From 522b59bb97c7e5651f370b5a3d83be11f4f11a65 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jun 07 2006 17:43:10 +0000 Subject: patch from dan Tue, 06 Jun 2006 22:50:46 -0400 --- diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 245a956..ec5cc93 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -58,6 +58,22 @@ gen_tunable(allow_ftpd_anon_write,false) ## ##

+## Allow ftp servers to use cifs +## used for public file transfer services. +##

+##
+gen_tunable(allow_ftpd_use_cifs,false) + +## +##

+## Allow ftp servers to use nfs +## used for public file transfer services. +##

+##
+gen_tunable(allow_ftpd_use_nfs,false) + +## +##

## Allow gssd to read temp directory. ##

##
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 2010151..00f1b98 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -86,6 +86,25 @@ interface(`rpm_run',` ######################################## ## +## Execute the rpm client in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_exec',` + gen_require(` + type rpm_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1,rpm_exec_t) +') + +######################################## +## ## Inherit and use file descriptors from RPM. ## ## diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 056b35a..3d17e7e 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.3.6) +policy_module(rpm,1.3.7) ######################################## # @@ -333,6 +333,14 @@ ifdef(`distro_redhat',` ifdef(`targeted_policy',` unconfined_domain(rpm_script_t) + + optional_policy(` + java_domtrans(rpm_script_t) + ') + + optional_policy(` + mono_domtrans(rpm_script_t) + ') ',` optional_policy(` bootloader_domtrans(rpm_script_t) diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te index 7211dd6..50a988f 100644 --- a/refpolicy/policy/modules/apps/webalizer.te +++ b/refpolicy/policy/modules/apps/webalizer.te @@ -1,5 +1,5 @@ -policy_module(webalizer,1.2.0) +policy_module(webalizer,1.2.1) ######################################## # @@ -44,6 +44,7 @@ allow webalizer_t self:unix_stream_socket create_stream_socket_perms; allow webalizer_t self:unix_dgram_socket sendto; allow webalizer_t self:unix_stream_socket connectto; allow webalizer_t self:tcp_socket connected_stream_socket_perms; +allow webalizer_t self:netlink_route_socket r_netlink_socket_perms; allow webalizer_t webalizer_etc_t:file { getattr read }; 
diff --git a/refpolicy/policy/modules/apps/wine.fc b/refpolicy/policy/modules/apps/wine.fc index e9898da..aa0daf7 100644 --- a/refpolicy/policy/modules/apps/wine.fc +++ b/refpolicy/policy/modules/apps/wine.fc @@ -1 +1,2 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/refpolicy/policy/modules/apps/wine.te b/refpolicy/policy/modules/apps/wine.te index b9cda46..60aa4cf 100644 --- a/refpolicy/policy/modules/apps/wine.te +++ b/refpolicy/policy/modules/apps/wine.te @@ -1,5 +1,5 @@ -policy_module(wine,1.1.1) +policy_module(wine,1.1.2) ######################################## # @@ -21,4 +21,8 @@ ifdef(`targeted_policy',` allow wine_t self:process { execstack execmem }; unconfined_domain_noaudit(wine_t) files_execmod_all_files(wine_t) + + optional_policy(` + hal_dbus_chat(wine_t) + ') ') diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc index 53e1db7..0c12508 100644 --- a/refpolicy/policy/modules/kernel/corecommands.fc +++ b/refpolicy/policy/modules/kernel/corecommands.fc @@ -120,11 +120,6 @@ ifdef(`distro_gentoo',` /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -# these two lines are separate because of a -# sorting issue with the java module -/usr/lib/jvm/java.*/bin -d gen_context(system_u:object_r:bin_t,s0) -/usr/lib/jvm/java.*/bin/.* gen_context(system_u:object_r:bin_t,s0) - /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) 
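Review bot: Removing the two `/usr/lib/jvm/java.*/bin` entries from corecommands.fc leaves nothing in this file labelling the JVM bin directory as bin_t, and the comment being deleted says they were kept here deliberately because of an ordering problem with the java module. Unless java.fc already carries equivalent entries (not visible in this patch), those paths fall back to the generic /usr/lib label and domains that execute java via corecmd interfaces will start seeing denials. A one-line note in the commit, or a matching addition in java.fc, would make the move traceable.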
@@ -135,6 +130,7 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0) /usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te index 39b6588..854ca0e 100644 --- a/refpolicy/policy/modules/kernel/corecommands.te +++ b/refpolicy/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.3.10) +policy_module(corecommands,1.3.11) ######################################## # diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 643a4a2..ede8c92 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -399,6 +399,26 @@ interface(`fs_dontaudit_list_auto_mountpoints',` ######################################## ## +## Get the attributes of directories on +## binfmt_misc filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_binfmt_misc_dirs',` + gen_require(` + type binfmt_misc_t; + ') + + allow $1 binfmt_misc_t:dir getattr; + +') + +######################################## +## ## Register an interpreter for new binary ## file types, using the kernel binfmt_misc ## support. diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index ce37304..17d90fa 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te 
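Review bot: The new `fs_getattr_binfmt_misc_dirs` interface ends with a blank line between `allow $1 binfmt_misc_t:dir getattr;` and the closing `')`, which none of the neighbouring interfaces in filesystem.if do; drop the blank so the rule is followed directly by `')`. The surrounding documentation block is otherwise consistent with the file's style.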
@@ -1,5 +1,5 @@ -policy_module(filesystem,1.3.7) +policy_module(filesystem,1.3.8) ######################################## # @@ -77,6 +77,10 @@ type nfsd_fs_t; fs_type(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) +type oprofilefs_t; +fs_type(oprofilefs_t) +genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) + type ramfs_t; fs_type(ramfs_t) genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) diff --git a/refpolicy/policy/modules/services/amavis.fc b/refpolicy/policy/modules/services/amavis.fc index 96f2fcd..31b1ab7 100644 --- a/refpolicy/policy/modules/services/amavis.fc +++ b/refpolicy/policy/modules/services/amavis.fc @@ -7,6 +7,6 @@ /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) /var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0) -/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) +/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) diff --git a/refpolicy/policy/modules/services/amavis.if b/refpolicy/policy/modules/services/amavis.if index 65ca6a7..f236899 100644 --- a/refpolicy/policy/modules/services/amavis.if +++ b/refpolicy/policy/modules/services/amavis.if 
@@ -28,6 +28,76 @@ interface(`amavis_domtrans',` ######################################## ## +## Read amavis spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`amavis_read_spool_files',` + gen_require(` + type amavis_spool_t; + ') + + files_search_spool($1) + allow $1 amavis_spool_t:file { getattr read }; +') + +######################################## +## +## Manage amavis spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`amavis_manage_spool_files',` + gen_require(` + type amavis_spool_t; + ') + + files_search_spool($1) + allow $1 amavis_spool_t:dir manage_dir_perms; + allow $1 amavis_spool_t:file manage_file_perms; +') + +######################################## +## +## Create objects in the amavis spool directories +## with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Class of the object being created. +## +## +# +interface(`amavis_spool_filetrans',` + gen_require(` + type amavis_spool_t; + ') + + files_search_spool($1) + allow $1 amavis_spool_t:dir rw_dir_perms; + type_transition $1 amavis_spool_t:$3 $2; +') + +######################################## +## ## Search amavis lib directories. ## ## diff --git a/refpolicy/policy/modules/services/amavis.te b/refpolicy/policy/modules/services/amavis.te index 918fa7e..55b4b6b 100644 --- a/refpolicy/policy/modules/services/amavis.te +++ b/refpolicy/policy/modules/services/amavis.te @@ -1,5 +1,5 @@ -policy_module(amavis,1.0.4) +policy_module(amavis,1.0.5) ######################################## # @@ -64,6 +64,7 @@ allow amavis_t amavis_quarantine_t:dir create_dir_perms; # Spool Files allow amavis_t amavis_spool_t:dir manage_dir_perms; allow amavis_t amavis_spool_t:file manage_file_perms; +allow amavis_t amavis_spool_t:sock_file manage_file_perms; files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file }) # tmp files 
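Review bot: `amavis_read_spool_files` grants only `amavis_spool_t:file { getattr read }` plus `files_search_spool($1)`, so the caller can reach /var/spool but cannot search the amavis_spool_t directory that holds the files; a domain using this interface will still be denied `dir search` on amavis_spool_t. Add `allow $1 amavis_spool_t:dir search_dir_perms;` (or `r_dir_perms` if listing is wanted) after the `files_search_spool` call. The two sibling interfaces in the same hunk already grant `manage_dir_perms` and `rw_dir_perms` respectively, so only the read variant is affected.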
@@ -93,6 +94,7 @@ files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(amavis_t) # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... kernel_dontaudit_list_proc(amavis_t) +kernel_dontaudit_read_proc_symlinks(amavis_t) kernel_dontaudit_read_system_state(amavis_t) # find perl @@ -102,6 +104,8 @@ corecmd_search_sbin(amavis_t) corenet_non_ipsec_sendrecv(amavis_t) corenet_tcp_sendrecv_all_if(amavis_t) corenet_tcp_sendrecv_all_nodes(amavis_t) +corenet_tcp_bind_all_nodes(amavis_t) +corenet_udp_bind_all_nodes(amavis_t) # amavis uses well-defined ports corenet_tcp_sendrecv_amavisd_recv_port(amavis_t) corenet_tcp_sendrecv_amavisd_send_port(amavis_t) @@ -111,6 +115,7 @@ corenet_tcp_sendrecv_all_ports(amavis_t) corenet_tcp_connect_amavisd_send_port(amavis_t) # bind to incoming port corenet_tcp_bind_amavisd_recv_port(amavis_t) +corenet_udp_bind_generic_port(amavis_t) dev_read_rand(amavis_t) dev_read_urand(amavis_t) diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index 5c1c23b..69a605f 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -115,6 +115,7 @@ template(`apache_content_template',` seutil_dontaudit_search_config(httpd_$1_script_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_$1_script_t httpdcontent:file entrypoint; allow httpd_$1_script_t httpdcontent:dir create_dir_perms; allow httpd_$1_script_t httpdcontent:file create_file_perms; allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms; diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 138d4bd..5a919e1 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.3.12) +policy_module(apache,1.3.13) # # NOTES: 
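Review bot: The added `allow httpd_$1_script_t httpdcontent:file entrypoint;` makes every httpdcontent file a valid entry point for the script domain, and the same tunable block already grants that domain `create_file_perms` on httpdcontent, so under `httpd_enable_cgi && httpd_unified` a script can write a file that is then a legitimate executable for its own domain. That is presumably the point of the unified mode, but the rule deserves a comment saying so, e.g. `# unified content is both writable and executable by the script domain`. The enclosing apache_content_template continues outside the hunk.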
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 2bb2b31..3a78044 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth,1.2.7) +policy_module(bluetooth,1.2.8) ######################################## # @@ -125,6 +125,8 @@ init_use_script_ptys(bluetooth_t) libs_use_ld_so(bluetooth_t) libs_use_shared_libs(bluetooth_t) +locallogin_dontaudit_use_fds(bluetooth_helper_t) + logging_send_syslog_msg(bluetooth_t) miscfiles_read_localization(bluetooth_t) @@ -223,6 +225,8 @@ ifdef(`targeted_policy',` xserver_stream_connect_xdm(bluetooth_helper_t) xserver_use_xdm_fds(bluetooth_helper_t) xserver_rw_xdm_pipes(bluetooth_helper_t) + # when started via startx + xserver_stream_connect_xdm_xserver(bluetooth_helper_t) ') ') diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te index 1f5dee6..76a543a 100644 --- a/refpolicy/policy/modules/services/clamav.te +++ b/refpolicy/policy/modules/services/clamav.te @@ -1,5 +1,5 @@ -policy_module(clamav,1.0.2) +policy_module(clamav,1.0.3) ######################################## # @@ -39,6 +39,10 @@ type clamscan_t; type clamscan_exec_t; init_daemon_domain(clamscan_t, clamscan_exec_t) +# tmp files +type clamscan_tmp_t; +files_tmp_file(clamscan_tmp_t) + type freshclam_t; type freshclam_exec_t; init_daemon_domain(freshclam_t, freshclam_exec_t) @@ -111,6 +115,7 @@ domain_use_interactive_fds(clamd_t) files_read_etc_files(clamd_t) files_read_etc_runtime_files(clamd_t) +files_search_spool(clamd_t) init_use_fds(clamd_t) init_use_script_ptys(clamd_t) @@ -118,6 +123,8 @@ init_use_script_ptys(clamd_t) libs_use_ld_so(clamd_t) libs_use_shared_libs(clamd_t) +logging_send_syslog_msg(clamd_t) + miscfiles_read_localization(clamd_t) sysnet_dns_name_resolve(clamd_t) 
@@ -126,8 +133,14 @@ cron_use_fds(clamd_t) cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) +ifdef(`targeted_policy',` + term_dontaudit_use_generic_ptys(clamd_t) +') + optional_policy(` amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) + amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file) ') ######################################## @@ -214,6 +227,11 @@ allow clamscan_t clamd_etc_t:dir r_dir_perms; allow clamscan_t clamd_etc_t:file r_file_perms; allow clamscan_t clamd_etc_t:lnk_file { getattr read }; +# tmp files +allow clamscan_t clamscan_tmp_t:file manage_file_perms; +allow clamscan_t clamscan_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir }) + # var/lib files together with clamd allow clamscan_t clamd_var_lib_t:file r_file_perms; allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms; diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 500d564..932969f 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.3.5) +policy_module(cups,1.3.6) ######################################## # 
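Review bot: `amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)` makes clamd create its socket inside the amavis spool with type clamd_var_run_t, while the amavis.te hunk earlier in this patch only adds `amavis_t amavis_spool_t:sock_file manage_file_perms`, which does not cover a clamd_var_run_t socket. Presumably amavis_t already has clamd_var_run_t sock_file write and clamd_t unix_stream_socket connectto through a clamd stream-connect interface (not visible here); if not, the new socket will be unreachable from amavis and the two rules should be reconciled. A short comment on the filetrans line naming the consumer of the socket would make the intended pairing explicit.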
@@ -74,14 +74,14 @@ files_pid_file(ptal_var_run_t) # # /usr/lib/cups/backend/serial needs sys_admin(?!) -allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write }; +allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; allow cupsd_t self:process { setsched signal_perms }; allow cupsd_t self:fifo_file rw_file_perms; allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms }; +allow cupsd_t self:netlink_route_socket r_netlink_socket_perms; allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom }; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; @@ -565,6 +565,7 @@ allow hplip_t self:unix_dgram_socket create_socket_perms; allow hplip_t self:unix_stream_socket create_socket_perms; allow hplip_t self:tcp_socket create_stream_socket_perms; allow hplip_t self:udp_socket create_socket_perms; +allow hplip_t self:netlink_route_socket r_netlink_socket_perms; # cjp: raw? allow hplip_t self:rawip_socket create_socket_perms; @@ -635,6 +636,7 @@ sysnet_read_config(hplip_t) userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_sysadm_home_dirs(hplip_t) +userdom_dontaudit_search_all_users_home_content(hplip_t) lpd_read_config(cupsd_t) 
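Review bot: The rewritten cupsd_t capability line lists `dac_override` twice, because the original set already contained it near the end (`... fowner chown dac_override sys_tty_config audit_write`); the only effect of this change is a duplicate permission, so drop the newly inserted `dac_override` and leave the line as it was. The brace removal on the netlink_route_socket rule below is fine.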
@@ -645,11 +647,11 @@ ifdef(`targeted_policy', ` ') optional_policy(` - mount_send_nfs_client_request(hplip_t) + seutil_sigchld_newrole(hplip_t) ') optional_policy(` - seutil_sigchld_newrole(hplip_t) + snmp_read_snmp_var_lib_files(hplip_t) ') optional_policy(` diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te index 93c7ab0..1e7d332 100644 --- a/refpolicy/policy/modules/services/dbus.te +++ b/refpolicy/policy/modules/services/dbus.te @@ -1,5 +1,5 @@ -policy_module(dbus,1.2.3) +policy_module(dbus,1.2.4) gen_require(` class dbus { send_msg acquire_svc }; @@ -38,6 +38,7 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; allow system_dbusd_t self:unix_dgram_socket create_socket_perms; allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms; # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index 630e27c..166d4dc 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.2.3) +policy_module(dovecot,1.2.4) ######################################## # @@ -42,6 +42,7 @@ allow dovecot_t self:fifo_file rw_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow dovecot_t self:netlink_route_socket r_netlink_socket_perms; domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) allow dovecot_t dovecot_auth_t:fd use; 
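Review bot: This hunk silently drops `mount_send_nfs_client_request(hplip_t)` — the two optional blocks are rewritten in place so the diff reads like a reorder, but the net effect is that the mount call disappears and `snmp_read_snmp_var_lib_files(hplip_t)` appears. If hplip no longer needs to talk to the NFS mount client that is fine, but it should be stated; a `# no longer needed: <reason>` line in the commit or a separate removal hunk would avoid the change being overlooked. The targeted_policy block enclosing these rules starts outside the hunk.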
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index 4c67576..a36c4dd 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -1,5 +1,5 @@ -policy_module(ftp,1.2.4) +policy_module(ftp,1.2.5) ######################################## # @@ -139,7 +139,25 @@ ifdef(`targeted_policy',` tunable_policy(`allow_ftpd_anon_write',` miscfiles_manage_public_files(ftpd_t) -') +') + +tunable_policy(`allow_ftpd_use_cifs',` + fs_read_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` + fs_manage_cifs_files(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_nfs',` + fs_read_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` + fs_manage_nfs_files(ftpd_t) +') tunable_policy(`ftp_home_dir',` allow ftpd_t self:capability { dac_override dac_read_search }; @@ -156,6 +174,16 @@ tunable_policy(`ftp_home_dir',` ') ') +tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` + fs_manage_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') + +tunable_policy(`ftp_home_dir && use_samba_home_dirs',` + fs_manage_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) +') + tunable_policy(`ftpd_is_daemon',` allow ftpd_t ftpd_lock_t:file create_file_perms; files_lock_filetrans(ftpd_t,ftpd_lock_t,file) @@ -163,16 +191,6 @@ tunable_policy(`ftpd_is_daemon',` corenet_tcp_bind_ftp_port(ftpd_t) ') -tunable_policy(`use_nfs_home_dirs && ftp_home_dir',` - fs_read_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) -') - -tunable_policy(`use_samba_home_dirs && ftp_home_dir',` - fs_read_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) -') - optional_policy(` corecmd_exec_shell(ftpd_t) diff --git a/refpolicy/policy/modules/services/ldap.fc b/refpolicy/policy/modules/services/ldap.fc index 6deab74..8ee84ac 100644 --- a/refpolicy/policy/modules/services/ldap.fc 
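Review bot: Under `allow_ftpd_use_cifs && allow_ftpd_anon_write` (and the nfs twin) the hunk grants `fs_manage_cifs_files(ftpd_t)` / `fs_manage_nfs_files(ftpd_t)`, which cover every file on a CIFS or NFS mount, whereas the local branch of `allow_ftpd_anon_write` is limited to `miscfiles_manage_public_files`. The tunable descriptions added in global_tunables say "used for public file transfer services", which overstates the restriction; either document on these rules that anonymous write on network filesystems is unrestricted, or narrow it. The relocated `ftp_home_dir && use_nfs_home_dirs` and `use_samba_home_dirs` blocks also now grant manage where the removed ones granted read, a widening the commit message does not mention. The `-') +')` pair near the top of the hunk changes only whitespace and can be dropped.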
+++ b/refpolicy/policy/modules/services/ldap.fc @@ -6,5 +6,6 @@ /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) +/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index d62804f..315dffb 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -1,5 +1,5 @@ -policy_module(ldap,1.2.2) +policy_module(ldap,1.2.3) ######################################## # diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index 4edf487..d0e51f3 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -1,5 +1,5 @@ -policy_module(mysql,1.2.2) +policy_module(mysql,1.2.3) ######################################## # @@ -32,7 +32,7 @@ files_tmp_file(mysqld_tmp_t) allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; -allow mysqld_t self:process { setsched getsched setrlimit signal_perms }; +allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file { read write }; allow mysqld_t self:netlink_route_socket r_netlink_socket_perms; allow mysqld_t self:unix_stream_socket create_stream_socket_perms; diff --git a/refpolicy/policy/modules/services/networkmanager.fc b/refpolicy/policy/modules/services/networkmanager.fc index 4a08a63..e198e69 100644 --- a/refpolicy/policy/modules/services/networkmanager.fc +++ b/refpolicy/policy/modules/services/networkmanager.fc 
@@ -1,4 +1,5 @@ /usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /var/run/NetworkManager.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index 6d54fec..64d10e5 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.3.2) +policy_module(networkmanager,1.3.3) ######################################## # diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index 5fbc7ff..1b44ce8 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te @@ -1,5 +1,5 @@ -policy_module(nscd,1.2.4) +policy_module(nscd,1.2.5) gen_require(` class nscd all_nscd_perms; @@ -131,3 +131,8 @@ optional_policy(` optional_policy(` udev_read_db(nscd_t) ') + +optional_policy(` + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) +') diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te index f19233c..7769803 100644 --- a/refpolicy/policy/modules/services/pegasus.te +++ b/refpolicy/policy/modules/services/pegasus.te @@ -1,5 +1,5 @@ -policy_module(pegasus,1.1.3) +policy_module(pegasus,1.1.4) ######################################## # 
@@ -30,7 +30,7 @@ files_pid_file(pegasus_var_run_t) # Local policy # -allow pegasus_t self:capability { dac_override net_bind_service audit_write }; +allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service audit_write }; dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_file_perms; @@ -48,6 +48,8 @@ allow pegasus_t pegasus_data_t:file create_file_perms; allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms; type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t; +can_exec(pegasus_t,pegasus_exec_t) + allow pegasus_t pegasus_mof_t:dir r_dir_perms; allow pegasus_t pegasus_mof_t:file r_file_perms; allow pegasus_t pegasus_mof_t:lnk_file { getattr read }; @@ -65,6 +67,7 @@ kernel_read_kernel_sysctls(pegasus_t) kernel_read_fs_sysctls(pegasus_t) kernel_read_system_state(pegasus_t) kernel_search_vm_sysctl(pegasus_t) +kernel_read_net_sysctls(pegasus_t) corenet_non_ipsec_sendrecv(pegasus_t) corenet_tcp_sendrecv_all_if(pegasus_t) @@ -111,6 +114,7 @@ hostname_exec(pegasus_t) init_use_fds(pegasus_t) init_use_script_ptys(pegasus_t) init_rw_utmp(pegasus_t) +init_stream_connect_script(pegasus_t) libs_use_ld_so(pegasus_t) libs_use_shared_libs(pegasus_t) @@ -138,6 +142,10 @@ optional_policy(` ') optional_policy(` + rpm_exec(pegasus_t) +') + +optional_policy(` seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index 15167e7..612ba91 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.2.6) +policy_module(postfix,1.2.7) ######################################## # 
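Review bot: The capability line now adds `chown sys_nice setuid setgid` to pegasus_t with no comment on why each is needed, and the later hunk adds `rpm_exec(pegasus_t)`, which per the new rpm.if interface runs the rpm client in the caller's domain rather than transitioning; together with `can_exec(pegasus_t,pegasus_exec_t)` this noticeably widens what pegasus_t can do. A short comment per capability (e.g. `# setuid/setgid: provider drops privileges - TODO confirm`) would record the justification. If a transition into the rpm domain is workable for this use, prefer a domtrans over `rpm_exec` so the rpm client's own accesses do not accrue to pegasus_t.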
@@ -290,7 +290,7 @@ mta_read_config(postfix_local_t) optional_policy(` # for postalias - mailman_read_data_files(postfix_local_t) + mailman_manage_data_files(postfix_local_t) ') optional_policy(` diff --git a/refpolicy/policy/modules/services/pyzor.te b/refpolicy/policy/modules/services/pyzor.te index 85b204a..928ad8e 100644 --- a/refpolicy/policy/modules/services/pyzor.te +++ b/refpolicy/policy/modules/services/pyzor.te @@ -1,5 +1,5 @@ -policy_module(pyzor,1.0.2) +policy_module(pyzor,1.0.3) ######################################## # @@ -31,10 +31,24 @@ files_type(pyzor_var_lib_t) # Pyzor local policy # +allow pyzor_t self:udp_socket create_socket_perms; + allow pyzor_t pyzor_var_lib_t:dir r_dir_perms; allow pyzor_t pyzor_var_lib_t:file r_file_perms; files_search_var_lib(pyzor_t) +kernel_read_kernel_sysctls(pyzor_t) +kernel_read_system_state(pyzor_t) + +corecmd_list_bin(pyzor_t) +corecmd_getattr_bin_files(pyzor_t) + +corenet_udp_sendrecv_all_if(pyzor_t) +corenet_udp_sendrecv_all_nodes(pyzor_t) +corenet_udp_sendrecv_all_ports(pyzor_t) + +dev_read_urand(pyzor_t) + files_read_etc_files(pyzor_t) auth_use_nsswitch(pyzor_t) @@ -46,6 +60,7 @@ miscfiles_read_localization(pyzor_t) optional_policy(` amavis_manage_lib_files(pyzor_t) + amavis_manage_spool_files(pyzor_t) ') optional_policy(` diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index 256153b..7364109 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -1,5 +1,5 @@ -policy_module(samba,1.2.5) +policy_module(samba,1.2.6) ################################# # @@ -225,6 +225,7 @@ allow smbd_t winbind_var_run_t:sock_file { read write getattr }; kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) +kernel_read_fs_sysctls(smbd_t) kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) 
@@ -252,6 +253,7 @@ dev_dontaudit_getattr_usbfs_dirs(smbd_t) fs_getattr_all_fs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) +fs_getattr_rpc_dirs(smbd_t) term_dontaudit_use_console(smbd_t) @@ -328,6 +330,10 @@ optional_policy(` ') optional_policy(` + rpc_search_nfs_state_data(smbd_t) +') + +optional_policy(` seutil_sigchld_newrole(smbd_t) ') diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc index 260950c..3da7107 100644 --- a/refpolicy/policy/modules/services/spamassassin.fc +++ b/refpolicy/policy/modules/services/spamassassin.fc @@ -1,10 +1,12 @@ /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) + +/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ifdef(`strict_policy',` HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te index 80cab9e..ba0d6e5 100644 --- a/refpolicy/policy/modules/services/spamassassin.te +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.3.8) +policy_module(spamassassin,1.3.9) ######################################## # @@ -14,6 +14,9 @@ type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t,spamd_exec_t) +type spamd_spool_t; +files_type(spamd_spool_t) + type spamd_tmp_t; files_tmp_file(spamd_tmp_t) 
@@ -49,6 +52,10 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; +allow spamd_t spamd_spool_t:file create_file_perms; +allow spamd_t spamd_spool_t:dir create_dir_perms; +files_spool_filetrans(spamd_t,spamd_spool_t, { file dir }) + allow spamd_t spamd_tmp_t:dir create_dir_perms; allow spamd_t spamd_tmp_t:file create_file_perms; files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -100,6 +107,7 @@ domain_use_interactive_fds(spamd_t) files_read_usr_files(spamd_t) files_read_etc_files(spamd_t) files_read_etc_runtime_files(spamd_t) +files_search_var_lib(spamd_t) init_use_fds(spamd_t) init_use_script_ptys(spamd_t) diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if index 6f43494..e0b8511 100644 --- a/refpolicy/policy/modules/services/xserver.if +++ b/refpolicy/policy/modules/services/xserver.if @@ -1108,3 +1108,24 @@ interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',` dontaudit $1 xdm_xserver_t:tcp_socket { read write }; ') + +######################################## +## +## Connect to xdm_xserver over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_stream_connect_xdm_xserver',` + gen_require(` + type xdm_xserver_t, xdm_xserver_tmp_t; + ') + + files_search_tmp($1) + allow $1 xdm_xserver_tmp_t:sock_file write; + allow $1 xdm_xserver_t:unix_stream_socket connectto; +') diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te index 2e69e4d..ee6fb5c 100644 --- a/refpolicy/policy/modules/services/xserver.te +++ b/refpolicy/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver,1.1.7) +policy_module(xserver,1.1.8) ######################################## # 
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index ab0c532..ec49bbf 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -34,8 +34,13 @@ ifdef(`distro_redhat',` # /lib(/.*)? gen_context(system_u:object_r:lib_t,s0) /lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) -/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) -/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) +/lib64/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) +/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) + +/lib/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/lib64/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_gentoo',` /lib32(/.*)? gen_context(system_u:object_r:lib_t,s0) @@ -55,6 +60,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/cisco-vpnclient/lib/libvpnapi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_gentoo',` 
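Review bot: Splitting `/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*` into `/lib/ld-[^/]*\.so(\.[^/]*)*` and `/lib64/ld-[^/]*\.so(\.[^/]*)*` drops the `(/.*)?` component, so a dynamic loader in a subdirectory of /lib or /lib64 would no longer get ld_so_t. That may be intentional (it also stops the pattern from matching `/lib/security/...`), but it is a semantic change hidden in what looks like a de-duplication; a comment such as `# ld.so is only labelled at the top of /lib and /lib64` would make it explicit. The distro_redhat block enclosing these entries starts outside the hunk.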
@@ -115,6 +121,7 @@ ifdef(`distro_gentoo',`
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ifdef(`distro_redhat',`
@@ -226,7 +233,14 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
 /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/matlab.*/bin/glnx86/libmwlapack.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/acroread/(.*/)?sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
 #
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 7b12270..2251bf6 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.7)
+policy_module(libraries,1.3.8)
 ########################################
 #
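Review bot: `fglx_drv\.so` in the new drivers entry looks like a typo for the ATI driver `fglrx_drv\.so`; as written the pattern matches no shipped file, so the driver stays `lib_t` and its text relocations keep being denied rather than allowed as the entry intends. Confirm the filename against the package and change the line to `/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` if so. The pattern is otherwise consistent with the `libglx\.so` entries around it.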
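Review bot: `/usr/lib/acroread/(.*/)?sidecars/*` does not mean "everything under sidecars": in a regex `/*` is zero or more slashes, so with the `--` type specifier the entry only matches a regular file named `sidecars`; `sidecars/.*` (or `sidecars(/.*)?`) is presumably what was meant. The remaining four `/usr/lib/acroread/` lines duplicate the existing `/usr/(local/)?acroread/` and `/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl` entries with a different prefix, so widening the existing prefix to `/usr/(local/|lib/)?acroread/` would cover both install locations without a parallel set that can drift. Because `textrel_shlib_t` permits text relocation for every domain that maps these files, keeping the match set tight is worth the extra care.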
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index bfb051c..0ef5e54 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.5)
+policy_module(logging,1.3.6)
 ########################################
 #
@@ -123,8 +123,9 @@ allow auditd_t auditd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(auditd_t,auditd_var_run_t,file)
 kernel_read_kernel_sysctls(auditd_t)
-kernel_list_proc(auditd_t)
-kernel_read_proc_symlinks(auditd_t)
+# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+# Probably want a transition, and a new auditd_helper app
+kernel_read_system_state(auditd_t)
 dev_read_sysfs(auditd_t)
@@ -133,8 +134,11 @@ fs_search_auto_mountpoints(auditd_t)
 term_dontaudit_use_console(auditd_t)
-# cjp: why?
+# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+# Probably want a transition, and a new auditd_helper app
 corecmd_exec_sbin(auditd_t)
+corecmd_exec_bin(auditd_t)
+
 domain_use_interactive_fds(auditd_t)
diff --git a/refpolicy/policy/modules/system/unconfined.fc b/refpolicy/policy/modules/system/unconfined.fc
index 47a158f..a505b37 100644
--- a/refpolicy/policy/modules/system/unconfined.fc
+++ b/refpolicy/policy/modules/system/unconfined.fc
@@ -3,3 +3,8 @@
 # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
 /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+ifdef(`targeted_policy',`
+/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index ca1438f..41f9db5 100644
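Review bot: `kernel_read_system_state(auditd_t)` is wider than the `kernel_list_proc` and `kernel_read_proc_symlinks` calls it replaces (it also covers reading the files under `/proc`), and the new comment does not say which of that the dispatcher actually needs; if the listing and symlink accesses were already sufficient, keeping them and adding only the missing read would be the smaller change. The same two comment lines are pasted again in the following hunk above `corecmd_exec_sbin`, so a single `# TODO: dispatcher (see /etc/audit/auditd.conf) should get its own domain` at one of the two places would be clearer than the duplicate.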
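Review bot: `corecmd_exec_bin(auditd_t)` together with the existing `corecmd_exec_sbin` runs whatever dispatcher is configured in `/etc/audit/auditd.conf` inside `auditd_t` itself, so the helper inherits auditd's privileges (including its audit capabilities) with no domain transition; the comment acknowledges this but only as "probably". Writing it as an explicit `# TODO: transition to a dedicated dispatcher domain` keeps the widening visible, and it is worth noting for monitoring that a binary labelled `bin_t` or `sbin_t` executed by auditd_t will not produce an AVC denial under this rule. The auditd_t block continues outside the hunk.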
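Review bot: The new `ifdef(\`targeted_policy'` block in unconfined.fc gives no reason for labelling these two programs `unconfined_execmem_exec_t`; a line such as `# programs that need execmem/execstack; kept in a separate unconfined domain so unconfined_t itself does not need them` would explain the split to someone reading only the .fc file. The `openoffice.org.*` component also uses an unescaped `.`, which is harmless here but inconsistent with the `\.bin` escape on the same line.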
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.8)
+policy_module(unconfined,1.3.9)
 ########################################
 #
@@ -13,7 +13,12 @@ gen_require(`
 ')
 type unconfined_exec_t;
 init_system_domain(unconfined_t,unconfined_exec_t)
-role system_r types unconfined_t;
+
+ifdef(`targeted_policy',`
+ type unconfined_execmem_t;
+ type unconfined_execmem_exec_t;
+ init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
+')
 ########################################
 #
@@ -28,6 +33,8 @@ ifdef(`targeted_policy',`
 allow unconfined_t self:system syslog_read;
 dontaudit unconfined_t self:capability sys_module;
+ domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
+
 files_create_boot_flag(unconfined_t)
 init_domtrans_script(unconfined_t)
@@ -174,3 +181,13 @@ ifdef(`targeted_policy',`
 xserver_domtrans_xdm_xserver(unconfined_t)
 ')
 ')
+
+########################################
+#
+# Unconfined Execmem Local policy
+#
+
+ifdef(`targeted_policy',`
+ allow unconfined_execmem_t self:process { execstack execmem };
+ unconfined_domain_noaudit(unconfined_execmem_t)
+')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 99be68c..7aed674 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.26)
+policy_module(userdomain,1.3.27)
 gen_require(`
 role sysadm_r, staff_r, user_r;
@@ -228,6 +228,10 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
+ consoletype_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
+ optional_policy(`
 clock_run(sysadm_t,sysadm_r,admin_terminal)
 ')
diff --git a/refpolicy/policy/modules/system/xen.fc b/refpolicy/policy/modules/system/xen.fc
index 8547b2e..339e7a9 100644
--- a/refpolicy/policy/modules/system/xen.fc
+++ b/refpolicy/policy/modules/system/xen.fc
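Review bot: `role system_r types unconfined_t;` is removed without a replacement; that is only safe if `init_system_domain`, called on the line above and now reused for `unconfined_execmem_t`, performs the role association itself, which cannot be verified from this file — confirm in init.if before merging, since losing the role silently breaks system_r entry into unconfined_t. A one-line comment above the new `ifdef` block, e.g. `# separate domain so unconfined_t does not need execmem/execstack`, would record why a second unconfined domain exists at all.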
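Review bot: `unconfined_domain_noaudit(unconfined_execmem_t)` plus `self:process { execstack execmem }` makes the new domain itself unconfined, so the split confines nothing; its only value is that `unconfined_t` does not have to carry `execmem`/`execstack`, and that intent is stated nowhere in the new section, so a later cleanup could merge the two domains and silently lose it. A comment under the section header saying exactly that would protect the design. The header `# Unconfined Execmem Local policy` also departs from the lower-case `# ... local policy` form used elsewhere in the tree (compare `# xm local policy` in xen.te in this same patch).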
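Review bot: The new `consoletype_run` block is inserted ahead of `clock_run`, which appears to break the alphabetical ordering of the `optional_policy` blocks in this file (`clock` sorts before `consoletype`); placing the new block after the `clock_run` one keeps the list sorted and easier to merge against. The surrounding sysadm_t block starts and ends outside the hunk.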
@@ -16,3 +16,5 @@
 /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+
+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
diff --git a/refpolicy/policy/modules/system/xen.if b/refpolicy/policy/modules/system/xen.if
index 7393a2a..4bb6278 100644
--- a/refpolicy/policy/modules/system/xen.if
+++ b/refpolicy/policy/modules/system/xen.if
@@ -124,6 +124,6 @@ interface(`xen_domtrans_xm',`
 domain_auto_trans($1,xm_exec_t,xm_t)
 allow xm_t $1:fd use;
- allow xm_t:$1:fifo_file rw_file_perms;
+ allow xm_t $1:fifo_file rw_file_perms;
 allow xm_t $1:process sigchld;
 ')
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
index c841a99..8d15a08 100644
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.0.5)
+policy_module(xen,1.0.6)
 ########################################
 #
@@ -11,6 +11,10 @@ type xen_devpts_t;
 term_pty(xen_devpts_t);
 files_type(xen_devpts_t);
+# Xen Image files
+type xen_image_t; # customizable
+files_type(xen_image_t)
+
 type xend_t;
 type xend_exec_t;
 domain_type(xend_t)
@@ -74,6 +78,9 @@ allow xend_t self:netlink_route_socket r_netlink_socket_perms;
 allow xend_t self:tcp_socket create_stream_socket_perms;
 allow xend_t self:packet_socket create_socket_perms;
+allow xend_t xen_image_t:dir r_dir_perms;
+allow xend_t xen_image_t:file r_file_perms;
+
 # pid file
 allow xend_t xend_var_run_t:file manage_file_perms;
 allow xend_t xend_var_run_t:sock_file manage_file_perms;
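Review bot: `r_file_perms` on `xen_image_t` lets xend read guest images but not write them, and nothing says whether that is the design (writes happen in another domain) or just what was observed so far; if xend attaches file-backed disks itself it will need write access, and a comment next to the two rules such as `# images are read-only to xend; guest I/O goes through the kernel backends` (or the opposite, whichever is confirmed) stops the rule being widened reflexively on the first denial. The `# customizable` tag on `type xen_image_t;` in the earlier hunk implies administrators relabel their own image directories, which is worth stating in xen.fc beside the `/xen(/.*)?` entry so the root-level path is not mistaken for the only supported location.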
@@ -89,8 +96,9 @@ logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
 # var/lib files for xend
 allow xend_t xend_var_lib_t:file create_file_perms;
 allow xend_t xend_var_lib_t:sock_file create_file_perms;
+allow xend_t xend_var_lib_t:fifo_file create_file_perms;
 allow xend_t xend_var_lib_t:dir create_dir_perms;
-files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
 # transition to store
 domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
@@ -117,6 +125,7 @@ corenet_non_ipsec_sendrecv(xend_t)
 corenet_tcp_sendrecv_all_if(xend_t)
 corenet_tcp_sendrecv_all_nodes(xend_t)
 corenet_tcp_sendrecv_all_ports(xend_t)
+corenet_tcp_bind_all_nodes(xend_t)
 corenet_tcp_bind_xen_port(xend_t)
 corenet_tcp_bind_soundd_port(xend_t)
 corenet_sendrecv_xen_server_packets(xend_t)
@@ -133,6 +142,8 @@ domain_dontaudit_read_all_domains_state(xend_t)
 files_read_etc_files(xend_t)
 files_read_kernel_symbol_table(xend_t)
 files_read_kernel_img(xend_t)
+files_manage_etc_runtime_files(xend_t)
+files_etc_filetrans_etc_runtime(xend_t,file)
 storage_raw_read_fixed_disk(xend_t)
@@ -244,11 +255,16 @@ xen_append_log(xenstored_t)
 # xm local policy
 #
-allow xm_t self:capability dac_override;
+allow xm_t self:capability { dac_override ipc_lock };
 # internal communication is often done using fifo and unix sockets.
 allow xm_t self:fifo_file { read write };
 allow xm_t self:unix_stream_socket create_stream_socket_perms;
+allow xm_t xend_var_lib_t:dir rw_dir_perms;
+allow xm_t xend_var_lib_t:fifo_file create_file_perms;
+allow xm_t xend_var_lib_t:file create_file_perms;
+files_search_var_lib(xm_t)
+
 kernel_read_system_state(xm_t)
 kernel_read_kernel_sysctls(xm_t)
 kernel_read_xen_state(xm_t)
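Review bot: `files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })` drops `sock_file` from the transition while `allow xend_t xend_var_lib_t:sock_file create_file_perms;` stays, and `fifo_file` is added to the allow rules but not to the transition. If xend only creates sockets and fifos inside a directory that is already `xend_var_lib_t` the transition is irrelevant and the narrowing is harmless; if it creates any directly under `/var/lib`, they now get `var_lib_t` and the matching create rules never apply — confirm which, and either restore `sock_file` (adding `fifo_file` alongside it) or comment why they are excluded.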
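Review bot: `files_manage_etc_runtime_files(xend_t)` grants create, write and unlink over every `etc_runtime_t` file (`/etc/mtab` and `/etc/resolv.conf` are the usual members), far more than a daemon normally needs, and nothing records which file xend writes. If it is a single file, a comment naming it and a read/write interface instead of manage would bound the access; as written, a compromised xend could rewrite runtime configuration that every other domain reads. The companion `files_etc_filetrans_etc_runtime(xend_t,file)` is the right shape but inherits the same question.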
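Review bot: `ipc_lock` is added to xm_t's capabilities with no comment on what needs it (locking guest memory during domain creation is the likely reason, but that is a guess); capability grants in this tree normally carry a `# ipc_lock: ...` note, and this one should too. The new `xend_var_lib_t` rules also give xm_t full create/write on files and fifos there, overlapping what xend_t itself owns; if xm only needs the fifo channel to xend, `rw_file_perms` on `fifo_file` plus `search_dir_perms` on the directory would be the tighter grant.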
@@ -259,11 +275,16 @@ corecmd_exec_sbin(xm_t)
 dev_read_urand(xm_t)
+files_read_etc_runtime_files(xm_t)
+files_read_usr_files(xm_t)
+files_list_mnt(xm_t)
 # Some common macros (you might be able to remove some)
 files_read_etc_files(xm_t)
 term_use_all_terms(xm_t)
+init_rw_script_stream_sockets(xm_t)
+
 libs_use_ld_so(xm_t)
 libs_use_shared_libs(xm_t)