diff --git a/booleans-olpc.conf b/booleans-olpc.conf
new file mode 100644
index 0000000..9bac249
--- /dev/null
+++ b/booleans-olpc.conf
@@ -0,0 +1,51 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+#
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+#
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+#
+allow_execstack = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+#
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+#
+allow_gssd_read_tmp = false
+
+# Allow sysadm to ptrace all processes
+#
+allow_ptrace = false
+
+# Allow reading of default_t files.
+#
+read_default_t = false
+
+# Allow system cron jobs to relabel filesystemfor restoring file contexts.
+#
+cron_can_relabel = false
+
+# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
+#
+staff_read_sysadm_file = false
+
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+# Allow sysadm to ptrace all processes
+#
+allow_ptrace = false
+
+## Control users use of ping and traceroute
+user_ping = true
+
+# Allow unlabeled packets to flow
+#
+allow_unlabeled_packets = true
+
diff --git a/modules-olpc.conf b/modules-olpc.conf
new file mode 100644
index 0000000..9b43e3d
--- /dev/null
+++ b/modules-olpc.conf
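Review bot: `allow_ptrace` is set twice in the new booleans-olpc.conf, once after `allow_gssd_read_tmp` and again after `user_dmesg`, both under the comment `# Allow sysadm to ptrace all processes`. Both entries are `false` today, but a later edit to only one of them would leave the effective value dependent on which entry the policy build honours; the second block should be dropped. Separately, `allow_unlabeled_packets = true` is the one permissive network setting in a file that otherwise denies execmem, execmod and execstack, and a one-line comment such as `# OLPC: no labeled networking configured, unlabeled traffic must pass` (if that is the reason) would record why it is enabled.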
@@ -0,0 +1,397 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = base
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = base
+
+# Layer: apps
+# Module: ada
+#
+# ada executable
+#
+ada = base
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = base
+
+# Layer: system
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+#
+application = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = base
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = base
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = base
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = base
+
+# Layer: system
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = base
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+#
+hal = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = base
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = base
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = base
+
+# Layer: apps
+# Module: java
+#
+# java executable
+#
+java = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+#
+kudzu = base
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+#
+mcs = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = base
+
+# Layer: apps
+# Module: mono
+#
+# mono executable
+#
+mono = base
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = base
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = base
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = base
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = base
+
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+#
+prelink = base
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = base
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+# +unconfined = base + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = base + +# Layer: services +# Module: xfs +# +# X Windows Font Server +# +xfs = base + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = base + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + diff --git a/policy-20070525.patch b/policy-20070525.patch index 3105212..205f655 100644 --- a/policy-20070525.patch +++ b/policy-20070525.patch @@ -1,3 +1,11 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts +--- nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts 2007-06-26 07:57:11.000000000 -0400 +@@ -0,0 +1,4 @@ ++system_r:local_login_t:s0 guest_r:guest_t:s0 ++system_r:remote_login_t:s0 guest_r:guest_t:s0 ++system_r:sshd_t:s0 guest_r:guest_t:s0 ++system_r:crond_t:s0 guest_r:guest_crond_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts 2007-06-19 17:06:27.000000000 -0400 
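Review bot: Every entry in modules-olpc.conf is `base`, including `unconfined`, `java`, `mono` and `ada`, so by the file's own header none of them is built as an individually loadable module. If the OLPC image is ever expected to run without the unconfined domain, `unconfined = module` would let it be dropped without rebuilding base; if everything-in-base is deliberate, a sentence in the header comment saying so would help. Two documentation slips in the same hunk: the `terminal` entry has no `# Layer:` line, and the `prelink` description reads `Manage temporary directory sizes and file ages`, which looks copied from another module's entry.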
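Review bot: The added guest_u_default_contexts maps all four entry points, including `system_r:sshd_t:s0` and `system_r:crond_t:s0`, to a guest context, so a guest_u account is given a default session for remote shell logins and cron jobs as well as local login. If guest is meant to be a minimal local role, it is worth considering whether the sshd and crond lines belong here; if remote and cron access is intended, the commit message or spec changelog should say so. The file appears only under appconfig-strict-mls in this hunk; whether the other appconfig variants receive a matching file is not visible here.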
@@ -4650,8 +4658,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.1/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/ftp.te 2007-06-19 17:06:27.000000000 -0400 -@@ -156,6 +156,7 @@ ++++ serefpolicy-3.0.1/policy/modules/services/ftp.te 2007-06-26 07:22:44.000000000 -0400 +@@ -88,6 +88,7 @@ + allow ftpd_t self:unix_stream_socket create_stream_socket_perms; + allow ftpd_t self:tcp_socket create_stream_socket_perms; + allow ftpd_t self:udp_socket create_socket_perms; ++allow ftpd_t self:key { search write link }; + + allow ftpd_t ftpd_etc_t:file read_file_perms; + +@@ -156,6 +157,7 @@ auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) @@ -4659,15 +4675,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. # Append to /var/log/wtmp. auth_append_login_records(ftpd_t) #kerberized ftp requires the following -@@ -167,6 +168,7 @@ +@@ -167,7 +169,9 @@ libs_use_ld_so(ftpd_t) libs_use_shared_libs(ftpd_t) +logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) ++logging_set_loginuid(ftpd_t) miscfiles_read_localization(ftpd_t) -@@ -216,6 +218,14 @@ + miscfiles_read_public_files(ftpd_t) +@@ -216,6 +220,14 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) 
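Review bot: The new `allow ftpd_t self:key { search write link };` in the `-88,6 +88,7` section of ftp.te is unconditional and carries no comment, while neighbouring grants in the same file are annotated (`# Append to /var/log/wtmp.`, `#kerberized ftp requires the following`). A line such as `# session keyring created by PAM at login (confirm)` above it would record why the daemon needs write and link on its own keyring. The same applies to `logging_set_loginuid(ftpd_t)`, added in the following hunk next to `logging_send_audit_msgs(ftpd_t)`: both rules widen what ftpd_t may do in every configuration, so stating the PAM or audit requirement behind them lets a later reviewer judge whether they can be tightened or placed under a tunable.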
@@ -9661,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/userdomain.if 2007-06-21 14:03:09.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/system/userdomain.if 2007-06-26 07:46:18.000000000 -0400 @@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; @@ -9749,7 +9767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -677,16 +674,6 @@ +@@ -677,67 +674,39 @@ attribute unpriv_userdomain; ') @@ -9766,12 +9784,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_untrusted_content_template($1) userdom_basic_networking_template($1) -@@ -695,49 +682,29 @@ - userdom_xwindows_client_template($1) + userdom_exec_generic_pgms_template($1) -- userdom_change_password_template($1) +- userdom_xwindows_client_template($1) - +- userdom_change_password_template($1) ++ optional_policy(` ++ userdom_xwindows_client_template($1) ++ ') + ############################## # # User domain Local policy @@ -9816,7 +9838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_exec_etc_files($1_t) files_search_locks($1_t) # Check to see if cdrom is mounted -@@ -750,12 +717,6 @@ +@@ -750,12 +719,6 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) 
@@ -9829,7 +9851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -768,31 +729,16 @@ +@@ -768,31 +731,16 @@ storage_getattr_fixed_disk_dev($1_t) auth_read_login_records($1_t) @@ -9863,7 +9885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_t) -@@ -807,19 +753,12 @@ +@@ -807,19 +755,12 @@ files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) @@ -9883,7 +9905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -834,34 +773,14 @@ +@@ -834,34 +775,14 @@ ') optional_policy(` @@ -9918,7 +9940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -889,17 +808,19 @@ +@@ -889,17 +810,19 @@ ') optional_policy(` @@ -9944,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -913,16 +834,6 @@ +@@ -913,16 +836,6 @@ ') optional_policy(` @@ -9961,7 +9983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -932,11 +843,6 @@ +@@ -932,11 +845,6 @@ ') optional_policy(` @@ -9973,7 +9995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -967,21 +873,122 @@ +@@ -967,21 +875,122 @@ ## ## # @@ -10102,7 +10124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -990,15 +997,45 @@ +@@ -990,15 +999,45 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; 
@@ -10152,7 +10174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1038,14 +1075,6 @@ +@@ -1038,14 +1077,6 @@ ') optional_policy(` @@ -10167,7 +10189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') -@@ -1059,12 +1088,8 @@ +@@ -1059,12 +1090,8 @@ setroubleshoot_stream_connect($1_t) ') @@ -10181,7 +10203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; -@@ -1107,6 +1132,8 @@ +@@ -1107,6 +1134,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -10190,7 +10212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1132,7 +1159,7 @@ +@@ -1132,7 +1161,7 @@ # $1_t local policy # @@ -10199,7 +10221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1144,8 +1171,6 @@ +@@ -1144,8 +1173,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -10208,7 +10230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -3083,7 +3108,7 @@ +@@ -3083,7 +3110,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` 
@@ -10217,7 +10239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5553,6 +5578,26 @@ +@@ -5553,6 +5580,26 @@ ######################################## ## @@ -10244,7 +10266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Unconfined access to user domains. (Deprecated) ## ## -@@ -5564,3 +5609,124 @@ +@@ -5564,3 +5611,124 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/securetty_types-olpc b/securetty_types-olpc new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/securetty_types-olpc diff --git a/selinux-policy.spec b/selinux-policy.spec index b4ede7e..8f13e2c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -172,7 +172,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2336. +Based off of reference policy: Checked out revision 2348. %prep %setup -q -n serefpolicy-%{version} diff --git a/setrans-olpc.conf b/setrans-olpc.conf new file mode 100644 index 0000000..9b46bbd --- /dev/null +++ b/setrans-olpc.conf @@ -0,0 +1,19 @@ +# +# Multi-Category Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be categorized with 0-1023 categories defined by the admin. +# Objects can be in more than one category at a time. +# Categories are stored in the system as c0-c1023. Users can use this +# table to translate the categories into a more meaningful output. +# Examples: +# s0:c0=CompanyConfidential +# s0:c1=PatientRecord +# s0:c2=Unclassified +# s0:c3=TopSecret +# s0:c1,c3=CompanyConfidentialRedHat +s0= +s0-s0:c0.c1023=SystemLow-SystemHigh +s0:c0.c1023=SystemHigh diff --git a/sources b/sources index 3566ffe..d4500e0 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -7c004ddde0e20cfeba8a94b2aa308a06 serefpolicy-3.0.1.tgz +15e7cf49d82f31ea9b50c3520399c22d serefpolicy-3.0.1.tgz