From 955019421b821fbf2c8adf543888b69110341c15 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Feb 06 2006 22:47:46 +0000 Subject: patch from dan Wed, 01 Feb 2006 08:33:30 -0500 --- diff --git a/refpolicy/policy/modules/admin/anaconda.te b/refpolicy/policy/modules/admin/anaconda.te index 857b6af..0e963bb 100644 --- a/refpolicy/policy/modules/admin/anaconda.te +++ b/refpolicy/policy/modules/admin/anaconda.te @@ -25,7 +25,7 @@ logging_send_syslog_msg(anaconda_t) modutils_domtrans_insmod(anaconda_t) -unconfined_domain_template(anaconda_t) +unconfined_domain(anaconda_t) ifdef(`distro_redhat',` bootloader_create_runtime_file(anaconda_t) diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te index 7de27d0..07a9e16 100644 --- a/refpolicy/policy/modules/admin/firstboot.te +++ b/refpolicy/policy/modules/admin/firstboot.te @@ -43,7 +43,7 @@ allow firstboot_t firstboot_rw_t:file create_file_perms; files_filetrans_etc(firstboot_t,firstboot_rw_t,file) # The big hammer -unconfined_domain_template(firstboot_t) +unconfined_domain(firstboot_t) kernel_read_system_state(firstboot_t) kernel_read_kernel_sysctls(firstboot_t) diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index ff0a942..d04e231 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te @@ -132,7 +132,7 @@ ifdef(`targeted_policy',` # make more sense here. also, require # blocks curently do not work in the # else block of optionals - unconfined_domain_template(kudzu_t) + unconfined_domain(kudzu_t) ') optional_policy(`gpm',` diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 8bc61c8..2f4b613 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te 
@@ -132,7 +132,7 @@ ifdef(`distro_debian', ` ') ifdef(`targeted_policy',` - unconfined_domain_template(logrotate_t) + unconfined_domain(logrotate_t) ') optional_policy(`acct',` diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 2052c11..1a22159 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -174,11 +174,11 @@ sysnet_read_config(rpm_t) userdom_use_unpriv_users_fd(rpm_t) ifdef(`distro_redhat',` - unconfined_domain_template(rpm_t) + unconfined_domain(rpm_t) ') ifdef(`targeted_policy',` - unconfined_domain_template(rpm_t) + unconfined_domain(rpm_t) ',` # cjp: these are here to stop type_transition # conflicts since rpm_t is an alias of @@ -330,11 +330,11 @@ seutil_domtrans_restorecon(rpm_script_t) userdom_use_all_users_fd(rpm_script_t) ifdef(`distro_redhat',` - unconfined_domain_template(rpm_script_t) + unconfined_domain(rpm_script_t) ') ifdef(`targeted_policy',` - unconfined_domain_template(rpm_script_t) + unconfined_domain(rpm_script_t) ',` optional_policy(`bootloader',` bootloader_domtrans(rpm_script_t) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 3c3ade8..4b9339b 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.2.0) +policy_module(usermanage,1.2.1) ######################################## # @@ -293,6 +293,9 @@ dev_read_urand(passwd_t) fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) +mls_file_write_down(passwd_t) +mls_file_downgrade(passwd_t) + selinux_get_fs_mount(passwd_t) selinux_validate_context(passwd_t) selinux_compute_access_vector(passwd_t) diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te index a0a06c9..a5a247b 100644 --- a/refpolicy/policy/modules/apps/mono.te +++ b/refpolicy/policy/modules/apps/mono.te 
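Review bot: The two calls added to the passwd_t section of usermanage.te, `mls_file_write_down(passwd_t)` and `mls_file_downgrade(passwd_t)`, hand passwd MLS override privileges with no explanation in the policy or in the commit message. Judging by the interface names (their definitions are not in this diff), both let the domain push data to a lower sensitivity level, so the reason should be recorded next to them, e.g. `# TODO confirm: passwd updates <file> at a lower level than the calling session`. If only one of the two is needed for that case, drop the other.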
@@ -1,5 +1,5 @@ -policy_module(mono,1.0.1) +policy_module(mono,1.0.2) ######################################## # @@ -19,7 +19,6 @@ domain_entry_file(mono_t,mono_exec_t) ifdef(`targeted_policy',` allow mono_t self:process { execheap execmem }; - unconfined_domain_template(mono_t) + unconfined_domain_noaudit(mono_t) role system_r types mono_t; ') - diff --git a/refpolicy/policy/modules/apps/wine.te b/refpolicy/policy/modules/apps/wine.te index c400c8d..3eec024 100644 --- a/refpolicy/policy/modules/apps/wine.te +++ b/refpolicy/policy/modules/apps/wine.te @@ -1,5 +1,5 @@ -policy_module(wine,1.0.0) +policy_module(wine,1.0.1) ######################################## # @@ -19,7 +19,7 @@ domain_entry_file(wine_t,wine_exec_t) ifdef(`targeted_policy',` allow wine_t self:process { execstack execmem }; - unconfined_domain_template(wine_t) + unconfined_domain_noaudit(wine_t) role system_r types wine_t; allow wine_t file_type:file execmod; ') diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 5d45d7a..d4673ac 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -93,7 +93,7 @@ interface(`bootloader_search_boot',` type boot_t; ') - allow $1 boot_t:dir search; + allow $1 boot_t:dir search_dir_perms; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index 08f7bdf..362ee03 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if 
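Review bot: Switching mono_t to `unconfined_domain_noaudit(mono_t)` removes the auditallow records the old template emitted for execheap/execmem, while the unconditional `allow mono_t self:process { execheap execmem };` one line above stays in place. The wine.te hunk does the same for wine_t (`execstack execmem`). If the intent is to silence expected noise from runtime code generation, say so at both call sites, e.g. `# executable memory is expected in this domain; not audited on purpose`, so a later reader does not take the missing audit trail for an oversight.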
@@ -549,16 +549,16 @@ interface(`domain_dontaudit_getattr_all_domains',` # interface(`domain_read_confined_domains_state',` gen_require(` - attribute domain, unconfined_domain; + attribute domain, unconfined_domain_type; ') kernel_search_proc($1) - allow $1 { domain -unconfined_domain }:dir r_dir_perms; - allow $1 { domain -unconfined_domain }:lnk_file r_file_perms; - allow $1 { domain -unconfined_domain }:file r_file_perms; + allow $1 { domain -unconfined_domain_type }:dir r_dir_perms; + allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms; + allow $1 { domain -unconfined_domain_type }:file r_file_perms; - dontaudit $1 unconfined_domain:dir search; - dontaudit $1 unconfined_domain:file { getattr read }; + dontaudit $1 unconfined_domain_type:dir search; + dontaudit $1 unconfined_domain_type:file { getattr read }; ') ######################################## @@ -571,10 +571,10 @@ interface(`domain_read_confined_domains_state',` # interface(`domain_getattr_confined_domains',` gen_require(` - attribute domain, unconfined_domain; + attribute domain, unconfined_domain_type; ') - allow $1 { domain -unconfined_domain }:process getattr; + allow $1 { domain -unconfined_domain_type }:process getattr; ') ######################################## @@ -640,10 +640,10 @@ interface(`domain_dontaudit_ptrace_all_domains',` # interface(`domain_dontaudit_ptrace_confined_domains',` gen_require(` - attribute domain, unconfined_domain; + attribute domain, unconfined_domain_type; ') - dontaudit $1 { domain -unconfined_domain }:process ptrace; + dontaudit $1 { domain -unconfined_domain_type }:process ptrace; ') ######################################## 
@@ -1070,10 +1070,10 @@ interface(`domain_unconfined',` attribute can_change_process_identity; attribute can_change_process_role; attribute can_change_object_identity; - attribute unconfined_domain; + attribute unconfined_domain_type; ') - typeattribute $1 unconfined_domain; + typeattribute $1 unconfined_domain_type; # pass all constraints typeattribute $1 can_change_process_identity; diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te index b56c933..6fad4cb 100644 --- a/refpolicy/policy/modules/kernel/domain.te +++ b/refpolicy/policy/modules/kernel/domain.te @@ -13,7 +13,7 @@ attribute domain; neverallow domain ~domain:process { transition dyntransition }; # Domains that are unconfined -attribute unconfined_domain; +attribute unconfined_domain_type; # Domains that can set their current context # (perform dynamic transitions) diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index fe21fa6..988b22e 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -149,7 +149,7 @@ interface(`fs_unmount_xattr_fs',` type fs_t; ') - allow $1 fs_t:filesystem mount; + allow $1 fs_t:filesystem unmount; ') ######################################## @@ -289,7 +289,7 @@ interface(`fs_unmount_autofs',` type autofs_t; ') - allow $1 autofs_t:filesystem mount; + allow $1 autofs_t:filesystem unmount; ') ######################################## @@ -856,7 +856,7 @@ interface(`fs_unmount_dos_fs',` type dosfs_t; ') - allow $1 dosfs_t:filesystem mount; + allow $1 dosfs_t:filesystem unmount; ') ######################################## @@ -976,7 +976,7 @@ interface(`fs_unmount_iso9660_fs',` type iso9660_t; ') - allow $1 iso9660_t:filesystem mount; + allow $1 iso9660_t:filesystem unmount; ') ######################################## 
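Review bot: Callers of the corrected fs_unmount_* interfaces held `filesystem mount` instead of `unmount` until now, and no caller is visibly adjusted in this commit. This covers xattr_fs, autofs, dos_fs and iso9660_fs in these hunks, and nfs, nfsd_fs, ramfs, romfs, rpc_pipefs and tmpfs in the ones that follow. Any domain that depended on the accidental mount permission will start getting denials, and any domain that only called the unmount interface never actually had unmount, so each caller should be checked for a matching fs_mount_* call where it needs one. It is also worth checking the fs_unmount_* interfaces that are not part of this diff for the same copy-paste error.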
@@ -1043,7 +1043,7 @@ interface(`fs_unmount_nfs',` type nfs_t; ') - allow $1 nfs_t:filesystem mount; + allow $1 nfs_t:filesystem unmount; ') ######################################## @@ -1608,7 +1608,7 @@ interface(`fs_unmount_nfsd_fs',` type nfsd_fs_t; ') - allow $1 nfsd_fs_t:filesystem mount; + allow $1 nfsd_fs_t:filesystem unmount; ') ######################################## @@ -1709,7 +1709,7 @@ interface(`fs_unmount_ramfs',` type ramfs_t; ') - allow $1 ramfs_t:filesystem mount; + allow $1 ramfs_t:filesystem unmount; ') ######################################## @@ -1855,7 +1855,7 @@ interface(`fs_unmount_romfs',` type romfs_t; ') - allow $1 romfs_t:filesystem mount; + allow $1 romfs_t:filesystem unmount; ') ######################################## @@ -1922,7 +1922,7 @@ interface(`fs_unmount_rpc_pipefs',` type rpc_pipefs_t; ') - allow $1 rpc_pipefs_t:filesystem mount; + allow $1 rpc_pipefs_t:filesystem unmount; ') ######################################## @@ -1988,7 +1988,7 @@ interface(`fs_unmount_tmpfs',` type tmpfs_t; ') - allow $1 tmpfs_t:filesystem mount; + allow $1 tmpfs_t:filesystem unmount; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 7cfcf64..dd185a6 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.2.0) +policy_module(filesystem,1.2.1) ######################################## # @@ -134,6 +134,7 @@ genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) # type dosfs_t, noxattrfs; fs_type(dosfs_t) +allow dosfs_t fs_t:filesystem associate; genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 340772e..f231a73 100644 
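Review bot: The added `allow dosfs_t fs_t:filesystem associate;` in filesystem.te has no comment and is the only explicit associate rule visible in this hunk, directly after `fs_type(dosfs_t)`. As written it lets objects labeled dosfs_t live on a filesystem labeled fs_t, the type that fs_unmount_xattr_fs in filesystem.if operates on. Please record which situation needs this, e.g. `# TODO confirm: <case where a dosfs_t file sits on an fs_t filesystem>`. If it works around a mislabeled mount, fixing the label at the genfscon or mount-context level may be the narrower answer.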
--- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -233,7 +233,7 @@ mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) ifdef(`targeted_policy',` - unconfined_domain_template(kernel_t) + unconfined_domain(kernel_t) ') tunable_policy(`read_default_t',` diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index f6583d1..0b66165 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -1,5 +1,5 @@ -policy_module(mls,1.2.0) +policy_module(mls,1.2.1) ######################################## # @@ -64,6 +64,7 @@ type init_exec_t; type initrc_t; type initrc_exec_t; type login_exec_t; +type lvm_exec_t; type sshd_exec_t; type su_exec_t; type udev_exec_t; @@ -86,7 +87,7 @@ range_transition unconfined_t initrc_exec_t s0; ') ifdef(`enable_mls',` -# run init with maximum MLS range -range_transition kernel_t init_exec_t s0 - s15:c0.c255; range_transition initrc_t auditd_exec_t s15:c0.c255; +range_transition kernel_t init_exec_t s0 - s15:c0.c255; +range_transition kernel_t lvm_exec_t s0 - s15:c0.c255; ') diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc index c856938..5765eb2 100644 --- a/refpolicy/policy/modules/services/apache.fc +++ b/refpolicy/policy/modules/services/apache.fc @@ -7,7 +7,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) 
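Review bot: The mls.te hunk at -86 deletes the comment `# run init with maximum MLS range` while adding a second full-range transition for `lvm_exec_t`, so neither kernel_t transition is explained any more. A transition to `s0 - s15:c0.c255` is a wide grant and should stay documented. Restore the init comment above its line and add one for the new rule, e.g. `# run lvm with maximum MLS range when started from kernel_t`.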
@@ -28,19 +28,21 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') -/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) +/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -59,7 +61,7 @@ ifdef(`distro_debian', ` /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) 
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 94edaf0..6b13f64 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -611,6 +611,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpd_suexec_t:process sigchld; ') +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) +') + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) @@ -688,7 +692,7 @@ optional_policy(`mysql',` # Apache unconfined script local policy # -unconfined_domain_template(httpd_unconfined_script_t) +unconfined_domain(httpd_unconfined_script_t) optional_policy(`cron',` cron_system_entry(httpd_t, httpd_exec_t) diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index 419d0bd..0e2ba7f 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -183,7 +183,7 @@ ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(apmd_t) term_dontaudit_use_generic_ptys(apmd_t) files_dontaudit_read_root_files(apmd_t) - unconfined_domain_template(apmd_t) + unconfined_domain(apmd_t) ') optional_policy(`automount',` diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index 35ac42c..9ceb565 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.1.0) +policy_module(automount,1.1.1) ######################################## # 
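Review bot: The new tunable block at +614 makes every file carrying the `httpdcontent` attribute an automatic transition point from `httpd_suexec_t` into `httpd_sys_script_t`, and nothing explains why `httpd_builtin_scripting` is part of the condition for a suexec transition. With httpd_unified the content types are presumably treated as interchangeable, so this may include content the web server itself can write. A comment should state the intent, e.g. `# unified content: suexec runs any httpd content as a system script`. If only executable script types are meant, naming those types instead of the attribute would be narrower.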
@@ -63,7 +63,7 @@ kernel_read_proc_symlinks(automount_t) kernel_read_system_state(automount_t) kernel_list_proc(automount_t) -bootloader_getattr_boot_dirs(automount_t) +bootloader_search_boot(automount_t) corecmd_exec_sbin(automount_t) corecmd_exec_bin(automount_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 75a112d..773a27b 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -151,7 +151,7 @@ ifdef(`targeted_policy',` allow crond_t system_crond_tmp_t:fifo_file create_file_perms; files_filetrans_tmp(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file }) - unconfined_domain_template(crond_t) + unconfined_domain(crond_t) # cjp: fix this to generic_user interfaces userdom_manage_user_home_subdirs(user,crond_t) diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 9f05ae3..96ddc5b 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.2.2) +policy_module(hal,1.2.3) ######################################## # @@ -50,7 +50,7 @@ kernel_read_kernel_sysctls(hald_t) kernel_read_fs_sysctls(hald_t) kernel_write_proc_files(hald_t) -bootloader_getattr_boot_dirs(hald_t) +bootloader_search_boot(hald_t) corecmd_exec_bin(hald_t) corecmd_exec_sbin(hald_t) diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 4527f04..883e913 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -149,7 +149,7 @@ optional_policy(`udev',` ') ifdef(`targeted_policy',` - unconfined_domain_template(inetd_t) + unconfined_domain(inetd_t) ',` optional_policy(`unconfined',` unconfined_domtrans(inetd_t) diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te index 683c658..5bd6bb8 100644 
--- a/refpolicy/policy/modules/services/irqbalance.te +++ b/refpolicy/policy/modules/services/irqbalance.te @@ -31,6 +31,9 @@ kernel_rw_irq_sysctls(irqbalance_t) dev_read_sysfs(irqbalance_t) +files_read_etc_files(irqbalance_t) +files_read_etc_runtime_files(irqbalance_t) + fs_getattr_all_fs(irqbalance_t) fs_search_auto_mountpoints(irqbalance_t) diff --git a/refpolicy/policy/modules/services/networkmanager.fc b/refpolicy/policy/modules/services/networkmanager.fc index c9ca8fc..4a08a63 100644 --- a/refpolicy/policy/modules/services/networkmanager.fc +++ b/refpolicy/policy/modules/services/networkmanager.fc @@ -1,2 +1,4 @@ -/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/var/run/NetworkManager.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index bd00b52..0bb456d 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.2.0) +policy_module(networkmanager,1.2.1) ######################################## # 
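Review bot: In the added networkmanager.fc entry `/var/run/NetworkManager.pid` the dot is an unescaped regex metacharacter, so the pattern matches any character in that position. Other entries in this policy escape it (`/var/cache/ssl.*\.sem` in apache.fc), so the path should read `/var/run/NetworkManager\.pid`. Separately, labeling `/var/run/wpa_supplicant(/.*)?` as `NetworkManager_var_run_t` gives wpa_supplicant's runtime directory to the NetworkManager type; please confirm that no other domain needs to create or use files there under its own type.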
@@ -24,7 +24,7 @@ allow NetworkManager_t self:process { setcap getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_file_perms; allow NetworkManager_t self:unix_dgram_socket create_socket_perms; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms; +allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te index 514119f..7e38643 100644 --- a/refpolicy/policy/modules/services/procmail.te +++ b/refpolicy/policy/modules/services/procmail.te @@ -1,5 +1,5 @@ -policy_module(procmail,1.1.2) +policy_module(procmail,1.1.3) ######################################## # @@ -96,6 +96,7 @@ optional_policy(`postfix',` optional_policy(`sendmail',` mta_read_config(procmail_t) sendmail_rw_tcp_sockets(procmail_t) + sendmail_rw_unix_stream_sockets(procmail_t) ') optional_policy(`spamassassin',` diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 95bd519..10927ee 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -130,7 +130,7 @@ userdom_spec_domtrans_unpriv_users(remote_login_t) mta_getattr_spool(remote_login_t) ifdef(`targeted_policy',` - unconfined_domain_template(remote_login_t) + unconfined_domain(remote_login_t) unconfined_shell_domtrans(remote_login_t) ') diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te index df3c4cd..6069c54 100644 --- a/refpolicy/policy/modules/services/rshd.te +++ b/refpolicy/policy/modules/services/rshd.te 
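Review bot: Replacing `r_netlink_socket_perms` with `create_netlink_socket_perms` on `netlink_route_socket` moves NetworkManager_t from a read-only routing socket to the full permission set. As far as I recall that set includes `nlmsg_write`, i.e. the ability to change routes and addresses. That is probably what the daemon needs, but it is the security-relevant line of this hunk and deserves a comment such as `# NetworkManager configures interfaces and routes, needs netlink write`.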
@@ -68,7 +68,7 @@ sysnet_read_config(rshd_t) userdom_search_all_users_home(rshd_t) ifdef(`targeted_policy',` - unconfined_domain_template(rshd_t) + unconfined_domain(rshd_t) unconfined_shell_domtrans(rshd_t) ') diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if index be06290..eaf7e9b 100644 --- a/refpolicy/policy/modules/services/samba.if +++ b/refpolicy/policy/modules/services/samba.if @@ -26,6 +26,10 @@ ## # template(`samba_per_userdomain_template',` + gen_require(` + type smbd_t; + ') + tunable_policy(`samba_enable_home_dirs',` userdom_manage_user_home_subdir_files($1,smbd_t) userdom_manage_user_home_subdir_symlinks($1,smbd_t) diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if index c5e4bc1..bee09bd 100644 --- a/refpolicy/policy/modules/services/sendmail.if +++ b/refpolicy/policy/modules/services/sendmail.if @@ -52,6 +52,21 @@ interface(`sendmail_rw_tcp_sockets',` allow $1 sendmail_t:tcp_socket { read write }; ') +######################################## +## +## Read and write sendmail unix_stream_sockets. +## +## +## Domain allowed access. +## +# +interface(`sendmail_rw_unix_stream_sockets',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:unix_stream_socket { read write }; +') ######################################## ## diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index ec350f6..04c215c 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -102,7 +102,7 @@ mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) ifdef(`targeted_policy',` - unconfined_domain_template(sendmail_t) + unconfined_domain(sendmail_t) term_dontaudit_use_unallocated_ttys(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) files_dontaudit_read_root_files(sendmail_t) 
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te index 8150fe1..6bdea17 100644 --- a/refpolicy/policy/modules/services/spamassassin.te +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.2.0) +policy_module(spamassassin,1.2.1) ######################################## # @@ -111,6 +111,7 @@ logging_send_syslog_msg(spamd_t) miscfiles_read_localization(spamd_t) sysnet_read_config(spamd_t) +sysnet_use_ldap(spamd_t) userdom_use_unpriv_users_fd(spamd_t) userdom_search_unpriv_user_home_dirs(spamd_t) diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc index 320ce64..5c1ffe8 100644 --- a/refpolicy/policy/modules/services/xserver.fc +++ b/refpolicy/policy/modules/services/xserver.fc @@ -1,7 +1,7 @@ # # HOME_DIR # -ifdef(`strict',` +ifdef(`strict_policy',` HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) @@ -51,6 +51,9 @@ ifdef(`strict_policy',` /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) +/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) 
@@ -64,7 +67,6 @@ ifdef(`strict_policy',` /usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0) - /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if index 0696a34..1b12d7d 100644 --- a/refpolicy/policy/modules/services/xserver.if +++ b/refpolicy/policy/modules/services/xserver.if @@ -486,6 +486,27 @@ interface(`xserver_read_xdm_pid',` ######################################## ## +## Execute the X server in the XDM X server domain. +## +## +## Domain allowed access. +## +# +interface(`xserver_domtrans_xdm_xserver',` + gen_require(` + type xdm_xserver_t, xserver_exec_t; + ') + + domain_auto_trans($1,xserver_exec_t,xdm_xserver_t) + + allow $1 xdm_xserver_t:fd use; + allow xdm_xserver_t $1:fd use; + allow xdm_xserver_t $1:fifo_file rw_file_perms; + allow xdm_xserver_t $1:process sigchld; +') + +######################################## +## ## Make an X session script an entrypoint for the specified domain. ## ## diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te index e1b5cff..61f38f0 100644 --- a/refpolicy/policy/modules/services/xserver.te +++ b/refpolicy/policy/modules/services/xserver.te @@ -57,10 +57,8 @@ files_type(xsession_exec_t) type xserver_log_t; logging_log_file(xserver_log_t) -ifdef(`strict_policy',` - xserver_common_domain_template(xdm) - init_system_domain(xdm_xserver_t,xserver_exec_t) -') +xserver_common_domain_template(xdm) +init_system_domain(xdm_xserver_t,xserver_exec_t) optional_policy(`prelink',` prelink_object_file(xkb_var_lib_t) 
@@ -300,7 +298,7 @@ ifdef(`strict_policy',` ifdef(`targeted_policy',` allow xdm_t self:process { execheap execmem }; - unconfined_domain_template(xdm_t) + unconfined_domain(xdm_t) unconfined_domtrans(xdm_t) ') @@ -425,6 +423,13 @@ ifdef(`strict_policy',` ') dnl end TODO ') +ifdef(`targeted_policy',` + allow xdm_xserver_t self:process { execheap execmem }; + + unconfined_domain(xdm_xserver_t) + unconfined_domtrans(xdm_xserver_t) +') + ifdef(`TODO',` # cjp: TODO: integrate strict policy: # init script wants to check if it needs to update windowmanagerlist diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index c3f68b9..6a6a1fb 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -169,7 +169,7 @@ ifdef(`distro_redhat',` ') ifdef(`targeted_policy',` - unconfined_domain_template(init_t) + unconfined_domain(init_t) ') optional_policy(`authlogin',` @@ -456,7 +456,7 @@ ifdef(`distro_redhat',` ifdef(`targeted_policy',` domain_subj_id_change_exemption(initrc_t) - unconfined_domain_template(initrc_t) + unconfined_domain(initrc_t) ',` # cjp: require doesnt work in optionals :\ # this also would result in a type transition diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 9cc4ce7..79c490c 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -88,7 +88,7 @@ ifdef(`hide_broken_symptoms',` ifdef(`targeted_policy',` allow ldconfig_t lib_t:file r_file_perms; - unconfined_domain_template(ldconfig_t) + unconfined_domain(ldconfig_t) ') optional_policy(`apache',` diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 852815d..56dcfa2 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te 
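Review bot: The new targeted_policy block at +426 grants `allow xdm_xserver_t self:process { execheap execmem };` unconditionally, so the allow_execheap and allow_execmem tunables no longer gate executable memory for the X server. The auditallow rules that `unconfined_domain` adds (unconfined.if in this commit) sit inside those tunables and therefore only fire while they are on. The xdm_t block in the hunk at -300 already has the same pattern. If the X server really needs both permissions, keep the rule and add a comment, e.g. `# TODO confirm: why xdm_xserver_t needs execheap/execmem independent of the booleans`; otherwise drop the explicit allow and rely on the tunables.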
@@ -171,7 +171,7 @@ userdom_sigchld_all_users(local_login_t) mta_getattr_spool(local_login_t) ifdef(`targeted_policy',` - unconfined_domain_template(local_login_t) + unconfined_domain(local_login_t) unconfined_shell_domtrans(local_login_t) ') diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 33c10a8..0d7651c 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -14,7 +14,11 @@ type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) type lvm_t; -type lvm_exec_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type lvm_exec_t; +') init_system_domain(lvm_t,lvm_exec_t) # needs privowner because it assigns the identity system_u to device nodes # but runs as the identity of the sysadmin diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 3599408..4313886 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -124,7 +124,7 @@ ifdef(`hide_broken_symptoms',` ') ifdef(`targeted_policy',` - unconfined_domain_template(insmod_t) + unconfined_domain(insmod_t) ') optional_policy(`hotplug',` diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index fae04ad..6805508 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -163,7 +163,7 @@ ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(udev_t) term_dontaudit_use_generic_ptys(udev_t) - unconfined_domain_template(udev_t) + unconfined_domain(udev_t) ') optional_policy(`authlogin',` diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index d7b46c0..bd69ec1 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if 
@@ -2,13 +2,13 @@ ######################################## ## -## A template to make the specified domain unconfined. +## Make the specified domain unconfined. ## ## ## Domain to make unconfined. ## # -template(`unconfined_domain_template',` +interface(`unconfined_domain_noaudit',` gen_require(` class dbus all_dbus_perms; class nscd all_nscd_perms; @@ -41,14 +41,12 @@ template(`unconfined_domain_template',` tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; - auditallow $1 self:process execheap; ') tunable_policy(`allow_execmem',` # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; - auditallow $1 self:process execmem; ') tunable_policy(`allow_execmem && allow_execstack',` @@ -103,6 +101,28 @@ template(`unconfined_domain_template',` ######################################## ## +## Make the specified domain unconfined and +## audit executable memory and executable heap +## usage. +## +## +## Domain to make unconfined. +## +# +interface(`unconfined_domain',` + unconfined_domain_noaudit($1) + + tunable_policy(`allow_execheap',` + auditallow $1 self:process execheap; + ') + + tunable_policy(`allow_execmem',` + auditallow $1 self:process execmem; + ') +') + +######################################## +## ## Transition to the unconfined domain. ## ## diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 0ca10fc..b091fac 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.2.2) +policy_module(unconfined,1.2.3) ######################################## # @@ -20,7 +20,7 @@ role system_r types unconfined_t; # Local policy # -unconfined_domain_template(unconfined_t) +unconfined_domain(unconfined_t) logging_send_syslog_msg(unconfined_t) 
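Review bot: The summary kept for the renamed `unconfined_domain_noaudit` reads "Make the specified domain unconfined." and does not say how it differs from `unconfined_domain`; only the other interface's header mentions auditing. Since the choice between the two decides whether execheap/execmem use leaves an audit record, the header should say so, e.g. `## Make the specified domain unconfined, without auditing executable memory or executable heap usage.` In the second hunk, the context comment on the execheap rule says it allows "making the stack executable via mprotect"; that describes execstack rather than execheap and is worth correcting while these lines are being edited.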
@@ -148,4 +148,8 @@ ifdef(`targeted_policy',`
 optional_policy(`wine',`
 wine_domtrans(unconfined_t)
 ')
+
+ optional_policy(`xserver',`
+ xserver_domtrans_xdm_xserver(unconfined_t)
+ ')
 ')
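Review bot: The added `xserver_domtrans_xdm_xserver(unconfined_t)` has no comment, and in targeted policy the destination xdm_xserver_t is itself made unconfined by this commit (xserver.te), so the transition changes the process label without adding confinement. State the purpose at the call, e.g. `# TODO confirm: run the X server under its own label so its execheap/execmem exception stays off unconfined_t`. The enclosing ifdef for targeted_policy starts before this hunk.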