diff --git a/policy-20071130.patch b/policy-20071130.patch
index f1341a8..e9e5e8a 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -2404,6 +2404,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+optional_policy(`
+ xserver_xdm_rw_shm(java_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.1/policy/modules/apps/loadkeys.te
+--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-10-12 08:56:02.000000000 -0400
++++ serefpolicy-3.2.1/policy/modules/apps/loadkeys.te 2007-12-01 08:16:19.000000000 -0500
+@@ -44,3 +44,5 @@
+ optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+ ')
++
++userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.1/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/apps/mono.if 2007-11-30 11:23:56.000000000 -0500
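Review bot: The new `userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)` line (L17) silences write denials on every unprivileged user's home content without saying which access triggers them. A dontaudit on writes is exactly the kind of rule that later hides a real misconfiguration, since loadkeys writing into a home directory would normally be worth seeing, so the motivating denial should be named above the line, e.g. `# loadkeys tries to write <home file — TODO fill in> when run from a user session; harmless, do not audit`. If the access turns out to be a genuine requirement rather than noise, an allow rule scoped to the specific type would be the more honest fix. The java.te lines at the top of the hunk are unchanged context.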
@@ -3840,7 +3849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/files.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/kernel/files.if 2007-12-01 06:48:16.000000000 -0500
@@ -1266,6 +1266,24 @@
########################################
@@ -3944,7 +3953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# etc_runtime_t is the type of various
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.1/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/filesystem.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/kernel/filesystem.te 2007-12-01 08:42:02.000000000 -0500
@@ -25,6 +25,8 @@
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -3954,6 +3963,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+@@ -135,6 +137,11 @@
+ genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+ files_mountpoint(squash_t)
+
++type vmblock_t;
++fs_noxattr_type(vmblock_t)
++files_mountpoint(vmblock_t)
++genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
++
+ type vxfs_t;
+ fs_noxattr_type(vxfs_t)
+ files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.1/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.1/policy/modules/kernel/kernel.if 2007-11-30 11:30:39.000000000 -0500
@@ -5131,8 +5152,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.1/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/clamav.fc 2007-11-30 11:23:56.000000000 -0500
-@@ -13,8 +13,7 @@
++++ serefpolicy-3.2.1/policy/modules/services/clamav.fc 2007-12-01 07:49:02.000000000 -0500
+@@ -5,16 +5,18 @@
+ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
+ /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
++/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+ /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+ /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
+ /var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+ /var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
++/var/run/clamav-milter(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
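Review bot: Labelling `/usr/sbin/clamav-milter` as `clamd_exec_t` (L68) runs the milter in the `clamd_t` domain, so a second process that talks to the MTA inherits every permission clamd has (amavis, cron and, in the clamav.te hunk, MTA-config access) rather than the narrower set a milter needs. The refpolicy convention for a separately launched daemon is its own domain with an init transition; if sharing `clamd_t` is a deliberate shortcut, a comment above the line saying so, and naming the denials that drove it, would stop the next reviewer from tightening it by accident. The same applies to `/var/run/clamav-milter(/.*)?` (L74) and the `/var/log/clamav.milter` entry in the following hunk, which reuse clamd's run and log types.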
@@ -5140,11 +5171,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
++/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.1/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/clamav.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.1/policy/modules/services/clamav.te 2007-12-01 08:04:25.000000000 -0500
@@ -87,6 +87,7 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -5153,7 +5185,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
-@@ -127,6 +128,10 @@
+@@ -120,6 +121,8 @@
+ cron_use_system_job_fds(clamd_t)
+ cron_rw_pipes(clamd_t)
+
++mta_read_config(clamd_t)
++
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+@@ -127,6 +130,10 @@
amavis_create_pid_files(clamd_t)
')
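Review bot: `mta_read_config(clamd_t)` at L97 is called unconditionally, while every neighbouring interface in this hunk (`cron_*`, `amavis_*`) sits inside `optional_policy(`. Unless mta is part of the base policy in this build, an unconditional call is a hard link-time dependency on the mta module; wrapping it as `optional_policy(` / `mta_read_config(clamd_t)` / `')` matches the file's style and keeps clamav loadable without mta. A one-line comment on why clamd now reads the MTA configuration (presumably the milter, labelled `clamd_exec_t` in the clamav.fc hunk) would also help.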
@@ -5164,7 +5205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
########################################
#
# Freshclam local policy
-@@ -233,3 +238,7 @@
+@@ -233,3 +240,7 @@
optional_policy(`
apache_read_sys_content(clamscan_t)
')
@@ -5803,8 +5844,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.1/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-11-30 11:25:57.000000000 -0500
-@@ -48,9 +48,7 @@
++++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-12-02 18:58:51.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(cups,1.8.2)
++policy_module(cups,1.4.1)
+
+ ########################################
+ #
+@@ -43,14 +43,12 @@
+
+ type cupsd_var_run_t;
+ files_pid_file(cupsd_var_run_t)
+-mls_trusted_object(cupsd_var_run_t)
+
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t,hplip_exec_t)
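Review bot: The new inner hunk `+@@ -1,5 +1,5 @@` (L121–L124) changes `policy_module(cups,1.8.2)` to `policy_module(cups,1.4.1)`, which moves the cups module version backwards. That looks like an accident from re-basing the patch against an older cups.te rather than an intended change; a lower number gives no signal that the module contents changed and confuses anyone comparing installed module versions. Unless a downgrade is really intended, the hunk should be dropped or bump to a number above 1.8.2. The `mls_trusted_object(cupsd_var_run_t)` removal at L132 is matched by the re-addition under `ifdef(`enable_mls'` in the next hunk and is fine.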
@@ -5812,27 +5865,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
+domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t)
++domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
-@@ -81,14 +79,14 @@
+@@ -71,6 +69,8 @@
+
+ ifdef(`enable_mls',`
+ init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
++
++ mls_trusted_object(cupsd_var_run_t)
+ ')
+
+ ########################################
+@@ -81,12 +81,12 @@
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
+-allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:process { setpgid setsched signal_perms };
- allow cupsd_t self:fifo_file rw_file_perms;
++allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
-allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
++allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
-+allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
- # generic socket here until appletalk socket is available in kernels
- allow cupsd_t self:socket create_socket_perms;
-@@ -105,7 +103,7 @@
+@@ -105,7 +105,7 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
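Review bot: `domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)` at L141 is placed among the type declarations next to the cupsd_t transition, whereas the rest of cups.te keeps each domain's rules in its own "local policy" section (the previous revision had this line in the cupsd_config section, dropped at L333). Moving it back there keeps the declarations section free of access rules and the cupsd_config grants in one place. The spacing in `hplip_exec_t, hplip_t` versus the surrounding `a,b,c` style is worth normalising while touching the line.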
@@ -5841,7 +5903,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t cupsd_exec_t:lnk_file read;
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -122,13 +120,14 @@
+@@ -117,13 +117,19 @@
+ manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
+ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+
++# This whole section needs to be moved to a smbspool policy
++# smbspool seems to be iterating through all existing tmp files.
++# Looking for kerberos files
++files_getattr_all_tmp_files(cupsd_t)
++userdom_read_unpriv_users_tmp_files(cupsd_t)
++files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
++
+ allow cupsd_t cupsd_var_run_t:dir setattr;
+ manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
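Review bot: `userdom_read_unpriv_users_tmp_files(cupsd_t)` at L190 lets the print daemon read every unprivileged user's tmp files, which the comment above it says is where it looks for Kerberos files; that is a broad grant for a network-facing service, and the comment already concedes it belongs in a separate smbspool domain. Until that domain exists, gating the three lines in a `tunable_policy` (constructed name, e.g. `cups_read_user_tmp`, default off) would let sites that do not print through Kerberos/Samba keep the denial. The block is a move from the end of the file (the dropped lines at L510–L515 of the last cups hunk), not new text, so the suggestion is about the policy rather than the move.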
@@ -5851,14 +5925,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t hplip_var_run_t:file { read getattr };
stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
- allow cupsd_t ptal_var_run_t : sock_file setattr;
-
-+auth_use_nsswitch(cupsd_t)
-+
- kernel_read_system_state(cupsd_t)
+@@ -133,8 +139,7 @@
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
-@@ -150,21 +149,26 @@
+
+-corenet_all_recvfrom_unlabeled(cupsd_t)
+-corenet_all_recvfrom_netlabel(cupsd_t)
++corenet_non_ipsec_sendrecv(cupsd_t)
+ corenet_tcp_sendrecv_all_if(cupsd_t)
+ corenet_udp_sendrecv_all_if(cupsd_t)
+ corenet_raw_sendrecv_all_if(cupsd_t)
+@@ -150,31 +155,39 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
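Review bot: Replacing `corenet_all_recvfrom_unlabeled(cupsd_t)` and `corenet_all_recvfrom_netlabel(cupsd_t)` with the single `corenet_non_ipsec_sendrecv(cupsd_t)` (L210–L212) is only a no-op if that interface also grants the NetLabel peer recvfrom that the second removed call provided; its definition is not in this diff, so that should be confirmed or stated in a comment. If it covers only unlabeled traffic, labeled-network peers talking to cupsd start being denied. The same substitution is made for cupsd_config_t, cupsd_lpd_t, hplip_t and ptal_t in the hunks starting at L290, L393 and L461, so one check covers all five.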
@@ -5884,18 +5961,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
- mls_file_write_all_levels(cupsd_t)
- mls_file_read_all_levels(cupsd_t)
-@@ -173,6 +177,8 @@
+-mls_file_write_all_levels(cupsd_t)
+-mls_file_read_all_levels(cupsd_t)
++mls_file_write_down(cupsd_t)
++mls_file_read_up(cupsd_t)
++mls_rangetrans_target(cupsd_t)
+ mls_socket_write_all_levels(cupsd_t)
+
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-+auth_use_nsswitch(cupsd_t)
-+
auth_domtrans_chk_passwd(cupsd_t)
++auth_domtrans_upd_passwd_chk(cupsd_t)
auth_dontaudit_read_pam_pid(cupsd_t)
++auth_rw_faillog(cupsd_t)
-@@ -187,7 +193,7 @@
+ # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+ corecmd_exec_shell(cupsd_t)
+@@ -187,7 +200,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
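Review bot: `auth_domtrans_upd_passwd_chk(cupsd_t)` (L238) and `auth_rw_faillog(cupsd_t)` (L240) widen what the print daemon may do with the system authentication database, and neither line says which PAM module in the cupsd stack needs it. A short comment such as `# PAM stack of the web interface: failed-login accounting and password-update check — TODO confirm against the observed denial` would document the intent and make the grant easier to drop later. The MLS narrowing on L226–L230, replacing the `*_all_levels` calls with `mls_file_write_down`/`mls_file_read_up`, reads as a deliberate tightening.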
@@ -5904,7 +5987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -196,12 +202,9 @@
+@@ -196,15 +209,14 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -5918,7 +6001,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
init_exec_script_files(cupsd_t)
-@@ -221,17 +224,38 @@
++auth_use_nsswitch(cupsd_t)
++
+ libs_use_ld_so(cupsd_t)
+ libs_use_shared_libs(cupsd_t)
+ # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
+@@ -221,14 +233,37 @@
sysnet_read_config(cupsd_t)
@@ -5932,9 +6020,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
ifdef(`enable_mls',`
lpd_relabel_spool(cupsd_t)
- ')
-
- optional_policy(`
++
++ mls_trusted_object(cupsd_var_run_t)
++ init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
++')
++
++optional_policy(`
+ avahi_dbus_chat(cupsd_t)
+')
+
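Review bot: The `ifdef(`enable_mls',` block at L268–L276 now repeats `mls_trusted_object(cupsd_var_run_t)` and `init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)`, both of which already appear in the MLS block near line 71 of cups.te (context and new line at L148–L150 of the hunk starting at L137). The second copy is redundant; `init_ranged_daemon_domain` is a multi-rule template, so calling it twice for the same domain at best adds duplicate rules and at worst trips the compiler on a repeated range_transition — verify which. Keep the earlier block and reduce this one to `ifdef(`enable_mls',` / `lpd_relabel_spool(cupsd_t)` / `')`.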
@@ -5942,7 +6033,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+ init_stream_connect_script(cupsd_t)
+
+ unconfined_rw_pipes(cupsd_t)
-+ unconfined_rw_stream_sockets(cupsd_t)
+
+ optional_policy(`
+ init_dbus_chat_script(cupsd_t)
@@ -5951,45 +6041,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+
+ dbus_stub(cupsd_t)
+ ')
-+')
-+
-+optional_policy(`
- apm_domtrans_client(cupsd_t)
')
-@@ -262,16 +286,16 @@
- ')
+ optional_policy(`
+@@ -241,6 +276,7 @@
optional_policy(`
-- nscd_socket_use(cupsd_t)
--')
--
--optional_policy(`
- # cups execs smbtool which reads samba_etc_t files
- samba_read_config(cupsd_t)
- samba_rw_var_files(cupsd_t)
+ dbus_system_bus_client_template(cupsd,cupsd_t)
++ dbus_send_system_bus(cupsd_t)
+
+ userdom_dbus_send_all_users(cupsd_t)
+
+@@ -262,7 +298,7 @@
')
optional_policy(`
+- nscd_socket_use(cupsd_t)
+ mta_send_mail(cupsd_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(cupsd_t)
')
-@@ -291,7 +315,9 @@
- allow cupsd_config_t self:unix_stream_socket create_socket_perms;
- allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
- allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
--allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+allow cupsd_config_t hplip_exec_t:file read_file_perms;
-+domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
-
- allow cupsd_config_t cupsd_t:process signal;
- ps_process_pattern(cupsd_config_t,cupsd_t)
-@@ -330,6 +356,7 @@
+ optional_policy(`
+@@ -319,8 +355,7 @@
+ kernel_read_system_state(cupsd_config_t)
+ kernel_read_kernel_sysctls(cupsd_config_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_config_t)
+-corenet_all_recvfrom_netlabel(cupsd_config_t)
++corenet_non_ipsec_sendrecv(cupsd_config_t)
+ corenet_tcp_sendrecv_all_if(cupsd_config_t)
+ corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
+ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -330,11 +365,13 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -5997,16 +6079,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -354,6 +381,8 @@
-
- logging_send_syslog_msg(cupsd_config_t)
-+auth_use_nsswitch(cupsd_config_t)
-+
- miscfiles_read_localization(cupsd_config_t)
+ corecmd_exec_bin(cupsd_config_t)
++corecmd_exec_sbin(cupsd_config_t)
+ corecmd_exec_shell(cupsd_config_t)
- seutil_dontaudit_search_config(cupsd_config_t)
-@@ -376,6 +405,14 @@
+ domain_use_interactive_fds(cupsd_config_t)
+@@ -376,12 +413,17 @@
')
optional_policy(`
@@ -6014,14 +6093,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+')
+
+optional_policy(`
-+ unconfined_rw_pipes(cupsd_config_t)
-+')
-+
-+optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -391,6 +428,7 @@
+ optional_policy(`
+ dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
+ dbus_connect_system_bus(cupsd_config_t)
++ dbus_send_system_bus(cupsd_config_t)
+
+ optional_policy(`
+ hal_dbus_chat(cupsd_config_t)
+@@ -391,6 +433,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -6029,30 +6111,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -402,14 +440,6 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(cupsd_config_t)
--')
--
--optional_policy(`
-- nscd_socket_use(cupsd_config_t)
--')
--
--optional_policy(`
- rpm_read_db(cupsd_config_t)
- ')
-
-@@ -430,7 +460,6 @@
- allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
- allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
- allow cupsd_lpd_t self:udp_socket create_socket_perms;
--allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
-
- # for identd
- # cjp: this should probably only be inetd_child rules?
-@@ -480,6 +509,8 @@
+@@ -461,8 +504,7 @@
+ kernel_read_system_state(cupsd_lpd_t)
+ kernel_read_network_state(cupsd_lpd_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+-corenet_all_recvfrom_netlabel(cupsd_lpd_t)
++corenet_non_ipsec_sendrecv(cupsd_lpd_t)
+ corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
+ corenet_udp_sendrecv_all_if(cupsd_lpd_t)
+ corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
+@@ -480,6 +522,8 @@
files_read_etc_files(cupsd_lpd_t)
@@ -6061,7 +6130,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)
-@@ -495,14 +526,6 @@
+@@ -487,22 +531,12 @@
+
+ miscfiles_read_localization(cupsd_lpd_t)
+
+-sysnet_read_config(cupsd_lpd_t)
+-
+ cups_stream_connect(cupsd_lpd_t)
+
+ optional_policy(`
inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
')
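Review bot: `sysnet_read_config(cupsd_lpd_t)` is dropped at L440 without a visible replacement; the two lines the preceding inner hunk `+@@ -480,6 +522,8 @@` adds after `files_read_etc_files(cupsd_lpd_t)` are outside this diff's context. If those lines are an `auth_use_nsswitch(cupsd_lpd_t)` call the removal is fine, since that interface appears to cover the resolver configuration; otherwise cupsd_lpd_t loses read access to its name-resolution config and hostname lookups for incoming LPD clients will start failing. Worth confirming before merge.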
@@ -6076,8 +6153,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
########################################
#
# HPLIP local policy
-@@ -523,11 +546,9 @@
- allow hplip_t cupsd_etc_t:dir search;
+@@ -520,14 +554,12 @@
+ allow hplip_t self:udp_socket create_socket_perms;
+ allow hplip_t self:rawip_socket create_socket_perms;
+
+-allow hplip_t cupsd_etc_t:dir search;
++allow hplip_t cupsd_etc_t:dir search_dir_perms;
cups_stream_connect(hplip_t)
-
@@ -6091,38 +6172,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -558,7 +579,9 @@
+@@ -535,8 +567,7 @@
+ kernel_read_system_state(hplip_t)
+ kernel_read_kernel_sysctls(hplip_t)
+
+-corenet_all_recvfrom_unlabeled(hplip_t)
+-corenet_all_recvfrom_netlabel(hplip_t)
++corenet_non_ipsec_sendrecv(hplip_t)
+ corenet_tcp_sendrecv_all_if(hplip_t)
+ corenet_udp_sendrecv_all_if(hplip_t)
+ corenet_raw_sendrecv_all_if(hplip_t)
+@@ -558,13 +589,15 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
+
-+lpd_read_spool(hplip_t)
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -585,8 +608,6 @@
- userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
+
+ # for python
+ corecmd_exec_bin(hplip_t)
++corecmd_search_sbin(hplip_t)
+
+ domain_use_interactive_fds(hplip_t)
+
+@@ -586,6 +619,7 @@
userdom_dontaudit_search_all_users_home_content(hplip_t)
--lpd_read_config(cupsd_t)
--
+ lpd_read_config(cupsd_t)
++lpd_manage_spool(hplip_t)
+
optional_policy(`
seutil_sigchld_newrole(hplip_t)
- ')
-@@ -666,3 +687,11 @@
- optional_policy(`
- udev_read_db(ptal_t)
- ')
-+
-+
-+# This whole section needs to be moved to a smbspool policy
-+# smbspool seems to be iterating through all existing tmp files.
-+# Looking for kerberos files
-+files_getattr_all_tmp_files(cupsd_t)
-+userdom_read_unpriv_users_tmp_files(cupsd_t)
-+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
+@@ -627,8 +661,7 @@
+ kernel_list_proc(ptal_t)
+ kernel_read_proc_symlinks(ptal_t)
+
+-corenet_all_recvfrom_unlabeled(ptal_t)
+-corenet_all_recvfrom_netlabel(ptal_t)
++corenet_non_ipsec_sendrecv(ptal_t)
+ corenet_tcp_sendrecv_all_if(ptal_t)
+ corenet_tcp_sendrecv_all_nodes(ptal_t)
+ corenet_tcp_sendrecv_all_ports(ptal_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.1/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-11-15 13:40:14.000000000 -0500
+++ serefpolicy-3.2.1/policy/modules/services/cvs.te 2007-11-30 11:23:56.000000000 -0500
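Review bot: `lpd_manage_spool(hplip_t)` at L499 raises hplip's access to the lpd spool from the read the previous revision granted (`lpd_read_spool(hplip_t)`, dropped at L482) to full create/write/delete, without a comment on which operation needed it. The hplip backend is driven by cupsd; if it only has to read jobs handed to it, a manage grant is more than least privilege calls for, so the triggering denial should be recorded above the line, e.g. `# hplip backend must <create|unlink — TODO confirm> spool files`. Separately, `lpd_read_config(cupsd_t)` at L498 is kept as context inside the HPLIP local policy section; it is either a misplaced cupsd rule or a typo for `hplip_t`, and the previous revision removed it, so please confirm which was intended.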
@@ -7527,7 +7621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##