diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 8c7ae70..c03493e 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -45,6 +45,10 @@ gen_tunable(run_ssh_inetd,false)
## user domains.
gen_bool(secure_mode,false)
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+gen_tunable(squid_connect_any,false)
+
## Allow ssh logins as sysadm_r:sysadm_t
gen_tunable(ssh_sysadm_login,false)
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index eefeb83..7dc2c5f 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -6,7 +6,7 @@ policy_module(consoletype, 1.0)
# Declarations
#
-type consoletype_t;
+type consoletype_t; #, mlsfileread, mlsfilewrite
type consoletype_exec_t;
init_domain(consoletype_t,consoletype_exec_t)
init_system_domain(consoletype_t,consoletype_exec_t)
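Review bot: The `#, mlsfileread, mlsfilewrite` appended to the `type consoletype_t;` line is commented-out code with nothing saying whether the MLS attributes are planned, blocked, or rejected, so the next maintainer cannot tell whether to enable or delete them. The same trailing-comment pattern is added in this commit to ptmx_t (terminal.te), privoxy_t (`# web_client_domain`, privoxy.te), `$1_t` in ssh_server_template (ssh.if), pam_console_t (authlogin.te), home_root_t/root_t/tmp_t (`#, polyparent` / `#, polydir`, files.te), init_t/initctl_t/initrc_t (init.te) and devlog_t/klogd_t (logging.te). Either drop the fragments or make the intent explicit on one line, e.g. `type consoletype_t; # TODO(mls): add mlsfileread, mlsfilewrite — <reason it is deferred>`.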
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 8674b74..d2a0172 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -53,6 +53,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_bind_all_nodes(netutils_t)
corenet_udp_bind_all_nodes(netutils_t)
+corenet_tcp_connect_all_ports(netutils_t)
fs_getattr_xattr_fs(netutils_t)
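Review bot: `corenet_tcp_connect_all_ports(netutils_t)` grants outbound TCP connects to every labeled port with no comment saying which utility in the domain needs it, so the grant can never be narrowed later. The same blanket grant is added in this commit to nscd_t (nscd.te), portmap_t and portmap_helper_t (portmap.te), `$1_t` in ssh_server_template (ssh.if) and initrc_t (init.te); for nscd and portmap the peers are a small known set, so port-specific `corenet_tcp_connect_*_port` interfaces would fit better. The squid.te change in this same commit shows the preferred shape: specific connect rules by default, with the all-ports grant behind the `squid_connect_any` tunable. At minimum add a why-comment, e.g. `# <utility> connects to arbitrary TCP ports`, above each all-ports grant.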
diff --git a/refpolicy/policy/modules/admin/usermanage.fc b/refpolicy/policy/modules/admin/usermanage.fc
index b27c4f8..6afac6e 100644
--- a/refpolicy/policy/modules/admin/usermanage.fc
+++ b/refpolicy/policy/modules/admin/usermanage.fc
@@ -10,6 +10,7 @@
/usr/lib(64)?/cracklib_dict.* -- context_template(system_u:object_r:crack_db_t,s0)
/usr/sbin/crack_[a-z]* -- context_template(system_u:object_r:crack_exec_t,s0)
+/usr/sbin/cracklib-[a-z]* -- context_template(system_u:object_r:crack_exec_t,s0)
/usr/sbin/gpasswd -- context_template(system_u:object_r:groupadd_exec_t,s0)
/usr/sbin/groupadd -- context_template(system_u:object_r:groupadd_exec_t,s0)
/usr/sbin/groupdel -- context_template(system_u:object_r:groupadd_exec_t,s0)
@@ -24,4 +25,6 @@
/usr/sbin/vigr -- context_template(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/vipw -- context_template(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/share/cracklib(/.*)? context_template(system_u:object_r:crack_db_t,s0)
+
/var/cache/cracklib(/.*)? context_template(system_u:object_r:crack_db_t,s0)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 72a6365..8f6ed38 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -288,6 +288,7 @@ allow passwd_t self:unix_dgram_socket create_socket_perms;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
allow passwd_t self:unix_stream_socket connectto;
+allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
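Review bot: The new `allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` has no comment explaining why a password-changing tool needs to relay messages over the audit netlink socket; presumably PAM emits audit records on password change, but that should be stated rather than inferred. A comment such as `# PAM emits audit records for password changes over the audit netlink socket` would make the grant reviewable. If the logging module already provides an interface for sending audit messages, prefer it over the raw allow so the permission set stays consistent across domains.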
diff --git a/refpolicy/policy/modules/apps/gpg.fc b/refpolicy/policy/modules/apps/gpg.fc
index 03d0676..bc435de 100644
--- a/refpolicy/policy/modules/apps/gpg.fc
+++ b/refpolicy/policy/modules/apps/gpg.fc
@@ -1,9 +1,10 @@
-/usr/bin/gpg -- context_template(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg(2)? -- context_template(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- context_template(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/kgpg -- context_template(system_u:object_r:gpg_exec_t,s0)
/usr/bin/pinentry.* -- context_template(system_u:object_r:pinentry_exec_t,s0)
+/usr/lib/gnupg/.* -- context_template(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- context_template(system_u:object_r:gpg_helper_exec_t,s0)
HOME_DIR/\.gnupg(/.+)? context_template(system_u:object_r:ROLE_gpg_secret_t,s0)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 582e9d9..c1e59f0 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -36,9 +36,21 @@ sid port context_template(system_u:object_r:port_t,s0)
#
type reserved_port_t, port_type, reserved_port_type;
+network_port(afs_bos, udp,7007,s0)
+network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
+network_port(afs_ka, udp,7004,s0)
+network_port(afs_pt, udp,7002,s0)
+network_port(afs_vl, udp,7003,s0)
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+network_port(amavisd_recv, tcp,10024,s0)
+network_port(amavisd_send, tcp,10025,s0)
+network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
dnl network_port(biff) # no defined portcon in current strict
+network_port(clamd, tcp,3310,s0)
+network_port(clockspeed, udp,4041,s0)
+network_port(cvs, tcp,2401,s0, udp,2401,s0)
+network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dhcpc, udp,68,s0)
network_port(dhcpd, udp,67,s0)
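Review bot: `network_port(dcc, …)` is inserted before `network_port(dbskkd, …)` although this list is kept alphabetical and `dbskkd` sorts before `dcc`. The second hunk of this file has the same problem: `soundd` is placed after `ssh` (and after `spamd`). Strict ordering matters here because duplicate or conflicting port declarations in this file are only caught by eye.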
@@ -47,43 +59,64 @@ network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0)
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0)
-network_port(http, tcp,80,s0, tcp,443,s0)
+network_port(giftd, tcp,1213,s0)
+network_port(gopher, tcp,70,s0, udp,70,s0)
+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
+network_port(hplip, tcp,50000,s0, tcp,50002,s0)
dnl network_port(i18n_input) # no defined portcon in current strict
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
+network_port(imaze, tcp,5323,s0, udp,5323,s0)
+network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(ircd, tcp,6667,s0)
+network_port(isakmp, udp,500,s0)
+network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
network_port(mail, tcp,2000,s0)
+network_port(monopd, tcp,1234,s0)
network_port(mysqld, tcp,3306,s0)
+network_port(nessus, tcp,1241,s0)
network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
network_port(ntp, udp,123,s0)
-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0)
+network_port(openvpn, udp,5000,s0)
+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
+network_port(postgrey, tcp,60000,s0)
network_port(printer, tcp,515,s0)
+network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
+network_port(pyzor, udp,24441,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(razor, tcp,2703,s0)
+network_port(rndc, tcp,953,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0)
dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
+network_port(transproxy, tcp,8081,s0)
+network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
network_port(zebra, tcp,2601,s0)
+network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise
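Review bot: `network_port(openvpn, udp,5000,s0)` declares only the pre-2.0 OpenVPN default; OpenVPN 2.0 moved to the IANA-assigned port 1194, so this declaration is likely to miss current deployments — consider `network_port(openvpn, udp,1194,s0, udp,5000,s0)` if both must be covered. The `tcp,5666,s0` appended to `inetd_child` carries no hint of what service it is for, unlike the `# 8118 is for privoxy` comment added on the http_cache line; a similar trailing comment would help. Likewise `pop` now includes 143, 220 and 993, which are IMAP rather than POP ports — the type name is inherited, but a comment noting that it covers both protocols would save confusion.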
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 0ba3697..d7f7e7f 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -59,6 +59,11 @@ type cpu_device_t, device_node;
fs_associate(cpu_device_t)
fs_associate_tmpfs(cpu_device_t)
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_node;
+fs_associate(crypt_device_t)
+fs_associate_tmpfs(crypt_device_t)
+
type dri_device_t, device_node;
fs_associate(dri_device_t)
fs_associate_tmpfs(dri_device_t)
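Review bot: The new crypt_device_t is declared, but nothing in this diff labels a device node with it or grants any domain access to it — no devices.fc entry and no devices.if interface appear — so the type is currently unusable. If those pieces land in another commit, say so in the comment; otherwise they belong here. The comment also misspells "accelerator"; suggested wording: `# for the IBM zSeries z90crypt hardware SSL accelerator`.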
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 37aa654..62a4f36 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -40,14 +40,29 @@ type bdev_t, filesystem_type;
genfscon bdev / context_template(system_u:object_r:bdev_t,s0)
type binfmt_misc_fs_t, filesystem_type;
+files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
+type debugfs_t, filesystem_type;
+allow debugfs_t self:filesystem associate;
+
type eventpollfs_t, filesystem_type;
genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
type futexfs_t, filesystem_type;
genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
+type hugetlbfs_t, filesystem_type;
+files_mountpoint(hugetlbfs_t)
+allow hugetlbfs_t self:filesystem associate;
+
+type inotifyfs_t, filesystem_type;
+allow inotifyfs_t self:filesystem associate;
+
+type mqueue_t, filesystem_type;
+files_mountpoint(mqueue_t)
+allow mqueue_t self:filesystem associate;
+
type nfsd_fs_t, filesystem_type;
genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
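Review bot: The four new filesystem types (debugfs_t, hugetlbfs_t, inotifyfs_t, mqueue_t) are declared without any `genfscon` or `fs_use_*` statement, whereas every neighbouring type in this hunk (bdev_t, binfmt_misc_fs_t, eventpollfs_t, futexfs_t, nfsd_fs_t) is paired with a `genfscon <fs> / …` line. Without a labeling statement the kernel never assigns these types to the mounted filesystems, so the `files_mountpoint` and `associate` rules have nothing to apply to. Add the matching statement for each, e.g. `genfscon debugfs / context_template(system_u:object_r:debugfs_t,s0)`, or leave a comment saying the labeling is deliberately deferred and why.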
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 41dec5e..e74c2d2 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -70,6 +70,23 @@ interface(`kernel_sigchld',`
########################################
##
+## Send a generic signal to kernel threads.
+##
+##
+## The type of the process sending the signal.
+##
+#
+interface(`kernel_signal',`
+ gen_require(`
+ type kernel_t;
+ class process signal;
+ ')
+
+ allow kernel_t $1:process signal;
+')
+
+########################################
+##
## Allows the kernel to share state information with
## the caller.
##
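Review bot: The rule in the new `kernel_signal` interface is reversed relative to its documentation: the summary says the caller sends a generic signal to kernel threads and the parameter is "the type of the process sending the signal", but `allow kernel_t $1:process signal;` lets kernel_t signal the caller instead. It should read `allow $1 kernel_t:process signal;`. As written, a domain calling kernel_signal is still denied when it sends the signal, and kernel_t silently gains signal rights over every caller.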
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 53b52a2..90f51a0 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -38,7 +38,7 @@ dev_node(devtty_t)
#
# ptmx_t is the type for /dev/ptmx.
#
-type ptmx_t;
+type ptmx_t; #, mlstrustedobject;
dev_node(ptmx_t)
#
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 7217d1f..162e9f8 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -19,10 +19,13 @@ files_pid_file(hald_var_run_t)
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:fifo_file rw_file_perms;
-allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:tcp_socket create_stream_socket_perms;
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
allow hald_t hald_tmp_t:dir create_dir_perms;
allow hald_t hald_tmp_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index a2d8d7e..e55e70d 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -120,6 +120,7 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
+r_dir_file(slapd_t, cert_t)
optional_policy(`rhgb.te',`
rhgb_domain(slapd_t)
')
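Review bot: `r_dir_file(slapd_t, cert_t)` is added inside the `ifdef(`TODO',`…')` block, so it is compiled out and slapd still cannot read certificates; the same happens with `r_dir_file(squid_t, cert_t)` in squid.te. If the intent is to grant the access now, move it out of the TODO block and use the miscfiles module's interface for reading certificates rather than the legacy `r_dir_file` macro; if it is genuinely deferred, a comment saying why would help.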
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 43c01dc..6ed8241 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -65,6 +65,7 @@ corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
corenet_tcp_bind_all_nodes(nscd_t)
corenet_udp_bind_all_nodes(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
selinux_get_fs_mount(nscd_t)
selinux_validate_context(nscd_t)
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 638dbe4..0460f88 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -72,6 +72,7 @@ corenet_udp_sendrecv_all_ports(ntpd_t)
corenet_tcp_bind_all_nodes(ntpd_t)
corenet_udp_bind_all_nodes(ntpd_t)
corenet_udp_bind_ntp_port(ntpd_t)
+corenet_tcp_connect_ntp_port(ntpd_t)
dev_read_sysfs(ntpd_t)
# for SSP
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index 85c9c8c..be80b85 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -58,6 +58,7 @@ corenet_tcp_bind_all_nodes(portmap_t)
corenet_udp_bind_all_nodes(portmap_t)
corenet_tcp_bind_portmap_port(portmap_t)
corenet_udp_bind_portmap_port(portmap_t)
+corenet_tcp_connect_all_ports(portmap_t)
# portmap binds to arbitary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
@@ -158,6 +159,9 @@ allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
allow portmap_helper_t self:udp_socket create_socket_perms;
+allow portmap_helper_t portmap_var_run_t:file create_file_perms;
+files_create_pid(portmap_helper_t,portmap_var_run_t)
+
corenet_tcp_sendrecv_all_if(portmap_helper_t)
corenet_udp_sendrecv_all_if(portmap_helper_t)
corenet_raw_sendrecv_all_if(portmap_helper_t)
@@ -172,6 +176,7 @@ corenet_tcp_bind_reserved_port(portmap_helper_t)
corenet_udp_bind_reserved_port(portmap_helper_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+corenet_tcp_connect_all_ports(portmap_helper_t)
files_read_etc_files(portmap_helper_t)
files_rw_generic_pids(portmap_helper_t)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 36ee8a5..1160bb8 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -6,7 +6,7 @@ policy_module(privoxy,1.0)
# Declarations
#
-type privoxy_t;
+type privoxy_t; # web_client_domain
type privoxy_exec_t;
init_daemon_domain(privoxy_t,privoxy_exec_t)
@@ -36,16 +36,11 @@ kernel_list_proc(privoxy_t)
kernel_read_proc_symlinks(privoxy_t)
corenet_tcp_sendrecv_all_if(privoxy_t)
-corenet_udp_sendrecv_all_if(privoxy_t)
corenet_raw_sendrecv_all_if(privoxy_t)
corenet_tcp_sendrecv_all_nodes(privoxy_t)
-corenet_udp_sendrecv_all_nodes(privoxy_t)
corenet_raw_sendrecv_all_nodes(privoxy_t)
corenet_tcp_sendrecv_all_ports(privoxy_t)
-corenet_udp_sendrecv_all_ports(privoxy_t)
-# cjp: this really should be specified!
-corenet_tcp_bind_generic_port(privoxy_t)
-corenet_udp_bind_generic_port(privoxy_t)
+corenet_tcp_bind_http_cache_port(privoxy_t)
dev_read_sysfs(privoxy_t)
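Review bot: The hunk tightens privoxy_t's bind from the generic port to `corenet_tcp_bind_http_cache_port`, but as a forward proxy privoxy also has to connect out to web servers, and no `corenet_tcp_connect_http_port(privoxy_t)` (or equivalent) is added, while the same commit gives squid_t explicit connect rules for the http, ftp and gopher ports. Unless the connect permission is granted elsewhere, outbound connections will be denied once port connect checks are in effect. Adding `corenet_tcp_connect_http_port(privoxy_t)` next to the bind rule would keep the two proxies consistent.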
@@ -83,6 +78,10 @@ optional_policy(`mount.te',`
mount_send_nfs_client_request(privoxy_t)
')
+optional_policy(`nis.te',`
+ nis_use_ypbind(privoxy_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(privoxy_t)
')
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 14986b8..717ac4a 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -29,8 +29,7 @@ corenet_raw_sendrecv_all_nodes(rshd_t)
corenet_tcp_sendrecv_all_nodes(rshd_t)
corenet_tcp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_all_nodes(rshd_t)
-corenet_tcp_bind_reserved_port(rshd_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(rshd_t)
+corenet_tcp_bind_rsh_port(rshd_t)
dev_read_urand(rshd_t)
@@ -83,10 +82,6 @@ optional_policy(`kerberos.te',`
kerberos_use(rshd_t)
')
-optional_policy(`nis.te',`
- nis_use_ypbind(rshd_t)
-')
-
ifdef(`TODO',`
optional_policy(`rlogind.te', `
allow rshd_t rlogind_tmp_t:file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 12d6c19..10fc119 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -88,7 +88,5 @@ optional_policy(`nscd.te',`
')
ifdef(`TODO',`
-ifdef(`ftpd.te', `
r_dir_file(rsync_t, ftpd_anon_t)
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 90d85a1..5e8fcb9 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -78,6 +78,9 @@ corenet_tcp_bind_all_nodes(squid_t)
corenet_udp_bind_all_nodes(squid_t)
corenet_tcp_bind_http_cache_port(squid_t)
corenet_udp_bind_http_cache_port(squid_t)
+corenet_tcp_connect_ftp_port(squid_t)
+corenet_tcp_connect_gopher_port(squid_t)
+corenet_tcp_connect_http_port(squid_t)
dev_read_sysfs(squid_t)
dev_read_urand(squid_t)
@@ -126,6 +129,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(squid_t)
')
+tunable_policy(`squid_connect_any',`
+ corenet_tcp_connect_all_ports(squid_t)
+')
+
optional_policy(`logrotate.te',`
allow squid_t self:capability kill;
cron_use_fd(squid_t)
@@ -161,6 +168,11 @@ optional_policy(`rhgb.te',`
ifdef(`apache.te',`
can_tcp_connect(squid_t, httpd_t)
')
+r_dir_file(squid_t, cert_t)
+ifdef(`winbind.te', `
+domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
+')
#squid requires the following when run in diskd mode, the recommended setting
allow squid_t tmpfs_t:file { read write };
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index b18be62..e1c29eb 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -388,7 +388,7 @@ template(`ssh_per_userdomain_template',`
##
#
template(`ssh_server_template', `
- type $1_t, ssh_server;
+ type $1_t, ssh_server; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
domain_type($1_t)
role system_r types $1_t;
@@ -428,6 +428,7 @@ template(`ssh_server_template', `
corenet_tcp_sendrecv_all_ports($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
+ corenet_tcp_connect_all_ports($1_t)
dev_read_urand($1_t)
@@ -498,6 +499,10 @@ template(`ssh_server_template', `
init_use_script_pty($1_t)
')
+ optional_policy(`kerberos.te',`
+ kerberos_use($1_t)
+ ')
+
optional_policy(`mount.te', `
mount_send_nfs_client_request($1_t)
')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index d0f55e4..46dbce6 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -22,7 +22,7 @@ logging_log_file(lastlog_t)
type login_exec_t;
files_type(login_exec_t)
-type pam_console_t;
+type pam_console_t; #, mlsfileread
type pam_console_exec_t;
init_system_domain(pam_console_t,pam_console_exec_t)
role system_r types pam_console_t;
@@ -142,8 +142,9 @@ allow pam_console_t pam_var_console_t:file r_file_perms;
allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
kernel_read_kernel_sysctl(pam_console_t)
-kernel_read_system_state(pam_console_t)
kernel_use_fd(pam_console_t)
+# Read /proc/meminfo
+kernel_read_system_state(pam_console_t)
dev_read_sysfs(pam_console_t)
dev_getattr_apm_bios(pam_console_t)
@@ -173,6 +174,7 @@ storage_getattr_scsi_generic(pam_console_t)
storage_setattr_scsi_generic(pam_console_t)
term_use_console(pam_console_t)
+term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 7a47a58..5166326 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -40,6 +40,7 @@ ifdef(`targeted_policy',`
# /sbin
#
/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
+/sbin/mkfs\.cramfs -- context_template(system_u:object_r:sbin_t,s0)
/sbin/insmod_ksymoops_clean -- context_template(system_u:object_r:sbin_t,s0)
#
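Review bot: `/sbin/mkfs\.cramfs -- context_template(system_u:object_r:sbin_t,s0)` is redundant with the `/sbin(/.*)?` sbin_t entry immediately above it unless its purpose is to override a more specific pattern in another module's .fc file (presumably an mkfs pattern labeled fsadm_exec_t in fstools.fc). A comment stating that, e.g. `# overrides <pattern in other module>: mkfs.cramfs stays sbin_t`, would stop it being removed as a duplicate. Since precedence between entries with the same stem depends on their order in the assembled file_contexts rather than on which module declares them, confirm that this entry actually takes effect.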
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
index ce34937..3430a3c 100644
--- a/refpolicy/policy/modules/system/files.fc
+++ b/refpolicy/policy/modules/system/files.fc
@@ -5,6 +5,14 @@
/.* context_template(system_u:object_r:default_t,s0)
/ -d context_template(system_u:object_r:root_t,s0)
/\.journal <>
+ifdef(`distro_redhat',`
+/\.autofsck -- context_template(system_u:object_r:etc_runtime_t,s0)
+/\.autorelabel -- context_template(system_u:object_r:etc_runtime_t,s0)
+/fastboot -- context_template(system_u:object_r:etc_runtime_t,s0)
+/forcefsck -- context_template(system_u:object_r:etc_runtime_t,s0)
+/fsckoptions -- context_template(system_u:object_r:etc_runtime_t,s0)
+/poweroff -- context_template(system_u:object_r:etc_runtime_t,s0)
+')
#
# /boot
@@ -32,6 +40,9 @@
/etc/nologin.* -- context_template(system_u:object_r:etc_runtime_t,s0)
/etc/init\.d/functions -- context_template(system_u:object_r:etc_t,s0)
+ifdef(`distro_suse',`
+/etc/init\.d/\.depend.* -- context_template(system_u:object_r:etc_runtime_t,s0)
+')
/etc/ipsec\.d/examples(/.*)? context_template(system_u:object_r:etc_t,s0)
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index e9d0adb..94c867c 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -51,7 +51,7 @@ sid file context_template(system_u:object_r:file_t,s0)
# home_root_t is the type for the directory where user home directories
# are created
#
-type home_root_t, file_type, mountpoint;
+type home_root_t, file_type, mountpoint; #, polyparent
fs_associate(home_root_t)
fs_associate_noxattr(home_root_t)
@@ -84,7 +84,7 @@ fs_associate_noxattr(readable_t)
#
# root_t is the type for rootfs and the root directory.
#
-type root_t, file_type, mountpoint;
+type root_t, file_type, mountpoint; #, polyparent
fs_associate(root_t)
fs_associate_noxattr(root_t)
kernel_rootfs_mountpoint(root_t)
@@ -93,14 +93,14 @@ genfscon rootfs / context_template(system_u:object_r:root_t,s0)
#
# src_t is the type of files in the system src directories.
#
-type src_t, file_type;
+type src_t, file_type, mountpoint;
fs_associate(src_t)
fs_associate_noxattr(src_t)
#
# tmp_t is the type of the temporary directories
#
-type tmp_t, file_type, tmpfile, mountpoint;
+type tmp_t, file_type, tmpfile, mountpoint; #, polydir
fs_associate(tmp_t)
fs_associate_noxattr(tmp_t)
diff --git a/refpolicy/policy/modules/system/fstools.fc b/refpolicy/policy/modules/system/fstools.fc
index f24fd8c..90f772d 100644
--- a/refpolicy/policy/modules/system/fstools.fc
+++ b/refpolicy/policy/modules/system/fstools.fc
@@ -1,6 +1,7 @@
/sbin/blockdev -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/dosfsck -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dump -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/dumpe2fs -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/e2fsck -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/e2label -- context_template(system_u:object_r:fsadm_exec_t,s0)
@@ -21,6 +22,7 @@
/sbin/parted -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidautorun -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/raidstart -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/reiserfs(ck|tune) -- context_template(system_u:object_r:fsadm_exec_t,s0)
/sbin/resize.*fs -- context_template(system_u:object_r:fsadm_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/getty.fc b/refpolicy/policy/modules/system/getty.fc
index 77a3b5b..6dcaaca 100644
--- a/refpolicy/policy/modules/system/getty.fc
+++ b/refpolicy/policy/modules/system/getty.fc
@@ -2,3 +2,7 @@
/etc/mgetty(/.*)? context_template(system_u:object_r:getty_etc_t,s0)
/sbin/.*getty -- context_template(system_u:object_r:getty_exec_t,s0)
+
+/var/log/mgetty\.log.* -- context_template(system_u:object_r:getty_log_t,s0)
+
+/var/run/mgetty\.pid.* -- context_template(system_u:object_r:getty_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 3956bc6..c403848 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -15,33 +15,43 @@ type getty_etc_t;
typealias getty_etc_t alias etc_getty_t;
files_type(getty_etc_t)
+type getty_lock_t;
+files_lock_file(getty_lock_t)
+
type getty_log_t;
logging_log_file(getty_log_t)
type getty_tmp_t;
files_tmp_file(getty_tmp_t)
+type getty_var_run_t;
+files_pid_file(getty_var_run_t)
+
########################################
#
# Getty local policy
#
# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-# fbgetty needs fsetid for some reason
-#allow getty_t self:capability fsetid;
-
+allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
allow getty_t self:process { getpgid getsession };
allow getty_t getty_etc_t:dir r_dir_perms;
allow getty_t getty_etc_t:file r_file_perms;
files_create_etc_config(getty_t,getty_etc_t,{ file dir })
+allow getty_t getty_lock_t:file create_file_perms;
+files_create_lock(getty_t,getty_lock_t)
+
+allow getty_t getty_log_t:file { getattr append setattr };
+
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
-allow getty_t getty_log_t:file { getattr append setattr };
+allow getty_t getty_var_run_t:file create_file_perms;
+allow getty_t getty_var_run_t:dir create_dir_perms;
+files_create_pid(getty_t,getty_var_run_t)
dev_read_sysfs(getty_t)
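Review bot: The capability rule is widened from `{ dac_override chown sys_resource sys_tty_config }` to also grant `fowner` and `fsetid`, while the only rationale that existed (`# fbgetty needs fsetid for some reason`) is deleted and `fowner` gets no explanation at all. Keep a why-comment above the allow, e.g. `# fbgetty needs fsetid; fowner is for <reason>`, so the broader grant stays auditable. The two getty_tmp_t rules carried over from before also list `setattr` twice in their permission sets, which is harmless but worth cleaning up while the block is being touched.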
@@ -58,9 +68,9 @@ term_setattr_console(getty_t)
auth_rw_login_records(getty_t)
corecmd_search_bin(getty_t)
+corecmd_search_sbin(getty_t)
files_rw_generic_pids(getty_t)
-files_manage_generic_locks(getty_t)
files_read_etc_runtime_files(getty_t)
files_read_etc_files(getty_t)
@@ -75,3 +85,12 @@ locallogin_domtrans(getty_t)
logging_send_syslog_msg(getty_t)
miscfiles_read_localization(getty_t)
+
+ifdef(`TODO',`
+#
+# getty needs to be able to run pppd
+#
+ifdef(`pppd.te', `
+domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index 7a0983f..c85ca5a 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -55,8 +55,10 @@ ifdef(`distro_gentoo', `
/var/run/setmixer_flag -- context_template(system_u:object_r:initrc_var_run_t,s0)
ifdef(`distro_suse', `
-/var/run/sysconfig(/.*)? context_template(system_u:object_r:initrc_var_run_t,s0)
+/var/run/bootsplashctl -p context_template(system_u:object_r:initrc_var_run_t,s0)
/var/run/keymap -- context_template(system_u:object_r:initrc_var_run_t,s0)
/var/run/numlock-on -- context_template(system_u:object_r:initrc_var_run_t,s0)
+/var/run/setleds-on -- context_template(system_u:object_r:initrc_var_run_t,s0)
+/var/run/sysconfig(/.*)? context_template(system_u:object_r:initrc_var_run_t,s0)
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c9fa5c7..ad8c451 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -15,7 +15,7 @@ attribute direct_init_entry;
#
# init_t is the domain of the init process.
#
-type init_t;
+type init_t; #, mlsrangetrans, mlsfileread, mlsfilewrite;
domain_type(init_t)
role system_r types init_t;
@@ -37,10 +37,10 @@ files_pid_file(init_var_run_t)
# by init during initialization. This pipe is used
# to communicate with init.
#
-type initctl_t;
+type initctl_t; #, mlstrustedobject;
files_type(initctl_t)
-type initrc_t;
+type initrc_t; #, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
domain_type(initrc_t)
role system_r types initrc_t;
@@ -79,6 +79,8 @@ allow init_t self:fifo_file rw_file_perms;
# Re-exec itself
allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
+allow init_t initrc_t:unix_stream_socket connectto;
+
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
files_create_pid(init_t,init_var_run_t)
@@ -162,6 +164,10 @@ optional_policy(`userdomain.te',`
userdom_shell_domtrans_sysadm(init_t)
')
+ifdef(`TODO',`
+allow init_t ramfs_t:sock_file write;
+')
+
########################################
#
# Init script local policy
@@ -201,12 +207,8 @@ kernel_read_ring_buffer(initrc_t)
kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
-dev_read_sysfs(initrc_t)
-dev_rw_sysfs(initrc_t)
kernel_read_all_sysctl(initrc_t)
kernel_rw_all_sysctl(initrc_t)
-selinux_get_enforce_mode(initrc_t)
-dev_list_usbfs(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
@@ -222,11 +224,14 @@ corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_bind_all_nodes(initrc_t)
corenet_udp_bind_all_nodes(initrc_t)
+corenet_tcp_connect_all_ports(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
+dev_rw_sysfs(initrc_t)
+dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_snd_mixer_dev(initrc_t)
@@ -244,6 +249,8 @@ fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
+selinux_get_enforce_mode(initrc_t)
+
storage_getattr_fixed_disk(initrc_t)
storage_setattr_fixed_disk(initrc_t)
storage_setattr_removable_device(initrc_t)
@@ -307,7 +314,7 @@ libs_use_shared_libs(initrc_t)
libs_exec_lib_files(initrc_t)
logging_send_syslog_msg(initrc_t)
-logging_rw_generic_logs(initrc_t)
+logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
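Review bot: Replacing `logging_rw_generic_logs(initrc_t)` with `logging_manage_generic_logs(initrc_t)` additionally lets init scripts create and unlink arbitrary files under var_log_t, but the hunk gives no reason for the wider grant. A one-line comment naming the script or service that needs to create or remove generic log files would record the rationale and make the grant easy to revisit.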
@@ -527,6 +534,11 @@ role system_r types initrc_su_t;
ifdef(`distro_redhat', `
# readahead asks for these
allow initrc_t var_lib_nfs_t:file r_file_perms;
+
+ file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
+ allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+ allow initrc_t self:capability sys_admin;
+ allow initrc_t device_t:dir create;
')
ifdef(`targeted_policy',`
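Review bot: The four rules added inside the `distro_redhat` block at L760-L763 are written as raw cross-module type references and a legacy `file_type_auto_trans` macro, while the rest of this refpolicy file uses module interfaces (`storage_getattr_fixed_disk`, `fs_getattr_all_fs`), so they bypass the encapsulation refpolicy is built on. `allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;` reaches every file type on the system and `allow initrc_t self:capability sys_admin;` is one of the broadest capabilities there is, yet neither carries a reason beyond the `# readahead asks for these` comment that sits above the older nfs rule. The identical block lands in the strict policy at L1153-L1156 with the same missing rationale; a comment per rule such as `# readahead: stat arbitrary files to preload them` and one naming the operation that needs sys_admin would let a later reviewer judge whether the grants can be narrowed.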
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index a592aae..4c3c744 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -238,9 +238,13 @@ interface(`logging_write_generic_logs',`
allow $1 var_log_t:file { getattr write };
')
-#######################################
-#
-# logging_rw_generic_logs(domain)
+########################################
+##
+## Read and write generic log files.
+##
+##
+## Domain allowed access.
+##
#
interface(`logging_rw_generic_logs',`
gen_require(`
@@ -253,3 +257,24 @@ interface(`logging_rw_generic_logs',`
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file rw_file_perms;
')
+
+########################################
+##
+## Create, read, write, and delete
+## generic log files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`logging_manage_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir rw_dir_perms;
+ allow $1 var_log_t:file create_file_perms;
+')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 3090e0a..039d8ea 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -18,10 +18,10 @@ init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;
files_pid_file(auditd_var_run_t)
-type devlog_t;
+type devlog_t; #, mlstrustedobject;
files_type(devlog_t)
-type klogd_t;
+type klogd_t; #, mlsfileread
type klogd_exec_t;
init_daemon_domain(klogd_t,klogd_exec_t)
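Review bot: `type devlog_t; #, mlstrustedobject;` at L819 and `type klogd_t; #, mlsfileread` at L822 leave the strict policy's MLS attributes as trailing comment residue that the build ignores and that will drift from what the strict policy actually grants. The same residue appears at L879, L916, L928 and L957, and L957 even carries a stray `')` copied from the m4 argument list it was lifted from. Either express the MLS privileges through the mechanism refpolicy uses for them so they are enforced, or track the pending port in one place rather than on each type line.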
@@ -155,7 +155,8 @@ miscfiles_read_localization(klogd_t)
# syslogd local policy
#
-allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
+# cjp: why net_admin!
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };
dontaudit syslogd_t self:capability sys_tty_config;
allow syslogd_t self:process signal_perms;
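Review bot: The capability rule at L830 drops `net_bind_service` while adding `net_admin`, and the author's own `# cjp: why net_admin!` records that the reason for the new capability is unknown. `net_admin` covers interface configuration, routing and privileged socket options, so it should not stay in the policy on the strength of an audit message alone; if syslogd only probes for it, a `dontaudit` as done for ntpd at L1261 is the usual choice. Dropping `net_bind_service` also means a syslogd configured to receive remote messages on the privileged syslog port can no longer bind it unless that access is granted elsewhere, which this hunk does not show.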
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 47cfa64..db203f9 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -32,14 +32,12 @@ files_tmp_file(lvm_tmp_t)
#
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
+allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource };
dontaudit lvm_t self:capability sys_tty_config;
-
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
-
-allow lvm_t self:file r_file_perms;
+allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
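Review bot: The comment `# DAC overrides and mknod for modifying /dev entries (vgmknodes)` above L841 no longer covers the rule, which now also grants `chown` and `sys_resource`; the strict copy at L1203 has the same mismatch. `chown` lets lvm_t change ownership of any file it can otherwise write, so the line should say which operation needs it, e.g. `# chown, sys_resource: needed by <tool> for <operation>` with the real cause filled in. The widening from `r_file_perms` to `rw_file_perms` on `self:file` at L849 (and L1196) is likewise undocumented.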
@@ -122,7 +120,6 @@ corecmd_dontaudit_getattr_sbin_file(lvm_t)
domain_use_wide_inherit_fd(lvm_t)
-files_search_var(lvm_t)
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
files_dontaudit_getattr_pid_dir(lvm_t)
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index 61e7674..9b9ab9a 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -7,12 +7,6 @@ policy_module(miscfiles,1.0)
#
#
-# catman_t is the type for /var/catman.
-#
-type catman_t;
-files_tmp_file(catman_t)
-
-#
# cert_t is the type of files in the system certs directories.
#
type cert_t;
@@ -26,6 +20,18 @@ type fonts_t;
files_type(fonts_t)
#
+# Type for anonymous FTP data, used by ftp and rsync
+#
+type ftpd_anon_t; #, customizable;
+files_type(ftpd_anon_t)
+
+#
+# type for /tmp/.ICE-unix
+#
+type ice_tmp_t;
+files_tmp_file(ice_tmp_t)
+
+#
# locale_t is the type for system localization
#
type locale_t;
@@ -34,7 +40,7 @@ files_type(locale_t)
#
# man_t is the type for the man directories.
#
-type man_t;
+type man_t alias catman_t;
files_type(man_t)
#
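Review bot: `type man_t alias catman_t;` at L897 changes the attribute set of everything labeled catman_t: the removed declaration at L867-L868 made it a `files_tmp_file` type, while man_t is a plain `files_type` (L898). Whatever rules are written against the tmp-file attribute therefore stop matching /var/catman, and any rule that distinguished cached man pages from the read-only man tree can no longer do so. If that is intended, a comment such as `# catman_t merged into man_t: /var/catman is no longer a tmp-file type` next to the alias would record the decision.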
@@ -48,3 +54,7 @@ files_type(test_file_t)
#
type tetex_data_t;
files_tmp_file(tetex_data_t)
+
+ifdef(`TODO',`
+allow customizable self:filesystem associate;
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index c58e7af..5a0665c 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -6,7 +6,7 @@ policy_module(raid,1.0)
# Declarations
#
-type mdadm_t;
+type mdadm_t; # privmail
type mdadm_exec_t;
init_daemon_domain(mdadm_t,mdadm_exec_t)
role system_r types mdadm_t;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 1a74046..f55425c 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -65,7 +65,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
type policy_src_t;
files_type(policy_src_t)
-type restorecon_t, can_relabelto_binary_policy;
+type restorecon_t, can_relabelto_binary_policy; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
type restorecon_exec_t;
domain_obj_id_change_exempt(restorecon_t)
init_system_domain(restorecon_t,restorecon_exec_t)
@@ -280,7 +280,6 @@ kernel_read_system_state(restorecon_t)
dev_rw_generic_file(restorecon_t)
fs_getattr_xattr_fs(restorecon_t)
-fs_list_all(restorecon_t)
selinux_get_fs_mount(restorecon_t)
selinux_validate_context(restorecon_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
index b3f389a..98904af 100644
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -43,6 +43,7 @@
#
/var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0)
/var/lib/dhcp3?/dhclient.* context_template(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpcd(/.*)? context_template(system_u:object_r:dhcpc_state_t,s0)
/var/run/dhclient.*\.pid -- context_template(system_u:object_r:dhcpc_var_run_t,s0)
/var/run/dhclient.*\.leases -- context_template(system_u:object_r:dhcpc_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 7c3ec48..a11919c 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -6,7 +6,7 @@ policy_module(udev,1.0)
# Declarations
#
-type udev_t;
+type udev_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
type udev_exec_t;
type udev_helper_exec_t;
kernel_userland_entry(udev_t,udev_exec_t)
@@ -34,7 +34,7 @@ files_pid_file(udev_var_run_t)
# Local policy
#
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice };
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
@@ -42,6 +42,7 @@ allow udev_t self:fifo_file rw_file_perms;
allow udev_t self:unix_stream_socket { listen accept };
allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
+allow udev_t self:netlink_kobject_uevent_socket { create bind read };
allow udev_t self:shm create_shm_perms;
allow udev_t self:sem create_sem_perms;
allow udev_t self:msgq create_msgq_perms;
@@ -72,6 +73,7 @@ kernel_read_modprobe_sysctl(udev_t)
kernel_read_kernel_sysctl(udev_t)
kernel_rw_unix_dgram_socket(udev_t)
kernel_sendto_unix_dgram_socket(udev_t)
+kernel_signal(udev_t)
dev_read_sysfs(udev_t)
dev_manage_dev_nodes(udev_t)
diff --git a/strict/domains/misc/local.te b/strict/domains/misc/local.te
new file mode 100644
index 0000000..cedba3c
--- /dev/null
+++ b/strict/domains/misc/local.te
@@ -0,0 +1,5 @@
+# Local customization of existing policy should be done in this file.
+# If you are creating brand new policy for a new "target" domain, you
+# need to create a type enforcement (.te) file in domains/program
+# and a file context (.fc) file in file_context/program.
+
diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te
index 9836ce4..f3f2c28 100644
--- a/strict/domains/program/consoletype.te
+++ b/strict/domains/program/consoletype.te
@@ -11,7 +11,7 @@
# consoletype_t is the domain for the consoletype program.
# consoletype_exec_t is the type of the corresponding program.
#
-type consoletype_t, domain;
+type consoletype_t, domain, mlsfileread, mlsfilewrite;
type consoletype_exec_t, file_type, sysadmfile, exec_type;
role system_r types consoletype_t;
@@ -57,6 +57,7 @@ allow consoletype_t tmpfs_t:chr_file rw_file_perms;
ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
+dontaudit consoletype_t proc_t:dir search;
dontaudit consoletype_t proc_t:file read;
dontaudit consoletype_t root_t:file read;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index 10f8a4d..c19a2d8 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -37,7 +37,7 @@ allow mta_user_agent system_crond_t:fd use;
# read files in /etc
allow system_crond_t etc_t:file r_file_perms;
-allow system_crond_t etc_runtime_t:file read;
+allow system_crond_t etc_runtime_t:file { getattr read };
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te
index fc8a2bb..c060211 100644
--- a/strict/domains/program/getty.te
+++ b/strict/domains/program/getty.te
@@ -23,22 +23,13 @@ allow getty_t self:process { getpgid getsession };
allow getty_t self:unix_dgram_socket create_socket_perms;
allow getty_t self:unix_stream_socket create_socket_perms;
-# to allow w to display everyone...
-bool user_ttyfile_stat false;
-if (user_ttyfile_stat) {
-allow userdomain ttyfile:chr_file getattr;
-}
-
# Use capabilities.
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-# fbgetty needs fsetid for some reason
-#allow getty_t self:capability fsetid;
-
read_locale(getty_t)
# Run login in local_login_t domain.
-allow getty_t bin_t:dir search;
+allow getty_t { sbin_t bin_t }:dir search;
domain_auto_trans(getty_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
@@ -55,5 +46,15 @@ allow getty_t ttyfile:chr_file { setattr rw_file_perms };
# for error condition handling
allow getty_t fs_t:filesystem getattr;
-rw_dir_create_file(getty_t, var_lock_t)
+lock_domain(getty)
r_dir_file(getty_t, sysfs_t)
+# for mgetty
+var_run_domain(getty)
+allow getty_t self:capability { fowner fsetid };
+
+#
+# getty needs to be able to run pppd
+#
+ifdef(`pppd.te', `
+domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+')
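Review bot: `allow getty_t self:capability { fowner fsetid };` at L1057 is a second capability rule for the same domain, separate from the one at L1039 that the earlier hunk leaves as `{ dac_override chown sys_resource sys_tty_config }`; that hunk also deleted the note that fbgetty needed `fsetid` for an unknown reason, so the grant is now unconditional and unexplained beyond `# for mgetty`. Merging the two rules into one line, with `# fowner, fsetid: mgetty` on it if that is the actual cause, keeps the capability set of getty_t reviewable in one place. `lock_domain(getty)` and `var_run_domain(getty)` presumably introduce getty-specific lock and pid types; the file contexts that label those files are not in this diff, so check they exist.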
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index 2bdd0b5..ed84911 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -15,7 +15,7 @@ daemon_domain(hald, `, fs_domain, nscd_client_domain')
can_exec_any(hald_t)
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow hald_t self:unix_dgram_socket create_socket_perms;
ifdef(`dbusd.te', `
@@ -30,6 +30,10 @@ allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file getattr;
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
can_network_server(hald_t)
diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te
index 3fb67de..185e0ba 100644
--- a/strict/domains/program/init.te
+++ b/strict/domains/program/init.te
@@ -14,11 +14,11 @@
# by init during initialization. This pipe is used
# to communicate with init.
#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs;
+type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# for init to determine whether SE Linux is active so it can know whether to
# activate it
@@ -82,6 +82,7 @@ allow init_t self:process { fork sigchld };
# Modify utmp.
allow init_t var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
+can_unix_connect(init_t, initrc_t)
# For /var/run/shutdown.pid.
var_run_domain(init)
@@ -133,6 +134,7 @@ allow init_t lib_t:file { getattr read };
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
+allow init_t ramfs_t:sock_file write;
r_dir_file(init_t, sysfs_t)
r_dir_file(init_t, selinux_config_t)
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
index 86e09cc..f6e248e 100644
--- a/strict/domains/program/initrc.te
+++ b/strict/domains/program/initrc.te
@@ -12,11 +12,12 @@
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
role system_r types initrc_t;
uses_shlib(initrc_t);
can_network(initrc_t)
+allow initrc_t port_type:tcp_socket name_connect;
can_ypbind(initrc_t)
type initrc_exec_t, file_type, sysadmfile, exec_type;
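Review bot: At L1126 the `fs_domain` attribute moves out of the `ifdef(`unlimitedRC', ...)` list and becomes unconditional for initrc_t, in the same line that adds the MLS attributes; nothing in the hunk says why the attribute's filesystem privileges are now needed in the limited configuration. That weakens `unlimitedRC` as a switch, so a comment on the line, e.g. `# fs_domain unconditionally: init scripts need it even without unlimitedRC`, would make the decision explicit. `allow initrc_t port_type:tcp_socket name_connect;` at L1130 is the same blanket connect grant as `corenet_tcp_connect_all_ports(initrc_t)` at L730 and deserves the same one-line justification.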
@@ -130,7 +131,7 @@ allow initrc_t ld_so_cache_t:file rw_file_perms;
# Update /var/log/wtmp and /var/log/dmesg.
allow initrc_t wtmp_t:file { setattr rw_file_perms };
allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file { setattr rw_file_perms };
+allow initrc_t var_log_t:file create_file_perms;
allow initrc_t lastlog_t:file { setattr rw_file_perms };
allow initrc_t logfile:file { read append };
@@ -194,10 +195,8 @@ file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
allow initrc_t tmpfs_t:chr_file rw_file_perms;
allow initrc_t tmpfs_t:dir r_dir_perms;
-ifdef(`distro_redhat', `
# Allow initrc domain to set the enforcing flag.
can_setenforce(initrc_t)
-')
#
# readahead asks for these
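Review bot: Removing the `distro_redhat` guard at L1144/L1147 makes `can_setenforce(initrc_t)` apply to every distribution, so any init script running as initrc_t can switch the system to permissive mode. That is a meaningful widening of the trusted base for non-Red Hat builds, and the surviving comment `# Allow initrc domain to set the enforcing flag.` does not say why it is now universal; a one-line reason, or a boolean gating it in the style of `squid_connect_any` at L1488, would be appropriate.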
@@ -208,6 +207,11 @@ allow initrc_t var_lib_nfs_t:file { getattr read };
# for /halt /.autofsck and other flag files
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
+file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
+allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+allow initrc_t self:capability sys_admin;
+allow initrc_t device_t:dir create;
+
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
@@ -287,10 +291,6 @@ allow initrc_t device_t:lnk_file unlink;
r_dir_file(initrc_t,selinux_config_t)
-ifdef(`distro_redhat', `
-#allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
-')
-
ifdef(`unlimitedRC', `
unconfined_domain(initrc_t)
')
diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te
index b7efff1..42a136e 100644
--- a/strict/domains/program/klogd.te
+++ b/strict/domains/program/klogd.te
@@ -8,7 +8,7 @@
#
# Rules for the klogd_t domain.
#
-daemon_domain(klogd, `, privmem')
+daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
tmp_domain(klogd)
allow klogd_t proc_t:dir r_dir_perms;
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
index f2cf061..7ed0722 100644
--- a/strict/domains/program/lvm.te
+++ b/strict/domains/program/lvm.te
@@ -18,7 +18,6 @@ type lvm_vg_t, file_type, sysadmfile;
type lvm_metadata_t, file_type, sysadmfile;
type lvm_control_t, device_type, dev_fs;
etcdir_domain(lvm)
-allow lvm_t var_t:dir search;
lock_domain(lvm)
allow lvm_t lvm_lock_t:dir rw_dir_perms;
@@ -35,7 +34,7 @@ allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
r_dir_file(lvm_t, proc_t)
-allow lvm_t self:file r_file_perms;
+allow lvm_t self:file rw_file_perms;
# Read system variables in /proc/sys
read_sysctl(lvm_t)
@@ -65,7 +64,7 @@ tmp_domain(lvm)
allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
+allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
diff --git a/strict/domains/program/mdadm.te b/strict/domains/program/mdadm.te
index 91de77c..47f82e2 100644
--- a/strict/domains/program/mdadm.te
+++ b/strict/domains/program/mdadm.te
@@ -3,7 +3,7 @@
# Author: Colin Walters
#
-daemon_base_domain(mdadm, `, fs_domain')
+daemon_base_domain(mdadm, `, fs_domain, privmail')
role sysadm_r types mdadm_t;
allow initrc_t mdadm_var_run_t:file create_file_perms;
diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te
index c314eee..9b13fd4 100644
--- a/strict/domains/program/netutils.te
+++ b/strict/domains/program/netutils.te
@@ -16,11 +16,14 @@ role sysadm_r types netutils_t;
uses_shlib(netutils_t)
can_network(netutils_t)
+allow netutils_t port_type:tcp_socket name_connect;
can_ypbind(netutils_t)
tmp_domain(netutils)
domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+')
# Inherit and use descriptors from init.
allow netutils_t { userdomain init_t }:fd use;
diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te
index 74db228..40ffbbc 100644
--- a/strict/domains/program/nscd.te
+++ b/strict/domains/program/nscd.te
@@ -23,6 +23,7 @@ daemon_domain(nscd, `, userspace_objmgr')
allow nscd_t etc_t:file r_file_perms;
allow nscd_t etc_t:lnk_file read;
can_network_client(nscd_t)
+allow nscd_t port_type:tcp_socket name_connect;
can_ypbind(nscd_t)
file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te
index 1598c23..2b7480c 100644
--- a/strict/domains/program/ntpd.te
+++ b/strict/domains/program/ntpd.te
@@ -10,7 +10,6 @@
#
daemon_domain(ntpd, `, nscd_client_domain')
type ntp_drift_t, file_type, sysadmfile;
-type ntp_port_t, port_type, reserved_port_type;
type ntpdate_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
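Review bot: The declaration `type ntp_port_t, port_type, reserved_port_type;` is deleted at L1252, yet `ntp_port_t` is still used at L1265 and L1267, and `portmap_port_t` is treated the same way at L1330 versus L1333. This only builds if both port types are now declared centrally (the port declaration side is not in this diff); the `rsh_port_t` and `http_cache_port_t` references at L1456 and L1405 presumably rely on the same place. A comment at the use site, `# ntp_port_t is declared with the other port types`, would save the next reader the search.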
@@ -25,7 +24,7 @@ allow ntpd_t ntp_drift_t:dir rw_dir_perms;
allow ntpd_t ntp_drift_t:file create_file_perms;
# for SSP
-allow ntpd_t urandom_device_t:chr_file read;
+allow ntpd_t urandom_device_t:chr_file { getattr read };
allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
dontaudit ntpd_t self:capability { net_admin };
@@ -41,6 +40,7 @@ allow ntpd_t etc_t:file { read getattr };
# Use the network.
can_network(ntpd_t)
+allow ntpd_t ntp_port_t:tcp_socket name_connect;
can_ypbind(ntpd_t)
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
@@ -83,4 +83,5 @@ ifdef(`winbind.te', `
allow ntpd_t winbind_var_run_t:dir r_dir_perms;
allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
')
-
+# For clock devices like wwvb1
+allow ntpd_t device_t:lnk_file read;
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
index 7270442..cbb84af 100644
--- a/strict/domains/program/pamconsole.te
+++ b/strict/domains/program/pamconsole.te
@@ -3,17 +3,23 @@
#
# pam_console_apply
-daemon_base_domain(pam_console, `, nscd_client_domain')
+daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread')
type pam_var_console_t, file_type, sysadmfile;
allow pam_console_t etc_t:file { getattr read ioctl };
allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
+# Read /etc/mtab
+allow pam_console_t etc_runtime_t:file { read getattr };
+
+# Read /proc/meminfo
+allow pam_console_t proc_t:file { read getattr };
+
allow pam_console_t self:capability { chown fowner fsetid };
# Allow access to /dev/console through the fd:
-allow pam_console_t console_device_t:chr_file { read write };
+allow pam_console_t console_device_t:chr_file { read write setattr };
allow pam_console_t { kernel_t init_t }:fd use;
# for /var/run/console.lock checking
@@ -36,7 +42,6 @@ ifdef(`hotplug.te', `
dontaudit pam_console_t hotplug_etc_t:dir search;
allow pam_console_t hotplug_t:fd use;
')
-allow pam_console_t proc_t:file read;
ifdef(`xdm.te', `
allow pam_console_t xdm_var_run_t:file { getattr read };
')
diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te
index efae37c..e984320 100644
--- a/strict/domains/program/passwd.te
+++ b/strict/domains/program/passwd.te
@@ -145,6 +145,7 @@ dontaudit sysadm_passwd_t devpts_t:dir search;
# make sure that getcon succeeds
allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file read;
+allow passwd_t userdomain:file { getattr read };
allow passwd_t userdomain:process getattr;
+allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te
index 134b200..adc364d 100644
--- a/strict/domains/program/portmap.te
+++ b/strict/domains/program/portmap.te
@@ -14,12 +14,11 @@
daemon_domain(portmap, `, nscd_client_domain')
can_network(portmap_t)
+allow portmap_t port_type:tcp_socket name_connect;
can_ypbind(portmap_t)
allow portmap_t self:unix_dgram_socket create_socket_perms;
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
-type portmap_port_t, port_type, reserved_port_type;
-
tmp_domain(portmap)
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
@@ -60,11 +59,13 @@ domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
dontaudit portmap_helper_t self:capability { net_admin };
allow portmap_helper_t self:capability { net_bind_service };
allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
can_network(portmap_helper_t)
+allow portmap_helper_t port_type:tcp_socket name_connect;
can_ypbind(portmap_helper_t)
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t userdomain:fd use;
+dontaudit portmap_helper_t { userdomain privfd }:fd use;
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te
index 7d62e01..26ac65b 100644
--- a/strict/domains/program/postfix.te
+++ b/strict/domains/program/postfix.te
@@ -9,7 +9,6 @@
type postfix_var_run_t, file_type, sysadmfile, pidfile;
type postfix_etc_t, file_type, sysadmfile;
-typealias postfix_etc_t alias etc_postfix_t;
type postfix_exec_t, file_type, sysadmfile, exec_type;
type postfix_public_t, file_type, sysadmfile;
type postfix_private_t, file_type, sysadmfile;
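Review bot: Deleting `typealias postfix_etc_t alias etc_postfix_t;` at L1356 removes a name that may still be present in on-disk labels or in third-party local policy; files whose xattr still says etc_postfix_t are treated as unlabeled after the new policy loads, until a relabel. Aliases are cheap to keep, so unless a file-context search confirms nothing references the old name it is safer to retain it for a release, with `# alias kept for compatibility with older labels` on the line.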
@@ -120,6 +119,7 @@ allow postfix_master_t postfix_private_t:dir rw_dir_perms;
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
can_network(postfix_master_t)
+allow postfix_master_t port_type:tcp_socket name_connect;
can_ypbind(postfix_master_t)
allow postfix_master_t smtp_port_t:tcp_socket name_bind;
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
@@ -155,6 +155,7 @@ domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:capability { setuid setgid dac_override };
can_network_client(postfix_$1_t)
+allow postfix_$1_t port_type:tcp_socket name_connect;
can_ypbind(postfix_$1_t)
')
@@ -179,6 +180,7 @@ allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
# for OpenSSL certificates
r_dir_file(postfix_smtpd_t,usr_t)
allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
+allow postfix_smtpd_t self:file { getattr read };
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
@@ -345,5 +347,6 @@ allow postfix_map_t self:capability setgid;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
dontaudit postfix_map_t var_t:dir search;
can_network_server(postfix_map_t)
+allow postfix_map_t port_type:tcp_socket name_connect;
allow postfix_local_t mail_spool_t:dir { remove_name };
allow postfix_local_t mail_spool_t:file { unlink };
diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te
index 5762592..9e94026 100644
--- a/strict/domains/program/privoxy.te
+++ b/strict/domains/program/privoxy.te
@@ -8,7 +8,7 @@
#
# Rules for the privoxy_t domain.
#
-daemon_domain(privoxy)
+daemon_domain(privoxy, `, web_client_domain')
logdir_domain(privoxy)
@@ -17,7 +17,8 @@ allow privoxy_t self:capability net_bind_service;
# Use the network.
can_network(privoxy_t)
-allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
+can_ypbind(privoxy_t)
+allow privoxy_t http_cache_port_t:tcp_socket name_bind;
allow privoxy_t etc_t:file { getattr read };
allow privoxy_t self:capability { setgid setuid };
allow privoxy_t self:unix_stream_socket create_socket_perms ;
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index fb014d7..058dcd1 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -12,7 +12,7 @@
#
# needs auth_write attribute because it has relabelfrom/relabelto
# access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context;
+type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
type restorecon_exec_t, file_type, sysadmfile, exec_type;
role system_r types restorecon_t;
@@ -48,10 +48,9 @@ allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom rel
allow restorecon_t ptyfile:chr_file getattr;
allow restorecon_t fs_t:filesystem getattr;
-allow restorecon_t fs_type:dir r_dir_perms;
-allow restorecon_t etc_runtime_t:file read;
-allow restorecon_t etc_t:file read;
+allow restorecon_t etc_runtime_t:file { getattr read };
+allow restorecon_t etc_t:file { getattr read };
allow restorecon_t proc_t:file { getattr read };
dontaudit restorecon_t proc_t:lnk_file { getattr read };
@@ -60,4 +59,3 @@ allow restorecon_t kernel_t:fd use;
allow restorecon_t kernel_t:fifo_file { read write };
allow restorecon_t kernel_t:unix_dgram_socket { read write };
r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-
diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te
index 0c896cf..d6fa1c5 100644
--- a/strict/domains/program/rlogind.te
+++ b/strict/domains/program/rlogind.te
@@ -35,3 +35,4 @@ allow rlogind_t self:file { getattr read };
allow rlogind_t default_t:dir search;
typealias rlogind_port_t alias rlogin_port_t;
read_sysctl(rlogind_t);
+allow rlogind_t krb5_keytab_t:file { getattr read };
diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te
index 33006bd..39976c5 100644
--- a/strict/domains/program/rshd.te
+++ b/strict/domains/program/rshd.te
@@ -23,10 +23,7 @@ allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chow
# Use the network.
can_network_server(rshd_t)
-allow rshd_t reserved_port_t:tcp_socket name_bind;
-dontaudit rshd_t reserved_port_type:tcp_socket name_bind;
-
-can_ypbind(rshd_t)
+allow rshd_t rsh_port_t:tcp_socket name_bind;
allow rshd_t etc_t:file { getattr read };
read_locale(rshd_t)
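Review bot: Replacing the `reserved_port_t` bind plus `dontaudit` with `allow rshd_t rsh_port_t:tcp_socket name_bind;` at L1456 is a proper tightening, but the same hunk also drops `can_ypbind(rshd_t)` at L1455 with no replacement, so rshd loses NIS lookups unless `can_network_server` at L1451 already covers them, which is not shown here. If the removal is deliberate it deserves a comment; if not, `can_ypbind(rshd_t)` should be restored.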
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
index 1090463..6bac7b7 100644
--- a/strict/domains/program/rsync.te
+++ b/strict/domains/program/rsync.te
@@ -14,6 +14,4 @@
inetd_child_domain(rsync)
type rsync_data_t, file_type, sysadmfile;
r_dir_file(rsync_t, rsync_data_t)
-ifdef(`ftpd.te', `
r_dir_file(rsync_t, ftpd_anon_t)
-')
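Review bot: Dropping the `ifdef(`ftpd.te'` guard makes `r_dir_file(rsync_t, ftpd_anon_t)` unconditional, so the strict build now requires `ftpd_anon_t` to be declared even when ftpd.te is not part of the policy. The refpolicy side handles this by moving the type into miscfiles.te (L877-L880), but nothing in the strict hunks shows an equivalent move; if the declaration still lives in ftpd.te, the strict policy fails to compile without that file.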
diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te
index 8cca78e..dd9e416 100644
--- a/strict/domains/program/slapd.te
+++ b/strict/domains/program/slapd.te
@@ -58,3 +58,4 @@ read_sysctl(slapd_t)
allow slapd_t usr_t:file { read getattr };
allow slapd_t urandom_device_t:chr_file { getattr read };
allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+r_dir_file(slapd_t, cert_t)
diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te
index 06d411d..bf7d01d 100644
--- a/strict/domains/program/squid.te
+++ b/strict/domains/program/squid.te
@@ -12,7 +12,7 @@
ifdef(`apache.te',`
can_tcp_connect(squid_t, httpd_t)
')
-
+bool squid_connect_any false;
daemon_domain(squid, `, web_client_domain, nscd_client_domain')
type squid_conf_t, file_type, sysadmfile;
general_domain_access(squid_t)
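Review bot: `bool squid_connect_any false;` at L1488 has no explanatory comment, so what the tunable does is only discoverable from the `if` block at L1495-L1497 and the explicit port list at L1504. A comment above it, `# Allow squid to connect to any TCP port, not just the HTTP, FTP and Gopher ports`, tells an administrator what turning it on costs.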
@@ -53,12 +53,15 @@ ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
# Use the network
can_network(squid_t)
+if (squid_connect_any) {
+allow squid_t port_type:tcp_socket name_connect;
+}
can_ypbind(squid_t)
can_tcp_connect(web_client_domain, squid_t)
# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t http_cache_port_t:tcp_socket name_bind;
-allow squid_t http_cache_port_t:udp_socket name_bind;
+allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
+allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
# to allow running programs from /usr/lib/squid (IE unlinkd)
# also allow exec()ing itself
@@ -74,3 +77,8 @@ allow squid_t urandom_device_t:chr_file { getattr read };
#squid requires the following when run in diskd mode, the recommended setting
allow squid_t tmpfs_t:file { read write };
+r_dir_file(squid_t, cert_t)
+ifdef(`winbind.te', `
+domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
+')
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
index a1eb5ec..ee4dcf1 100644
--- a/strict/domains/program/ssh.te
+++ b/strict/domains/program/ssh.te
@@ -23,7 +23,7 @@ define(`sshd_program_domain', `
# privowner is for changing the identity on the terminal device
# privfd is for passing the terminal file handle to the user process
# auth_chkpwd is for running unix_chkpwd and unix_verify.
-type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain;
+type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
can_exec($1_t, sshd_exec_t)
r_dir_file($1_t, self)
role system_r types $1_t;
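Review bot: The five `mls*` attributes appended to the `type $1_t, ...` line are the only attributes on that declaration without an explanatory comment, whereas the comment block above explains privowner, privfd and auth_chkpwd one by one. Adding a line to that block, e.g. `# mlsfileread/mlsfilewrite/mlsfileupgrade/mlsfiledowngrade/mlsprocsetsl let sshd cross MLS levels when it sets up a session at the user's login level`, would keep the block consistent; the exact purpose is inferred from the attribute names, so confirm it against the MLS constraints before committing the wording. The sshd_program_domain define begins before this hunk.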
@@ -67,6 +67,8 @@ allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
allow $1_t urandom_device_t:chr_file { getattr read };
can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
+can_kerberos($1_t)
allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
allow $1_t { home_root_t home_dir_type }:dir { search getattr };
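Review bot: `allow $1_t port_type:tcp_socket name_connect;` is granted unconditionally to every sshd domain, whereas the equivalent all-ports grant added to squid in this same commit is gated behind the `squid_connect_any` boolean. The rule does not say which connections it serves: if it exists for the `can_kerberos($1_t)` line added beside it, the kerberos port types would be a narrower target, and if it is for port forwarding a comment such as `# remote port forwarding: sshd connects to arbitrary ports on behalf of the user` would at least record the decision. The enclosing sshd_program_domain define starts and ends outside this hunk.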
@@ -145,10 +147,8 @@ sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
}
-ifdef(`use_x_ports', `
# for X forwarding
allow sshd_t xserver_port_t:tcp_socket name_bind;
-')
r_dir_file(sshd_t, selinux_config_t)
sshd_program_domain(sshd_extern)
diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te
index 76d518e..33d1e20 100644
--- a/strict/domains/program/syslogd.te
+++ b/strict/domains/program/syslogd.te
@@ -14,9 +14,9 @@
# by syslogd.
#
ifdef(`klogd.te', `
-daemon_domain(syslogd)
+daemon_domain(syslogd, `, privkmsg')
', `
-daemon_domain(syslogd, `, privmem')
+daemon_domain(syslogd, `, privmem, privkmsg')
')
# can_network is for the UDP socket
@@ -25,7 +25,7 @@ can_ypbind(syslogd_t)
r_dir_file(syslogd_t, sysfs_t)
-type devlog_t, file_type, sysadmfile, dev_fs;
+type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# if something can log to syslog they should be able to log to the console
allow privlog console_device_t:chr_file { ioctl read write getattr };
@@ -36,7 +36,7 @@ tmp_domain(syslogd)
allow syslogd_t etc_t:file r_file_perms;
# Use capabilities.
-allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
+allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
# Modify/create log files.
create_append_log_file(syslogd_t, var_log_t)
@@ -94,7 +94,6 @@ allow syslogd_t { device_t file_t }:sock_file unlink;
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
# Allow name_bind for remote logging
-type syslogd_port_t, port_type, reserved_port_type;
allow syslogd_t syslogd_port_t:udp_socket name_bind;
#
# /initrd is not umounted before minilog starts
@@ -103,5 +102,4 @@ dontaudit syslogd_t file_t:dir search;
allow syslogd_t { tmpfs_t devpts_t }:dir search;
dontaudit syslogd_t unlabeled_t:file read;
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:capability net_admin;
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
index eae23a2..fb70a35 100644
--- a/strict/domains/program/udev.te
+++ b/strict/domains/program/udev.te
@@ -9,7 +9,7 @@
#
# udev_exec_t is the type of the udev executable.
#
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner')
+daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
general_domain_access(udev_t)
@@ -33,6 +33,7 @@ allow udev_t self:file { getattr read };
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:netlink_kobject_uevent_socket { create bind read };
allow udev_t device_t:sock_file create_file_perms;
allow udev_t device_t:lnk_file create_lnk_perms;
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
@@ -70,6 +71,7 @@ can_setfscreate(udev_t)
allow udev_t kernel_t:fd use;
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
+allow udev_t kernel_t:process signal;
allow udev_t initrc_var_run_t:file r_file_perms;
dontaudit udev_t initrc_var_run_t:file write;
diff --git a/strict/domains/program/xfs.te b/strict/domains/program/xfs.te
index 0c9e93f..04302cd 100644
--- a/strict/domains/program/xfs.te
+++ b/strict/domains/program/xfs.te
@@ -37,9 +37,8 @@ allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
allow xfs_t self:unix_stream_socket create_stream_socket_perms;
allow xfs_t self:unix_dgram_socket create_socket_perms;
-# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
-allow xfs_t fonts_t:dir search;
-allow xfs_t fonts_t:file { getattr read };
+# Read fonts
+read_fonts(xfs_t)
# Unlink the xfs socket.
allow initrc_t xfs_tmp_t:dir rw_dir_perms;
diff --git a/strict/file_contexts/program/amavis.fc b/strict/file_contexts/program/amavis.fc
index 12a2064..366da33 100644
--- a/strict/file_contexts/program/amavis.fc
+++ b/strict/file_contexts/program/amavis.fc
@@ -4,3 +4,5 @@
/var/log/amavisd\.log -- system_u:object_r:amavisd_log_t
/var/lib/amavis(/.*)? system_u:object_r:amavisd_lib_t
/var/run/amavis(/.*)? system_u:object_r:amavisd_var_run_t
+/var/amavis(/.*)? system_u:object_r:amavisd_lib_t
+/var/virusmails(/.*)? system_u:object_r:amavisd_quarantine_t
diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc
index 4fe5dac..444c3f0 100644
--- a/strict/file_contexts/program/apache.fc
+++ b/strict/file_contexts/program/apache.fc
@@ -1,6 +1,7 @@
# apache
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
+/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
@@ -15,7 +16,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
/usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t
/usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t
/usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t
-/usr/sbin/httpd -- system_u:object_r:httpd_exec_t
+/usr/sbin/httpd(\.worker)? -- system_u:object_r:httpd_exec_t
/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t
/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
@@ -36,7 +37,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
/var/run/gcache_port -s system_u:object_r:httpd_var_run_t
ifdef(`distro_suse', `
# suse puts shell scripts there :-(
-/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
+/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
+/usr/sbin/httpd2-.* -- system_u:object_r:httpd_exec_t
')
/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t
/var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t
@@ -44,3 +46,9 @@ ifdef(`distro_suse', `
/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t
/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t
/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t
+/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t
+ifdef(`targeted_policy', `', `
+/var/spool/cron/apache -- system_u:object_r:user_cron_spool_t
+')
+/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t
+
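Review bot: The hunk ends with an added empty line (`+` with nothing after it), which introduces a whitespace-only trailing line; gpg.fc, initrc.fc, mls and device.te in this commit receive the same trailing blank lines, and dropping them avoids whitespace churn in later diffs. `/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t` presumably makes apachectl run as initrc_t rather than as httpd_t when invoked from a shell; that looks deliberate, but a comment like `# apachectl is an init-style wrapper, run it as initrc_t` would document the choice next to the entry.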
diff --git a/strict/file_contexts/program/apmd.fc b/strict/file_contexts/program/apmd.fc
index da3c93a..9e6ce0d 100644
--- a/strict/file_contexts/program/apmd.fc
+++ b/strict/file_contexts/program/apmd.fc
@@ -1,9 +1,12 @@
# apmd
/usr/sbin/apmd -- system_u:object_r:apmd_exec_t
/usr/sbin/acpid -- system_u:object_r:apmd_exec_t
+/usr/sbin/powersaved -- system_u:object_r:apmd_exec_t
/usr/bin/apm -- system_u:object_r:apm_exec_t
/var/run/apmd\.pid -- system_u:object_r:apmd_var_run_t
/var/run/\.?acpid\.socket -s system_u:object_r:apmd_var_run_t
+/var/run/powersaved\.pid -- system_u:object_r:apmd_var_run_t
+/var/run/powersave_socket -s system_u:object_r:apmd_var_run_t
/var/log/acpid -- system_u:object_r:apmd_log_t
ifdef(`distro_suse', `
/var/lib/acpi(/.*)? system_u:object_r:apmd_var_lib_t
diff --git a/strict/file_contexts/program/crack.fc b/strict/file_contexts/program/crack.fc
index fac9bd6..7d99136 100644
--- a/strict/file_contexts/program/crack.fc
+++ b/strict/file_contexts/program/crack.fc
@@ -1,4 +1,6 @@
# crack - for password checking
+/usr/sbin/cracklib-[a-z]* -- system_u:object_r:crack_exec_t
/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t
/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t
/usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t
+/usr/share/cracklib(/.*)? system_u:object_r:crack_db_t
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
index 4085e1d..1390839 100644
--- a/strict/file_contexts/program/dhcpc.fc
+++ b/strict/file_contexts/program/dhcpc.fc
@@ -6,6 +6,7 @@
/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
+/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
# pump
diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc
index f755f4a..5d42601 100644
--- a/strict/file_contexts/program/fsadm.fc
+++ b/strict/file_contexts/program/fsadm.fc
@@ -1,6 +1,7 @@
# fs admin utilities
/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
+/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t
/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
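Review bot: `/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t` is placed directly after `/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t`, which also matches it, so the sbin_t label only takes effect because the later, more specific entry wins; nothing in the file says the override is deliberate. A comment such as `# mkfs.cramfs writes an image file rather than a block device, keep it in sbin_t instead of fsadm_exec_t` would record it (the reason is inferred; adjust if it differs).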
@@ -19,9 +20,11 @@
/sbin/parted -- system_u:object_r:fsadm_exec_t
/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
+/sbin/dump -- system_u:object_r:fsadm_exec_t
/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
/sbin/hdparm -- system_u:object_r:fsadm_exec_t
/sbin/raidstart -- system_u:object_r:fsadm_exec_t
+/sbin/raidautorun -- system_u:object_r:fsadm_exec_t
/sbin/mkraid -- system_u:object_r:fsadm_exec_t
/sbin/blockdev -- system_u:object_r:fsadm_exec_t
/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
index 0260197..6865fc5 100644
--- a/strict/file_contexts/program/ftpd.fc
+++ b/strict/file_contexts/program/ftpd.fc
@@ -13,3 +13,4 @@
/var/log/xferreport.* -- system_u:object_r:xferlog_t
/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t
/var/ftp(/.*)? system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t
diff --git a/strict/file_contexts/program/getty.fc b/strict/file_contexts/program/getty.fc
index f908221..0da4b32 100644
--- a/strict/file_contexts/program/getty.fc
+++ b/strict/file_contexts/program/getty.fc
@@ -1,3 +1,5 @@
# getty
/sbin/.*getty -- system_u:object_r:getty_exec_t
/etc/mgetty(/.*)? system_u:object_r:getty_etc_t
+/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t
+/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t
diff --git a/strict/file_contexts/program/gpg.fc b/strict/file_contexts/program/gpg.fc
index 1cc9508..650df0c 100644
--- a/strict/file_contexts/program/gpg.fc
+++ b/strict/file_contexts/program/gpg.fc
@@ -1,5 +1,7 @@
# gpg
HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg -- system_u:object_r:gpg_exec_t
+/usr/bin/gpg(2)? -- system_u:object_r:gpg_exec_t
/usr/bin/kgpg -- system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
+/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t
+/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
+
diff --git a/strict/file_contexts/program/iceauth.fc b/strict/file_contexts/program/iceauth.fc
new file mode 100644
index 0000000..31bf1f3
--- /dev/null
+++ b/strict/file_contexts/program/iceauth.fc
@@ -0,0 +1,3 @@
+# iceauth
+/usr/X11R6/bin/iceauth -- system_u:object_r:iceauth_exec_t
+HOME_DIR/\.ICEauthority.* -- system_u:object_r:ROLE_iceauth_home_t
diff --git a/strict/file_contexts/program/initrc.fc b/strict/file_contexts/program/initrc.fc
index b23d55e..45ea6cf 100644
--- a/strict/file_contexts/program/initrc.fc
+++ b/strict/file_contexts/program/initrc.fc
@@ -19,6 +19,9 @@ ifdef(`distro_suse', `
/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t
/var/run/keymap -- system_u:object_r:initrc_var_run_t
/var/run/numlock-on -- system_u:object_r:initrc_var_run_t
+/var/run/setleds-on -- system_u:object_r:initrc_var_run_t
+/var/run/bootsplashctl -p system_u:object_r:initrc_var_run_t
+/etc/init\.d/\.depend.* -- system_u:object_r:etc_runtime_t
')
ifdef(`distro_gentoo', `
@@ -35,5 +38,11 @@ ifdef(`distro_gentoo', `
/etc/nohotplug -- system_u:object_r:etc_runtime_t
ifdef(`distro_redhat', `
/halt -- system_u:object_r:etc_runtime_t
+/fastboot -- system_u:object_r:etc_runtime_t
+/fsckoptions -- system_u:object_r:etc_runtime_t
+/forcefsck -- system_u:object_r:etc_runtime_t
+/poweroff -- system_u:object_r:etc_runtime_t
/\.autofsck -- system_u:object_r:etc_runtime_t
+/\.autorelabel -- system_u:object_r:etc_runtime_t
')
+
diff --git a/strict/mls b/strict/mls
index 5f50906..ef20c21 100644
--- a/strict/mls
+++ b/strict/mls
@@ -730,3 +730,4 @@ mlsconstrain xextension use
# these access vectors have no MLS restrictions
# association { sendto recvfrom }
+
diff --git a/strict/net_contexts b/strict/net_contexts
index 49f6862..fd10f9b 100644
--- a/strict/net_contexts
+++ b/strict/net_contexts
@@ -17,7 +17,6 @@
# protocol number context
# protocol low-high context
#
-ifdef(`inetd.te', `
portcon tcp 7 system_u:object_r:inetd_child_port_t
portcon udp 7 system_u:object_r:inetd_child_port_t
portcon tcp 9 system_u:object_r:inetd_child_port_t
@@ -37,42 +36,47 @@ portcon udp 891 system_u:object_r:inetd_child_port_t
portcon tcp 892 system_u:object_r:inetd_child_port_t
portcon udp 892 system_u:object_r:inetd_child_port_t
portcon tcp 2105 system_u:object_r:inetd_child_port_t
-')
-ifdef(`ftpd.te', `
portcon tcp 20 system_u:object_r:ftp_data_port_t
portcon tcp 21 system_u:object_r:ftp_port_t
-')
-ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
-ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
-ifdef(`mta.te', `
+portcon tcp 22 system_u:object_r:ssh_port_t
+portcon tcp 23 system_u:object_r:telnetd_port_t
+
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
-')
-ifdef(`use_dns', `
+
+portcon udp 500 system_u:object_r:isakmp_port_t
portcon udp 53 system_u:object_r:dns_port_t
portcon tcp 53 system_u:object_r:dns_port_t
-')
-ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t')
-ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t')
-ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t')
-ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t')
-ifdef(`apache.te', `
+
+portcon udp 67 system_u:object_r:dhcpd_port_t
+portcon udp 68 system_u:object_r:dhcpc_port_t
+portcon udp 70 system_u:object_r:gopher_port_t
+portcon tcp 70 system_u:object_r:gopher_port_t
+
+portcon udp 69 system_u:object_r:tftp_port_t
+portcon tcp 79 system_u:object_r:fingerd_port_t
+
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 443 system_u:object_r:http_port_t
-')
-ifdef(`use_pop', `
+portcon tcp 488 system_u:object_r:http_port_t
+portcon tcp 8008 system_u:object_r:http_port_t
+
portcon tcp 106 system_u:object_r:pop_port_t
portcon tcp 109 system_u:object_r:pop_port_t
portcon tcp 110 system_u:object_r:pop_port_t
-')
-ifdef(`portmap.te', `
+portcon tcp 143 system_u:object_r:pop_port_t
+portcon tcp 220 system_u:object_r:pop_port_t
+portcon tcp 993 system_u:object_r:pop_port_t
+portcon tcp 995 system_u:object_r:pop_port_t
+portcon tcp 1109 system_u:object_r:pop_port_t
+
portcon udp 111 system_u:object_r:portmap_port_t
portcon tcp 111 system_u:object_r:portmap_port_t
-')
-ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
-ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
-ifdef(`samba.te', `
+
+portcon tcp 119 system_u:object_r:innd_port_t
+portcon udp 123 system_u:object_r:ntp_port_t
+
portcon tcp 137 system_u:object_r:smbd_port_t
portcon udp 137 system_u:object_r:nmbd_port_t
portcon tcp 138 system_u:object_r:smbd_port_t
@@ -80,39 +84,26 @@ portcon udp 138 system_u:object_r:nmbd_port_t
portcon tcp 139 system_u:object_r:smbd_port_t
portcon udp 139 system_u:object_r:nmbd_port_t
portcon tcp 445 system_u:object_r:smbd_port_t
-')
-ifdef(`use_pop', `
-portcon tcp 143 system_u:object_r:pop_port_t
-portcon tcp 220 system_u:object_r:pop_port_t
-')
-ifdef(`snmpd.te', `
+
portcon udp 161 system_u:object_r:snmp_port_t
portcon udp 162 system_u:object_r:snmp_port_t
portcon tcp 199 system_u:object_r:snmp_port_t
-')
-ifdef(`comsat.te', `
portcon udp 512 system_u:object_r:comsat_port_t
-')
-ifdef(`slapd.te', `
+
portcon tcp 389 system_u:object_r:ldap_port_t
portcon udp 389 system_u:object_r:ldap_port_t
portcon tcp 636 system_u:object_r:ldap_port_t
portcon udp 636 system_u:object_r:ldap_port_t
-')
-ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
-ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
-ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
-ifdef(`syslogd.te', `
+
+portcon tcp 513 system_u:object_r:rlogind_port_t
+portcon tcp 514 system_u:object_r:rsh_port_t
+
+portcon tcp 515 system_u:object_r:printer_port_t
portcon udp 514 system_u:object_r:syslogd_port_t
-')
-ifdef(`ktalkd.te', `
portcon udp 517 system_u:object_r:ktalkd_port_t
portcon udp 518 system_u:object_r:ktalkd_port_t
-')
-ifdef(`cups.te', `
portcon tcp 631 system_u:object_r:ipp_port_t
portcon udp 631 system_u:object_r:ipp_port_t
-')
portcon tcp 88 system_u:object_r:kerberos_port_t
portcon udp 88 system_u:object_r:kerberos_port_t
portcon tcp 464 system_u:object_r:kerberos_admin_port_t
@@ -122,66 +113,57 @@ portcon tcp 750 system_u:object_r:kerberos_port_t
portcon udp 750 system_u:object_r:kerberos_port_t
portcon tcp 4444 system_u:object_r:kerberos_master_port_t
portcon udp 4444 system_u:object_r:kerberos_master_port_t
-ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
-ifdef(`rsync.te', `
+portcon tcp 783 system_u:object_r:spamd_port_t
+portcon tcp 540 system_u:object_r:uucpd_port_t
+portcon tcp 2401 system_u:object_r:cvs_port_t
+portcon udp 2401 system_u:object_r:cvs_port_t
portcon tcp 873 system_u:object_r:rsync_port_t
portcon udp 873 system_u:object_r:rsync_port_t
-')
-ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
-ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
-ifdef(`use_pop', `
-portcon tcp 993 system_u:object_r:pop_port_t
-portcon tcp 995 system_u:object_r:pop_port_t
-portcon tcp 1109 system_u:object_r:pop_port_t
-')
-ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
-ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
-ifdef(`radius.te', `
+portcon tcp 901 system_u:object_r:swat_port_t
+portcon tcp 953 system_u:object_r:rndc_port_t
+portcon tcp 1213 system_u:object_r:giftd_port_t
+portcon tcp 1241 system_u:object_r:nessus_port_t
+portcon tcp 1234 system_u:object_r:monopd_port_t
portcon udp 1645 system_u:object_r:radius_port_t
portcon udp 1646 system_u:object_r:radacct_port_t
portcon udp 1812 system_u:object_r:radius_port_t
portcon udp 1813 system_u:object_r:radacct_port_t
-')
-ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
-ifdef(`gatekeeper.te', `
portcon udp 1718 system_u:object_r:gatekeeper_port_t
portcon udp 1719 system_u:object_r:gatekeeper_port_t
portcon tcp 1721 system_u:object_r:gatekeeper_port_t
portcon tcp 7000 system_u:object_r:gatekeeper_port_t
-')
-ifdef(`asterisk.te', `
+portcon tcp 2040 system_u:object_r:afs_fs_port_t
+portcon udp 7000 system_u:object_r:afs_fs_port_t
+portcon udp 7002 system_u:object_r:afs_pt_port_t
+portcon udp 7003 system_u:object_r:afs_vl_port_t
+portcon udp 7004 system_u:object_r:afs_ka_port_t
+portcon udp 7005 system_u:object_r:afs_fs_port_t
+portcon udp 7007 system_u:object_r:afs_bos_port_t
portcon tcp 1720 system_u:object_r:asterisk_port_t
portcon udp 2427 system_u:object_r:asterisk_port_t
portcon udp 2727 system_u:object_r:asterisk_port_t
portcon udp 4569 system_u:object_r:asterisk_port_t
portcon udp 5060 system_u:object_r:asterisk_port_t
-')
portcon tcp 2000 system_u:object_r:mail_port_t
-ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
-ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
-ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
-ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t')
-ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t')
-ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t')
-ifdef(`imazesrv.te',`
+portcon tcp 2601 system_u:object_r:zebra_port_t
+portcon tcp 2628 system_u:object_r:dict_port_t
+portcon tcp 3306 system_u:object_r:mysqld_port_t
+portcon tcp 3632 system_u:object_r:distccd_port_t
+portcon udp 4011 system_u:object_r:pxe_port_t
+portcon udp 5000 system_u:object_r:openvpn_port_t
portcon tcp 5323 system_u:object_r:imaze_port_t
portcon udp 5323 system_u:object_r:imaze_port_t
-')
-ifdef(`howl.te', `
portcon tcp 5335 system_u:object_r:howl_port_t
portcon udp 5353 system_u:object_r:howl_port_t
-')
-ifdef(`jabberd.te', `
portcon tcp 5222 system_u:object_r:jabber_client_port_t
portcon tcp 5223 system_u:object_r:jabber_client_port_t
portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
-')
-ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
-ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
-ifdef(`xdm.te', `
+portcon tcp 5432 system_u:object_r:postgresql_port_t
+portcon tcp 5666 system_u:object_r:inetd_child_port_t
+portcon tcp 5703 system_u:object_r:ptal_port_t
+portcon tcp 50000 system_u:object_r:hplip_port_t
+portcon tcp 50002 system_u:object_r:hplip_port_t
portcon tcp 5900 system_u:object_r:vnc_port_t
-')
-ifdef(`use_x_ports', `
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
portcon tcp 6002 system_u:object_r:xserver_port_t
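Review bot: `portcon udp 7007 system_u:object_r:afs_bos_port_t` takes over udp port 7007, and the later hunk of this file drops `ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t')` without a replacement, so any ciped policy still referring to cipe_port_t loses its port context. If cipe is being retired that should be stated in the commit message; otherwise the two entries would clash, since checkpolicy rejects duplicate portcon entries for the same port and protocol, and one of the domains needs a different port. The rest of the hunk converts ifdef-wrapped entries to unconditional ones, which requires every port type to be declared unconditionally in network.te; only rsh_port_t and dns_port_t are visible there in this diff, so the remaining declarations are assumed.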
@@ -202,29 +184,34 @@ portcon tcp 6016 system_u:object_r:xserver_port_t
portcon tcp 6017 system_u:object_r:xserver_port_t
portcon tcp 6018 system_u:object_r:xserver_port_t
portcon tcp 6019 system_u:object_r:xserver_port_t
-')
-ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
-ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t')
-ifdef(`sound-server.te', `
+portcon tcp 6667 system_u:object_r:ircd_port_t
portcon tcp 8000 system_u:object_r:soundd_port_t
# 9433 is for YIFF
portcon tcp 9433 system_u:object_r:soundd_port_t
-')
-ifdef(`use_http_cache', `
portcon tcp 3128 system_u:object_r:http_cache_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon udp 3130 system_u:object_r:http_cache_port_t
-')
-ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
-ifdef(`amanda.te', `
+# 8118 is for privoxy
+portcon tcp 8118 system_u:object_r:http_cache_port_t
+
+portcon udp 4041 system_u:object_r:clockspeed_port_t
+portcon tcp 8081 system_u:object_r:transproxy_port_t
portcon udp 10080 system_u:object_r:amanda_port_t
portcon tcp 10080 system_u:object_r:amanda_port_t
portcon udp 10081 system_u:object_r:amanda_port_t
portcon tcp 10081 system_u:object_r:amanda_port_t
portcon tcp 10082 system_u:object_r:amanda_port_t
portcon tcp 10083 system_u:object_r:amanda_port_t
-')
-ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
+portcon tcp 60000 system_u:object_r:postgrey_port_t
+
+portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
+portcon tcp 10025 system_u:object_r:amavisd_send_port_t
+portcon tcp 3310 system_u:object_r:clamd_port_t
+portcon udp 6276 system_u:object_r:dcc_port_t
+portcon udp 6277 system_u:object_r:dcc_port_t
+portcon udp 24441 system_u:object_r:pyzor_port_t
+portcon tcp 2703 system_u:object_r:razor_port_t
+portcon tcp 8021 system_u:object_r:zope_port_t
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise
diff --git a/strict/types/device.te b/strict/types/device.te
index 35836e2..ffa6c11 100644
--- a/strict/types/device.te
+++ b/strict/types/device.te
@@ -10,7 +10,7 @@
#
# device_t is the type of /dev.
#
-type device_t, file_type, dev_fs;
+type device_t, file_type, mount_point, dev_fs;
#
# null_device_t is the type of /dev/null.
@@ -154,3 +154,10 @@ type cpu_device_t, device_type, dev_fs;
# for other device nodes such as the NVidia binary-only driver
type xserver_misc_device_t, device_type, dev_fs;
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_type, dev_fs;
+
+
+
+
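Review bot: The comment above the new `crypt_device_t` misspells "accelerator" (`accelorator`), and the hunk appends four empty lines at the end of the file. Suggested comment: `# for the IBM zSeries z90crypt hardware SSL accelerator`, with the trailing blank lines removed.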
diff --git a/strict/types/devpts.te b/strict/types/devpts.te
index b50cd55..56b8dde 100644
--- a/strict/types/devpts.te
+++ b/strict/types/devpts.te
@@ -10,12 +10,12 @@
#
# ptmx_t is the type for /dev/ptmx.
#
-type ptmx_t, sysadmfile, device_type, dev_fs;
+type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
#
# devpts_t is the type of the devpts file system and
# the type of the root directory of the file system.
#
-type devpts_t, fs_type;
+type devpts_t, mount_point, fs_type;
diff --git a/strict/types/file.te b/strict/types/file.te
index 0df034a..d6bc8a9 100644
--- a/strict/types/file.te
+++ b/strict/types/file.te
@@ -23,37 +23,37 @@ type fs_t, fs_type;
type eventpollfs_t, fs_type;
type futexfs_t, fs_type;
type bdev_t, fs_type;
-type usbfs_t, fs_type;
+type usbfs_t, mount_point, fs_type;
type nfsd_fs_t, fs_type;
type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, fs_type;
+type binfmt_misc_fs_t, mount_point, fs_type;
#
# file_t is the default type of a file that has not yet been
# assigned an extended attribute (EA) value (when using a filesystem
# that supports EAs).
#
-type file_t, file_type, sysadmfile;
+type file_t, file_type, mount_point, sysadmfile;
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
-type default_t, file_type, sysadmfile;
+type default_t, file_type, mount_point, sysadmfile;
#
# root_t is the type for the root directory.
#
-type root_t, file_type, sysadmfile;
+type root_t, file_type, mount_point, polyparent, sysadmfile;
#
# mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, sysadmfile;
+type mnt_t, file_type, mount_point, sysadmfile;
#
# home_root_t is the type for the directory where user home directories
# are created
#
-type home_root_t, file_type, sysadmfile;
+type home_root_t, file_type, mount_point, polyparent, sysadmfile;
#
# lost_found_t is the type for the lost+found directories.
@@ -64,7 +64,7 @@ type lost_found_t, file_type, sysadmfile;
# boot_t is the type for files in /boot,
# including the kernel.
#
-type boot_t, file_type, sysadmfile;
+type boot_t, file_type, mount_point, sysadmfile;
# system_map_t is for the system.map files in /boot
type system_map_t, file_type, sysadmfile;
@@ -77,7 +77,7 @@ type boot_runtime_t, file_type, sysadmfile;
#
# tmp_t is the type of /tmp and /var/tmp.
#
-type tmp_t, file_type, sysadmfile, tmpfile;
+type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
#
# etc_t is the type of the system etc directories.
@@ -137,7 +137,11 @@ type shlib_t, file_type, sysadmfile;
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
+ifdef(`targeted_policy', `
+typealias lib_t alias texrel_shlib_t;
+', `
type texrel_shlib_t, file_type, sysadmfile;
+')
# ld_so_t is the type of the system dynamic loaders.
#
@@ -171,26 +175,27 @@ type sbin_t, file_type, sysadmfile;
#
# usr_t is the type for /usr.
#
-type usr_t, file_type, sysadmfile;
+type usr_t, file_type, mount_point, sysadmfile;
#
# src_t is the type of files in the system src directories.
#
-type src_t, file_type, sysadmfile;
+type src_t, file_type, mount_point, sysadmfile;
#
# var_t is the type for /var.
#
-type var_t, file_type, sysadmfile;
+type var_t, file_type, mount_point, sysadmfile;
#
# Types for subdirectories of /var.
#
type var_run_t, file_type, sysadmfile;
type var_log_t, file_type, sysadmfile, logfile;
+typealias var_log_t alias crond_log_t;
type faillog_t, file_type, sysadmfile, logfile;
type var_lock_t, file_type, sysadmfile, lockfile;
-type var_lib_t, file_type, sysadmfile;
+type var_lib_t, mount_point, file_type, sysadmfile;
# for /var/{spool,lib}/texmf index files
type tetex_data_t, file_type, sysadmfile, tmpfile;
type var_spool_t, file_type, sysadmfile, tmpfile;
@@ -203,7 +208,7 @@ type var_log_ksyms_t, file_type, sysadmfile, logfile;
type lastlog_t, file_type, sysadmfile, logfile;
# Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, sysadmfile, usercanread;
+type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
#
# wtmp_t is the type of /var/log/wtmp.
@@ -211,11 +216,6 @@ type var_lib_nfs_t, file_type, sysadmfile, usercanread;
type wtmp_t, file_type, sysadmfile, logfile;
#
-# catman_t is the type for /var/catman.
-#
-type catman_t, file_type, sysadmfile, tmpfile;
-
-#
# cron_spool_t is the type for /var/spool/cron.
#
type cron_spool_t, file_type, sysadmfile;
@@ -239,6 +239,7 @@ type mqueue_spool_t, file_type, sysadmfile;
# man_t is the type for the man directories.
#
type man_t, file_type, sysadmfile;
+typealias man_t alias catman_t;
#
# readable_t is a general type for
@@ -271,23 +272,23 @@ type locale_t, file_type, sysadmfile;
# the default file system type.
#
allow { file_type device_type ttyfile } fs_t:filesystem associate;
-ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
-')
# Allow the pty to be associated with the file system.
allow devpts_t self:filesystem associate;
type tmpfs_t, file_type, sysadmfile, fs_type;
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
+ifdef(`distro_redhat', `
+allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
+')
type autofs_t, fs_type, noexattrfile, sysadmfile;
allow autofs_t self:filesystem associate;
-type usbdevfs_t, fs_type, noexattrfile, sysadmfile;
+type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
allow usbdevfs_t self:filesystem associate;
-type sysfs_t, fs_type, sysadmfile;
+type sysfs_t, mount_point, fs_type, sysadmfile;
allow sysfs_t self:filesystem associate;
type iso9660_t, fs_type, noexattrfile, sysadmfile;
@@ -302,6 +303,12 @@ allow ramfs_t self:filesystem associate;
type dosfs_t, fs_type, noexattrfile, sysadmfile;
allow dosfs_t self:filesystem associate;
+type hugetlbfs_t, mount_point, fs_type, sysadmfile;
+allow hugetlbfs_t self:filesystem associate;
+
+type mqueue_t, mount_point, fs_type, sysadmfile;
+allow mqueue_t self:filesystem associate;
+
# udev_runtime_t is the type of the udev table file
type udev_runtime_t, file_type, sysadmfile;
@@ -310,7 +317,12 @@ type krb5_conf_t, file_type, sysadmfile;
type cifs_t, fs_type, noexattrfile, sysadmfile;
allow cifs_t self:filesystem associate;
-typealias cifs_t alias sambafs_t;
+
+type debugfs_t, fs_type, sysadmfile;
+allow debugfs_t self:filesystem associate;
+
+type inotifyfs_t, fs_type, sysadmfile;
+allow inotifyfs_t self:filesystem associate;
# removable_t is the default type of all removable media
type removable_t, file_type, sysadmfile, usercanread;
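Review bot: Dropping `typealias cifs_t alias sambafs_t;` removes a name that other policy sources, file_contexts or genfs entries may still reference, and the hunk does not say it has been checked; a one-line note in the commit or a `# sambafs_t alias removed; no remaining references as of this change` comment would close that question. The new `debugfs_t` and `inotifyfs_t` are declared without `mount_point`, whereas the preceding hunk (`@@ -302,6 +303,12 @@`) gives the equally new `hugetlbfs_t` and `mqueue_t` that attribute — if the difference is deliberate (these pseudo-filesystems are never mounted onto a mount_point-managed directory) a comment saying so would stop the next person from "fixing" it. Note that the enclosing file section continues past this hunk.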
@@ -318,4 +330,11 @@ allow removable_t self:filesystem associate;
allow file_type removable_t:filesystem associate;
allow file_type noexattrfile:filesystem associate;
+# Type for anonymous FTP data, used by ftp and rsync
+type ftpd_anon_t, file_type, sysadmfile, customizable;
+
+allow customizable self:filesystem associate;
+
+# type for /tmp/.ICE-unix
+type ice_tmp_t, file_type, sysadmfile, tmpfile;
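Review bot: `allow customizable self:filesystem associate;` is a blanket rule for every type carrying the `customizable` attribute, not just the `ftpd_anon_t` declared two lines above it, yet it sits under the ftpd comment as if it were specific to that type. A comment on the rule stating the intent (presumably that a filesystem mounted with a customizable type as its context may hold files of that same type — worth confirming) and a blank line separating it from the ftpd_anon_t declaration would make the scope clear. The surrounding file section ends with this hunk.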
diff --git a/strict/types/network.te b/strict/types/network.te
index 39666ee..bf5ca67 100644
--- a/strict/types/network.te
+++ b/strict/types/network.te
@@ -8,50 +8,27 @@
# Modified by Russell Coker
# Move port types to their respective domains, add ifdefs, other cleanups.
-# generally we do not want to define port types in this file, but some things
-# are insanely difficult to do elsewhere, xserver_port_t is a good example
-# getting the type defined is the easy part for X, conditional code for many
-# other domains (including one that starts with a) is the hard part.
-ifdef(`xdm.te', `define(`use_x_ports')')
-ifdef(`startx.te', `define(`use_x_ports')')
-ifdef(`xauth.te', `define(`use_x_ports')')
-ifdef(`xserver.te', `define(`use_x_ports')')
-ifdef(`use_x_ports', `
type xserver_port_t, port_type;
-')
#
# Defines used by the te files need to be defined outside of net_constraints
#
-ifdef(`named.te', `define(`use_dns')')
-ifdef(`nsd.te', `define(`use_dns')')
-ifdef(`tinydns.te', `define(`use_dns')')
-ifdef(`dnsmasq.te', `define(`use_dns')')
-ifdef(`use_dns', `
-type dns_port_t, port_type;
-')
-
-ifdef(`dhcpd.te', `define(`use_dhcpd')')
-ifdef(`dnsmasq.te', `define(`use_dhcpd')')
-ifdef(`use_dhcpd', `
-type dhcpd_port_t, port_type;
-')
-
-ifdef(`cyrus.te', `define(`use_pop')')
-ifdef(`courier.te', `define(`use_pop')')
-ifdef(`perdition.te', `define(`use_pop')')
-ifdef(`dovecot.te', `define(`use_pop')')
-ifdef(`uwimapd.te', `define(`use_pop')')
-ifdef(`use_pop', `
+type rsh_port_t, port_type, reserved_port_type;
+type dns_port_t, port_type, reserved_port_type;
+type smtp_port_t, port_type, reserved_port_type;
+type dhcpd_port_t, port_type, reserved_port_type;
+type smbd_port_t, port_type, reserved_port_type;
+type nmbd_port_t, port_type, reserved_port_type;
+type http_cache_port_t, port_type, reserved_port_type;
+type http_port_t, port_type, reserved_port_type;
+type ipp_port_t, port_type, reserved_port_type;
+type gopher_port_t, port_type, reserved_port_type;
+type isakmp_port_t, port_type, reserved_port_type;
+
+allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
type pop_port_t, port_type, reserved_port_type;
-')
-ifdef(`apache.te', `define(`use_http_cache')')
-ifdef(`squid.te', `define(`use_http_cache')')
-ifdef(`use_http_cache', `
-type http_cache_port_t, port_type;
-')
-ifdef(`dhcpd.te', `define(`use_pxe')')
-ifdef(`pxe.te', `define(`use_pxe')')
+type ftp_port_t, port_type, reserved_port_type;
+type ftp_data_port_t, port_type, reserved_port_type;
############################################
#
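Review bot: The comment block `# Defines used by the te files need to be defined outside of net_constraints` is left standing after every `ifdef`/`define` it described has been removed, so it now introduces a bare list of type declarations; either delete it or reword it to `# Port types are declared unconditionally; the reserved_port_type attribute marks ports below 1024 — TODO confirm criterion`. The `reserved_port_type` attribute is security-relevant because attribute-wide rules decide which domains may bind or connect to these ports, and `http_cache_port_t` is conventionally a high port (3128/8080) while every other type in this run that carries the attribute is a sub-1024 service — confirm it belongs in that class or drop the attribute. `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` is wedged between two declarations and references `web_client_domain`, which is not declared in this hunk; moving it below the declarations with a comment naming where the attribute is defined would help. The file header's own note that port types were "moved to their respective domains" is contradicted by this change and should be updated.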
@@ -71,6 +48,16 @@ type kerberos_admin_port_t, port_type, reserved_port_type;
type kerberos_master_port_t, port_type;
#
+# Ports used to communicate with portmap server
+#
+type portmap_port_t, port_type, reserved_port_type;
+
+#
+# Ports used to communicate with ldap server
+#
+type ldap_port_t, port_type, reserved_port_type;
+
+#
# port_t is the default type of INET port numbers.
# The *_port_t types are used for specific port
# numbers in net_contexts or net_contexts.mls.
@@ -120,3 +107,79 @@ allow kernel_t node_type:node { rawip_send rawip_recv };
# Kernel-generated traffic, e.g. TCP resets.
allow kernel_t netif_type:netif { tcp_send tcp_recv };
allow kernel_t node_type:node { tcp_send tcp_recv };
+type radius_port_t, port_type;
+type radacct_port_t, port_type;
+type rndc_port_t, port_type, reserved_port_type;
+type tftp_port_t, port_type, reserved_port_type;
+type printer_port_t, port_type, reserved_port_type;
+type mysqld_port_t, port_type;
+type postgresql_port_t, port_type;
+type ptal_port_t, port_type, reserved_port_type;
+type howl_port_t, port_type;
+type dict_port_t, port_type;
+type syslogd_port_t, port_type, reserved_port_type;
+type spamd_port_t, port_type, reserved_port_type;
+type ssh_port_t, port_type, reserved_port_type;
+type pxe_port_t, port_type;
+type amanda_port_t, port_type;
+type fingerd_port_t, port_type, reserved_port_type;
+type dhcpc_port_t, port_type, reserved_port_type;
+type ntp_port_t, port_type, reserved_port_type;
+type stunnel_port_t, port_type;
+type zebra_port_t, port_type;
+type i18n_input_port_t, port_type;
+type vnc_port_t, port_type;
+type openvpn_port_t, port_type;
+type clamd_port_t, port_type, reserved_port_type;
+type transproxy_port_t, port_type;
+type clockspeed_port_t, port_type;
+type pyzor_port_t, port_type, reserved_port_type;
+type postgrey_port_t, port_type;
+type asterisk_port_t, port_type;
+type utcpserver_port_t, port_type;
+type nessus_port_t, port_type;
+type razor_port_t, port_type;
+type distccd_port_t, port_type;
+type socks_port_t, port_type;
+type gatekeeper_port_t, port_type;
+type dcc_port_t, port_type;
+type lrrd_port_t, port_type;
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+type ircd_port_t, port_type;
+type giftd_port_t, port_type;
+type soundd_port_t, port_type;
+type imaze_port_t, port_type;
+type monopd_port_t, port_type;
+# Differentiate between the port where amavisd receives mail, and the
+# port where it returns cleaned mail back to the MTA.
+type amavisd_recv_port_t, port_type;
+type amavisd_send_port_t, port_type;
+type innd_port_t, port_type, reserved_port_type;
+type snmp_port_t, port_type, reserved_port_type;
+type biff_port_t, port_type, reserved_port_type;
+type hplip_port_t, port_type;
+
+#inetd_child_ports
+
+type rlogind_port_t, port_type, reserved_port_type;
+type telnetd_port_t, port_type, reserved_port_type;
+type comsat_port_t, port_type, reserved_port_type;
+type cvs_port_t, port_type;
+type dbskkd_port_t, port_type, reserved_port_type;
+type inetd_child_port_t, port_type, reserved_port_type;
+type ktalkd_port_t, port_type, reserved_port_type;
+type rsync_port_t, port_type, reserved_port_type;
+type uucpd_port_t, port_type, reserved_port_type;
+type swat_port_t, port_type, reserved_port_type;
+type zope_port_t, port_type;
+type auth_port_t, port_type, reserved_port_type;
+
+# afs ports
+
+type afs_fs_port_t, port_type;
+type afs_pt_port_t, port_type;
+type afs_vl_port_t, port_type;
+type afs_ka_port_t, port_type;
+type afs_bos_port_t, port_type;
+
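Review bot: This run of port-type declarations is appended after the `kernel_t` traffic rules with no heading, so declarations and access rules are now interleaved in the file; a section comment such as `# Port types for services without their own policy module` above `type radius_port_t` (and a short one at `#inetd_child_ports` saying what distinguishes those entries) would make the grouping readable. The choice of `reserved_port_type` per line is what matters for access control here, and a few look out of step with the rest of the list: `pyzor_port_t` and `dbskkd_port_t` carry the attribute although those services are conventionally on ports above 1023 — confirm against net_contexts before this lands. `biff_port_t` and `comsat_port_t` conventionally name the same service; if both are bound to the same port number the duplicate portcon will be rejected, so either document why two types are needed or alias one to the other. The hunk also ends on a trailing blank `+` line that can be dropped.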