diff --git a/modules-targeted.conf b/modules-targeted.conf
index f2fc695..fa8c19b 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1565,3 +1565,10 @@ munin = module
#
bitlbee = module
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 6eec528..cad545c 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -109,6 +109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.4/M
endef
# create-base-per-role-tmpl modulenames,outputfile
+Binary files nsaserefpolicy/man/ru/man8/samba_selinux.8.gz and serefpolicy-3.2.4/man/ru/man8/samba_selinux.8.gz differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.4/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400
+++ serefpolicy-3.2.4/policy/flask/access_vectors 2007-12-13 17:37:33.000000000 -0500
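Review bot: The added line `Binary files nsaserefpolicy/man/ru/man8/samba_selinux.8.gz and serefpolicy-3.2.4/man/ru/man8/samba_selinux.8.gz differ` carries nothing that `patch` can apply, so the Russian samba_selinux man page is not actually updated by this patch file. If the gzipped page is meant to ship, it has to be delivered outside the textual patch or the patch regenerated in a binary-capable format. Otherwise the line is only noise in the diff and can be dropped when the patch is regenerated.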
@@ -703,7 +704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.4/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.4/policy/modules/admin/kudzu.te 2007-12-13 17:37:33.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/admin/kudzu.te 2007-12-18 10:07:53.000000000 -0500
@@ -21,8 +21,8 @@
# Local policy
#
@@ -732,19 +733,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
# kudzu will telinit to make init re-read
# the inittab after configuring serial consoles
init_telinit(kudzu_t)
-@@ -140,30 +143,3 @@
- optional_policy(`
- udev_read_db(kudzu_t)
+@@ -142,28 +145,6 @@
')
--
--optional_policy(`
+
+ optional_policy(`
- # cjp: this was originally in the else block
- # of ifdef userhelper.te, but it seems to
- # make more sense here. also, require
- # blocks curently do not work in the
- # else block of optionals
-- unconfined_domain(kudzu_t)
--')
++ unconfined_domtrans(kudzu_t)
+ unconfined_domain(kudzu_t)
+ ')
-
-ifdef(`TODO',`
-allow kudzu_t modules_conf_t:file unlink;
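Review bot: On the new side the kudzu `optional_policy` block keeps `unconfined_domain(kudzu_t)` and adds `unconfined_domtrans(kudzu_t)`, while the only comment that explained why kudzu_t is left unconfined (the `# cjp:` block) is removed in the same inner hunk, so the patched kudzu.te ends up with an unconfined hardware-probing daemon and no recorded rationale. A one-line replacement such as `# kudzu reconfigures hardware and is deliberately left unconfined; the domtrans covers the helpers it spawns` would preserve that history. The old/new reading here is inferred from the nested `+`/`-` columns and should be confirmed against the regenerated patch.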
@@ -3405,6 +3405,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
+optional_policy(`
+ xserver_xdm_rw_shm(wine_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.4/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/kernel/corecommands.fc 2007-12-18 11:39:23.000000000 -0500
+@@ -127,6 +127,8 @@
+ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
++/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /usr
+ #
+@@ -147,7 +149,7 @@
+ /usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
+@@ -186,6 +188,8 @@
+ /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.4/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/kernel/corecommands.if 2007-12-13 17:37:34.000000000 -0500
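Review bot: `/usr/bin/scponly` and `/usr/sbin/scponlyc` are labeled `shell_exec_t`, which means they run in the caller's domain with no transition; scponlyc is the chroot variant and, where it is installed setuid root as that mode commonly requires, it will then run as root inside whatever domain invoked it. If the intent is to treat scponly like any other login shell, a short comment above the two entries saying so would make that explicit; otherwise a dedicated domain would be the least-privilege option. The `-`/`+` pair for `/usr/lib(64)?/cups/filter(/.*)?` appears to differ only in whitespace, which this view cannot show, so confirm it is an intended change rather than a stray tab/space edit.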
@@ -3418,8 +3448,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in 2007-12-13 17:37:34.000000000 -0500
-@@ -133,6 +133,7 @@
++++ serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in 2007-12-18 14:43:53.000000000 -0500
+@@ -122,6 +122,7 @@
+ network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+ network_port(monopd, tcp,1234,s0)
+ network_port(msnp, tcp,1863,s0, udp,1863,s0)
++network_port(munin, tcp,4949,s0, udp,4949,s0)
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
+ portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+ network_port(nessus, tcp,1241,s0)
+@@ -133,6 +134,7 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0)
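Review bot: `network_port(munin, tcp,4949,s0, udp,4949,s0)` declares UDP 4949 alongside TCP, but as far as I know munin-node listens on TCP 4949 only; if that holds, the UDP half widens every `corenet_*_munin_port` interface for no benefit and `network_port(munin, tcp,4949,s0)` would do. The consumer added elsewhere in this commit, `corenet_tcp_connect_munin_port(munin_t)`, is TCP-only, which is consistent with dropping the UDP declaration.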
@@ -3448,7 +3486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.4/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.4/policy/modules/kernel/devices.if 2007-12-13 17:37:34.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/kernel/devices.if 2007-12-18 10:39:31.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -3484,7 +3522,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete a directory in the device directory.
##
##
-@@ -667,6 +686,7 @@
+@@ -649,6 +668,7 @@
+ ')
+
+ getattr_blk_files_pattern($1,device_t,device_node)
++
+ ')
+
+ ########################################
+@@ -667,6 +687,7 @@
')
dontaudit $1 device_node:blk_file getattr;
@@ -3492,7 +3538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
')
########################################
-@@ -704,6 +724,7 @@
+@@ -704,6 +725,7 @@
')
dontaudit $1 device_node:chr_file getattr;
@@ -3500,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
')
########################################
-@@ -2787,6 +2808,97 @@
+@@ -2787,6 +2809,97 @@
########################################
##
@@ -4924,6 +4970,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.2.4/policy/modules/services/bitlbee.te
+--- nsaserefpolicy/policy/modules/services/bitlbee.te 2007-09-17 15:56:47.000000000 -0400
++++ serefpolicy-3.2.4/policy/modules/services/bitlbee.te 2007-12-18 09:56:33.000000000 -0500
+@@ -54,6 +54,9 @@
+ corenet_tcp_connect_msnp_port(bitlbee_t)
+ corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+
++dev_read_rand(bitlbee_t)
++dev_read_urand(bitlbee_t)
++
+ files_read_etc_files(bitlbee_t)
+ files_search_pids(bitlbee_t)
+ # grant read-only access to the user help files
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.4/policy/modules/services/bluetooth.fc
--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/bluetooth.fc 2007-12-13 17:37:34.000000000 -0500
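Review bot: `dev_read_rand(bitlbee_t)` grants reads of the blocking `/dev/random` on top of `dev_read_urand(bitlbee_t)`; TLS libraries normally seed from `/dev/urandom`, so if the denial that prompted this was only on urandom the `dev_read_rand` line can be dropped and the domain will not drain the blocking pool. Worth checking the AVC that motivated the change before keeping both grants.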
@@ -6118,7 +6177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/dovecot.te 2007-12-13 17:37:34.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/dovecot.te 2007-12-18 11:01:04.000000000 -0500
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -6218,7 +6277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+')
+
+optional_policy(`
-+ postfix_manage_pivate_sockets(dovecot_auth_t)
++ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
')
+
@@ -6465,6 +6524,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ exim_manage_var_lib(exim_lib_update_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.4/policy/modules/services/fail2ban.fc
+--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.2.4/policy/modules/services/fail2ban.fc 2007-12-18 11:18:22.000000000 -0500
+@@ -1,3 +1,4 @@
+ /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
++/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+ /var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.4/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.4/policy/modules/services/ftp.if 2007-12-13 17:37:34.000000000 -0500
@@ -6931,6 +6998,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.4/policy/modules/services/mailman.if
+--- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/mailman.if 2007-12-18 11:04:17.000000000 -0500
+@@ -211,6 +211,7 @@
+ type mailman_data_t;
+ ')
+
++ manage_dirs_pattern($1,mailman_data_t,mailman_data_t)
+ manage_files_pattern($1,mailman_data_t,mailman_data_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.4/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/mailman.te 2007-12-13 17:37:34.000000000 -0500
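Review bot: Adding `manage_dirs_pattern($1,mailman_data_t,mailman_data_t)` changes the contract of the enclosing interface for every existing caller, not only the postfix domains this commit targets; any domain that already used it for file access now also gets create/delete on mailman_data_t directories. The interface's header and its `##` description start outside the inner hunk, so the description should be updated to say it now manages directories as well. If only one caller needs directory management, a separate `mailman_manage_data_dirs`-style interface would keep the existing grants narrow.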
@@ -7274,6 +7352,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.4/policy/modules/services/munin.fc
+--- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400
++++ serefpolicy-3.2.4/policy/modules/services/munin.fc 2007-12-18 14:51:15.000000000 -0500
+@@ -8,4 +8,5 @@
+ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+ /var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
++/var/www/html/munin(/.*)? gen_context(system_u:object_r:http_munin_content_t,s0)
++/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:http_munin_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.4/policy/modules/services/munin.te
+--- nsaserefpolicy/policy/modules/services/munin.te 2007-11-15 13:40:14.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/munin.te 2007-12-18 14:50:13.000000000 -0500
+@@ -37,6 +37,9 @@
+ allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow munin_t self:tcp_socket create_stream_socket_perms;
+ allow munin_t self:udp_socket create_socket_perms;
++allow munin_t self:fifo_file create_fifo_file_perms;
++
++can_exec(munin_t, munin_exec_t)
+
+ allow munin_t munin_etc_t:dir list_dir_perms;
+ read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
+@@ -73,6 +76,7 @@
+ corenet_udp_sendrecv_all_nodes(munin_t)
+ corenet_tcp_sendrecv_all_ports(munin_t)
+ corenet_udp_sendrecv_all_ports(munin_t)
++corenet_tcp_connect_munin_port(munin_t)
+
+ dev_read_sysfs(munin_t)
+ dev_read_urand(munin_t)
+@@ -118,3 +122,9 @@
+ optional_policy(`
+ udev_read_db(munin_t)
+ ')
++
++#============= http munin policy ==============
++apache_content_template(munin)
++
++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.4/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/mysql.fc 2007-12-13 17:37:34.000000000 -0500
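Review bot: The types in munin.fc do not match what munin.te declares: the fc lines use `http_munin_content_t` and `http_munin_script_exec_t`, while `apache_content_template(munin)` and the two `manage_*_pattern` lines below it use the `httpd_munin_content_t` prefix. Unless a type with the `http_` spelling exists elsewhere, the file_contexts entries reference an undeclared type and will fail at policy build or relabel time. The two fc lines should read `/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)` and `/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)`. Separately, `corenet_tcp_connect_munin_port(munin_t)` depends on the `munin` port declaration added in the corenetwork hunk of this same commit, so the two changes must land together.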
@@ -8222,7 +8341,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.4/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/postfix.if 2007-12-13 17:37:34.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/postfix.if 2007-12-18 11:00:59.000000000 -0500
+@@ -416,7 +416,7 @@
+ ##
+ ##
+ #
+-interface(`postfix_create_pivate_sockets',`
++interface(`postfix_create_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
@@ -427,6 +427,26 @@
########################################
@@ -8235,7 +8363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+##
+##
+#
-+interface(`postfix_manage_pivate_sockets',`
++interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
@@ -8252,7 +8380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.4/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/postfix.te 2007-12-13 17:37:34.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/postfix.te 2007-12-18 10:58:24.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
@@ -8303,7 +8431,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
cyrus_stream_connect(postfix_master_t)
-@@ -273,6 +288,8 @@
+@@ -248,6 +263,10 @@
+
+ corecmd_exec_bin(postfix_cleanup_t)
+
++optional_policy(`
++ mailman_read_data_files(postfix_cleanup_t)
++')
++
+ ########################################
+ #
+ # Postfix local local policy
+@@ -273,6 +292,8 @@
files_read_etc_files(postfix_local_t)
@@ -8312,7 +8451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
-@@ -285,6 +302,7 @@
+@@ -285,6 +306,7 @@
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
@@ -8320,7 +8459,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -346,8 +364,6 @@
+@@ -295,8 +317,7 @@
+ #
+ # Postfix map local policy
+ #
+-
+-allow postfix_map_t self:capability setgid;
++allow postfix_map_t self:capability { dac_override setgid setuid };
+ allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+ allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+ allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+@@ -346,8 +367,6 @@
miscfiles_read_localization(postfix_map_t)
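Review bot: `allow postfix_map_t self:capability { dac_override setgid setuid };` adds two broad capabilities to the map domain; `dac_override` in particular bypasses every file permission check, so an AVC on a specific file type is better fixed by a targeted grant (as the `mailman_manage_data_files(postfix_map_t)` block in the following hunk already does) than by this capability. If postmap/postalias genuinely switches to the postfix user, `setuid`/`setgid` are defensible, but the `dac_override` addition deserves a comment naming the access that required it, e.g. `# dac_override: <constructed: file access seen in the AVC>`. The Postfix map policy section continues outside the hunk.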
@@ -8329,7 +8478,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
-@@ -392,6 +408,10 @@
+@@ -360,6 +379,11 @@
+ locallogin_dontaudit_use_fds(postfix_map_t)
+ ')
+
++optional_policy(`
++# for postalias
++ mailman_manage_data_files(postfix_map_t)
++')
++
+ ########################################
+ #
+ # Postfix pickup local policy
+@@ -392,6 +416,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
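Review bot: The comment `# for postalias` inside the new `optional_policy` block sits at column 0 while the identical comment in the postfix_local_t block above it is indented with the statement it describes; indent it to match, `	# for postalias`. Keeping the two blocks visually parallel makes it obvious that postfix_map_t and postfix_local_t are being granted the same mailman access for the same reason.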
@@ -8340,7 +8501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
procmail_domtrans(postfix_pipe_t)
')
-@@ -400,6 +420,10 @@
+@@ -400,6 +428,10 @@
')
optional_policy(`
@@ -8351,7 +8512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -532,9 +556,6 @@
+@@ -532,9 +564,6 @@
# connect to master process
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
@@ -8361,7 +8522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +578,10 @@
+@@ -557,6 +586,10 @@
sasl_connect(postfix_smtpd_t)
')
@@ -13821,7 +13982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.4/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/system/unconfined.te 2007-12-17 17:05:56.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/system/unconfined.te 2007-12-18 13:42:58.000000000 -0500
@@ -9,32 +9,48 @@
# usage in this module of types created by these
# calls is not correct, however we dont currently