
++	gen_require(`
++		attribute gitd_system_content;
++		attribute gitd_content;
++	')
++
++	########################################
++	#
++	# Git daemon content shared declarations.
++	#
++
++	type gitd_$1_content_t, gitd_system_content, gitd_content;
++	files_type(gitd_$1_content_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow the specified domain to execute
-+##	Git daemon data files.
++##	Create a set of derived types for Git
++##	daemon shared repository roles.
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	The prefix to be used for deriving type names.
++##	</summary>
++## </param>
++#
++template(`git_role_template',`
++
++	gen_require(`
++		class context contains;
++		role system_r;
++	')
++
++	########################################
++	#
++	# Git daemon role shared declarations.
++	#
++
++	attribute $1_usertype;
++
++	type $1_t;
++	userdom_unpriv_usertype($1, $1_t)
++	domain_type($1_t)
++
++	role $1_r types $1_t;
++	allow system_r $1_r;
++
++	########################################
++	#
++	# Git daemon role shared policy.
++	#
++
++	allow $1_t self:context contains;
++	allow $1_t self:fifo_file rw_fifo_file_perms;
++
++	corecmd_exec_bin($1_t)
++	corecmd_bin_entry_type($1_t)
++	corecmd_shell_entry_type($1_t)
++
++	domain_interactive_fd($1_t)
++	domain_user_exemption_target($1_t)
++
++	kernel_read_system_state($1_t)
++
++	files_read_etc_files($1_t)
++	files_dontaudit_search_home($1_t)
++
++	miscfiles_read_localization($1_t)
++
++	git_rwx_generic_system_content($1_t)
++
++	ssh_rw_stream_sockets($1_t)
++
++	tunable_policy(`gitd_system_use_cifs',`
++		fs_exec_cifs_files($1_t)
++		fs_manage_cifs_dirs($1_t)
++		fs_manage_cifs_files($1_t)
++	')
++
++	tunable_policy(`gitd_system_use_nfs',`
++		fs_exec_nfs_files($1_t)
++		fs_manage_nfs_dirs($1_t)
++		fs_manage_nfs_files($1_t)
++	')
++
++	optional_policy(`
++		nscd_read_pid($1_t)
++	')
++')
++
++#######################################
++## <summary>
++##	Allow specified domain access to the
++##	specified Git daemon content.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
++## <param name="object">
++##	<summary>
++##	Type of the object that access is allowed to.
++##	</summary>
++## </param>
 +#
-+interface(`git_execute_data_files', `
++interface(`git_content_delegation',`
 +	gen_require(`
-+		type git_data_t;
++		type $1, $2;
 +	')
 +
-+	exec_files_pattern($1, git_data_t, git_data_t)
++	exec_files_pattern($1, $2, $2)
++	manage_dirs_pattern($1, $2, $2)
++	manage_files_pattern($1, $2, $2)
 +	files_search_var($1)
++
++	tunable_policy(`gitd_system_use_cifs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_nfs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
 +')
 +
 +########################################
 +## <summary>
 +##	Allow the specified domain to manage
-+##	Git daemon data content.
++##	and execute all Git daemon content.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
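Review bot: `git_role_template` hard-wires `git_rwx_generic_system_content($1_t)`, so every role derived from it can write to and execute files in the generic system repositories, with no read-only variant for a role that should only fetch. A parameter, or a sibling read-only template that calls `git_read_generic_system_content_files($1_t)` instead, would keep least privilege for users who must never push. The template also applies `domain_user_exemption_target($1_t)` and `allow system_r $1_r;` with no comment; presumably these are required for sshd in system_r to enter the derived role, but that reasoning should be recorded, e.g. `# sshd (system_r) transitions into this role; exempt it from the user-identity constraint`. `git_content_delegation` is the only interface here that requires `type $1` for the calling domain; it is harmless, but the `<param name="object">` doc should state that `$2` must be an existing type (typically one created by `git_content_template`).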
@@ -16448,20 +16711,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +## </param>
 +## <rolecap/>
 +#
-+interface(`git_manage_data_content', `
++interface(`git_rwx_all_content',`
 +	gen_require(`
-+		type git_data_t;
++		attribute gitd_content;
 +	')
 +
-+	manage_dirs_pattern($1, git_data_t, git_data_t)
-+	manage_files_pattern($1, git_data_t, git_data_t)
++	exec_files_pattern($1, gitd_content, gitd_content)
++	manage_dirs_pattern($1, gitd_content, gitd_content)
++	manage_files_pattern($1, gitd_content, gitd_content)
++	userdom_search_user_home_dirs($1)
 +	files_search_var($1)
++
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
++
++	tunable_policy(`use_samba_home_dirs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_cifs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_nfs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
 +')
 +
 +########################################
 +## <summary>
 +##	Allow the specified domain to manage
-+##	Git daemon home content.
++##	and execute all Git daemon system content.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16470,20 +16759,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +## </param>
 +## <rolecap/>
 +#
-+interface(`git_manage_home_content', `
++interface(`git_rwx_all_system_content',`
 +	gen_require(`
-+		type git_home_t;
++		attribute gitd_system_content;
 +	')
 +
-+	manage_dirs_pattern($1, git_home_t, git_home_t)
-+	manage_files_pattern($1, git_home_t, git_home_t)
-+	files_search_home($1)
++	exec_files_pattern($1, gitd_system_content, gitd_system_content)
++	manage_dirs_pattern($1, gitd_system_content, gitd_system_content)
++	manage_files_pattern($1, gitd_system_content, gitd_system_content)
++	files_search_var($1)
++
++	tunable_policy(`gitd_system_use_cifs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_nfs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
 +')
 +
 +########################################
 +## <summary>
-+##	Allow the specified domain to read
-+##	Git daemon home content.
++##	Allow the specified domain to manage
++##	and execute Git daemon generic system content.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16492,20 +16794,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +## </param>
 +## <rolecap/>
 +#
-+interface(`git_read_home_content', `
++interface(`git_rwx_generic_system_content',`
 +	gen_require(`
-+		type git_home_t;
++		type gitd_system_content_t;
 +	')
 +
-+	list_dirs_pattern($1, git_home_t, git_home_t)
-+	read_files_pattern($1, git_home_t, git_home_t)
-+	files_search_home($1)
++	exec_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
++	manage_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
++	manage_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
++	files_search_var($1)
++
++	tunable_policy(`gitd_system_use_cifs',`
++		fs_exec_cifs_files($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_nfs',`
++		fs_exec_nfs_files($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++	')
 +')
 +
 +########################################
 +## <summary>
 +##	Allow the specified domain to read
-+##	Git daemon data content.
++##	all Git daemon content files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16514,20 +16829,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +## </param>
 +## <rolecap/>
 +#
-+interface(`git_read_data_content', `
++interface(`git_read_all_content_files',`
 +	gen_require(`
-+		type git_data_t;
++		attribute gitd_content;
 +	')
 +
-+	list_dirs_pattern($1, git_data_t, git_data_t)
-+	read_files_pattern($1, git_data_t, git_data_t)
++	list_dirs_pattern($1, gitd_content, gitd_content)
++	read_files_pattern($1, gitd_content, gitd_content)
++	userdom_search_user_home_dirs($1)
 +	files_search_var($1)
++
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
++
++	tunable_policy(`use_samba_home_dirs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_cifs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_nfs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
 +')
 +
 +########################################
 +## <summary>
-+##	Allow the specified domain to relabel
-+##	Git daemon data content.
++##	Allow the specified domain to read
++##	Git daemon session content files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16536,20 +16872,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +## </param>
 +## <rolecap/>
 +#
-+interface(`git_relabel_data_content', `
++interface(`git_read_session_content_files',`
 +	gen_require(`
-+		type git_data_t;
++		type gitd_session_content_t;
 +	')
 +
-+	relabel_dirs_pattern($1, git_data_t, git_data_t)
-+	relabel_files_pattern($1, git_data_t, git_data_t)
-+	files_search_var($1)
++	list_dirs_pattern($1, gitd_session_content_t, gitd_session_content_t)
++	read_files_pattern($1, gitd_session_content_t, gitd_session_content_t)
++	userdom_search_user_home_dirs($1)
++
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
++
++	tunable_policy(`use_samba_home_dirs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
 +')
 +
 +########################################
 +## <summary>
-+##	Allow the specified domain to relabel
-+##	Git daemon home content.
++##	Allow the specified domain to read
++##	all Git daemon system content files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -16558,114 +16904,203 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +## </param>
 +## <rolecap/>
 +#
-+interface(`git_relabel_home_content', `
++interface(`git_read_all_system_content_files',`
 +	gen_require(`
-+		type git_home_t;
++		attribute gitd_system_content;
 +	')
 +
-+	relabel_dirs_pattern($1, git_home_t, git_home_t)
-+	relabel_files_pattern($1, git_home_t, git_home_t)
-+	files_search_home($1)
++	list_dirs_pattern($1, gitd_system_content, gitd_system_content)
++	read_files_pattern($1, gitd_system_content, gitd_system_content)
++	files_search_var($1)
++
++	tunable_policy(`gitd_system_use_cifs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_nfs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
 +')
 +
 +########################################
 +## <summary>
-+##	All of the rules required to administrate an
-+##	Git daemon system environment
++##	Allow the specified domain to read
++##	Git daemon generic system content files.
 +## </summary>
-+## <param name="userdomain_prefix">
++## <param name="domain">
 +##	<summary>
-+##	Prefix of the domain. Example, user would be
-+##	the prefix for the user_t domain.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
++#
++interface(`git_read_generic_system_content_files',`
++	gen_require(`
++		type gitd_system_content_t;
++	')
++
++	list_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
++	read_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
++	files_search_var($1)
++
++	tunable_policy(`gitd_system_use_cifs',`
++		fs_list_cifs($1)
++		fs_read_cifs_files($1)
++	')
++
++	tunable_policy(`gitd_system_use_nfs',`
++		fs_list_nfs($1)
++		fs_read_nfs_files($1)
++	')
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to relabel
++##	all Git daemon content.
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
++## <rolecap/>
++#
++interface(`git_relabel_all_content',`
++	gen_require(`
++		attribute gitd_content;
++	')
++
++	relabel_dirs_pattern($1, gitd_content, gitd_content)
++	relabel_files_pattern($1, gitd_content, gitd_content)
++	userdom_search_user_home_dirs($1)
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to relabel
++##	all Git daemon system content.
++## </summary>
++## <param name="domain">
 +##	<summary>
-+##	The role to be allowed to manage the Git daemon domain.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
-+interface(`git_system_admin', `
++interface(`git_relabel_all_system_content',`
 +	gen_require(`
-+		type gitd_t, gitd_exec_t;
++		attribute gitd_system_content;
 +	')
 +
-+	allow $1 gitd_t:process { getattr ptrace signal_perms };
-+	ps_process_pattern($1, gitd_t)
-+
-+	kernel_search_proc($1)
++	relabel_dirs_pattern($1, gitd_system_content, gitd_system_content)
++	relabel_files_pattern($1, gitd_system_content, gitd_system_content)
++	files_search_var($1)
++')
 +
-+	manage_files_pattern($1, gitd_exec_t, gitd_exec_t)
++########################################
++## <summary>
++##	Allow the specified domain to relabel
++##	Git daemon generic system content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_relabel_generic_system_content',`
++	gen_require(`
++		type gitd_system_content_t;
++	')
 +
-+	# This will not work since git-shell needs to execute gitd content thus public content files.
-+	# There is currently no clean way to execute public content files.
-+	# miscfiles_manage_public_files($1)
++	relabel_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
++	relabel_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
++	files_search_var($1)
++')
 +
-+	git_manage_data_content($1)
-+	git_relabel_data_content($1)
++########################################
++## <summary>
++##	Allow the specified domain to relabel
++##	Git daemon session content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_relabel_session_content',`
++	gen_require(`
++		type gitd_session_content_t;
++	')
 +
-+	seutil_domtrans_setfiles($1)
++	relabel_dirs_pattern($1, gitd_session_content_t, gitd_session_content_t)
++	relabel_files_pattern($1, gitd_session_content_t, gitd_session_content_t)
++	userdom_search_user_home_dirs($1)
 +')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.7/policy/modules/services/git.te
 --- nsaserefpolicy/policy/modules/services/git.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/git.te	2010-01-11 09:53:58.000000000 -0500
-@@ -1,9 +1,173 @@
++++ serefpolicy-3.7.7/policy/modules/services/git.te	2010-01-14 16:12:14.000000000 -0500
+@@ -1,9 +1,181 @@
  
- policy_module(git, 1.0)
- 
-+attribute gitd_type;
-+attribute git_content_type;
-+
-+########################################
-+#
-+# Git daemon system private declarations.
-+#
+-policy_module(git, 1.0)
++policy_module(gitd, 1.0.3)
 +
 +## <desc>
 +## <p>
 +## Allow Git daemon system to search home directories.
 +## </p>
 +## </desc>
-+gen_tunable(git_system_enable_homedirs, false)
++gen_tunable(gitd_system_enable_homedirs, false)
 +
 +## <desc>
 +## <p>
 +## Allow Git daemon system to access cifs file systems.
 +## </p>
 +## </desc>
-+gen_tunable(git_system_use_cifs, false)
++gen_tunable(gitd_system_use_cifs, false)
 +
 +## <desc>
 +## <p>
 +## Allow Git daemon system to access nfs file systems.
 +## </p>
 +## </desc>
-+gen_tunable(git_system_use_nfs, false)
++gen_tunable(gitd_system_use_nfs, false)
 +
 +########################################
 +#
 +# Git daemon global private declarations.
 +#
++
++attribute gitd_domains;
++attribute gitd_system_content;
++attribute gitd_content;
++
 +type gitd_exec_t;
 +
-+type gitd_t, gitd_type;
-+inetd_service_domain(gitd_t, gitd_exec_t)
-+role system_r types gitd_t;
++########################################
++#
++# Git daemon system private declarations.
++#
 +
-+type git_data_t, git_content_type;
-+files_type(git_data_t)
++type gitd_system_t, gitd_domains;
++inetd_service_domain(gitd_system_t, gitd_exec_t)
++role system_r types gitd_system_t;
 +
-+permissive gitd_t;
++type gitd_system_content_t, gitd_system_content, gitd_content;
++files_type(gitd_system_content_t)
++typealias gitd_system_content_t alias git_data_t;
 +
 +########################################
 +#
-+# Git daemon session session private declarations.
++# Git daemon session private declarations.
 +#
 +
 +## <desc>
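Review bot: `policy_module(git, 1.0)` becoming `policy_module(gitd, 1.0.3)` renames the loadable module rather than bumping it, so an upgrade will install `gitd` next to the already-installed `git` module; both declare `gitd_exec_t`, `gitd_session_t` and, through `typealias gitd_system_content_t alias git_data_t;`, `git_data_t`, which should fail to link on duplicate declarations unless the old module is removed first. That removal is not part of this diff, so either keep the module name `git` or add the explicit `semodule -r git` step to the packaging and note it here: `# module renamed from git; the old module must be removed before this one loads`. The module-list hunks in this commit only add puppet, so also confirm that modules-targeted.conf and modules-minimum.conf refer to the module by its new name.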
@@ -16674,87 +17109,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +## tcp sockets to all unreserved ports.
 +## </p>
 +## </desc>
-+gen_tunable(git_session_bind_all_unreserved_ports, false)
++gen_tunable(gitd_session_bind_all_unreserved_ports, false)
 +
-+type gitd_session_t, gitd_type;
++type gitd_session_t, gitd_domains;
 +application_domain(gitd_session_t, gitd_exec_t)
 +ubac_constrained(gitd_session_t)
 +
-+type git_home_t, git_content_type;
-+userdom_user_home_content(git_home_t)
-+
-+permissive gitd_session_t;
++type gitd_session_content_t, gitd_content;
++userdom_user_home_content(gitd_session_content_t)
 +
 +########################################
 +#
 +# Git daemon global private policy.
 +#
 +
-+allow gitd_type self:fifo_file rw_fifo_file_perms;
-+allow gitd_type self:tcp_socket create_socket_perms;
-+allow gitd_type self:udp_socket create_socket_perms;
-+allow gitd_type self:unix_dgram_socket create_socket_perms;
++allow gitd_domains self:fifo_file rw_fifo_file_perms;
++allow gitd_domains self:netlink_route_socket create_netlink_socket_perms;
++allow gitd_domains self:tcp_socket { create_socket_perms listen };
++allow gitd_domains self:udp_socket create_socket_perms;
++allow gitd_domains self:unix_dgram_socket create_socket_perms;
++
++corenet_all_recvfrom_netlabel(gitd_domains)
++corenet_all_recvfrom_unlabeled(gitd_domains)
 +
-+corenet_all_recvfrom_netlabel(gitd_type)
-+corenet_all_recvfrom_unlabeled(gitd_type)
++corenet_tcp_bind_generic_node(gitd_domains)
 +
-+corenet_tcp_sendrecv_all_if(gitd_type)
-+corenet_tcp_sendrecv_all_nodes(gitd_type)
-+corenet_tcp_sendrecv_all_ports(gitd_type)
++corenet_tcp_sendrecv_generic_if(gitd_domains)
++corenet_tcp_sendrecv_generic_node(gitd_domains)
++corenet_tcp_sendrecv_generic_port(gitd_domains)
 +
-+corenet_tcp_bind_all_nodes(gitd_type)
-+corenet_tcp_bind_git_port(gitd_type)
++corenet_tcp_bind_git_port(gitd_domains)
++corenet_sendrecv_git_server_packets(gitd_domains)
 +
-+corecmd_exec_bin(gitd_type)
++corecmd_exec_bin(gitd_domains)
 +
-+files_read_etc_files(gitd_type)
-+files_read_usr_files(gitd_type)
++files_read_etc_files(gitd_domains)
++files_read_usr_files(gitd_domains)
 +
-+fs_search_auto_mountpoints(gitd_type)
++fs_search_auto_mountpoints(gitd_domains)
 +
-+kernel_read_system_state(gitd_type)
++kernel_read_system_state(gitd_domains)
 +
-+logging_send_syslog_msg(gitd_type)
++auth_use_nsswitch(gitd_domains)
 +
-+auth_use_nsswitch(gitd_type)
++logging_send_syslog_msg(gitd_domains)
 +
-+miscfiles_read_localization(gitd_type)
++miscfiles_read_localization(gitd_domains)
 +
 +########################################
 +#
 +# Git daemon system repository private policy.
 +#
 +
-+list_dirs_pattern(gitd_t, git_content_type, git_content_type)
-+read_files_pattern(gitd_t, git_content_type, git_content_type)
-+files_search_var(gitd_t)
++list_dirs_pattern(gitd_system_t, gitd_content, gitd_content)
++read_files_pattern(gitd_system_t, gitd_content, gitd_content)
++files_search_var(gitd_system_t)
 +
-+# This will not work since git-shell needs to execute gitd content thus public content files.
-+# There is currently no clean way to execute public content files.
-+# miscfiles_read_public_files(gitd_t)
-+
-+tunable_policy(`git_system_enable_homedirs', `
-+	userdom_search_user_home_dirs(gitd_t)
++tunable_policy(`gitd_system_enable_homedirs', `
++	userdom_search_user_home_dirs(gitd_system_t)
 +')
 +
-+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
-+	fs_list_nfs(gitd_t)
-+	fs_read_nfs_files(gitd_t)
++tunable_policy(`gitd_system_enable_homedirs && use_nfs_home_dirs', `
++	fs_list_nfs(gitd_system_t)
++	fs_read_nfs_files(gitd_system_t)
 +')
 +
-+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
-+	fs_list_cifs(gitd_t)
-+	fs_read_cifs_files(gitd_t)
++tunable_policy(`gitd_system_enable_homedirs && use_samba_home_dirs', `
++	fs_list_cifs(gitd_system_t)
++	fs_read_cifs_files(gitd_system_t)
 +')
 +
-+tunable_policy(`git_system_use_cifs', `
-+	fs_list_cifs(gitd_t)
-+	fs_read_cifs_files(gitd_t)
++tunable_policy(`gitd_system_use_cifs', `
++	fs_list_cifs(gitd_system_t)
++	fs_read_cifs_files(gitd_system_t)
 +')
 +
-+tunable_policy(`git_system_use_nfs', `
-+	fs_list_nfs(gitd_t)
-+	fs_read_nfs_files(gitd_t)
++tunable_policy(`gitd_system_use_nfs', `
++	fs_list_nfs(gitd_system_t)
++	fs_read_nfs_files(gitd_system_t)
 +')
 +
 +########################################
@@ -16762,13 +17194,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +# Git daemon session repository private policy.
 +#
 +
-+list_dirs_pattern(gitd_session_t, git_home_t, git_home_t)
-+read_files_pattern(gitd_session_t, git_home_t, git_home_t)
++list_dirs_pattern(gitd_session_t, gitd_session_content_t, gitd_session_content_t)
++read_files_pattern(gitd_session_t, gitd_session_content_t, gitd_session_content_t)
 +userdom_search_user_home_dirs(gitd_session_t)
 +
 +userdom_use_user_terminals(gitd_session_t)
 +
-+tunable_policy(`git_session_bind_all_unreserved_ports', `
++tunable_policy(`gitd_session_bind_all_unreserved_ports', `
 +	corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
 +')
 +
@@ -16782,14 +17214,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +	fs_read_cifs_files(gitd_session_t)
 +')
 +
++########################################
++#
++# cgi git Declarations
++#
++
++optional_policy(`
++	apache_content_template(git)
++	git_read_session_content_files(httpd_git_script_t)
++')
+ 
  ########################################
  #
 -# Declarations
-+# cgi git Declarations
++# Git-shell private policy.
  #
  
- apache_content_template(git)
-+git_read_data_content(httpd_git_script_t)
+-apache_content_template(git)
++git_role_template(git_shell)
++gen_user(git_shell_u, user, git_shell_r, s0, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.7/policy/modules/services/gpsd.te
 --- nsaserefpolicy/policy/modules/services/gpsd.te	2010-01-07 14:53:53.000000000 -0500
 +++ serefpolicy-3.7.7/policy/modules/services/gpsd.te	2010-01-11 09:53:58.000000000 -0500
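Review bot: `git_read_session_content_files(httpd_git_script_t)` replaces `git_read_data_content(httpd_git_script_t)`, and going by the declarations earlier in this file section, "session content" is `gitd_session_content_t` (user home-directory repositories) while the old `git_data_t` is now `gitd_system_content_t` (system repositories); if the interface names follow those types, the Apache git CGI now reads users' home repositories instead of the system ones, which looks like a scope change rather than a rename. If both are intended, the system-content read interface is still needed alongside this call; I cannot see git.if here to confirm what each interface grants. Separately, `gen_user(git_shell_u, user, git_shell_r, s0, s0)` declares a SELinux user inside a service module, which refpolicy normally keeps in the central users file; a one-line comment stating why this user is defined here and that `git_role_template` supplies `git_shell_r` would help the next reviewer, since neither is visible on this page.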
@@ -21251,6 +21694,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.7/policy/modules/services/puppet.te
+--- nsaserefpolicy/policy/modules/services/puppet.te	2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/puppet.te	2010-01-14 10:36:57.000000000 -0500
+@@ -17,6 +17,7 @@
+ type puppet_t;
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
++permissive puppet_t;
+ 
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+@@ -39,6 +40,7 @@
+ type puppetmaster_t;
+ type puppetmaster_exec_t;
+ init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
++permissive puppetmaster_t;
+ 
+ type puppetmaster_initrc_exec_t;
+ init_script_file(puppetmaster_initrc_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.7/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.7/policy/modules/services/pyzor.fc	2010-01-11 09:53:58.000000000 -0500
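Review bot: `permissive puppet_t;` and `permissive puppetmaster_t;` ship both Puppet domains in permissive mode, so every denial is only logged and nothing is enforced; since Puppet runs as root and rewrites configuration across the host, these domains are effectively unconfined for as long as the statements stay in. The same commit enables the module in modules-minimum.conf and modules-targeted.conf without mentioning that state, so administrators enabling it will not know the confinement is not yet real. A comment at each statement, `# TODO: permissive while the policy is developed; remove once AVC denials are resolved`, with a tracking reference (e.g. `<bug-id placeholder>`) and a matching remark in the module description would record the exit condition.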
@@ -24969,54 +25431,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.7/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/ssh.te	2010-01-11 09:53:58.000000000 -0500
-@@ -8,6 +8,31 @@
- 
- ## <desc>
- ## <p>
-+## Allow sftp to upload files, used for public file
-+## transfer services. Directories must be labeled
-+## public_content_rw_t.
-+## </p>
-+## </desc>
-+gen_tunable(allow_sftpd_anon_write, false)
-+
-+## <desc>
-+## <p>
-+## Allow sftp to login to local users and 
-+## read/write all files on the system, governed by DAC.
-+## </p>
-+## </desc>
-+gen_tunable(allow_sftpd_full_access, false)
-+
-+## <desc>
-+## <p>
-+## Allow interlnal-sftp to read and write files 
-+## in the user ssh home directories.
-+## </p>
-+## </desc>
-+gen_tunable(sftpd_ssh_home_dir, false)
-+
-+## <desc>
-+## <p>
- ## allow host key based authentication
- ## </p>
- ## </desc>
-@@ -41,6 +66,13 @@
++++ serefpolicy-3.7.7/policy/modules/services/ssh.te	2010-01-14 14:12:19.000000000 -0500
+@@ -41,6 +41,9 @@
  files_tmp_file(sshd_tmp_t)
  files_poly_parent(sshd_tmp_t)
  
 +type sshd_tmpfs_t;
 +files_tmpfs_file(sshd_tmpfs_t)
 +
-+type sftpd_t;
-+domain_type(sftpd_t)
-+role system_r types sftpd_t;
-+
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -75,7 +107,7 @@
+@@ -75,7 +78,7 @@
  ubac_constrained(ssh_tmpfs_t)
  
  type home_ssh_t;
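Review bot: The tunables `allow_sftpd_anon_write`, `allow_sftpd_full_access` and `sftpd_ssh_home_dir` and the `sftpd_t` type are removed from ssh.te here, and the corresponding local policy block is dropped in the hunk at L1497; the replacement appears to be the `ftp_dyntransition_sftpd*` calls added later in this file section, which means sftpd now lives in the ftp module that is not in this chunk. If those three booleans are not re-declared under the same names there, any booleans-*.conf entry or persisted local setting for them will dangle, and `allow_sftpd_full_access` in particular governed `auth_manage_all_files_except_shadow` so its new home should be checked. A comment near the removal point, `# sftpd_t and its allow_sftpd_* tunables moved to the ftp module`, would tell readers of this patch where the policy went; the enclosing file section continues in the following hunks.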
@@ -25025,7 +25451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  files_type(home_ssh_t)
  userdom_user_home_content(home_ssh_t)
-@@ -95,8 +127,7 @@
+@@ -95,8 +98,7 @@
  allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
@@ -25035,7 +25461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  # Read the ssh key file.
  allow ssh_t sshd_key_t:file read_file_perms;
-@@ -115,6 +146,7 @@
+@@ -115,6 +117,7 @@
  manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t)
  manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
  userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
@@ -25043,7 +25469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -126,11 +158,13 @@
+@@ -126,11 +129,13 @@
  read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
  
  # ssh servers can read the user keys and config
@@ -25060,7 +25486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  corenet_all_recvfrom_unlabeled(ssh_t)
  corenet_all_recvfrom_netlabel(ssh_t)
-@@ -139,6 +173,8 @@
+@@ -139,6 +144,8 @@
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -25069,7 +25495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  dev_read_urand(ssh_t)
  
-@@ -160,19 +196,19 @@
+@@ -160,19 +167,19 @@
  logging_send_syslog_msg(ssh_t)
  logging_read_generic_logs(ssh_t)
  
@@ -25092,7 +25518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -194,18 +230,7 @@
+@@ -194,18 +201,7 @@
  # for port forwarding
  tunable_policy(`user_tcp_server',`
  	corenet_tcp_bind_ssh_port(ssh_t)
@@ -25112,7 +25538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -294,6 +319,8 @@
+@@ -294,6 +290,8 @@
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
  
@@ -25121,7 +25547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
  manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
  manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -310,16 +337,30 @@
+@@ -310,27 +308,50 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
@@ -25140,21 +25566,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 -	userdom_spec_domtrans_all_users(sshd_t)
  	userdom_signal_all_users(sshd_t)
 -',`
-+')
+-	userdom_spec_domtrans_unpriv_users(sshd_t)
+-	userdom_signal_unpriv_users(sshd_t)
+ ')
+ 
++userdom_spec_domtrans_unpriv_users(sshd_t)
++userdom_signal_unpriv_users(sshd_t)
 +
- 	userdom_spec_domtrans_unpriv_users(sshd_t)
- 	userdom_signal_unpriv_users(sshd_t)
+ optional_policy(`
+ 	daemontools_service_domain(sshd_t, sshd_exec_t)
+ ')
+ 
+ optional_policy(`
++	kerberos_keytab_template(sshd, sshd_t)
++')
 +
 +optional_policy(`
-+	kerberos_keytab_template(sshd, sshd_t)
++	ftp_dyntransition_sftpd(sshd_t)
++	ftp_dyntransition_sftpd_anon(sshd_t)
 +')
 +
 +optional_policy(`
 +	gitosis_manage_var_lib(sshd_t)
- ')
- 
- optional_policy(`
-@@ -331,6 +372,10 @@
++')
++
++optional_policy(`
+ 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
  ')
  
  optional_policy(`
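Review bot: `ftp_dyntransition_sftpd(sshd_t)` and `ftp_dyntransition_sftpd_anon(sshd_t)` add dynamic (setcon-style) transitions out of sshd_t, which unlike an exec-based transition keep the process image, so the target domain starts with whatever descriptors and memory sshd_t holds at that point; a comment stating that sshd is expected to drop its privileged descriptors before the transition, `# dyntransition: sftpd inherits sshd's open fds, sshd must close host-key fds first`, would record that assumption where it is granted. The interfaces themselves are defined in the ftp module outside this chunk, so I cannot check how tightly the sftpd domains are confined. The new unconditional `gitosis_manage_var_lib(sshd_t)` grants full manage rights over gitosis's var/lib to the SSH daemon; if this is only for looking up authorized keys, a read or search interface would be the narrower grant, and either way a one-line why-comment is missing. The enclosing optional_policy run continues past this hunk.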
@@ -25165,7 +25602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -341,10 +386,18 @@
+@@ -341,10 +362,18 @@
  ')
  
  optional_policy(`
@@ -25185,7 +25622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ifdef(`TODO',`
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
-@@ -400,18 +453,63 @@
+@@ -400,15 +429,13 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
@@ -25203,56 +25640,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	seutil_sigchld_newrole(ssh_keygen_t)
  ')
  
- optional_policy(`
- 	udev_read_db(ssh_keygen_t)
- ')
-+
-+#######################################
-+#
-+# sftp Local policy
-+#
-+
-+allow ssh_server sftpd_t:process dyntransition;
-+
-+ssh_sigchld(sftpd_t)
-+
-+files_read_all_files(sftpd_t)
-+files_read_all_symlinks(sftpd_t)
-+
-+fs_read_noxattr_fs_files(sftpd_t)
-+fs_read_nfs_files(sftpd_t)
-+fs_read_cifs_files(sftpd_t)
-+
-+# allow access to /home by default
-+userdom_manage_user_home_content_dirs(sftpd_t)
-+userdom_manage_user_home_content_files(sftpd_t)
-+userdom_manage_user_home_content_symlinks(sftpd_t)
-+
-+userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
-+
-+tunable_policy(`allow_sftpd_anon_write',`
-+    miscfiles_manage_public_files(sftpd_t)
-+')
-+
-+tunable_policy(`allow_sftpd_full_access',`
-+    allow sftpd_t self:capability { dac_override dac_read_search };
-+    fs_read_noxattr_fs_files(sftpd_t)
-+    auth_manage_all_files_except_shadow(sftpd_t)
-+')
-+
-+tunable_policy(`sftpd_ssh_home_dir',`
-+    ssh_manage_user_home_files(sftpd_t)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+    fs_manage_nfs_dirs(sftpd_t)
-+    fs_manage_nfs_files(sftpd_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+    fs_manage_cifs_dirs(sftpd_t)
-+    fs_manage_cifs_files(sftpd_t)
-+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.7/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2010-01-07 14:53:53.000000000 -0500
 +++ serefpolicy-3.7.7/policy/modules/services/sssd.if	2010-01-11 09:53:58.000000000 -0500
@@ -25849,8 +26236,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.7/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/virt.fc	2010-01-11 09:53:58.000000000 -0500
-@@ -8,5 +8,18 @@
++++ serefpolicy-3.7.7/policy/modules/services/virt.fc	2010-01-12 10:28:03.000000000 -0500
+@@ -4,9 +4,26 @@
+ /etc/libvirt/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)
+ /etc/rc\.d/init\.d/libvirtd --	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+ 
++/etc/xen		-d	gen_context(system_u:object_r:virt_etc_t,s0)
++/etc/xen/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
++/etc/xen/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
++/etc/xen/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)
+ /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
  
  /var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
  /var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
@@ -26574,7 +26969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.7/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/xserver.fc	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/xserver.fc	2010-01-14 09:21:39.000000000 -0500
 @@ -3,12 +3,21 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -26609,16 +27004,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  #
  # /opt
  #
-@@ -47,8 +51,6 @@
+@@ -47,21 +51,22 @@
  # /tmp
  #
  
 -/tmp/\.ICE-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 -/tmp/\.ICE-unix/.*	-s	<<none>>
  /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
- /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
- /tmp/\.X11-unix/.*	-s	<<none>>
-@@ -58,10 +60,14 @@
+-/tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.X11-unix/.*	-s	<<none>>
++/tmp/\.X11-unix(/.*)?			gen_context(system_u:object_r:xdm_tmp_t,s0)
+ 
+ #
+ # /usr
  #
  
  /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
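Review bot: `/tmp/\.X11-unix(/.*)?` now labels the sockets inside the directory xdm_tmp_t, where the removed `/tmp/\.X11-unix/.* -s <<none>>` entry deliberately left live sockets alone; a restorecon or full relabel will therefore re-label sockets created by non-xdm X servers (a user's own Xorg or Xvnc session) to xdm_tmp_t, and their clients' connect checks may then fail. If the intent was only to label the directory, keeping `-d` on the directory line together with the `-s <<none>>` entry preserves the previous behaviour; if all X sockets are meant to be xdm_tmp_t, a comment saying so above the line would save the next reader from re-adding the exclusion. I cannot see the xserver.te side of this patch, so any compensating allow rules there are not verified here.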
@@ -26633,7 +27031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  ifdef(`distro_debian', `
-@@ -89,17 +95,37 @@
+@@ -89,17 +94,37 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -26676,7 +27074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +/var/lib/nxserver/home/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.7/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/services/xserver.if	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/xserver.if	2010-01-14 14:21:14.000000000 -0500
 @@ -19,7 +19,7 @@
  interface(`xserver_restricted_role',`
  	gen_require(`
@@ -26686,7 +27084,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  		type iceauth_t, iceauth_exec_t, iceauth_home_t;
  		type xauth_t, xauth_exec_t, xauth_home_t;
  	')
-@@ -56,6 +56,13 @@
+@@ -45,6 +45,7 @@
+ 	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ 
+ 	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
++	allow $2 xserver_tmp_t:sock_file unlink;
+ 	files_search_tmp($2)
+ 
+ 	# Communicate via System V shared memory.
+@@ -56,6 +57,13 @@
  
  	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
  
@@ -26700,7 +27106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	allow $2 iceauth_home_t:file read_file_perms;
  
  	domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +78,10 @@
+@@ -71,9 +79,10 @@
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
  	allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -26713,7 +27119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# Client read xserver shm
  	allow $2 xserver_t:fd use;
-@@ -96,7 +104,6 @@
+@@ -96,7 +105,6 @@
  	miscfiles_read_fonts($2)
  
  	xserver_common_x_domain_template(user, $2)
@@ -26721,7 +27127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
-@@ -104,6 +111,7 @@
+@@ -104,6 +112,7 @@
  	xserver_read_xdm_pid($2)
  	# gnome-session creates socket under /tmp/.ICE-unix/
  	xserver_create_xdm_tmp_sockets($2)
@@ -26729,7 +27135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	# Needed for escd, remove if we get escd policy
  	xserver_manage_xdm_tmp_files($2)
  
-@@ -162,7 +170,6 @@
+@@ -162,7 +171,6 @@
  	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -26737,7 +27143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  #######################################
-@@ -197,7 +204,7 @@
+@@ -197,7 +205,7 @@
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -26746,7 +27152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -260,12 +267,12 @@
+@@ -260,12 +268,12 @@
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -26762,7 +27168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	allow $1 xdm_tmp_t:dir search;
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -445,6 +452,7 @@
+@@ -445,6 +453,7 @@
  	xserver_use_user_fonts($2)
  
  	xserver_read_xdm_tmp_files($2)
@@ -26770,7 +27176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# X object manager
  	xserver_object_types_template($1)
-@@ -514,6 +522,12 @@
+@@ -514,6 +523,12 @@
  	')
  
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -26783,7 +27189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -567,6 +581,7 @@
+@@ -567,6 +582,7 @@
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -26791,7 +27197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -774,7 +789,7 @@
+@@ -774,7 +790,7 @@
  	')
  
  	files_search_pids($1)
@@ -26800,7 +27206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1219,3 +1234,329 @@
+@@ -1219,3 +1235,329 @@
  	typeattribute $1 x_domain;
  	typeattribute $1 xserver_unconfined_type;
  ')
@@ -28404,6 +28810,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
  
  dev_read_sysfs(getty_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.7/policy/modules/system/hotplug.te
+--- nsaserefpolicy/policy/modules/system/hotplug.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.7/policy/modules/system/hotplug.te	2010-01-14 09:14:35.000000000 -0500
+@@ -125,6 +125,10 @@
+ ')
+ 
+ optional_policy(`
++	brctl_domtrans(hotplug_t)
++')
++
++optional_policy(`
+ 	consoletype_exec(hotplug_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.7/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.7/policy/modules/system/init.fc	2010-01-11 09:53:58.000000000 -0500
@@ -28432,7 +28852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
  # /var
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.7/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/system/init.if	2010-01-11 10:12:28.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/init.if	2010-01-14 10:25:44.000000000 -0500
 @@ -162,6 +162,7 @@
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
@@ -28690,7 +29110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.7/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/system/init.te	2010-01-11 10:27:23.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/init.te	2010-01-14 15:15:41.000000000 -0500
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -28756,7 +29176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -189,6 +208,18 @@
+@@ -189,6 +208,22 @@
  ')
  
  optional_policy(`
@@ -28764,6 +29184,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +')
 +
 +optional_policy(`
++	dbus_system_bus_client(init_t)
++')
++
++optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
@@ -28775,7 +29199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	nscd_socket_use(init_t)
  ')
  
-@@ -202,9 +233,10 @@
+@@ -202,9 +237,10 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28787,7 +29211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  # Allow IPC with self
  allow initrc_t self:unix_dgram_socket create_socket_perms;
-@@ -217,7 +249,8 @@
+@@ -217,7 +253,8 @@
  term_create_pty(initrc_t, initrc_devpts_t)
  
  # Going to single user mode
@@ -28797,7 +29221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  can_exec(initrc_t, init_script_file_type)
  
-@@ -230,10 +263,16 @@
+@@ -230,10 +267,16 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28816,7 +29240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
  
  init_write_initctl(initrc_t)
-@@ -246,13 +285,19 @@
+@@ -246,13 +289,19 @@
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28838,7 +29262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  corenet_all_recvfrom_unlabeled(initrc_t)
  corenet_all_recvfrom_netlabel(initrc_t)
-@@ -272,16 +317,66 @@
+@@ -272,16 +321,66 @@
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
@@ -28906,7 +29330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -291,7 +386,7 @@
+@@ -291,7 +390,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -28915,7 +29339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -306,14 +401,15 @@
+@@ -306,14 +405,15 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -28933,7 +29357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  files_exec_etc_files(initrc_t)
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
-@@ -324,48 +420,16 @@
+@@ -324,48 +424,16 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -28986,7 +29410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -374,19 +438,22 @@
+@@ -374,19 +442,22 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -29010,7 +29434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
  
-@@ -422,16 +489,12 @@
+@@ -422,16 +493,12 @@
  	# init scripts touch this
  	clock_dontaudit_write_adjtime(initrc_t)
  
@@ -29028,7 +29452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	optional_policy(`
  		arpwatch_manage_data_files(initrc_t)
-@@ -450,11 +513,9 @@
+@@ -450,11 +517,9 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -29041,7 +29465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	# These seem to be from the initrd
  	# during device initialization:
  	dev_create_generic_dirs(initrc_t)
-@@ -464,6 +525,7 @@
+@@ -464,6 +529,7 @@
  	storage_raw_read_fixed_disk(initrc_t)
  	storage_raw_write_fixed_disk(initrc_t)
  
@@ -29049,7 +29473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
  	# wants to read /.fonts directory
-@@ -492,15 +554,26 @@
+@@ -492,15 +558,26 @@
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -29076,7 +29500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -515,6 +588,33 @@
+@@ -515,6 +592,33 @@
  	')
  ')
  
@@ -29110,7 +29534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +667,19 @@
+@@ -567,10 +671,19 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -29130,7 +29554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -590,6 +699,10 @@
+@@ -590,6 +703,10 @@
  ')
  
  optional_policy(`
@@ -29141,7 +29565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +759,20 @@
+@@ -646,20 +763,20 @@
  ')
  
  optional_policy(`
@@ -29168,7 +29592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -668,6 +781,7 @@
+@@ -668,6 +785,7 @@
  
  	mysql_stream_connect(initrc_t)
  	mysql_write_log(initrc_t)
@@ -29176,7 +29600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -700,7 +814,6 @@
+@@ -700,7 +818,6 @@
  ')
  
  optional_policy(`
@@ -29184,7 +29608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -722,8 +835,6 @@
+@@ -722,8 +839,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -29193,7 +29617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -736,13 +847,16 @@
+@@ -736,13 +851,16 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -29210,7 +29634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -751,6 +865,7 @@
+@@ -751,6 +869,7 @@
  
  optional_policy(`
  	udev_rw_db(initrc_t)
@@ -29218,7 +29642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -758,7 +873,17 @@
+@@ -758,7 +877,17 @@
  ')
  
  optional_policy(`
@@ -29236,7 +29660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -768,6 +893,21 @@
+@@ -768,6 +897,21 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29258,7 +29682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -793,3 +933,31 @@
+@@ -793,3 +937,31 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31384,7 +31808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.7/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/system/selinuxutil.te	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/selinuxutil.te	2010-01-14 10:26:10.000000000 -0500
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -31442,7 +31866,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ########################################
  #
  # Checkpolicy local policy
-@@ -191,15 +204,6 @@
+@@ -177,6 +190,7 @@
+ 
+ init_use_script_fds(load_policy_t)
+ init_use_script_ptys(load_policy_t)
++init_write_script_pipes(load_policy_t)
+ 
+ miscfiles_read_localization(load_policy_t)
+ 
+@@ -191,15 +205,6 @@
  	')
  ')
  
@@ -31458,7 +31890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ########################################
  #
  # Newrole local policy
-@@ -217,7 +221,7 @@
+@@ -217,7 +222,7 @@
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -31467,7 +31899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -270,12 +274,14 @@
+@@ -270,12 +275,14 @@
  init_rw_utmp(newrole_t)
  init_use_fds(newrole_t)
  
@@ -31482,7 +31914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # for some PAM modules and for cwd
  userdom_dontaudit_search_user_home_content(newrole_t)
  userdom_search_user_home_dirs(newrole_t)
-@@ -313,6 +319,8 @@
+@@ -313,6 +320,8 @@
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -31491,7 +31923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
  fs_getattr_xattr_fs(restorecond_t)
-@@ -336,6 +344,8 @@
+@@ -336,6 +345,8 @@
  
  seutil_libselinux_linked(restorecond_t)
  
@@ -31500,7 +31932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -354,7 +364,7 @@
+@@ -354,7 +365,7 @@
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -31509,7 +31941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -383,7 +393,6 @@
+@@ -383,7 +394,6 @@
  
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
@@ -31517,7 +31949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  auth_dontaudit_read_shadow(run_init_t)
  
  init_spec_domtrans_script(run_init_t)
-@@ -406,6 +415,10 @@
+@@ -406,6 +416,10 @@
  	')
  ')
  
@@ -31528,7 +31960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -421,61 +434,22 @@
+@@ -421,61 +435,22 @@
  # semodule local policy
  #
  
@@ -31598,7 +32030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -484,12 +458,23 @@
+@@ -484,12 +459,23 @@
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
@@ -31622,7 +32054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -499,111 +484,43 @@
+@@ -499,111 +485,43 @@
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
@@ -32288,7 +32720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.7/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/system/unconfined.if	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/unconfined.if	2010-01-13 14:39:35.000000000 -0500
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -32360,7 +32792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  	')
  
  	optional_policy(`
-@@ -111,16 +123,16 @@
+@@ -111,16 +123,15 @@
  ## </param>
  #
  interface(`unconfined_domain',`
@@ -32373,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  	tunable_policy(`allow_execheap',`
  		auditallow $1 self:process execheap;
  	')
- 
+-
 -# Turn off this audit for FC5
 -#	tunable_policy(`allow_execmem',`
 -#		auditallow $1 self:process execmem;
@@ -32381,7 +32813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  ########################################
-@@ -173,411 +185,3 @@
+@@ -173,411 +184,3 @@
  	refpolicywarn(`$0($1) has been deprecated.')
  ')
  
@@ -33027,12 +33459,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.7/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/system/userdomain.fc	2010-01-11 09:53:58.000000000 -0500
-@@ -1,4 +1,10 @@
++++ serefpolicy-3.7.7/policy/modules/system/userdomain.fc	2010-01-14 09:22:34.000000000 -0500
+@@ -1,4 +1,11 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 -
++/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 +/dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
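Review bot: The new `/tmp/\.ICE-unix(/.*)?` entry has no comment saying why a directory that is normally created by the display manager or session startup, not by the user's shell, is being pulled into user_tmp_t rather than left as generic tmp content; file_contexts entries in this file otherwise explain themselves by the path alone, and this one does not. Since user_tmp_t is presumably a single type shared by every user domain, this label gives no per-user separation between the ICE session sockets of different logged-in users — any separation there rests on DAC (the sticky bit on /tmp/.ICE-unix), not on this rule — and that is worth stating so nobody later reads the label as a confinement boundary. I would add a line above it such as `# ICE session sockets; shared dir, no per-user separation from this label`. The `HOME_DIR -l` and `/root` lines nearby are unchanged context and not part of this point.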
@@ -35549,7 +35982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.7/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/system/xen.te	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/xen.te	2010-01-12 10:27:16.000000000 -0500
 @@ -85,6 +85,7 @@
  type xenconsoled_t;
  type xenconsoled_exec_t;
@@ -35602,7 +36035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  storage_raw_read_fixed_disk(xenstored_t)
  storage_raw_write_fixed_disk(xenstored_t)
  storage_raw_read_removable_device(xenstored_t)
-@@ -421,6 +431,12 @@
+@@ -421,7 +431,14 @@
  xen_stream_connect_xenstore(xm_t)
  
  optional_policy(`
@@ -35613,9 +36046,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 +
 +optional_policy(`
  	virt_manage_images(xm_t)
++	virt_manage_config(xm_t)
  	virt_stream_connect(xm_t)
  ')
-@@ -438,6 +454,8 @@
+ 
+@@ -438,6 +455,8 @@
  	fs_manage_xenfs_dirs(xm_ssh_t)
  	fs_manage_xenfs_files(xm_ssh_t)
  
@@ -35626,7 +36061,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  	files_search_mnt(xend_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.7/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/support/obj_perm_sets.spt	2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/support/obj_perm_sets.spt	2010-01-14 09:16:41.000000000 -0500
+@@ -28,7 +28,7 @@
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+ 
+ 
+ #
 @@ -199,12 +199,14 @@
  #
  define(`getattr_file_perms',`{ getattr }')
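Review bot: Adding `tun_socket` to `socket_class_set` widens every rule in the policy that is written against that macro, so any domain given, say, `create_socket_perms` on `self:socket_class_set` now also receives those permissions on tun_socket, and the hunk does not show that this blanket widening was intended rather than a targeted `allow ... self:tun_socket` for the few domains (e.g. virtualization or VPN helpers) that attach to TUN/TAP devices. I would at least record the intent with a comment above the define, e.g. `# tun_socket included so unconfined/socket-generic rules cover TUN/TAP attach`. The build also requires the `tun_socket` class and its permissions to be declared in policy/flask/security_classes and access_vectors; that declaration is not visible in this chunk, so please confirm it is part of the same patch or already in the base policy, otherwise policy compilation will fail on the first use of this set.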
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 91386ed..0b0225e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -455,6 +455,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-2
+- Turn on puppet policy
+- Update to dgrift git policy
+
 * Mon Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-1
 - Move users file to selection by spec file.
 - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t