diff --git a/policy-20071130.patch b/policy-20071130.patch index a7b0072..2a31a44 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1486,7 +1486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-03-17 15:26:30.000000000 -0400 @@ -0,0 +1,275 @@ + +## policy for kismet @@ -1721,7 +1721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + + kismet_domtrans($1) + role $2 types kismet_t; -+ dontaudit kismet_t $3:chr_file rw_term_perms; ++ allow kismet_t $3:chr_file rw_term_perms; +') + + @@ -4405,7 +4405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/mono.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/mono.te 2008-03-17 17:40:05.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # 
@@ -7247,7 +7247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-04 17:23:42.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-17 11:22:13.000000000 -0400 @@ -1266,6 +1266,24 @@ ######################################## @@ -7425,7 +7425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-03-06 10:50:35.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-03-17 09:11:52.000000000 -0400 @@ -310,6 +310,25 @@ ######################################## @@ -7655,7 +7655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.3.1/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-03-17 11:03:50.000000000 -0400 @@ -25,6 +25,8 @@ fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); 
@@ -7685,6 +7685,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # # iso9660_t is the type for CD filesystems +@@ -231,6 +239,9 @@ + genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) + genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) ++genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) ++genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) ++ + + ######################################## + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-02-27 16:58:04.000000000 -0500 @@ -8743,7 +8753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-03-11 19:28:21.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-03-17 11:11:53.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10346,7 +10356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.3.1/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/bluetooth.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/bluetooth.te 2008-03-17 08:41:36.000000000 -0400 
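Review bot: `genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)` and the panfs line give every file on those filesystems the single nfs_t label, which is only the right choice when the filesystem cannot carry security xattrs; if Lustre does, an `fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);` entry beside the encfs/ext2 lines in the -7655 hunk would preserve per-file labels. The added `+` line after the panfs entry leaves two consecutive blank lines before the comment block; one is enough. The genfscon block this extends starts outside the hunk.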
@@ -32,19 +32,22 @@ type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) @@ -10372,7 +10382,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue allow bluetooth_t self:tcp_socket create_stream_socket_perms; allow bluetooth_t self:udp_socket create_socket_perms; -@@ -110,6 +113,8 @@ +@@ -92,6 +95,7 @@ + dev_rw_usbfs(bluetooth_t) + dev_rw_generic_usb_dev(bluetooth_t) + dev_read_urand(bluetooth_t) ++dev_rw_input_dev(bluetooth_t) + + fs_getattr_all_fs(bluetooth_t) + fs_search_auto_mountpoints(bluetooth_t) +@@ -110,6 +114,8 @@ files_read_etc_runtime_files(bluetooth_t) files_read_usr_files(bluetooth_t) @@ -10381,7 +10399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue libs_use_ld_so(bluetooth_t) libs_use_shared_libs(bluetooth_t) -@@ -118,19 +123,18 @@ +@@ -118,19 +124,18 @@ miscfiles_read_localization(bluetooth_t) miscfiles_read_fonts(bluetooth_t) 
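Review bot: `dev_rw_input_dev(bluetooth_t)` in the -10372 hunk grants read and write on input event device nodes with no comment saying which feature needs it, and the surrounding dev_* lines give no hint. Since writing those nodes means the daemon can inject as well as observe input events, a one-line comment above it, e.g. `# presumably for Bluetooth HID devices (input event nodes) -- confirm`, would let a later reviewer judge whether the grant is still needed. The enclosing bluetooth_t policy block starts and ends outside the hunk.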
@@ -10533,14 +10551,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +/etc/rc.d/init.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.3.1/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/clamav.if 2008-02-26 08:29:22.000000000 -0500 -@@ -91,3 +91,97 @@ ++++ serefpolicy-3.3.1/policy/modules/services/clamav.if 2008-03-17 09:22:39.000000000 -0400 +@@ -91,3 +91,116 @@ domtrans_pattern($1,clamscan_exec_t,clamscan_t) ') + +######################################## +## ++## Execute clamscan without a transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clamav_exec_clamscan',` ++ gen_require(` ++ type clamscan_exec_t; ++ ') ++ ++ can_exec($1,clamscan_exec_t) ++ ++') ++ ++######################################## ++## +## Execute clamav server in the clamav domain. +## +## @@ -12632,7 +12669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-02-26 14:09:20.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-17 09:13:14.000000000 -0400 @@ -9,6 +9,7 @@ # # Delcarations 
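Review bot: The new `clamav_exec_clamscan` interface (`can_exec($1,clamscan_exec_t)`) runs clamscan inside the caller's domain, so the scanner parses attachments with the caller's privileges instead of the confined clamscan_t that `clamav_domtrans_clamscan` (visible just above via `domtrans_pattern($1,clamscan_exec_t,clamscan_t)`) provides; its first caller, `clamav_exec_clamscan(postfix_local_t)` in the postfix.te hunk at -18363, therefore has untrusted mail content processed under postfix_local_t. If the no-transition variant is deliberate, the summary should say why, e.g. `## Execute clamscan in the caller's domain (no transition to clamscan_t); use clamav_domtrans_clamscan where a confined scanner is acceptable.` The blank line between `can_exec($1,clamscan_exec_t)` and `')` does not match the other interfaces in this file.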
@@ -12684,15 +12721,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t) -@@ -65,6 +80,7 @@ +@@ -65,6 +80,8 @@ fs_getattr_all_fs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) +fs_list_inotifyfs(system_dbusd_t) ++fs_dontaudit_list_nfs(system_dbusd_t) selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) -@@ -81,7 +97,6 @@ +@@ -81,7 +98,6 @@ corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) @@ -12700,7 +12738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus domain_use_interactive_fds(system_dbusd_t) -@@ -91,6 +106,8 @@ +@@ -91,6 +107,8 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -12709,7 +12747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus libs_use_ld_so(system_dbusd_t) libs_use_shared_libs(system_dbusd_t) -@@ -121,9 +138,20 @@ +@@ -121,9 +139,20 @@ ') optional_policy(` @@ -14075,7 +14113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-06 16:54:16.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-17 09:28:06.000000000 -0400 @@ -18,6 +18,9 @@ type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) 
@@ -14086,6 +14124,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail ######################################## # # fail2ban local policy +@@ -25,7 +28,7 @@ + + allow fail2ban_t self:process signal; + allow fail2ban_t self:fifo_file rw_fifo_file_perms; +-allow fail2ban_t self:unix_stream_socket create_stream_socket_perms; ++allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; + + # log files + allow fail2ban_t fail2ban_log_t:dir setattr; @@ -33,8 +36,9 @@ logging_log_filetrans(fail2ban_t,fail2ban_log_t,file) @@ -14097,9 +14144,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail kernel_read_system_state(fail2ban_t) -@@ -47,14 +51,23 @@ +@@ -46,15 +50,25 @@ + domain_use_interactive_fds(fail2ban_t) files_read_etc_files(fail2ban_t) ++files_read_etc_runtime_files(fail2ban_t) files_read_usr_files(fail2ban_t) +files_list_var(fail2ban_t) +files_search_var_lib(fail2ban_t) @@ -14122,7 +14171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail optional_policy(` apache_read_log(fail2ban_t) ') -@@ -64,5 +77,11 @@ +@@ -64,5 +78,11 @@ ') optional_policy(` @@ -15655,8 +15704,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.3.1/policy/modules/services/lpd.fc --- nsaserefpolicy/policy/modules/services/lpd.fc 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/lpd.fc 2008-02-26 08:29:22.000000000 -0500 -@@ -22,6 +22,8 @@ ++++ serefpolicy-3.3.1/policy/modules/services/lpd.fc 2008-03-17 09:33:24.000000000 -0400 +@@ -22,11 +22,15 @@ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) 
@@ -15665,8 +15714,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) # -@@ -30,3 +32,4 @@ + # /var + # /var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) ++/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) + @@ -16250,7 +16301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-03-17 11:21:36.000000000 -0400 @@ -25,26 +25,33 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) 
@@ -16288,22 +16339,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t) manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t) -@@ -62,8 +69,11 @@ +@@ -61,9 +68,11 @@ + files_pid_filetrans(munin_t,munin_var_run_t,file) kernel_read_system_state(munin_t) - kernel_read_kernel_sysctls(munin_t) +-kernel_read_kernel_sysctls(munin_t) +kernel_read_network_state(munin_t) -+kernel_read_sysctl(munin_t) ++kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) +corecmd_exec_shell(munin_t) corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) -@@ -73,11 +83,15 @@ +@@ -73,27 +82,36 @@ corenet_udp_sendrecv_all_nodes(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) ++corenet_tcp_bind_munin_port(munin_t) +corenet_tcp_connect_munin_port(munin_t) +corenet_tcp_connect_http_port(munin_t) +corenet_tcp_bind_all_nodes(munin_t) @@ -16316,7 +16369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni files_read_etc_files(munin_t) files_read_etc_runtime_files(munin_t) -@@ -86,14 +100,17 @@ + files_read_usr_files(munin_t) ++files_list_spool(munin_t) + fs_getattr_all_fs(munin_t) fs_search_auto_mountpoints(munin_t) @@ -16335,7 +16390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_sysadm_home_dirs(munin_t) -@@ -108,7 +125,19 @@ +@@ -108,7 +126,20 @@ ') optional_policy(` @@ -16348,6 +16403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +') + +optional_policy(` ++ mysql_read_config(munin_t) + mysql_stream_connect(munin_t) +') + @@ -16356,7 +16412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -118,3 +147,9 @@ +@@ -118,3 +149,9 @@ optional_policy(` udev_read_db(munin_t) ') 
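Review bot: `kernel_read_all_sysctls(munin_t)` replaces `kernel_read_kernel_sysctls(munin_t)` with read access to every sysctl tree, while the plugins that motivated it most likely need only the net and vm trees; `kernel_read_net_sysctls(munin_t)` and `kernel_read_vm_sysctls(munin_t)` would cover that without the broader grant, if they suffice. `corecmd_exec_shell(munin_t)`, `corenet_tcp_connect_http_port(munin_t)` and `corenet_tcp_bind_munin_port(munin_t)` are also added without comments; a short line per rule naming the role that needs it (node listener versus a plugin fetching a status page) would make the next audit easier. The munin_t policy block continues outside the hunk.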
@@ -16377,7 +16433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2008-03-17 11:21:07.000000000 -0400 @@ -157,3 +157,74 @@ logging_search_logs($1) allow $1 mysqld_log_t:file { write append setattr ioctl }; @@ -17751,7 +17807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-03-17 17:34:40.000000000 -0400 @@ -0,0 +1,189 @@ + +## policy for polkit_auth @@ -18292,7 +18348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-03-17 09:23:03.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
@@ -18363,7 +18419,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -285,6 +306,8 @@ +@@ -280,11 +301,14 @@ + + optional_policy(` + clamav_search_lib(postfix_local_t) ++ clamav_exec_clamscan(postfix_local_t) + ') + optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) @@ -18372,7 +18434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -295,8 +318,7 @@ +@@ -295,8 +319,7 @@ # # Postfix map local policy # @@ -18382,7 +18444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -346,8 +368,6 @@ +@@ -346,8 +369,6 @@ miscfiles_read_localization(postfix_map_t) @@ -18391,7 +18453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -360,6 +380,11 @@ +@@ -360,6 +381,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -18403,7 +18465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -392,6 +417,10 @@ +@@ -392,6 +418,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -18414,7 +18476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -400,6 +429,10 @@ +@@ -400,6 +430,10 @@ ') optional_policy(` 
@@ -18425,7 +18487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -532,9 +565,6 @@ +@@ -532,9 +566,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) @@ -18435,7 +18497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -557,6 +587,10 @@ +@@ -557,6 +588,10 @@ sasl_connect(postfix_smtpd_t) ') @@ -18446,7 +18508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix virtual local policy -@@ -584,3 +618,4 @@ +@@ -584,3 +619,4 @@ # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -23068,7 +23130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.3.1/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/squid.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/squid.te 2008-03-17 14:58:21.000000000 -0400 @@ -31,12 +31,15 @@ type squid_var_run_t; files_pid_file(squid_var_run_t) @@ -23111,7 +23173,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi selinux_dontaudit_getattr_dir(squid_t) -@@ -148,11 +155,7 @@ +@@ -128,6 +135,7 @@ + files_getattr_home_dir(squid_t) + + auth_use_nsswitch(squid_t) ++auth_domtrans_chkpwd(squid_t) + + libs_use_ld_so(squid_t) + libs_use_shared_libs(squid_t) +@@ -148,11 +156,7 @@ ') optional_policy(` 
@@ -23124,7 +23194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi ') optional_policy(` -@@ -167,7 +170,12 @@ +@@ -167,7 +171,12 @@ udev_read_db(squid_t) ') @@ -26131,7 +26201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-11 17:52:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-17 08:59:58.000000000 -0400 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -26152,7 +26222,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -@@ -122,6 +128,12 @@ +@@ -111,7 +117,8 @@ + term_use_all_user_ttys(pam_t) + term_use_all_user_ptys(pam_t) + +-init_dontaudit_rw_utmp(pam_t) ++init_read_utmp(pam_t) ++init_dontaudit_write_utmp(pam_t) + + files_read_etc_files(pam_t) + +@@ -122,6 +129,12 @@ userdom_use_unpriv_users_fds(pam_t) @@ -26165,7 +26245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(pam_t) -@@ -282,6 +294,11 @@ +@@ -282,6 +295,11 @@ ') ') @@ -26177,7 +26257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # updpwd local policy -@@ -297,8 +314,10 @@ +@@ -297,8 +315,10 @@ files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) @@ -26189,7 +26269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_manage_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) -@@ -359,11 +378,6 @@ +@@ -359,11 +379,6 @@ ') optional_policy(` 
@@ -28401,8 +28481,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-02-26 08:29:22.000000000 -0500 -@@ -0,0 +1,47 @@ ++++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-03-17 17:40:17.000000000 -0400 +@@ -0,0 +1,50 @@ +policy_module(qemu,1.0.0) + +## @@ -28450,6 +28530,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +allow qemu_unconfined_t self:process { execstack execmem }; + + ++optional_policy(` ++ xserver_xdm_rw_shm(qemu_unconfined_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-02-26 08:29:22.000000000 -0500 @@ -33358,8 +33441,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-03-05 18:05:21.000000000 -0500 -@@ -0,0 +1,162 @@ ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-03-17 17:37:52.000000000 -0400 +@@ -0,0 +1,179 @@ + +policy_module(virt,1.0.0) + @@ -33443,6 +33526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +corecmd_exec_bin(virtd_t) ++corecmd_exec_shell(virtd_t) + +corenet_all_recvfrom_unlabeled(virtd_t) +corenet_all_recvfrom_netlabel(virtd_t) 
@@ -33457,6 +33541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +corenet_rw_tun_tap_dev(virtd_t) + +dev_read_sysfs(virtd_t) ++dev_read_rand(virtd_t) + +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) @@ -33467,7 +33552,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +# Init script handling +domain_use_interactive_fds(virtd_t) + ++files_read_usr_files(virtd_t) +files_read_etc_files(virtd_t) ++files_read_usr_files(virtd_t) +files_read_etc_runtime_files(virtd_t) +files_search_all(virtd_t) + @@ -33478,9 +33565,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +miscfiles_read_certs(virtd_t) + +auth_use_nsswitch(virtd_t) -+ +logging_send_syslog_msg(virtd_t) + ++userdom_read_all_users_state(virtd_t) ++ +optional_policy(` + brctl_domtrans(virtd_t) +') @@ -33492,6 +33580,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t + ') + + optional_policy(` ++ consolekit_dbus_chat(virtd_t) ++ ') ++ ++ optional_policy(` + hal_dbus_chat(virtd_t) + ') +') @@ -33507,6 +33599,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +') + +optional_policy(` ++ polkit_domtrans_auth(virtd_t) ++') ++ ++optional_policy(` + qemu_domtrans(virtd_t) + qemu_read_state(virtd_t) + qemu_signal(virtd_t) 
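Review bot: `files_read_usr_files(virtd_t)` is added twice in the -33467 hunk, once before `files_read_etc_files(virtd_t)` and once after it; drop one of the two `+` lines so the file keeps one call per interface. The duplicate is harmless to the compiled policy but will confuse later diffs of this file. The virtd_t block continues outside the hunk.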
@@ -33522,6 +33618,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t + xen_stream_connect_xenstore(virtd_t) +') + ++allow virtd_t unconfined_t:dir { getattr search }; ++allow virtd_t unconfined_t:file read; ++allow virtd_t unconfined_t:process getattr; ++allow virtd_t usr_t:file read; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-02-26 08:29:22.000000000 -0500
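Review bot: The four raw `allow virtd_t unconfined_t:...` / `allow virtd_t usr_t:file read;` rules reference types owned by other modules without a `gen_require` block or an interface, unlike every other rule in virt.te, so the dependency on the unconfined module is hidden and the file may not build as a loadable module where those types are not in scope. `allow virtd_t usr_t:file read;` is already granted by `files_read_usr_files(virtd_t)` added in the -33467 hunk and can be dropped; the three unconfined_t rules look like reads of /proc/<pid> state of unconfined processes and, if really needed, belong in an `optional_policy` block through an interface supplied by the unconfined module, or via `domain_read_all_domains_state(virtd_t)` if that breadth is acceptable. A comment saying which libvirt operation needs to inspect unconfined processes would also help.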